Reputation: 2634
I have an intranet website which requires clients to authenticate themselves using a client certificate. I created a self-signed server certificate for the website, trusted it with clients and with that certificate I created many client certificates. It works great in every browser and curl and wget and openssl s_client, but doesn't work in IE (except for IE8 in XP).
IE prompts for the client certificate, but doesn't actually send it. I'm using Wireshark to see what IE sends since the only error message it provides me is "This page can't be displayed".
The website is in the trusted sites. What I see in Wireshark:
Before prompt:
This makes IE show the certificate prompt. I select the certificate:
Wireshark analysis:
The website uses Tomcat 7.
If you need any more information, I will do what I can to provide more.
Upvotes: 2
Views: 1478
Reputation: 2634
Finally I was able to solve the problem. Chrome and other browsers used TLSv1.0 to communicate and upgraded the communication to TLSv1.2 (Wireshark only showed this in the Client Hello's first version instance). IE initiated the request using TLSv1.2 and refused to try and downgrade the protocol version. After I configured Tomcat's server.xml to support TLSv1.2 as well, IE started working.
Upvotes: 4
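A ClientHello carries two version fields, one in the record header and one in the handshake body, which is easy to misread in a capture. The following added example (not part of the original post; the sample bytes and function names are constructed for illustration) reads both fields and shows which version a server would select, under the TLS 1.2-and-earlier negotiation rule, for a given set of enabled protocols.

```python
import struct

NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def build_sample_client_hello(record_version, client_version):
    """Constructed minimal ClientHello: one cipher suite, no extensions."""
    body = struct.pack("!H", client_version)   # ClientHello.client_version
    body += bytes(32)                          # random (all zeros, constructed)
    body += b"\x00"                            # empty session_id
    body += struct.pack("!HH", 2, 0x002F)      # TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                        # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, record_version, len(handshake)) + handshake

def parse_client_hello_versions(data):
    """Return (record_layer_version, client_hello_version) from raw bytes."""
    if len(data) < 11:
        raise ValueError("too short to hold a ClientHello")
    content_type, record_version, record_len = struct.unpack("!BHH", data[:5])
    if content_type != 0x16:
        raise ValueError("not a TLS handshake record")
    if len(data) < 5 + record_len:
        raise ValueError("truncated record")
    if data[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_len < 2 or hs_len + 4 > record_len:
        raise ValueError("inconsistent handshake length")
    (client_version,) = struct.unpack("!H", data[9:11])
    return record_version, client_version

def server_choice(client_version, server_enabled):
    """Highest server-enabled version not above the client's offer, or None."""
    usable = [v for v in server_enabled if v <= client_version]
    return max(usable) if usable else None

if __name__ == "__main__":
    hello = build_sample_client_hello(0x0301, 0x0303)
    record, offered = parse_client_hello_versions(hello)
    print("record layer:", NAMES[record], "| ClientHello offers up to:", NAMES[offered])
    for enabled in ({0x0301}, {0x0301, 0x0302, 0x0303}):
        picked = server_choice(offered, enabled)
        print(sorted(NAMES[v] for v in enabled), "->", NAMES.get(picked))
```

If the server's choice is lower than the client is willing to accept, the client aborts the handshake, so the enabled-protocol list on the server has to include the version the client insists on.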