When configuring TLS on the server side using an X.509 v3 certificate with the extendedKeyUsage extension present, but not including the serverAuth purpose, the server process starts up without any warning.
When trying to connect to such a server clients report
so it is at least somewhat clear why connections fail.
When the server is set up correctly, but the client wants to use two-way TLS and does not have clientAuth set in its own certificate, the situation is trickier though. The client will report
and the server side error log only shows:
So in this situation it is extremely difficult to figure out what the actual cause of the connection failure is.
Tested with 10.6.5
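The mismatch described above (a server certificate whose extendedKeyUsage lacks serverAuth, or a client certificate lacking clientAuth) can be caught before deployment with `openssl verify -purpose`, which applies the same X509_check_purpose() rules a TLS peer applies during the handshake. The script below is an added example and not part of this report or of the server project; it assumes OpenSSL 1.1.1 or newer on PATH, and all names, paths and certificates in it are constructed for the demonstration. It builds a throwaway CA, issues leaf certificates with deliberately right and wrong extendedKeyUsage values, and checks each one for the role it is meant to play.

```shell
#!/bin/sh
# Added example (not from the original report): generate test certificates
# whose extendedKeyUsage does or does not include the purpose a TLS peer
# needs, and check them with `openssl verify -purpose` before any server or
# client tries to connect. Assumes OpenSSL >= 1.1.1; all names are made up.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Minimal req config so the example does not depend on the system openssl.cnf.
write_config() {
    cat > "$WORKDIR/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# Self-signed test CA (P-256 key, no extendedKeyUsage) used to sign the leaves.
make_ca() {
    write_config
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 2 -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" \
        -subj "/CN=Example Test CA" \
        -config "$WORKDIR/req.cnf" -extensions v3_ca >/dev/null 2>&1
}

# make_leaf NAME EKU -- leaf certificate whose extendedKeyUsage is exactly EKU,
# e.g. "serverAuth", "clientAuth" or "serverAuth,clientAuth".
make_leaf() {
    name=$1; eku=$2
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" \
        -subj "/CN=$name.example.test" -config "$WORKDIR/req.cnf" >/dev/null 2>&1
    # Unnamed default section of the extfile: only the EKU we want to test.
    printf 'extendedKeyUsage = %s\n' "$eku" > "$WORKDIR/$name.ext"
    openssl x509 -req -days 2 -in "$WORKDIR/$name.csr" \
        -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/$name.ext" -out "$WORKDIR/$name.pem" >/dev/null 2>&1
}

# check_purpose NAME PURPOSE -- prints "ok" if the certificate chains to the CA
# and may act as PURPOSE (sslserver or sslclient), otherwise "rejected".
check_purpose() {
    if openssl verify -CAfile "$WORKDIR/ca.pem" -purpose "$2" \
            "$WORKDIR/$1.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

# show_eku NAME -- human-readable extendedKeyUsage value for the report below.
show_eku() {
    openssl x509 -in "$WORKDIR/$1.pem" -noout -ext extendedKeyUsage 2>/dev/null \
        | tail -n 1 | sed 's/^ *//'
}

# Demo: one wrong and one right certificate for each role.
main() {
    make_ca
    make_leaf server-wrong clientAuth   # server cert without serverAuth
    make_leaf server-right serverAuth
    make_leaf client-wrong serverAuth   # client cert without clientAuth
    make_leaf client-right clientAuth
    for c in server-wrong server-right; do
        printf '%-13s %-32s sslserver: %s\n' "$c" "$(show_eku "$c")" \
            "$(check_purpose "$c" sslserver)"
    done
    for c in client-wrong client-right; do
        printf '%-13s %-32s sslclient: %s\n' "$c" "$(show_eku "$c")" \
            "$(check_purpose "$c" sslclient)"
    done
}
main
```

Run it as `sh check-eku.sh`; the two `*-wrong` certificates are rejected for their intended role while the `*-right` ones pass, which is exactly the distinction the server's startup and its error log do not surface. Running `check_purpose` against the real server and client certificates (with the real CA file) as a deployment check makes the cause of the failure visible without needing either peer's log output.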