PerlMonks  

Re: Multiplexing HTTPS server, peer cert authentication problem.

by erroneousBollock (Curate)
on Mar 07, 2007 at 02:13 UTC


in reply to Multiplexing HTTPS server, peer cert authentication problem.

Hi monks,

Thelonius figured out that the problem had to do with the SSL handshake.

From my debugging it looks like the peer cert auth adds another 2 round-trip messages during the SSL handshake.
It turns out that in the code I posted in the OP, I was not ready to read/write at the appropriate moments during the handshake (and therefore, my state machine was incorrect).

It also appears that calling accept() in IO::Socket::INET, followed by start_SSL() in IO::Socket::SSL is doing something slightly different than just calling accept() in IO::Socket::INET with equivalent arguments. I'll post more if I find out what that is.

UPDATE:
It was not clear to me from the docs that if you wish to convert a connected IO::Socket::INET to connected IO::Socket::SSL, there are actually 3 steps:
  • call accept() in IO::Socket::INET, to get a connected socket.
  • call start_SSL() in IO::Socket::SSL, passing the connected socket and the param: SSL_startHandshake = 0.
  • call accept_SSL() on the "converted" connected socket until the result is defined or there is some non-useful error in $SSL_ERROR.
Thank you monks for your help and your patience (wrt my long-windedness ;).
-David.
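
The three steps listed in the post, driven from a select loop so the extra handshake round trips caused by client-certificate verification never block other connections. This is an added example, not the poster's code; the listen address, port and PEM file names are placeholders, and a completed connection is only logged and closed.

```perl
use strict;
use warnings;
use IO::Socket::INET;
use IO::Socket::SSL;    # exports $SSL_ERROR, SSL_WANT_READ, SSL_WANT_WRITE
use IO::Select;

# Placeholder address, port and file names (assumptions for this example).
my $listener = IO::Socket::INET->new(
    LocalAddr => '127.0.0.1', LocalPort => 8443,
    Listen    => 16,          ReuseAddr => 1,
) or die "listen: $!";

my $rd = IO::Select->new($listener);    # waiting to become readable
my $wr = IO::Select->new;               # waiting to become writable
my %handshaking;                        # fileno => 1 while handshake is pending

while (1) {
    my ($can_r, $can_w) = IO::Select->select($rd, $wr, undef, 5);
    for my $s (@{ $can_r || [] }, @{ $can_w || [] }) {
        if ($s == $listener) {
            my $c = $listener->accept or next;    # step 1: plain TCP accept
            $c->blocking(0);
            # Step 2: upgrade the socket but do not start the handshake yet.
            my $ok = IO::Socket::SSL->start_SSL($c,
                SSL_server         => 1,
                SSL_startHandshake => 0,
                SSL_cert_file      => 'server-cert.pem',
                SSL_key_file       => 'server-key.pem',
                SSL_ca_file        => 'client-ca.pem',
                SSL_verify_mode    => SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
            );
            if (!$ok) { close $c; next }
            $handshaking{ fileno $c } = 1;
            $rd->add($c);
            next;
        }
        my $fd = fileno $s;    # capture now; a failed handshake may close $s
        next unless defined $fd && $handshaking{$fd};
        $rd->remove($s);
        $wr->remove($s);
        # Step 3: call accept_SSL again each time the socket is ready.
        if (defined $s->accept_SSL) {
            delete $handshaking{$fd};    # handshake done, client cert verified
            print "peer: ", ($s->peer_certificate('subject') // '?'), "\n";
            close $s;                    # a real server would serve requests here
        }
        elsif ($SSL_ERROR == SSL_WANT_READ)  { $rd->add($s) }
        elsif ($SSL_ERROR == SSL_WANT_WRITE) { $wr->add($s) }
        else { delete $handshaking{$fd}; close $s }    # e.g. missing or untrusted client cert
    }
}
```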