Forum Discussion
session.ssl.cert.valid 26
So just to follow up, the issue I believe is an incorrect KU option. At a minimum a client certificate used for authentication must have ClientAuth (1.3.6.1.5.5.7.3.2) in its EKU, and must have digitalSignature in its KU. I'm surprised that a browser is even letting you choose a cert with keyEncipherment only. If you think about it, mutual PKI authentication requires that the client first send its certificate, and then follow that with a CertificateVerify message, which is a digitally signed hash. If the client's certificate isn't capable of digital signature, by virtue of its keyUsage property, then it cannot use it for authentication.
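The rule stated in the reply above, as an added example that is not part of the original post: a stdlib-only Python check that decodes the DER values of a certificate's keyUsage and extendedKeyUsage extensions and reports what is missing for client authentication. The function names and the sample extension bytes are constructed for illustration, and the sketch assumes both extensions are present and use short-form DER lengths.

```python
# Added example (not from the original post): apply the post's KU/EKU rule
# to the DER-encoded values of the two extensions.
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
KU_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
            "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
            "encipherOnly", "decipherOnly"]          # RFC 5280 bit order

def read_tlv(buf, pos, expect):
    """Return (value, next_pos) for one short-form DER element of type `expect`."""
    tag, length = buf[pos], buf[pos + 1]
    end = pos + 2 + length
    if tag != expect or length & 0x80 or end > len(buf):
        raise ValueError(f"unexpected DER at offset {pos}")
    return buf[pos + 2:end], end

def key_usage_bits(der):
    val, _ = read_tlv(der, 0, 0x03)                  # BIT STRING
    bits = "".join(f"{b:08b}" for b in val[1:])      # val[0] is the unused-bit count
    return {name for name, bit in zip(KU_NAMES, bits) if bit == "1"}

def decode_oid(body):
    arcs, n = [body[0] // 40, body[0] % 40], 0       # first byte packs two arcs
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)                    # base-128, high bit = "more"
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def eku_oids(der):
    seq, _ = read_tlv(der, 0, 0x30)                  # SEQUENCE OF OBJECT IDENTIFIER
    oids, pos = [], 0
    while pos < len(seq):
        body, pos = read_tlv(seq, pos, 0x06)
        oids.append(decode_oid(body))
    return oids

def client_auth_problems(ku_der, eku_der):
    problems = []
    if "digitalSignature" not in key_usage_bits(ku_der):
        problems.append("keyUsage lacks digitalSignature")
    if CLIENT_AUTH not in eku_oids(eku_der):
        problems.append("extendedKeyUsage lacks clientAuth")
    return problems

# Constructed sample extension values (hex of the DER inside each extension).
KU_ENCIPHER_ONLY = bytes.fromhex("03020520")         # keyEncipherment only
KU_SIGN_ENCIPHER = bytes.fromhex("030205a0")         # digitalSignature + keyEncipherment
EKU_CLIENT = bytes.fromhex("300a06082b06010505070302")
EKU_SERVER = bytes.fromhex("300a06082b06010505070301")
```
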