When a remote repository requires SSL client certificate authentication, Nexus 3 (3.2.0-01) does not match the client certificate present in the keyStore. With SSL debugging enabled, it logs:
2017-03-01 16:38:02,934+0100 INFO [qtp1053574947-168] adm_lop sun.security.ssl.ClientHandshaker - Warning: no suitable certificate found - continuing without client authentication
As a result, we can't see the client certificate being sent to the remote repository in a tcpdump.
In the end Nexus throws an exception:
java.io.IOException: Received fatal alert: handshake_failure
The keyStore and trustStore's are the same as the previous old version 2 (nexus-2.14.2-01) where it was working well. A test with SSLPoke with the same setting and stores works fine. I attached log files for the working SSLPoke and the non-working Nexus.