When I visit a particular site, foobar.com, I am being prompted for a client certificate, which is unexpected for this site.
I assumed there would be a Certificate Request message in the HTTPS handshake, so I fired up Wireshark 4.x and did a clean capture.
There's no Certificate Request after the Server Hello - just the server's certificates (issued by Encryption Everywhere) and the Certificate Status flag.
I've confirmed there are no proxies in between, and I've verified that Wireshark properly picks up the Certificate Request flag from other mTLS-enabled sites.
As far as I know, the Certificate Request cannot be within an encrypted part of the handshake, but maybe I'm wrong on that.
Can anyone shed some light on what to look for within this exchange to identify why my browser's being prompted for a client certificate?
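
One thing a capture like this can be checked for, as an added example that is not part of the original post: in TLS 1.2 and earlier, a server can start a second handshake (renegotiation) after the first one completes, and every message of that handshake, including any CertificateRequest, is encrypted and appears in Wireshark only as "Encrypted Handshake Message". The sketch below walks the record layer of the server-to-client byte stream and reports handshake records that arrive after the first Finished. It assumes TLS 1.2 or earlier and an already reassembled stream; the function names and sample bytes are constructed for illustration.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23

def iter_records(stream: bytes):
    """Yield (content_type, payload) for each TLS record in a one-direction stream."""
    off = 0
    while off < len(stream):
        if off + 5 > len(stream):
            raise ValueError(f"truncated record header at offset {off}")
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        if ctype not in (CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA):
            raise ValueError(f"unknown content type {ctype} at offset {off}")
        if off + 5 + length > len(stream):
            raise ValueError(f"truncated record body at offset {off}")
        yield ctype, stream[off + 5:off + 5 + length]
        off += 5 + length

def late_handshake_records(stream: bytes):
    """Return indices of handshake records sent after the first Finished.

    After the first ChangeCipherSpec exactly one handshake record (the
    encrypted Finished) is expected. Any further handshake record means a
    new handshake is running inside the encrypted channel.
    """
    seen_ccs = finished_seen = False
    hits = []
    for index, (ctype, _payload) in enumerate(iter_records(stream)):
        if ctype == CHANGE_CIPHER_SPEC:
            seen_ccs = True
        elif ctype == HANDSHAKE and seen_ccs:
            if finished_seen:
                hits.append(index)
            finished_seen = True
    return hits

def rec(ctype: int, payload: bytes) -> bytes:
    """Build one TLS 1.2 record (constructed sample data, not a real capture)."""
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

# Constructed server-to-client streams; payloads are placeholder bytes.
INITIAL = b"".join([rec(HANDSHAKE, bytes(60)), rec(HANDSHAKE, bytes(900)),
                    rec(HANDSHAKE, bytes(4)), rec(CHANGE_CIPHER_SPEC, b"\x01"),
                    rec(HANDSHAKE, bytes(40))])
PLAIN = INITIAL + rec(APPLICATION_DATA, bytes(200))
RENEGOTIATED = b"".join([INITIAL, rec(HANDSHAKE, bytes(28)), rec(HANDSHAKE, bytes(1200)),
                         rec(CHANGE_CIPHER_SPEC, b"\x01"), rec(HANDSHAKE, bytes(40)),
                         rec(APPLICATION_DATA, bytes(200))])

if __name__ == "__main__":
    print("plain:", late_handshake_records(PLAIN))
    print("renegotiated:", late_handshake_records(RENEGOTIATED))
```

The check does not apply to TLS 1.3, where records after the ServerHello carry the application-data content type on the wire and the record type no longer reveals handshake messages.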