tls – Debugging HTTP 403 Forbidden when using cURL for mutual authentication SSL (mTLS)

I’m a beginner in security, but I am trying to send a request to a server through mutual authentication.
I was given

  1. CA pem file
  2. client cert pem file
  3. private key pem file

Right now, I’m trying to establish a connection to the server, but it keeps hitting a 403 error and I’m unsure how to debug from here.

Using cURL to execute the command below:
curl -H "Content-Type: application/json" -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36" --cacert ca.pem --key privateKey.pem --cert client.pem https://svc.server.com -d '{}'

The log showing the HTTP 403 error:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 222.222.222.222:443...
* Connected to svc.server.com (222.222.222.222) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: ca.pem
*  CApath: none
} (5 bytes data)
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} (512 bytes data)
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ (63 bytes data)
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ (5573 bytes data)
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ (333 bytes data)
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
{ (5482 bytes data)
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ (4 bytes data)
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
} (4024 bytes data)
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} (70 bytes data)
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
} (264 bytes data)
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} (1 bytes data)
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} (16 bytes data)
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ (16 bytes data)
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=BE; L=Waterloo; O=International Corporated; OU=BIP0 AIDC; CN=svc.server.com
*  start date: Apr  7 19:27:43 2020 GMT
*  expire date: Jul  6 19:57:43 2022 GMT
*  subjectAltName: host "svc.server.com" matched cert's "svc.server.com"
*  issuer: C=US; O=Entrust, Inc.; OU=See www.entrust.net/legal-terms; OU=(c) 2012 Entrust, Inc. - for authorized use only; CN=Entrust CA
*  SSL certificate verify ok.
} (5 bytes data)
> POST /v1/0/activate HTTP/1.1
> Host: svc.server.com
> Accept: */*
> Content-Type: application/json
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
> Content-Length: 2
>
} (2 bytes data)
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Content-Type: application/json;charset=UTF-8
< Content-Length: 109
< Date: Fri, 10 Sep 2021 06:55:23 GMT
< Server: Information Not Disclosed
<
{ (109 bytes data)
100   111  100   109  100     2     86      1  0:00:02  0:00:01  0:00:01    87{
  "res": "",
  "code": "AUTHORIZATION_FAILED",
  "description": "Authorization failed."
}
* Connection #0 to host svc.server.com left intact  

I’ve also installed the cert on my Windows client machine, and the server team has mentioned that there is nothing wrong on their side, as others are able to send their requests successfully.

Moreover, further authentication is not required; the certs alone are sufficient.

I’ve also checked the trace logs and they seem to be the same, showing the TLS handshake completing but receiving the same error.

Any help is greatly appreciated.
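The trace above shows the client certificate being sent (Certificate (11) OUT, CERT verify (15)) and the handshake finishing, so the 403 is returned after TLS succeeded. Before going back to the server team, the following added example (not from the question; it assumes the `openssl` CLI is installed and uses the question's file names ca.pem, client.pem and privateKey.pem) checks locally that the key really pairs with the cert, that the cert chains to the supplied CA, and dumps the identity fields a server-side allow-list is usually keyed on, so they can be compared with what the server expects for an authorised client.

```shell
# Added example, not from the question: local pre-flight checks for the three
# PEM files before (re)running the curl command. Assumes the openssl CLI is
# installed; file names mirror the question (ca.pem, client.pem, privateKey.pem).

# 1. Does privateKey.pem belong to client.pem? Compare the SHA-256 of the public
#    key inside the certificate with the one derived from the private key.
cert_key_match() {   # usage: cert_key_match client.pem privateKey.pem
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 2. Does client.pem chain to ca.pem and sit inside its validity window? If this
#    passes and the handshake completes, the 403 is an application-level decision.
cert_chain_ok() {    # usage: cert_chain_ok ca.pem client.pem
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 3. The fields a server-side allow-list is typically keyed on; compare them with
#    what the server team expects for an authorised client.
cert_identity() {    # usage: cert_identity client.pem
    openssl x509 -in "$1" -noout -subject -issuer -serial -dates -fingerprint -sha256
}

# Constructed fixture (not real material): a throwaway CA, a client cert it signed,
# and an unrelated key that must fail the pairing check.
make_fixture() {     # usage: make_fixture /tmp/dir
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example-client" \
        -keyout "$1/privateKey.pem" -out "$1/client.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/client.pem" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -out "$1/other.pem" >/dev/null 2>&1
}

# Stand-alone demo on the fixture; point the calls at the real files to pre-flight curl.
WORK=$(mktemp -d) && make_fixture "$WORK"
cert_key_match "$WORK/client.pem" "$WORK/privateKey.pem" && echo "key pairs with cert" || echo "KEY/CERT MISMATCH"
cert_chain_ok "$WORK/ca.pem" "$WORK/client.pem" && echo "cert chains to CA" || echo "CHAIN FAILS"
cert_identity "$WORK/client.pem"
```

If both checks pass against the real files, the remaining question for the server team is whether this certificate's subject, issuer, serial or fingerprint is actually on their authorisation list.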