TLS client auth, handshake error 402

Hello Team,
as described in this GH issue:
I’d like to use TLS authentication for my sensu agents.
Is there any working TLS auth client config so I can take a look?
As workaround I currently let sensu agents talk with the backend through SSH tunnels.

  1. What have you already tried? Please include links to gists and/or code blocks (if relatively small)

I tried this config:

from backend.yml :

agent-auth-cert-file: “/etc/ssl/sensu/backend.crt”
agent-auth-key-file: “/etc/ssl/sensu/backend.key”
agent-auth-trusted-ca-file: “/etc/ssl/sensu/ca.pem”

from agent.yml :

cert-file: “/etc/ssl/sensu/v2clt.crt”
key-file: “/etc/ssl/sensu/v2clt.key”
trusted-ca-file: “/etc/ssl/sensu/ca.pem”

backend certificate CN match backend DNS name (FQDN replaced with xxx)

backend and agent TLS certs generated with easy-rsa CA

agent logs:

Dec 7 15:46:56 v2 sensu-agent[6891]: {“component”:“agent”,“level”:“info”,“msg”:"connecting to backend URL “wss://xxx:8081"”,“time”:“2019-12-07T15:46:56+01:00”}
Dec 7 15:46:56 v2 sensu-agent[6891]: {“component”:“agent”,“header”:“Accept: application/octet-stream”,“level”:“debug”,“msg”:“setting header”,“time”:“2019-12-07T15:46:56+01:00”}
Dec 7 15:46:56 v2 sensu-agent[6891]: {“component”:“agent”,“error”:“handshake failed with status 402”,“level”:“error”,“msg”:“reconnection attempt failed”,“time”:“2019-12-07T15:46:56+01:00”}

  1. Tell us about your setup, this should include OS, version of Sensu, version of Sensu components (redis, rabbitmq), plugin versions (if applicable), anything special about your setup such as an airgapped network or strict ACLs

Sensu version used (sensuctl, sensu-backend, and/or sensu-agent): both sensu-backend and sensu-agent version 5.15.0, build 13884593ee08a7f25d7f66a8b71da61c529de014, built 2019-11-19T20:18:33Z
sensu-backend and sensu-agent on the same machine
Installation method (packages, binaries, docker etc.): deb packages through APT
Operating System and version (e.g. Ubuntu 14.04): Debian bullseye/sid, kernel 5.3.0-2-amd64

  1. Is there a Github issue related to your issue?