I am using a self-signed CA to issue server and client(s) certificates.

My server is using the standard Python ssl module.
One client, that is using twisted.internet.ssl, consistently fails to connect with:
On the Server:    [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:661),
On the Client:    [WARNING] [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]

This is my code:

path = getModule(__name__).filePath.sibling(u'data')

txt = path.child(u'ca.crt').getContent()
cacert = ssl.Certificate.loadPEM(txt)
root = ssl.trustRootFromCertificates([cacert])

txt = path.child(u'client.pem').getContent()
mycert = ssl.PrivateCertificate.loadPEM(txt)

ctx = ssl.optionsForClientTLS(hostName, trustRoot=root, clientCertificate=mycert)

reactor.connectSSL(hostName, portNumber, factory, ctx)

I am using the latest git trunk code.
With a regular ssl client I don't have an issue.

A known bug?

Thanks, Enoch.