(In reply to J.C. Jones [:jcj] (he/him) from comment #4)
15905cd1cab9c8460b245f19134043b5217e0e8b fails. Since that's the first patch that modifies non-test code past eb03936b42bb51d1e96acc73ac25a3b2501090b9, it must be part of the answer, though that doesn't prove whether the fault is in NSS or the Firefox test.
Thank you for looking into it. Indeed that commit changed the behavior in NSS server: previously the server sent a "bad_certificate" alert instead of "certificate_required" when a client certificate is required by the server but not provided by the client.
It seems the Firefox test relies on the alert description "bad_certificate", so I guess it needs to be updated to expect "certificate_required".