When an HTTPS connection with a client certificate request is made, the client sends a CertificateVerify message with its public certificate so the server can verify that the client has a valid private certificate that matches the public key.
This CertificateVerify has a signed hash made from common client and server data. How is this data made? Is it random? Who makes it? Is it the server or the client that generates this data and sends it to the server? I can't find information about that and I'm unable to read the code (apache2 mod_ssl or openssl).
Besides that, is it possible to get the original data and the hashed signed result sent by the client from the server side (log from apache, PHP)?
All the technical data that I've found about an SSL handshake only mentions that this is the procedure, but not how the data to sign is generated and how the server can "save" it as proof that the authentication is made (How does a server validate the Certificate Verify message in SSL/TLS?).