Does client have to send the CA chain along with the client certificate after ServerHello?
You are responsible for sending enough of the chain for the server to connect your certificate to a trusted root.
For TLS 1.2 this is discussed in RFC 5246. Client certificates are defined in §7.4.6, which (among other things) states:
Client certificates are sent using the Certificate structure defined in Section 7.4.2.
And if you look in §7.4.2 it describes the Certificate structure as including the certificate_list
(emphasis mine):
This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case.
In short, the server is expected to have the trusted root, but not required or expected to have any intermediate certificates that may be required. The client is required to provide them if it wants verification to proceed smoothly and reliably. (And the same is true for the certificates the server sends to the client).
The server validating a client certificate is exactly like the client validating the server's certificate, except the server usually only trusts a single root CA and the server is usually unwilling to download missing intermediate certificates (something browsers do).
The server validating the client certificate needs to be able to build a chain from the certificate the server trusts (presumably your root CA) to the end entity certificate. If this requires an intermediate then the intermediate needs to be supplied, or the intermediate needs to be configured as a trusted root on the server, in addition to the real root.