diff --git a/CMakeLists.txt b/CMakeLists.txt
index d8382652..1f9c246b 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -760,8 +760,9 @@ if(ENABLE_TLS AND NOT WIN32)
 else()
 message(STATUS "OpenSSL TLS interop tests require ENABLE_AES=ON, ENABLE_SHA2=ON and ENABLE_SECP256R1=ON; skipping")
 endif()
- add_test(NAME tlcp_sm4_cbc COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tlcp_sm4_cbc -P "${CMAKE_SOURCE_DIR}/cmake/tlcp_commands.cmake")
- add_test(NAME tlcp_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tlcp_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tlcp_commands.cmake")
+ add_test(NAME tlcp_sm4_gcm_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tlcp_sm4_gcm_sni -P "${CMAKE_SOURCE_DIR}/cmake/tlcp_commands.cmake")
+ add_test(NAME tlcp_sm4_cbc_sni COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tlcp_sm4_cbc_sni -P "${CMAKE_SOURCE_DIR}/cmake/tlcp_commands.cmake")
+ add_test(NAME tlcp_sm4_gcm_client_cert COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tlcp_sm4_gcm_client_cert -P "${CMAKE_SOURCE_DIR}/cmake/tlcp_commands.cmake")
 add_test(NAME tls12_sm4_cbc COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_cbc -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
 add_test(NAME tls12_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls12_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls12_commands.cmake")
 add_test(NAME tls13_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
@@ -770,8 +771,9 @@ if(ENABLE_TLS AND NOT WIN32)
 add_test(NAME tls13_psk_only_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_psk_only_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
 add_test(NAME tls13_early_data_sm4_gcm COMMAND ${CMAKE_COMMAND} -DTEST_CASE=tls13_early_data_sm4_gcm -P "${CMAKE_SOURCE_DIR}/cmake/tls13_commands.cmake")
 set_tests_properties(
- tlcp_sm4_cbc
- tlcp_sm4_gcm
+ tlcp_sm4_gcm_sni
+ tlcp_sm4_cbc_sni
+ tlcp_sm4_gcm_client_cert
 tls12_sm4_cbc
 tls12_sm4_gcm
 tls13_sm4_gcm
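Review bot: The three new `add_test` lines in the first hunk locate the driver script through `${CMAKE_SOURCE_DIR}`, which resolves to the top of whatever build includes this project rather than to GmSSL's own tree, while the CPack section later in this file already uses `${PROJECT_SOURCE_DIR}` for the same purpose. The added lines would read `-P "${PROJECT_SOURCE_DIR}/cmake/tlcp_commands.cmake"`; the pre-existing tls12/tls13 lines carry the same issue and could be changed in the same pass. The `set_tests_properties(...)` call in the second hunk, where the three new test names are registered, continues outside the hunk, so the properties applied to them — and whether the fixed ports 4431/4435/4436 are protected from concurrent ctest runs — are not visible here.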
@@ -825,7 +827,7 @@ endif()
 #
 set(CPACK_PACKAGE_NAME "GmSSL")
 set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
-set(CPACK_PACKAGE_VERSION "3.2.0-dev.1112")
+set(CPACK_PACKAGE_VERSION "3.2.0-dev.1113")
 set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
 set(CPACK_NSIS_MODIFY_PATH ON)
 include(CPack)
diff --git a/cmake/tlcp_commands.cmake b/cmake/tlcp_commands.cmake
index c83372e4..329b09b7 100644
--- a/cmake/tlcp_commands.cmake
+++ b/cmake/tlcp_commands.cmake
@@ -3,39 +3,62 @@ include("${CMAKE_CURRENT_LIST_DIR}/tls_command_test.cmake")
 gmssl_require_file(sm2_root_ca_cert.pem)
 gmssl_require_file(sm2_tlcp_server_certs.pem)
 gmssl_require_file(sm2_tlcp_server_keys.pem)
+gmssl_require_file(sm2_tls_client_certs.pem)
+gmssl_require_file(sm2_tls_client_key.pem)
 if(NOT DEFINED TEST_CASE)
- set(TEST_CASE tlcp_sm4_cbc)
+ set(TEST_CASE tlcp_sm4_gcm_sni)
 endif()
-if(TEST_CASE STREQUAL tlcp_sm4_cbc)
- set(TEST_NAME tlcp_sm4_cbc)
- set(TEST_PORT 4431)
- set(TEST_CIPHER_SUITE TLS_ECC_SM4_CBC_SM3)
-elseif(TEST_CASE STREQUAL tlcp_sm4_gcm)
- set(TEST_NAME tlcp_sm4_gcm)
+if(TEST_CASE STREQUAL tlcp_sm4_gcm_sni)
+ set(TEST_NAME tlcp_sm4_gcm_sni)
 set(TEST_PORT 4435)
 set(TEST_CIPHER_SUITE TLS_ECC_SM4_GCM_SM3)
+ set(TEST_CLIENT_CERT OFF)
+elseif(TEST_CASE STREQUAL tlcp_sm4_cbc_sni)
+ set(TEST_NAME tlcp_sm4_cbc_sni)
+ set(TEST_PORT 4431)
+ set(TEST_CIPHER_SUITE TLS_ECC_SM4_CBC_SM3)
+ set(TEST_CLIENT_CERT OFF)
+elseif(TEST_CASE STREQUAL tlcp_sm4_gcm_client_cert)
+ set(TEST_NAME tlcp_sm4_gcm_client_cert)
+ set(TEST_PORT 4436)
+ set(TEST_CIPHER_SUITE TLS_ECC_SM4_GCM_SM3)
+ set(TEST_CLIENT_CERT ON)
 else()
 message(FATAL_ERROR "unknown TLCP test case: ${TEST_CASE}")
 endif()
+set(TEST_SERVER_ARGS
+ tlcp_server
+ -port ${TEST_PORT}
+ -cipher_suite ${TEST_CIPHER_SUITE}
+ -cert sm2_tlcp_server_certs.pem
+ -key sm2_tlcp_server_keys.pem
+ -pass P@ssw0rd)
+
+set(TEST_CLIENT_ARGS
+ tlcp_client
+ -host 127.0.0.1
+ -port ${TEST_PORT}
+ -server_name localhost
+ -cacert sm2_root_ca_cert.pem
+ -cipher_suite ${TEST_CIPHER_SUITE}
+ -in ${TEST_NAME}_message.txt)
+
+if(TEST_CLIENT_CERT)
+ list(APPEND TEST_SERVER_ARGS
+ -cacert sm2_root_ca_cert.pem
+ -cert_request)
+ list(APPEND TEST_CLIENT_ARGS
+ -cert sm2_tls_client_certs.pem
+ -key sm2_tls_client_key.pem
+ -pass P@ssw0rd)
+endif()
+
 gmssl_run_tls_command_test(
 TEST_NAME ${TEST_NAME}
 PORT ${TEST_PORT}
- SERVER_ARGS
- tlcp_server
- -port ${TEST_PORT}
- -cipher_suite ${TEST_CIPHER_SUITE}
- -cert sm2_tlcp_server_certs.pem
- -key sm2_tlcp_server_keys.pem
- -pass P@ssw0rd
- CLIENT_ARGS
- tlcp_client
- -host 127.0.0.1
- -port ${TEST_PORT}
- -server_name localhost
- -cacert sm2_root_ca_cert.pem
- -cipher_suite ${TEST_CIPHER_SUITE}
- -in ${TEST_NAME}_message.txt
+ SERVER_ARGS ${TEST_SERVER_ARGS}
+ CLIENT_ARGS ${TEST_CLIENT_ARGS}
 )
diff --git a/include/gmssl/tls.h b/include/gmssl/tls.h
index 977c70e0..27e7a8e2 100644
--- a/include/gmssl/tls.h
+++ b/include/gmssl/tls.h
@@ -1025,7 +1025,7 @@ int tls13_ctx_set_key_update_seq_num_limit(TLS_CTX *ctx, size_t max_seq_num);
-#define TLS_MAX_CERTIFICATES_SIZE 2048
+#define TLS_MAX_CERTIFICATES_SIZE 4096
 #define TLS_DEFAULT_VERIFY_DEPTH 4
 #define TLS_MAX_VERIFY_DEPTH 5
diff --git a/include/gmssl/version.h b/include/gmssl/version.h
index 753e8b26..4503fdb6 100644
--- a/include/gmssl/version.h
+++ b/include/gmssl/version.h
@@ -18,7 +18,7 @@ extern "C" {
 #define GMSSL_VERSION_NUM 30200
-#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1112"
+#define GMSSL_VERSION_STR "GmSSL 3.2.0-dev.1113"
 int gmssl_version_num(void);
 const char *gmssl_version_str(void);
diff --git a/tools/tlcp_help.h b/tools/tlcp_help.h
index b90bc8b4..d13022ca 100644
--- a/tools/tlcp_help.h
+++ b/tools/tlcp_help.h
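Review bot: `gmssl_require_file(sm2_tls_client_certs.pem)` and `gmssl_require_file(sm2_tls_client_key.pem)` are required unconditionally at the top of the script, so the two `_sni` cases now fail whenever the client-certificate fixtures are absent even though only `tlcp_sm4_gcm_client_cert` passes them to `tlcp_client`; moving those two calls into the `if(TEST_CLIENT_CERT)` block keeps each case dependent only on the files it uses. The new dispatch repeats the unquoted `if(TEST_CASE STREQUAL tlcp_sm4_gcm_sni)` form; `if("${TEST_CASE}" STREQUAL "tlcp_sm4_gcm_sni")` avoids a second dereference should a variable named like the literal ever exist. The client-cert case only shows that a correctly configured client is accepted; a companion case where the client omits `-cert`/`-key` against a `-cert_request` server, expected to fail, would catch a regression in which the server stops enforcing client authentication, though that needs an expected-failure mode from `gmssl_run_tls_command_test`, which is not visible here.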
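Review bot: `TLS_MAX_CERTIFICATES_SIZE` is doubled from 2048 to 4096 with no comment saying what the value must accommodate; presumably the three-certificate TLCP server chain (sign + enc + CA) or the new two-certificate client chain exercised by this commit no longer fit in 2048, and the next maintainer will have the same question. Suggest `/* bound on a Certificate message; sized for a full TLCP chain (sign + enc + CA certs) */` beside the define, naming the actual limiting chain once confirmed. If this macro bounds data received from the peer, as its name suggests, every buffer declared with it — stack buffers in handshake code in particular — and every length check against it should be reviewed together, since none of those sites appear in this diff.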
@@ -15,29 +15,57 @@
 "\n"
 "Examples\n"
 "\n"
-" gmssl sm2keygen -pass 1234 -out sm2rootcakey.pem\n"
-" gmssl certgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN ROOTCA -days 3650 -key sm2rootcakey.pem -pass 1234 -out sm2rootcacert.pem -key_usage keyCertSign -key_usage cRLSign -ca\n"
-" gmssl sm2keygen -pass 1234 -out sm2cakey.pem\n"
-" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN \"Sub CA\" -key sm2cakey.pem -pass 1234 -out sm2careq.pem\n"
-" gmssl reqsign -in sm2careq.pem -days 365 -key_usage keyCertSign -ca -path_len_constraint 0 -cacert sm2rootcacert.pem -key sm2rootcakey.pem -pass 1234 -out sm2cacert.pem\n"
+" gmssl sm2keygen -pass P@ssw0rd -out sm2_root_ca_key.pem\n"
+" gmssl certgen -C CN -ST Beijing -L Haidian -O GmSSL -OU Test -CN \"GmSSL SM2 Test Root CA\" \\\n"
+" -days 3650 -key sm2_root_ca_key.pem -pass P@ssw0rd -out sm2_root_ca_cert.pem \\\n"
+" -key_usage keyCertSign -key_usage cRLSign -ca\n"
 "\n"
-" gmssl sm2keygen -pass 1234 -out sm2signkey.pem\n"
-" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key sm2signkey.pem -pass 1234 -out sm2signreq.pem\n"
-" gmssl reqsign -in sm2signreq.pem -days 365 -key_usage digitalSignature -cacert sm2cacert.pem -key sm2cakey.pem -pass 1234 -out sm2signcert.pem\n"
+" gmssl sm2keygen -pass P@ssw0rd -out sm2_tlcp_ca_key.pem\n"
+" gmssl reqgen -C CN -ST Beijing -L Haidian -O GmSSL -OU Test -CN \"GmSSL SM2 TLCP CA\" \\\n"
+" -key sm2_tlcp_ca_key.pem -pass P@ssw0rd -out sm2_tlcp_ca_req.pem\n"
+" gmssl reqsign -in sm2_tlcp_ca_req.pem -days 1825 -key_usage keyCertSign \\\n"
+" -key_usage cRLSign -path_len_constraint 0 -cacert sm2_root_ca_cert.pem \\\n"
+" -key sm2_root_ca_key.pem -pass P@ssw0rd -out sm2_tlcp_ca_cert.pem -ca\n"
 "\n"
-" gmssl sm2keygen -pass 1234 -out sm2enckey.pem\n"
-" gmssl reqgen -C CN -ST Beijing -L Haidian -O PKU -OU CS -CN localhost -key sm2enckey.pem -pass 1234 -out sm2encreq.pem\n"
-" gmssl reqsign -in sm2encreq.pem -days 365 -key_usage keyEncipherment -cacert sm2cacert.pem -key sm2cakey.pem -pass 1234 -out sm2enccert.pem\n"
+" gmssl sm2keygen -pass P@ssw0rd -out sm2_tlcp_server_sign_key.pem\n"
+" gmssl reqgen -C CN -ST Beijing -L Haidian -O GmSSL -OU Test -CN \"GmSSL SM2 TLCP Server\" \\\n"
+" -key sm2_tlcp_server_sign_key.pem -pass P@ssw0rd -out sm2_tlcp_server_sign_req.pem\n"
+" gmssl reqsign -in sm2_tlcp_server_sign_req.pem -days 365 -key_usage digitalSignature \\\n"
+" -ext_key_usage serverAuth -subject_dns_name localhost -cacert sm2_tlcp_ca_cert.pem \\\n"
+" -key sm2_tlcp_ca_key.pem -pass P@ssw0rd -out sm2_tlcp_server_sign_cert.pem\n"
+" gmssl sm2keygen -pass P@ssw0rd -out sm2_tlcp_server_enc_key.pem\n"
+" gmssl reqgen -C CN -ST Beijing -L Haidian -O GmSSL -OU Test -CN \"GmSSL SM2 TLCP Server\" \\\n"
+" -key sm2_tlcp_server_enc_key.pem -pass P@ssw0rd -out sm2_tlcp_server_enc_req.pem\n"
+" gmssl reqsign -in sm2_tlcp_server_enc_req.pem -days 365 -key_usage keyEncipherment \\\n"
+" -ext_key_usage serverAuth -subject_dns_name localhost -cacert sm2_tlcp_ca_cert.pem \\\n"
+" -key sm2_tlcp_ca_key.pem -pass P@ssw0rd -out sm2_tlcp_server_enc_cert.pem\n"
 "\n"
-" cat sm2signcert.pem > tlcpcert.pem\n"
-" cat sm2enccert.pem >> tlcpcert.pem\n"
-" cat sm2cacert.pem >> tlcpcert.pem\n"
-" cat sm2signkey.pem > tlcpkey.pem\n"
-" cat sm2enckey.pem >> tlcpkey.pem\n"
+" cat sm2_tlcp_server_sign_cert.pem > sm2_tlcp_server_certs.pem\n"
+" cat sm2_tlcp_server_enc_cert.pem >> sm2_tlcp_server_certs.pem\n"
+" cat sm2_tlcp_ca_cert.pem >> sm2_tlcp_server_certs.pem\n"
+" cat sm2_tlcp_server_sign_key.pem > sm2_tlcp_server_keys.pem\n"
+" cat sm2_tlcp_server_enc_key.pem >> sm2_tlcp_server_keys.pem\n"
 "\n"
-" gmssl tlcp_server -port 4431 -cert tlcpcert.pem -key tlcpkey.pem -pass 1234 -cipher_suite TLS_ECC_SM4_CBC_SM3\n"
-" gmssl tlcp_client -port 4431 -host 127.0.0.1 -cacert sm2rootcacert.pem -cipher_suite TLS_ECC_SM4_CBC_SM3\n"
+" gmssl sm2keygen -pass P@ssw0rd -out sm2_tls_client_key.pem\n"
+" gmssl reqgen -C CN -ST Beijing -L Haidian -O GmSSL -OU Test -CN \"GmSSL SM2 TLS Client\" \\\n"
+" -key sm2_tls_client_key.pem -pass P@ssw0rd -out sm2_tls_client_req.pem\n"
+" gmssl reqsign -in sm2_tls_client_req.pem -days 365 -key_usage digitalSignature \\\n"
+" -ext_key_usage clientAuth -cacert sm2_tlcp_ca_cert.pem -key sm2_tlcp_ca_key.pem \\\n"
+" -pass P@ssw0rd -out sm2_tls_client_cert.pem\n"
+" cat sm2_tls_client_cert.pem > sm2_tls_client_certs.pem\n"
+" cat sm2_tlcp_ca_cert.pem >> sm2_tls_client_certs.pem\n"
 "\n"
-" gmssl tlcp_server -port 4431 -cert tlcpcert.pem -key tlcpkey.pem -pass 1234 -cacert sm2cacert.pem -cipher_suite TLS_ECC_SM4_CBC_SM3 -cert_request -verbose\n"
-" gmssl tlcp_client -port 4431 -host 127.0.0.1 -cacert sm2rootcacert.pem -cipher_suite TLS_ECC_SM4_CBC_SM3 -cert sm2signcert.pem -key sm2signkey.pem -pass 1234 -verbose\n"
+" printf 'hello tlcp\\n' > message.txt\n"
+"\n"
+" gmssl tlcp_server -port 4431 -cert sm2_tlcp_server_certs.pem -key sm2_tlcp_server_keys.pem -pass P@ssw0rd \\\n"
+" -cipher_suite TLS_ECC_SM4_CBC_SM3\n"
+" gmssl tlcp_client -host 127.0.0.1 -port 4431 -server_name localhost -cacert sm2_root_ca_cert.pem \\\n"
+" -cipher_suite TLS_ECC_SM4_CBC_SM3 -in message.txt\n"
+"\n"
+" gmssl tlcp_server -port 4436 -cert sm2_tlcp_server_certs.pem -key sm2_tlcp_server_keys.pem -pass P@ssw0rd \\\n"
+" -cipher_suite TLS_ECC_SM4_GCM_SM3 -cacert sm2_root_ca_cert.pem -cert_request\n"
+" gmssl tlcp_client -host 127.0.0.1 -port 4436 -server_name localhost -cacert sm2_root_ca_cert.pem \\\n"
+" -cipher_suite TLS_ECC_SM4_GCM_SM3 \\\n"
+" -cert sm2_tls_client_certs.pem -key sm2_tls_client_key.pem -pass P@ssw0rd \\\n"
+" -in message.txt\n"
 "\n"