Well, EJP was on the right track, but didn't take it quite far enough or explain it thoroughly enough.
In order to verify a client certificate is being sent to the server, you need to analyze the output from the combination of the -state and -debug flags.
First as a baseline, try running
openssl s_client -connect host:443 -state -debug
You'll get a ton of output, but the lines we are interested in look like this:
SSL_connect:SSLv3 read server done A write to 0x211efb0 [0x21ced50] (12 bytes => 12 (0xC)) 0000 - 16 03 01 00 07 0b 00 00-03 . 000c - SSL_connect:SSLv3 write client certificate A
What's happening here:
- The -state flag is responsible for displaying the end of the previous section: "SSL_connect:SSLv3 read server done A". This is only important for helping you find your place in the output.
- Then the -debug flag is showing the raw bytes being sent in the next step: "write to...", "0000 - ...", "000c - ...".
- Finally, the -state flag is once again reporting the result of the step that -debug just echoed: "SSL_connect:SSLv3 write client certificate A".
So in other words: s_client finished reading data sent from the server, and sent 12 bytes to the server as (what I assume is) a "no client certificate" message.
If you repeat the test, but this time include the -cert and -key flags like this,
openssl s_client -connect host:443 -cert cert_and_key.pem -key cert_and_key.pem -state -debug
your output between the "read server done" line and the "write client certificate" line will be much longer, representing the binary form of your client certificate:
SSL_connect:SSLv3 read server done A write to 0x7bd970 [0x86d890] (1576 bytes => 1576 (0x628)) 0000 - 16 03 01 06 23 0b 00 06-1f 00 06 1c 00 06 19 31 .#.1 (*SNIP*) 0620 - 95 ca 5e f4 2f 6c 43 11- ..^%/lC. SSL_connect:SSLv3 write client certificate A
The "1576 bytes" is an excellent indication on its own that the cert was transmitted, but on top of that, the right-hand column will show parts of the certificate that are human-readable: You should be able to recognize the CN and issuer strings of your cert in there.