In order to verify a client certificate is being sent to the server, you need to analyze the output from the combination of the -state and -debug flags.
First as a baseline, try running
$ openssl s_client -connect host:443 -state -debug
You’ll get a ton of output, but the lines we are interested in look like this:
SSL_connect:SSLv3 read server done A
write to 0x211efb0 [0x21ced50] (12 bytes => 12 (0xC))
0000 - 16 03 01 00 07 0b 00 00-03 .........
000c - <SPACES/NULS>
SSL_connect:SSLv3 write client certificate A
What’s happening here:
-
The
-stateflag is responsible for displaying the end of the previous section:SSL_connect:SSLv3 read server done AThis is only important for helping you find your place in the output.
-
Then the
-debugflag is showing the raw bytes being sent in the next step:write to 0x211efb0 [0x21ced50] (12 bytes => 12 (0xC)) 0000 - 16 03 01 00 07 0b 00 00-03 ......... 000c - <SPACES/NULS> -
Finally, the
-stateflag is once again reporting the result of the step that-debugjust echoed:SSL_connect:SSLv3 write client certificate A
So in other words: s_client finished reading data sent from the server, and sent 12 bytes to the server as (what I assume is) a “no client certificate” message.
If you repeat the test, but this time include the -cert and -key flags like this:
$ openssl s_client -connect host:443 \
-cert cert_and_key.pem \
-key cert_and_key.pem \
-state -debug
your output between the “read server done” line and the “write client certificate” line will be much longer, representing the binary form of your client certificate:
SSL_connect:SSLv3 read server done A
write to 0x7bd970 [0x86d890] (1576 bytes => 1576 (0x628))
0000 - 16 03 01 06 23 0b 00 06-1f 00 06 1c 00 06 19 31 ....#..........1
(*SNIP*)
0620 - 95 ca 5e f4 2f 6c 43 11- ..^%/lC.
SSL_connect:SSLv3 write client certificate A
The 1576 bytes is an excellent indication on its own that the cert was transmitted, but on top of that, the right-hand column will show parts of the certificate that are human-readable: You should be able to recognize the CN and issuer strings of your cert in there.