s_client can be used to debug SSL servers. To connect to an SSL HTTP server the command:
openssl s_client -connect servername:443
would typically be used (https uses port 443). If the connection succeeds then an HTTP command can be given such as GET / to retrieve a web page.
If the handshake fails then there are several possible causes, if it is nothing obvious like no client certificate then the -bugs, -ssl2, -ssl3, -tls1, -no_ssl2, -no_ssl3, -no_tls1 can be tried in case it is a buggy server. In particular you should play with these options before submitting a bug report to an openssl mailing list.
A frequent problem when attempting to get client certificates working is that a web client complains it has no certificates or gives an empty list to choose from. This is normally because the server is not sending the clients certificate authority in its “acceptable CA list” when it requests a certificate. By using s_client the CA list can be viewed and checked. However some servers only request client authentication after a specific URL is requested. To obtain the list in this case it is necessary to use the -prexit command and send an HTTP request for an appropriate page.
If a certificate is specified on the command line using the -cert option it will not be used unless the server specifically requests a client certificate. Therefor merely including a client certificate on the command line is no guarantee that the certificate works.
If there are problems verifying a server certificate then the -showcerts option can be used to show the whole chain.