T80
The Openssl s_client looks limited and can only do simple GET commands. It emulates a simple ssl clients and doesn’t allow tunneling through it. Debian freeze is a bummer and they likely won’t let exceptions through for curl.
Yet another option that can be added to the ticket is a SSL wrapping server. Titus is a minimalistic wrapper that is security minded. It was designed to isolate private keys of SSL connections to protect against heartbleed class of bugs. Curl couldn’t do that and its out of its scope anyway curl.haxx.se/mail/lib-2014-04/0109.html. Titus was featured in Red hat security blog and is available for Debian wheezy+ opsmate.com/titus/
T135
A solution is to make a list of whonix network facing libs then compare with alerts from Debian support package. Those that match can be called out in an alert. A whonixcheck module can handle it.