test2101

Troubleshooting Java SSL Connections with SSL Trace Output

Written by

adm

in

How to enable Java SSL/TLS debug logs

  1. JVM option (quickest) — start your Java process with:

    Code
    -Djavax.net.debug=ssl,handshake,record,trustmanager

    Common variants:

    • -Djavax.net.debug=all — everything (very verbose).
    • -Djavax.net.debug=ssl — basic SSL/TLS events.
    • -Djavax.net.debug=ssl:handshake:record — handshake plus record-level bytes.
    • Add -Djavax.net.debug=trustmanager to see certificate chain validation.

  2. Programmatic enabling — set system property before any SSL classes load:

    java
    System.setProperty(“javax.net.debug”, “ssl,handshake,trustmanager”);

    Note: must run early (static initializer or before creating SSLSocket/SSLContext).

  3. Logging to a file — redirect stdout/stderr or use JVM option:

    Code
    java -Djavax.net.debug=all -jar app.jar > ssl-debug.log 2>&1

What the main log sections mean

  • Handshake — shows ClientHello/ServerHello, selected protocol (e.g., TLSv1.3), and cipher suite negotiation. Useful to confirm protocol/cipher mismatch.
  • Certificate messages — the server’s certificate chain, subject/issuer, and validation steps (seen with trustmanager). Use this to detect expired, untrusted, or misordered chains.
  • Key exchange / Finished — key exchange details (e.g., ECDHE) and Finished messages proving successful handshake.
  • Record layer — raw encrypted/decrypted record headers and lengths; helps spot unexpected close_notify or truncated records.
  • Alerts — TLS alerts (e.g., handshake_failure, bad_certificate) and their origin (local/remote). Critical for diagnosing failures.
  • TrustManager output — detailed verifications, reason for trust failures (path building, certificate expired, name mismatch).

Typical failure patterns and where they show up

  • Unsupported protocol/cipher — Handshake shows ClientHello list; server either sends no ServerHello or an alert. Check selected protocol/cipher lines.
  • Certificate path validation failure — trustmanager shows exceptions like CertPathValidatorException; look for “PKIX path building failed” or “certificate expired”.
  • Hostname mismatch — certificate validated but host name check fails; look for HostnameVerifier/SSLPeerUnverifiedException entries (application-level).
  • Incomplete chain (missing intermediate) — server cert chain printed but lacks issuer; trustmanager indicates unable to find valid path.
  • Client auth required — server sends CertificateRequest; handshake stalls if client has no certificate.

Quick diagnostic steps when you see a failure

  1. Search the log for “alert”, “Exception”, “handshakefailure”, or “CertificateException”.
  2. Confirm protocol and cipher: locate ClientHello/ServerHello lines and compare supported lists.
  3. Inspect certificate chain printed under Certificate messages: check validity dates, issuer, and whether intermediates are present.
  4. If trust errors appear, export server certs and test with keytool: 
    Code
    keytool -printcert -sslserver host:port
  5. For hostname issues, verify the certificate’s CN/SAN entries include the target host.

Tools and commands that help

  • openssl s_client -connect host:port -showcerts — view server cert chain and negotiated protocol.
  • keytool -printcert -sslserver host:port — Java-friendly cert inspection.
  • curl –tlsv1.2 -v https://host/ or nmap –script ssl-enum-ciphers -p 443 host — protocol/cipher checks.

Practical tips

  • Start with narrower debug flags (ssl,handshake,trustmanager) before all to reduce noise.
  • Reproduce the issue with increased logging only in test or controlled environments; debug logs can contain sensitive cert info.
  • When diagnosing, capture both client and server logs if possible.
  • For long-lived services, route logs to a file and rotate them.

If you want, I can analyze a specific SSL debug log snippet you provide and point to the exact cause.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts