| Jan 2021. This page gets many hits. Please can you tell me if the information below is what you were looking for, or if you were looking for more information, such as understanding the trace flow, and finding problems. Please send me an email or post a comment below with information on what you were looking for, and I’ll see what I can do. |
There are different levels you can get from the -Djavax.net.debug option. You can display its options using -Djavax.net.debug=help .
Ive added a section on -Djava.security.debug=… which looks at keystore access.
Ive also added a examples of what each trace option give you.
I’ve also put up a post which describes the trace, and has an annotated output (from both ends), showing common problems and possible solutions.
With -Djavax.net.debug you get
all turn on all debugging ssl turn on ssl debugging The following can be used with ssl: record enable per-record tracing handshake print each handshake message keygen print key generation data session print session activity defaultctx print default SSL initialization sslctx print SSLContext tracing sessioncache print session cache tracing keymanager print key manager tracing trustmanager print trust manager tracing pluggability print pluggability tracing handshake debugging can be widened with: data hex dump of each handshake message verbose verbose handshake message printing record debugging can be widened with: plaintext hex dump of record plaintext packet print raw SSL/TLS packets
and your program exits.
To display specific levels of detail you can use
-Djavax.net.debug=ssl:recordor-Djavax.net.debug=ssl:handshake
To specify more than one option use
-Djavax.net.debug=ssl:keymanager:record
-Djava.security.debug=
Out of all the options below, I found certpath,provider provided the most useful information for seeing what was happening with certificates and the handshake. For example
certpath: X509CertSelector.match(SN: 1a
Issuer: CN=TEMP4Certification Authority, OU=TEST, O=TEMP
Subject: CN=SERVER, OU=SSS, O=ZZZZ)
certpath: X509CertSelector.match: subject DNs don’t match
certpath: ForwardBuilder.getMatchingCACerts: found 0 CA certs
certpath: SunCertPathBuilder.depthFirstSearchForward(): certs.size=0
certpath: PKIXCertPathValidator.engineValidate()…
certpath: AdaptableX509CertSelector.match: subject key IDs don’t match. Expected: [] Cert’s: []
certpath: NO – don’t try this trustedCert
certpath: X509CertSelector.match(SN: 0
Issuer: CN=TEMP4Certification Authority, OU=TEST, O=TEMP
Subject: CN=TEMP4Certification Authority, OU=TEST, O=TEMP)
certpath: X509CertSelector.match returning: true
certpath: YES – try this trustedCert
certpath: anchor.getTrustedCert().getSubjectX500Principal() = CN=TEMP4Certification Authority, OU=TEST, O=TEMP
certpath: AlgorithmChecker.contains: SHA256withRSA
Provider: MessageDigest.SHA-256 algorithm from: SUN
I grepped with pkcs12: and got
pkcs12: Loading PKCS#7 encryptedData (PBEWithSHA1AndRC2_40 iterations: 2048)
pkcs12: Loading PKCS#7 data
pkcs12: Checking keystore integrity (HmacPBESHA1 iterations: 2048)
pkcs12: PKCS12KeyStore load: private key count: 1. secret key count: 0. certificate count: 1
pkcs12: Retrieved a protected private key at alias ‘ss’ (PBEWithSHA1AndDESede iterations: 2048)
pkcs12: Retrieved a 1-certificate chain at alias ‘ss’
The options…
all turn on all debugging - this produces millions of lines of
output for one handshake!
access print all checkPermission results
certpath PKIX CertPathBuilder and CertPathValidator debugging
combiner SubjectDomainCombiner debugging
gssloginconfig GSS LoginConfigImpl debugging
configfile JAAS ConfigFile loading
configparser JAAS ConfigFile parsing
jar jar verification
logincontext login context results
jca JCA engine class debugging
policy loading and granting
provider security provider debugging
pkcs11 PKCS11 session manager debugging
pkcs11keystore PKCS11 KeyStore debugging
sunpkcs11 SunPKCS11 provider debugging
scl permissions SecureClassLoader assigns
ts timestamping
The following can be used with access:
stack include stack trace
domain dump all domains in context
failure before throwing exception, dump stack and domain that
didn't have permission
thread include the thread name
The following can be used with stack and domain:
permission=<classname>
only dump output if specified permission is being checked
codebase=<URL> only dump output if specified codebase is being checked
permname=<name> only dump output if the specified name matches the
permission getName()
permactions=<actions> only dump output if the specified actions
matches the permission getActions()
The following can be used with provider:
engine=<engines> only dump output for the specified list of JCA engines.
Supported values:
Cipher, KeyAgreement, KeyGenerator,
KeyPairGenerator, KeyStore, Mac,
MessageDigest, SecureRandom, Signature.
Note: Separate multiple options with a comma
-Djavax.net.debug=ssl:record
gave
records doing read and write ... SSLSocketOutputRecord.java:241|WRITE: TLS12 handshake, length = 294 SSLSocketInputRecord.java:214|READ: TLSv1.2 handshake, length = 2948 ...
-Djavax.net.debug=ssl:handshake
gave all of the sections.
-Djavax.net.debug=ssl:handshake:verbose
gave the same as ssl:handshake +
Signature algorithm, ed448, is not supported by the underlying providers
SignatureScheme.java:373|Ignore unsupported signature scheme: ed25519
SignatureScheme.java:373|Ignore unsupported signature scheme: ed448
SignatureScheme.java:393|Ignore disabled signature scheme: rsa_md5
-Djavax.net.debug=ssl:keygen
gave: No records.
-Djavax.net.debug=ssl:session
gave just
Session initialized: Session(1611922238363|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
Djavax.net.debug=ssl:defaultctx
gave No records.
-Djavax.net.debug=ssl:sslctx
gave
javax.net.ssl|DEBUG|01|main|2021-01-29 12:29:48.847 GMT|X509TrustManagerImpl.java:79|adding as trusted certificates (
"certificate" : {
"subject" : "CN=DANCA1, OU=DAN, O=DAN",
...
"certificate" : {
"subject" : "CN=SS, O=SSS, C=GB",
...
"certificate" : {
"subject" : "CN=ecec, O=cpwebuser, C=GB",
...
System property jdk.tls.client.cipherSuites is set to 'null'
System property jdk.tls.server.cipherSuites is set to 'null'
jdk.tls.keyLimits: entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
Ignore unsupported cipher suite: TLS_AES_256_GCM_SHA384
found key for : ecec (
"certificate" : {
"subject" : "CN=ecec, O=cpwebuser, C=GB",
"subject" : "CN=SSCA256, OU=CA, O=SSS, C=GB",
...
found key for : mqweb (
"certificate" : {...
trigger seeding of SecureRandom
done seeding of SecureRandom
...
Produced ClientHello handshake message (
"ClientHello": {
...
Consuming ECDH ServerKeyExchange handshake message (
"ECDH ServerKeyExchange": {
"parameters": {
"named group": "secp256r1"
"ecdh public": {
0000: 04 5F 30 8E 64 45 55 C0
0010: 55 23 1B 69 CA FF 78 8D
0020: B5 59 72 BA B4 95 8A 4C
0030: 2B 37 55 3D F2 A5 3D 71
0040: 34
},
},
-Djavax.net.debug=ssl:sessioncache
gave: No records.
-Djavax.net.debug=ssl:keymanager
gave
found key for : ecec (<br>"certificate" : {
"version": "v3",
...
found key for : mqweb (
"certificate" : {
...
-Djavax.net.debug=ssl:trustmanager
gave
adding as trusted certificates</strong> (
"certificate" : {
...
"subject" : "CN=mqweb8, O=cpwebuser, C=GB",
...
"certificate" : {
...
subject" : "CN=DANCA1, OU=DAN, O=DAN",
...
Found trusted certificate</strong> (
"certificate" : {
...
"issuer" : "CN=DANCA1, OU=DAN, O=DAN",
...
"subject" : "CN=DANCA1, OU=DAN, O=DAN",
...
ss private or public key is not of EC algorithm
<p>Where <em>adding as</em> ... is what the local trust store found, and <em>found trusted </em> is what as sent from the server as part of the certificateRequest.</p>
Where adding as… ; is what the local trust store found, and Found trusted certificate is what as sent from the server as part of the certificateRequest.
-Djavax.net.debug=ssl:pluggability
No records.
ColinPaice 
Hello,
Do you know the default option of -Djavax.net.debug please ?
Thank you.
Soziaj
LikeLike
I think the default of -Djavax.net.debug is trace nothing.
LikeLike
Would you know what would cause setting either -Djavax.net.debug=ssl:verbose or -Djavax.security.debug=all to not show the certificate and handshake details? Have an initial client and service set up on Java 11 and removing those generates less logs but adding them does not output the details I’m looking for.
LikeLike
Thanks, nice tip
LikeLike
One of the best descriptions on the web!
LikeLike
This is useful. I came looking for how to configure java with a JVM arge to redirect only the SSL logging to a target log instead of the the console.
LikeLike
Is it possible to explain what the “gave” is at the end of the lines? Example: -Djavax.net.debug=ssl:sslctx gave
Also, is there a way to specify where the log should be created?
Thank you,
LikeLike
Hi Jon, Thanks for the feedback.
The “gave” shows you what was produced so for Linux “ls .” gives the files in my directory. I’ve just reread the blog post – and I agree, it looks wrong. I’ll fix it.
I do not know how to redirect the log.
Colin
LikeLike
Hi Colin,
Would this work? Adding -Djava.util.logging.config.file=myfile
To the startup options? With myfile being a modified version of the logging.properties file?
Thanks,
LikeLike
I think that just points to a properties file. I do not think it tells Java where to write the log data to. I do not have a system at the moment to try it.
LikeLike
Thank you again!
Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexander@wellsfargo.comjonmcalexander@wellsfargo.com
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
LikeLike
The -Djavax.net.debug must be given as a VM option. As an application option, it has no effect. (I am using Eclipse).
LikeLike
Thank you – good to know
LikeLike
Hi,
I have only part of your comment, please can you send me the whole comment. Ive got “should be sufficient in many cases. Otherwise there are a number of other debug options that provide more information”
Thank you
Colij
LikeLike
Is there a way to print only SSL Version negotiated rather than lot of information.
LikeLike
Good question; but I do not know how to get this information. It may be easy, I haven’t looked
LikeLike