Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

limiting java ssl debug logging

Using JVM flag

-Djavax.net.debug=ssl 

is producing a tremendous ammount of logging, the details for every SSL event on the server. Is there anyway to only have it log errors? or possibly there is some better subset of these flags that produce tidier output

all            turn on all debugging ssl            turn on ssl debugging  The following can be used with ssl:      record       enable per-record tracing     handshake    print each handshake message     keygen       print key generation data     session      print session activity     defaultctx   print default SSL initialization     sslctx       print SSLContext tracing     sessioncache print session cache tracing     keymanager   print key manager tracing     trustmanager print trust manager tracing     pluggability print pluggability tracing      handshake debugging can be widened with:     data         hex dump of each handshake message     verbose      verbose handshake message printing      record debugging can be widened with:     plaintext    hex dump of record plaintext     packet       print raw SSL/TLS packets 

Further reading

  • JavaSE 8: Java Secure Socket Extension (JSSE) Reference Guide: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html
  • JavaSE 8: Debugging SSL/TLS Connections: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ReadDebug.html
  • JavaSE 11: Java Secure Socket Extension (JSSE) Reference Guide: https://docs.oracle.com/en/java/javase/11/security/java-secure-socket-extension-jsse-reference-guide.html
like image 563
Steve Renyolds Avatar asked May 14 '14 15:05

Steve Renyolds


People also ask

How do you debug SSL handshake?

To diagnose failures during the application phase, you must decrypt the SSL session using a utility, such as ssldump. You can enable SSL debug logging on the BIG-IP system, test SSL connections for the virtual server using a web browser or the OpenSSL client, and then review the debug log files.

How do I enable SSL debug logs?

Command-Line Properties for Enabling SSL Debuggingdebug=all property enables debug logging within the JSSE-based SSL implementation. The -Dssl. debug=true and -Dweblogic. StdoutDebugEnabled=true command-line properties enable debug logging of the SSL calling code within WebLogic Server.

What is SSL trace?

About the SSL Debug Trace The SSL debug trace displays information about the following: Trusted certificate authorities. SSL server configuration information. Server identity (private key and digital certificate)

How do I run Java in debug mode?

A Java program can be debugged simply by right clicking on the Java editor class file from Package explorer. Select Debug As → Java Application or use the shortcut Alt + Shift + D, J instead. Either actions mentioned above creates a new Debug Launch Configuration and uses it to start the Java application.


2 Answers

The format for using the additional ssl flags is ssl:[flag] for example:

-Djavax.net.debug=ssl:record or -Djavax.net.debug=ssl:handshake.

like image 68
Alan MacK Avatar answered Sep 27 '22 19:09

Alan MacK


I also find that using -Djavax.net.debug=ssl (or even its filters) to be too cumbersome for debugging HTTPS issues.

It's a little bit involved, but what I prefer to do is setup mitmproxy on a cheap server somewhere and then configure my Java clients to proxy through it. This way I can comfortably inspect and replay HTTPS request/response flows on the proxy without having to comb through a bunch of logs.

If you are you interested, I've written a guide on how to get this going: Debugging SSL in Java using mitmproxy

like image 41
capotej Avatar answered Sep 27 '22 20:09

capotej