How to Limit Java SSL Debug Logging
Today, we will learn about Java SSL debug, its importance, various utilities and how to use one or multiple in a single command.
Java SSL Debug and Its Importance
Handling SSL (Secure Socket Layer) in Java web applications is not fun, particularly when the browser shows an ugly "Page Cannot Be Displayed" error and there are no troubleshooting or debugging logs to go on.
Situations like this show the importance of SSL debug logging, which we can easily enable in our applications to start seeing verbose logs. These logs guide us (the developers) toward the cause of the error.
There are various debug utilities that we can use. The following one enables all SSL debugging logs in our application server's JVM (Java Virtual Machine).
Don’t forget to restart your application server after adding the following JVM command line parameter.
```
-Djavax.net.debug=ssl
```
The problem is that the above option turns on all SSL debugging, which may not be required in every scenario.
So, how can we limit Java SSL debug logging? Let’s learn it below.
Limit Java SSL Debug Logging
Using the `-Djavax.net.debug=ssl` option logs a tremendous amount of detail for every SSL event on a server. How can we limit it to what our project requires?
To do so, we append a debug specifier (also known as a flag), separated by a colon (`:`), naming the area for which we want SSL debug logging. For instance, we can log only the handshake as follows.
```
-Djavax.net.debug=ssl:handshake
```
Remember that we must always specify the base `javax.net.debug` value, whether it is `ssl` or `all`; the debug specifier that follows it is optional.
We can also use multiple debug specifiers, and no separator is required between them, although a separator (`:` or `,`) improves readability. See the following example.
```
-Djavax.net.debug=ssl:handshake,record,session
```
The above command can also use a colon (`:`) as the separator between multiple debug specifiers. It does not matter which separator we use, and the order of the debug specifiers is also not important. If you put spaces in the value, quote the whole option so the shell passes it to the JVM as a single argument.
Following are some options that can be useful for you to know.
| Debug Specifier (Option) | Description |
|---|---|
| `all` | Turns on all debugging. |
| `ssl` | Turns on all SSL debugging. |
| `record` | Used with `ssl`; enables per-record tracing. |
| `handshake` | Used with `ssl`; prints every handshake message. |
| `keygen` | Used with `ssl`; prints key generation data. |
| `session` | Used with `ssl`; prints session activity. |
| `defaultctx` | Used with `ssl`; prints default SSL initialization. |
| `sslctx` | Used with `ssl`; prints SSL context tracing. |
| `sessioncache` | Used with `ssl`; prints session cache tracing. |
| `keymanager` | Used with `ssl`; prints key manager tracing. |
| `trustmanager` | Used with `ssl`; prints trust manager tracing. |
| `data` | Hex dump of every handshake message; widens `handshake` debugging. |
| `verbose` | Verbose handshake message printing; widens `handshake` debugging. |
| `plaintext` | Hex dump of record plaintext; widens `record` debugging. |
| `packet` | Prints raw SSL/TLS packets; widens `record` debugging. |
You can use any of them as per your needs and project requirements.
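As an added example (not code from the original article), the following POSIX shell helper builds the `-Djavax.net.debug` option from the specifiers in the table above, rejects names that are not in the table so a typo does not silently leave you with no useful logging, and warns when a widening specifier (`data`, `verbose`, `plaintext`, `packet`) is used without the area it widens. The function name `java_ssl_debug_opt` and the `app.jar` in the usage comment are assumptions; the specifier names and the `handshake`/`record` widening relationships come from the table.

```shell
#!/bin/sh
# Added example (not from the original article): build a -Djavax.net.debug
# option from the specifiers listed in the table above, reject unknown names,
# and warn when a "widening" specifier is used without the area it widens.

# Specifiers that are used together with ssl (from the table above).
SSL_SPECIFIERS="record handshake keygen session defaultctx sslctx sessioncache keymanager trustmanager"
# data/verbose widen handshake output; plaintext/packet widen record output.
HANDSHAKE_WIDENERS="data verbose"
RECORD_WIDENERS="plaintext packet"

# has_word WORD ITEM... : succeeds when WORD equals one of the ITEMs.
has_word() {
    needle="$1"
    shift
    for item in "$@"; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

# java_ssl_debug_opt [SPECIFIER...] : prints the JVM option on stdout.
# With no specifiers it prints plain -Djavax.net.debug=ssl (everything).
# Returns 1 without printing anything if a specifier is not in the table.
java_ssl_debug_opt() {
    value="ssl"
    for spec in "$@"; do
        if ! has_word "$spec" $SSL_SPECIFIERS $HANDSHAKE_WIDENERS $RECORD_WIDENERS; then
            echo "java_ssl_debug_opt: unknown debug specifier '$spec'" >&2
            return 1
        fi
        # First specifier follows ssl after a colon, the rest are comma separated
        # (the JVM accepts either; this is just the readable form from the article).
        if [ "$value" = "ssl" ]; then
            value="ssl:$spec"
        else
            value="$value,$spec"
        fi
    done
    for w in $HANDSHAKE_WIDENERS; do
        if has_word "$w" "$@" && ! has_word handshake "$@"; then
            echo "warning: '$w' widens handshake output, but handshake is not enabled" >&2
        fi
    done
    for w in $RECORD_WIDENERS; do
        if has_word "$w" "$@" && ! has_word record "$@"; then
            echo "warning: '$w' widens record output, but record is not enabled" >&2
        fi
    done
    printf '%s\n' "-Djavax.net.debug=$value"
}

# Typical use: start the application with handshake and session logging only.
# java "$(java_ssl_debug_opt handshake session)" -jar app.jar   # app.jar is a placeholder
java_ssl_debug_opt handshake session
```

The option is printed on stdout and every diagnostic goes to stderr, so the helper can be used directly inside a command substitution on the `java` command line or in a start-up script without the warnings ending up in the JVM arguments.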