Enabling SSL debugging in a standalone Java program

Solution Verified - Updated -

Environment

  • Java
    • OpenJDK
      • 1.6
      • 1.7
      • 1.8
    • Oracle Java runtime
      • 1.6
      • 1.7
      • 1.8

Issue

  • How to enable SSL debugging in a standalone Java program that makes SSL connections?

Resolution

  • You can use the following as a java argument when starting a standalone Java client.
 -Djavax.net.debug=ssl,handshake
  • To get more filtered logging you can use:
-Djavax.net.debug=ssl:handshake:verbose:keymanager:trustmanager -Djava.security.debug=access:stack
java -Djavax.net.debug=ssl:handshake:verbose:keymanager:trustmanager -Djava.security.debug=access:stack  JavaHttpsClient https://example.com:port 1
  • To get decrypted HTTP requests/responses:
java -Djavax.net.debug=ssl:record:plaintext  JavaHttpsClient https://example.com:port 1

NOTE :https://example.com:port is the server being invoked host and HTTPS port. This can also be anything like https://www.redhat.com. Also, "1" means the number of calls. In the above example it is only a single call.

  • To show available options which can be set to javax.net.debug:
java -Djavax.net.debug=help JavaHttpsClient https://redhat.com/ 1

Attachments

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

3 Comments

See [1] for a complete list of SSL related javax.net.debug options

[1] http://stackoverflow.com/questions/23659564/limiting-java-ssl-debug-logging

I believe the best source for the complete list of options for javax.net.debug is http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#Debug

This is helpful, even though it's years old.

That said, the zip of files is missing a needed JavaHttpsClient$1.class, as otherwise we get a NoClassDefFoundError looking for JavaHttpsClient$1. For folks who trip over this and want to fix it themselves, note that the zip also contains the java source as well. You can easily compile it, which will create the class.

(For those who are more admins rather than developers who want to use this, note that you can easily do the compile with "javac JavaHttpsClient.java", though you may need to modify the command to point to where your javac lives and/or where the JavaHttpsClient.java lives. I won't elaborate, as it's going well beyond the scope of this post.)