Enable Java SSL TLS Debugging | Generated by AI
Enabling SSL/TLS Debugging in Java
To enable detailed logging for SSL/TLS-related activities in Java (e.g., handshakes, certificate validation, key exchanges), you use the JVM system property -Djavax.net.debug. This outputs debug information to the console (stdout/stderr) when your Java application runs.
Step-by-Step Instructions
- Choose the Debug Level:
  - Use `ssl` for basic SSL/TLS handshake details.
  - Use `ssl:handshake` for verbose handshake messages (including cipher suites and certificates).
  - Use `all` for comprehensive debugging (includes SSL plus other network protocols—use sparingly as it's very verbose).
  - Common recommendation: Start with `ssl:handshake:verbose,keymanager:trustmanager` for targeted SSL insights.
- Set the Property When Running Your Java Application:
  - Command-Line Execution (e.g., via `java` command):

        java -Djavax.net.debug=ssl:handshake -jar your-app.jar

    Replace `your-app.jar` with your actual application or class (e.g., `com.example.Main`).
  - In an IDE (e.g., IntelliJ IDEA, Eclipse):
    - Go to Run/Debug Configurations.
    - Add `-Djavax.net.debug=ssl:handshake` to the VM options field.
    - Run or debug the configuration.
  - In a Build Tool (e.g., Maven or Gradle):
    - Maven (in `pom.xml` under `<build><plugins><plugin>` for surefire):

          <configuration>
            <argLine>-Djavax.net.debug=ssl:handshake</argLine>
          </configuration>

    - Gradle (in `build.gradle`):

          test {
              jvmArgs '-Djavax.net.debug=ssl:handshake'
          }

- Capture the Logs:
  - The output appears in your console/terminal.
  - Redirect to a file for easier review:

        java -Djavax.net.debug=ssl:handshake -jar your-app.jar > ssl-debug.log 2>&1

  - Look for lines starting with `***` (e.g., `*** ClientHello` for handshake starts) or `javax.net.ssl` prefixes.
- Disable It:
  - Simply remove the `-D` flag when done—it's not set by default to avoid performance overhead.
Example Output Snippet
When enabled, you’ll see something like:
    *** ServerHello, TLSv1.2
    RandomCookie: GMT: 1731000000 bytes = { ... }
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    Compression Method: 0
    ***
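An added example, not part of the original page: a small shell helper that pulls the negotiated protocol and cipher suite out of a captured log such as `ssl-debug.log`. It assumes the `*** ServerHello, <protocol>` block layout shown in the snippet above (other JDK releases may format these lines differently); the function names, the constructed sample log and the rule that marks anything other than TLSv1.2/TLSv1.3 for review are assumptions of this example.

```shell
# Added example: summarise negotiated TLS parameters from a javax.net.debug
# log, assuming the "*** ServerHello, <protocol>" block layout shown above.

# Constructed sample log (not a real capture).
sample_log() {
    cat <<'EOF'
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1731000000 bytes = { ... }
***
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1731000000 bytes = { ... }
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
***
*** ServerHello, TLSv1
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
***
EOF
}

# Prints "<protocol> <cipher suite> <ok|review>" per ServerHello block.
# Reads the file(s) given as arguments, or stdin when none are given.
summarize_tls_log() {
    awk '
        /^\*\*\* ServerHello,/ {            # block start: negotiated protocol
            proto = $0
            sub(/^\*\*\* ServerHello,[ \t]*/, "", proto)
            sub(/[ \t\r]+$/, "", proto)
            suite = "-"; in_hello = 1
            next
        }
        in_hello && /^Cipher Suite:/ {      # chosen cipher suite
            suite = $0
            sub(/^Cipher Suite:[ \t]*/, "", suite)
            sub(/[ \t\r]+$/, "", suite)
            next
        }
        in_hello && /^\*\*\*[ \t\r]*$/ {    # bare "***" closes the block
            # Assumption: only TLSv1.2 and TLSv1.3 count as expected.
            status = (proto == "TLSv1.2" || proto == "TLSv1.3") ? "ok" : "review"
            printf "%s %s %s\n", proto, suite, status
            in_hello = 0
        }
    ' "$@"
}

sample_log | summarize_tls_log
```

Against a real capture, call `summarize_tls_log ssl-debug.log` and look at any line ending in `review`.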
Tips
- This works for Java 8+ (including 11, 17, 21). In newer versions, you might also enable `-Djdk.tls.client.protocols=TLSv1.2,TLSv1.3` for protocol-specific logs.
- High verbosity can slow down your app and flood logs—test in a dev environment.
- If using a framework like Spring Boot, add it to `application.properties`: `debug=true` (for general) or via command-line args.
For more details, see the official Oracle docs: Java Secure Socket Extension (JSSE) Reference Guide.