How to Limit Java SSL Debug Logging

Mehvish Ashiq Feb 02, 2024

Today, we will learn about Java SSL debug logging, why it matters, which debug specifiers are available, and how to use one or several of them in a single JVM parameter.

Java SSL Debug and Its Importance

Handling SSL (Secure Sockets Layer) in Java web applications is not fun, particularly when the browser shows nothing more than an ugly Page Cannot Be Displayed error and there are no troubleshooting or debug logs to go on.

Situations like these show the value of SSL debug logging, which we can easily enable to get verbose logs that point us (the developers) towards the cause of the error.

There are various debug options we can use. The following one enables all SSL debug logging in our application server's JVM (Java Virtual Machine).

Don’t forget to restart your application server after adding the following JVM command line parameter.

-Djavax.net.debug=ssl

The problem is that the above parameter turns on all SSL debugging, which is far more than we need in some scenarios.

So, how can we limit Java SSL debug logging? Let’s learn it below.

Limit Java SSL Debug Logging

Using the -Djavax.net.debug=ssl parameter produces a tremendous amount of log output and detail for every SSL event on the server. How can we limit it to what our project actually requires?

To resolve this, we append a debug specifier (also called a flag), separated by a colon (:), that names the part of SSL we want debug logging for. For instance, we can log only the handshake as follows.

-Djavax.net.debug=ssl:handshake

Remember that the javax.net.debug property value must start with ssl or all, optionally followed by a debug specifier.

We can also use multiple debug specifiers. No separator is required between them, although using one (: or ,) improves readability. See the following example to understand clearly.

-Djavax.net.debug=ssl:handshake,record,session

A colon (:) works equally well as the separator between multiple debug specifiers. Remember, it does not matter which separator we use, and the order of the debug specifiers is not important either.

The following options are useful to know.

Debug Specifier (Option)   Description
all                        Turns on all debugging.
ssl                        Turns on all SSL debugging.
record                     Used with ssl; enables per-record tracing.
handshake                  Used with ssl; prints every handshake message.
keygen                     Used with ssl; prints key generation data.
session                    Used with ssl; prints session activity.
defaultctx                 Used with ssl; prints default SSL initialization.
sslctx                     Used with ssl; prints SSL context tracing.
sessioncache               Used with ssl; prints session cache tracing.
keymanager                 Used with ssl; prints key manager tracing.
trustmanager               Used with ssl; prints trust manager tracing.
data                       Widens handshake debugging with a hex dump of every handshake message.
verbose                    Widens handshake debugging with verbose handshake message printing.
plaintext                  Widens record debugging with a hex dump of record plaintext.
packet                     Widens record debugging by printing raw SSL/TLS packets.

You can use any of them as per your needs and project requirements.
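As an added example (not code from the article), the following POSIX shell script assembles the javax.net.debug value from the specifiers in the table above: it rejects unknown specifiers, refuses a widening option (data, verbose, plaintext, packet) unless the option it widens (handshake or record) is also present, and warns when a hex-dump option is chosen, because those copy handshake or record bytes into the log file. The script name limit_ssl_debug.sh and the jar name app.jar are assumed placeholders.

```shell
#!/bin/sh
# Added example (not code from the article): build a javax.net.debug value
# from the debug specifiers in the table above, so the JVM only emits the SSL
# debug output that is needed instead of everything a plain "ssl" prints.

# Debug specifiers that can follow "ssl", as listed in the table above.
SSL_SPECIFIERS="record handshake keygen session defaultctx sslctx sessioncache keymanager trustmanager"
# Options that only widen handshake or record debugging; on their own they
# have nothing to widen, so this script refuses them without the base option.
HANDSHAKE_WIDENERS="data verbose"
RECORD_WIDENERS="plaintext packet"
# Options that write message or record bytes into the log (hex dumps).
DUMP_OPTIONS="data plaintext packet"

# in_list WORD "LIST": succeeds when WORD is one of the space-separated LIST items.
in_list() {
    needle="$1"
    for item in $2; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

# build_debug_value SPEC...: prints "ssl:spec1:spec2..." (colon separators,
# which the JVM accepts) or prints an error to stderr and returns 1.
# With no arguments it prints plain "ssl", i.e. all SSL debugging.
build_debug_value() {
    value="ssl"
    has_handshake=0
    has_record=0
    for spec in "$@"; do
        if [ "$spec" = handshake ]; then has_handshake=1; fi
        if [ "$spec" = record ]; then has_record=1; fi
    done
    for spec in "$@"; do
        if in_list "$spec" "$SSL_SPECIFIERS"; then
            :
        elif in_list "$spec" "$HANDSHAKE_WIDENERS"; then
            if [ "$has_handshake" -eq 0 ]; then
                echo "error: '$spec' widens handshake debugging; add 'handshake' too" >&2
                return 1
            fi
        elif in_list "$spec" "$RECORD_WIDENERS"; then
            if [ "$has_record" -eq 0 ]; then
                echo "error: '$spec' widens record debugging; add 'record' too" >&2
                return 1
            fi
        else
            echo "error: unknown debug specifier '$spec'" >&2
            return 1
        fi
        if in_list "$spec" "$DUMP_OPTIONS"; then
            echo "warning: '$spec' writes handshake or record bytes into the log; remove it after troubleshooting" >&2
        fi
        value="$value:$spec"
    done
    printf '%s\n' "$value"
}

# jvm_debug_arg SPEC...: the complete JVM command-line parameter.
jvm_debug_arg() {
    v=$(build_debug_value "$@") || return 1
    printf '%s\n' "-Djavax.net.debug=$v"
}

# When run directly as  sh limit_ssl_debug.sh handshake record  (assumed
# script name), print the java command line for a placeholder app.jar.
case "$0" in
    *limit_ssl_debug.sh)
        arg=$(jvm_debug_arg "$@") || exit 1
        echo "java $arg -jar app.jar"
        ;;
esac
```

Run it as sh limit_ssl_debug.sh handshake record to print the java command line, or source it from a start-up script and call jvm_debug_arg there. Because plaintext and data put decrypted record contents and handshake messages into the log file, keep them to a troubleshooting session and remove the parameter again afterwards; -Djavax.net.debug=help makes the JVM print its own list of accepted options.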

Mehvish Ashiq is a former Java Programmer and a Data Science enthusiast who leverages her expertise to help others to learn and grow by creating interesting, useful, and reader-friendly content in Computer Programming, Data Science, and Technology.