Reputation: 111
How to enable javax.net.debug on demand
Our application uses Apache HttpClient 4.5.3 and we are observing a very weird behavior with communication between our client and the server using SNI capability
The server is configured to return a Go Daddy signed certificate if the SSL request comes in the with the server name expected from our client(ie: the host name of the server) and it will return a self signed certificate for all other domain names
Behavior observed
- The client receives the correct server certificate on all server except on our production machine
- The client code is running in an application deployed on tomcat 8, we have noticed that initial requests to the endpoint go through successfully. After some time of running we receive an SSL exception on the client.
- The error is because the server is not sending the correct certificate(it sends the default self signed certificate)
- If we restart the tomcat server on which the client is deployed, the calls again start to go through successfully.
We have used javax.net.debug for debugging purposes in the past but we cannot use it in this case as we need to restart the tomcat server for its effect to take place and when we restart the tomcat server, the calls to the endpoint server start to succeed. Also the javax.net.debug logs a lot of information which will flood our logs and hence we wanted it enabled only for a specific request. We are hoping to log only the Client Hello(which contains the server_name passed to the endpoint)
I have read through https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#OwnX509ETM But not sure of what we can use to print only the SSL server name indicator pushed down to the server.
Upvotes: 5
Views: 5262
Answers (1)
Reputation: 5165
I had the same concern as yours, then firstly I was thinking about dynamically adding environment variable, but it's always taking old value. Then I found out that javax.net.debug environment variable is read once only with static block in SSLSocketFactory.java. The full source code is available here.
static {
String s = java.security.AccessController.doPrivileged(
new GetPropertyAction("javax.net.debug", "")).toLowerCase(Locale.ENGLISH);
DEBUG = s.contains("all") || s.contains("ssl");
}
Upvotes: 5
Related Questions
- How can I get debug messages from Java's SSL handshake?
- Totally disabling java net ssl debug logging
- limiting java ssl debug logging
- "Ignoring unsupported cipher suite" message when "-Djavax.net.debug=ssl:handshake" is enabled on server side
- Enable debug logging for Log4J2 + Apache HttpClient
- Enabling ssl debug for java in intellij
- Enable SSL debugging in WebLogic
- Program never throws exception when debugger is attached
- How to enable SSL debugging on the Android platform?
- How do I reduce the amount of debugging messages from javax.net.debug=ssl?