This section provides a tutorial example on how to use JVM property, javax.net.debug, to turn on the SSL socket communication debug option. The debug output message can help you to know what exactly happens at the SSL layer.
If you want to know what is really going on at the SSL layer, you could use the JSSE Debug options,
"-Djavax.net.debug=options". Here is how I use it on the client side:
>\jdk\bin\java -cp . "-Djavax.net.ssl.trustStore=public.jks"
"-Djavax.net.debug=help" SslSocketClient
all turn on all debugging
ssl turn on ssl debugging
The following can be used with ssl:
record enable per-record tracing
handshake print each handshake message
......
(Run SslReverseEchoer.java in another window)
>\jdk\bin\java -cp . "-Djavax.net.ssl.trustStore=public.jks"
"-Djavax.net.debug=ssl:record" SslSocketClient
setting up default SSLSocketFactory
......
init truststore
adding as trusted cert:
Subject: CN=Herong Yang, OU=My unit, O=My home, L=My ci
Issuer: CN=Herong Yang, OU=My unit, O=My home, L=My ci
Algorithm: DSA; Serial number: 0x42266fba
......
init context
trigger seeding of SecureRandom
......
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1111734670 bytes = { 64, 255, 55, 15,
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC
Compression Methods: { 0 }
***
main, WRITE: TLSv1 Handshake, length = 73
main, WRITE: SSLv2 client hello message, length = 98
main, READ: TLSv1 Handshake, length = 1187
*** ServerHello, TLSv1
RandomCookie: GMT: 1111734670 bytes = { 120, 194, 143, 2
Session ID: {66, 68, 186, 142, 195, 126, 97, 92, 127, 59
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
Compression Method: 0
***
%% Created: [Session-1, TLS_DHE_DSS_WITH_AES_128_CBC_SHA
** TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*** Certificate chain
chain [0] = [
[
Version: V1
Subject: CN=Herong Yang, OU=My unit, O=My home, L=My ci
Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4
......
]
......
]
***
Found trusted certificate:
[
[
Version: V1
Subject: CN=Herong Yang, OU=My unit, O=My home, L=My ci
Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4
......
]
......
]
*** Diffie-Hellman ServerKeyExchange
DH Modulus: { 244, 136, 253, 88, 78, 73, 219, 205, 32, 1
DH Base: { 2 }
Server DH Public Key: { 100, 97, 85, 119, 180, 34, 56, 2
Anonymous
*** ServerHelloDone
*** ClientDiffieHellmanPublic
DH Public key: { 40, 239, 235, 116, 118, 207, 63, 85, 24
main, WRITE: TLSv1 Handshake, length = 134
SESSION KEYGEN:
PreMaster Secret:
0000: 69 65 81 69 31 1E 9E 4D 34 9C 49 54 6E 0A A5 FB
0010: B9 C0 21 F7 4F 84 D5 75 69 86 F2 10 B5 F6 8D 20
......
CONNECTION KEYGEN:
Client Nonce:
0000: 42 44 BA 8E 40 FF 37 0F 7B 46 96 D1 E5 6A 99 FA
0010: A5 7E 85 2F 57 A9 E4 17 8A 2C 74 54 60 6A B4 10
Server Nonce:
0000: 42 44 BA 8E 78 C2 8F E0 60 82 32 C9 C4 EE 68 F3
0010: 6C B7 6A AB B0 F9 E8 DD 66 3F A1 3C 5E 96 97 32
Master Secret:
0000: 49 B5 9D BC 38 95 E6 34 EE 10 89 7E 3E 53 77 F9
0010: BD 93 83 F7 FC D1 F1 6F B1 95 83 B5 97 63 1F 2B
0020: 0D A6 05 50 DA B7 21 28 EB B9 D5 6B A4 2D F0 02
Client MAC write Secret:
0000: 34 57 AE 02 2B CA 00 04 0D D5 49 27 37 DB E0 76
0010: 92 38 DD 1E
Server MAC write Secret:
0000: 2D 58 DD 43 59 4C CB AC F5 C7 B2 ED 5F B1 16 03
0010: E7 A0 57 D2
Client write key:
0000: 65 25 6A 56 FB AE B2 37 B0 BD FE 82 BE 45 F4 5F
Server write key:
0000: 44 23 24 A7 BE CD FB 3C CF D6 50 EC 43 C1 C2 E1
Client write IV:
0000: 73 F3 98 2D F3 9A 6D 72 2F 59 4E 58 80 3D 17 F1
Server write IV:
0000: 68 10 0A C0 FE 36 88 CD 92 E3 14 DC 87 9C 51 93
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data: { 148, 191, 195, 227, 118, 168, 181, 3, 60,
***
main, WRITE: TLSv1 Handshake, length = 48
main, READ: TLSv1 Change Cipher Spec, length = 1
main, READ: TLSv1 Handshake, length = 48
*** Finished
verify_data: { 33, 227, 154, 8, 58, 178, 246, 217, 219,
***
%% Cached client session: [Session-1, TLS_DHE_DSS_WITH_AE
Cipher suite = TLS_DHE_DSS_WITH_AES_128_CBC_SHA
Protocol = TLSv1
%% Client cached [Session-1, TLS_DHE_DSS_WITH_AES_128_CBC
%% Try resuming [Session-1, TLS_DHE_DSS_WITH_AES_128_CBC_
*** ClientHello, TLSv1
RandomCookie: GMT: 1111734671 bytes = { 180, 13, 13, 192
Session ID: {66, 68, 186, 142, 195, 126, 97, 92, 127, 59
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC
Compression Methods: { 0 }
***
main, WRITE: TLSv1 Handshake, length = 128
main, READ: TLSv1 Application Data, length = 96
Welcome to SSL Reverse Echo Server. Please type in some w
Hello World!
main, WRITE: TLSv1 Application Data, length = 48
main, READ: TLSv1 Handshake, length = 96
*** ServerHello, TLSv1
RandomCookie: GMT: 1111734671 bytes = { 172, 192, 94, 22
Session ID: {66, 68, 186, 142, 195, 126, 97, 92, 127, 59
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
Compression Method: 0
***
CONNECTION KEYGEN:
Client Nonce:
0000: 42 44 BA 8F B4 0D 0D C0 2A 41 EC F5 A7 FA 79 34
0010: CD 5E 62 E2 04 13 68 84 D0 62 98 1E C0 1F 15 AA
Server Nonce:
0000: 42 44 BA 8F AC C0 5E E0 74 61 C1 34 E5 14 88 2F
0010: 6D 16 0F E2 EE 27 A5 D1 FA 52 BB 8B A5 21 A7 4A
Master Secret:
0000: 49 B5 9D BC 38 95 E6 34 EE 10 89 7E 3E 53 77 F9
0010: BD 93 83 F7 FC D1 F1 6F B1 95 83 B5 97 63 1F 2B
0020: 0D A6 05 50 DA B7 21 28 EB B9 D5 6B A4 2D F0 02
Client MAC write Secret:
0000: 7F F0 DC C8 FE E4 9D 57 6E 5D E1 C4 D3 D5 9A 3E
0010: 9A 30 48 90
Server MAC write Secret:
0000: E6 F6 DC A1 87 D0 F2 93 0B E8 7C AE 9D BC 98 42
0010: 6A 22 0D 12
Client write key:
0000: AA 64 2F E3 54 E8 2D 86 61 39 F9 B8 C3 C9 73 79
Server write key:
0000: D8 54 5C 02 56 DE B8 1E ED 28 AC FD 5A 01 8A BD
Client write IV:
0000: C9 EE F0 EB 24 41 1B 06 D7 D3 1A 7B DC CD 7C 59
Server write IV:
0000: 16 35 61 8A 34 F2 D4 76 6A 9A 13 FE 17 3E 74 41
%% Server resumed [Session-1, TLS_DHE_DSS_WITH_AES_128_CB
main, READ: TLSv1 Change Cipher Spec, length = 32
main, READ: TLSv1 Handshake, length = 48
*** Finished
verify_data: { 56, 41, 153, 87, 50, 152, 70, 168, 237, 1
***
main, WRITE: TLSv1 Change Cipher Spec, length = 32
*** Finished
verify_data: { 254, 26, 149, 188, 239, 40, 18, 232, 72,
***
main, WRITE: TLSv1 Handshake, length = 48
main, READ: TLSv1 Application Data, length = 48
!dlroW olleH
main, WRITE: TLSv1 Application Data, length = 32
main, READ: TLSv1 Alert, length = 32
main, RECV TLSv1 ALERT: warning, close_notify
main, called closeInternal(false)
main, SEND TLSv1 ALERT: warning, description = close_not
main, WRITE: TLSv1 Alert, length = 32
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)
Exercise : Revise both SslReverseEchoer.java and SslSocketClient.java
so that client authentication is required.
