Debugging SSL Issues

I wrote the article Debugging SSL Issues in Java almost 4 years ago. I am writing a new post on the same topic because I ran into the same issue again and that article didn't help me. So I'll list my new learnings in this post, and it will be to the point.

Use the debug flag on the command line

When running a Java program, you can add the SSL debug flag to the command line to produce debug output of the complete SSL handshake.

In short, this is what the handshake looks like:

Client                          Server

ClientHello         ---->   

Application Data    <----->     Application Data

In our case, the server abruptly stopped responding after the client sent the [ChangeCipherSpec] message.


ssldump is another utility that can show decrypted SSL traffic to debug issues. So if you are not using Java, this is the go-to utility for debugging SSL issues.

Its output looks as follows, showing each message of the SSL handshake:

3 1  0.5765 (0.5765)  C>S  Handshake
        Version 3.3
        cipher suites
        compression methods
3 2  0.6972 (0.1207)  S>C  Handshake
        Version 3.3
          ac f1 e7 3d 87 18 3f 75 f4 b5 d8 bc 61 51 dc 8e
          da 1c db 82 89 c4 d1 df 60 83 e3 8b 56 c7 23 87
        cipherSuite         TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        compressionMethod                   NULL
3 3  0.6972 (0.0000)  S>C  Handshake
3 4  0.6972 (0.0000)  S>C  Handshake
Not enough data. Found 327 bytes (expecting 32767)
3 5    0.6972   (0.0000)    S>C    Handshake
3 6    0.7427   (0.0454)    C>S    Handshake
Not enough data. Found 64 bytes (expecting 16384)
3 7    0.7598   (0.0171)    C>S    ChangeCipherSpec
3 8    0.7605   (0.0007)    C>S      Handshake
3 9    0.8779   (0.1173)    S>C    ChangeCipherSpec
3 10   0.8779   (0.0000)    S>C      Handshake
3 11   0.8956   (0.0177)    C>S      application_data
3 12   1.0474   (0.1517)    S>C      application_data
3 13   11.0491   (10.0017)    S>C      Alert
  3      11.0492   (0.0000)    S>C    TCP FIN


Wireshark or tcpdump can give some insight into what is happening. From the server terminal, capture the SSL traffic with tcpdump into a file and open it in Wireshark:

sudo tcpdump -i eth0 -v 'dst host x.x.x.x or src host x.x.x.x' -w /tmp/test.pcap

SSL Labs Analysis

The SSL Labs site gives very useful information about a server's SSL configuration and certificates. It shows which TLS versions and which cipher suites the server supports.

It can also simulate handshakes against the server from various clients, such as Apache HttpClient, OkHttp, browsers, mobile devices, etc.

Java Runtime parameters

There are various runtime parameters that affect SSL connectivity in Java. Watch out for these parameters if you are facing an SSL issue in a Java application. Note that it is not enough to look at the arguments the program was started with, since these parameters can also be set programmatically at runtime.

For example, in one of our client libraries, the following snippet disabled Server Name Indication (SNI). That caused problems with TLS connections to virtual servers, where multiple servers for different network names are hosted at a single underlying network address and the server needs SNI to pick the right certificate.

if (System.getProperty("jsse.enableSNIExtension") == null) {
	// Disables SNI for the whole JVM unless the property was already set on the command line
	System.setProperty("jsse.enableSNIExtension", "false");
}

There are other parameters to watch out for as well; the Java Secure Socket Extension (JSSE) Reference Guide is a helpful page to start with.
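The two points above, that the handshake result is worth inspecting and that JSSE parameters can change after startup, can be checked from inside the JVM at the moment a connection is made. The following is an added example, not code from the original post or from any library it mentions: it dumps the JSSE system properties that commonly alter client behaviour and then runs one diagnostic handshake, reporting the negotiated protocol, cipher suite and peer certificate, or a clear reason for failure. The class name TlsProbe, the property list, the 10 second read timeout and the example.com placeholder target are my own choices.

```java
import java.io.IOException;
import java.net.SocketTimeoutException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Added example: dump the JSSE settings in effect and run one diagnostic handshake. */
public class TlsProbe {

    // JSSE system properties that commonly change client handshake behaviour.
    // Any of them can be set by code after startup, so they are read at
    // connect time rather than taken from the launch command line.
    static final String[] JSSE_PROPERTIES = {
        "javax.net.debug",           // handshake tracing, e.g. "ssl:handshake"
        "jsse.enableSNIExtension",   // "false" suppresses SNI, as in the snippet above
        "jdk.tls.client.protocols",  // protocol versions offered by the client
        "https.protocols",           // protocol versions used by HttpsURLConnection
        "javax.net.ssl.trustStore",
        "javax.net.ssl.keyStore",
    };

    static void dumpJsseProperties() {
        for (String name : JSSE_PROPERTIES) {
            String value = System.getProperty(name);
            System.out.printf("%-28s = %s%n", name, value == null ? "(unset, JSSE default)" : value);
        }
    }

    /** Performs one handshake and returns the negotiated session, or throws with a diagnosis. */
    static SSLSession probe(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            // A read timeout turns a silent server (as in the failure described above,
            // where it stopped answering after ChangeCipherSpec) into an exception
            // instead of a hang.
            socket.setSoTimeout(10_000);

            // Request SNI for this socket explicitly. A global
            // jsse.enableSNIExtension=false still disables the extension for the
            // whole JVM, which is why that property is printed first.
            SSLParameters params = socket.getSSLParameters();
            params.setServerNames(Collections.singletonList(new SNIHostName(host)));
            socket.setSSLParameters(params);
            System.out.println("offered protocols: " + String.join(",", params.getProtocols()));

            socket.startHandshake();
            SSLSession session = socket.getSession();
            System.out.println("negotiated: " + session.getProtocol() + " / " + session.getCipherSuite());
            for (Certificate cert : session.getPeerCertificates()) {
                if (cert instanceof X509Certificate) {
                    System.out.println("peer cert: " + ((X509Certificate) cert).getSubjectX500Principal());
                }
            }
            return session;
        } catch (SSLHandshakeException e) {
            // The peer sent an alert, or certificate/protocol validation failed locally.
            throw new IOException("handshake rejected by " + host + ":" + port + ": " + e.getMessage(), e);
        } catch (SocketTimeoutException e) {
            // No bytes arrived within the timeout: compare with an ssldump/tcpdump capture
            // to see which message the server stopped at.
            throw new IOException("no response from " + host + ":" + port + " during handshake", e);
        }
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "example.com"; // placeholder target
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        dumpJsseProperties();
        probe(host, port);
    }
}
```

Run it as `java TlsProbe <host> [port]`, optionally with `-Djavax.net.debug=ssl:handshake` to get the full JSSE trace alongside the summary. Because the properties are printed from the running JVM, a library that flips jsse.enableSNIExtension after startup, as in the snippet above, shows up here even though the launch command line looks clean.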

I hope this helps anyone facing trouble with SSL connections. If you know of other useful tools for debugging SSL issues, do let me know in the comments.