34 SSL Debugging

Learn how to enable SSL debugging in Oracle WebLogic Server. SSL debugging provides detailed information about the SSL events that occur during an SSL handshake.

This chapter includes the following sections:

About the SSL Debug Trace

The SSL debug trace provides information about the trusted certificate authorities, SSL server configuration, server identity, SSL records that were passed during the SSL handshake, and more. The SSL debugging stack trace dumps such information into a log file.

The SSL debug trace displays information about the following:

  • Trusted certificate authorities

  • SSL server configuration information

  • Server identity (private key and digital certificate)

  • The encryption strength that is allowed

  • Enabled ciphers

  • SSL records that were passed during the SSL handshake

  • SSL failures detected by WebLogic Server (for example, trust and validity checks and the default host name verifier)

  • I/O related information

SSL debugging dumps a stack trace whenever an ALERT is created in the SSL process. The types and severity of the ALERTS are defined by the Transport Layer Security (TLS) specification.

The stack trace dumps information into the log file where the ALERT originated. Therefore, when tracking an SSL problem, you may need to enable debugging on both sides of the SSL connection (on both the SSL client or the SSL server). The log file contains detailed information about where the failure occurred. To determine where the ALERT occurred, confirm whether there is a trace message after the ALERT. An ALERT received after the trace message indicates the failure occurred on the peer. To determine the problem, you need to enable SSL debugging on the peer in the SSL connection.

When tracking an SSL problem, review the information in the log file to ensure:

  • The correct config.xml file was loaded

  • The setting for domestic, or export, is correct

  • The trusted certificate authority was valid and correct for this server.

  • The host name check was successful

  • The certificate validation was successful

    Note:

    Sev 1 type 0 is a normal close ALERT, not a problem.

Command-Line Properties for Enabling SSL Debugging

Use the command-line properties to enable debug logging within the JSSE-based SSL implementation as well as logging of the SSL calling code within WebLogic Server.

Use the following command-line properties to enable SSL debugging:

-Djavax.net.debug=all

-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true

Note the following:

  • The -Djavax.net.debug=all property enables debug logging within the JSSE-based SSL implementation.

  • The -Dssl.debug=true and -Dweblogic.StdoutDebugEnabled=true command-line properties enable debug logging of the SSL calling code within WebLogic Server.

You can include SSL debugging properties in the start script of the SSL server, the SSL client, and the Node Manager. For a Managed Server started by the Node Manager, specify this command-line argument on the Remote Start page for the Managed Server.

For information about using WebLogic logging properties with the JSSE SSL logging system, see Using Debugging with JSSE SSL.

For information about debugging utilities available for JSSE, see "Debugging Utilities" in the Java™ Secure Socket Extension (JSSE) Reference Guide, available at the following URL:

http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#Debug