Debugging SSL Connections

In the event that an HTTPS connection does not go through, debugging JSSE can be a hassle.


Enabling debugging wraps the regular SSLContext in a tracing SSLContext. This means any code that relied on instanceof checks of the old SSLContext will start behaving differently when debugging is enabled. For example, this appears to be the case when trying to use this module with the Jetty ALPN agent.
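The wrapping effect described above, as an added example that is not ssl-config's own code: the hypothetical TracingSpi and TracingContext classes delegate to the default JSSE context, and isStockContext stands in for a concrete-type check made by calling code. It assumes a JVM with a default SSLContext available; example.invalid is a placeholder peer host and no connection is made.

```java
import java.security.*;
import java.util.*;
import javax.net.ssl.*;

public class TracingContextDemo {
    // Hypothetical tracing SPI: records each call, then delegates via the wrapped context's public API.
    static final class TracingSpi extends SSLContextSpi {
        final SSLContext inner;
        final List<String> calls = new ArrayList<>();
        TracingSpi(SSLContext inner) { this.inner = inner; }
        private <T> T trace(String name, T result) { calls.add(name); return result; }
        @Override protected void engineInit(KeyManager[] km, TrustManager[] tm, SecureRandom sr)
                throws KeyManagementException { calls.add("init"); inner.init(km, tm, sr); }
        @Override protected SSLSocketFactory engineGetSocketFactory() {
            return trace("getSocketFactory", inner.getSocketFactory()); }
        @Override protected SSLServerSocketFactory engineGetServerSocketFactory() {
            return trace("getServerSocketFactory", inner.getServerSocketFactory()); }
        @Override protected SSLEngine engineCreateSSLEngine() {
            return trace("createSSLEngine", inner.createSSLEngine()); }
        @Override protected SSLEngine engineCreateSSLEngine(String host, int port) {
            return trace("createSSLEngine(" + host + ":" + port + ")", inner.createSSLEngine(host, port)); }
        @Override protected SSLSessionContext engineGetServerSessionContext() {
            return trace("getServerSessionContext", inner.getServerSessionContext()); }
        @Override protected SSLSessionContext engineGetClientSessionContext() {
            return trace("getClientSessionContext", inner.getClientSessionContext()); }
    }

    // Hypothetical wrapper: still an SSLContext, but a different runtime class than the one it wraps.
    static final class TracingContext extends SSLContext {
        final TracingSpi spi;
        TracingContext(SSLContext inner) { this(new TracingSpi(inner), inner); }
        private TracingContext(TracingSpi spi, SSLContext inner) {
            super(spi, inner.getProvider(), inner.getProtocol());
            this.spi = spi;
        }
    }

    // The kind of concrete-type check whose answer changes once the wrapper is installed.
    static boolean isStockContext(SSLContext ctx) { return ctx.getClass() == SSLContext.class; }

    public static void main(String[] args) throws Exception {
        SSLContext plain = SSLContext.getDefault();
        TracingContext traced = new TracingContext(plain);
        SSLEngine engine = traced.createSSLEngine("example.invalid", 443);
        System.out.println("plain  isStockContext = " + isStockContext(plain));
        System.out.println("traced isStockContext = " + isStockContext(traced));
        // This example leaves the engine unwrapped, so its class is the provider's own.
        System.out.println("engine class = " + engine.getClass().getName());
        System.out.println("traced calls = " + traced.spi.calls);
    }
}
```

Running the same type checks with debugging off and on is a quick way to find code that depends on the concrete class before enabling tracing in a shared environment.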


Prior to 0.4.0, the debug system relied on undocumented modification of internal JSSE debug settings that were normally set using and system properties on startup.

This system has been removed, and the debug flags that do not have a direct correlation in the new system are deprecated.

WS SSL provides configuration options that turn on trace logging at warn level for SSLContext, SSLEngine, TrustManager and KeyManager.

To configure, set the ssl-config.debug property in application.conf:

ssl-config.debug = {
  # Enable all debugging
  all = false

  # Enable sslengine / socket tracing
  ssl = false

  # Enable SSLContext tracing
  sslctx = false

  # Enable key manager tracing
  keymanager = false

  # Enable trust manager tracing
  trustmanager = false
}

You can also set and system properties directly at startup, using a .jvmopts file for sbt:

# Don't allow client to dictate terms - this can also be used for DoS attacks.
# Undocumented, defined in

# Add more details to the disabled algorithms list
# and

# Enable this if you need to use OCSP or CRL

Oracle has a number of sections on debugging JSSE issues: