How to enable SSL debugging on the Android platform?

Question

Is there something similar to setting -D javax.net.debug=ssl at the command line for Java desktop applications, but for the Android? I\'ve tried setting it in code

Answer 1

If you are using Apache HttpClient (by importing a jar file), you can enable logging by setting environmental variables in Eclipse. If you use Commons Logging, the logs are printed to the Console. However this only works if you are running your app in the emulator and not on the device. Not sure of this helps.

See http://hc.apache.org/httpcomponents-client-ga/logging.html

Answer 2

you can write a TrustManager class to handle it. example :

ClientConnectionManager cm = new BasicClientConnectionManager();
cm.getSchemeRegistry().register(createHttpsScheme());
DefaultHttpClient client = new DefaultHttpClient(cm);
String url = "https://your domain/your url";
HttpGet get = new HttpGet(url);
HttpResponse resp = client.execute(get);

etc..

public static Scheme createHttpsScheme() {
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, new TrustManager[] {
                new TestTrustManager()
        }, new SecureRandom());

        SSLSocketFactory sf = new SSLSocketFactory(context);
        return new Scheme("https", 443, sf);
}

int TestTrustManager.java you can print the chain like this:

public class TestTrustManager implements X509TrustManager {
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {

       for (int i = 0; i < chain.length; ++i) {
        System.out.println(chain[i]);
       }

       decorated.checkServerTrusted(chain, authType);
  }
}

Answer 3

I have found a useful debugging aid is to write a wrapper around X509KeyManager and X509TrustManager that delegates calls to the original implementation while logging the results, e.g.:

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, null);

        TrustManager[] tms = WrapTrustManager.WrapArray(tmf.getTrustManagers());
        KeyManager[] kms = WrapKeyManager.WrapArray(kmf.getKeyManagers());
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kms, tms, null);

        ....setSocketFactory(context.getSocketFactory());

The implementation of WrapTrustManager and WrapKeyManager are pretty straightforward, but bewarned that they use exceptions to indicate failure and so it is important to not swallow exceptions while logging the outcome.

Note that the interface uses the empty KeyManager and TrustManager interfaces, and you need to dynamically upcast these to X509KeyManager and X509TrustManager.

Answer 4

At this point, there just doesn't seem to be a way to do this. But in any case, we're switching to the Netty library soon which has more detailed logging capabilities build in.

So the (not great) solution to this issue is simply not to use SSLSocket, but to use a better network library instead.