Debugging SSL Connections

Submitted by Bill St. Clair on Wed, 25 Jun 2008 00:24:59 GMT  <== Webmaster stuff ==> 

I've had a little trouble with the SSL certificate for this site and for some sites for which I do technical maintenance. I wrote up a little about that in Intermediate SSL Certificates. Well, I asked my web hosting provider to install the intermediate certificates for another web site that is also using a GoDaddy certificate. They said that they had done it, but I was still getting warnings in Safari, on both my Mac and my iPhone. So I did some Googling, and found some simple Java code that I could modify, and enable debugging while running, to show the SSL handshake during a connection to a web site.

I have uploaded that code as The zip file decompresses into the "ssltest" directory, containing the following files:

ssltesta bash script to run the java program
ssltest.classthe compiled version of the Java program
ssltest.javathe source code for the Java program bash script to create

You're certainly welcome to look at the Java source, and change it to your liking, but to use the program, you just need to cd to the ssltest directory in your shell, and type the following:


Or change "" to your favorite SSL-enabled web site. It prints quite a bit of stuff, but the most interesting to me were the lines beginning with "chain [", which show the certificate and the intermediate certificates, if any.

I didn't include an ssltest.bat file for Windows, because I have no way to test it, but it should be pretty obvious how to convert the bash script into a Windows batch file.


Add comment Edit post Add post

Comments (1):

Simpler SSL debugging

Submitted by Bill St. Clair on Thu, 26 Jun 2008 09:39:17 GMT

I found an easier way to debug SSL connections, at least the certificate chain part, if you have openssl installed on your system, which most Linux systems, and the Macintosh, do.

Debugging SSL Connections recommends using the openssl s_client command. They also talk about ssldump, but that's not on my system, so I haven't tried it.

The following command connects to with SSL, and prints the certificate chain and some other information about the connection. You can then send HTTP commands (e.g. "GET /\n\n"), to fetch a page, or just type Ctrl-D (EOF).

openssl s_client -connect -showcerts

The Java version is much more verbose, though.

Edit comment