How to enable SSL debugging on the Android platform?

Is there something similar to setting -D javax.net.debug=ssl at the command line for Java desktop applications, but for the Android? I’ve tried setting it in code via System.setProperty("javax.net.debug", "ssl"); but that didn’t work.

If there isn’t a way to enable this property, is there at least another way to debug the client side of an SSL connection?

  • testing that an activity called setResult
  • How to change system navigation bar color
  • Import existing Android project in Eclipse: no gen source folder?
  • ActionBar or ActionBarSherlock - Smoothly Hide / Show the ActionBar
  • How to change Width of Android's Switch track?
  • Android Studio with Google Play Services
  • EDIT: Just to clarify, this is referring to raw SSL sockets (SSLSocket and SSLSocketFactory), not the Apache library or any other network library.

  • Android - Writing a custom (compound) component
  • AudioFlinger could not create record track, status: -1 , Need help to ifx
  • Android: Notification stops updating once it has updated for a certain number of times on Kit-Kat
  • setOnClickListener of a ListView not working
  • Android, How to use readTypedList method correctly in a Parcelable class?
  • Get data from GCM notification
  • 4 Solutions collect form web for “How to enable SSL debugging on the Android platform?”

    At this point, there just doesn’t seem to be a way to do this. But in any case, we’re switching to the Netty library soon which has more detailed logging capabilities build in.

    So the (not great) solution to this issue is simply not to use SSLSocket, but to use a better network library instead.

    you can write a TrustManager class to handle it.
    example :

    ClientConnectionManager cm = new BasicClientConnectionManager();
    cm.getSchemeRegistry().register(createHttpsScheme());
    DefaultHttpClient client = new DefaultHttpClient(cm);
    String url = "https://your domain/your url";
    HttpGet get = new HttpGet(url);
    HttpResponse resp = client.execute(get);
    
    etc..
    
    public static Scheme createHttpsScheme() {
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(null, new TrustManager[] {
                    new TestTrustManager()
            }, new SecureRandom());
    
            SSLSocketFactory sf = new SSLSocketFactory(context);
            return new Scheme("https", 443, sf);
    }
    

    int TestTrustManager.java you can print the chain like this:

    public class TestTrustManager implements X509TrustManager {
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    
           for (int i = 0; i < chain.length; ++i) {
            System.out.println(chain[i]);
           }
    
           decorated.checkServerTrusted(chain, authType);
      }
    }
    

    If you are using Apache HttpClient (by importing a jar file), you can enable logging by setting environmental variables in Eclipse. If you use Commons Logging, the logs are printed to the Console. However this only works if you are running your app in the emulator and not on the device. Not sure of this helps.

    See http://hc.apache.org/httpcomponents-client-ga/logging.html

    I have found a useful debugging aid is to write a wrapper around X509KeyManager and X509TrustManager that delegates calls to the original implementation while logging the results, e.g.:

            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
    
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, null);
    
            TrustManager[] tms = WrapTrustManager.WrapArray(tmf.getTrustManagers());
            KeyManager[] kms = WrapKeyManager.WrapArray(kmf.getKeyManagers());
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(kms, tms, null);
    
            ....setSocketFactory(context.getSocketFactory());
    

    The implementation of WrapTrustManager and WrapKeyManager are pretty straightforward, but bewarned that they use exceptions to indicate failure and so it is important to not swallow exceptions while logging the outcome.

    Note that the interface uses the empty KeyManager and TrustManager interfaces, and you need to dynamically upcast these to X509KeyManager and X509TrustManager.

    Android Babe is a Google Android Fan, All about Android Phones, Android Wear, Android Dev and Android Games Apps and so on.