To enable the debug log publisher for TLS processing, run the following dsconfig commands:

    dsconfig create-debug-target \
      --publisher-name "File-Based Debug Logger" \
      --target-name com.unboundid.directory.server.extensions.TLSConnectionSecurityProvider \
      --set debug-level:verbose

    dsconfig set-log-publisher-prop \
      --publisher-name "File-Based Debug Logger" \
      --set enabled:true

After you make these changes, the logs/debug file captures a substantial amount of information about the TLS-related processing that the server performs. Although this file does not provide as much detail as the JVM's built-in TLS debugging output, it can help you pinpoint the cause of a problem and identify potential solutions.
When you no longer require this level of debugging, disable the debug log
publisher and remove the debug target.
    dsconfig set-log-publisher-prop \
      --publisher-name "File-Based Debug Logger" \
      --set enabled:false

    dsconfig delete-debug-target \
      --publisher-name "File-Based Debug Logger" \
      --target-name com.unboundid.directory.server.extensions.TLSConnectionSecurityProvider

Tip: To troubleshoot TLS communication with a non-Java client that does not offer its own TLS debugging mechanism, and when the server-side debugging support is insufficient, use a network protocol analyzer to capture the traffic between the client and the server and examine its content. The free, open-source Wireshark utility is a graphical tool that runs on a variety of platforms and has strong support for dissecting TLS. Even if you cannot decrypt the application data, you can still view at least some of the handshake messages. Note that TLS 1.3 encrypts more of the handshake than earlier protocol versions; although this change improves security and privacy, it leaves less for a packet capture to reveal when troubleshooting.
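To make the last point concrete, the following Python script (an added example, not part of this page or of the directory server's own tooling) dissects a TLS ClientHello record and extracts the fields that remain in cleartext on the wire regardless of the negotiated version: the legacy version field, the offered cipher suites, the server_name (SNI) extension, and the supported_versions extension that a TLS 1.3 client uses to advertise 1.3. These are the same fields a protocol analyzer displays from a capture even when it cannot decrypt the rest. The ClientHello is constructed in the script itself; the host name, cipher suite list and random bytes are illustrative values, not taken from any real capture.

```python
"""Minimal TLS ClientHello dissector (added example, constructed input)."""
import struct

HANDSHAKE = 0x16            # TLS record content type: handshake
CLIENT_HELLO = 0x01         # handshake message type
EXT_SERVER_NAME = 0x0000    # server_name (SNI) extension
EXT_SUPPORTED_VERSIONS = 0x002B

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# A few IANA-registered cipher suite code points, for readable output.
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def build_client_hello(host, suites, versions, random_bytes=b"\x11" * 32):
    """Build one TLS record carrying a ClientHello (constructed test input)."""
    name = host.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni = struct.pack("!H", len(sni_entry)) + sni_entry
    sv_list = b"".join(struct.pack("!H", v) for v in versions)
    sv = struct.pack("!B", len(sv_list)) + sv_list
    extensions = (struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
                  + struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv)
    suites_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", 0x0303)      # legacy_version: 1.3 clients still send 0x0303
            + random_bytes                 # 32-byte client random
            + b"\x00"                      # empty legacy_session_id
            + struct.pack("!H", len(suites_bytes)) + suites_bytes
            + b"\x01\x00"                  # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return the cleartext ClientHello fields; raise ValueError if malformed."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    if len(record) != 5 + rec_len:
        raise ValueError("record length mismatch")
    hs = record[5:]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("handshake length mismatch")
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                   # skip client random
    sid_len = body[pos]; pos += 1 + sid_len     # skip legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]; pos += 1 + comp_len   # skip compression methods
    info = {"legacy_version": TLS_VERSIONS.get(legacy_version, hex(legacy_version)),
            "cipher_suites": [CIPHER_SUITES.get(s, hex(s)) for s in suites],
            "server_name": None, "supported_versions": []}
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("extensions length mismatch")
    while pos < end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if ext_type == EXT_SERVER_NAME:
            # ServerNameList: 2-byte list length, name_type, 2-byte name length, name
            name_len = struct.unpack("!H", data[3:5])[0]
            info["server_name"] = data[5:5 + name_len].decode("ascii")
        elif ext_type == EXT_SUPPORTED_VERSIONS:
            n = data[0]                         # 1-byte list length, then 2-byte versions
            vals = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + n, 2)]
            info["supported_versions"] = [TLS_VERSIONS.get(v, hex(v)) for v in vals]
    return info


if __name__ == "__main__":
    sample = build_client_hello("ldap.example.com", [0x1301, 0xC02F], [0x0304, 0x0303])
    for key, value in parse_client_hello(sample).items():
        print(f"{key}: {value}")
```

Everything the parser reports is readable in a capture without any key material. By contrast, once a TLS 1.3 server answers with supported_versions = TLS 1.3, the certificate and the rest of the handshake that TLS 1.2 exposed in cleartext are encrypted, which is why a packet capture of a TLS 1.3 handshake reveals less than one of a TLS 1.2 handshake.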
Page created: 7 Jan 2021 |
Page updated: 1 Feb 2021