JVM debugging
Verbose everything
Network, TLS handshake, cert chain, session resumption. Useful for “the connection just hangs / fails” diagnostics, but very noisy:

    JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=all"

TLS handshake only

Most of the time you only want the handshake — much less noise:

    JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=ssl:handshake:verbose"

Common TLS knobs (JDK 21+)

When the handshake fails on a modern JDK (TLS 1.3 by default):
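
    # Force TLS 1.2 only — quickly rules out a 1.3-specific issue.
    -Djdk.tls.client.protocols=TLSv1.2

    # Restrict the curves offered in the ClientHello (some middleboxes drop
    # unexpected curves). Default in JDK 21+ includes x25519, secp256r1, etc.
    -Djdk.tls.namedGroups="secp256r1,secp384r1"

    # Allow a legacy/weak algorithm temporarily for a one-off connection.
    # DO NOT keep this in production.
    # jdk.tls.disabledAlgorithms is a Security property, not a system property,
    # so -Djdk.tls.disabledAlgorithms="" is ignored. Put the override line
    #   jdk.tls.disabledAlgorithms=
    # in a properties file (the path below is a placeholder) and point the JVM at it.
    # An empty value re-enables every entry on the default list.
    -Djava.security.properties=/path/to/tls-override.properties

The disabled-algorithm list lives in $JAVA_HOME/conf/security/java.security under jdk.tls.disabledAlgorithms. Read it before overriding so you know what you are re-enabling.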
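
The read-before-overriding step above, as an added example that is not part of the original page: a shell sketch that lists the entries of jdk.tls.disabledAlgorithms (joining backslash continuation lines) and shows which of them a proposed replacement list would re-enable. The function names are illustrative and the java.security excerpt is constructed.

```shell
# List what jdk.tls.disabledAlgorithms disables in a java.security file, and
# what a proposed replacement list would re-enable. Added example.

# Print the property's entries one per line, joining "\" continuation lines.
disabled_tls_algs() {
    awk '
        !inprop && /^[ \t]*#/ { next }                 # skip comment lines
        !inprop && /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ {
            sub(/^[^=]*=/, ""); inprop = 1; val = ""
        }
        inprop {
            cont = sub(/\\[ \t]*$/, "")   # trailing backslash: value continues
            val = val $0
            if (!cont) { inprop = 0; last = val }   # a later definition wins
        }
        END {
            n = split(last, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] != "") print parts[i]
            }
        }
    ' "$1"
}

# Print default entries missing from the replacement list $2 (same comma syntax).
reenabled_by() {
    keep=",$(printf '%s' "$2" | sed 's/[[:space:]]*,[[:space:]]*/,/g; s/^[[:space:]]*//; s/[[:space:]]*$//'),"
    disabled_tls_algs "$1" | while IFS= read -r entry; do
        case "$keep" in
            *",$entry,"*) ;;                     # still disabled
            *) printf '%s\n' "$entry" ;;         # would be re-enabled
        esac
    done
}

# Constructed sample; on a real host use "$JAVA_HOME/conf/security/java.security".
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# jdk.tls.disabledAlgorithms=commented-out line, must be ignored
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, \
    MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
EOF

echo "Re-enabled by an empty override:"; reenabled_by "$SAMPLE" ""
echo "Re-enabled when only TLSv1 is removed from the list:"
reenabled_by "$SAMPLE" "SSLv3, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL"
```

The comparison is textual, so a changed constraint such as a different keySize bound shows up as the original entry being re-enabled.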