[Tips] SSL 디버깅 설정
WebLogic 기동 스크립트의 Java 옵션에 다음을 추가하면 SSL 디버깅을 할 수 있습니다.
1. 사용법
-Djavax.net.debug=all // 전체 디버깅
-Djavax.net.debug=ssl // SSL 디버깅
-Djavax.net.debug=help // 옵션 목록 확인(도움말)
ssl 옵션과 사용가능한 옵션 목록
- record: Enable per-record tracing
- handshake: Print each handshake message
- keygen: Print key generation data
- session: Print session activity
- defaultctx: Print default SSL initialization
- sslctx: Print SSLContext tracing
- sessioncache: Print session cache tracing
- keymanager: Print key manager tracing
- trustmanager: Print trust manager tracing
handshake 옵션과 같이 사용가능한 옵션
- data - hex dump of each handshake message
- verbose - verbose handshake message printing
record 옵션과 사용가능한 옵션 목록
- data: Hex dump of each handshake message
- verbose: Verbose handshake message printing
2. 사용 예시
다음은 javax.net.debug 속성을 사용하는 예입니다.
(예시1)
각 handshake 메시지의 16진수 덤프를 보려면 다음을 입력합니다(콜론은 선택 사항).
-Djavax.net.debug=ssl:handshake:data
각 handshake 메시지의 16진수 덤프를 보고 신뢰 관리자(trustmanager) 추적을 인쇄하려면 다음을 입력하십시오(쉼표는 선택 사항임).
-Djavax.net.debug=SSL,handsake,data,trustmanager
3. WebLogic 로그 내용
WebLogic 10.3.6 버전에서 "-Djavax.net.debug=ssl" 설정 후 로그 내용은 아래와 같습니다. 전체적인 로그 내용 흐름 참조하면 될것입니다.
1) trusted cert를 adding 함 : $JAVA_HOME/jre/lib/security/cacerts 파일에 있는 정보를 출력함
adding as trusted cert:
Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
Issuer: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
Algorithm: RSA; Serial number: 0x4eb200670c035d4f
Valid from Wed Oct 25 08:36:00 GMT 2006 until Sat Oct 25 08:36:00 GMT 2036
.....
adding as trusted cert:
Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Algorithm: RSA; Serial number: 0x8b5b75568454850b00cfaf3848ceb1a4
Valid from Fri Oct 01 00:00:00 GMT 1999 until Wed Jul 16 23:59:59 GMT 2036
2) DemoTrust.jks에 있는 데모인증서 정보를 출력함
***
found key for : -459055
chain [0] = [
[
Version: V1
Subject: CN=was.linux7, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: Sun RSA public key, 512 bits
modulus: 8013063532277797687766062500196345400553039956052669669541367155641585147322584561944537717246084909842577825887120538349080773357333583265100932811535251
public exponent: 65537
Validity: [From: Thu Aug 31 03:02:11 GMT 2023,
To: Wed Sep 01 03:02:11 GMT 2038]
Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
SerialNumber: [ -1cb1a390 5656e6ca b4a8f477 4864d8d3]
]
Algorithm: [MD5withRSA]
Signature:
0000: 51 1C 21 E5 4A 91 9B 63 39 93 A2 2B C0 F6 03 0D Q.!.J..c9..+....
0010: DF D3 94 86 1A D5 62 33 6F 55 FD 95 37 AF 73 C4 ......b3oU..7.s.
0020: 4E 18 1C A1 2B FB D0 F8 30 99 1F 77 D3 9A B8 E3 N...+...0..w....
0030: 99 F9 6A 45 F2 45 6C EE E3 8E 1F 5E F2 0C 82 6A ..jE.El....^...j
]
3) ClientHello 정보 출력
*** ClientHello, TLSv1.2
RandomCookie: GMT: 387692889 bytes = { 162, 36, 113, 209, 160, 234, 160, 43, 21, 225, 171, 16, 128, 177, 149, 112, 174, 22, 108, 5, 5, 113, 226, 114, 2, 29, 125, 229 }
Session ID: {113, 141, 70, 159, 65, 101, 214, 167, 71, 49, 209, 252, 17, 242, 157, 173, 45, 222, 115, 227, 145, 167, 19, 24, 29, 142, 112, 226, 228, 1, 126, 99}
Cipher Suites: [Unknown 0x13:0x1, Unknown 0x13:0x3, Unknown 0x13:0x2, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA]
Compression Methods: { 0 }
Unsupported extension type_23, data:
Extension renegotiation_info, renegotiated_connection: <empty>
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1, secp521r1, unknown curve 256, unknown curve 257}
Extension ec_point_formats, formats: [uncompressed]
Unsupported extension type_35, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_34, data: 00:08:04:03:05:03:06:03:02:03
Unsupported extension type_51, data: 00:69:00:1d:00:20:41:81:f6:9b:a7:05:02:00:00:3f:47:13:23:03:09:d6:ce:ee:7a:c1:fb:6c:2f:93:7b:6d:e1:1f:5f:6b:f6:71:00:17:00:41:04:92:79:de:65:99:d0:18:84:6e:e6:49:0d:07:2f:4d:c2:b1:ca:e3:18:16:94:5c:f1:e4:60:6d:6b:07:9c:a8:e1:c1:8a:63:01:37:49:56:37:88:8d:e1:f4:b8:3c:0f:7a:fa:36:65:b4:fb:cb:75:7b:1d:53:6c:02:88:12:f1:ea
Unsupported extension type_43, data: 04:03:04:03:03
Extension signature_algorithms, signature_algorithms: SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, Unknown (hash:0x8, signature:0x4), Unknown (hash:0x8, signature:0x5), Unknown (hash:0x8, signature:0x6), SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA1withECDSA, SHA1withRSA
Unsupported extension type_45, data: 01:01
Unsupported extension type_28, data: 40:01
Unsupported extension type_21, data: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
4) ServerHello 정보 출력
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1677232514 bytes = { 169, 246, 251, 61, 31, 217, 52, 77, 22, 205, 64, 127, 33, 217, 205, 160, 233, 10, 58, 143, 135, 196, 48, 14, 59, 195, 82, 6 }
Session ID: {100, 249, 138, 130, 182, 82, 14, 73, 19, 9, 150, 36, 212, 99, 225, 206, 50, 174, 193, 8, 25, 45, 201, 247, 6, 125, 105, 180, 27, 16, 21, 116}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
*** Certificate chain
chain [0] = [
[
Version: V1
Subject: CN=was.linux7, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: Sun RSA public key, 512 bits
modulus: 8013063532277797687766062500196345400553039956052669669541367155641585147322584561944537717246084909842577825887120538349080773357333583265100932811535251
public exponent: 65537
Validity: [From: Thu Aug 31 03:02:11 GMT 2023,
To: Wed Sep 01 03:02:11 GMT 2038]
Issuer: CN=CertGenCAB, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US
SerialNumber: [ -1cb1a390 5656e6ca b4a8f477 4864d8d3]
]
Algorithm: [MD5withRSA]
Signature:
0000: 51 1C 21 E5 4A 91 9B 63 39 93 A2 2B C0 F6 03 0D Q.!.J..c9..+....
0010: DF D3 94 86 1A D5 62 33 6F 55 FD 95 37 AF 73 C4 ......b3oU..7.s.
0020: 4E 18 1C A1 2B FB D0 F8 30 99 1F 77 D3 9A B8 E3 N...+...0..w....
0030: 99 F9 6A 45 F2 45 6C EE E3 8E 1F 5E F2 0C 82 6A ..jE.El....^...j
]
***
*** ECDH ServerKeyExchange
Signature Algorithm SHA256withRSA
Server key: Sun EC public key, 256 bits
public x coord: 25018756975046297148809748629559258338021477598796243824694759387181491783564
public y coord: 23555742341977300454633609909107565758826472316316976183646820839505014608782
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** ServerHelloDone
ExecuteThread: '2' for queue: 'weblogic.socket.Muxer', WRITE: TLSv1.2 Handshake, length = 731
ExecuteThread: '3' for queue: 'weblogic.socket.Muxer', READ: TLSv1.2 Handshake, length = 70
5) ServerKeyExcahnge 정보 출력
*** ECDH ServerKeyExchange
Signature Algorithm SHA256withRSA
Server key: Sun EC public key, 256 bits
public x coord: 25018756975046297148809748629559258338021477598796243824694759387181491783564
public y coord: 23555742341977300454633609909107565758826472316316976183646820839505014608782
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** ServerHelloDone
ExecuteThread: '2' for queue: 'weblogic.socket.Muxer', WRITE: TLSv1.2 Handshake, length = 731
ExecuteThread: '3' for queue: 'weblogic.socket.Muxer', READ: TLSv1.2 Handshake, length = 70
*** ECDHClientKeyExchange
ECDH Public value: { 4, 78, 120, 81, 186, 184, 114, 35, 95, 200, 133, 241, 141, 229, 169, 208, 90, 147, 206, 156, 99, 25, 126, 74, 76, 119, 213, 20, 15, 234, 22, 52, 55, 134, 98, 26, 229, 238, 202, 145, 32, 61, 45, 56, 107, 175, 63, 105, 202, 195, 241, 79, 32, 175, 235, 28, 191, 2, 25, 206, 140, 132, 182, 145, 171 }
SESSION KEYGEN:
PreMaster Secret:
0000: 81 F3 7B E6 53 66 96 60 CC A4 70 31 67 79 92 C5 ....Sf.`..p1gy..
0010: 93 AA F0 88 A2 6C 22 7C 9B C0 28 F1 80 3E 56 69 .....l"...(..>Vi
CONNECTION KEYGEN:
Client Nonce:
0000: 17 1C B9 59 A2 24 71 D1 A0 EA A0 2B 15 E1 AB 10 ...Y.$q....+....
0010: 80 B1 95 70 AE 16 6C 05 05 71 E2 72 02 1D 7D E5 ...p..l..q.r....
Server Nonce:
0000: 64 F9 8A 82 A9 F6 FB 3D 1F D9 34 4D 16 CD 40 7F d......=..4M..@.
0010: 21 D9 CD A0 E9 0A 3A 8F 87 C4 30 0E 3B C3 52 06 !.....:...0.;.R.
Master Secret:
0000: 52 91 56 FA 27 98 C1 50 0B 65 8A 92 43 B5 F7 14 R.V.'..P.e..C...
0010: A8 FC 67 7B EF 28 BF DB 4D 0B 0A 1A 66 3D D4 20 ..g..(..M...f=.
0020: F0 67 60 BC DE A6 8C 04 2E 4A E0 2F EA 76 5E FD .g`......J./.v^.
Client MAC write Secret:
0000: FB F7 12 7F 7E C3 91 BE EA F5 52 F9 97 D8 BF AA ..........R.....
0010: D6 D5 AD 5F ..._
Server MAC write Secret:
0000: 6E 70 52 C4 F4 AE 21 93 4D 11 53 24 4B 5C E9 A7 npR...!.M.S$K\..
0010: C0 5F BC F5 ._..
Client write key:
0000: D1 CB 1C ED E5 46 40 79 32 7E 77 40 CD F7 96 E0 .....F@y2.w@....
Server write key:
0000: 08 38 BC 93 30 70 04 42 F8 B2 F6 A3 CB 49 4B F2 .8..0p.B.....IK.
... no IV derived for this protocol
ExecuteThread: '3' for queue: 'weblogic.socket.Muxer', READ: TLSv1.2 Change Cipher Spec, length = 1
ExecuteThread: '3' for queue: 'weblogic.socket.Muxer', READ: TLSv1.2 Handshake, length = 64
*** Finished
verify_data: { 57, 175, 70, 171, 234, 52, 160, 216, 136, 150, 228, 122 }
***
ExecuteThread: '3' for queue: 'weblogic.socket.Muxer', WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data: { 230, 231, 191, 166, 42, 47, 225, 74, 228, 87, 87, 111 }
***
ExecuteThread: '3' for queue: 'weblogic.socket.Muxer', WRITE: TLSv1.2 Handshake, length = 64
%% Cached server session: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)', WRITE: TLSv1.2 Application Data, length = 227
[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)', WRITE: TLSv1.2 Application Data, length = 14
[참조] https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#Debug