Obtaining SSL debugging information

Establishing an SSL secured connection between two endpoints typically involves a multitude
of verification steps, each of which must complete successfully. By default, the very verbose output of these steps is hidden by applications.

This article demonstrates how to activate this output in HiveMQ and how to use the openssl utility to obtain a clear picture of what is happening while a TLS/SSL secured connection is being established.


JVM Options

In order to see HiveMQ’s side of the connection establishment we can make use of JVM options.

Adding -Djavax.net.debug=ssl,handshake to the JVM start-up options will do the trick. Assuming HiveMQ is launched with the supplied run.sh, the easiest way to do so is to add the following line to the variables section of that script:

JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=ssl,handshake"

Alternatively, as a temporary measure, the option can be passed via $JAVA_OPTS directly in the shell that launches HiveMQ:

JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=ssl,handshake" ./bin/run.sh


OpenSSL command line program

The command line utility openssl includes a wide variety of tools that ease working with SSL. For the purpose of gaining meaningful insight into what happens during the connection to HiveMQ, the s_client subcommand is of special interest. It is a minimal SSL client implementation and ideal for examining this step of the communication between an MQTT client and the broker. Note that openssl provides nothing beyond the TLS layer, so MQTT features cannot be tested with it.

All elements required for the connection (CA certificate, client key, client certificate) are supplied via command line options. To enable verbose output, add the -debug option:

openssl s_client -connect <hostname>:8883 -CAfile ca.cert.pem -key client1.key.pem -cert client1.cert.pem -debug

Hostname and port will need to match your node’s configuration.
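The -debug output is long and dominated by hex dumps of the records exchanged, so it helps to extract the few lines that decide whether the handshake actually succeeded: the negotiated protocol and cipher, and above all the "Verify return code", which is 0 only when s_client could build a trusted chain from the server certificate to the CA given with -CAfile. The following script is an added example and is not part of the HiveMQ article; the function names (summarize_handshake, handshake_verified), the host name broker.example and the transcript it operates on are constructed for illustration, not a real capture.

```shell
#!/bin/sh
# Added example, not part of the HiveMQ article: pull the lines that matter out of
# an `openssl s_client -debug` transcript so the outcome of the handshake can be
# checked at a glance, or in a script, instead of scrolling through hex dumps.
# The transcript below is constructed for illustration; it is not a real capture.

SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=1 CN = Example Test CA
verify return:1
depth=0 CN = hivemq-node-1
verify return:1
---
Certificate chain
 0 s:CN = hivemq-node-1
   i:CN = Example Test CA
---
SSL handshake has read 1234 bytes and written 456 bytes
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---'

# Print "protocol|cipher|verify code|verify text" for a transcript given on stdin.
# Only the SSL-Session block is consulted; the -debug hex dumps are ignored.
summarize_handshake() {
  awk '
    /^ *Protocol *:/          { proto = $3 }
    /^ *Cipher *:/            { cipher = $3 }
    /^ *Verify return code:/  {
      sub(/^ *Verify return code: */, "")   # strip the label, re-split fields
      code = $1                              # numeric X509 verify result
      text = $0; sub(/^[0-9]+ */, "", text)  # keep the human-readable reason
      gsub(/[()]/, "", text)
    }
    END { printf "%s|%s|%s|%s\n", proto, cipher, code, text }
  '
}

# Exit status 0 only when the peer certificate chain verified cleanly (code 0).
# Any other code (for example 21, "unable to verify the first certificate")
# means s_client could not build a trusted path to the CA given with -CAfile,
# which is the most common reason a client fails to connect to the broker.
handshake_verified() {
  code=$(summarize_handshake | cut -d'|' -f3)
  [ "$code" = "0" ]
}

# Typical use against a live broker (not run here; broker.example is a placeholder):
#   openssl s_client -connect broker.example:8883 -CAfile ca.cert.pem \
#       -key client1.key.pem -cert client1.cert.pem -debug </dev/null 2>&1 \
#     | tee handshake.log | summarize_handshake

printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | summarize_handshake
```

Keeping the full transcript with tee preserves the -debug detail for a closer look, while the summary line is what a monitoring job or a colleague needs first. The "verify return:1" lines near the top of the transcript report each step of chain building as it happens; the final "Verify return code" is the authoritative overall result.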