I’ve got lots of code that uses Apache’s HttpClient, and I’d like to log the version of TLS that’s being negotiated when a request is made.
Is this possible?
I’d prefer an approach that doesn’t requiring changing how the request is being built, if possible – something that inspects a response or views a log or something like that?
From my review, it appears this is only possible if we debug SSL at the VM level, or perhaps if a custom SSLContext is used?
Advertisement
Answer
If you turn on debug level logging for org.apache.http.conn.ssl category HttpClient will log quite a bit of details about the SSL session used including TLS/SSL protocol version.
[DEBUG] DefaultHttpClientConnectionOperator - Connecting to httpbin.org/54.225.150.40:443 [DEBUG] SSLConnectionSocketFactory - Connecting socket to httpbin.org/54.225.150.40:443 with timeout 0 [DEBUG] SSLConnectionSocketFactory - Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2] [DEBUG] SSLConnectionSocketFactory - Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] [DEBUG] SSLConnectionSocketFactory - Starting handshake [DEBUG] SSLConnectionSocketFactory - Secure session established [DEBUG] SSLConnectionSocketFactory - negotiated protocol: TLSv1.2 [DEBUG] SSLConnectionSocketFactory - negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [DEBUG] SSLConnectionSocketFactory - peer principal: CN=httpbin.org [DEBUG] SSLConnectionSocketFactory - peer alternative names: [httpbin.org, www.httpbin.org] [DEBUG] SSLConnectionSocketFactory - issuer principal: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US [DEBUG] DefaultHttpClientConnectionOperator - Connection established 192.168.43.64:57534<->54.225.150.40:443