How to debug SSL handshake using cURL?

debug ssl handshake java
curl debug
how to debug ssl handshake failure java
ssl handshake troubleshooting
how to read ssl debug logs
openssl debug logging
curl telnet ssl
curl ssl

I would like to troubleshoot per directory authentication with client certificate. I would specially like to find out which acceptable client certificates does server send.

How do I debug SSL handshake, preferably with cURL?

Thanks in advance


I have used this command to troubleshoot client certificate negotiation:

openssl s_client -connect www.test.com:443 -prexit

The output will probably contain "Acceptable client certificate CA names" and a list of CA certificates from the server, or possibly "No client certificate CA names sent", if the server doesn't always require client certificates.

curl verbose mode format, I find the verbose flag very useful to debug what headers curl sent SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 The above shows that the SSL handshake took 423ms (ssl handshake minus tcp time) for this request. To see the TTFB without the effect of an SSL handshake, the easiest method is to simply request the same URL twice via curl as this will reuse the existing connection:


curl -iv https://your.domain.io

That will give you cert and header output if you do not wish to use openssl command.

SSL/TLS, To make it print the full communication, including the request headers, SSL certificate information, response headers, and response body, use the -v command� Just another nice tip using curl. I will show you how to debug request and response headers using curl utility.. Debug request and response headers using curl. To see the detail of the request and response, we use -v option to print out result in verbose mode when issuing curl request.


curl probably does have some options for showing more information but for things like this I always use openssl s_client

With the -debug option this gives lots of useful information

Maybe I should add that this also works with non HTTP connections. So if you are doing "https", try the curl commands suggested below. If you aren't or want a second option openssl s_client might be good

Debug Curl Requests (TLDR: Use -v or --trace arguments), It also includes the openssl command, which provides a rich variety of commands You can use the same command to debug problems with SSL� When doing file transfers using version two or three of the HTTP protocol, curl sends and receives compressed headers. So to display outgoing and incoming HTTP/2 and HTTP/3 headers in a readable and understandable way, curl will actually show the uncompressed versions in a style similar to how they appear with HTTP/1.1.


  1. For TLS handshake troubleshooting please use openssl s_client instead of curl.
  2. -msg does the trick!
  3. -debug helps to see what actually travels over the socket.
  4. -status OCSP stapling should be standard nowadays.
openssl s_client -connect example.com:443 -tls1_2 -status -msg -debug -CAfile <path to trusted root ca pem> -key <path to client private key pem> -cert <path to client cert pem> 

Other useful switches -tlsextdebug -prexit -state

https://www.openssl.org/docs/man1.0.2/man1/s_client.html

How to: Debug SSL certificate problems from the shell prompt , curl --insecure -vvI https://www.google.com 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL To check for SSL certificate details, I use the following command line tool ever --debug Print additional info that might be helpful when debugging this script. Without using one of those two options, then the connection gets as far as '* SSLv3, TLS handshake, Client hello (1):' and then freezes until the timeout happens By adding -3 or -1 to the command line (to force SSLv3 or TLSv1) then the connection works fine, * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2):


Displaying a remote SSL certificate details using CLI tools, The SSL and TLS protocols use a layered communications stack, and define A SSL handshake has read 1584 bytes and written 346 bytes SSL-Session:. OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards required by them. ADVERTISEMENTS It also includes the openssl command, which provides a rich variety of commands You can use the same command to debug problems with SSL certificates. To test … Continue reading "How to


Debugging SSL communications -- Prefetch Technologies, To troubleshoot a secure connection using the openssl program, you must know at least two things: The remote server name or IP address. The� We are using the default SunJSSE X509KeyManager and X509TrustManager which prints debug information. This example assumes a basic understanding of the SSL/TLS protocol. Please see the The SSL Protocol Overview section of the JSSE Reference Guide for more information on the protocols (handshake messages, etc.).


How to troubleshoot SSL connections with openssl, SSL Handshake times. (all examples use requests from an EU client to a US based app). When making individual requests using a tool like curl or� G3 a SSL certificate verify ok. a Using HTTP2, server supports multi-use a Connection state changed (HTTP/2 confirmed) { [2366 bytes data] a Connection #0 to host curl.haxx.se left