Tracing Options for CCI SSL

SSL connection failures can be difficult to diagnose. A trace facility has been added to provide details of the reason for connection failures that occur during SSL session negotiation sequences.

CCI SSL tracing can be enabled in two ways: by configuring the ctf.cfg file, the cci.ini file, or both. If SSL tracing is enabled via CTF, any SSL tracing output goes to the output files configured in ctf.cfg. If SSL tracing is configured via the cci.ini file, any SSL tracing output goes to the file specified in the cci.ini file.

Enabling SSL tracing via the ctf.cfg file

To enable CCI SSL tracing via CTF, you must first enable CTF tracing, then edit the ctf.cfg configuration file to trace the CCI component:

mftrace.level.mf.cci = info

Then specify the TLS tracing options in the ctf.cfg file. The options are:

mftrace.comp.mf.CCI.TCP#ssl_cipher=true|false
Display the negotiated cipher.
mftrace.comp.mf.CCI.TCP#ssl_cert=true|false
Display details of the peer certificate, if any.
mftrace.comp.mf.CCI.TCP#ssl_cert_fail_report=true|false
Display why the certificate could not be verified.
mftrace.comp.mf.CCI.TCP#ssl_cert_connection_details=true|false
Display all information available about the offered certificate.
mftrace.comp.mf.CCI.TCP#ssl_options_all=true|false
Switch on or off all of the SSL options listed above.

The following example ctf.cfg file configuration enables all CCI SSL tracing options:

mftrace.level.mf.cci                              = debug
mftrace.comp.mf.CCI.TCP#ssl_options_all           = true

The following example ctf.cfg file configuration enables only cipher and connection details:

mftrace.level.mf.cci                                  = debug
mftrace.comp.mf.CCI.TCP#ssl_cipher                    = true
mftrace.comp.mf.CCI.TCP#ssl_cert_connection_details   = true
mftrace.comp.mf.CCI.TCP#ssl_cert                      = false
mftrace.comp.mf.CCI.TCP#ssl_cert_fail_report          = false

Enabling SSL tracing via the cci.ini file

SSL tracing can also be enabled by configuring the [ccitrace-base] section of the CCI configuration file, cci.ini. The options are:

ssl_display_cipher=yes|no
Display the negotiated cipher.
ssl_display_cert=yes|no
Display details of the peer certificate, if any.
ssl_display_cert_fail_report=yes|no
Display why the certificate content failed its trust test.
ssl_display_cert_connection_details=yes|no
Display all details available about the offered certificate.
ssl_display_options_on=yes|no
Switch on or off all of the SSL options above.
ssl_display_destination=file path
Specify the path to the file where the tracing output is written.
Note: The file path specifies the path to a file where the SSL tracing output will be written. For example, C:\path\to\sslout.txt. If no file is specified, then SSL tracing output will be written to stderr instead.

The following example cci.ini file configuration enables all CCI SSL tracing options:

[ccitrace-base]
ssl_display_options_on=yes
ssl_display_destination=C:\path\to\sslout.txt

The following example cci.ini file configuration enables only cipher and connection details:

[ccitrace-base]
ssl_display_cipher=yes
ssl_display_cert=no
ssl_display_cert_fail_report=no
ssl_display_cert_connection_details=yes
ssl_display_destination=C:\path\to\sslout.txt