Debugging JSSE

Code that is involved in an SSL conversation can be tricky to debug because many of the details that you’d normally handle yourself (key exchange, certificate verification, and so on) are hidden from you. When these operations don’t work, it can be difficult to figure out what went wrong.

Complicating this is the fact that setting up an SSL connection is a time-consuming operation. Both parties in the conversation must create a secure random number (an instance of the SecureRandom class if they are Java programs). Then the peers must negotiate which key exchange algorithm to use and actually perform the key exchange. Only then is the socket available to send and receive data. So our first tip in working with SSL code is to be patient when you start a program.

Several exceptions are thrown by the JSSE API. These are often self-explanatory. For example, if you attempt to retrieve the certificate chain of a peer from the SSLSession object, you will get an SSLPeerUnverifiedException if the peer is not verified. However, you will get a SocketException with the somewhat cryptic detail message of “No SSL Sockets” if you specify an incorrect password for a keystore used by an SSL context or an SSL socket factory.

Exceptions are not always thrown when you might expect, however. In particular, an SSL socket will become connected at the socket level even if the SSL protocol negotiation fails. For instance, when an SSL client calls the createSocket( ) method, it will receive ...
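The distinction just described, between the socket being connected at the TCP level and the SSL negotiation actually succeeding, can be made visible by forcing the handshake explicitly. The following client is an added example, not code from the book; it assumes a TLS server is reachable at the host and port given on the command line and uses the default SSLSocketFactory and trust store.

```java
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public class HandshakeProbe {
    // Connects, forces the handshake, and reports what the session negotiated.
    // Returns true only if the SSL negotiation itself completed.
    public static boolean probe(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // createSocket() returns once the TCP connection is up; the SSL
        // negotiation has not happened yet, so isConnected() says nothing
        // about whether the handshake will succeed.
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            System.out.println("TCP connected: " + socket.isConnected());
            try {
                // Force the negotiation now, instead of on the first read or
                // write, so a failure surfaces here rather than inside I/O code.
                socket.startHandshake();
            } catch (SSLHandshakeException e) {
                System.out.println("Handshake failed: " + e.getMessage());
                return false;
            }
            SSLSession session = socket.getSession();
            System.out.println("Protocol:     " + session.getProtocol());
            System.out.println("Cipher suite: " + session.getCipherSuite());
            try {
                // Throws SSLPeerUnverifiedException when the peer's identity
                // was not established (e.g. no certificate was presented).
                Certificate[] chain = session.getPeerCertificates();
                X509Certificate leaf = (X509Certificate) chain[0];
                System.out.println("Peer subject: " + leaf.getSubjectX500Principal());
            } catch (SSLPeerUnverifiedException e) {
                System.out.println("Peer not verified: " + e.getMessage());
            }
            return true;
        }
    }
    public static void main(String[] args) throws IOException {
        // Assumption: a TLS server is reachable at the host/port given on the
        // command line (port defaults to 443).
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        probe(host, port);
    }
}
```

Running it with the standard JSSE system property -Djavax.net.debug=ssl,handshake prints the full handshake trace alongside this output, which is usually the quickest way to see why a negotiation stopped.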
