When things do not go as expected, further information from GnuTLS is often needed to assist debugging. In those cases, use gnutls_global_set_log_level and gnutls_global_set_log_function, which make GnuTLS print verbose information on the internal flow of its functions.
void gnutls_global_set_log_level (int level)
void gnutls_global_set_log_function (gnutls_log_func log_func)
Alternatively, the environment variable GNUTLS_DEBUG_LEVEL can be set to a logging level, and GnuTLS will write debugging output to standard error. Other available environment variables are shown in Table 6.1.
Variable | Purpose |
---|---|
GNUTLS_DEBUG_LEVEL | When set to a numeric value, it sets the default debugging level for GnuTLS applications. |
SSLKEYLOGFILE | When set to a filename, GnuTLS will append the session keys to it in the NSS Key Log format. That format can be read by Wireshark and allows decryption of the session for debugging. |
GNUTLS_CPUID_OVERRIDE | This environment variable can be used to explicitly enable or disable the use of certain CPU capabilities. Note that CPU detection cannot be overridden, i.e., VIA options cannot be enabled on an Intel CPU. The currently available options are: |
GNUTLS_FORCE_FIPS_MODE | In setups where GnuTLS is compiled with support for FIPS140-2 (see FIPS140-2 mode), setting this variable to one forces FIPS mode to be enabled. |
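Because the file named by SSLKEYLOGFILE holds session keys that allow decryption of the captured traffic, a debugging run should keep it and the stderr debug output readable by the owner only. The wrapper below is an added example, not part of the GnuTLS manual; the function names and the keys.log and debug.log file names are assumptions made for illustration.

```sh
# Added example (not from the GnuTLS manual). Function and file names are
# hypothetical; the two variables are the ones listed in Table 6.1.

# run_with_gnutls_debug LEVEL OUTDIR COMMAND [ARGS...]
# Runs COMMAND with GnuTLS debugging enabled. Debug output (standard error)
# goes to OUTDIR/debug.log and session keys to OUTDIR/keys.log, both created
# with owner-only permissions before the command starts.
run_with_gnutls_debug() {
    level=$1 outdir=$2
    shift 2
    case $level in
        ''|*[!0-9]*) echo "debug level must be numeric" >&2; return 2 ;;
    esac
    mkdir -p "$outdir" && chmod 700 "$outdir" || return 2
    (
        # New files in this subshell are created with mode 0600.
        umask 077
        # Pre-create the key log so GnuTLS appends to a private file.
        : > "$outdir/keys.log" || exit 2
        GNUTLS_DEBUG_LEVEL=$level SSLKEYLOGFILE=$outdir/keys.log \
            "$@" 2> "$outdir/debug.log"
    )
}

# is_owner_only FILE
# Succeeds only if FILE is a regular file with mode rw------- (0600).
is_owner_only() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Typical use (gnutls-cli ships with GnuTLS; the host is a placeholder):
#   run_with_gnutls_debug 4 ./tls-debug gnutls-cli -p 443 example.com
#   is_owner_only ./tls-debug/keys.log || echo "key log is exposed" >&2
```

Delete the key log once the capture has been analysed, since anyone who obtains it together with the traffic can decrypt the session.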
Even when debugging is not required, important issues, such as detected attacks on the protocol, still need to be logged. This is provided by the logging function set by gnutls_global_set_audit_log_function. The provided function will receive a message and the corresponding TLS session. The session information might be used to derive IP addresses or other information about the peer involved.
log_func: it is the audit log function
This is the function to set the audit logging function. This is a function to report important issues, such as possible attacks in the protocol. This is different from gnutls_global_set_log_function() because it will also report session-specific events. The session parameter will be null if there is no corresponding TLS session.
gnutls_audit_log_func is of the form,
void (*gnutls_audit_log_func)( gnutls_session_t, const char*);
Since: 3.0