This page is meant to collect the various mechanism used to trace the runtime behavior of NSS. It might be necessary to use a debug build.
libPKIX uses the PR_LOG macro with log module name "pkix".
You may enable logging output using NSPR_LOG_MODULES="pkix:5"
In addition, you may have to use NSS_STRICT_SHUTDOWN="x" to ensure the pkix log module gets activated. This is the subject of bug 429039.
OCSP tracing uses PR_LogPrint.
NSS_TRACE_OCSP="1" is supposed to enable OCSP tracing. However, it's not sufficient.
It appears, you must enable logging for at least one module. It appears to be sufficient to request logging for any module, even if that module doesn't exit. If you're not interested in any other log output, you might even use NSPR_LOG_MODULES="any_random_string:5"
This is the subject of bug 429052.
If you have compiled NSS in debug mode, set environment variable SSLDEBUG to 1 in order to enable debug output.
In addition, you should set variable SSLTRACE to the desired amount of details you want for SSL connections, valid numbers are from 0 to 127. The higher the number, the more details you'll get.
You may set SSLDEBUGFILE to dump the output to a file of the given filename.
Additional environment variables can be found, by search the NSS source code in directory nss/lib/ssl for the "getenv".