Our application uses Apache HttpClient 4.5.3 and we are observing a very weird behavior with communication between our client and the server using SNI capability

The server is configured to return a Go Daddy signed certificate if the SSL request comes in the with the server name expected from our client(ie: the host name of the server) and it will return a self signed certificate for all other domain names

Behavior observed

• The client receives the correct server certificate on all server except on our production machine
• The client code is running in an application deployed on tomcat 8, we have noticed that initial requests to the endpoint go through successfully. After some time of running we receive an SSL exception on the client.
• The error is because the server is not sending the correct certificate(it sends the default self signed certificate)
• If we restart the tomcat server on which the client is deployed, the calls again start to go through successfully.

We have used javax.net.debug for debugging purposes in the past but we cannot use it in this case as we need to restart the tomcat server for its effect to take place and when we restart the tomcat server, the calls to the endpoint server start to succeed. Also the javax.net.debug logs a lot of information which will flood our logs and hence we wanted it enabled only for a specific request. We are hoping to log only the Client Hello(which contains the server_name passed to the endpoint)

I have read through https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#OwnX509ETM But not sure of what we can use to print only the SSL server name indicator pushed down to the server.