Update TLS -verbose options

2026-06-19 19:33:38 +08:00 · 2026-06-12 14:23:56 +08:00
parent 8b586d4299
commit c56d7edfab
11 changed files with 403 additions and 280 deletions
--- a/include/gmssl/tls.h
+++ b/include/gmssl/tls.h
@@ -775,7 +775,6 @@ typedef struct {
 typedef struct {
 	int is_client;
 	int quiet;
 	int verbose;
 	int protocol;
@@ -939,6 +938,7 @@ int tls_ctx_add_certificate_list_and_key(TLS_CTX *ctx, const char *chainfile,
 	const char *keyfile, const char *keypass);
 int tls_ctx_set_verbose(TLS_CTX *ctx, int verbose);
 int tls_ctx_enable_verbose(TLS_CTX *ctx, int enable);
 int tls_ctx_enable_trusted_ca_keys(TLS_CTX *ctx, int enable);
@@ -1020,6 +1020,7 @@ typedef struct {
 	tls_socket_t sock;
 	TLS_CTX *ctx;
 	int verbose;
 	// states for state machines
 	int handshake_state;
@@ -1513,6 +1514,7 @@ void tls_clean_record(TLS_CONNECT *conn);
 int tls_print_record(FILE *fp, int fmt, int ind, const char *label, TLS_CONNECT *conn);
 int tls_init(TLS_CONNECT *conn, TLS_CTX *ctx);
 int tls_set_verbose(TLS_CONNECT *conn, int verbose);
 int tls_set_hostname(TLS_CONNECT *conn, const char *hostname);
 int tls_set_socket(TLS_CONNECT *conn, tls_socket_t sock);
--- a/src/tlcp.c
+++ b/src/tlcp.c
@@ -390,14 +390,14 @@ int tlcp_send_client_hello(TLS_CONNECT *conn)
 			return -1;
 		}
-		tls_trace("send ClientHello\n");
+		if(conn->verbose) tls_trace("send ClientHello\n");
 		tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen);
 		if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
 			error_print();
 			return -1;
 		}
-		tls_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->dgst_ctx);
+		if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->dgst_ctx);
 		if (conn->client_certificate_verify) {
 			sm2_sign_update(&conn->sign_ctx, conn->record + 5, conn->recordlen - 5);
@@ -436,7 +436,7 @@ int tlcp_recv_server_hello(TLS_CONNECT *conn)
 	size_t application_layer_protocol_negotiation_len;
-	tls_trace("recv ServerHello\n");
+	if(conn->verbose) tls_trace("recv ServerHello\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -611,7 +611,7 @@ int tlcp_recv_server_hello(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx);
+	if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx);
 	if (conn->client_certs_len) {
 		sm2_sign_update(&conn->sign_ctx, conn->record + 5, conn->recordlen - 5);
@@ -627,7 +627,7 @@ int tlcp_recv_server_certificate(TLS_CONNECT *conn)
 	const uint8_t *server_cert;
 	size_t server_cert_len;
-	tls_trace("recv server Certificate\n");
+	if(conn->verbose) tls_trace("recv server Certificate\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -647,7 +647,7 @@ int tlcp_recv_server_certificate(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	tls_handshake_digest_print(stderr, 0, 0, "Certificate", &conn->dgst_ctx);
+	if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "Certificate", &conn->dgst_ctx);
 	if (conn->client_certs_len) {
@@ -722,7 +722,7 @@ int tlcp_recv_server_key_exchange(TLS_CONNECT *conn)
 	SM2_VERIFY_CTX verify_ctx;
-	tls_trace("recv ServerKeyExchange\n");
+	if(conn->verbose) tls_trace("recv ServerKeyExchange\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -749,7 +749,7 @@ int tlcp_recv_server_key_exchange(TLS_CONNECT *conn)
 		return -1;
 	}
-	tls_handshake_digest_print(stderr, 0, 0, "ServerKeyExchange", &conn->dgst_ctx);
+	if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerKeyExchange", &conn->dgst_ctx);
 	// verify ServerKeyExchange
 	if (x509_certs_get_cert_by_index(conn->peer_cert_chain, conn->peer_cert_chain_len, 0, &cp, &len) != 1
@@ -840,13 +840,15 @@ int tlcp_recv_certificate_request(TLS_CONNECT *conn)
 	if (handshake_type != TLS_handshake_certificate_request) {
 		conn->client_certs_len = 0;
-		fprintf(stderr, "%s %d: no certificate_request\n", __FILE__, __LINE__);
+		if(conn->verbose) {
-		fprintf(stderr, "recordlen = %zu\n", conn->recordlen);
+			fprintf(stderr, "%s %d: no certificate_request\n", __FILE__, __LINE__);
 			fprintf(stderr, "recordlen = %zu\n", conn->recordlen);
 		}
 		return 0; // 表明对方没有发送预期的报文
 	}
-	tls_trace("recv CertificateRequest\n");
+	if(conn->verbose) tls_trace("recv CertificateRequest\n");
 	tlcp_record_print(stderr, 0, 0, conn->record, conn->recordlen);
 	if (tls_record_get_handshake_certificate_request(conn->record,
@@ -880,7 +882,7 @@ int tlcp_recv_certificate_request(TLS_CONNECT *conn)
 		return -1;
 	}
-	tls_handshake_digest_print(stderr, 0, 0, "CertificateRequest", &conn->dgst_ctx);
+	if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "CertificateRequest", &conn->dgst_ctx);
 	sm2_sign_update(&conn->sign_ctx, conn->record + 5, conn->recordlen - 5);
@@ -892,7 +894,7 @@ int tlcp_recv_certificate_request(TLS_CONNECT *conn)
 int tlcp_recv_server_hello_done(TLS_CONNECT *conn)
 {
 	int ret;
-	tls_trace("recv ServerHelloDone\n");
+	if(conn->verbose) tls_trace("recv ServerHelloDone\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -917,7 +919,7 @@ int tlcp_recv_server_hello_done(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	tls_handshake_digest_print(stderr, 0, 0, "ServerHelloDone", &conn->dgst_ctx);
+	if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerHelloDone", &conn->dgst_ctx);
@@ -934,7 +936,7 @@ int tlcp_recv_server_hello_done(TLS_CONNECT *conn)
 int tlcp_send_client_certificate(TLS_CONNECT *conn)
 {
 	int ret;
-	tls_trace("send client Certificate\n");
+	if(conn->verbose) tls_trace("send client Certificate\n");
 	// 如果我们没有证书，并且也没有设置optional，那么就得返回错误了
@@ -961,7 +963,7 @@ int tlcp_send_client_certificate(TLS_CONNECT *conn)
 			error_print();
 			return -1;
 		}
-		tls_handshake_digest_print(stderr, 0, 0, "client Certificate", &conn->dgst_ctx);
+		if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "client Certificate", &conn->dgst_ctx);
 		sm2_sign_update(&conn->sign_ctx, conn->record + 5, conn->recordlen - 5);
@@ -985,7 +987,7 @@ int tlcp_send_client_key_exchange(TLS_CONNECT *conn)
 	size_t enced_pre_master_secret_len;
 	int ret;
-	tls_trace("send ClientKeyExchange\n");
+	if(conn->verbose) tls_trace("send ClientKeyExchange\n");
 	if (!conn->recordlen) {
 		if (tls_pre_master_secret_generate(conn->pre_master_secret, TLS_protocol_tlcp) != 1) {
@@ -1007,7 +1009,7 @@ int tlcp_send_client_key_exchange(TLS_CONNECT *conn)
 			error_print();
 			return -1;
 		}
-		tls_handshake_digest_print(stderr, 0, 0, "ClientKeyExchange", &conn->dgst_ctx);
+		if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ClientKeyExchange", &conn->dgst_ctx);
 	}
 	if ((ret = tls_send_record(conn)) != 1) {
@@ -1042,7 +1044,7 @@ int tlcp_send_certificate_verify(TLS_CONNECT *conn)
 	uint8_t sig[SM2_MAX_SIGNATURE_SIZE];
 	size_t siglen;
-	tls_trace("send CertificateVerify\n");
+	if(conn->verbose) tls_trace("send CertificateVerify\n");
 	// 这句应该是没用的			
 	if (!conn->client_certificate_verify) {
@@ -1083,7 +1085,7 @@ int tlcp_send_client_finished(TLS_CONNECT *conn)
 	if (conn->recordlen == 0) {
 		uint8_t verify_data[12];
-		tls_trace("send client {Finished}\n");
+		if(conn->verbose) tls_trace("send client {Finished}\n");
 		if (tls_compute_verify_data(conn->master_secret, "client finished", &conn->dgst_ctx, verify_data) != 1) {
@@ -1107,7 +1109,7 @@ int tlcp_send_client_finished(TLS_CONNECT *conn)
 			error_print();
 			return -1;
 		}
-		tls_handshake_digest_print(stderr, 0, 0, "client Finished", &conn->dgst_ctx);
+		if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "client Finished", &conn->dgst_ctx);
 		if (tlcp_record_encrypt(conn->cipher_suite,
@@ -1145,7 +1147,7 @@ int tlcp_recv_server_finished(TLS_CONNECT *conn)
 	uint8_t local_verify_data[12];
-	tls_trace("recv server {Finished}\n");
+	if(conn->verbose) tls_trace("recv server {Finished}\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -1199,7 +1201,7 @@ int tlcp_recv_server_finished(TLS_CONNECT *conn)
 		return -1;
 	}
-	if (!conn->ctx->quiet)
+	if(conn->verbose)
 		fprintf(stderr, "Connection established!\n");
@@ -1336,7 +1338,7 @@ int tlcp_recv_client_hello(TLS_CONNECT *conn)
 		tls_client_verify_init(&conn->client_verify_ctx);
 	*/
-	tls_trace("recv ClientHello\n");
+	if(conn->verbose) tls_trace("recv ClientHello\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -1565,7 +1567,7 @@ int tlcp_recv_client_hello(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	tls_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->dgst_ctx);
+	if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->dgst_ctx);
 	//sm3_update(&conn->sm3_ctx, conn->record + 5, conn->recordlen - 5);
 	//tlcp_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->sm3_ctx);
@@ -1575,8 +1577,9 @@ int tlcp_recv_client_hello(TLS_CONNECT *conn)
 		tls_client_verify_update(&conn->client_verify_ctx, conn->record + 5, conn->recordlen - 5);
 	*/
-
+	if(conn->verbose) {
-	fprintf(stderr, "end of recv_client_hello\n");
+		fprintf(stderr, "end of recv_client_hello\n");
 	}
 	tls_clean_record(conn);
 	return 1;
@@ -1586,7 +1589,7 @@ int tlcp_send_server_hello(TLS_CONNECT *conn)
 {
 	int ret;
-	tls_trace("send ServerHello\n");
+	if(conn->verbose) tls_trace("send ServerHello\n");
 	if (conn->recordlen == 0) {
 		uint8_t exts[TLS_MAX_EXTENSIONS_SIZE];
@@ -1661,13 +1664,13 @@ int tlcp_send_server_hello(TLS_CONNECT *conn)
 			tls_send_alert(conn, TLS_alert_internal_error);
 			return -1;
 		}
-		tlcp_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
+		if(conn->verbose) tlcp_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
 		if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
 			error_print();
 			return -1;
 		}
-		tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx);
+		if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx);
 	}
 	if ((ret = tls_send_record(conn)) != 1) {
@@ -1710,7 +1713,7 @@ int tlcp_send_server_certificate(TLS_CONNECT *conn)
 {
 	int ret;
-	tls_trace("send ServerCertificate\n");
+	if(conn->verbose) tls_trace("send ServerCertificate\n");
 	if (conn->recordlen == 0) {
 		if (!conn->cert_chain || !conn->cert_chain_len) {
@@ -1730,7 +1733,7 @@ int tlcp_send_server_certificate(TLS_CONNECT *conn)
 			error_print();
 			return -1;
 		}
-		tls_handshake_digest_print(stderr, 0, 0, "Certificate", &conn->dgst_ctx);
+		if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "Certificate", &conn->dgst_ctx);
 	}
 	if ((ret = tls_send_record(conn)) != 1) {
@@ -1761,7 +1764,7 @@ int tlcp_send_server_key_exchange(TLS_CONNECT *conn)
 	size_t server_ecc_params_len;
 	int ret;
-	tls_trace("send ServerKeyExchange\n");
+	if(conn->verbose) tls_trace("send ServerKeyExchange\n");
 	if (conn->recordlen == 0) {
 		X509_KEY *sign_key;
@@ -1814,7 +1817,7 @@ int tlcp_send_server_key_exchange(TLS_CONNECT *conn)
 			error_print();
 			return -1;
 		}
-		tls_handshake_digest_print(stderr, 0, 0, "ServerKeyExchange", &conn->dgst_ctx);
+		if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerKeyExchange", &conn->dgst_ctx);
 	}
 	if ((ret = tls_send_record(conn)) != 1) {
@@ -1961,6 +1964,10 @@ static int tlcp_generate_record_keys(TLS_CONNECT *conn)
 static void tlcp_secrets_print(TLS_CONNECT *conn)
 {
 	if (conn->verbose < 5) {
 		return;
 	}
 	if (conn->cipher_suite == TLS_cipher_ecc_sm4_gcm_sm3) {
 		size_t keylen = conn->cipher->key_size;
@@ -1984,7 +1991,7 @@ static void tlcp_secrets_print(TLS_CONNECT *conn)
 int tlcp_generate_keys(TLS_CONNECT *conn)
 {
-	tls_trace("generate secrets\n");
+	if(conn->verbose) tls_trace("generate secrets\n");
 	if (tlcp_generate_master_secret(conn) != 1
 		|| tlcp_generate_key_block(conn) != 1
@@ -2069,7 +2076,7 @@ int tlcp_recv_client_key_exchange(TLS_CONNECT *conn)
 	X509_KEY *enc_key;
 	int ret;
-	tls_trace("recv ClientKeyExchange\n");
+	if(conn->verbose) tls_trace("recv ClientKeyExchange\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -2120,7 +2127,7 @@ int tlcp_recv_client_key_exchange(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	tls_handshake_digest_print(stderr, 0, 0, "ClientKeyExchange", &conn->dgst_ctx);
+	if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ClientKeyExchange", &conn->dgst_ctx);
 	if (tlcp_generate_keys(conn) != 1) {
 		error_print();
@@ -2155,7 +2162,7 @@ int tlcp_recv_client_finished(TLS_CONNECT *conn)
 		return -1;
 	}
-	tls_trace("recv client {Finished}\n");
+	if(conn->verbose) tls_trace("recv client {Finished}\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -2196,7 +2203,7 @@ int tlcp_recv_client_finished(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	tls_handshake_digest_print(stderr, 0, 0, "client Finished", &conn->dgst_ctx);
+	if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "client Finished", &conn->dgst_ctx);
 	return 1;
 }
@@ -2207,7 +2214,7 @@ int tlcp_send_server_finished(TLS_CONNECT *conn)
 	uint8_t verify_data[12];
 	if (conn->recordlen == 0) {
-		tls_trace("send server {Finished}\n");
+		if(conn->verbose) tls_trace("send server {Finished}\n");
 		if (tls_compute_verify_data(conn->master_secret, "server finished",
 			&conn->dgst_ctx, verify_data) != 1) {
--- a/src/tls.c
+++ b/src/tls.c
@@ -1636,7 +1636,6 @@ int tls_record_recv(uint8_t *record, size_t *recordlen, tls_socket_t sock)
 			p += n;
 			len -= n;
 		} else if (n == 0) {
 			tls_trace("TCP connection closed");
 			*recordlen = 0;
 			return 0;
 		} else {
@@ -1674,7 +1673,6 @@ int tls_record_recv(uint8_t *record, size_t *recordlen, tls_socket_t sock)
 			p += n;
 			len -= n;
 		} else if (n == 0) {
 			tls_trace("connection closed");
 			*recordlen = 0;
 			return 0;
 		} else {
@@ -1738,7 +1736,7 @@ int tls_send_alert(TLS_CONNECT *conn, int alert)
 		error_print();
 		return -1;
 	}
-	tls_record_trace(stderr, record, sizeof(record), 0, 0);
+	if(conn->verbose) tls_record_trace(stderr, record, sizeof(record), 0, 0);
 	return 1;
 }
@@ -1787,7 +1785,7 @@ int tls_send_warning(TLS_CONNECT *conn, int alert)
 		error_print();
 		return -1;
 	}
-	tls_record_trace(stderr, record, sizeof(record), 0, 0);
+	if(conn->verbose) tls_record_trace(stderr, record, sizeof(record), 0, 0);
 	return 1;
 }
@@ -1848,7 +1846,7 @@ static int tls_encrypt_send(TLS_CONNECT *conn, int record_type, const uint8_t *i
 			error_print();
 			return -1;
 		}
-		tls_record_trace(stderr, conn->databuf, tls_record_length(conn->databuf), 0, 0);
+		if(conn->verbose) tls_record_trace(stderr, conn->databuf, tls_record_length(conn->databuf), 0, 0);
 		if (conn->protocol == TLS_protocol_tls12) {
 			switch (conn->cipher_suite) {
@@ -1895,7 +1893,7 @@ static int tls_encrypt_send(TLS_CONNECT *conn, int record_type, const uint8_t *i
 		conn->record_offset = 0;
 		conn->sentlen = inlen;
 		conn->send_state = TLS_state_send_record;
-		tls_encrypted_record_trace(stderr, conn->record, recordlen, 0, 0);
+		if(conn->verbose) tls_encrypted_record_trace(stderr, conn->record, recordlen, 0, 0);
 	}
 	ret = tls_send_record(conn);
@@ -1935,7 +1933,7 @@ int tls_decrypt_recv(TLS_CONNECT *conn)
 		seq_num = conn->client_seq_num;
 	}
-	tls_trace("recv Encrypted Record\n");
+	if(conn->verbose) tls_trace("recv Encrypted Record\n");
 	if (conn->send_state) {
 		return TLS_ERROR_SEND_AGAIN;
 	}
@@ -1950,7 +1948,7 @@ int tls_decrypt_recv(TLS_CONNECT *conn)
 	}
 	conn->recv_state = 0;
 	recordlen = conn->recordlen;
-	tls_encrypted_record_trace(stderr, record, recordlen, 0, 0);
+	if(conn->verbose) tls_encrypted_record_trace(stderr, record, recordlen, 0, 0);
 	if (conn->protocol == TLS_protocol_tls12) {
 		if (tls12_record_decrypt(conn->cipher_suite, hmac_ctx, dec_key, fixed_iv, seq_num,
@@ -1977,14 +1975,14 @@ int tls_decrypt_recv(TLS_CONNECT *conn)
 	conn->data = tls_record_data(conn->databuf);
 	conn->datalen = tls_record_data_length(conn->databuf);
-	tls_record_trace(stderr, conn->databuf, tls_record_length(conn->databuf), 0, 0);
+	if(conn->verbose) tls_record_trace(stderr, conn->databuf, tls_record_length(conn->databuf), 0, 0);
 	return 1;
 }
 static int tls12_tlcp_send(TLS_CONNECT *conn, const uint8_t *in, size_t inlen, size_t *sentlen)
 {
-	tls_trace("send ApplicationData\n");
+	if(conn->verbose) tls_trace("send ApplicationData\n");
 	return tls_encrypt_send(conn, TLS_record_application_data, in, inlen, sentlen);
 }
@@ -2038,14 +2036,14 @@ static int tls12_tlcp_recv(TLS_CONNECT *conn, uint8_t *out, size_t outlen, size_
 			int alert;
 			tls_record_get_alert(conn->databuf, &level, &alert);
 			if (alert == TLS_alert_close_notify) {
-				tls_trace("recv Alert.close_notify\n");
+				if(conn->verbose) tls_trace("recv Alert.close_notify\n");
 				conn->close_notify_received = 1;
 				conn->data = NULL;
 				conn->datalen = 0;
 				tls_clean_record(conn);
 				return 0;
 			}
-			tls_trace("alert received\n");
+			if(conn->verbose) tls_trace("alert received\n");
 			conn->data = NULL;
 			conn->datalen = 0;
 			tls_clean_record(conn);
@@ -2109,7 +2107,7 @@ static int tls13_send_close_notify(TLS_CONNECT *conn)
 			seq_num = conn->server_seq_num;
 		}
-		tls_trace("send Alert.close_notify\n");
+		if(conn->verbose) tls_trace("send Alert.close_notify\n");
 		tls_record_set_alert(conn->plain_record, &conn->plain_recordlen,
 			TLS_alert_level_warning, TLS_alert_close_notify);
@@ -2153,7 +2151,7 @@ static int tls_send_close_notify(TLS_CONNECT *conn)
 	alert[0] = TLS_alert_level_warning;
 	alert[1] = TLS_alert_close_notify;
-	tls_trace("send Alert.close_notify\n");
+	if(conn->verbose) tls_trace("send Alert.close_notify\n");
 	return tls_encrypt_send(conn, TLS_record_alert, alert, sizeof(alert), &sentlen);
 }
@@ -2187,7 +2185,7 @@ int tls_shutdown(TLS_CONNECT *conn)
 	}
 	if (conn->shutdown_state == TLS_state_shutdown_recv_close_notify) {
-		tls_trace("recv Alert.close_notify\n");
+		if(conn->verbose) tls_trace("recv Alert.close_notify\n");
 		ret = tls_recv(conn, buf, sizeof(buf), &len);
 		if (ret == 0 && conn->close_notify_received) {
 			conn->shutdown_state = TLS_state_shutdown_over;
@@ -2197,7 +2195,7 @@ int tls_shutdown(TLS_CONNECT *conn)
 			return ret;
 		}
 		if (ret == TLS_ERROR_TCP_CLOSED) {
-			tls_trace("Connection closed by remote without close_notify\n");
+			if(conn->verbose) tls_trace("Connection closed by remote without close_notify\n");
 			return ret;
 		}
 		error_print();
@@ -2586,6 +2584,20 @@ int tls_ctx_set_ca_certificates(TLS_CTX *ctx, const char *cacertsfile, int depth
 	return 1;
 }
 int tls_ctx_set_verbose(TLS_CTX *ctx, int verbose)
 {
 	if (!ctx) {
 		error_print();
 		return -1;
 	}
 	if (verbose < 0 || verbose > 5) {
 		error_print();
 		return -1;
 	}
 	ctx->verbose = verbose;
 	return 1;
 }
 int tls_ctx_enable_verbose(TLS_CTX *ctx, int enable)
 {
 	if (!ctx) {
@@ -3030,6 +3042,7 @@ int tls_init(TLS_CONNECT *conn, TLS_CTX *ctx)
 	conn->is_client = ctx->is_client; // TODO: remove conn->is_client
 	conn->protocol = ctx->protocol;
 	conn->verbose = ctx->verbose;
 	if (conn->is_client && ctx->cert_chains_len) {
@@ -3067,7 +3080,9 @@ int tls_init(TLS_CONNECT *conn, TLS_CTX *ctx)
 			return -1;
 		}
-		fprintf(stderr, "%s %d: conn->key_exchange_modes = %d\n", __FILE__, __LINE__, conn->key_exchange_modes);
+		if(conn->verbose) {
 			fprintf(stderr, "%s %d: conn->key_exchange_modes = %d\n", __FILE__, __LINE__, conn->key_exchange_modes);
 		}
 		if (conn->key_exchange_modes & (TLS_KE_CERT_DHE|TLS_KE_PSK_DHE)) {
 			conn->key_share = 1;
@@ -3099,6 +3114,20 @@ void tls_cleanup(TLS_CONNECT *conn)
 	gmssl_secure_clear(conn, sizeof(TLS_CONNECT));
 }
 int tls_set_verbose(TLS_CONNECT *conn, int verbose)
 {
 	if (!conn) {
 		error_print();
 		return -1;
 	}
 	if (verbose < 0 || verbose > 5) {
 		error_print();
 		return -1;
 	}
 	conn->verbose = verbose;
 	return 1;
 }
 int tls_set_socket(TLS_CONNECT *conn, tls_socket_t sock)
 {
 #ifdef WIN32
--- a/src/tls12.c
+++ b/src/tls12.c
@@ -833,7 +833,7 @@ int tls_send_client_hello(TLS_CONNECT *conn)
 		const int *client_cipher_suites = conn->ctx->cipher_suites;
 		size_t client_cipher_suites_cnt = conn->ctx->cipher_suites_cnt;
-		tls_trace("send ClientHello\n");
+		if(conn->verbose) tls_trace("send ClientHello\n");
 		tls_record_set_protocol(conn->record, TLS_protocol_tls1);
@@ -1310,7 +1310,7 @@ int tls_recv_client_hello(TLS_CONNECT *conn)
 	*/
-	tls_trace("recv ClientHello\n");
+	if(conn->verbose) tls_trace("recv ClientHello\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -1318,7 +1318,7 @@ int tls_recv_client_hello(TLS_CONNECT *conn)
 		}
 		return ret;
 	}
-	tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
+	if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
 	if (tls_record_protocol(conn->record) != TLS_protocol_tls1) {
 		error_print();
@@ -1624,7 +1624,7 @@ int tls_recv_client_hello(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	tls_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->dgst_ctx);
+	if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->dgst_ctx);
@@ -1635,7 +1635,9 @@ int tls_recv_client_hello(TLS_CONNECT *conn)
 	*/
-	fprintf(stderr, "end of recv_client_hello\n");
+	if(conn->verbose) {
 		fprintf(stderr, "end of recv_client_hello\n");
 	}
 	tls_clean_record(conn);
 	return 1;
 }
@@ -1644,7 +1646,7 @@ int tls_send_server_hello(TLS_CONNECT *conn)
 {
 	int ret;
-	tls_trace("send ServerHello\n");
+	if(conn->verbose) tls_trace("send ServerHello\n");
 	if (conn->recordlen == 0) {
@@ -1703,14 +1705,14 @@ int tls_send_server_hello(TLS_CONNECT *conn)
 			tls_send_alert(conn, TLS_alert_internal_error);
 			return -1;
 		}
-		tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
+		if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
 		if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
 			error_print();
 			return -1;
 		}
-		tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx);
+		if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx);
 	}
@@ -1746,7 +1748,7 @@ int tls_recv_server_hello(TLS_CONNECT *conn)
 	int trusted_ca_keys = 0;
 	int renegotiation_info = 0;
-	tls_trace("recv ServerHello\n");
+	if(conn->verbose) tls_trace("recv ServerHello\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -1894,13 +1896,13 @@ int tls_recv_server_hello(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	tls_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->dgst_ctx);
+	if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->dgst_ctx);
 	if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
 		error_print();
 		return -1;
 	}
-	tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx);
+	if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx);
@@ -1919,7 +1921,7 @@ int tls_recv_server_hello(TLS_CONNECT *conn)
 int tls_send_server_certificate(TLS_CONNECT *conn)
 {
 	int ret;
-	tls_trace("send ServerCertificate\n");
+	if(conn->verbose) tls_trace("send ServerCertificate\n");
 	if (conn->recordlen == 0) {
 		if (tls_record_set_handshake_certificate(conn->record, &conn->recordlen,
@@ -1928,13 +1930,13 @@ int tls_send_server_certificate(TLS_CONNECT *conn)
 			tls_send_alert(conn, TLS_alert_internal_error);
 			return -1;
 		}
-		tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
+		if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
 		if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
 			error_print();
 			return -1;
 		}
-		tls_handshake_digest_print(stderr, 0, 0, "Certificate", &conn->dgst_ctx);
+		if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "Certificate", &conn->dgst_ctx);
 	}
@@ -1965,7 +1967,7 @@ int tls_recv_server_certificate(TLS_CONNECT *conn)
 	size_t signature_algorithms_cert_cnt = 0;
-	tls_trace("recv server Certificate\n");
+	if(conn->verbose) tls_trace("recv server Certificate\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -1973,7 +1975,7 @@ int tls_recv_server_certificate(TLS_CONNECT *conn)
 		}
 		return ret;
 	}
-	tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
+	if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
 	if (tls_record_protocol(conn->record) != conn->protocol) {
 		error_print();
@@ -2001,7 +2003,7 @@ int tls_recv_server_certificate(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	tls_handshake_digest_print(stderr, 0, 0, "Certificate", &conn->dgst_ctx);
+	if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "Certificate", &conn->dgst_ctx);
 	// server_sign_key
@@ -2145,7 +2147,7 @@ int tls_send_server_key_exchange(TLS_CONNECT *conn)
 {
 	int ret;
-	tls_trace("send ServerKeyExchange\n");
+	if(conn->verbose) tls_trace("send ServerKeyExchange\n");
 	if (conn->recordlen == 0) {
 		int curve_oid = tls_named_curve_oid(conn->key_exchange_group);
@@ -2198,13 +2200,13 @@ int tls_send_server_key_exchange(TLS_CONNECT *conn)
 			tls_send_alert(conn, TLS_alert_internal_error);
 			return -1;
 		}
-		tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
+		if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
 		if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
 			error_print();
 			return -1;
 		}
-		tls_handshake_digest_print(stderr, 0, 0, "ServerKeyExchange", &conn->dgst_ctx);
+		if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerKeyExchange", &conn->dgst_ctx);
 	}
@@ -2312,7 +2314,7 @@ int tls_recv_server_key_exchange(TLS_CONNECT *conn)
 	const void *sign_args = NULL;
 	size_t sign_argslen = 0;
-	tls_trace("recv ServerKeyExchange\n");
+	if(conn->verbose) tls_trace("recv ServerKeyExchange\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -2325,7 +2327,7 @@ int tls_recv_server_key_exchange(TLS_CONNECT *conn)
 		tls_send_alert(conn, TLS_alert_unexpected_message);
 		return -1;
 	}
-	tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
+	if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
 	if ((ret = tls12_record_get_handshake_server_key_exchange(conn->record,
@@ -2344,7 +2346,7 @@ int tls_recv_server_key_exchange(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	tls_handshake_digest_print(stderr, 0, 0, "ServerKeyExchange", &conn->dgst_ctx);
+	if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerKeyExchange", &conn->dgst_ctx);
 	switch (conn->cipher_suite) {
 	case TLS_cipher_ecdhe_sm4_cbc_sm3:
@@ -2472,7 +2474,9 @@ int tls_recv_server_key_exchange(TLS_CONNECT *conn)
 		return -1;
 	}
-	fprintf(stderr, ">>>>>> ServerKeyExchange verify success\n");
+	if(conn->verbose) {
 		fprintf(stderr, ">>>>>> ServerKeyExchange verify success\n");
 	}
 	// xxxx
@@ -2499,7 +2503,7 @@ int tls_send_certificate_request(TLS_CONNECT *conn)
 	}
 	if (conn->recordlen == 0) {
-		tls_trace("send CertificateRequest\n");
+		if(conn->verbose) tls_trace("send CertificateRequest\n");
 		if (tls_authorities_from_certs(ca_names, &ca_names_len, sizeof(ca_names),
 			conn->ctx->cacerts, conn->ctx->cacertslen) != 1) {
 			error_print();
@@ -2513,7 +2517,7 @@ int tls_send_certificate_request(TLS_CONNECT *conn)
 			tls_send_alert(conn, TLS_alert_internal_error);
 			return -1;
 		}
-		tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
+		if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
 	}
 	if ((ret = tls_send_record(conn)) != 1) {
@@ -2542,7 +2546,7 @@ int tls_recv_certificate_request(TLS_CONNECT *conn)
 	const uint8_t *ca_names;
 	size_t ca_names_len;
-	tls_trace("recv CertificateRequest*\n");
+	if(conn->verbose) tls_trace("recv CertificateRequest*\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -2563,10 +2567,10 @@ int tls_recv_certificate_request(TLS_CONNECT *conn)
 	}
 	if (handshake_type != TLS_handshake_certificate_request) {
-		tls_trace("    no CertificateRequest\n");
+		if(conn->verbose) tls_trace("    no CertificateRequest\n");
 		return 0; // 表明对方没有发送预期的报文
 	}
-	tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
+	if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
 	if (tls_record_get_handshake_certificate_request(conn->record,
@@ -2607,19 +2611,19 @@ int tls_recv_certificate_request(TLS_CONNECT *conn)
 int tls_send_server_hello_done(TLS_CONNECT *conn)
 {
 	int ret;
-	tls_trace("send ServerHelloDone\n");
+	if(conn->verbose) tls_trace("send ServerHelloDone\n");
 	if (conn->recordlen == 0) {
 		tls_record_set_handshake_server_hello_done(conn->record, &conn->recordlen);
-		tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
+		if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
 		if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
 			error_print();
 			return -1;
 		}
-		tls_handshake_digest_print(stderr, 0, 0, "ServerHelloDone", &conn->dgst_ctx);
+		if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerHelloDone", &conn->dgst_ctx);
 	}
@@ -2642,7 +2646,7 @@ int tls_send_server_hello_done(TLS_CONNECT *conn)
 int tls_recv_server_hello_done(TLS_CONNECT *conn)
 {
 	int ret;
-	tls_trace("recv ServerHelloDone\n");
+	if(conn->verbose) tls_trace("recv ServerHelloDone\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -2655,7 +2659,7 @@ int tls_recv_server_hello_done(TLS_CONNECT *conn)
 		tls_send_alert(conn, TLS_alert_unexpected_message);
 		return -1;
 	}
-	tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
+	if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
 	if (tls_record_get_handshake_server_hello_done(conn->record) != 1) {
 		error_print();
@@ -2667,7 +2671,7 @@ int tls_recv_server_hello_done(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	tls_handshake_digest_print(stderr, 0, 0, "ServerHelloDone", &conn->dgst_ctx);
+	if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerHelloDone", &conn->dgst_ctx);
@@ -2681,7 +2685,7 @@ int tls_recv_server_hello_done(TLS_CONNECT *conn)
 int tls_send_client_certificate(TLS_CONNECT *conn)
 {
 	int ret;
-	tls_trace("send ClientCertificate\n");
+	if(conn->verbose) tls_trace("send ClientCertificate\n");
 	if (conn->client_certs_len == 0) {
 		error_print();
@@ -2695,7 +2699,7 @@ int tls_send_client_certificate(TLS_CONNECT *conn)
 			tls_send_alert(conn, TLS_alert_internal_error);
 			return -1;
 		}
-		tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
+		if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
 	}
 	if ((ret = tls_send_record(conn)) != 1) {
@@ -2719,7 +2723,7 @@ int tls_recv_client_certificate(TLS_CONNECT *conn)
 	const int verify_depth = 5;
 	int verify_result;
-	tls_trace("recv ClientCertificate\n");
+	if(conn->verbose) tls_trace("recv ClientCertificate\n");
 	if (conn->ctx->cacertslen == 0) {
 		error_print();
@@ -2737,7 +2741,7 @@ int tls_recv_client_certificate(TLS_CONNECT *conn)
 		tls_send_alert(conn, TLS_alert_unexpected_message);
 		return -1;
 	}
-	tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
+	if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
 	if (tls_record_get_handshake_certificate(conn->record, conn->client_certs, &conn->client_certs_len) != 1) {
 		error_print();
 		tls_send_alert(conn, TLS_alert_unexpected_message);
@@ -2771,7 +2775,9 @@ static int tls12_generate_pre_master_secret(TLS_CONNECT *conn,
 		error_print();
 		return -1;
 	}
-	format_bytes(stderr, 0, 0, "pre_master_secret", pre_master_secret, *pre_master_secret_len);
+	if (conn->verbose >= 5) {
 		format_bytes(stderr, 0, 0, "pre_master_secret", pre_master_secret, *pre_master_secret_len);
 	}
 	return 1;
 }
@@ -2791,7 +2797,9 @@ static int tls12_generate_master_secret(TLS_CONNECT *conn,
 		return -1;
 	}
-	format_bytes(stderr, 0, 0, "master_secret", conn->master_secret, 48);
+	if (conn->verbose >= 5) {
 		format_bytes(stderr, 0, 0, "master_secret", conn->master_secret, 48);
 	}
 	return 1;
 }
@@ -2813,7 +2821,9 @@ static int tls12_generate_key_block(TLS_CONNECT *conn)
 			return -1;
 		}
-		format_bytes(stderr, 0, 0, "key_blocks", conn->key_block, key_block_len);
+		if (conn->verbose >= 5) {
 			format_bytes(stderr, 0, 0, "key_blocks", conn->key_block, key_block_len);
 		}
 		break;
 	}
 	case TLS_cipher_ecdhe_sm4_cbc_sm3:
@@ -2837,7 +2847,9 @@ static int tls12_generate_key_block(TLS_CONNECT *conn)
 		*/
-		format_bytes(stderr, 0, 0, "key_blocks", conn->key_block, 96);
+		if (conn->verbose >= 5) {
 			format_bytes(stderr, 0, 0, "key_blocks", conn->key_block, 96);
 		}
 		break;
 	default:
 		error_print();
@@ -2854,10 +2866,12 @@ static int tls12_generate_record_keys(TLS_CONNECT *conn)
 	{
 		size_t keylen = conn->cipher->key_size;
-		format_bytes(stderr, 0, 0, "client_write_key", conn->key_block, keylen);
+		if (conn->verbose >= 5) {
-		format_bytes(stderr, 0, 0, "server_write_key", conn->key_block + keylen, keylen);
+			format_bytes(stderr, 0, 0, "client_write_key", conn->key_block, keylen);
-		format_bytes(stderr, 0, 0, "client_write_iv", conn->key_block + keylen * 2, 4);
+			format_bytes(stderr, 0, 0, "server_write_key", conn->key_block + keylen, keylen);
-		format_bytes(stderr, 0, 0, "server_write_iv", conn->key_block + keylen * 2 + 4, 4);
+			format_bytes(stderr, 0, 0, "client_write_iv", conn->key_block + keylen * 2, 4);
 			format_bytes(stderr, 0, 0, "server_write_iv", conn->key_block + keylen * 2 + 4, 4);
 		}
 		memset(conn->client_write_iv, 0, sizeof(conn->client_write_iv));
 		memset(conn->server_write_iv, 0, sizeof(conn->server_write_iv));
@@ -2882,10 +2896,12 @@ static int tls12_generate_record_keys(TLS_CONNECT *conn)
 			return -1;
 		}
-		format_bytes(stderr, 0, 0, "client_write_mac_key", conn->key_block, 32);
+		if (conn->verbose >= 5) {
-		format_bytes(stderr, 0, 0, "server_write_mac_key", conn->key_block + 32, 32);
+			format_bytes(stderr, 0, 0, "client_write_mac_key", conn->key_block, 32);
-		format_bytes(stderr, 0, 0, "client_write_key", conn->key_block + 64, 16);
+			format_bytes(stderr, 0, 0, "server_write_mac_key", conn->key_block + 32, 32);
-		format_bytes(stderr, 0, 0, "server_write_key", conn->key_block + 80, 16);
+			format_bytes(stderr, 0, 0, "client_write_key", conn->key_block + 64, 16);
 			format_bytes(stderr, 0, 0, "server_write_key", conn->key_block + 80, 16);
 		}
 		if (conn->is_client) {
@@ -2964,20 +2980,20 @@ int tls_send_client_key_exchange(TLS_CONNECT *conn)
 			return -1;
 		}
-		tls_trace("send ClientKeyExchange\n");
+		if(conn->verbose) tls_trace("send ClientKeyExchange\n");
 		if (tls_record_set_handshake_client_key_exchange(conn->record, &conn->recordlen,
 			point_octets, len) != 1) {
 			error_print();
 			tls_send_alert(conn, TLS_alert_internal_error);
 			return -1;
 		}
-		tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
+		if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
 		if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
 			error_print();
 			return -1;
 		}
-		tls_handshake_digest_print(stderr, 0, 0, "ClientKeyExchange", &conn->dgst_ctx);
+		if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ClientKeyExchange", &conn->dgst_ctx);
 	}
 	if ((ret = tls_send_record(conn)) != 1) {
@@ -3004,7 +3020,7 @@ int tls_recv_client_key_exchange(TLS_CONNECT *conn)
 	const uint8_t *point_octets;
 	size_t point_octets_len;
-	tls_trace("recv ClientKeyExchange\n");
+	if(conn->verbose) tls_trace("recv ClientKeyExchange\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
 			error_print();
@@ -3016,7 +3032,7 @@ int tls_recv_client_key_exchange(TLS_CONNECT *conn)
 		tls_send_alert(conn, TLS_alert_unexpected_message);
 		return -1;
 	}
-	tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
+	if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
 	if (tls_record_get_handshake_client_key_exchange(conn->record,
 		&point_octets, &point_octets_len) != 1) {
@@ -3037,7 +3053,7 @@ int tls_recv_client_key_exchange(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	tls_handshake_digest_print(stderr, 0, 0, "ClientKeyExchange", &conn->dgst_ctx);
+	if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ClientKeyExchange", &conn->dgst_ctx);
@@ -3061,7 +3077,7 @@ int tls_send_certificate_verify(TLS_CONNECT *conn)
 	uint8_t sig[SM2_MAX_SIGNATURE_SIZE];
 	size_t siglen;
-	tls_trace("send CertificateVerify\n");
+	if(conn->verbose) tls_trace("send CertificateVerify\n");
 	if (!conn->client_certificate_verify) {
 		error_print();
@@ -3078,7 +3094,7 @@ int tls_send_certificate_verify(TLS_CONNECT *conn)
 			tls_send_alert(conn, TLS_alert_internal_error);
 			return -1;
 		}
-		tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
+		if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
 	}
 	if ((ret = tls_send_record(conn)) != 1) {
@@ -3108,7 +3124,7 @@ int tls_recv_certificate_verify(TLS_CONNECT *conn)
 		return -1;
 	}
-	tls_trace("recv CertificateVerify\n");
+	if(conn->verbose) tls_trace("recv CertificateVerify\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
 			error_print();
@@ -3120,7 +3136,7 @@ int tls_recv_certificate_verify(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
+	if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
 	// get signature from certificate_verify
 	if (tls_record_get_handshake_certificate_verify(conn->record, &sig, &siglen) != 1) {
@@ -3163,13 +3179,13 @@ int tls_send_change_cipher_spec(TLS_CONNECT *conn)
 {
 	int ret;
 	if (conn->recordlen == 0) {
-		tls_trace("send [ChangeCipherSpec]\n");
+		if(conn->verbose) tls_trace("send [ChangeCipherSpec]\n");
 		if (tls_record_set_change_cipher_spec(conn->record, &conn->recordlen) !=1) {
 			error_print();
 			tls_send_alert(conn, TLS_alert_internal_error);
 			return -1;
 		}
-		tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
+		if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
 	}
 	if ((ret = tls_send_record(conn)) != 1) {
 		if (ret != TLS_ERROR_SEND_AGAIN) {
@@ -3184,7 +3200,7 @@ int tls_recv_change_cipher_spec(TLS_CONNECT *conn)
 {
 	int ret;
-	tls_trace("recv [ChangeCipherSpec]\n");
+	if(conn->verbose) tls_trace("recv [ChangeCipherSpec]\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
 			error_print();
@@ -3198,7 +3214,7 @@ int tls_recv_change_cipher_spec(TLS_CONNECT *conn)
 		return -1;
 	}
-	tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
+	if(conn->verbose) tls12_record_trace(stderr, conn->record, conn->recordlen, 0, 0);
 	if (tls_record_get_change_cipher_spec(conn->record) != 1) {
 		error_print();
 		tls_send_alert(conn, TLS_alert_unexpected_message);
@@ -3213,7 +3229,7 @@ int tls_send_client_finished(TLS_CONNECT *conn)
 	if (conn->recordlen == 0) {
-		tls_trace("send client {Finished}\n");
+		if(conn->verbose) tls_trace("send client {Finished}\n");
 		uint8_t local_verify_data[12];
@@ -3244,13 +3260,13 @@ int tls_send_client_finished(TLS_CONNECT *conn)
 			return -1;
 		}
-		tls12_record_trace(stderr, conn->plain_record, conn->plain_recordlen, 0, 0);
+		if(conn->verbose) tls12_record_trace(stderr, conn->plain_record, conn->plain_recordlen, 0, 0);
 		if (digest_update(&conn->dgst_ctx, conn->plain_record + 5, conn->plain_recordlen - 5) != 1) {
 			error_print();
 			return -1;
 		}
-		tls_handshake_digest_print(stderr, 0, 0, "Finished", &conn->dgst_ctx);
+		if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "Finished", &conn->dgst_ctx);
 		if (tls12_record_encrypt(conn->cipher_suite,
 			&conn->client_write_mac_ctx, &conn->client_write_key, conn->client_write_iv,
@@ -3263,7 +3279,9 @@ int tls_send_client_finished(TLS_CONNECT *conn)
 		}
 		tls_seq_num_incr(conn->client_seq_num);
-		format_bytes(stderr, 0, 0, "encrypted finsished ..... ", conn->record, conn->recordlen);
+		if (conn->verbose >= 5) {
 			format_bytes(stderr, 0, 0, "encrypted finsished ..... ", conn->record, conn->recordlen);
 		}
 	}
 	if ((ret = tls_send_record(conn)) != 1) {
@@ -3301,11 +3319,13 @@ int tls_recv_client_finished(TLS_CONNECT *conn)
 		tls_send_alert(conn, TLS_alert_internal_error);
 		return -1;
 	}
-	format_bytes(stderr, 0, 0, "verify_data", local_verify_data, 12);
+	if (conn->verbose >= 5) {
 		format_bytes(stderr, 0, 0, "verify_data", local_verify_data, 12);
 	}
 	// recv ClientFinished
-	tls_trace("recv client {Finished}\n");
+	if(conn->verbose) tls_trace("recv client {Finished}\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
 			error_print();
@@ -3314,7 +3334,9 @@ int tls_recv_client_finished(TLS_CONNECT *conn)
 	}
 	//tls12_record_print(stderr, conn->record, conn->recordlen, 0, 0);
-	format_bytes(stderr, 0, 0, "Finished", conn->record, conn->recordlen);
+	if (conn->verbose >= 5) {
 		format_bytes(stderr, 0, 0, "Finished", conn->record, conn->recordlen);
 	}
 	if (tls_record_protocol(conn->record) != conn->protocol) {
@@ -3324,10 +3346,12 @@ int tls_recv_client_finished(TLS_CONNECT *conn)
 	}
 	// decrypt ClientFinished
-	tls_trace(">>>>>>>decrypt Finished\n");
+	if(conn->verbose) tls_trace(">>>>>>>decrypt Finished\n");
-	format_bytes(stderr, 0, 0, "client_seq_num", conn->client_seq_num, 8);
+	if (conn->verbose >= 5) {
 		format_bytes(stderr, 0, 0, "client_seq_num", conn->client_seq_num, 8);
 	}
 	if (tls12_record_decrypt(conn->cipher_suite, &conn->client_write_mac_ctx, &conn->client_write_key,
 		conn->client_write_iv, conn->client_seq_num, conn->record, conn->recordlen,
@@ -3340,7 +3364,7 @@ int tls_recv_client_finished(TLS_CONNECT *conn)
-	tls12_record_trace(stderr, conn->plain_record, conn->plain_recordlen, 0, 0);
+	if(conn->verbose) tls12_record_trace(stderr, conn->plain_record, conn->plain_recordlen, 0, 0);
 	if (tls_record_get_handshake_finished(conn->plain_record, &verify_data, &verify_data_len) != 1) {
 		error_print();
@@ -3358,7 +3382,7 @@ int tls_recv_client_finished(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	tls_handshake_digest_print(stderr, 0, 0, "client Finished", &conn->dgst_ctx);
+	if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "client Finished", &conn->dgst_ctx);
 	// verify ClientFinished
@@ -3383,7 +3407,7 @@ int tls_send_server_finished(TLS_CONNECT *conn)
 	tls_record_set_protocol(conn->plain_record, conn->protocol);
 	if (conn->recordlen == 0) {
-		tls_trace("send server Finished\n");
+		if(conn->verbose) tls_trace("send server Finished\n");
 		uint8_t dgst[32];
 		size_t dgstlen;
@@ -3396,7 +3420,9 @@ int tls_send_server_finished(TLS_CONNECT *conn)
 			return -1;
 		}
-		format_bytes(stderr, 0, 0, "server verify_data", local_verify_data, 12);
+		if (conn->verbose >= 5) {
 			format_bytes(stderr, 0, 0, "server verify_data", local_verify_data, 12);
 		}
 		if (tls_record_set_handshake_finished(conn->plain_record, &conn->plain_recordlen,
 			local_verify_data, sizeof(local_verify_data)) != 1) {
@@ -3404,7 +3430,7 @@ int tls_send_server_finished(TLS_CONNECT *conn)
 			tls_send_alert(conn, TLS_alert_internal_error);
 			return -1;
 		}
-		tls12_record_trace(stderr, conn->plain_record, conn->plain_recordlen, 0, 0);
+		if(conn->verbose) tls12_record_trace(stderr, conn->plain_record, conn->plain_recordlen, 0, 0);
 		if (tls12_record_encrypt(conn->cipher_suite,
 			&conn->server_write_mac_ctx, &conn->server_write_key, conn->server_write_iv,
@@ -3454,11 +3480,13 @@ int tls_recv_server_finished(TLS_CONNECT *conn)
 		tls_send_alert(conn, TLS_alert_internal_error);
 		return -1;
 	}
-	format_bytes(stderr, 0, 0, ">>> verify_data", local_verify_data, 12);
+	if (conn->verbose >= 5) {
 		format_bytes(stderr, 0, 0, ">>> verify_data", local_verify_data, 12);
 	}
 	// Finished
-	tls_trace("recv server Finished\n");
+	if(conn->verbose) tls_trace("recv server Finished\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
 			error_print();
@@ -3472,10 +3500,12 @@ int tls_recv_server_finished(TLS_CONNECT *conn)
 	}
-	tls_trace("decrypt Finished\n");
+	if(conn->verbose) tls_trace("decrypt Finished\n");
-	format_bytes(stderr, 0, 0, "server_seq_num", conn->server_seq_num, 8);
+	if (conn->verbose >= 5) {
 		format_bytes(stderr, 0, 0, "server_seq_num", conn->server_seq_num, 8);
 	}
 	if (tls12_record_decrypt(conn->cipher_suite, &conn->server_write_mac_ctx, &conn->server_write_key,
 		conn->server_write_iv, conn->server_seq_num, conn->record, conn->recordlen,
@@ -3506,7 +3536,7 @@ int tls_recv_server_finished(TLS_CONNECT *conn)
 		return -1;
 	}
-	if (!conn->ctx->quiet)
+	if(conn->verbose)
 		fprintf(stderr, "Connection established!\n");
 	return 1;
@@ -3562,16 +3592,22 @@ int tls12_do_client_handshake(TLS_CONNECT *conn)
 	// the only optional state
 	case TLS_state_certificate_request:
-		fprintf(stderr, "TLS_state_certificate_request\n");
+		if(conn->verbose) {
 			fprintf(stderr, "TLS_state_certificate_request\n");
 		}
 		ret = tls_recv_certificate_request(conn);
-		fprintf(stderr, "    ret = %d\n", ret);
+		if(conn->verbose) {
 			fprintf(stderr, "    ret = %d\n", ret);
 		}
 		if (ret == 1) conn->client_certificate_verify = 1;
 		next_state = TLS_state_server_hello_done;
 		break;
 	case TLS_state_server_hello_done:
-		fprintf(stderr, "TLS_state_server_hello_done\n");
+		if(conn->verbose) {
 			fprintf(stderr, "TLS_state_server_hello_done\n");
 		}
 		ret = tls_recv_server_hello_done(conn);
 		if (conn->client_certificate_verify)
 			next_state = TLS_state_client_certificate;
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -479,13 +479,13 @@ int tls13_generate_early_keys(TLS_CONNECT *conn)
 	}
 	tls_seq_num_reset(conn->client_seq_num);
-	/*
+	if (conn->verbose >= 5) {
-	format_print(stderr, 0, 0, "generate_early_keys\n");
+		format_print(stderr, 0, 0, "generate_early_keys\n");
-	format_bytes(stderr, 0, 4, "early_secret", conn->early_secret, conn->digest->digest_size);
+		format_bytes(stderr, 0, 4, "early_secret", conn->early_secret, conn->digest->digest_size);
-	format_bytes(stderr, 0, 4, "client_early_traffic_secret", conn->client_early_traffic_secret, conn->digest->digest_size);
+		format_bytes(stderr, 0, 4, "client_early_traffic_secret", conn->client_early_traffic_secret, conn->digest->digest_size);
-	format_bytes(stderr, 0, 4, "client_write_key", client_write_key, client_write_key_len);
+		format_bytes(stderr, 0, 4, "client_write_key", client_write_key, client_write_key_len);
-	format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, TLS13_IV_SIZE);
+		format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, TLS13_IV_SIZE);
-	*/
+	}
 	gmssl_secure_clear(client_write_key, sizeof(client_write_key));
 	return 1;
@@ -532,15 +532,15 @@ int tls13_generate_handshake_secrets(TLS_CONNECT *conn)
 		return -1;
 	}
-	/*
+	if (conn->verbose >= 5) {
-	format_print(stderr, 0, 0, "generate_handshake_secrets\n");
+		format_print(stderr, 0, 0, "generate_handshake_secrets\n");
-	format_bytes(stderr, 0, 4, "early_secret", conn->early_secret, conn->digest->digest_size);
+		format_bytes(stderr, 0, 4, "early_secret", conn->early_secret, conn->digest->digest_size);
-	format_bytes(stderr, 0, 4, "derived_secret", derived_secret, conn->digest->digest_size);
+		format_bytes(stderr, 0, 4, "derived_secret", derived_secret, conn->digest->digest_size);
-	format_bytes(stderr, 0, 4, "ecdhe_shared_secret", ecdhe_shared_secret, ecdhe_shared_secret_len);
+		format_bytes(stderr, 0, 4, "ecdhe_shared_secret", ecdhe_shared_secret, ecdhe_shared_secret_len);
-	format_bytes(stderr, 0, 4, "handshake_secret",conn->handshake_secret, conn->digest->digest_size);
+		format_bytes(stderr, 0, 4, "handshake_secret", conn->handshake_secret, conn->digest->digest_size);
-	format_bytes(stderr, 0, 4, "client_handshake_traffic_secret", conn->client_handshake_traffic_secret, conn->digest->digest_size);
+		format_bytes(stderr, 0, 4, "client_handshake_traffic_secret", conn->client_handshake_traffic_secret, conn->digest->digest_size);
-	format_bytes(stderr, 0, 4, "server_handshake_traffic_secret", conn->server_handshake_traffic_secret, conn->digest->digest_size);
+		format_bytes(stderr, 0, 4, "server_handshake_traffic_secret", conn->server_handshake_traffic_secret, conn->digest->digest_size);
-	*/
+	}
 	gmssl_secure_clear(ecdhe_shared_secret, sizeof(ecdhe_shared_secret));
 	gmssl_secure_clear(derived_secret, sizeof(derived_secret));
@@ -567,10 +567,10 @@ int tls13_generate_master_secret(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	/*
+	if (conn->verbose >= 5) {
-	format_print(stderr, 0, 0, "generate_master_secret\n");
+		format_print(stderr, 0, 0, "generate_master_secret\n");
-	format_bytes(stderr, 0, 4, "master_secret", conn->master_secret, conn->digest->digest_size);
+		format_bytes(stderr, 0, 4, "master_secret", conn->master_secret, conn->digest->digest_size);
-	*/
+	}
 	return 1;
 }
@@ -594,12 +594,12 @@ int tls13_generate_client_handshake_keys(TLS_CONNECT *conn)
 	}
 	tls_seq_num_reset(conn->client_seq_num);
-	/*
+	if (conn->verbose >= 5) {
-	format_print(stderr, 0, 0, "generate_client_handshake_keys\n");
+		format_print(stderr, 0, 0, "generate_client_handshake_keys\n");
-	format_bytes(stderr, 0, 4, "client_write_key", client_write_key, client_write_key_len);
+		format_bytes(stderr, 0, 4, "client_write_key", client_write_key, client_write_key_len);
-	format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, TLS13_IV_SIZE);
+		format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, TLS13_IV_SIZE);
-	format_print(stderr, 0, 4, "client_seq_num: %"PRIu64"\n", GETU64(conn->client_seq_num));
+		format_print(stderr, 0, 4, "client_seq_num: %"PRIu64"\n", GETU64(conn->client_seq_num));
-	*/
+	}
 	gmssl_secure_clear(client_write_key, sizeof(client_write_key));
 	return 1;
@@ -625,12 +625,12 @@ int tls13_generate_server_handshake_keys(TLS_CONNECT *conn)
 	}
 	tls_seq_num_reset(conn->server_seq_num);
-	/*
+	if (conn->verbose >= 5) {
-	format_print(stderr, 0, 0, "generate_server_handshake_keys\n");
+		format_print(stderr, 0, 0, "generate_server_handshake_keys\n");
-	format_bytes(stderr, 0, 4, "server_write_key", server_write_key, server_write_key_len);
+		format_bytes(stderr, 0, 4, "server_write_key", server_write_key, server_write_key_len);
-	format_bytes(stderr, 0, 4, "server_write_iv", conn->server_write_iv, TLS13_IV_SIZE);
+		format_bytes(stderr, 0, 4, "server_write_iv", conn->server_write_iv, TLS13_IV_SIZE);
-	format_print(stderr, 0, 4, "server_seq_num: %"PRIu64"\n", GETU64(conn->server_seq_num));
+		format_print(stderr, 0, 4, "server_seq_num: %"PRIu64"\n", GETU64(conn->server_seq_num));
-	*/
+	}
 	gmssl_secure_clear(server_write_key, sizeof(server_write_key));
 	return 1;
@@ -647,11 +647,11 @@ int tls13_generate_application_secrets(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	/*
+	if (conn->verbose >= 5) {
-	format_print(stderr, 0, 0, "generate_application_secrets\n");
+		format_print(stderr, 0, 0, "generate_application_secrets\n");
-	format_bytes(stderr, 0, 4, "client_application_traffic_secret", conn->client_application_traffic_secret, conn->dgst_ctx.digest->digest_size);
+		format_bytes(stderr, 0, 4, "client_application_traffic_secret", conn->client_application_traffic_secret, conn->dgst_ctx.digest->digest_size);
-	format_bytes(stderr, 0, 4, "server_application_traffic_secret", conn->server_application_traffic_secret, conn->dgst_ctx.digest->digest_size);
+		format_bytes(stderr, 0, 4, "server_application_traffic_secret", conn->server_application_traffic_secret, conn->dgst_ctx.digest->digest_size);
-	*/
+	}
 	return 1;
 }
@@ -666,11 +666,11 @@ int tls13_update_client_application_secret(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	/*
+	if (conn->verbose >= 5) {
-	format_print(stderr, 0, 0, "update_client_application_secret\n");
+		format_print(stderr, 0, 0, "update_client_application_secret\n");
-	format_bytes(stderr, 0, 4, "client_application_traffic_secret",
+		format_bytes(stderr, 0, 4, "client_application_traffic_secret",
-		conn->client_application_traffic_secret, conn->digest->digest_size);
+			conn->client_application_traffic_secret, conn->digest->digest_size);
-	*/
+	}
 	return 1;
 }
@@ -685,11 +685,11 @@ int tls13_update_server_application_secret(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	/*
+	if (conn->verbose >= 5) {
-	format_print(stderr, 0, 0, "update_server_application_secret\n");
+		format_print(stderr, 0, 0, "update_server_application_secret\n");
-	format_bytes(stderr, 0, 4, "server_application_traffic_secret",
+		format_bytes(stderr, 0, 4, "server_application_traffic_secret",
-		conn->server_application_traffic_secret, conn->digest->digest_size);
+			conn->server_application_traffic_secret, conn->digest->digest_size);
-	*/
+	}
 	return 1;
 }
@@ -713,12 +713,12 @@ int tls13_generate_client_application_keys(TLS_CONNECT *conn)
 	}
 	tls_seq_num_reset(conn->client_seq_num);
-	/*
+	if (conn->verbose >= 5) {
-	format_print(stderr, 0, 0, "update_client_application_keys\n");
+		format_print(stderr, 0, 0, "update_client_application_keys\n");
-	format_bytes(stderr, 0, 4, "client_write_key", client_write_key, client_write_key_len);
+		format_bytes(stderr, 0, 4, "client_write_key", client_write_key, client_write_key_len);
-	format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, TLS13_IV_SIZE);
+		format_bytes(stderr, 0, 4, "client_write_iv", conn->client_write_iv, TLS13_IV_SIZE);
-	format_print(stderr, 0, 4, "client_seq_num: %"PRIu64"\n", GETU64(conn->client_seq_num));
+		format_print(stderr, 0, 4, "client_seq_num: %"PRIu64"\n", GETU64(conn->client_seq_num));
-	*/
+	}
 	gmssl_secure_clear(client_write_key, sizeof(client_write_key));
 	return 1;
@@ -744,12 +744,12 @@ int tls13_generate_server_application_keys(TLS_CONNECT *conn)
 	}
 	tls_seq_num_reset(conn->server_seq_num);
-	/*
+	if (conn->verbose >= 5) {
-	format_print(stderr, 0, 0, "update_server_application_keys\n");
+		format_print(stderr, 0, 0, "update_server_application_keys\n");
-	format_bytes(stderr, 0, 4, "server_write_key", server_write_key, server_write_key_len);
+		format_bytes(stderr, 0, 4, "server_write_key", server_write_key, server_write_key_len);
-	format_bytes(stderr, 0, 4, "server_write_iv", conn->server_write_iv, TLS13_IV_SIZE);
+		format_bytes(stderr, 0, 4, "server_write_iv", conn->server_write_iv, TLS13_IV_SIZE);
-	format_print(stderr, 0, 4, "server_seq_num: %"PRIu64"\n", GETU64(conn->server_seq_num));
+		format_print(stderr, 0, 4, "server_seq_num: %"PRIu64"\n", GETU64(conn->server_seq_num));
-	*/
+	}
 	gmssl_secure_clear(server_write_key, sizeof(server_write_key));
 	return 1;
@@ -1071,7 +1071,9 @@ int tls13_send(TLS_CONNECT *conn, const uint8_t *data, size_t datalen, size_t *s
 			datalen = TLS_MAX_PLAINTEXT_SIZE;
 		}
-		format_bytes(stderr, 0, 0, "send", data, datalen);
+		if(conn->verbose) {
 			format_bytes(stderr, 0, 0, "send", data, datalen);
 		}
 		tls13_padding_len_rand(&padding_len);
@@ -1098,7 +1100,7 @@ int tls13_send(TLS_CONNECT *conn, const uint8_t *data, size_t datalen, size_t *s
 		conn->sentlen = datalen;
-		tls_trace("send {ApplicationData}\n");
+		if(conn->verbose) tls_trace("send {ApplicationData}\n");
 		tls13_record_print(stderr, 0, 0, conn->record, conn->recordlen);
 	}
@@ -1201,7 +1203,7 @@ int tls13_do_recv(TLS_CONNECT *conn)
 	conn->recordlen = tls_record_length(conn->record);
-	tls_trace("recv {ApplicationData}\n");
+	if(conn->verbose) tls_trace("recv {ApplicationData}\n");
 	tls13_record_print(stderr, 0, 0, conn->record, conn->recordlen);
@@ -1296,7 +1298,9 @@ int tls13_do_recv(TLS_CONNECT *conn)
 				seq_num = GETU64(conn->server_seq_num);
 				if (seq_num > 2 && update_requested && conn->ctx->key_update) {
-					fprintf(stderr, "server prepare key_update\n");
+					if(conn->verbose) {
 						fprintf(stderr, "server prepare key_update\n");
 					}
 					conn->key_update = 1;
 				}
 			}
@@ -1319,7 +1323,7 @@ int tls13_do_recv(TLS_CONNECT *conn)
 			return -1;
 		}
 		if (alert_description == TLS_alert_close_notify) {
-			tls_trace("recv Alert.close_notify\n");
+			if(conn->verbose) tls_trace("recv Alert.close_notify\n");
 			conn->close_notify_received = 1;
 			conn->data = NULL;
 			conn->datalen = 0;
@@ -1374,7 +1378,7 @@ int tls13_recv_early_data(TLS_CONNECT *conn)
 {
 	int ret;
-	tls_trace("recv EarlyData\n");
+	if(conn->verbose) tls_trace("recv EarlyData\n");
 	if ((ret = tls13_do_recv(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN && ret != TLS_ERROR_SEND_AGAIN) {
@@ -1385,7 +1389,9 @@ int tls13_recv_early_data(TLS_CONNECT *conn)
 	memcpy(conn->early_data_buf, conn->data, conn->datalen);
 	conn->early_data_len = conn->datalen;
-	format_string(stderr, 0, 4, "EarlyData", conn->early_data_buf, conn->early_data_len);
+	if(conn->verbose) {
 		format_string(stderr, 0, 4, "EarlyData", conn->early_data_buf, conn->early_data_len);
 	}
 	// 清空记录，防止后续的握手处理过程出现问题			
@@ -3697,6 +3703,7 @@ int tls13_init(TLS_CONNECT *conn, TLS_CTX *ctx)
 	conn->ctx = ctx;
 	conn->is_client = ctx->is_client;
 	conn->verbose = ctx->verbose;
 	conn->protocol = ctx->protocol;
@@ -3785,7 +3792,7 @@ int tls13_send_client_hello(TLS_CONNECT *conn)
 		uint8_t *pexts = exts;
 		size_t extslen = 0;
-		tls_trace("send ClientHello\n");
+		if(conn->verbose) tls_trace("send ClientHello\n");
 		// record_version
 		tls_record_set_protocol(conn->record, TLS_protocol_tls1);
@@ -4112,12 +4119,14 @@ int tls13_recv_hello_retry_request(TLS_CONNECT *conn)
 	int selected_version;
 	int key_exchange_group;
-	tls_trace("recv HelloRetryRequest*\n");
+	if(conn->verbose) tls_trace("recv HelloRetryRequest*\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
-			fprintf(stderr, "tls_recv_record return %d\n", ret);
+			if(conn->verbose) {
 				fprintf(stderr, "tls_recv_record return %d\n", ret);
 			}
 			error_print();
 		}
@@ -4141,7 +4150,7 @@ int tls13_recv_hello_retry_request(TLS_CONNECT *conn)
 		return -1;
 	}
 	if (handshake_type != TLS_handshake_hello_retry_request) {
-		tls_trace("    no HelloRetryRequest\n");
+		if(conn->verbose) tls_trace("    no HelloRetryRequest\n");
 		return 0;
 	}
@@ -4432,7 +4441,7 @@ int tls13_client_hello_again_psk_update(TLS_CONNECT *conn)
 int tls13_send_client_hello_again(TLS_CONNECT *conn)
 {
 	int ret;
-	tls_trace("send ClientHello again\n");
+	if(conn->verbose) tls_trace("send ClientHello again\n");
 	if (!conn->recordlen) {
 		const uint8_t *legacy_session_id = NULL;
@@ -4719,7 +4728,7 @@ int tls13_recv_server_hello(TLS_CONNECT *conn)
 	int selected_version;
 	int server_key_exchange_mode = 0;
-	tls_trace("recv ServerHello\n");
+	if(conn->verbose) tls_trace("recv ServerHello\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -5032,7 +5041,7 @@ int tls13_recv_server_hello(TLS_CONNECT *conn)
 			tls13_send_alert(conn, TLS_alert_internal_error);
 			return -1;
 		}
-		tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx);
+		if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx);
 	} else {
 		if (digest_init(&conn->dgst_ctx, conn->digest) != 1) {
 			error_print();
@@ -5044,14 +5053,14 @@ int tls13_recv_server_hello(TLS_CONNECT *conn)
 			error_print();
 			return -1;
 		}
-		tls_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->dgst_ctx);
+		if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->dgst_ctx);
 		// update(ServerHello)
 		if (digest_update(&conn->dgst_ctx, conn->record + 5, conn->recordlen - 5) != 1) {
 			error_print();
 			return -1;
 		}
-		tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx);
+		if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx);
 	}
 	if (conn->client_certs_len) {
@@ -5085,7 +5094,7 @@ int tls13_send_change_cipher_spec(TLS_CONNECT *conn)
 	if (!conn->recordlen) {
-		tls_trace("send [ChangeCipherSpec]\n");
+		if(conn->verbose) tls_trace("send [ChangeCipherSpec]\n");
 		if (tls_record_set_change_cipher_spec(conn->record, &conn->recordlen) != 1) {
 			error_print();
 			tls_send_alert(conn, TLS_alert_internal_error);
@@ -5108,7 +5117,7 @@ int tls13_recv_change_cipher_spec(TLS_CONNECT *conn)
 {
 	int ret;
-	tls_trace("recv [ChangeCipherSpec]\n");
+	if(conn->verbose) tls_trace("recv [ChangeCipherSpec]\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -5143,7 +5152,9 @@ int tls13_recv_encrypted_extensions(TLS_CONNECT *conn)
 	int early_data = 0;
 	int alpn = 0;
-	printf("recv {EncryptedExtensions}\n");
+	if(conn->verbose) {
 		printf("recv {EncryptedExtensions}\n");
 	}
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -5169,7 +5180,7 @@ int tls13_recv_encrypted_extensions(TLS_CONNECT *conn)
 	}
 	tls13_record_print(stderr, 0, 0, conn->plain_record, conn->plain_recordlen);
-	tls_handshake_digest_print(stderr, 0, 0, "EncryptedExtension", &conn->dgst_ctx);
+	if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "EncryptedExtension", &conn->dgst_ctx);
 	if ((ret = tls13_record_get_handshake_encrypted_extensions(conn->plain_record,
@@ -5490,9 +5501,6 @@ int tls_cert_chain_match_extensions(
 	// server_name
 	if (host_name && host_name_len) {
 		format_string(stderr, 0,0, "host_name", host_name, host_name_len);
 		if ((ret = tls_cert_match_server_name(cert, certlen,
 			host_name, host_name_len)) < 0) {
 			error_print();
@@ -5501,8 +5509,6 @@ int tls_cert_chain_match_extensions(
 			return 0;
 		}
 		format_print(stderr, 0, 0, "passed\n");
 	}
 	// signature_algorithms_cert
@@ -5632,7 +5638,7 @@ int tls13_recv_certificate_request(TLS_CONNECT *conn)
 	const uint8_t *filters = NULL;
 	size_t filters_len = 0;
-	tls_trace("recv {CertificateRequest*}\n");
+	if(conn->verbose) tls_trace("recv {CertificateRequest*}\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -5657,7 +5663,7 @@ int tls13_recv_certificate_request(TLS_CONNECT *conn)
 		return -1;
 	}
 	if (handshake_type != TLS_handshake_certificate_request) {
-		tls_trace("    no {CertificateRequest}\n");
+		if(conn->verbose) tls_trace("    no {CertificateRequest}\n");
 		return 0;
 	}
 	tls13_record_print(stderr, 0, 0, conn->plain_record, conn->plain_recordlen);
@@ -5915,7 +5921,7 @@ int tls13_recv_server_certificate(TLS_CONNECT *conn)
 	int verify_result;
-	tls_trace("recv server {Certificate}\n");
+	if(conn->verbose) tls_trace("recv server {Certificate}\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -5942,7 +5948,7 @@ int tls13_recv_server_certificate(TLS_CONNECT *conn)
 		return -1;
 	}
 	tls13_record_print(stderr, 0, 0, conn->plain_record, conn->plain_recordlen);
-	tls_handshake_digest_print(stderr, 0, 0, "ServerCertificate", &conn->dgst_ctx);
+	if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerCertificate", &conn->dgst_ctx);
 	if ((ret = tls13_record_get_handshake_certificate(conn->plain_record,
 		&request_context, &request_context_len,
@@ -6051,7 +6057,7 @@ int tls13_recv_server_certificate_verify(TLS_CONNECT *conn)
 	size_t certlen;
 	X509_KEY public_key;
-	tls_trace("recv server {CertificateVerify}\n");
+	if(conn->verbose) tls_trace("recv server {CertificateVerify}\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -6127,7 +6133,7 @@ int tls13_recv_client_certificate_verify(TLS_CONNECT *conn)
 	size_t certlen;
 	X509_KEY public_key;
-	tls_trace("recv client {CertificateVerify}\n");
+	if(conn->verbose) tls_trace("recv client {CertificateVerify}\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -6191,7 +6197,7 @@ int tls13_recv_client_certificate_verify(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	tls_handshake_digest_print(stderr, 0, 0, "CertificateVerify", &conn->dgst_ctx);
+	if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "CertificateVerify", &conn->dgst_ctx);
 	return 1;
 }
@@ -6211,7 +6217,7 @@ int tls13_recv_server_finished(TLS_CONNECT *conn)
 		return -1;
 	}
-	tls_trace("recv server {Finished}\n");
+	if(conn->verbose) tls_trace("recv server {Finished}\n");
 	if (!conn->plain_recordlen) {
@@ -6237,7 +6243,7 @@ int tls13_recv_server_finished(TLS_CONNECT *conn)
 		error_print();
 		return -1;
 	}
-	tls_handshake_digest_print(stderr, 0, 0, "ServerFinished", &conn->dgst_ctx);
+	if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerFinished", &conn->dgst_ctx);
 	if ((ret = tls13_record_get_handshake_finished(conn->plain_record,
@@ -6270,7 +6276,7 @@ int tls13_send_client_certificate(TLS_CONNECT *conn)
 {
 	int ret;
-	tls_trace("send client {Certificate*}\n");
+	if(conn->verbose) tls_trace("send client {Certificate*}\n");
 	if (conn->recordlen == 0) {
 		const uint8_t *request_context = NULL;
@@ -6308,7 +6314,7 @@ int tls13_send_client_certificate(TLS_CONNECT *conn)
 			error_print();
 			return -1;
 		}
-		tls_handshake_digest_print(stderr, 0, 0, "client Certficate", &conn->dgst_ctx);
+		if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "client Certficate", &conn->dgst_ctx);
 		tls13_padding_len_rand(&padding_len);
@@ -6335,7 +6341,7 @@ int tls13_send_client_certificate_verify(TLS_CONNECT *conn)
 {
 	int ret;
-	tls_trace("send client {CertificateVerify*}\n");
+	if(conn->verbose) tls_trace("send client {CertificateVerify*}\n");
 	if (!conn->recordlen) {
 		X509_KEY *sign_key = &conn->ctx->x509_keys[conn->cert_chain_idx - 1];
@@ -6362,7 +6368,7 @@ int tls13_send_client_certificate_verify(TLS_CONNECT *conn)
 			error_print();
 			return -1;
 		}
-		tls_handshake_digest_print(stderr, 0, 0, "after client CertificateVerify", &conn->dgst_ctx);
+		if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "after client CertificateVerify", &conn->dgst_ctx);
 		tls13_padding_len_rand(&padding_len);
 		if (tls13_record_encrypt(&conn->client_write_key, conn->client_write_iv,
@@ -6389,7 +6395,7 @@ int tls13_send_client_finished(TLS_CONNECT *conn)
 {
 	int ret;
-	tls_trace("send client {Finished}\n");
+	if(conn->verbose) tls_trace("send client {Finished}\n");
 	if (!conn->recordlen) {
 		uint8_t verify_data[64];
@@ -6546,7 +6552,7 @@ int tls13_recv_client_hello(TLS_CONNECT *conn)
 		tls_client_verify_init(&conn->client_verify_ctx);
 	*/
-	tls_trace("recv ClientHello\n");
+	if(conn->verbose) tls_trace("recv ClientHello\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -7242,7 +7248,7 @@ int tls13_recv_client_hello(TLS_CONNECT *conn)
 			error_print();
 			return -1;
 		}
-		tls_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->dgst_ctx);
+		if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ClientHello", &conn->dgst_ctx);
 	}
 	// early_data
@@ -7272,7 +7278,7 @@ int tls13_send_hello_retry_request(TLS_CONNECT *conn)
 {
 	int ret;
-	tls_trace("send HelloRetryRequest\n");
+	if(conn->verbose) tls_trace("send HelloRetryRequest\n");
 	if (conn->recordlen == 0) {
 		const uint8_t *legacy_session_id_echo = NULL;
@@ -7398,7 +7404,7 @@ int tls13_recv_client_hello_again(TLS_CONNECT *conn)
 	size_t key_exchange_len;
-	tls_trace("recv ClientHello again\n");
+	if(conn->verbose) tls_trace("recv ClientHello again\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -7689,7 +7695,7 @@ int tls13_send_server_hello(TLS_CONNECT *conn)
 {
 	int ret;
-	tls_trace("send ServerHello\n");
+	if(conn->verbose) tls_trace("send ServerHello\n");
 	if (conn->recordlen == 0) {
 		uint8_t exts[256];// 256=> 需要的长度			
@@ -7765,7 +7771,7 @@ int tls13_send_server_hello(TLS_CONNECT *conn)
 			error_print();
 			return -1;
 		}
-		tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx);
+		if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerHello", &conn->dgst_ctx);
 		if (tls13_generate_handshake_secrets(conn) != 1) {
@@ -7806,7 +7812,7 @@ int tls13_send_alert(TLS_CONNECT *conn, int alert)
 	int ret;
 	size_t padding_len;
-	tls_trace("send {Alert}\n");
+	if(conn->verbose) tls_trace("send {Alert}\n");
 	if (conn->recordlen == 0) {
 		tls_record_set_protocol(conn->plain_record, TLS_protocol_tls12);
@@ -7848,7 +7854,7 @@ int tls13_send_alert(TLS_CONNECT *conn, int alert)
 int tls13_send_encrypted_extensions(TLS_CONNECT *conn)
 {
 	int ret;
-	tls_trace("send {EncryptedExtensions}\n");
+	if(conn->verbose) tls_trace("send {EncryptedExtensions}\n");
 	if (conn->recordlen == 0) {
 		uint8_t exts[256];
@@ -7917,7 +7923,7 @@ int tls13_send_encrypted_extensions(TLS_CONNECT *conn)
 		digest_update(&conn->dgst_ctx, conn->plain_record + 5, conn->plain_recordlen - 5);
-		tls_handshake_digest_print(stderr, 0, 0, "EncryptedExtensions", &conn->dgst_ctx);
+		if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "EncryptedExtensions", &conn->dgst_ctx);
 		tls13_padding_len_rand(&padding_len);
@@ -7953,7 +7959,7 @@ int tls13_send_encrypted_extensions(TLS_CONNECT *conn)
 int tls13_send_certificate_request(TLS_CONNECT *conn)
 {
 	int ret;
-	tls_trace("send {CertificateRequest*}\n");
+	if(conn->verbose) tls_trace("send {CertificateRequest*}\n");
 	if (conn->recordlen == 0) {
 		const uint8_t *request_context = NULL;
@@ -8043,7 +8049,7 @@ int tls13_send_certificate_request(TLS_CONNECT *conn)
 		}
 		tls13_record_print(stderr, 0, 0, conn->plain_record, conn->plain_recordlen);
-		tls_handshake_digest_print(stderr, 0, 0, "after CertificateRequest", &conn->dgst_ctx);
+		if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "after CertificateRequest", &conn->dgst_ctx);
 		//format_print(stderr, 0, 0, "server_seq_num: "PRIu64"\n", GETU64(conn->server_seq_num));
@@ -8072,7 +8078,7 @@ int tls13_send_server_certificate(TLS_CONNECT *conn)
 {
 	int ret;
-	tls_trace("send server {Certificate}\n");
+	if(conn->verbose) tls_trace("send server {Certificate}\n");
 	if (conn->recordlen == 0) {
 		const uint8_t *request_context = NULL;
@@ -8112,7 +8118,7 @@ int tls13_send_server_certificate(TLS_CONNECT *conn)
 			error_print();
 			return -1;
 		}
-		tls_handshake_digest_print(stderr, 0, 0, "ServerCertificate", &conn->dgst_ctx);
+		if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerCertificate", &conn->dgst_ctx);
 		tls13_padding_len_rand(&padding_len);
 		if (tls13_record_encrypt(&conn->server_write_key, conn->server_write_iv,
@@ -8139,7 +8145,7 @@ int tls13_send_server_certificate_verify(TLS_CONNECT *conn)
 {
 	int ret;
-	tls_trace("send server {CertificateVerify}\n");
+	if(conn->verbose) tls_trace("send server {CertificateVerify}\n");
 	if (conn->recordlen == 0) {
 		X509_KEY *sign_key = &conn->ctx->x509_keys[conn->cert_chain_idx - 1];
@@ -8191,7 +8197,7 @@ int tls13_send_server_finished(TLS_CONNECT *conn)
 	int ret;
 	size_t padding_len;
-	tls_trace("send server {Finished}\n");
+	if(conn->verbose) tls_trace("send server {Finished}\n");
 	if (conn->recordlen == 0) {
 		uint8_t verify_data[64];
@@ -8212,7 +8218,7 @@ int tls13_send_server_finished(TLS_CONNECT *conn)
 		}
 		tls13_record_print(stderr, 0, 0, conn->plain_record, conn->plain_recordlen);
-		tls_handshake_digest_print(stderr, 0, 0, "ServerFinished", &conn->dgst_ctx);
+		if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "ServerFinished", &conn->dgst_ctx);
 		//format_print(stderr, 0, 0, "server_seq_num: "PRIu64"\n", GETU64(conn->server_seq_num));
@@ -8264,7 +8270,7 @@ int tls13_recv_client_certificate(TLS_CONNECT *conn)
 	int verify_result;
-	tls_trace("recv client {Certificate*}\n");
+	if(conn->verbose) tls_trace("recv client {Certificate*}\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
@@ -8290,13 +8296,13 @@ int tls13_recv_client_certificate(TLS_CONNECT *conn)
 	}
 	tls_seq_num_incr(conn->client_seq_num);
-	tls13_record_trace(stderr, conn->plain_record, conn->plain_recordlen, 0, 0);
+	if(conn->verbose) tls13_record_trace(stderr, conn->plain_record, conn->plain_recordlen, 0, 0);
 	if (digest_update(&conn->dgst_ctx, conn->plain_record + 5, conn->plain_recordlen - 5) != 1) {
 		error_print();
 		return -1;
 	}
-	tls_handshake_digest_print(stderr, 0, 0, "after client Certificate", &conn->dgst_ctx);
+	if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "after client Certificate", &conn->dgst_ctx);
 	if ((ret = tls13_record_get_handshake_certificate(conn->plain_record,
@@ -8402,7 +8408,7 @@ int tls13_recv_client_finished(TLS_CONNECT *conn)
 	const uint8_t *verify_data;
 	size_t verify_data_len;
-	tls_trace("recv client {Finished}\n");
+	if(conn->verbose) tls_trace("recv client {Finished}\n");
 	if ((ret = tls_recv_record(conn)) != 1) {
 		if (ret != TLS_ERROR_RECV_AGAIN) {
 			error_print();
@@ -8427,7 +8433,7 @@ int tls13_recv_client_finished(TLS_CONNECT *conn)
 	}
 	tls_seq_num_incr(conn->client_seq_num);
-	tls13_record_trace(stderr, conn->plain_record, conn->plain_recordlen, 0, 0);
+	if(conn->verbose) tls13_record_trace(stderr, conn->plain_record, conn->plain_recordlen, 0, 0);
 	if ((ret = tls13_record_get_handshake_finished(conn->plain_record,
@@ -8441,7 +8447,7 @@ int tls13_recv_client_finished(TLS_CONNECT *conn)
 		return -1;
 	}
-	tls_handshake_digest_print(stderr, 0, 0, "before ClientFinished", &conn->dgst_ctx);
+	if(conn->verbose) tls_handshake_digest_print(stderr, 0, 0, "before ClientFinished", &conn->dgst_ctx);
 	if (tls13_compute_verify_data(conn->client_handshake_traffic_secret,
 		&conn->dgst_ctx, local_verify_data, &local_verify_data_len) != 1) {
@@ -8471,7 +8477,7 @@ int tls13_send_early_data(TLS_CONNECT *conn)
 {
 	size_t sentlen;
-	tls_trace("send EarlyData\n");
+	if(conn->verbose) tls_trace("send EarlyData\n");
 	if (!conn->early_data) {
 		error_print();
@@ -8506,7 +8512,7 @@ int tls13_send_client_key_update(TLS_CONNECT *conn, int request_update)
 	if (conn->recordlen == 0) {
 		size_t padding_len = 0;
-		tls_trace("send client {KeyUpdate}\n");
+		if(conn->verbose) tls_trace("send client {KeyUpdate}\n");
 		if (tls13_record_set_handshake_key_update(conn->plain_record, &conn->plain_recordlen,
 			request_update) != 1) {
@@ -8562,7 +8568,7 @@ int tls13_send_server_key_update(TLS_CONNECT *conn, int request_update)
 	if (conn->recordlen == 0) {
 		size_t padding_len = 0;
-		tls_trace("send server {KeyUpdate}\n");
+		if(conn->verbose) tls_trace("send server {KeyUpdate}\n");
 		if (tls13_record_set_handshake_key_update(conn->plain_record, &conn->plain_recordlen,
 			request_update) != 1) {
@@ -8621,7 +8627,7 @@ int tls13_do_client_handshake(TLS_CONNECT *conn)
 	case TLS_state_server_hello:
 	case TLS_state_encrypted_extensions:
 		if (conn->early_data && conn->early_data_offset < conn->early_data_len) {
-			tls_trace("send EarlyData\n");
+			if(conn->verbose) tls_trace("send EarlyData\n");
 			if (tls13_send_early_data(conn) != 1) {
 				error_print();
 				return -1;
--- a/tools/tlcp_client.c
+++ b/tools/tlcp_client.c
@@ -26,7 +26,7 @@ static const char *usage =
 	" [-get path]"
 	" [-alpn str]"
 	" [-trusted_ca_keys]"
-	" [-quiet]";
+	" [-verbose]";
 static const char *help =
 "Options\n"
@@ -48,7 +48,7 @@ static const char *help =
 "    -trusted_ca_keys       Send trusted_ca_keys request\n"
 "    -alpn str              Application protocol name, may appear multiple times, higher priority first\n"
 "    -status_request        Send status_request (OCSP Stapling) request\n"
-"    -quiet                 Without printing any status message\n"
+"    -verbose               Print TLS handshake messages\n"
 "\n"
 #include "tlcp_help.h"
 "\n";
@@ -187,7 +187,7 @@ int tlcp_client_main(int argc, char *argv[])
 	int client_cert_optional = 0;
 	char *get = NULL;
 	char *certoutfile = NULL;
-	int quiet = 0;
+	int verbose = 0;
 	struct hostent *hp;
 	struct sockaddr_in server;
 	tls_socket_t sock = -1;
@@ -297,8 +297,8 @@ int tlcp_client_main(int argc, char *argv[])
 		} else if (!strcmp(*argv, "-certout")) {
 			if (--argc < 1) goto bad;
 			certoutfile = *(++argv);
-		} else if (!strcmp(*argv, "-quiet")) {
+		} else if (!strcmp(*argv, "-verbose")) {
-			quiet = 1;
+			verbose = 1;
 		} else {
 			fprintf(stderr, "%s: invalid option '%s'\n", prog, *argv);
 			return 1;
@@ -388,7 +388,10 @@ bad:
 		}
 	}
-	// quiet/verbose
+	if (verbose && tls_ctx_set_verbose(&ctx, verbose) != 1) {
 		error_print();
 		goto end;
 	}
 	if (tls_init(&conn, &ctx) != 1) {
 		error_print();
--- a/tools/tlcp_server.c
+++ b/tools/tlcp_server.c
@@ -18,7 +18,7 @@
 #include <gmssl/error.h>
-static const char *options = "[-port num] -cert pem -key pem -pass str [-alpn str] [-cacert pem]";
+static const char *options = "[-port num] -cert pem -key pem -pass str [-alpn str] [-cacert pem] [-verbose]";
 static const char *help =
@@ -30,6 +30,7 @@ static const char *help =
 "    -pass str              Password to decrypt both private keys in the same -key PEM, may appear multiple times\n"
 "    -alpn str              Application protocol name, may appear multiple times, higher priority first\n"
 "    -cacert pem            CA certificate for client certificate verification\n"
 "    -verbose               Print TLS handshake messages\n"
 "\n"
 #include "tlcp_help.h"
 "\n";
@@ -156,6 +157,7 @@ int tlcp_server_main(int argc , char **argv)
 	char *alpn_protocols[4];
 	size_t alpn_protocols_cnt = 0;
 	char *cacertfile = NULL;
 	int verbose = 0;
 	int server_ciphers[] = {
 		TLS_cipher_ecc_sm4_gcm_sm3,
@@ -220,6 +222,8 @@ int tlcp_server_main(int argc , char **argv)
 		} else if (!strcmp(*argv, "-cacert")) {
 			if (--argc < 1) goto bad;
 			cacertfile = *(++argv);
 		} else if (!strcmp(*argv, "-verbose")) {
 			verbose = 1;
 		} else {
 			fprintf(stderr, "%s: invalid option '%s'\n", prog, *argv);
 			return 1;
@@ -255,6 +259,10 @@ bad:
 		error_print();
 		return -1;
 	}
 	if (verbose && tls_ctx_set_verbose(&ctx, verbose) != 1) {
 		error_print();
 		return -1;
 	}
 	if (alpn_protocols_cnt) {
 		if (tls_ctx_set_application_layer_protocol_negotiation(&ctx,
 			alpn_protocols, alpn_protocols_cnt) != 1) {
--- a/tools/tls12_client.c
+++ b/tools/tls12_client.c
@@ -23,7 +23,7 @@ static const char *http_get =
 	"Hostname: aaa\r\n"
 	"\r\n\r\n";
-static const char *options = "-host str [-port num] [-cacert pem] [-cert pem -key pem -pass str] [-trusted_ca_keys]";
+static const char *options = "-host str [-port num] [-cacert pem] [-cert pem -key pem -pass str] [-trusted_ca_keys] [-verbose]";
 static const char *help =
 "Options\n"
@@ -45,6 +45,7 @@ static const char *help =
 "    -renegotiation_info_scsv\n"
 "                          Send TLS_EMPTY_RENEGOTIATION_INFO_SCSV\n"
 "    -status_request        Send status_request (OCSP Stapling) request\n"
 "    -verbose               Print TLS handshake messages\n"
 "\n"
 #include "tls12_help.h"
 "\n";
@@ -179,6 +180,7 @@ int tls12_client_main(int argc, char *argv[])
 	int trusted_ca_keys = 0;
 	int renegotiation_info = 0;
 	int empty_renegotiation_info_scsv = 0;
 	int verbose = 0;
 	TLS_CTX ctx;
 	TLS_CONNECT conn;
 	struct hostent *hp;
@@ -278,6 +280,8 @@ int tls12_client_main(int argc, char *argv[])
 			empty_renegotiation_info_scsv = 1;
 		} else if (!strcmp(*argv, "-client_cert_optional")) {
 			client_cert_optional = 1;
 		} else if (!strcmp(*argv, "-verbose")) {
 			verbose = 1;
 		} else {
 			fprintf(stderr, "%s: invalid option '%s'\n", prog, *argv);
 			return 1;
@@ -308,6 +312,10 @@ bad:
 		error_print();
 		return -1;
 	}
 	if (verbose && tls_ctx_set_verbose(&ctx, verbose) != 1) {
 		error_print();
 		goto end;
 	}
 	if (tls_ctx_set_cipher_suites(&ctx, cipher_suites, cipher_suites_cnt) != 1) {
 		error_print();
--- a/tools/tls12_server.c
+++ b/tools/tls12_server.c
@@ -18,7 +18,7 @@
 #include <gmssl/error.h>
-static const char *options = "[-port num] -cert pem -key pem -pass str [-cacert pem]";
+static const char *options = "[-port num] -cert pem -key pem -pass str [-cacert pem] [-verbose]";
 static const char *help =
 "Options\n"
@@ -35,6 +35,7 @@ static const char *help =
 "    -verify_depth num      Certificate verification depth\n"
 "    -client_cert_optional  Allow client send empty Certificate\n"
 "    -renegotiation_info    Send renegotiation_info response when client supports RFC 5746\n"
 "    -verbose               Print TLS handshake messages\n"
 "\n"
 #include "tls12_help.h"
 "\n";
@@ -170,6 +171,7 @@ int tls12_server_main(int argc , char **argv)
 	int verify_depth = TLS_DEFAULT_VERIFY_DEPTH;
 	int client_cert_optional = 0;
 	int renegotiation_info = 0;
 	int verbose = 0;
 	TLS_CTX ctx;
 	TLS_CONNECT conn;
 	char buf[1600] = {0};
@@ -277,6 +279,8 @@ int tls12_server_main(int argc , char **argv)
 			client_cert_optional = 1;
 		} else if (!strcmp(*argv, "-renegotiation_info")) {
 			renegotiation_info = 1;
 		} else if (!strcmp(*argv, "-verbose")) {
 			verbose = 1;
 		} else {
 			fprintf(stderr, "%s: invalid option '%s'\n", prog, *argv);
 			return 1;
@@ -314,6 +318,10 @@ bad:
 		error_print();
 		return -1;
 	}
 	if (verbose && tls_ctx_set_verbose(&ctx, verbose) != 1) {
 		error_print();
 		goto end;
 	}
 	if (tls_ctx_set_cipher_suites(&ctx, cipher_suites, cipher_suites_cnt) != 1) {
 		fprintf(stderr, "%s: context init error\n", prog);
--- a/tools/tls13_client.c
+++ b/tools/tls13_client.c
@@ -103,7 +103,7 @@ static const char *http_get =
 	"Hostname: aaa\r\n"
 	"\r\n\r\n";
-static const char *options = "-host str [-port num] [-cacert pem] [-cert pem -key pem -pass str]";
+static const char *options = "-host str [-port num] [-cacert pem] [-cert pem -key pem -pass str] [-verbose]";
 static const char *help =
 "Options\n"
@@ -136,6 +136,7 @@ static const char *help =
 "    -post_handshake_auth      Support post_handshake_auth\n"
 "    -client_cert_optional     Allow client send empty Certificate\n"
 "    -tls13_change_cipher_spec Support ChangeCipherSpec in TLS 1.3 to be compatible with middlebox\n"
 "    -verbose                  Print TLS handshake messages\n"
 "\n"
 #include "tls13_help.h"
 "\n";
@@ -232,6 +233,7 @@ int tls13_client_main(int argc, char *argv[])
 	// ChangeCipherSpec
 	int tls13_change_cipher_spec = 0;
 	int verbose = 0;
 	int send_again = 0;
@@ -397,6 +399,8 @@ int tls13_client_main(int argc, char *argv[])
 			client_cert_optional = 1;
 		} else if (!strcmp(*argv, "-tls13_change_cipher_spec")) {
 			tls13_change_cipher_spec = 1;
 		} else if (!strcmp(*argv, "-verbose")) {
 			verbose = 1;
 		} else {
 			fprintf(stderr, "%s: invalid option '%s'\n", prog, *argv);
 			return 1;
@@ -424,6 +428,10 @@ bad:
 		error_print();
 		return -1;
 	}
 	if (verbose && tls_ctx_set_verbose(&ctx, verbose) != 1) {
 		error_print();
 		goto end;
 	}
 	// cipher_suites
 	if (tls_ctx_set_cipher_suites(&ctx, cipher_suites, cipher_suites_cnt) != 1) {
--- a/tools/tls13_server.c
+++ b/tools/tls13_server.c
@@ -20,7 +20,7 @@
-static const char *options = "[-port num] -cert pem -key pem -pass str [-cacert pem]";
+static const char *options = "[-port num] -cert pem -key pem -pass str [-cacert pem] [-verbose]";
 static const char *help =
 "Options\n"
@@ -47,6 +47,7 @@ static const char *help =
 "    -ticket_key hex           Session ticket encrypt/decrypt key in HEX format\n"
 "    -key_update_seq_num num   Send KeyUpdate handshake after sending/receiving <num> records\n"
 "    -tls13_change_cipher_spec Support ChangeCipherSpec in TLS 1.3 to be compatible with middlebox\n"
 "    -verbose                  Print TLS handshake messages\n"
 "\n"
 #include "tls13_help.h"
 "\n";
@@ -192,6 +193,7 @@ int tls13_server_main(int argc , char **argv)
 	// ChangeCipherSpec
 	int tls13_change_cipher_spec = 0;
 	int verbose = 0;
 	size_t i;
@@ -346,6 +348,8 @@ int tls13_server_main(int argc , char **argv)
 			client_cert_optional = 1;
 		} else if (!strcmp(*argv, "-tls13_change_cipher_spec")) {
 			tls13_change_cipher_spec = 1;
 		} else if (!strcmp(*argv, "-verbose")) {
 			verbose = 1;
 		} else {
 			fprintf(stderr, "%s: invalid option '%s'\n", prog, *argv);
 			return 1;
@@ -385,6 +389,10 @@ bad:
 		error_print();
 		return -1;
 	}
 	if (verbose && tls_ctx_set_verbose(&ctx, verbose) != 1) {
 		error_print();
 		goto end;
 	}
 	if (tls_ctx_set_cipher_suites(&ctx, cipher_suites, cipher_suites_cnt) != 1) {
 		fprintf(stderr, "%s: context init error\n", prog);