diff --git a/pkg/sql/pgwire/pre_serve.go b/pkg/sql/pgwire/pre_serve.go
index 6356dacd982e..e7a448b23155 100644
--- a/pkg/sql/pgwire/pre_serve.go
+++ b/pkg/sql/pgwire/pre_serve.go
@@ -438,6 +438,9 @@ func (s *PreServeConnHandler) maybeUpgradeToSecureConn(
 		// TODO(knz): Remove this condition - see
 		// https://github.com/cockroachdb/cockroach/issues/53404
 		if s.cfg.Insecure {
+			if buildutil.CrdbTestBuild {
+				log.Infof(ctx, "using insecure mode since version=%d and cfg.Insecure=true", version)
+			}
 			return
 		}
 
@@ -450,6 +453,9 @@ func (s *PreServeConnHandler) maybeUpgradeToSecureConn(
 				log.Warningf(ctx, "client cannot connect since version=%d AcceptSQLWithoutTLS=false and connType=%s", version, connType)
 			}
 		}
+		if buildutil.CrdbTestBuild {
+			log.Infof(ctx, "client did not request SSL version=%d AcceptSQLWithoutTLS=false and connType=%s", version, connType)
+		}
 		return
 	}
 
@@ -470,6 +476,9 @@ func (s *PreServeConnHandler) maybeUpgradeToSecureConn(
 	// Protocol sanity check.
 	if len(buf.Msg) > 0 {
 		serverErr = errors.Errorf("unexpected data after SSLRequest: %q", buf.Msg)
+		if buildutil.CrdbTestBuild {
+			log.Warningf(ctx, "protocol error err=%v", serverErr)
+		}
 		return
 	}
 
@@ -479,6 +488,9 @@ func (s *PreServeConnHandler) maybeUpgradeToSecureConn(
 	// Do we have a TLS configuration?
 	tlsConfig, serverErr := s.getTLSConfig()
 	if serverErr != nil {
+		if buildutil.CrdbTestBuild {
+			log.Warningf(ctx, "could not get TLS config err=%v", serverErr)
+		}
 		return
 	}
 
@@ -491,12 +503,21 @@ func (s *PreServeConnHandler) maybeUpgradeToSecureConn(
 		}
 		n, serverErr = conn.Write(sslUnsupported)
 		if serverErr != nil {
+			if buildutil.CrdbTestBuild {
+				log.Warningf(ctx, "error while sending sslUnsupported message to client err=%v", serverErr)
+			}
 			return
 		}
 	} else {
+		if buildutil.CrdbTestBuild {
+			log.Infof(ctx, "sending sslSupported message to client")
+		}
 		// We have a TLS configuration. Upgrade the connection.
 		n, serverErr = conn.Write(sslSupported)
 		if serverErr != nil {
+			if buildutil.CrdbTestBuild {
+				log.Warningf(ctx, "error while sending sslSupported message to client err=%v", serverErr)
+			}
 			return
 		}
 		newConn = tls.Server(conn, tlsConfig)
@@ -506,6 +527,9 @@ func (s *PreServeConnHandler) maybeUpgradeToSecureConn(
 
 	// Finally, re-read the version/command from the client.
 	newVersion, *buf, serverErr = s.readVersion(newConn)
+	if buildutil.CrdbTestBuild && serverErr != nil {
+		log.Warningf(ctx, "error when reading version err=%v", serverErr)
+	}
 	return
 }