SSL Handshake (TLS Handshake) Explained | Okta (2024)

Table of Contents
What is an SSL handshake? SSL handshake steps explained How secure is an SSL/TLS handshake? References FAQs

An SSL handshake defines a connection between two devices, such as your browser and the server that supports the website you want to visit.

During an SSL handshake, the two devices determine:

  • What security version both parties will use
  • What type of encryption will protect the information
  • How both parties are verified

The word "SSL" in SSL handshake is a misnomer. The secure sockets layer (SSL) protocol is old, and people rarely use it these days. Now, most devices use transport layer security (TLS).

See Also
How to fix ERR_SSL_PROTOCOL_ERROR: causes, variations, and troubleshooting

The term “TLS handshake” is more accurate, but it’s common for people to call this step a simple SSL handshake instead.

What is an SSL handshake?

Pull up a website on your browser, and you may believe the connection happened both instantly and spontaneously. In reality, the two devices need to negotiate how they'll communicate and transfer information. That negotiation happens through an SSL handshake.

As we mentioned, the SSL handshake is sometimes called the TLS handshake. Here's why.

Netscape developed the SSL protocol in 1995. Unfortunately, it was riddled with security flaws. In the early 2000s, the industry moved to the TLS protocol for the promise of better security. The handshake process remains the same despite the name change.

An SSL handshake is a process that begins a communication session. The two parties acknowledge one another, determine how they will protect information, verify one another's security protocols, and set session keys.

SSL handshake steps explained

As we've explained, SSL handshakes are negotiations. The two parties agree on styles and protocols. The SSL handshake steps result from those agreements, and they can vary depending on what the two sides want.

In general, an SSL handshake proceeds via these steps:

  1. Contact: A browser sends a "client hello" message to the server. The message includes critical details, such as the SSL version the client uses, cipher settings (more on that in a minute), and session-specific information.

  2. First response: The server sends back proof of security (via certificates), the server's cipher settings, and session-specific data.

  3. Authentication: The browser verifies the security certificate to ensure it made contact with the right authority.

  4. Key exchange: The browser and the server exchange keys, validating the security of their exchange.

  5. Wrap up: Both the server and the browser confirm that the work is complete, and the handshake is finished.

Despite the complexity of these steps, it takes just a few seconds for both sides to do their work. Few users notice the delay.

How secure is an SSL/TLS handshake?

Look through the SSL handshake steps, and you'll notice a mention of key exchange. That process involves encryption, and the process uses two forms.

The two forms of encryption include:

  • Asymmetric encryption. A public key, readily available via the server's security certificate, is used for description. A private key is used for decryption.
  • Symmetric encryption. After asymmetric encryption, the two parties set up a shared key. This single session key allows for a secure connection with lower server strain.

The two parties also agree on a so-called "cipher suite," a set of rules about what type of authentication will be required, how they'll encrypt data, and more.

These steps should protect data in transit. But unfortunately, attacks are still possible. The BREACH attack, for example, allows hackers to change data in transport. Hackers can also take over and perform a man-in-the-middle attack. The problem begins with data that attackers steal as it's encrypted.

Many security experts became aware of security risks with encryption in 2012, when news of vulnerable Android apps broke. Did you miss the story? Read our recap here.

References

What is Transport Layer Security (TLS)? (November 2018). Network World.

Inside the BREACH Attack: How to Avoid HTTPS Traffic Exploits. TechTarget.

SSL Handshake (TLS Handshake) Explained | Okta (2024)

FAQs

SSL Handshake (TLS Handshake) Explained | Okta? ›

An SSL handshake defines a connection between two devices, such as your browser and the server that supports the website you want to visit.

Read On
What is the difference between SSL handshake and TLS handshake? ›

SSL/TLS handshakes

This process authenticates both parties, then exchanges cryptographic keys. An SSL handshake was an explicit connection, while a TLS handshake is an implicit one. The SSL handshake process had more steps than the TLS process.

Discover More Details
What are the 4 phases of SSL handshake? ›

SSL handshake
  • The client sends a request to the server for a secure session. ...
  • The client receives the server's X. ...
  • The client authenticates the server, using a list of known certificate authorities.
  • The client generates a random symmetric key and encrypts it using server's public key.

Continue Reading
How does TLS handshake work? ›

During a TLS handshake, the two communicating sides exchange messages to acknowledge each other, verify each other, establish the cryptographic algorithms they will use, and agree on session keys. TLS handshakes are a foundational part of how HTTPS works.

See Details
What is an SSL handshake and how does it work? ›

The SSL/TLS handshake is a series of steps that allows two parties – typically a client and a server – to authenticate each other, agree on encryption standards, and establish a secure channel for transferring data. It's like a complex digital dance with sophisticated back-and-forth communication in milliseconds.

Find Out More
Why did the SSL handshake fail? ›

Often, the SSL handshake error shows up when the server runs on a protocol version that is much higher than that of the client computer. For instance, if the server uses the TLS 1.3 version but the browser's using the TLS 1.1, then the SSL handshake is likely to fail because servers do not support previous versions.

Tell Me More
How do SSL and TLS work? ›

The SSL/TLS handshake involves the following steps: The browser opens an SSL/TLS-secure website and connects to the web server. The browser attempts to verify the authenticity of the web server by requesting identifiable information. The web server sends the SSL/TLS certificate that contains a public key as a reply.

Show Me More
What is TLS explained simply? ›

Transport Layer Security (TLS) encrypts data sent over the Internet to ensure that eavesdroppers and hackers are unable to see what you transmit which is particularly useful for private and sensitive information such as passwords, credit card numbers, and personal correspondence.

Explore More
What happens when TLS handshake fails? ›

A TLS handshake error prevents a browser from establishing a secure connection with a website or online service. It can be detrimental to business because hackers may intercept or manipulate sensitive data such as personal information, login credentials, and credit card numbers.

Continue Reading
How long is a TLS handshake valid? ›

TLS/SSL certificate validity periods are currently 398 days, or about 13 months.

Show Me More

What is the master secret in TLS? ›

The master secret is a function of the client and server randoms that were previously exchanged between the client and the server during the handshake stage.

Read The Full Story
What is SSL for dummies? ›

Each TLS/SSL session consists of two keys:

TLS/SSL stands for “Secure Socket Layer.” It is a technology that establishes a secure session link between the visitor's web browser and your website so that all communications transmitted through this link are encrypted and are, therefore, secure.

See Details
Can a firewall block SSL handshake? ›

URL filtering response pages do not display for sites blocked during SSL/TLS handshake inspections because the firewall resets the HTTPS connection. The connection reset ends SSL/TLS handshakes and prevents user notification by response page.

Get More Info Here
Is TCP handshake the same as TLS handshake? ›

TLS and TCP handshakes are not the same. The TCP (Transmission Control Protocol) handshake establishes a connection, while the TLS handshake occurs within the established TCP connection to secure the communication.

Continue Reading
What is the difference between SSL handshake and SSH handshake? ›

SSH uses a username/password authentication system, while SSL uses a digital certificate. SSH encrypts remote communication between computers, while SSL establishes a secure connection between servers and browsers.

View More
Does TLS use 3-way handshake? ›

The client establishes a TCP connection with three-way handshake, followed by the TLS 1.2 handshake where the client provides the server with a buffet of options this includes the list of symmetric key and key exchanges algorithms in a client hello message.

View Details
What is the role of TLS handshake? ›

Authentication. Authentication lets each party in a communication verify that the other party is who they say they are. SSL/TLS handshake verifies the server's credibility by comparing its public key with the digital signature issued by the SSL certificate authority, ensuring a client can trust the server's identity.

See More
Top Articles
Humanode in Simple Terms - Staking vs LP staking
eBay sales over $600 must be reported to the IRS in 2023
Foxy Roxxie Coomer
Victor Spizzirri Linkedin
Ron Martin Realty Cam
Somboun Asian Market
Palm Coast Permits Online
Tryst Utah
Craigslist Motorcycles Jacksonville Florida
Meer klaarheid bij toewijzing rechter
Kent And Pelczar Obituaries
Gw2 Legendary Amulet
Free Robux Without Downloading Apps
Sinai Web Scheduler
Craigslistdaytona
Tripadvisor Near Me
Mycarolinas Login
Craigslist Jobs Phoenix
Cool Math Games Bucketball
Hope Swinimer Net Worth
Marion County Wv Tax Maps
Craiglist Galveston
Parent Resources - Padua Franciscan High School
Craigslist Southern Oregon Coast
My Homework Lesson 11 Volume Of Composite Figures Answer Key
Healthier Homes | Coronavirus Protocol | Stanley Steemer - Stanley Steemer | The Steem Team
Bernie Platt, former Cherry Hill mayor and funeral home magnate, has died at 90
Shadbase Get Out Of Jail
Mineral Wells Skyward
fft - Fast Fourier transform
What is Software Defined Networking (SDN)? - GeeksforGeeks
Maths Open Ref
Tokioof
Pokemmo Level Caps
A Man Called Otto Showtimes Near Carolina Mall Cinema
Timothy Kremchek Net Worth
Western Gold Gateway
Metro By T Mobile Sign In
Ticket To Paradise Showtimes Near Marshall 6 Theatre
Setx Sports
Kb Home The Overlook At Medio Creek
Divinity: Original Sin II - How to Use the Conjurer Class
Florida Lottery Powerball Double Play
My Gsu Portal
Gander Mountain Mastercard Login
Turok: Dinosaur Hunter
Hughie Francis Foley – Marinermath
Craigslist Pets Charleston Wv
Richard Mccroskey Crime Scene Photos
David Turner Evangelist Net Worth
Gameplay Clarkston
Worlds Hardest Game Tyrone
Latest Posts
Can A Business Charge For Using A Credit Card? | Bankrate
What you need to know about Convenience Fees and Surcharging
Article information

Author: Gov. Deandrea McKenzie

Last Updated:

Views: 5892

Rating: 4.6 / 5 (66 voted)

Reviews: 89% of readers found this page helpful

Author information

Name: Gov. Deandrea McKenzie

Birthday: 2001-01-17

Address: Suite 769 2454 Marsha Coves, Debbieton, MS 95002

Phone: +813077629322

Job: Real-Estate Executive

Hobby: Archery, Metal detecting, Kitesurfing, Genealogy, Kitesurfing, Calligraphy, Roller skating

Introduction: My name is Gov. Deandrea McKenzie, I am a spotless, clean, glamorous, sparkling, adventurous, nice, brainy person who loves writing and wants to share my knowledge and understanding with you.