Understanding the TLS/SSL Handshake
The SSL (Secure Sockets Layer) handshake is critical to establishing a secure communication channel between a client and a server over the Internet. SSL has been succeeded by the more modern TLS (Transport Layer Security), but the handshake process is still commonly referred to as the SSL handshake. Below is an explanation of the steps involved in an SSL/TLS handshake:
ClientHello: The process begins with the client (e.g., a web browser) sending a "ClientHello" message to the server. This message includes information such as supported SSL/TLS versions, cipher suites, and other parameters.
ServerHello: The server responds with a "ServerHello" message, indicating the chosen SSL/TLS version, cipher suite, and other configuration details. If the server cannot support the client's proposed options, it may terminate the connection or negotiate a different configuration.
Server Certificate: The server sends its digital certificate to the client, proving its identity. The certificate contains the server's public key, digital signature, and information about the certificate authority that issued it.
Key Exchange: The client verifies the server's digital certificate. It may use a pre-installed list of trusted certificate authorities. The client generates a pre-master secret (random data), encrypts it with the server's public key (from the received certificate), and sends it back to the server.
Pre-Master Secret: Both the client and the server independently generate the same secret key, known as the pre-master secret, based on the client's random data, the server's random data, and additional information exchanged during the handshake.
Session Key Derivation: Using the pre-master secret, the client and the server independently derive a shared session key. This session key encrypts and decrypts the data exchanged during the SSL/TLS session.
Finished Messages: Both the client and the server send "Finished" messages to indicate that the handshake is complete. These messages contain a hash of all the exchanged messages so far, ensuring the integrity of the handshake.
Established Secure Connection: Once the "Finished" messages are exchanged and verified, a secure SSL/TLS connection is established. The client and server can now exchange encrypted data using the derived session key.
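The handshake described above, run end to end as an added example that is not part of the original page: a Go program using the standard library's crypto/tls that starts a server on the loopback interface with a constructed self-signed certificate, has a client connect to it, and reports whether the client's certificate check passed and which protocol version was negotiated. It assumes loopback networking is available; the names newSelfSignedCert and Handshake are this example's own. One caveat the page does not spell out: the "encrypt the pre-master secret with the server's public key" step describes RSA key exchange, which exists only up to TLS 1.2; TLS 1.3 derives the shared secret from an ephemeral (EC)DHE exchange instead, but the message sequence the client sees (ClientHello, ServerHello, Certificate, Finished) and the trust check on the certificate are the same, and both are exercised here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSignedCert builds a throwaway certificate for "localhost" (constructed for this
// example; a real server presents a certificate issued by a CA the client already trusts).
func newSelfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// Handshake runs a TLS handshake between a client and a server on the loopback
// interface and reports whether the client accepted the server's certificate and
// which protocol version was negotiated. With trustServer the client's root pool
// holds the server's certificate (the "pre-installed list of trusted certificate
// authorities"); without it the certificate check fails and the client must abort
// before any session key is derived.
func Handshake(trustServer bool) (verified bool, version uint16, err error) {
	serverCert, leaf, err := newSelfSignedCert()
	if err != nil {
		return false, 0, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, 0, err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() { // server side: ServerHello, Certificate, key exchange, Finished
		raw, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer raw.Close()
		srvErr <- tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
	}()
	roots := x509.NewCertPool()
	if trustServer {
		roots.AddCert(leaf)
	}
	// Client side: ClientHello offers versions and cipher suites; ServerName is the
	// name the presented certificate is checked against, RootCAs decides who is trusted.
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: "localhost", RootCAs: roots, MinVersion: tls.VersionTLS12})
	if err != nil {
		<-srvErr // the server saw the client's alert and gave up as well
		var untrusted x509.UnknownAuthorityError
		if errors.As(err, &untrusted) {
			return false, 0, nil // aborted on purpose: no trusted path to the certificate
		}
		return false, 0, err
	}
	defer cli.Close()
	if err := <-srvErr; err != nil {
		return false, 0, err
	}
	st := cli.ConnectionState() // meaningful only after both Finished messages verified
	return true, st.Version, nil
}

func main() {
	for _, trust := range []bool{true, false} {
		verified, version, err := Handshake(trust)
		fmt.Printf("trust server cert=%v verified=%v version=%#x err=%v\n", trust, verified, version, err)
	}
}
```

The second run is the one worth watching: the client rejects the certificate with an unknown-authority error and the handshake stops at the Server Certificate step, so no pre-master secret, session key or application data ever exists. A client configured with InsecureSkipVerify (a real crypto/tls field) skips exactly this check, which is why that setting should never survive into production configuration.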
HTTP Terminology
Example: http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
HTTP messages consist of requests from client to server and responses from server to client. In grammar form:
HTTP-message = Request | Response ; HTTP/1.1 messages
HTTP header fields include general header, request header, response header, and entity-header fields.
The message body (if any) of an HTTP message carries the entity-body associated with the request or response.
The transfer length of a message is the length of the message body as it appears in the message after any transfer codings have been applied.
A Request from a client to a server includes, within the first line of that message, the method to be applied to the resource, the identifier of the resource, and the protocol version in use.
Response: After receiving and interpreting a request message, a server responds with an HTTP response message.
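An added example, not from the original page, of parsing the message structure described above in Go: ParseMessage (this example's own name) reads the start line (Request-Line or Status-Line), the header fields, and the message body, recording the transfer length (the body's bytes as they appear on the wire) separately from the entity body left after the chunked transfer coding is removed; chunk decoding uses the standard library's httputil.NewChunkedReader. The three sample messages in main are constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http/httputil"
	"net/textproto"
	"strconv"
	"strings"
)

// Message is one parsed HTTP/1.1 request or response. TransferLen is the length of the
// body as it appeared on the wire; EntityBody is the body after any transfer coding is removed.
type Message struct {
	IsResponse              bool
	Method, Target, Version string // Request-Line fields (requests only)
	StatusCode              int    // Status-Line code (responses only)
	Header                  textproto.MIMEHeader
	TransferLen             int
	EntityBody              []byte
}

// ParseMessage reads a single HTTP/1.1 message from raw. The body is framed by exactly
// one rule, Transfer-Encoding: chunked or Content-Length; a message carrying both is
// rejected rather than guessed at, because two framings for one body is how two
// parsers on the same path come to disagree about where the message ends.
func ParseMessage(raw string) (*Message, error) {
	sr := strings.NewReader(raw)
	rd := bufio.NewReader(sr)
	tp := textproto.NewReader(rd)
	// Bytes actually consumed by the parser so far (bufio read-ahead excluded).
	consumed := func() int { return len(raw) - sr.Len() - rd.Buffered() }
	line, err := tp.ReadLine()
	if err != nil {
		return nil, err
	}
	parts := strings.SplitN(line, " ", 3)
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed start line %q", line)
	}
	m := &Message{}
	if strings.HasPrefix(parts[0], "HTTP/") { // Status-Line: version, code, reason phrase
		m.IsResponse, m.Version = true, parts[0]
		if m.StatusCode, err = strconv.Atoi(parts[1]); err != nil || m.StatusCode < 100 || m.StatusCode > 599 {
			return nil, fmt.Errorf("bad status code %q", parts[1])
		}
	} else { // Request-Line: method, request target, protocol version
		m.Method, m.Target, m.Version = parts[0], parts[1], parts[2]
	}
	if m.Header, err = tp.ReadMIMEHeader(); err != nil {
		return nil, err
	}
	bodyStart := consumed()
	te, cl := m.Header.Get("Transfer-Encoding"), m.Header.Get("Content-Length")
	switch {
	case te != "" && cl != "":
		return nil, fmt.Errorf("Transfer-Encoding and Content-Length both present: ambiguous framing")
	case te != "":
		if !strings.EqualFold(te, "chunked") {
			return nil, fmt.Errorf("unsupported transfer coding %q", te)
		}
		// NewChunkedReader decodes chunk sizes and data and stops at the zero-size
		// last-chunk; the trailer section that follows must be empty here.
		if m.EntityBody, err = io.ReadAll(httputil.NewChunkedReader(rd)); err != nil {
			return nil, fmt.Errorf("malformed chunked body: %w", err)
		}
		if l, err := rd.ReadString('\n'); err != nil || strings.TrimSpace(l) != "" {
			return nil, fmt.Errorf("unexpected trailer section %q", l)
		}
	case cl != "":
		n, err := strconv.Atoi(cl)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("invalid Content-Length %q", cl)
		}
		m.EntityBody = make([]byte, n)
		if _, err := io.ReadFull(rd, m.EntityBody); err != nil {
			return nil, fmt.Errorf("body shorter than Content-Length: %w", err)
		}
	}
	m.TransferLen = consumed() - bodyStart
	return m, nil
}

func main() {
	// Constructed sample messages (not real traffic): a request framed by Content-Length,
	// a response framed by the chunked coding, and an ambiguous message that is refused.
	for _, raw := range []string{
		"POST /search?q=tls HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello",
		"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n",
		"POST / HTTP/1.1\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
	} {
		m, err := ParseMessage(raw)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("response=%v status=%d method=%q target=%q transfer-length=%d entity-body=%q\n",
			m.IsResponse, m.StatusCode, m.Method, m.Target, m.TransferLen, m.EntityBody)
	}
}
```

For the chunked response the two lengths differ: the transfer length counts the size lines, chunk terminators and last-chunk (26 bytes), while the entity body is the 11 decoded bytes; for the Content-Length request they are equal. The third message shows the defensive choice: refusing a message with two framing headers is cheaper than picking a precedence rule that the next hop may not share.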
Status Codes
1xx: Informational - Request received, continuing process
2xx: Success - The action was successfully received, understood, and accepted
3xx: Redirection - Further action must be taken to complete the request
4xx: Client Error - The request contains bad syntax or cannot be fulfilled
5xx: Server Error - The server failed to fulfill a valid request