SSL - Handshake


This page describes the TLS handshake process.

The TLS handshake process is the first step in a SSL connection where the two parties (client and server):


You can see the handshake from a client perspective with openssl. The client and server steps are described below.

Example with the datacadamia website.

openssl s_client -connect -servername -state -quiet
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN =
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
SSL3 alert read:warning:close notify
SSL3 alert write:warning:close notify


Standard SSL handshake when RSA key exchange algorithm is used.

During the negotiation between client and server, they will indicate to each other a list of algorithms that can be understood ranked by order of preference. The common preferred algorithm is then chosen.

Client: Hello

Client initiates the request by sending to the server:

  • Information that the server needs to communicate with the client using SSL. (SSL version number, cipher settings, session-specific data)

For instance, a browser requests a secure page (usually https://).

Server: Hello

The server sends to the client:

  • its certificate (acquired from a keyStore)
  • with its corresponding public key
  • Information that the server needs to communicate with the client using SSL. (SSL version number, cipher settings, session-specific data)

If client authentication is enabled at server side, the server will request a client’s certificate.

If configured, the server may also send the list of Distinguished CA names that it authorizes. This list is then used by the client to select the signed certificate that it must send in its truststore.

If more than one certificate is selected, the client may ask the user to choose one.

Client: Server Authentication and Secret

The client:

The client sends to the server:

  • the encrypted secret with the encrypted URL required
  • other encrypted http data.
  • if client authentication is on, the selected certificate from its keystore and its public key.

Server: Decryption and Master Secret

The Server:

  • (optionally) authenticate the client certificate against the list of authorized CA’s certificate (if client authentication is on)
  • decrypts the symmetric encryption key using its private key
  • uses the symmetric key to decrypt the URL and http data.
  • sends back the requested document and data encrypted with the symmetric key.

Client: Encryption with Session Key

The client decrypts the data and document using the symmetric key and displays the information.

Both client and server exchange messages to inform that future messages will be encrypted.

Discover More
Cryptography - Algorithm (called a Cipher)

A cipher is an algorithm that encrypt a plain text message into a ciphertext. Cipher algorithm can be categorized by the key that they used as parameters. No key symmetric one (using one key) ...
Cryptography - Key

A key is a parameter used in a cipher algorithm that determines: the encryption operation (forward) and the decryption operation (backward). It's the only secret parameter that protect the anonymity...
Cryptography - Store (KeyStore|Truststore)

A keystore is a database of key material ie: key LDAP identity certificate There are actually two: a truststore on the client side a keystore on the server side Both keystores and truststores...
Valid Https
HTTP - HTTPS scheme (HTTP-over-TLS)

The https scheme represents HTTP-over-TLS HTTP is a application protocol (OSI level 7) that is build on TCP as transport layer (OSI level 3) HTTPS is essentially HTTP after the connection has been secured...
Certificate Validity Period Not Before Not After Portecle
How a certificate is signed ? (known also as issuing or producing)

This article talks how a certificate: is send by a sender (known also as the owner) and gets its signature from a trusted ca to validate the identity of the sender. By signing a certificate, the...
400 Default Page No Required Ssl Certificate
How to configure certification based client authentication with Nginx ?

This article shows you how to configure a client authentication via the ownership of a certificat on a Nginx web server. The server should be already configured for HTTPS as client certificate (client...
Ssl Test Server Www
How to debug / test a TLS / SSL connection ?

This article shows you how to see a SSL connection (handhsake) to debug any problem with configuration for: a server authentication or client authentication Check your firewall. Your port should...
Web Site Certificate
How to enable SSL on a server (ie HTTPS on a web server) ?

This page shows you how to configure a certificate and a private key for a server in order to enable SSL or a web server (http) (ie web site) in order to enable https (ie HTTP over SSL).
How to send an email at the command line with SMTP? Email transaction explained

This page is a how-to that describes how you can transport an email to a SMTP server at the command line using the SMTP protocol for further delivery It will show you the inner mechanisms of SMTP. Below...
Card Puncher Data Processing
MySQL - SSL connection

and with MySql The client is below the mysql cli but it can be another implementation. For the authentication: You have the private key private of the client The MySQL Server has the public key...

Share this page:
Follow us:
Task Runner