How does SSL/TLS work

Security Nov 8, 2015

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both of which are frequently referred to as 'SSL', are cryptographic protocols designed to provide communications security over a computer network.


Netscape developed the original SSL protocols. Version 1.0 was never publicly released because of serious security flaws in the protocol.

version 2.0, released in February 1995, "contained a number of security flaws which ultimately led to the design of SSL version 3.0".

SSL version 3.0, released in 1996, represented a complete redesign of the protocol.

TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0.

TLS 1.1 was defined in RFC 4346 in April 2006.

TLS 1.2 was defined in RFC 5246 in August 2008.

As of October 2015, TLS 1.3 is a working draft, and details are provisional and incomplete.

How does it works

  • Trading Secrets
  • Checking out the Certificate
  • Deriving the Master Secret
  • Transport your encrypted data
  • Over

Of course it's not over yet...

I will talk about the Checking out the Certificate process in the next post. So you can jump it directly now. Please read this post directly 数字签名是什么?

A full version looks like this:

  • Client Hello
  • Version Number (TLSv1 TLSv1.1 TLSv1.2 and ect..)
  • Randomly Generated Data Important
  • Cipher Suite
  • Compression Algorithm

For example:

Notice: Client don't send domain name to server, so at first there was only one site was supported on a server. Server Name Indication (SNI) is an extension which was presented in 2006 to solve this problem.

  • Server Hello
  • Server Hello
  • Version Number
  • Randomly Generated Data Important
  • Session Identification (if any)
  • Cipher Suite
  • Compression Algorithm
  • Server Certificate
  • Server Key Exchange
  • Client Certificate Request
  • Server Hello Done

For example:

Client Response to Server

  • Pre-Master Secret (Randomly Generated Data) Important
  • Certificate Verify
  • Change Cipher Spec
  • Client Finished

Server Final Response to Client

  • Master Secret
  • Server Finished
master_secret = PRF(pre_master_secret, 
                    "master secret", 
                    ClientHello.random + ServerHello.random)

For example:

Then the handshake process finished, server and client will encrypted your data with the master_secret, don't worry about performance because Symmetric-key algorithm cost little resources.

Reference documentation:


Jie Li

🚘 On-road / 📉 US Stock / 💻 Full Stack Developer / 🎓 Grad Student / ®️ ENTJ

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.