{{theTime}}

Search This Blog

Total Pageviews

SSL Handshake Overview

SSL handshake overview

SSL communication consists of a series of messages exchanged between two parties (client and server). The SSL handshake between a client and server consists of nine steps, and appears as follows:

 
Negotiation phase handshake examples

·         Successful negotiation

In the following example, the client offered protocol TLSv1.2 (version 3.3) and the server downgraded the protocol to TLSv1.0 (version 3.1). The server also chose the preferred cipher from the client's list:

1 1 0.0003 (0.0003) C>SV3.3(79) Handshake                   
ClientHello
Version 3.3
cipher suites
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256

1 2 0.0008 (0.0005) S>CV3.1(74) Handshake
ServerHello
Version 3.1
cipherSuite TLS_RSA_WITH_RC4_128_SHA

·         Unsuccessful negotiation

In the following examples, the client and server fail to agree on the SSL protocol version in the first example, and the SSL cipher in the second example.

Example 1: The client and server unsuccessfully negotiate the protocol. The server does not support protocol version below TLS1 (version 3.1) and the client does not support protocol versions above SSLv3 (version 3.0):

1 1 0.0012 (0.0012) C>SV3.0(47) Handshake
ClientHello
Version 3.0
cipher suites
SSL_RSA_WITH_AES_256_CBC_SHA

1 2 0.0013 (0.0000) S>CV0.0(2) Alert
level fatal
value handshake_failure

Example 2: The client and server unsuccessfully negotiate a cipher; the server does not support any of the client's ciphers. This is a common failure:

1 1 0.0012 (0.0012) C>SV3.1(58) Handshake
ClientHello
Version 3.2
cipher suites
TLS_DH_anon_WITH_RC4_128_MD5

1 2 0.0013 (0.0000) S>CV3.2(2) Alert
level fatal
value handshake_failure

No comments:

Could not find method signingConfigs() for arguments

Could not find method signingConfigs() for arguments [build_5dw7nwfc8ibd8sagvx4p79x1u$_run_closure5@13e86039] on root project 'android&#...