What Is a TLS Handshake?

February 4, 2025

A transport layer security (TLS) handshake establishes encrypted and authenticated communication between a client (such as a web browser) and a server. The handshake involves exchanging messages, agreeing on cryptographic algorithms, verifying the serverโ€™s identity (and optionally the clientโ€™s), and generating shared secret keys to encrypt subsequent data transfers. It is the foundation for secure data exchange, ensuring that transmitted information remains confidential and tamper-proof.

What is a TLS handshake?

What Does TLS Handshake Mean?

A TLS handshake is a series of steps that initiates a secure connection by validating the involved parties, selecting compatible security parameters, and creating shared encryption keys. The handshake determines how the data will be encrypted, verifies the serverโ€™s digital certificate, and establishes the secure channel necessary to protect data integrity and confidentiality. It is an essential part of TLS, a protocol designed to provide privacy and data security over networks.

What Are the Components of a TLS Handshake?

Below are the primary components that make a TLS handshake possible.

Client and Server

The handshake involves two main entities: the client, which initiates the connection (for instance, a web browser or other application), and the server, which hosts the resource or service the client wishes to access. The client starts the handshake by proposing various parameters for encryption and authentication, and the server responds with its chosen options based on supported configurations.

Cipher Suites

A cipher suite is a collection of cryptographic algorithms used during the handshake and subsequent data transfers. It includes the key exchange algorithm, the bulk encryption cipher, the message authentication code algorithm, and sometimes the digital signature algorithm. The client suggests a list of cipher suites it supports, and the server selects one that it recognizes and deems acceptable.

Certificates

Certificates are digital documents used to confirm the identity of a communicating party. In most TLS connections, the server presents an X.509 certificate, which is issued by a trusted certificate authority (CA). This certificate binds the serverโ€™s domain name to a public key. The client verifies the certificate chain to ensure that it has not been tampered with and that it was issued by a legitimate CA.

Public and Private Keys

Public and private keys are integral to TLS. The server holds a private key that corresponds to the public key listed in its certificate. During the handshake, these keys participate in asymmetric cryptographic operations. Clients use the public key in the server certificate to encrypt a piece of data (such as the pre-master secret), and only the serverโ€™s private key can decrypt it.

Session Keys

Once the client and server agree on a set of cryptographic parameters, they generate symmetric session keys. These keys encrypt and decrypt messages during the data transfer phase, providing both confidentiality and performance benefits. Symmetric encryption algorithms are usually much faster than asymmetric ones, which is why the handshake uses asymmetric methods for authentication and key exchange, then falls back to symmetric methods for bulk data encryption.

How Does TLS Handshake Work?

The TLS handshake typically unfolds in several steps that ensure a secure and authenticated channel. Each phase has a defined purpose and consists of message exchanges that finalize the encryption parameters and verify the authenticity of the server and possibly the client.

ClientHello

The client begins the handshake by sending a ClientHello message to the server. This message contains the following information:

  • A list of supported cipher suites and TLS versions.
  • A random value (client random) used later in key generation.
  • Supported compression methods (though compression is largely deprecated in recent TLS versions).

ServerHello

The server responds with a ServerHello message. This response includes:

  • The selected TLS version.
  • The chosen cipher suite from the clientโ€™s proposal.
  • Another random value (server random).

Certificate and Key Exchange

The server sends its certificate, which contains the serverโ€™s public key along with the certificate chain. After that, the server may send additional key exchange parameters if the chosen cipher suite requires it (for example, in Diffie-Hellman or Elliptic Curve Diffie-Hellman ciphers).

The client verifies the serverโ€™s certificate, ensuring it is valid, not expired, and signed by a trusted CA.

Client Verification and Pre-Master Secret

After the client verifies the serverโ€™s certificate, it generates a pre-master secret and encrypts it using the serverโ€™s public key. This encrypted pre-master secret is then sent to the server.

The server uses its private key to decrypt the pre-master secret, and both parties derive session keys from the pre-master secret, the client random, and the server random.

Handshake Finalization

Both the client and server send โ€œFinishedโ€ messages to each other, which are encrypted with the newly derived session keys. These messages verify that the agreed-upon keys are functioning correctly and that no tampering occurred.

Once these messages are successfully exchanged and verified, the handshake is complete, and subsequent communications are encrypted using the session keys.

When Does a TLS Handshake Occur?

A TLS handshake occurs whenever a client initiates a new secure connection to a server over TLS. Common scenarios include:

The handshake repeats if a new session is established or if a TLS renegotiation is triggered to refresh the cryptographic keys for long-running connections.

TLS Handshake Example

Below is a walkthrough of how a typical HTTPS (HTTP over TLS) handshake transpires between a client and a server.

Step 1: Client Requests Secure Page

A userโ€™s web browser initiates a secure connection by sending a ClientHello message to the server at โ€œexample.com.โ€ The ClientHello message is part of the TLS Handshake Protocol and contains several important pieces of information:

  • Supported protocol version(s). The client proposes one or more versions of TLS (e.g., TLS 1.2, TLS 1.3) that it is capable of using.
  • Client random. A 32-byte random value generated by the client, later used in key derivation.
  • Session ID or session ticket. If the client has recently connected to the same server and holds a valid session ticket or session ID, it may offer it to request session resumption, which can skip or shorten some handshake steps.
  • Cipher suites. These suites are a list of cryptographic algorithms that the client supports. Each cipher suite specifies a key exchange mechanism (e.g., RSA, ECDHE), an encryption algorithm (e.g., AES), and a message authentication code or authentication tag algorithm (e.g., SHA256).
  • Extensions. Modern TLS implementations include various extensions such as server name indication (SNI), which indicates the hostname the client is trying to reach. Additional extensions might indicate supported elliptic curves, signature algorithms, and other parameters that enhance security or performance.

Upon receiving this ClientHello, the server examines the proposed cipher suites and TLS versions to determine whether it supports any of them. The TLS handshake continues only if the server finds at least one compatible set of parameters.

Step 2: Server Responds

After processing the ClientHello, the server replies with a ServerHello message. Several key elements are included:

  • Chosen protocol version. The server selects one version of TLS (e.g., TLS 1.2) that both client and server support.
  • Server random. Another 32-byte random value generated by the server, used with the client random to derive shared keys.
  • Cipher suite selection. From the clientโ€™s list, the server picks a single cipher suite that it supports. For instance, it might choose an ECDHE_RSA key exchange, AES_128_GCM encryption, and SHA256 for message authentication.
  • Session ID or new session ticket. If the server supports session resumption, it can accept the clientโ€™s proposed session ID or provide a new one.
  • Extensions. The server includes relevant extension responses, indicating any specific parameters or constraints.

Following the ServerHello, the server typically sends additional handshake messages:

  • Certificate. The server transmits its certificate chain, which includes its end-entity certificate (the actual server certificate) and any intermediate certificates required to link it to a root certificate authority (CA).
  • Server key exchange. Depending on the chosen cipher suite, the server provides key exchange parameters (for example, ephemeral Diffie-Hellman public key) that the client will use to generate a shared secret.
  • Certificate request (optional). If the server requires client authentication, it requests a client certificate at this stage. This is less common in typical web browsing but more frequent in environments needing mutual TLS.

Step 3: Certificate Validation

The client examines the serverโ€™s certificate to ensure the connection is truly with the intended host and not an imposter:

  • Certificate chain verification. The client checks that the serverโ€™s certificate is issued and signed by a trusted CA. The browser or operating system maintains a store of trusted root certificates. The browser also checks intermediate certificates to form a valid chain of trust up to a recognized root CA.
  • Expiration and validity. The client inspects the certificateโ€™s โ€œNot Beforeโ€ and โ€œNot Afterโ€ dates to confirm that the certificate is currently valid.
  • Domain name matching. The client confirms that the domain name listed in the certificate (commonly found in the Subject Alternative Name field) matches โ€œexample.com,โ€ or whichever domain was requested.
  • Revocation check. The client may use the certificate revocation list (CRL) or the online certificate status protocol (OCSP) to see if the certificate or any intermediate certificate has been revoked.

If any part of the validation process failsโ€”such as an invalid signature, expired certificate, or mismatched domain nameโ€”the client typically terminates the connection or displays a warning to the user.

Step 4: Key Exchange and Session Key Generation

Once the client has validated the serverโ€™s certificate (and optionally sent its own certificate if requested), the client proceeds with the key exchange:

  • Client key exchange. If an RSA key exchange is used, the client generates a pre-master secret and encrypts it with the serverโ€™s public key (obtained from the server certificate). If an ECDHE or DHE cipher suite is used, the client also provides its own ephemeral public key for Diffie-Hellman calculations.
  • Decryption or shared key computation. The server decrypts the pre-master secret with its private key or, in the case of Diffie-Hellman/ECDHE, combines the clientโ€™s and serverโ€™s public keys to compute a shared secret.
  • Master secret derivation. Using the pre-master secret (or DH shared secret), the client and server both derive a master secret. This derivation also involves the client random and server random. Pseudorandom functions (like those in TLS 1.2 or the โ€œHandshake Secretโ€ in TLS 1.3) are used to ensure strong cryptographic randomness.
  • Session key creation. From the master secret, the client and server generate separate symmetric keys for encrypting outbound data, decrypting inbound data, and verifying message integrity. These session keys are typically negotiated to be ephemeral (especially in ECDHE-based ciphers), which provides forward secrecy.

Step 5: Secure Data Transfer

After both sides derive the session keys, the client and server exchange Finished messages:

  • Finished messages. Each side computes a cryptographic hash of all the handshake messages sent so far (the handshake transcript) and encrypts it with the newly established session keys. These โ€œFinishedโ€ messages verify that both parties share the same handshake state and that no tampering has occurred.
  • Handshake confirmation. The client and server confirm receipt of each otherโ€™s Finished message. If the hashes match, it indicates the handshake completed successfully and securely.
  • Encrypted application data. Subsequent dataโ€”such as HTML files, images, or any other application-layer contentโ€”is encrypted with the agreed-upon symmetric key. The encryption ensures confidentiality, while the cryptographic hash or MAC (depending on the cipher suite) ensures integrity.
  • Connection persistence and session resumption. If either side supports TLS session resumption, they can reuse the negotiated master secret for a future connection. This reduces the overhead of performing a full handshake again.

Once the handshake phase is complete, the browser and server communicate via a secure channel. Browsers typically display a lock icon or similar indicator in the address bar to show that the connection is encrypted and authenticated using TLS.

Why Are TLS Handshakes Important?

A TLS handshake provides a method for establishing secure communications in networks that may be susceptible to eavesdropping or tampering.

 Several benefits arise from a successful handshake:

  • Authentication. The client is assured of the serverโ€™s identity, preventing man-in-the-middle attacks.
  • Confidentiality. All traffic that follows the handshake is encrypted, ensuring that unauthorized parties are not able to read the data.
  • Data integrity. Message authentication ensures that transmitted data has not been altered in transit.

The handshake process, through its use of cryptographic algorithms and certificates, establishes a robust layer of trust that protects information during transit.

What If a TLS Handshake Fails?

A failed TLS handshake results in the inability to create a secure connection. The connection is often terminated, and users might encounter error messages such as โ€œSSL/TLS handshake failedโ€ or โ€œUnable to establish a secure connection.โ€

Failure occurs when issues like incompatible TLS versions, invalid certificates, expired certificates, or incorrect system clocks prevent a successful negotiation.

How to Fix a TLS Handshake?

System administrators and end-users can resolve handshake failures by addressing the root causes:

  • Update or install valid certificates. You must replace expired or invalid certificates. Hosting providers and administrators should ensure that certificates are signed by trusted CAs and remain up to date.
  • Check configuration and supported protocols. Ensuring that both client and server support the same TLS versions and cipher suites is crucial. Disabling old protocols like SSLv3 or TLS 1.0 eliminates known vulnerabilities and prevents handshake failures related to deprecated encryption methods.
  • Synchronize system clocks. Accurate system clocks are important for validating certificate expiration and validity times. A server or client with the wrong time setting may reject otherwise valid certificates.
  • Verify CA trust stores. The clientโ€™s operating system or application maintains a list of trusted CAs. Verifying that the relevant root or intermediate CA is present and not revoked helps prevent handshake errors.
  • Inspect server configuration. Misconfigured servers (for instance, incorrect cipher suite priorities or incomplete certificate chains) often lead to handshake problems. Examining server logs and configurations helps pinpoint the mismatch and allows for quick resolution.

What Is the Difference Between SSL and TLS Handshake?

The term โ€œSSL handshakeโ€ refers to the handshake process used by the secure sockets layer (SSL) protocol, which was an earlier standard for encrypting and securing data. The TLS handshake is the modern evolution of SSL, offering stronger security measures and updated cryptographic algorithms.

Although the workflows are similar, TLS introduced improvements over SSL, including enhanced cipher suites, better certificate handling, and more robust cryptographic mechanisms. SSL has been deprecated due to known vulnerabilities, and most modern systems use TLS for secure communications.

Many references still use โ€œSSLโ€ to describe the secure handshake even when TLS is used under the hood, but the more accurate term in current implementations is โ€œTLS handshake.โ€ The core principle remains the same: a handshake process negotiates security parameters, exchanges certificates, and establishes shared keys for encrypted communication.

Nikola
Kostic
Nikola is a seasoned writer with a passion for all things high-tech. After earning a degree in journalism and political science, he worked in the telecommunication and online banking industries. Currently writing for phoenixNAP, he specializes in breaking down complex issues about the digital economy, E-commerce, and information technology.