SSL handshake

Below are the steps of the SSL handshake:

1. Client Hello:

- The client initiates the SSL handshake by sending a "Client Hello" message to the server.
- This message includes the SSL/TLS version supported by the client, a random number (Client Random), a list of supported cipher suites (algorithms for encryption), and other parameters.
- The client also includes a list of supported compression methods.

2. Server Hello:

- Upon receiving the Client Hello message, the server responds with a "Server Hello" message.
- This message includes the SSL/TLS version selected by the server, a random number (Server Random), the selected cipher suite from the client's list, and the selected compression method.

3. Server Certificate:

- The server sends its digital certificate to the client.
- The certificate contains the server's public key, its identity information (such as the domain name), and the digital signature of the certificate authority (CA) that issued the certificate.

4. Key Exchange:

- The client verifies the server's certificate by checking its validity and ensuring it was signed by a trusted CA.
- If the certificate is valid, the client generates a pre-master secret (a random value), encrypts it with the server's public key from the certificate, and sends it to the server.
- Both the client and server use the Client Random, Server Random, and the pre-master secret to derive the session keys for encryption and decryption.

5. Change Cipher Spec:

- After the key exchange is complete, the client and server notify each other that subsequent messages will be encrypted using the negotiated parameters. This is done through the "Change Cipher Spec" message.

6. Finished:

- Finally, both the client and server send a "Finished" message to each other.
- This message contains a hash of all the messages exchanged during the handshake; the sender encrypts it and the receiver decrypts it using the session keys.
- If the Finished messages match on both sides, it indicates that the handshake was successful, and the SSL/TLS session is established.

Throughout the handshake process, the client and server agree on encryption algorithms, exchange keys securely, and verify each other's identity to ensure a secure and trusted connection.