What Is the SSL\/TLS Handshake?<\/h2>\n\n\n\n
At the beginning of every HTTPS connection, the client (the internet user\u2019s web browser) and the server (hosting the website) must go through a series of checks \u2014 for lack of a better term \u2014 to authenticate one another and determine the parameters of the encrypted connection. This is known as the TLS handshake, although some within the industry still refer to it as an SSL handshake. <\/p>\n\n\n\n
(SSL is no longer technically accurate since it’s a deprecated protocol. However, we’ll still refer to it as such throughout the article because people still commonly use the term. So, you’ll see “SSL handshake” and “TLS handshake” used interchangeably throughout the content, but just know that we’re still talking about the TLS handshake.)<\/p>\n\n\n\n
The TLS handshake process accomplishes three things:<\/p>\n\n\n\n
- \n
- Authenticates the server as the rightful owner of the asymmetric public\/private key pair.<\/li>\n\n\n\n
- Determines the TLS version and cipher suite that will be used for the connection.<\/li>\n\n\n\n
- Exchanges the symmetric session key that will be used for communication.<\/li>\n<\/ul>\n\n\n\n
![\"TLS](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/11\/bigstock-218959840-300x300.jpg\")
<\/figure>\n<\/div>\n\n\nIf you simplify public key infrastructure<\/a> (PKI) \u2014which serves as the infrastructure for the entire SSL\/TLS ecosystem \u2014 it\u2019s really about secure key exchange<\/a>. During an HTTPS connection, the communication is actually done with symmetric session keys<\/a> \u2014 generally 256-bit advanced encryption standard (AES)<\/a> keys \u2014 that are generated on the client side of things. When a symmetric key is generated, both parties get a copy. They can use it to encrypt and decrypt the data that transmits between them.<\/p>\n\n\n\n
While 256-bit encryption is still sufficiently robust<\/a>, the real security is at the gate where a much larger, much stronger private key (generally a 2048-bit RSA key) helps handle the authentication portion of the connection. Authentication is important because the client wants to make sure it\u2019s connecting with the correct party. That\u2019s essentially what the SSL\/TLS handshake is for \u2014 it\u2019s a set of checks where: <\/p>\n\n\n\n
- \n
- The client and server authenticate one another, <\/li>\n\n\n\n
- They determine the parameters of the HTTPS connections (what cipher suite will be used<\/a>), and then <\/li>\n\n\n\n
- The client encrypts a copy of the session key and sends it to the server for use during the connection.<\/li>\n<\/ul>\n\n\n\n
Historically, the SSL\/TLS handshake has added a small bit of latency to a connection, which is what led to the claim that HTTPS slows down your website. That latency has been addressed in more recent versions of the TLS protocol though, so that\u2019s almost entirely untrue today \u2014 especially with HTTP\/2<\/a> and HTTP\/3<\/a>.<\/p>\n\n\n\n
Currently, there are two different versions of the TLS handshake in use: TLS 1.2 and TLS 1.3. <\/p>\n\n\n\n
The SSL\/TLS Handshake Process in TLS 1.2 vs TLS 1.3<\/h3>\n\n\n\n
TLS 1.2 uses a handshake that makes multiple roundtrips between the client and the server.<\/p>\n\n\n
\n![\"TLS](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/01\/SSL_Handshake_10-Steps-1.png\")
<\/figure>\n<\/div>\n\n\nWondering how the TLS handshake process works? We\u2019re not going to go step-by-step, but essentially: <\/p>\n\n\n\n
- \n
- The client and server ping one another. <\/li>\n\n\n\n
- The server presents its SSL\/TLS certificate. <\/li>\n\n\n\n
- The client authenticates the certificate authority<\/a> (CA)-signed certificate. <\/li>\n\n\n\n
- They exchange a list of supported cipher suites and agree on one, then key exchange occurs.<\/li>\n<\/ul>\n\n\n\n
This process involves a lot of steps \u2014 all of which occur in a short amount of time.<\/p>\n\n\n\n
TLS 1.3, on the other hand, has refined the TLS handshake to a single round-trip.<\/p>\n\n\n
\n![\"TLS](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/03\/TLS_1_3_Handshake.jpg\")
<\/figure>\n<\/div>\n\n\nObviously, this cuts down on the time that it takes for a connection to start \u2014 we\u2019re talking milliseconds here so maybe not noticeably (except at scale) \u2014 and makes everything more efficient. TLS 1.3 also allows 0-RTT resumption, which streamlines subsequent connections to a TLS 1.3-enabled website even more.<\/p>\n\n\n\n
But, given the number of moving parts in a TLS handshake, there\u2019s plenty that can go wrong if a website or a device are misconfigured. A couple years ago we wrote about fixing TLS handshakes failed errors on Firefox<\/a>, but these errors are far more universal than that. So now let\u2019s talk about what can go wrong with the TLS handshake and what need to be done to fix it.<\/p>\n\n\n
\n\t\t\t\n\t\t<\/a>\n\t\t\n\t\t\n\t\t\tTaking a Closer Look at the SSL\/TLS Handshake<\/a>\n\t\t<\/p>\n\t\t
\n\t\t\t\n\t\t\t\t\t\t\t\t\t In Everything Encryption <\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t By Patrick Nohe <\/span>\n\t\t\t\t\t\t\t<\/em>\n\t\t<\/p>\n\t\t
\n\t\t\t\n\t\t\t\t
There’s a lot going on underneath the hood when you connect to a website via HTTPS. First and foremost, everyone needs to… shake hands?!<\/p>\n\t\t\t<\/p>\n\t\t<\/div>\n\t\t
\n\t\t\t\n\t\t\t\tRead more\t\t\t<\/a>\n\t\t<\/p>\n\t<\/div>\n<\/div>\n\n\n\n
An Overview of SSL\/TLS Handshake Failed Errors<\/h2>\n\n\n\n
To make this article a little bit easier to follow, we\u2019re going to put all of the possible causes for SSL\/TLS handshake failed errors (SSL handshake errors) and who can fix them. After that, we\u2019ll have a dedicated section for each where we\u2019ll cover how to fix them.<\/p>\n\n\n\n
- They exchange a list of supported cipher suites and agree on one, then key exchange occurs.<\/li>\n<\/ul>\n\n\n\n
- The client encrypts a copy of the session key and sends it to the server for use during the connection.<\/li>\n<\/ul>\n\n\n\n
![\"TLS](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/11\/bigstock-Computer-Screen-With-Warning-A-237826066-e1542224215167-300x300.png\")
<\/figure>SSL\/TLS Handshake Failed \u2014 Client Errors<\/h2>\n\n\n\n![\"TLS](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/11\/bigstock-Calendar-Time-Icon-Simple-Ill-252192211-300x300.jpg\"){kind=icon}
<\/figure>\n<\/div>\n\n\n![\"TLS](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/11\/bigstock-Error-Browser-Vector-Icon-Fil-2421763211-e1542224072360-300x300.jpg\"){kind=icon}
<\/figure>Browser Error<\/h2>\n\n\n\n![\"SSL](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/SSL-Bridging.jpg\")
<\/figure>\n<\/div>\n\n\n![\"\"](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/11\/TLS-1.3-300x283.png\")
<\/figure>Protocol Mismatch<\/h2>\n\n\n\n![\"TLS](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/11\/bigstock-206113780-e1542224468298-300x300.jpg\")
<\/figure>Cipher Suite Mismatch<\/h2>\n\n\n\n![\"difference](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/Certificate-Chain.jpg\")
<\/figure>\n<\/div>\n\n\n![\"TLS](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/11\/bigstock-Vector-sandglass-illustration-7926105-208x300.jpg\")
<\/figure>\n<\/div>\n\n\n![\"Hashed](\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/08\/bigstock-222348568.jpg\")
<\/figure>\n<\/div>","protected":false},"excerpt":{"rendered":"