An SSL connection between a client and server is set up by a handshake, the goals of which are:

  • To satisfy the client that it is talking to the right server (and optionally visa versa)
  • For the parties to have agreed on a “cipher suite”, which includes which encryption algorithm they will use to exchange data
  • For the parties to have agreed on any necessary keys for this algorithm

Once the connection is established, both parties can use the agreed algorithm and keys to securely send messages to each other. We will break the handshake up into 3 main phases - Hello, Certificate Exchange and Key Exchange.

  1. Hello - The handshake begins with the client sending a ClientHello message. This contains all the information the server needs in order to connect to the client via SSL, including the various cipher suites and maximum SSL version that it supports. The server responds with a ServerHello, which contains similar information required by the client, including a decision based on the client’s preferences about which cipher suite and version of SSL will be used.

  2. Certificate Exchange - Now that contact has been established, the server has to prove its identity to the client. This is achieved using its SSL certificate, which is a very tiny bit like its passport. An SSL certificate contains various pieces of data, including the name of the owner, the property (eg. domain) it is attached to, the certificate’s public key, the digital signature and information about the certificate’s validity dates. The client checks that it either implicitly trusts the certificate, or that it is verified and trusted by one of several Certificate Authorities (CAs) that it also implicitly trusts. Much more about this shortly. Note that the server is also allowed to require a certificate to prove the client’s identity, but this typically only happens in very sensitive applications.

  3. Key Exchange - The encryption of the actual message data exchanged by the client and server will be done using a symmetric algorithm, the exact nature of which was already agreed during the Hello phase. A symmetric algorithm uses a single key for both encryption and decryption, in contrast to asymmetric algorithms that require a public/private key pair. Both parties need to agree on this single, symmetric key, a process that is accomplished securely using asymmetric encryption and the server’s public/private keys.

The client generates a random key to be used for the main, symmetric algorithm. It encrypts it using an algorithm also agreed upon during the Hello phase, and the server’s public key (found on its SSL certificate). It sends this encrypted key to the server, where it is decrypted using the server’s private key, and the interesting parts of the handshake are complete. The parties are sufficiently happy that they are talking to the right person, and have secretly agreed on a key to symmetrically encrypt the data that they are about to send each other. HTTP requests and responses can now be sent by forming a plaintext message and then encrypting and sending it. The other party is the only one who knows how to decrypt this message, and so Man In The Middle Attackers are unable to read or modify any requests that they may intercept.

https://robertheaton.com/2014/03/27/how-does-https-actually-work/

How an SSL connection is established的更多相关文章

  1. WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default i

    jdbc连接数据库候,对数据进行访问,访问正常当出现如下警告: WARN: Establishing SSL connection without server's identity verifica ...

  2. Java连接Mysql数据库警告: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established

    详细错误: Establishing SSL connection without server's identity verification is not recommended. Accordi ...

  3. NetCore HttpClient The SSL connection could not be established, see inner exception

    之前遇到一个问题 https://www.cnblogs.com/leoxjy/p/10201046.html 在centos 7.x  HttpClient访问会出问题  The SSL conne ...

  4. HttpClient SSL connection could not be established error

    系统从.net framework 升级到dotnet core2.1 原先工作正常的httpclient,会报SSL connection could not be established erro ...

  5. java链接Mysql出现警告:Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by

    Java使用mysql-jdbc连接MySQL出现如下警告: Establishing SSL connection without server's identity verification is ...

  6. The request with exception: The SSL connection could not be established, see inner exception. requestId 解决方案

    DOTNET CORE 部署 Centos7 抛出异常 环境变量如下: .NET Core SDK (reflecting any global.json): Version: 2.2.401 Com ...

  7. MySQL 警告WARN: Establishing SSL connection without server's identity verification is not recommended.解决办法

    Fri Jun 17 13:46:54 CST 2016 WARN: Establishing SSL connection without server's identity verificatio ...

  8. C3P0 WARN: Establishing SSL connection without server's identity verification is not recommended

    c3p0的出现,是为了大大提高应用程序和数据库之间访问效率的. 它的特性: 编码的简单易用 连接的复用 连接的管理 今天在配置C3p0的时候出现了这个warn   原因是因为要验证SSL Wed Se ...

  9. WARN: Establishing SSL connection without server's identity verification is not recommended

    0.要想用Java连接mysql数据库,首先装好JDK,配置好环境变量,将jdk*.*.*\lib放入classpath,将jdk*.*.*\bin放入path中(*.*.*表示版本号):其次安装好m ...

随机推荐

  1. C语言实现strcmp()和strcpy()函数

    #include <stdio.h> #include <assert.h> char *strcpy(char *strDest, const char *strScr) { ...

  2. BZOJ 3439 Kpm的MCpassword Trie树+可持久化线段树

    题目大意:给定n个字符串,对于每一个字符串求以这个字符串为后缀的字符串中第k小的编号 首先将字符串反转 那么就变成了对于每一个字符串求以这个字符串为前缀的字符串中第k小的编号 然后考虑对字符串排序 那 ...

  3. ObjectiveC开发教程--字符串的连接

    NSString *type = @"hello"; NSString *subtype = @"good"; NSString *typesub = [NSS ...

  4. LeetCode 389. Find the Difference (找到不同)

    Given two strings s and t which consist of only lowercase letters. String t is generated by random s ...

  5. LeetCode 242. Valid Anagram (验证变位词)

    Given two strings s and t, write a function to determine if t is an anagram of s. For example,s = &q ...

  6. 5分钟Serverless实践 | 构建无服务器的敏感词过滤后端系统

    前言 在上一篇“5分钟Serverless实践”系列文章中,我们介绍了什么是Serverless,以及如何构建一个无服务器的图片鉴黄Web应用,本文将延续这个话题,以敏感词过滤为例,介绍如何构建一个无 ...

  7. 数据分析在web交互设计中的作用 页面跳出率 100% 原因分析

    通过分析访问的路径,发现,访问者访问其他页面,直接跳出 页面跳出率  100% 说明: 连作者都发现的导航路径不清晰 对导航进行改版:清晰.明了

  8. 是否能重拾Linux下Init 3的快感?

     对于Windows大多数程序猿(眼下).是否非常怀念Linux下全字符界面的炫酷与优越感? 是否仍然停留在cmd后,将文件拖到dos下简单的操作呢?以下是近期研究在Windows下用全命令行的方 ...

  9. SQL分离附加数据库

    转自:http://www.jb51.net/article/36624.htm

  10. [bzoj3274]Circle

    https://www.zybuluo.com/ysner/note/1243396 题面 有\(n\)个排成一圈的格子,并且已知正整数\(k\)和\(m\),你需要往每个格子中填入一个大于等于\(k ...