How an SSL connection is established
An SSL connection between a client and server is set up by a handshake, the goals of which are:
- To satisfy the client that it is talking to the right server (and optionally visa versa)
- For the parties to have agreed on a “cipher suite”, which includes which encryption algorithm they will use to exchange data
- For the parties to have agreed on any necessary keys for this algorithm
Once the connection is established, both parties can use the agreed algorithm and keys to securely send messages to each other. We will break the handshake up into 3 main phases - Hello, Certificate Exchange and Key Exchange.
Hello - The handshake begins with the client sending a ClientHello message. This contains all the information the server needs in order to connect to the client via SSL, including the various cipher suites and maximum SSL version that it supports. The server responds with a ServerHello, which contains similar information required by the client, including a decision based on the client’s preferences about which cipher suite and version of SSL will be used.
Certificate Exchange - Now that contact has been established, the server has to prove its identity to the client. This is achieved using its SSL certificate, which is a very tiny bit like its passport. An SSL certificate contains various pieces of data, including the name of the owner, the property (eg. domain) it is attached to, the certificate’s public key, the digital signature and information about the certificate’s validity dates. The client checks that it either implicitly trusts the certificate, or that it is verified and trusted by one of several Certificate Authorities (CAs) that it also implicitly trusts. Much more about this shortly. Note that the server is also allowed to require a certificate to prove the client’s identity, but this typically only happens in very sensitive applications.
Key Exchange - The encryption of the actual message data exchanged by the client and server will be done using a symmetric algorithm, the exact nature of which was already agreed during the Hello phase. A symmetric algorithm uses a single key for both encryption and decryption, in contrast to asymmetric algorithms that require a public/private key pair. Both parties need to agree on this single, symmetric key, a process that is accomplished securely using asymmetric encryption and the server’s public/private keys.
The client generates a random key to be used for the main, symmetric algorithm. It encrypts it using an algorithm also agreed upon during the Hello phase, and the server’s public key (found on its SSL certificate). It sends this encrypted key to the server, where it is decrypted using the server’s private key, and the interesting parts of the handshake are complete. The parties are sufficiently happy that they are talking to the right person, and have secretly agreed on a key to symmetrically encrypt the data that they are about to send each other. HTTP requests and responses can now be sent by forming a plaintext message and then encrypting and sending it. The other party is the only one who knows how to decrypt this message, and so Man In The Middle Attackers are unable to read or modify any requests that they may intercept.
https://robertheaton.com/2014/03/27/how-does-https-actually-work/
How an SSL connection is established的更多相关文章
- WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default i
jdbc连接数据库候,对数据进行访问,访问正常当出现如下警告: WARN: Establishing SSL connection without server's identity verifica ...
- Java连接Mysql数据库警告: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established
详细错误: Establishing SSL connection without server's identity verification is not recommended. Accordi ...
- NetCore HttpClient The SSL connection could not be established, see inner exception
之前遇到一个问题 https://www.cnblogs.com/leoxjy/p/10201046.html 在centos 7.x HttpClient访问会出问题 The SSL conne ...
- HttpClient SSL connection could not be established error
系统从.net framework 升级到dotnet core2.1 原先工作正常的httpclient,会报SSL connection could not be established erro ...
- java链接Mysql出现警告:Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by
Java使用mysql-jdbc连接MySQL出现如下警告: Establishing SSL connection without server's identity verification is ...
- The request with exception: The SSL connection could not be established, see inner exception. requestId 解决方案
DOTNET CORE 部署 Centos7 抛出异常 环境变量如下: .NET Core SDK (reflecting any global.json): Version: 2.2.401 Com ...
- MySQL 警告WARN: Establishing SSL connection without server's identity verification is not recommended.解决办法
Fri Jun 17 13:46:54 CST 2016 WARN: Establishing SSL connection without server's identity verificatio ...
- C3P0 WARN: Establishing SSL connection without server's identity verification is not recommended
c3p0的出现,是为了大大提高应用程序和数据库之间访问效率的. 它的特性: 编码的简单易用 连接的复用 连接的管理 今天在配置C3p0的时候出现了这个warn 原因是因为要验证SSL Wed Se ...
- WARN: Establishing SSL connection without server's identity verification is not recommended
0.要想用Java连接mysql数据库,首先装好JDK,配置好环境变量,将jdk*.*.*\lib放入classpath,将jdk*.*.*\bin放入path中(*.*.*表示版本号):其次安装好m ...
随机推荐
- Ubuntu下非常规方法安装绿色软件(压缩包)
继上一篇http://www.cnblogs.com/EasonJim/p/7117567.html文章中说的常规方式安装的软件,都会自动在命令行及Dash Home中体现. 但是如果是使用压缩包进行 ...
- 19、Java并发性和多线程-嵌套管程锁死
以下内容转自http://ifeve.com/nested-monitor-lockout/: 嵌套管程锁死类似于死锁, 下面是一个嵌套管程锁死的场景: 线程1获得A对象的锁. 线程1获得对象B的锁( ...
- eclipse编译项目用maven编译问题
1.eclipse只是个ide开发环境,并没有编译器功能.没有编译器.eclipse编译项目只是调jdk本地的java编译器.maven是单独编译,eclipse可以调用maven编译, 在eclip ...
- ios測试的时候出现错误
dyld: Library not loaded: @rpath/XCTest.framework/XCTest Referenced from: /Users/zhumin/Library/De ...
- Android studio一些设置项
------Appearance选项------------------------------------------------------------- Cylic scrolling in l ...
- 【POJ 2777】 Count Color(线段树区间更新与查询)
[POJ 2777] Count Color(线段树区间更新与查询) Time Limit: 1000MS Memory Limit: 65536K Total Submissions: 4094 ...
- Linux 下查找文件或文件夹
有些在我看来比较实用的命令,在这里记一下,避免每次都搜索一轮. 1.查找文件和文件夹 $ find . -name "mongo*" 从当前路径开始,向子目录查找名字含有 &quo ...
- Excel 常用快捷键键 快捷方式
移动整行的位置 Shift + Alt + 鼠标拖拽 不加Shit + Alt 移动后 留白 注意:需要移动鼠标到行的最上面,变成十字箭头
- bzoj3505 [Cqoi2014]数三角形——组合数+容斥
题目:https://www.lydsy.com/JudgeOnline/problem.php?id=3505 好题啊好题...好像还曾经出现在什么智力测试卷中来着...当时不会现在还是无法自己推出 ...
- bzoj1607 [Usaco2008 Dec]Patting Heads 轻拍牛头——暴力
题目:https://www.lydsy.com/JudgeOnline/problem.php?id=1607 观察一下数据范围,就是纯粹的暴力. 代码如下: #include<iostrea ...