How an SSL connection is established
An SSL connection between a client and server is set up by a handshake, the goals of which are:
- To satisfy the client that it is talking to the right server (and optionally visa versa)
- For the parties to have agreed on a “cipher suite”, which includes which encryption algorithm they will use to exchange data
- For the parties to have agreed on any necessary keys for this algorithm
Once the connection is established, both parties can use the agreed algorithm and keys to securely send messages to each other. We will break the handshake up into 3 main phases - Hello, Certificate Exchange and Key Exchange.
Hello - The handshake begins with the client sending a ClientHello message. This contains all the information the server needs in order to connect to the client via SSL, including the various cipher suites and maximum SSL version that it supports. The server responds with a ServerHello, which contains similar information required by the client, including a decision based on the client’s preferences about which cipher suite and version of SSL will be used.
Certificate Exchange - Now that contact has been established, the server has to prove its identity to the client. This is achieved using its SSL certificate, which is a very tiny bit like its passport. An SSL certificate contains various pieces of data, including the name of the owner, the property (eg. domain) it is attached to, the certificate’s public key, the digital signature and information about the certificate’s validity dates. The client checks that it either implicitly trusts the certificate, or that it is verified and trusted by one of several Certificate Authorities (CAs) that it also implicitly trusts. Much more about this shortly. Note that the server is also allowed to require a certificate to prove the client’s identity, but this typically only happens in very sensitive applications.
Key Exchange - The encryption of the actual message data exchanged by the client and server will be done using a symmetric algorithm, the exact nature of which was already agreed during the Hello phase. A symmetric algorithm uses a single key for both encryption and decryption, in contrast to asymmetric algorithms that require a public/private key pair. Both parties need to agree on this single, symmetric key, a process that is accomplished securely using asymmetric encryption and the server’s public/private keys.
The client generates a random key to be used for the main, symmetric algorithm. It encrypts it using an algorithm also agreed upon during the Hello phase, and the server’s public key (found on its SSL certificate). It sends this encrypted key to the server, where it is decrypted using the server’s private key, and the interesting parts of the handshake are complete. The parties are sufficiently happy that they are talking to the right person, and have secretly agreed on a key to symmetrically encrypt the data that they are about to send each other. HTTP requests and responses can now be sent by forming a plaintext message and then encrypting and sending it. The other party is the only one who knows how to decrypt this message, and so Man In The Middle Attackers are unable to read or modify any requests that they may intercept.
https://robertheaton.com/2014/03/27/how-does-https-actually-work/
How an SSL connection is established的更多相关文章
- WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default i
jdbc连接数据库候,对数据进行访问,访问正常当出现如下警告: WARN: Establishing SSL connection without server's identity verifica ...
- Java连接Mysql数据库警告: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established
详细错误: Establishing SSL connection without server's identity verification is not recommended. Accordi ...
- NetCore HttpClient The SSL connection could not be established, see inner exception
之前遇到一个问题 https://www.cnblogs.com/leoxjy/p/10201046.html 在centos 7.x HttpClient访问会出问题 The SSL conne ...
- HttpClient SSL connection could not be established error
系统从.net framework 升级到dotnet core2.1 原先工作正常的httpclient,会报SSL connection could not be established erro ...
- java链接Mysql出现警告:Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by
Java使用mysql-jdbc连接MySQL出现如下警告: Establishing SSL connection without server's identity verification is ...
- The request with exception: The SSL connection could not be established, see inner exception. requestId 解决方案
DOTNET CORE 部署 Centos7 抛出异常 环境变量如下: .NET Core SDK (reflecting any global.json): Version: 2.2.401 Com ...
- MySQL 警告WARN: Establishing SSL connection without server's identity verification is not recommended.解决办法
Fri Jun 17 13:46:54 CST 2016 WARN: Establishing SSL connection without server's identity verificatio ...
- C3P0 WARN: Establishing SSL connection without server's identity verification is not recommended
c3p0的出现,是为了大大提高应用程序和数据库之间访问效率的. 它的特性: 编码的简单易用 连接的复用 连接的管理 今天在配置C3p0的时候出现了这个warn 原因是因为要验证SSL Wed Se ...
- WARN: Establishing SSL connection without server's identity verification is not recommended
0.要想用Java连接mysql数据库,首先装好JDK,配置好环境变量,将jdk*.*.*\lib放入classpath,将jdk*.*.*\bin放入path中(*.*.*表示版本号):其次安装好m ...
随机推荐
- [Vue @Component] Simplify Vue Components with vue-class-component
While traditional Vue components require a data function which returns an object and a method object ...
- C++对象模型——函数的效能(第四章)
4.3 函数的效能 在以下的这组測试中,在不同的编译器上计算两个3D点,当中用到一个nonmember friend function,一个member function,以及一个 virtual m ...
- 杭电 1548 A strange lift(广搜)
http://acm.hdu.edu.cn/showproblem.php?pid=1548 A strange lift Time Limit: 2000/1000 MS (Java/Others) ...
- 关于OpenFileDialog的使用(转)
OpenFileDialog控件有以下基本属性 InitialDirectory 对话框的初始目录 Filter 要在对话框中显示的文件筛选器,例如,"文本文件(*.txt)|*.txt|所 ...
- JSTL判断list的size()大小,以及choose(相当于if else作用)
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%> <%@ tag ...
- MSP430 G2553 Timer 中断总结
目前总共用到了四个中断向量,我觉得已经把G2553的所有定时器中断都用到了. 定时器有两个,TA0与TA1,每个定时器又有两个中断向量 1,CCR0到达时的中断,在计数模式时候很有用,平时定时器的基本 ...
- [Swift通天遁地]五、高级扩展-(5)获取互补色、渐变色、以及图片主题颜色
★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★➤微信公众号:山青咏芝(shanqingyongzhi)➤博客园地址:山青咏芝(https://www.cnblogs. ...
- [Swift通天遁地]九、拔剑吧-(11)创建强大的Pinterest风格的瀑布流界面
★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★★➤微信公众号:山青咏芝(shanqingyongzhi)➤博客园地址:山青咏芝(https://www.cnblogs. ...
- 多物体运动框架案例一:多个Div的宽度运动变化
多物体运动框架,鼠标移入Div,此Div逐渐变宽,鼠标移出后,此Div逐渐缩短恢复原长度. <!doctype html> <html> <head> <ti ...
- easyui datagrid 页面详细使用
//加载数据workflowName onloadmyCgxList: function (id) { if (id != null && id != "" ...