TLS Handshake Explained
In a business context, handshakes typically occur when a supplier and a client meet and discuss a deal for the first time. Acknowledgements like this also happen on the internet.
When a client and a server come across each other, a TLS Handshake occurs, signifying the start of the validation process between the two parties, ending with the generation of a common key.
What is a TLS handshake protocol?
A TLS Handshake, previously called SSL Handshake, is a communication between two parties (client and server). It is responsible for the establishment or the resumption of secure sessions by the process of automation and key exchange.
Similar to the SSL that was the original encryption protocol used in HTTP, the Transport Layer Security (TLS) is also a cryptographic protocol that establishes a server-client secured connection. The TLS is the upgraded version of the SSL, more performant and secure. Modern browsers also do not support SSL anymore.
How TLS handshake works
During a TLS handshake, the client and the server exchange messages to acknowledge each other’s presence, verify the identity of the other party, and agree on the session keys.
To accomplish the goal of securing the connection, the two parties will do the following:
- Specify the TLS version to be used;
- Conduct a cipher suite negotiation to decide on which will be used. A cipher suite is a set of cryptographic algorithms used to generate keys and encryption which both the client and server will agree upon;
- Undergo authentication. The server will prove its identity to the client, and in some instances, the client also proves its identity to the server based on PKI; and
- Facilitate a key exchange to generate the session keys. Session keys are the temporary keys for symmetric encryption. They are generated during the TLS handshake.
TLS Handshake steps
The TLS handshake protocol involves the following:
- Client initiates the handshake by sending a “client hello” message to the server. The message includes the client’s random value, supported TLS version, and cipher suite.
- Server responds with a “server hello” message. The message includes the server’s random value, SSL certificate, chosen cipher suite, and sometimes, request of client’s certificate.
- The client authenticates the server’s SSL certificate and the Certificate Authority.
- The client sends the pre-master secret – a random string of bytes and encrypts it with the public key from the server's SSL certificate.
- Server decrypts the pre-master secret, and the two parties generate the session keys.
- Client sends a “client finished” message, encrypted with the session key.
- Server switches its record layer security state to symmetric encryption using the session keys and sends a "Server finished" message to the client.
- A secured channel is established, and all messages sent are encrypted using the session key.
What is a TLS handshake exception?
In some instances, the client and the server cannot agree on the desired level of security, therefore failing to establish secure communication using the TLS protocol. There are various causes for this error that will further be discussed below.
TLS handshake exceptions often cause the client to receive an HTTP status 503 with a message “service unavailable,” or “your connection isn’t private.” A 503 error means that there was a problem with the server. Some of its causes include website maintenance, error in the server’s code, or a surge in website traffic.
In SSL handshake failures, Error 525 (SSL Handshake Failed) is displayed, which indicates that the server and browser failed to establish a secure connection.
How to resolve TLS handshake exception or TLS handshake fail
Like SSL handshake exceptions, TLS handshake fails can occur due to server-side or client-side issues. This segment will discuss the common causes of TLS handshake failures and how to resolve them.
Client-side errors:
- Browser error. Browser settings or plug-ins within the browser can cause errors when visiting legitimate servers. A simple solution to this problem would be changing the browser. If TLS still fails after switching browsers, check the plug-ins installed. Remove these plug-ins and restore the browser settings to default.
- Middleman errors. Network firewalls or other programs and devices can potentially cause handshake fails due to blocked connections. In these instances, check the devices or programs and adjust the settings.
Server-side errors:
- Protocol mismatch. In instances where the protocol is not supported by the server, it is recommended to upgrade to the new version than going back to the old version. For instance, when the client has TLS 1.1 and the server supports 1.2, the client is recommended to upgrade to 1.2.
- Encryption mismatch. An error will occur when the encryption of the client is not supported by the server. To solve this, clients or servers are recommended to upgrade. Additionally, organizations must support different encryption standards.
- Certificate error. When certificates are non-authenticated or illegal, TLS handshakes will fail. To resolve this, the server must check their domain, certificate expiration, certificate authority legitimacy, and other details.
TLS handshakes ensure the security of both the client and server, protecting your organization from cyberattacks. GlobalSign offers trusted TLS certificates that have the strongest encryption and value-add features to ensure your website is protected.