The TLS handshake described here (TLS 1.2 with RSA key exchange) is a four-step, fairly involved process. It takes place after the TCP three-way handshake and assumes TCP is used at the Transport Layer, so the TCP connection already exists before the first TLS record is sent.
Client                                      Server

ClientHello              -------->
  Protocol version
  Cipher Suites
                                            ServerHello
                                              Protocol version
                                              Cipher Suites
                                            Certificate
                         <--------          ServerHelloDone

ClientKeyExchange
  (Pre-master secret)
ChangeCipherSpec
Finished                 -------->
                                            ChangeCipherSpec
                         <--------          Finished
- After the final ACK of the TCP handshake, the client opens the TLS handshake with a ClientHello message. It carries the highest TLS protocol version the client supports, the list of Cipher Suites the client is able to use (in the client's order of preference) and a 32-byte client random that later feeds the key derivation.
- The server receives the ClientHello and responds with a ServerHello, which fixes the protocol version and the single Cipher Suite that will be used (the server chooses, the client only offers) and carries the server's own 32-byte random. It also sends its certificate chain in a Certificate message (including the server's public key) and a ServerHelloDone to indicate the end of its part of this step. The client must validate that chain against its trust store and check that the certificate matches the hostname it intended to reach; if it skips that check, the next step encrypts the pre-master secret to whoever presented a certificate, including an on-path attacker.
- The client receives the ServerHelloDone marker and initiates the key exchange. It generates a fresh 48-byte pre-master secret, encrypts it with the server's public key and sends the ciphertext in the ClientKeyExchange message. Both sides then derive the same master secret from the pre-master secret and the two randoms, and from that the symmetric session keys. The client then sends a ChangeCipherSpec (a one-byte record of its own type, not a handshake message) to signal that everything it sends from now on is protected with the new keys, followed by a Finished message, the first record sent under those keys, which carries a MAC over the entire handshake transcript as the client saw it.
- The server sends the same two messages, ChangeCipherSpec and Finished, to acknowledge. Each side verifies the other's Finished against its own view of the transcript; a mismatch aborts the handshake, which is what stops an attacker from silently altering the Hello messages (for example, stripping strong Cipher Suites from the client's offer).
After the four steps, the client and server can finally begin to communicate securely using the symmetric keys. Note that this is the TLS 1.2 flow with plain RSA key exchange: with the (EC)DHE suites that are preferred today, the server adds a signed ServerKeyExchange and the ClientKeyExchange carries the client's Diffie-Hellman share instead of an encrypted pre-master secret, which gives forward secrecy, and TLS 1.3 removed RSA key exchange and ChangeCipherSpec altogether and completes in a single round trip.
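The exchange described above, carried through as an added example that is not part of the original page: both sides are simulated in plain Python using only the standard library, with the TLS 1.2 PRF, master secret, key block and Finished verify_data computed exactly as RFC 5246 specifies. The RSA encryption of the pre-master secret in ClientKeyExchange is not implemented (the standard library has no RSA), so the simulation hands the pre-master secret to the server where the ciphertext would travel, and the message encodings are simplified stand-ins rather than wire format. The `strip_gcm_suite` switch is a constructed scenario in which an on-path attacker removes the GCM suite from the ClientHello the server sees: both sides still derive identical keys, but the Finished check fails, which is the point of that message.

```python
"""Simulated TLS 1.2 handshake (RSA key exchange): key schedule and Finished.

Added example, not code from the original page. RSA encryption of the
pre-master secret is NOT implemented; message encodings are simplified.
"""
import hashlib
import hmac
import os

TLS12 = b"\x03\x03"
TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C  # real cipher suite identifiers
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: HMAC chained over A(i) values."""
    out, a = b"", seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


# Simplified handshake message encodings (constructed for the simulation).
def client_hello(client_random: bytes, suites) -> bytes:
    return b"\x01" + TLS12 + client_random + b"".join(s.to_bytes(2, "big") for s in suites)


def server_hello(server_random: bytes, suite: int) -> bytes:
    return b"\x02" + TLS12 + server_random + suite.to_bytes(2, "big")


def certificate(pubkey_stand_in: bytes) -> bytes:
    return b"\x0b" + pubkey_stand_in


SERVER_HELLO_DONE = b"\x0e"


def client_key_exchange(encrypted_pre_master: bytes) -> bytes:
    return b"\x10" + encrypted_pre_master


def derive_keys(pre_master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """master secret and key block exactly as RFC 5246 sections 8.1 and 6.3."""
    master = prf(pre_master, b"master secret", client_random + server_random, 48)
    # Key block layout for AES-128-GCM: two 16-byte write keys, two 4-byte implicit IVs.
    kb = prf(master, b"key expansion", server_random + client_random, 40)
    return {"master": master,
            "client_write_key": kb[0:16], "server_write_key": kb[16:32],
            "client_write_iv": kb[32:36], "server_write_iv": kb[36:40]}


def finished_verify_data(master: bytes, label: bytes, transcript: bytes) -> bytes:
    """verify_data = PRF(master, finished_label, Hash(handshake_messages))[:12]."""
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


def run_handshake(strip_gcm_suite: bool = False) -> dict:
    """Drive both sides of the four-step handshake and report what each side checks.
    Unlike a real server, this keeps going after a failed Finished so both checks
    can be inspected."""
    client_random, server_random = os.urandom(32), os.urandom(32)
    offered = (TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA)

    # Step 1: ClientHello. With strip_gcm_suite, an on-path attacker rewrites the
    # offered list before it reaches the server (constructed downgrade attempt).
    ch_sent = client_hello(client_random, offered)
    ch_seen = client_hello(client_random, offered[1:]) if strip_gcm_suite else ch_sent

    # Step 2: the server picks the first suite it supports from what it saw, then
    # sends ServerHello, Certificate and ServerHelloDone.
    seen_suites = [int.from_bytes(ch_seen[i:i + 2], "big") for i in range(35, len(ch_seen), 2)]
    suite = next(s for s in offered if s in seen_suites)
    server_flight = (server_hello(server_random, suite)
                     + certificate(b"<server RSA public key stand-in>")
                     + SERVER_HELLO_DONE)

    # Step 3: pre-master secret = client's TLS version + 46 random bytes. It would be
    # RSA-encrypted to the server's public key; the plaintext stands in for the ciphertext.
    pre_master = TLS12 + os.urandom(46)
    cke = client_key_exchange(pre_master)
    client_keys = derive_keys(pre_master, client_random, server_random)
    server_keys = derive_keys(pre_master, client_random, server_random)  # after RSA decrypt

    client_transcript = ch_sent + server_flight + cke
    server_transcript = ch_seen + server_flight + cke

    # ChangeCipherSpec is a separate record type and is not hashed into the transcript.
    # Finished is the first message under the new keys; the server recomputes it over
    # its own view of the handshake.
    client_fin = finished_verify_data(client_keys["master"], b"client finished", client_transcript)
    client_fin_ok = hmac.compare_digest(
        client_fin, finished_verify_data(server_keys["master"], b"client finished", server_transcript))

    # Step 4: the server's Finished also covers the client's Finished message.
    fin_msg = b"\x14" + client_fin
    server_fin = finished_verify_data(server_keys["master"], b"server finished", server_transcript + fin_msg)
    server_fin_ok = hmac.compare_digest(
        server_fin, finished_verify_data(client_keys["master"], b"server finished", client_transcript + fin_msg))

    return {"chosen_suite": suite, "keys_match": client_keys == server_keys,
            "client_finished_ok": client_fin_ok, "server_finished_ok": server_fin_ok}


if __name__ == "__main__":
    print("honest network:", run_handshake())
    print("stripped suite:", run_handshake(strip_gcm_suite=True))
```

The tampered run is the instructive one: the pre-master secret and both randoms are untouched, so `keys_match` stays true, yet `client_finished_ok` is false because the server hashes a different ClientHello than the client sent. Without the Finished exchange the downgrade would have gone unnoticed.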