← Back

2026

SSL/TLS: The Protocol Behind Secure Connections

TLS secures most of the internet's traffic and nearly every protocol you interact with daily. Here is how the handshake works, what the certificate chain is actually checking and why the TLS version a server advertises still matters.

Most of what makes the internet feel safe happens in a negotiation you never see. The padlock in your browser is the visible symbol. Underneath it sits TLS, a protocol that has been designed, attacked, patched and eventually rewritten across three decades of network security research. Knowing what it actually does, how the handshake works and why certain versions got retired tells you something practical about every secure connection your code makes.

TLS is not just for HTTPS. It secures email submission over SMTP, database connections from application servers, API calls between microservices and certificate validation traffic. The same handshake, the same certificate chain, the same session key derivation. Learning it once covers a wide surface.

From SSL to TLS

SSL was created by Netscape in the mid-1990s to address a specific problem: HTTP traffic crossed the network as plain text. Anyone positioned between a browser and a server could read every request without any special equipment. SSL wrapped that traffic in encryption. The first public version shipped in 1995.

The Internet Engineering Task Force took over development and released TLS 1.0 in 1999. The name changed but the protocol was close enough to SSL 3.0 that the two names are still used interchangeably in casual conversation. The underlying differences between SSL and modern TLS are substantial. Two decades of cryptographic research produced a completely different algorithm set, a redesigned handshake and a much smaller attack surface. SSL 2.0 is now banned by RFC. SSL 3.0 is prohibited. TLS 1.0 and 1.1 were retired by every major browser in 2020.

SSL 2.0

1995

broken

Netscape's first public release. It contained fundamental design flaws that let attackers downgrade connections to weaker encryption. Banned by RFC 6176 in 2011.

SSL 3.0

1996

broken

A full redesign that was widely deployed for nearly two decades. The POODLE attack in 2014 showed the protocol was exploitable regardless of cipher strength. RFC 7568 prohibited its use in 2015.

TLS 1.0

1999

deprecated

Technically SSL 3.1 under a new name. It made enough changes to be incompatible with SSL 3.0 but retained structural similarities. Major browsers deprecated it in 2020 after the BEAST vulnerability proved persistent.

TLS 1.1

2006

deprecated

Added protections against certain cipher block chaining attacks. It never dominated on its own because TLS 1.2 followed two years later with broader improvements. Deprecated alongside TLS 1.0 in 2020.

TLS 1.2

2008

supported

Removed reliance on MD5 and SHA-1, introduced authenticated encryption modes and gave servers more flexibility in algorithm selection. Still widely deployed because much existing infrastructure depends on it.

TLS 1.3

2018

recommended

A near-complete redesign. All broken algorithms from previous decades were removed. The handshake was reduced to a single round trip. Forward secrecy became a requirement rather than an option. Modern servers should default to this version.

What TLS actually guarantees

TLS provides three distinct security properties at once. Each one addresses a separate category of threat. Understanding which threat each property counters makes it easier to reason about what TLS protects against and what falls outside its scope entirely.

Confidentiality

Traffic is encrypted. An attacker who captures packets in transit sees ciphertext. Reversing it without the session key is computationally infeasible with current algorithms and key sizes.

Authentication

The server proves its identity using a certificate signed by a trusted Certificate Authority. The client verifies that signature before trusting the connection. Without this, encrypting traffic to the wrong destination would be pointless.

Integrity

Every TLS record includes a message authentication code. Any modification to the ciphertext in transit produces an invalid code. The receiving side detects tampering immediately and closes the connection.

Worth noting

TLS authenticates the server to the client by default. Mutual TLS adds client authentication as well, requiring the client to present its own certificate. This is common in service-to-service communication inside private infrastructure where both sides need to prove their identity before exchanging data.

Two kinds of encryption

TLS uses asymmetric cryptography during the handshake and symmetric cryptography for the actual data. Each serves a different purpose. The distinction explains why the handshake exists at all rather than just encrypting everything with a single key from the start.

Asymmetric (handshake)

Public key: known to everyone

Private key: server keeps this secret

Data encrypted with the public key can only be decrypted with the private key.

No prior shared secret needed. Used to establish one.

Symmetric (data)

Session key: derived by both sides, never transmitted

The same key encrypts and decrypts.

Orders of magnitude faster than asymmetric. Used for all application data.

Asymmetric cryptography is computationally expensive. Using it to encrypt every byte of a file download would be painfully slow. TLS uses it for a narrow purpose: establishing a shared secret that neither side ever sends across the wire. Both sides independently derive the same symmetric session key from that shared secret. All subsequent data travels under AES with that key.

Modern TLS uses Elliptic Curve Diffie-Hellman for the key exchange rather than RSA directly. ECDH achieves the same result with much shorter keys. The ephemeral variant, ECDHE, generates a fresh key pair for every session. A future compromise of the server's long-term private key cannot be used to decrypt past traffic. This property is called forward secrecy.

The TLS 1.3 handshake

TLS 1.3 reduced the handshake to a single round trip. In TLS 1.2, the client had to wait for the server to announce its supported algorithms before it could send key material. TLS 1.3 collapses that exchange by having the client include key shares upfront for the algorithms it expects the server to pick.

1

ClientHello

Client → Server

The client sends a list of cipher suites it supports along with key share data for the algorithms it expects the server to select. Including key material upfront means the server can start deriving session keys without waiting for another round trip.

2

ServerHello + Certificate + Finished

Server → Client

The server responds in a single flight. It confirms the chosen cipher suite, contributes its own key share, presents its certificate and sends a Finished message. Everything after the ServerHello is already encrypted with keys derived from the exchanged key shares.

3

Client Finished

Client → Server

The client verifies the server certificate, derives the same session keys using the exchanged key shares and sends its own Finished message. Application data can follow immediately in the same flight.

The full handshake completes in one round trip. Compared to TLS 1.2 which required two, this is a measurable improvement on any connection with noticeable latency. TLS 1.3 also supports 0-RTT resumption for returning connections, where the client can send application data before the handshake completes. This comes with replay attack trade-offs that make it unsuitable for requests with side effects.

Reading a cipher suite

A cipher suite is a named combination of algorithms that TLS uses for a session. The name reads like a formula. Each field identifies one component of the cryptographic system. Most developers never need to configure cipher suites directly, but knowing what each part means is useful when reading server configuration documentation.

TLS 1.2 cipher suite example

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS

Identifies the protocol. In all current cipher suite names this field is always TLS.

ECDHE

The key exchange algorithm. Elliptic Curve Diffie-Hellman Ephemeral generates a fresh key pair for every session. That ephemeral quality is what enables forward secrecy: compromising the server's long-term private key does not expose past sessions.

RSA

The authentication algorithm. Used to verify the server's certificate during the handshake. In TLS 1.3 cipher suites this field is absent because authentication is handled separately from the cipher suite itself.

AES_256_GCM

The bulk encryption cipher. AES-256 in Galois/Counter Mode encrypts the application data flowing through the tunnel. GCM provides both encryption and message integrity checking in a single operation.

SHA384

The hash function feeding the HMAC that protects message integrity. Also used in the key derivation function that generates session keys from the exchanged key material.

TLS 1.3 cipher suites are shorter because authentication was separated from the cipher suite definition entirely. A TLS 1.3 suite looks like TLS_AES_256_GCM_SHA384. There is no key exchange field and no authentication field. Both are determined by other parts of the handshake. The suite only describes the bulk cipher and the hash function.

The certificate chain

TLS authentication depends on certificates. A certificate binds a public key to a domain name and carries a digital signature from a Certificate Authority. The client verifies that signature using the CA's public key, which comes pre-installed in its trust store.

Most production certificates are not signed directly by a root CA. They are signed by an intermediate CA, which is itself signed by the root. This creates a chain. The server presents its certificate along with any intermediates needed to build the path back to a trusted root. If any link is missing the validation fails.

Certificate chain

Root CA certificate

↓ signs

Intermediate CA certificate

↓ signs

Server certificate (for example.com)

↓ presented during TLS handshake

Browser trusts root CA → chain validates → connection proceeds

Root CA certificates are distributed with operating systems and browsers. They are rotated rarely because replacing a trusted root across all devices takes years. Intermediate CAs carry the operational load instead. If an intermediate is compromised, it can be revoked without touching the root. The intermediate takes the hit.

Certificate validation checks

Domain matchThe Common Name or a Subject Alternative Name must match the hostname in the URL.
Validity periodThe current date must fall within the Not Before and Not After fields on the certificate.
Chain of trustEach certificate in the chain must be signed by the next authority up until a trusted root is reached.
RevocationThe certificate must not appear in a Certificate Revocation List or be flagged as revoked in an OCSP response.

Inspecting TLS from the command line

The openssl command line tool can open a TLS connection to any server and print the certificate it presents along with which protocol version and cipher suite were negotiated. It is useful when debugging certificate issues in environments where you cannot open a browser.

Connect and inspect the certificate chain

$ openssl s_client -connect example.com:443 -servername example.com

CONNECTED(00000003)

depth=2 C=US, O=DigiCert Inc, CN=DigiCert Global Root CA

depth=1 C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1

depth=0 CN=example.com

SSL-Session:

Protocol : TLSv1.3

Cipher : TLS_AES_256_GCM_SHA384

The depth numbers show the chain. Depth 2 is the root CA. Depth 1 is an intermediate. Depth 0 is the server's own certificate. The SSL-Session block shows what was actually negotiated. If the server is presenting the wrong certificate, refusing connections on a particular TLS version or returning an incomplete chain, this output will show it.

Check the expiry dates quickly

$ openssl s_client -connect example.com:443 2>/dev/null \ | openssl x509 -noout -dates

notBefore=Mar 15 00:00:00 2025 GMT

notAfter=Apr 14 23:59:59 2026 GMT

This is faster than opening a browser and clicking through the certificate details. It works on any host you can reach over TCP, including internal services behind a VPN where no browser is in the path.

Common failure points

TLS errors tend to surface as a browser warning without much explanation of what actually went wrong. Most of them trace back to one of a small set of causes, each of which points to a specific part of the certificate lifecycle.

Expired certificate

Certificates carry a hard expiry date. When it passes, browsers refuse the connection without giving the user an option to proceed. Let's Encrypt certificates expire after 90 days by design, pushing operators toward automated renewal. A production service going down because of a certificate expiry is entirely preventable with a renewal process in place.

Hostname mismatch

The certificate is valid but covers a different domain. A certificate for www.example.com does not protect api.example.com. Wildcard certificates cover one level of subdomain depth: *.example.com matches sub.example.com but not deeper.sub.example.com. Subject Alternative Names let a single certificate cover multiple distinct domains explicitly.

Untrusted Certificate Authority

The certificate was signed by an authority that is not in the client's trust store. This is routine in development environments using self-signed certificates. It also appears when an organisation runs an internal CA that has not been distributed to all client machines. The certificate itself may be technically valid in every other respect.

Protocol downgrade

A server configured to accept old protocol versions exposes users to downgrade attacks. An attacker positioned to intercept traffic can interfere with the handshake negotiation and push both sides toward an older version with known weaknesses. Disabling TLS 1.0 and TLS 1.1 at the server level removes that surface entirely.

Mixed content

An HTTPS page requests a resource over HTTP. Browsers block this by default because the insecure resource undermines the security properties of the page. Common when migrating from HTTP to HTTPS with image tags still pointing at HTTP URLs. The browser console identifies the offending resources by URL.

Why the version matters

TLS 1.3 is not just a security improvement over 1.2. It removed years of legacy complexity that had accumulated as each new attack required another workaround rather than a clean redesign. The result is a protocol with fewer moving parts to configure wrongly, a shorter handshake and no reliance on algorithms that cryptographers stopped recommending a decade ago.

Old TLS versions are not just weaker in an abstract sense. They are actively exploitable in specific network positions. A server that advertises TLS 1.0 support is offering attackers a path to vulnerabilities that have been documented for years. Disabling old versions is not optional hygiene. It is the minimum baseline.

Most of this is invisible in day-to-day development. The library your application uses handles TLS automatically. But when a connection fails with a certificate error in production at an inconvenient hour, knowing what each part of the chain is checking is the difference between a two-minute fix and an hour of reading error messages without understanding what they are pointing at.