2026
SSL/TLS: The Protocol Behind Secure Connections
TLS secures most of the internet's traffic and nearly every protocol you interact with daily. Here is how the handshake works, what the certificate chain is actually checking and why the TLS version a server advertises still matters.
Most of what makes the internet feel safe happens in a negotiation you never see. The padlock in your browser is the visible symbol. Underneath it sits TLS, a protocol that has been designed, attacked, patched and eventually rewritten across three decades of network security research. Knowing what it actually does, how the handshake works and why certain versions got retired tells you something practical about every secure connection your code makes.
TLS is not just for HTTPS. It secures email submission over SMTP, database connections from application servers, API calls between microservices and certificate validation traffic. The same handshake, the same certificate chain, the same session key derivation. Learning it once covers a wide surface.
From SSL to TLS
SSL was created by Netscape in the mid-1990s to address a specific problem: HTTP traffic crossed the network as plain text. Anyone positioned between a browser and a server could read every request without any special equipment. SSL wrapped that traffic in encryption. The first public version shipped in 1995.
The Internet Engineering Task Force took over development and released TLS 1.0 in 1999. The name changed but the protocol was close enough to SSL 3.0 that the two names are still used interchangeably in casual conversation. The underlying differences between SSL and modern TLS are substantial. Two decades of cryptographic research produced a completely different algorithm set, a redesigned handshake and a much smaller attack surface. SSL 2.0 is now banned by RFC. SSL 3.0 is prohibited. TLS 1.0 and 1.1 were retired by every major browser in 2020.
SSL 2.0
1995
brokenNetscape's first public release. It contained fundamental design flaws that let attackers downgrade connections to weaker encryption. Banned by RFC 6176 in 2011.
SSL 3.0
1996
brokenA full redesign that was widely deployed for nearly two decades. The POODLE attack in 2014 showed the protocol was exploitable regardless of cipher strength. RFC 7568 prohibited its use in 2015.
TLS 1.0
1999
deprecatedTechnically SSL 3.1 under a new name. It made enough changes to be incompatible with SSL 3.0 but retained structural similarities. Major browsers deprecated it in 2020 after the BEAST vulnerability proved persistent.
TLS 1.1
2006
deprecatedAdded protections against certain cipher block chaining attacks. It never dominated on its own because TLS 1.2 followed two years later with broader improvements. Deprecated alongside TLS 1.0 in 2020.
TLS 1.2
2008
supportedRemoved reliance on MD5 and SHA-1, introduced authenticated encryption modes and gave servers more flexibility in algorithm selection. Still widely deployed because much existing infrastructure depends on it.
TLS 1.3
2018
recommendedA near-complete redesign. All broken algorithms from previous decades were removed. The handshake was reduced to a single round trip. Forward secrecy became a requirement rather than an option. Modern servers should default to this version.
What TLS actually guarantees
TLS provides three distinct security properties at once. Each one addresses a separate category of threat. Understanding which threat each property counters makes it easier to reason about what TLS protects against and what falls outside its scope entirely.
Confidentiality
Traffic is encrypted. An attacker who captures packets in transit sees ciphertext. Reversing it without the session key is computationally infeasible with current algorithms and key sizes.
Authentication
The server proves its identity using a certificate signed by a trusted Certificate Authority. The client verifies that signature before trusting the connection. Without this, encrypting traffic to the wrong destination would be pointless.
Integrity
Every TLS record includes a message authentication code. Any modification to the ciphertext in transit produces an invalid code. The receiving side detects tampering immediately and closes the connection.
Worth noting
TLS authenticates the server to the client by default. Mutual TLS adds client authentication as well, requiring the client to present its own certificate. This is common in service-to-service communication inside private infrastructure where both sides need to prove their identity before exchanging data.
Two kinds of encryption
TLS uses asymmetric cryptography during the handshake and symmetric cryptography for the actual data. Each serves a different purpose. The distinction explains why the handshake exists at all rather than just encrypting everything with a single key from the start.
Asymmetric (handshake)
Public key: known to everyone
Private key: server keeps this secret
Data encrypted with the public key can only be decrypted with the private key.
No prior shared secret needed. Used to establish one.
Symmetric (data)
Session key: derived by both sides, never transmitted
The same key encrypts and decrypts.
Orders of magnitude faster than asymmetric. Used for all application data.
Asymmetric cryptography is computationally expensive. Using it to encrypt every byte of a file download would be painfully slow. TLS uses it for a narrow purpose: establishing a shared secret that neither side ever sends across the wire. Both sides independently derive the same symmetric session key from that shared secret. All subsequent data travels under AES with that key.
Modern TLS uses Elliptic Curve Diffie-Hellman for the key exchange rather than RSA directly. ECDH achieves the same result with much shorter keys. The ephemeral variant, ECDHE, generates a fresh key pair for every session. A future compromise of the server's long-term private key cannot be used to decrypt past traffic. This property is called forward secrecy.
The TLS 1.3 handshake
TLS 1.3 reduced the handshake to a single round trip. In TLS 1.2, the client had to wait for the server to announce its supported algorithms before it could send key material. TLS 1.3 collapses that exchange by having the client include key shares upfront for the algorithms it expects the server to pick.
ClientHello
Client → Server
The client sends a list of cipher suites it supports along with key share data for the algorithms it expects the server to select. Including key material upfront means the server can start deriving session keys without waiting for another round trip.
ServerHello + Certificate + Finished
Server → Client
The server responds in a single flight. It confirms the chosen cipher suite, contributes its own key share, presents its certificate and sends a Finished message. Everything after the ServerHello is already encrypted with keys derived from the exchanged key shares.
Client Finished
Client → Server
The client verifies the server certificate, derives the same session keys using the exchanged key shares and sends its own Finished message. Application data can follow immediately in the same flight.
The full handshake completes in one round trip. Compared to TLS 1.2 which required two, this is a measurable improvement on any connection with noticeable latency. TLS 1.3 also supports 0-RTT resumption for returning connections, where the client can send application data before the handshake completes. This comes with replay attack trade-offs that make it unsuitable for requests with side effects.
Reading a cipher suite
A cipher suite is a named combination of algorithms that TLS uses for a session. The name reads like a formula. Each field identifies one component of the cryptographic system. Most developers never need to configure cipher suites directly, but knowing what each part means is useful when reading server configuration documentation.
TLS 1.2 cipher suite example
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLSIdentifies the protocol. In all current cipher suite names this field is always TLS.
ECDHEThe key exchange algorithm. Elliptic Curve Diffie-Hellman Ephemeral generates a fresh key pair for every session. That ephemeral quality is what enables forward secrecy: compromising the server's long-term private key does not expose past sessions.
RSAThe authentication algorithm. Used to verify the server's certificate during the handshake. In TLS 1.3 cipher suites this field is absent because authentication is handled separately from the cipher suite itself.
AES_256_GCMThe bulk encryption cipher. AES-256 in Galois/Counter Mode encrypts the application data flowing through the tunnel. GCM provides both encryption and message integrity checking in a single operation.
SHA384The hash function feeding the HMAC that protects message integrity. Also used in the key derivation function that generates session keys from the exchanged key material.
TLS 1.3 cipher suites are shorter because authentication was separated from the cipher suite definition entirely. A TLS 1.3 suite looks like TLS_AES_256_GCM_SHA384. There is no key exchange field and no authentication field. Both are determined by other parts of the handshake. The suite only describes the bulk cipher and the hash function.
The certificate chain
TLS authentication depends on certificates. A certificate binds a public key to a domain name and carries a digital signature from a Certificate Authority. The client verifies that signature using the CA's public key, which comes pre-installed in its trust store.
Most production certificates are not signed directly by a root CA. They are signed by an intermediate CA, which is itself signed by the root. This creates a chain. The server presents its certificate along with any intermediates needed to build the path back to a trusted root. If any link is missing the validation fails.
Certificate chain
Root CA certificate
↓ signs
Intermediate CA certificate
↓ signs
Server certificate (for example.com)
↓ presented during TLS handshake
Browser trusts root CA → chain validates → connection proceeds
Root CA certificates are distributed with operating systems and browsers. They are rotated rarely because replacing a trusted root across all devices takes years. Intermediate CAs carry the operational load instead. If an intermediate is compromised, it can be revoked without touching the root. The intermediate takes the hit.
Certificate validation checks
Inspecting TLS from the command line
The openssl command line tool can open a TLS connection to any server and print the certificate it presents along with which protocol version and cipher suite were negotiated. It is useful when debugging certificate issues in environments where you cannot open a browser.
Connect and inspect the certificate chain
$ openssl s_client -connect example.com:443 -servername example.com
CONNECTED(00000003)
depth=2 C=US, O=DigiCert Inc, CN=DigiCert Global Root CA
depth=1 C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1
depth=0 CN=example.com
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
The depth numbers show the chain. Depth 2 is the root CA. Depth 1 is an intermediate. Depth 0 is the server's own certificate. The SSL-Session block shows what was actually negotiated. If the server is presenting the wrong certificate, refusing connections on a particular TLS version or returning an incomplete chain, this output will show it.
Check the expiry dates quickly
$ openssl s_client -connect example.com:443 2>/dev/null \ | openssl x509 -noout -dates
notBefore=Mar 15 00:00:00 2025 GMT
notAfter=Apr 14 23:59:59 2026 GMT
This is faster than opening a browser and clicking through the certificate details. It works on any host you can reach over TCP, including internal services behind a VPN where no browser is in the path.
Common failure points
TLS errors tend to surface as a browser warning without much explanation of what actually went wrong. Most of them trace back to one of a small set of causes, each of which points to a specific part of the certificate lifecycle.
Expired certificate
Certificates carry a hard expiry date. When it passes, browsers refuse the connection without giving the user an option to proceed. Let's Encrypt certificates expire after 90 days by design, pushing operators toward automated renewal. A production service going down because of a certificate expiry is entirely preventable with a renewal process in place.
Hostname mismatch
The certificate is valid but covers a different domain. A certificate for www.example.com does not protect api.example.com. Wildcard certificates cover one level of subdomain depth: *.example.com matches sub.example.com but not deeper.sub.example.com. Subject Alternative Names let a single certificate cover multiple distinct domains explicitly.
Untrusted Certificate Authority
The certificate was signed by an authority that is not in the client's trust store. This is routine in development environments using self-signed certificates. It also appears when an organisation runs an internal CA that has not been distributed to all client machines. The certificate itself may be technically valid in every other respect.
Protocol downgrade
A server configured to accept old protocol versions exposes users to downgrade attacks. An attacker positioned to intercept traffic can interfere with the handshake negotiation and push both sides toward an older version with known weaknesses. Disabling TLS 1.0 and TLS 1.1 at the server level removes that surface entirely.
Mixed content
An HTTPS page requests a resource over HTTP. Browsers block this by default because the insecure resource undermines the security properties of the page. Common when migrating from HTTP to HTTPS with image tags still pointing at HTTP URLs. The browser console identifies the offending resources by URL.
Why the version matters
TLS 1.3 is not just a security improvement over 1.2. It removed years of legacy complexity that had accumulated as each new attack required another workaround rather than a clean redesign. The result is a protocol with fewer moving parts to configure wrongly, a shorter handshake and no reliance on algorithms that cryptographers stopped recommending a decade ago.
Old TLS versions are not just weaker in an abstract sense. They are actively exploitable in specific network positions. A server that advertises TLS 1.0 support is offering attackers a path to vulnerabilities that have been documented for years. Disabling old versions is not optional hygiene. It is the minimum baseline.
Most of this is invisible in day-to-day development. The library your application uses handles TLS automatically. But when a connection fails with a certificate error in production at an inconvenient hour, knowing what each part of the chain is checking is the difference between a two-minute fix and an hour of reading error messages without understanding what they are pointing at.