Beginner Cryptography

TLS/SSL: Handshake, Certificates, and Attacks

TLS (Transport Layer Security) is the protocol that protects communication between client and server on the internet. SSL is its obsolete predecessor — today only TLS is used, but the name “SSL” is still used informally.

Versions and What to Use

Version    Status            Recommendation
SSL 2.0    Broken            Disable
SSL 3.0    Broken            Disable
TLS 1.0    Obsolete          Disable
TLS 1.1    Obsolete          Disable
TLS 1.2    Acceptable        Keep with care
TLS 1.3    Current, secure   Use

The TLS 1.3 Handshake

Client                                        Server
  |                                              |
  |-- ClientHello (versions, cipher suites,      |
  |      ephemeral ECDH key share) ------------->|
  |                                              |
  |<-- ServerHello (chosen suite,                |
  |      ephemeral ECDH key share) --------------|
  |<-- {Certificate, CertificateVerify,          |
  |      Finished}  (already encrypted) ---------|
  |                                              |
  |   (client validates the certificate and      |
  |    derives the same session keys)            |
  |                                              |
  |-- {Finished} ------------------------------->|
  |                                              |
  |=== Encrypted application data (AES-GCM) =====|

TLS 1.3 uses ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) for key exchange, ensuring Perfect Forward Secrecy — even if the server’s private key leaks in the future, past sessions remain secure.
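To make the forward-secrecy argument concrete, here is an added example (not code from the original page) that simulates one session's ephemeral key exchange and key derivation. It uses toy finite-field Diffie-Hellman with a 127-bit prime and a hand-written HKDF so that it runs with the standard library only; real TLS uses X25519 or P-256 and much larger groups, so these parameters are an illustration, not something to deploy.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (constructed for illustration only): the Mersenne prime
# 2^127 - 1 with generator 2. Far too small for real use; TLS uses X25519/P-256.
P = (1 << 127) - 1
G = 2


def keygen() -> tuple[int, int]:
    """Fresh ephemeral key pair: a random private exponent and its public value g^priv mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv: int, peer_pub: int) -> bytes:
    """(peer_pub)^priv mod p, identical on both sides, serialised as 16 bytes (P < 2^127)."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Minimal HKDF (RFC 5869) extract-then-expand, as TLS 1.3's key schedule builds on."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_traffic_key(secret: bytes, transcript_hash: bytes) -> bytes:
    """Bind the traffic key to the handshake transcript, as TLS 1.3 does with its labels."""
    return hkdf_sha256(secret, transcript_hash, b"demo tls13 traffic key")


def session_keys(transcript: bytes = b"ClientHello|ServerHello") -> tuple[bytes, bytes]:
    """Run one handshake's key exchange and return (client_key, server_key).

    Only the ephemeral private exponents ever enter the computation. The server's
    long-term certificate key would sign the transcript (CertificateVerify) to
    authenticate it, but the traffic key does not depend on it, so leaking that
    long-term key later cannot reveal this session's key.
    """
    c_priv, c_pub = keygen()   # client's ephemeral pair, sent in the ClientHello key_share
    s_priv, s_pub = keygen()   # server's ephemeral pair, sent in the ServerHello key_share
    transcript_hash = hashlib.sha256(transcript).digest()
    client_key = derive_traffic_key(shared_secret(c_priv, s_pub), transcript_hash)
    server_key = derive_traffic_key(shared_secret(s_priv, c_pub), transcript_hash)
    # Ephemeral secrets are discarded once the keys exist; nothing durable can recompute them.
    del c_priv, s_priv
    return client_key, server_key


if __name__ == "__main__":
    ck, sk = session_keys()
    print("keys agree:", ck == sk, "| session key:", ck.hex())
    print("next session differs:", session_keys()[0] != ck)
```

Running it twice shows the property the paragraph describes: both sides agree on the key within a session, and every session gets an unrelated key because the exponents are generated fresh and thrown away.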

Inspecting a Server’s TLS

# Check version and cipher suite in use
openssl s_client -connect example.com:443 -tls1_3

# List support for older versions
nmap --script ssl-enum-ciphers -p 443 example.com

Known Attacks

BEAST (Browser Exploit Against SSL/TLS)

Affects TLS 1.0 with CBC mode. The attacker exploits IV predictability to decrypt bytes of the message.

Mitigation: disable TLS 1.0. Use TLS 1.2+ with AES-GCM.

POODLE (Padding Oracle On Downgraded Legacy Encryption)

Affects SSL 3.0. Exploits the padding scheme to decrypt encrypted traffic.

Mitigation: disable SSL 3.0 entirely. In Nginx:

ssl_protocols TLSv1.2 TLSv1.3;

Downgrade Attack

The attacker forces client and server to negotiate a weaker TLS version, one in which known vulnerabilities exist.

Mitigation: use the Strict-Transport-Security (HSTS) header and enforce a minimum TLS version on the server. HSTS stops the browser from being pushed back to plain HTTP; the server-side minimum version stops negotiation of an obsolete TLS version.

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

Certificate in the Handshake

The server presents its X.509 certificate. The client verifies:

  1. Signature from a trusted CA.
  2. Validity date.
  3. Domain name match (CN or SAN).

If any check fails, the browser shows an insecure connection warning.