TLS Handshake
What is TLS Handshake?
TLS Handshake: The initial protocol exchange in Transport Layer Security that authenticates the server (and optionally the client) and derives the symmetric keys used to encrypt the rest of the session.
The TLS handshake negotiates the protocol version, cipher suite, server identity, and session keys before any application data is sent. In TLS 1.2 (RFC 5246) the handshake takes two round trips and uses ClientHello, ServerHello, Certificate, ServerKeyExchange, plus a Finished pair that confirms the negotiated transcript. TLS 1.3 (RFC 8446, 2018) collapses this to one round trip, encrypts everything after ServerHello, removes legacy primitives (RC4, CBC modes without AEAD, static RSA key exchange, compression), and supports 0-RTT resumption — fast but vulnerable to replay, so it should only carry idempotent requests.
Both modern versions mandate ephemeral (EC)DHE for forward secrecy and authenticate the server via an X.509 certificate validated up a trust chain. The handshake's transcript hash and Finished MAC are what historically broke downgrade and renegotiation attacks: POODLE (2014) forced victims down to SSL 3.0's CBC padding, FREAK and Logjam (2015) coerced export-grade RSA/DH, and BEAST exploited TLS 1.0 CBC IVs. TLS 1.3's downgrade-protection sentinel in the server random now signals tampering. Other failure modes that matter operationally include weak or deprecated cipher suites, expired or mis-issued certificates, missing OCSP stapling, and SNI/certificate mismatches on shared infrastructure.
sequenceDiagram
    participant C as Client
    participant S as Server
    C->>S: ClientHello (versions, cipher suites, key share)
    S->>C: ServerHello (chosen suite, key share)
    S->>C: Certificate + CertificateVerify
    S->>C: Finished
    Note over C,S: Both derive symmetric keys via (EC)DHE
    C->>S: Finished
    C->>S: Encrypted application data
● Examples
- 01. A browser opens TLS 1.3 to https://example.com in one round trip, negotiating x25519 and AES-GCM.
- 02. An older client falls back to TLS 1.2 with ECDHE-RSA-AES256-GCM-SHA384 against the same server.
● Frequently asked questions
What is TLS Handshake?
The initial protocol exchange in Transport Layer Security that authenticates the server (and optionally the client) and derives the symmetric keys used to encrypt the rest of the session. It belongs to the Network Security category of cybersecurity.
How do you defend against TLS Handshake?
Defences for TLS Handshake typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for TLS Handshake?
Common alternative names include: TLS handshake protocol.