Transport Layer Security 1

Transport Layer Security

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols
that provide security for communications over networks such as the Internet. TLS and SSL encrypt the segments of
network connections at the Application Layer to ensure secure end-to-end transit at the Transport Layer. TLS is also
the name of a working group of the Internet Engineering Task Force,[1] but in this article TLS refers to the protocol,
not the working group.
Several versions of the protocols are in widespread use in applications like web browsing, electronic mail, Internet
faxing, instant messaging and voice-over-IP (VoIP).
TLS is an IETF standards track protocol, last updated in RFC 5246, that was based on the earlier SSL specifications
developed by Netscape Corporation.[2]

Description
The TLS protocol allows client/server applications to communicate across a network in a way designed to prevent
eavesdropping and tampering. TLS provides endpoint authentication and communications confidentiality over the
Internet using cryptography. TLS provides RSA security with 1024 and 2048 bit strengths.
In typical end-user/browser usage, TLS authentication is unilateral: only the server is authenticated (the client
knows the server's identity), but not vice versa (the client remains unauthenticated or anonymous).
TLS also supports the more secure bilateral connection mode (typically used in enterprise applications), in which
both ends of the "conversation" can be assured with whom they are communicating (provided they diligently
scrutinize the identity information in the other party's certificate). This is known as mutual authentication, or 2SSL.
Mutual authentication requires that the TLS client-side also hold a certificate (which is not usually the case in the
end-user/browser scenario). Unless, that is, TLS-PSK, the Secure Remote Password (SRP) protocol, or some other
protocol is used that can provide strong mutual authentication in the absence of certificates.
Typically, the key information and certificates necessary for TLS are handled in the form of X.509 certificates,
which define required fields and data formats.
SSL operates in modular fashion. It is extensible by design, with support for forward and backward compatibility
and negotiation between peers.

Cipher suite
When a TLS or SSL connection is established, the client and server negotiate a CipherSuite, exchanging
CipherSuite codes in the client hello and server hello messages, which specifies a combination of cryptographic
algorithms to be used for the connection and establishes technical politeness between client and server, a necessary
component of all interactive server deployments.
The key exchange and authentication algorithms are typically public key algorithms, or as in TLS-PSK preshared
keys could be used. The message authentication codes are made up from cryptographic hash functions using the
HMAC construction for TLS, and a non-standard pseudorandom function for SSL.
Transport Layer Security 2

History and development

Secure Network Programming API

Early research efforts toward transport layer security included the Secure Network Programming (SNP)
application programming interface (API), which in 1993 explored the approach of having a secure transport layer
API closely resembling Berkeley sockets, to facilitate retrofitting preexisting network applications with security
measures.[3] The SNP project received the 2004 ACM Software System Award.[4]

SSL versions 1, 2, and 3

The SSL protocol was originally developed by Netscape. Version 1.0 was never publicly released; version 2.0 was
released in February 1995 but "contained a number of security flaws which ultimately led to the design of SSL
version 3.0". (Rescorla 2001) SSL version 3.0 was released in 1996.

TLS version 1.0

TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade to SSL Version 3.0. As stated in the RFC, "the
differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough that TLS 1.0 and
SSL 3.0 do not interoperate." TLS 1.0 does include a means by which a TLS implementation can downgrade the
connection to SSL 3.0.

TLS version 1.1

TLS 1.1 was defined in RFC 4346 in April 2006.[5] It is an update from TLS version 1.0. Significant differences in
this version include:
• Added protection against Cipher block chaining (CBC) attacks.
• The implicit Initialization Vector (IV) was replaced with an explicit IV.
• Change in handling of padding errors.
• Support for IANA registration of parameters.

TLS version 1.2

TLS 1.2 was defined in RFC 5246 in August 2008. It is based on the earlier TLS 1.1 specification. Major differences
include:
• The MD5/SHA-1 combination in the pseudorandom function (PRF) was replaced with SHA-256, with an option
to use cipher-suite specified PRFs.
• The MD5/SHA-1 combination in the Finished message hash was replaced with SHA-256, with an option to use
cipher-suite specific hash algorithms.
• The MD5/SHA-1 combination in the digitally-signed element was replaced with a single hash negotiated during
handshake, defaults to SHA-1.
• Enhancement in the client's and server's ability to specify which hash and signature algorithms they will accept.
• Expansion of support for authenticated encryption ciphers, used mainly for Galois/Counter Mode (GCM) and
CCM mode of AES encryption.
• TLS Extensions definition and Advanced Encryption Standard (AES) CipherSuites were added.
Transport Layer Security 3

Standards
The current approved version of TLS is version 1.2, which is specified in:
• RFC 5246: “The Transport Layer Security (TLS) Protocol Version 1.2”.
The current standard obsoletes these former versions:
• RFC 2246: “The TLS Protocol Version 1.0”.
• RFC 4346: “The Transport Layer Security (TLS) Protocol Version 1.1”.
Other RFCs subsequently extended TLS, including:
• RFC 2595: “Using TLS with IMAP, POP3 and ACAP”. Specifies an extension to the IMAP, POP3 and ACAP
services that allow the server and client to use transport-layer security to provide private, authenticated
communication over the Internet.
• RFC 2712: “Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)”. The 40-bit ciphersuites
defined in this memo appear only for the purpose of documenting the fact that those ciphersuite codes have
already been assigned.
• RFC 2817: “Upgrading to TLS Within HTTP/1.1”, explains how to use the Upgrade mechanism in HTTP/1.1 to
initiate Transport Layer Security (TLS) over an existing TCP connection. This allows unsecured and secured
HTTP traffic to share the same well known port (in this case, http: at 80 rather than https: at 443).
• RFC 2818: “HTTP Over TLS”, distinguishes secured traffic from insecure traffic by the use of a different 'server
port'.
• RFC 3207: “SMTP Service Extension for Secure SMTP over Transport Layer Security”. Specifies an extension to
the SMTP service that allows an SMTP server and client to use transport-layer security to provide private,
authenticated communication over the Internet.
• RFC 3268: “AES Ciphersuites for TLS”. Adds Advanced Encryption Standard (AES) ciphersuites to the
previously existing symmetric ciphers.
• RFC 3546: “Transport Layer Security (TLS) Extensions”, adds a mechanism for negotiating protocol extensions
during session initialisation and defines some extensions. Made obsolete by RFC 4366.
• RFC 3749: “Transport Layer Security Protocol Compression Methods”, specifies the framework for compression
methods and the DEFLATE compression method.
• RFC 3943: “Transport Layer Security (TLS) Protocol Compression Using Lempel-Ziv-Stac (LZS)”.
• RFC 4132: “Addition of Camellia Cipher Suites to Transport Layer Security (TLS)”.
• RFC 4162: “Addition of SEED Cipher Suites to Transport Layer Security (TLS)”.
• RFC 4217: “Securing FTP with TLS”.
• RFC 4279: “Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)”, adds three sets of new ciphersuites
for the TLS protocol to support authentication based on pre-shared keys.
• RFC 4347: “Datagram Transport Layer Security” specifies a TLS variant that works over datagram protocols
(such as UDP).
• RFC 4366: “Transport Layer Security (TLS) Extensions” describes both a set of specific extensions, and a generic
extension mechanism.
• RFC 4492: “Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)”.
• RFC 4507: “Transport Layer Security (TLS) Session Resumption without Server-Side State”.
• RFC 4680: “TLS Handshake Message for Supplemental Data”.
• RFC 4681: “TLS User Mapping Extension”.
• RFC 4785: “Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Transport Layer Security (TLS)”.
• RFC 5054: “Using the Secure Remote Password (SRP) Protocol for TLS Authentication”.
• RFC 5746: “Transport Layer Security (TLS) Renegotiation Indication Extension”.
Transport Layer Security 4

Applications
In applications design, TLS is usually implemented on top of any of the Transport Layer protocols, encapsulating the
application-specific protocols such as HTTP, FTP, SMTP, NNTP, and XMPP. Historically it has been used primarily
with reliable transport protocols such as the Transmission Control Protocol (TCP). However, it has also been
implemented with datagram-oriented transport protocols, such as the User Datagram Protocol (UDP) and the
Datagram Congestion Control Protocol (DCCP), usage which has been standardized independently using the term
Datagram Transport Layer Security (DTLS).
A prominent use of TLS is for securing World Wide Web traffic carried by HTTP to form HTTPS. Notable
applications are electronic commerce and asset management. Increasingly, the Simple Mail Transfer Protocol
(SMTP) is also protected by TLS (RFC 3207). These applications use public key certificates to verify the identity of
endpoints.
An increasing number of client and server products support TLS natively, but many still lack support. As an
alternative, users may wish to use standalone TLS products like Stunnel. Wrappers such as Stunnel rely on being
able to obtain a TLS connection immediately, by simply connecting to a separate port reserved for the purpose. For
example, by default the TCP port for HTTPS is 443, to distinguish it from HTTP on port 80.
TLS can also be used to tunnel an entire network stack to create a VPN, as is the case with OpenVPN. Many vendors
now marry TLS's encryption and authentication capabilities with authorization. There has also been substantial
development since the late 1990s in creating client technology outside of the browser to enable support for
client/server applications. When compared against traditional IPsec VPN technologies, TLS has some inherent
advantages in firewall and NAT traversal that make it easier to administer for large remote-access populations.
TLS is also a standard method to protect Session Initiation Protocol (SIP) application signaling. TLS can be used to
provide authentication and encryption of the SIP signaling associated with VoIP and other SIP-based applications.

Security
TLS/SSL have a variety of security measures:
• The client may use the certificate authority's (CA's) public key to validate the CA's digital signature of the server
certificate. If the digital signature can be verified, the client accepts the server certificate as a valid certificate
issued by a trusted CA.
• The client verifies that the issuing CA is on its list of trusted CAs.
• The client checks the server's certificate validity period. The authentication process stops if the current date and
time fall outside of the validity period.
• Protection against a downgrade of the protocol to a previous (less secure) version or a weaker cipher suite.
• Numbering all the Application records with a sequence number, and using this sequence number in the message
authentication codes (MACs).
• Using a message digest enhanced with a key (so only a key-holder can check the MAC). The HMAC construction
used by most TLS ciphersuites is specified in RFC 2104 (SSLv3 used a different hash-based MAC).
• The message that ends the handshake ("Finished") sends a hash of all the exchanged handshake messages seen by
both parties.
• The pseudorandom function splits the input data in half and processes each one with a different hashing algorithm
(MD5 and SHA-1), then XORs them together to create the MAC. This provides protection even if one of these
algorithms is found to be vulnerable. TLS only.
• SSL v3 improved upon SSL v2 by adding SHA-1 based ciphers, and support for certificate authentication.
Additional improvements in SSL v3 include better handshake protocol flow and increased resistance to
man-in-the-middle attacks.
Transport Layer Security 5

A vulnerability of the renegotiation procedure was discovered in August 2009 that can lead to plaintext injection
attacks against SSLv3 and all current versions of TLS. For example, it allows an attacker who can hijack an https
connection to splice their own requests into the beginning of the conversation the client has with the web server. The
attacker can't actually decrypt the client-server communication, so it is different from a typical man-in-the-middle
attack. A short-term fix is for web servers to stop allowing renegotiation, which typically will not require other
changes unless client certificate authentication is used. To fix the vulnerability, a renegotiation indication extension
was proposed for TLS. It will require the client and server to include and verify information about previous
handshakes in any renegotiation handshakes.[6] When a user doesn't pay attention to their browser's indication that
the session is secure (typically a padlock icon), the vulnerability can be turned into a true man-in-the-middle attack[7]
This extension has become a proposed standard and has been assigned the number RFC 5746.
There are some attacks against the implementation rather than the protocol itself:
• Most CAs don't explicitly set basicConstraints CA=FALSE for leaf nodes, and a lot of browsers and other SSL
implementations (including IE, Konqueror, OpenSSL, etc.) don't check the field. This can be exploited for
man-in-the-middle attack on all potential SSL connections.
• Some implementations (including older versions of Microsoft Cryptographic API, Network Security Services, and
GnuTLS) stop reading any characters that follow the null character in the name field of the certificate, which can
be exploited to fool the client into reading the certificate as if it were one that came from the authentic site, e.g.
paypal.com\0.badguy.com would be mistaken as the site of paypal.com rather than badguy.com.
SSL v2 is flawed in a variety [8] of ways:
• Identical cryptographic keys are used for message authentication and encryption.
• MACs are unnecessarily weakened in the "export mode" required by U.S. export restrictions (symmetric key
length was limited to 40 bits in Netscape and Internet Explorer).
• SSL v2 has a weak MAC construction and relies solely on the MD5 hash function.
• SSL v2 does not have any protection for the handshake, meaning a man-in-the-middle downgrade attack can go
undetected.
• SSL v2 uses the TCP connection close to indicate the end of data. This means that truncation attacks are possible:
the attacker simply forges a TCP FIN, leaving the recipient unaware of an illegitimate end of data message (SSL
v3 fixes this problem by having an explicit closure alert).
• SSL v2 assumes a single service, and a fixed domain certificate, which clashes with the standard feature of virtual
hosting in webservers. This means that most websites are practically impaired from using SSL. TLS/SNI fixes
this but is not deployed in webservers as yet.
SSL v2 is disabled by default in Internet Explorer 7,[9] Mozilla Firefox 2 and Mozilla Firefox 3,[10] and Safari. After
it sends a TLS ClientHello, if Mozilla Firefox finds that the server is unable to complete the handshake, it will
attempt to fall back to using SSL 3.0 with an SSL 3.0 ClientHello in SSL v2 format to maximize the likelihood of
successfully handshaking with older servers.[11] Support for SSL v2 (and weak 40-bit and 56-bit ciphers) has been
removed completely from Opera as of version 9.5.[12]
Transport Layer Security 6

How it works
[13]
A TLS client and server negotiate a stateful connection by using a handshaking procedure. During this
handshake, the client and server agree on various parameters used to establish the connection's security.
• The handshake begins when a client connects to a TLS-enabled server requesting a secure connection, and
presents a list of supported CipherSuites (ciphers and hash functions).
• From this list, the server picks the strongest cipher and hash function that it also supports and notifies the client of
the decision.
• The server sends back its identification in the form of a digital certificate. The certificate usually contains the
server name, the trusted certificate authority (CA), and the server's public encryption key.
• The client may contact the server that issued the certificate (the trusted CA as above) and confirm that the
certificate is valid before proceeding.
• In order to generate the session keys used for the secure connection, the client encrypts a random number (RN)
with the server's public key (PbK), and sends the result to the server. Only the server should be able to decrypt it
(with its private key (PvK)): this is the one fact that makes the keys hidden from third parties, since only the
server and the client have access to this data. The client knows PbK and RN, and the server knows PvK and (after
decryption of the client's message) RN. A third party is only able to know RN if PvK has been compromised.
• From the random number, both parties generate key material for encryption and decryption.
This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the key
material until the connection closes.
If any one of the above steps fails, the TLS handshake fails, and the connection is not created.

TLS handshake in detail

The TLS protocol exchanges records, which encapsulate the data to be exchanged. Each record can be compressed,
padded, appended with a message authentication code (MAC), or encrypted, all depending on the state of the
connection. Each record has a content type field that specifies the record, a length field, and a TLS version field.
When the connection starts, the record encapsulates another protocol — the handshake messaging protocol — which
has content type 22.

Simple TLS handshake

A simple connection example follows, illustrating a handshake where the server (but not the client) is authenticated
by its certificate:
1. Negotiation phase:
• A client sends a ClientHello message specifying the highest TLS protocol version it supports, a random
number, a list of suggested CipherSuites, and suggested compression methods. If the client is attempting to
perform a resumed handshake, it may send a session ID.
• The server responds with a ServerHello message, containing the chosen protocol version, a random number,
CipherSuite, and compression method from the choices offered by the client. To confirm or allow resumed
handshakes the server may send a session ID. The chosen protocol version should be the highest that both the
client and server support. For example, if the client supports TLS1.1 and the server supports TLS1.2, TLS1.1
should be selected; SSLv3 should not be selected.
• The server sends its Certificate message (depending on the selected cipher suite, this may be omitted by the
server).[14]
• The server sends a ServerHelloDone message, indicating it is done with handshake negotiation.
• The client responds with a ClientKeyExchange message, which may contain a PreMasterSecret, public key,
or nothing. (Again, this depends on the selected cipher.)
Transport Layer Security 7

• The client and server then use the random numbers and PreMasterSecret to compute a common secret, called
the "master secret". All other key data for this connection is derived from this master secret (and the client- and
server-generated random values), which is passed through a carefully designed "pseudorandom function".
2. The client now sends a ChangeCipherSpec record, essentially telling the server, "Everything I tell you from now
on will be authenticated (and encrypted if encryption parameters were present in the server certificate)." The
ChangeCipherSpec is itself a record-level protocol with content type of 20.
• Finally, the client sends an authenticated and encrypted Finished message, containing a hash and MAC over
the previous handshake messages.
• The server will attempt to decrypt the client's Finished message, and verify the hash and MAC. If the
decryption or verification fails, the handshake is considered to have failed and the connection should be torn
down.
3. Finally, the server sends a ChangeCipherSpec, telling the client, "Everything I tell you from now on will be
authenticated (and encrypted with the server private key associated with the public key in the server certificate, if
encryption was negotiated)."
• The server sends its authenticated and encrypted Finished message.
• The client performs the same decryption and verification.
4. Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with content
type of 23. Application messages exchanged between client and server will also be authenticated and optionally
encrypted exactly like in their Finished message. Otherwise, the content type will return 25 and the client will not
authenticate.

Client-authenticated TLS handshake

The following full example shows a client being authenticated (in addition to the server like above) via TLS using
certificates exchanged between both peers.
1. Negotiation phase:
• A client sends a ClientHello message specifying the highest TLS protocol version it supports, a random
number, a list of suggested cipher suites and compression methods.
• The server responds with a ServerHello message, containing the chosen protocol version, a random number,
cipher suite, and compression method from the choices offered by the client. The server may also send a
session id as part of the message to perform a resumed handshake.
• The server sends its Certificate message (depending on the selected cipher suite, this may be omitted by the
server).[14]
• The server requests a certificate from the client, so that the connection can be mutually authenticated, using a
CertificateRequest message.
• The server sends a ServerHelloDone message, indicating it is done with handshake negotiation.
• The client responds with a Certificate message, which contains the client's certificate.
• The client sends a ClientKeyExchange message, which may contain a PreMasterSecret, public key, or
nothing. (Again, this depends on the selected cipher.) This PreMasterSecret is encrypted using the public key
of the server certificate.
• The client sends a CertificateVerify message, which is a signature over the previous handshake messages
using the client's certificate's private key. This signature can be verified by using the client's certificate's public
key. This lets the server know that the client has access to the private key of the certificate and thus owns the
certificate.
• The client and server then use the random numbers and PreMasterSecret to compute a common secret, called
the "master secret". All other key data for this connection is derived from this master secret (and the client- and
server-generated random values), which is passed through a carefully designed "pseudorandom function".
Transport Layer Security 8

2. The client now sends a ChangeCipherSpec record, essentially telling the server, "Everything I tell you from now
on will be authenticated (and encrypted if encryption was negotiated)." The ChangeCipherSpec is itself a
record-level protocol, and has type 20, and not 22.
• Finally, the client sends an encrypted Finished message, containing a hash and MAC over the previous
handshake messages.
• The server will attempt to decrypt the client's Finished message, and verify the hash and MAC. If the
decryption or verification fails, the handshake is considered to have failed and the connection should be torn
down.
3. Finally, the server sends a ChangeCipherSpec, telling the client, "Everything I tell you from now on will be
authenticated (and encrypted if encryption was negotiated)."
• The server sends its own encrypted Finished message.
• The client performs the same decryption and verification.
4. Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with content
type of 23. Application messages exchanged between client and server will also be encrypted exactly like in their
Finished message. The application will never again return TLS encryption information without a type 32 apology.

Resumed TLS handshake

Public key operations (e.g., RSA) are relatively expensive in terms of computational power. TLS provides a secure
shortcut in the handshake mechanism to avoid these operations. In an ordinary full handshake, the server sends a
session id as part of the ServerHello message. The client associates this session id with the server's IP address and
TCP port, so that when the client connects again to that server, it can use the session id to shortcut the handshake. In
the server, the session id maps to the cryptographic parameters previously negotiated, specifically the "master
secret". Both sides must have the same "master secret" or the resumed handshake will fail (this prevents an
eavesdropper from using a session id). The random data in the ClientHello and ServerHello messages virtually
guarantee that the generated connection keys will be different than in the previous connection. In the RFCs, this type
of handshake is called an abbreviated handshake. It is also described in the literature as a restart handshake.
1. Negotiation phase:
• A client sends a ClientHello message specifying the highest TLS protocol version it supports, a random
number, a list of suggested cipher suites and compression methods. Included in the message is the session id
from the previous TLS connection.
• The server responds with a ServerHello message, containing the chosen protocol version, a random number,
cipher suite, and compression method from the choices offered by the client. If the server recognizes the
session id sent by the client, it responds with the same session id. The client uses this to recognize that a
resumed handshake is being performed. If the server does not recognize the session id sent by the client, it
sends a different value for its session id. This tells the client that a resumed handshake will not be performed.
At this point, both the client and server have the "master secret" and random data to generate the key data to be
used for this connection.
2. The client now sends a ChangeCipherSpec record, essentially telling the server, "Everything I tell you from now
on will be encrypted." The ChangeCipherSpec is itself a record-level protocol, and has type 20, and not 22.
• Finally, the client sends an encrypted Finished message, containing a hash and MAC over the previous
handshake messages.
• The server will attempt to decrypt the client's Finished message, and verify the hash and MAC. If the
decryption or verification fails, the handshake is considered to have failed and the connection should be torn
down.
3. Finally, the server sends a ChangeCipherSpec, telling the client, "Everything I tell you from now on will be
encrypted."
Transport Layer Security 9

• The server sends its own encrypted Finished message.

• The client performs the same decryption and verification.
4. Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with content
type of 23. Application messages exchanged between client and server will also be encrypted exactly like in their
Finished message.
Apart from the performance benefit, resumed sessions can also be used for single sign-on as it is guaranteed that
both the original session as well as any resumed session originate from the same client. This is of particular
importance for the FTP over TLS/SSL protocol which would otherwise suffer from a man in the middle attack in
which an attacker could intercept the contents of the secondary data connections.[15]

TLS record protocol

This is the general format of all TLS records.

+ Byte +0 Byte +1 Byte +2 Byte +3

Byte Content type

0

Bytes Version Length

1..4
(Major) (Minor) (bits 15..8) (bits 7..0)

Bytes Protocol message(s)

5..(m-1)

Bytes MAC (optional)

m..(p-1)

Bytes Padding (block ciphers only)

p..(q-1)

Content type
This field identifies the Record Layer Protocol Type contained in this Record.

Content types
Hex Dec Type

0x14 20 ChangeCipherSpec

0x15 21 Alert

0x16 22 Handshake

0x17 23 Application

Version
This field identifies the major and minor version of TLS for the contained message. For a ClientHello
message, this need not be the highest version supported by the client.
Transport Layer Security 10

Versions
Major Version Minor Version Version Type

3 0 SSLv3

3 1 TLS 1.0

3 2 TLS 1.1

3 3 TLS 1.2

Length
The length of Protocol message(s), not to exceed 214 bytes (16 KiB).
Protocol message(s)
One or more messages identified by the Protocol field. Note that this field may be encrypted depending on the
state of the connection.
MAC and Padding
A message authentication code computed over the Protocol message, with additional key material included.
Note that this field may be encrypted, or not included entirely, depending on the state of the connection.
No MAC or Padding can be present at end of TLS records before all cipher algorithms and parameters have
been negotiated and handshaked, and then confirmed by sending a CipherStateChange record (see below) for
signaling that these parameters will take effect in all further records sent by the same peer.

Handshake protocol
Most messages exchanged during the setup of the TLS session are based on this record, unless an error or warning
occurs and needs to be signaled by an Alert protocol record (see below), or the encryption mode of the session is
modified by another record (see ChangeCipherSpec protocol below).

+ Byte +0 Byte +1 Byte +2 Byte +3

Byte 22
0

Bytes Version Length

1..4
(Major) (Minor) (bits 15..8) (bits 7..0)

Bytes Message type Handshake message data length

5..8
(bits 23..16) (bits 15..8) (bits 7..0)

Bytes Handshake message data

9..(n-1)

Bytes Message type Handshake message data length

n..(n+3)
(bits 23..16) (bits 15..8) (bits 7..0)

Bytes Handshake message data

(n+4)..

Message type
This field identifies the Handshake message type.
Transport Layer Security 11

Message Types

Code Description

0 HelloRequest

1 ClientHello

2 ServerHello

11 Certificate

12 ServerKeyExchange

13 CertificateRequest

14 ServerHelloDone

15 CertificateVerify

16 ClientKeyExchange

20 Finished

Handshake message data length

This is a 3-byte field indicating the length of the handshake data, not including the header.
Note that multiple Handshake messages may be combined within one record.

Alert protocol
This record should normally not be sent during normal handshaking or application exchanges. However, this
message can be sent at any time during the handshake and up to the closure of the session. If this is used to signal a
fatal error, the session will be closed immediately after sending this record, so this record is used to give a reason for
this closure. If the alert level is flagged as a warning, the remote can decide to close the session if it decides that the
session is not reliable enough for its needs (before doing so, the remote may also send its own signal).

+ Byte +0 Byte +1 Byte +2 Byte +3

Byte 21
0

Bytes Version Length

1..4
(Major) (Minor) 0 2

Bytes Level Description

5..6

Bytes MAC (optional)

7..(p-1)

Bytes Padding (block ciphers only)

p..(q-1)

Level
This field identifies the level of alert. If the level is fatal, the sender should close the session immediately.
Otherwise, the recipient may decide to terminate the session itself, by sending its own fatal alert and closing
the session itself immediately after sending it. The use of Alert records is optional, however if it is missing
before the session closure, the session may be resumed automatically (with its handshakes).
Normal closure of a session after termination of the transported application should preferably be alerted with
at least the Close notify Alert type (with a simple warning level) to prevent such automatic resume of a new
session. Signaling explicitly the normal closure of a secure session before effectively closing its transport layer
Transport Layer Security 12

is useful to prevent or detect attacks (like attempts to truncate the securely transported data, if it intrinsically
does not have a predetermined length or duration that the recipient of the secured data may expect).

Alert level types

Code Level type Connection state

1 warning connection or security may be unstable.

2 fatal connection or security may be compromised, or an unrecoverable error has occurred.

Description
This field identifies which type of alert is being sent.

Alert description types

Code Description Level types Note

0 Close notify warning/fatal

10 Unexpected message fatal

20 Bad record MAC fatal Possibly a bad SSL implementation, or payload has been tampered with. E.g., FTP
firewall rule on FTPS server.

21 Decryption failed fatal TLS only, reserved

22 Record overflow fatal TLS only

30 Decompression failure fatal

40 Handshake failure fatal

41 No certificate warning/fatal SSL v3 only, reserved

42 Bad certificate warning/fatal

43 Unsupported certificate warning/fatal E.g. certificate has only Server authentication usage enabled, and is presented as a client
certificate

44 Certificate revoked warning/fatal

45 Certificate expired warning/fatal

46 Certificate unknown warning/fatal

47 Illegal parameter fatal

48 Unknown CA (Certificate fatal TLS only

authority)

49 Access denied fatal TLS only

50 Decode error fatal TLS only

51 Decrypt error warning/fatal TLS only

60 Export restriction fatal TLS only, reserved

70 Protocol version fatal TLS only

71 Insufficient security fatal TLS only

80 Internal error fatal TLS only

90 User cancelled fatal TLS only

100 No renegotiation warning TLS only

110 Unsupported extension warning TLS only

Transport Layer Security 13

ChangeCipherSpec protocol

+ Byte +0 Byte +1 Byte +2 Byte +3

Byte 20
0

Bytes Version Length

1..4
(Major) (Minor) 0 1

Byte CCS protocol type

5

CCS protocol type

Currently only 1.

Application protocol

+ Byte +0 Byte +1 Byte +2 Byte +3

Byte 23
0

Bytes Version Length

1..4
(Major) (Minor) (bits 15..8) (bits 7..0)

Bytes Application data

5..(m-1)

Bytes MAC (optional)

m..(p-1)

Bytes Padding (block ciphers only)

p..(q-1)

Length
Length of Application data (excluding the protocol header, and the MAC and padding trailers)
MAC
20 bytes for the SHA-1-based HMAC, 16 bytes for the MD5-based HMAC.
Padding
Variable length ; last byte contains the padding length.

Support for name-based virtual servers

From the application protocol point of view, TLS belongs to a lower layer, although the TCP/IP model is too coarse
to show it. This means that the TLS handshake is usually (except in the STARTTLS case) performed before the
application protocol can start. The name-based virtual server feature being provided by the application layer, all
co-hosted virtual servers share the same certificate because the server has to select and send a certificate immediately
after the ClientHello message. This is a big problem in hosting environments because it means either sharing the
same certificate among all customers or using a different IP address for each of them.
There are two known workarounds provided by X.509:
• If all virtual servers belong to the same domain, you can use a wildcard certificate [16]. Besides the loose host
name selection that might be a problem or not, there is no common agreement about how to match wildcard
Transport Layer Security 14

certificates. Different rules are applied depending on the application protocol or software used.[17]
• Add every virtual host name in the subjectAltName extension. The major problem being that you need to reissue
a certificate whenever you declare a new virtual server.
In order to provide the server name, RFC 4366 Transport Layer Security (TLS) Extensions allow clients to include a
Server Name Indication extension (SNI) in the extended ClientHello message. This extension hints the server
immediately which name the client wishes to connect to, so the server can select the appropriate certificate to send to
the client.

Government-imposed protocol limitations

Some early implementations of SSL used 40-bit symmetric keys because of US government restrictions on the
export of cryptographic technology. After several years of public controversy, a series of lawsuits, and eventual US
government recognition of cryptographic products with longer key sizes produced outside the US, the authorities
relaxed some aspects of the export restrictions.

Implementations
SSL and TLS have been widely implemented in several open source software projects. Programmers may use the
OpenSSL, NSS, or GnuTLS libraries for SSL/TLS functionality. Microsoft Windows includes an implementation of
SSL and TLS as part of its Secure Channel package. Delphi programmers may use a library called Indy.

Browser implementations
All the most recent web browsers support TLS:
• Apple's Safari supports TLS, but doesn't say which version.[18]
• Mozilla Firefox, versions 2 and above, support TLS 1.0.[19] As of April 2010, Firefox does not support TLS 1.1 or
1.2.[20]
• Internet Explorer 8 in Windows 7 and Windows Server 2008 R2 supports TLS 1.2.[21]
• As of Presto 2.2, featured in Opera 10, Opera supports TLS 1.2.[22]

See also
• Certificate authority
• Datagram Transport Layer Security
• Extended Validation Certificate
• Multiplexed Transport Layer Security
• Obfuscated TCP
• Public key certificate
• SEED
• Server gated cryptography
• SSL acceleration
• Virtual private network
• X.509
• tcpcrypt
Transport Layer Security 15

Software
• OpenSSL: a free implementation (BSD license with some extensions)
• GnuTLS: a free implementation (LGPL licensed)
• JSSE: a Java implementation included in the Java Runtime Environment
• Network Security Services (NSS): FIPS 140 validated open source library
• PolarSSL: A tiny TLS implementation for embedded devices
• CyaSSL: Embedded SSL/TLS Library with a strong focus on speed and size.

References and footnotes

[1] Appendix B of RFC 5246
[2] The SSL Protocol: Version 3.0 (http:/ / www. mozilla. org/ projects/ security/ pki/ nss/ ssl/ draft302. txt) Netscape's final SSL 3.0 draft
(November 18, 1996)
[3] Thomas Y. C. Woo, Raghuram Bindignavle, Shaowen Su, and Simon S. Lam, SNP: An interface for secure network programming
Proceedings USENIX Summer Technical Conference, June 1994
[4] Association for Computing Machinery, "ACM: Press Release, March 15, 2005" (http:/ / campus. acm. org/ public/ pressroom/ press_releases/
3_2005/ ss_award_3_15_2005. cfm), campus.acm.org, accessed December 26, 2007. (English version).
[5] Dierks, T. and E. Rescorla. "The Transport Layer Security (TLS) Protocol Version 1.1, RFC 4346" (http:/ / tools. ietf. org/ html/
rfc5246#ref-TLS1. 1). .
[6] Eric Rescorla (2009-11-05). "Understanding the TLS Renegotiation Attack" (http:/ / www. educatedguesswork. org/ 2009/ 11/
understanding_the_tls_renegoti. html). Educated Guesswork. . Retrieved 2009-11-27.
[7] McMillan, Robert (2009-11-20). "Security Pro Says New SSL Attack Can Hit Many Sites" (http:/ / www. pcworld. com/ article/ 182720/
security_pro_says_new_ssl_attack_can_hit_many_sites. html). PC World. . Retrieved 2009-11-27.
[8] http:/ / www. eucybervote. org/ Reports/ MSI-WP2-D7V1-V1. 0-02. htm
[9] Lawrence, Eric (2005-10-22). "IEBlog : Upcoming HTTPS Improvements in Internet Explorer 7 Beta 2" (http:/ / blogs. msdn. com/ ie/
archive/ 2005/ 10/ 22/ 483795. aspx). MSDN Blogs. . Retrieved 2007-11-25.
[10] "Bugzilla@Mozilla — Bug 236933 - Disable SSL2 and other weak ciphers" (https:/ / bugzilla. mozilla. org/ show_bug. cgi?id=236933).
Mozilla Corporation. . Retrieved 2007-11-25.
[11] "Firefox still sends SSLv2 handshake even though the protocol is disabled" (https:/ / bugzilla. mozilla. org/ show_bug. cgi?id=454759).
2008-09-11. .
[12] Pettersen, Yngve (2007-04-30). "10 years of SSL in Opera — Implementer's notes" (http:/ / my. opera. com/ yngve/ blog/ 2007/ 04/ 30/
10-years-of-ssl-in-opera). Opera Software. . Retrieved 2007-11-25.
[13] " SSL/TLS in Detail (http:/ / technet. microsoft. com/ en-us/ library/ cc785811. aspx)". Microsoft TechNet. Updated July 31, 2003.
[14] These certificates are currently X.509, but there is also a draft specifying the use of OpenPGP based certificates.
[15] vsftpd-2.1.0 released (http:/ / scarybeastsecurity. blogspot. com/ 2009/ 02/ vsftpd-210-released. html) Using TLS session resume for FTPS
data connection authentication. Retrieved on 2009-04-28.
[16] http:/ / wiki. cacert. org/ wiki/ WildcardCertificates
[17] Named-based SSL virtual hosts: how to tackle the problem (https:/ / www. switch. ch/ pki/ meetings/ 2007-01/ namebased_ssl_virtualhosts.
pdf), SWITCH.
[18] Apple (2009-06-10). "Features" (http:/ / www. apple. com/ safari/ features. html). . Retrieved 2009-06-10.
[19] Mozilla (2008-08-06/). "Security in Firefox 2" (https:/ / developer. mozilla. org/ en/ Security_in_Firefox_2). . Retrieved 2009-03-31.
[20] "Bug 480514 - Implement support for TLS 1.2 (RFC 5246)" (https:/ / bugzilla. mozilla. org/ show_bug. cgi?id=480514). 2010-03-17. .
Retrieved 2010-04-04.
[21] Microsoft (2009-02-27). "MS-TLSP Appendix A" (http:/ / msdn. microsoft. com/ en-us/ library/ dd208005(PROT. 13). aspx). . Retrieved
2009-03-19.
[22] Yngve Nysæter Pettersen (2009-02-25). "New in Opera Presto 2.2: TLS 1.2 Support" (http:/ / my. opera. com/ core/ blog/ 2009/ 02/ 25/
new-in-opera-presto-2-2-tls-1-2-support). . Retrieved 2009-02-25.
Transport Layer Security 16

Further reading
• Wagner, David; Schneier, Bruce (November 1996). "Analysis of the SSL 3.0 Protocol" (http://www.schneier.
com/paper-ssl.pdf). The Second USENIX Workshop on Electronic Commerce Proceedings (http://www.
schneier.com/paper-ssl.pdf). USENIX Press.
• Eric Rescorla (2001). SSL and TLS: Designing and Building Secure Systems. United States: Addison-Wesley Pub
Co. ISBN 0-201-61598-3.
• Stephen A. Thomas (2000). SSL and TLS essentials securing the Web. New York: Wiley. ISBN 0-471-38354-6.
• Bard, Gregory (2006). "A Challenging But Feasible Blockwise-Adaptive Chosen-Plaintext Attack On Ssl" (http:/
/citeseer.ist.psu.edu/bard04vulnerability.html). International Association for Cryptologic Research (136).
Retrieved 2007-04-20.
• Canvel, Brice. "Password Interception in a SSL/TLS Channel" (http://lasecwww.epfl.ch/memo/memo_ssl.
shtml). Retrieved 2007-04-20.
• IETF Multiple Authors. "RFC of change for TLS Renegotiation" (http://tools.ietf.org/html/rfc5746). Retrieved
2009-12-11.

External links
• SSL 2 specification (http://www.mozilla.org/projects/security/pki/nss/ssl/draft02.html) (published 1994)
• SSL 3.0 specification (http://www.freesoft.org/CIE/Topics/ssl-draft/3-SPEC.HTM) (published 1996)
• Netscape's final SSL 3.0 draft (1996) (http://www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt)
• The IETF (Internet Engineering Task Force) TLS Workgroup (http://www.ietf.org/html.charters/tls-charter.
html)
• SSL tutorial (http://www2.rad.com/networks/2001/ssl/index.htm)
• OpenSSL thread safe connections tutorial with example source code (http://ardoino.com/
40-openssl-thread-safe-secure-connections/)
• ECMAScript Secure Transform (Web 2 Secure Transform Method) (http://www.semnanweb.com/
ecmast-ecmascript-secure-transform/)
• OWASP: Transport Layer Protection Cheat Sheet (http://www.owasp.org/index.
php?title=Transport_Layer_Protection_Cheat_Sheet)
• A talk on SSL/TLS that tries to explain things in terms that people might understand. (http://computing.ece.vt.
edu/~jkh/Understanding_SSL_TLS.pdf)
• Simple overview of TLS/SSL, how they work, and their benefits (http://luxsci.com/blog/
how-does-secure-socket-layer-ssl-or-tls-work.html)
• SSL versus TLS – What's the difference? (http://luxsci.com/blog/ssl-versus-tls-whats-the-difference.html)
• SSL: Foundation for Web Security (http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_1-1/
ssl.html)
This article was originally based on material from the Free On-line Dictionary of Computing, which is licensed
under the GFDL.
Article Sources and Contributors 17

Article Sources and Contributors

Transport Layer Security  Source: http://en.wikipedia.org/w/index.php?oldid=394403366  Contributors: 0x6adb015, 5ko, 806f0F, Abaybas, Abdull, AbsolutDan, Acodring, Adam Conover,
Aka042, Albedo, Aldie, Alec it, Alias Flood, AlistairMcMillan, Amenel, Anclation, Andre Engels, Andrew Hampe, Andrzej P. Wozniak, Anna512, Anon lynx, Ant honey, Antientropic,
Apankrat, Aprogrammer, Arkoon, Armour Hotdog, Arsenikk, Ashdurbat, Avbentem, AxelBoldt, Barakw, Barek, Beetstra, Beland, Bender235, Beno1000, Biot, Blackbearded, Blodulv, Boblord,
Borb, Bovineone, Branko, Branlon, Bryan Derksen, Bunnyhop11, Burke Libbey, C1010, CKlunck, Cajunbill, Calton, CanadianLinuxUser, CanisRufus, Cellmate707, Cfp, Chealer, Chris conlon,
Ciphers, ClementSeveillac, Colenso, Colonies Chris, CommonsDelinker, Conseguenza, Conversion script, Crossland, Czhower, DARTH SIDIOUS 2, David-Sarah Hopwood, Davidfstr,
Davidoff, Davodd, Dawnseeker2000, Debresser, Digi-cs, Discospinster, Doedoejohn, Dogbyter, Dougjih, Dreamafter, Ed Brey, Edward, Emperorbma, Enjoi4586, Ericnay, Erth64net,
Eruionnyron, Etu, Everyking, Evice, FBarber, Feezo, Felixcatuk, FloydRTurbo, Frap, Freyr, Fritzophrenic, Fryed-peach, Furrykef, GABaker, Gerbrant, Ghalas, Ghettoblaster, Giftlite, GoodStuff,
Graham87, Greatwhitesharkbear, GreyCat, Guthrg007, Gzorg, Haakon, HaeB, Haham hanuka, Hairy Dude, HamburgerRadio, Hawk-Eagle, Hgfernan, Hottdee, Iangfc, Iida-yosiaki, Interiot, Intgr,
Isilanes, Itahmed, J-p krelli, JTN, JWilk, JaGa, Jamelan, Jc monk, Jclemens, Jef-Infojef, Jesse Viviano, Jigen III, Jlehen, Jmaister, Jmorgan, JoanneB, JoaoRicardo, Joblack, JonHarder, Juhovh,
Julie Deanna, Kbrose, Kelson, Kgaughan, Kgfleischmann, Kinema, Koeplinger, Kpsmithuk, Krellis, Ksn, Kyng, Lakshmin, LeoNomis, Leotohill, Levin, Loftenter, Lotje, Lradrama, Lukegilman,
Lundse, Lunkwill, Lzyiii, M. B., Jr., Mabdul, Mac, Madigral, Magioladitis, Mange01, Mani1, Marrowmonkey, Martinkunev, Matt Crypto, Matthew V Ball, Maxim Razin, Mayevski, Meetabu,
Mgcsinc, Michael Hardy, MichaelCoates, Michaelfowler, Michaelkrauklis, Mickraus, Mike Rosoft, Mild Bill Hiccup, Mindmatrix, MinorContributor, Mischling, MisterSSL, Mmernex, Molf, Mr
Heine, Mrbbking, Msiddalingaiah, Mundocani, Mwanner, Mydogategodshat, Mårten Berglund, N.MacInnes, Nagle, Nealcardwell, Nealmcb, Nerwal, Nikai, Nill smith, Nils, Ninels, Niqueco,
Nitrogenx, Nk, Nonno88, Noq, Ntsimp, Nubiatech, Nurg, Nuujinn, Nyco, ObscurO, Oconnor663, Olegos, Olivier Debre, Omniplex, Oscardt, PHansen, Papadopa, Pasi Eronen, Paul Foxworthy,
Paul1337, PeterB, Pfortuny, Phoenix-forgotten, Pilotguy, Plustgarten, Ppelleti, Produke, Psz, RP459, Raanoo, Rarut, Rasmus Faber, Raviaulakh, Ray Dassen, Remember the dot, Rettetast,
ReyBrujo, Rholton, Rich Farmbrough, RichiH, Rick Block, Ripsss, Rlcantwell, Robinalden, SPCartman, Sanxiyn, Sara Wright, Scetoaux, Schlafly, Schmalls, Seneces, Sesu Prime, Sfisher,
Shaddack, Shadowjams, ShakataGaNai, Siddhant, Simetrical, Simon.may.007, Sleske, Smyth, Spartan-James, Speaker to Lampposts, SpeedyGonsales, Star General, Startcom, Stefonic, Stupid
Corn, SunCreator, Superm401, Suruena, Sweeper tamonten, TDM, THEN WHO WAS PHONE?, TJJFV, Ta bu shi da yu, Tacke, Tbutzon, Ternto333, The Anome, TheWishy, Themfromspace,
Thomas Springer, Thomasgud, Thorne, Thumperward, Thunderbritches, Tim Ivorson, Titiri, Tommy2010, Tony esopi patra, Toyotabedzrock, Tqbf, TwelveBaud, Twkd, Typhoonhurricane,
VAcharon, Verdy p, Versageek, VictorAnyakin, Vijay.kotari, Vinayr rao, VishalJBhatt, Webguynik, Weyes, Wiarthurhu, Wilfrednilsen, William Avery, Wizofaus, Wmahan, Wmasterj, WojPob,
Writermonique, Wutherings, Ww, Xizhi.zhu, Yadirh, Yaronf, Youremyjuliet, Ysimonson, Zigkill, Zimbabweed, Zundark, Zzuuzz, 661 anonymous edits

License
Creative Commons Attribution-Share Alike 3.0 Unported
http:/ / creativecommons. org/ licenses/ by-sa/ 3. 0/