Deep dive into TLS/SSL Handshake using WireShark 🦈

Shubham Kaushik
Published in Dev Genius
8 min read · Jun 1, 2021


In this article, we will look at how a browser and a website create a secure connection that provides privacy and data integrity for the communication between client and server. When we open an HTTPS URL in a browser we do not see the SSL handshake happen, yet the browser is setting up that HTTPS connection using a one-way SSL handshake (discussed later in this article). We will use Wireshark, an open-source packet analyzer, to walk through the TLS handshake step by step.

If you are born to solve problems, then you are in the right place! 😃

Prerequisite

  1. Wireshark (for understanding the TLS handshake)
  2. TCP overview
  3. The ability to turn your coffee into code is a plus ☕

What is a TLS handshake?

TLS stands for “Transport Layer Security”. It is an encryption protocol designed to secure internet communications. A TLS handshake is the process that starts a secure communication session using TLS.

During a TLS handshake the following steps occur, in this order:

  • The client and server exchange messages to acknowledge each other.
  • They verify each other’s identity.
  • They establish the encryption algorithms they will use to secure the messages they exchange.
  • They agree on session keys.

If you don’t understand any of these steps, don’t worry! We will walk through each step later on.

Types of TLS Handshakes

The main purpose of an SSL handshake is to provide privacy for the communication between a server and a client. During the handshake, the server and client exchange the information required to establish a secure connection (we will learn later in this article exactly what information is exchanged 😊).

There are two types of SSL handshake:

  • One-Way SSL: In one-way SSL, only the client validates the identity of the server. When we browse HTTPS websites, one-way SSL is usually used: only our browser (client) validates the identity of the website (server).
  • Two-Way SSL: In two-way SSL, both client and server validate the identity of each other. Two-way SSL is usually used in server-to-server communication.

TLS vs. SSL

TLS is actually just a more recent version of SSL (Secure Sockets Layer). It fixes some security vulnerabilities in the earlier SSL protocols. SSL 2.0 was first released in February 1995 (SSL 1.0 was never publicly released because of security flaws). Although SSL 2.0 was publicly released, it also contained security flaws and was quickly replaced by SSL 3.0 in 1996. Then, in 1999, the first version of TLS (1.0) was released as an upgrade to SSL 3.0. Since then, there have been three more TLS releases, with the most recent release being TLS 1.3 in August 2018.

At this point, both public SSL releases have been deprecated and have known security vulnerabilities.

When does a TLS handshake occur?

We encounter a TLS handshake whenever we open a website served over HTTPS, as soon as the browser begins to query the website’s origin server. The TLS handshake takes place after a TCP connection has been opened via the TCP handshake.

What happens during a TLS handshake?

During the course of a TLS handshake, the client and server together will do the following things:

  • Specify which version of TLS (TLS 1.0, 1.2, 1.3, etc.) they will use.
  • Decide on which cipher suites (described below) they will use.
  • Authenticate the identity of the server via the server’s public key and the SSL certificate authority’s digital signature.
  • Generate session keys in order to use symmetric encryption after the handshake is complete.

Configuring WireShark

Let’s walk through each step involved in the TLS handshake. First we configure Wireshark so that we can observe each step. The steps required to configure Wireshark are:

  • Find the IP address of your machine. The command below prints it (this form of the command is macOS-specific).
    ipconfig getifaddr en0
  • Make a curl request to any website that supports HTTPS and find its IP address. We will use “https://google.com” here; the command below shows the address in its verbose output.
    curl https://google.com -v

In the verbose output of the above command we get the IP address that curl connected to. Copy that address and use it in the next step.

  • Finally, add the source (your machine) and destination (website) IP addresses to the Wireshark display filter.

Steps involved in TLS handshake

Now we can finally learn the steps involved in a TLS handshake and verify each of them in the Wireshark console. During an SSL handshake, the server and the client follow the steps below.

Client Hello

The client sends a message to the server saying: “I’d like to set up an encrypted session. Here is a list of cipher suites and the SSL/TLS versions I am willing to use. I am also sending my public key, which you can use at a later point in time.”

[Screenshot: Client Hello packet as decoded by Wireshark]

In the above log we can see that the client is sending a Hello with TLS version 1.2. By this, the client notifies the server that it supports TLS[1] version 1.2 and below. It also sends the list of cipher suites (46 here) that the client supports. From this list the server selects a cipher suite that it supports too, ignoring any suites it does not support. If none of the offered cipher suites is supported by the server, a failure alert is sent and the server closes the connection.

Server Hello

The server responds with: “Hey there! Let’s use this particular cipher suite from your list. I also checked that I can use your TLS version, so we’re good to go. Now here is my certificate, including my public key.”

[Screenshot: Server Hello packet as decoded by Wireshark]

Along with the Server Hello, the server sends its certificate together with the certificate chain. The client validates that chain against its trust store. The certificates sent by the server can be seen in the following log.

[Screenshot: Certificate chain sent by the server]
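To see what Wireshark is actually decoding in the Client Hello and Server Hello rows above, here is an added example (not the article’s own code and not part of Wireshark) that builds a constructed TLS 1.2 ClientHello and ServerHello and parses the same fields back out: the protocol version, the list of offered cipher suites, and the single suite the server picked. The record layout follows RFC 5246 (sections 6.2 and 7.4.1); the cipher suite list, the random values and the server’s supported-suite set are constructed sample data, not values from the google.com capture. The `select_suite` helper models the server-side choice described above, including the case where nothing overlaps and a failure alert would follow.

```python
"""Decode the ClientHello / ServerHello bytes that Wireshark displays (added example)."""
import struct

HANDSHAKE_RECORD = 0x16              # record content type "handshake"
CLIENT_HELLO, SERVER_HELLO = 1, 2    # handshake message types
TLS12 = (3, 3)                       # TLS 1.2 is major 3, minor 3 on the wire

VERSION_NAMES = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

# IANA cipher suite ids, used only to label the constructed sample suites.
SUITE_NAMES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}


def _record(hs_type, body):
    """Wrap a handshake body in its 4-byte handshake header and the 5-byte record header."""
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD, *TLS12]) + len(handshake).to_bytes(2, "big") + handshake


def build_client_hello(client_random, suites):
    """ClientHello body: version, 32-byte random, empty session id, suite list, null compression."""
    body = bytes(TLS12) + client_random + b"\x00"
    body += (2 * len(suites)).to_bytes(2, "big")
    body += b"".join(s.to_bytes(2, "big") for s in suites)
    body += b"\x01\x00"                      # one compression method: null
    return _record(CLIENT_HELLO, body)


def build_server_hello(server_random, suite):
    """ServerHello body: version, 32-byte random, empty session id, ONE suite, null compression."""
    body = bytes(TLS12) + server_random + b"\x00" + suite.to_bytes(2, "big") + b"\x00"
    return _record(SERVER_HELLO, body)


def parse_hello(record):
    """Decode a ClientHello or ServerHello record into the fields Wireshark shows."""
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != HANDSHAKE_RECORD:
        raise ValueError("not a handshake record")
    handshake = record[5:5 + rec_len]
    hs_type = handshake[0]
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    version = (body[0], body[1])
    random = body[2:34]
    sid_len = body[34]
    pos = 35 + sid_len
    info = {"version": VERSION_NAMES.get(version, str(version)),
            "random": random, "session_id": body[35:pos]}
    if hs_type == CLIENT_HELLO:
        info["type"] = "Client Hello"
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        info["cipher_suites"] = [struct.unpack("!H", body[i:i + 2])[0]
                                 for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        comp_len = body[pos]
        info["compression"] = list(body[pos + 1:pos + 1 + comp_len])
    elif hs_type == SERVER_HELLO:
        info["type"] = "Server Hello"
        info["cipher_suite"] = struct.unpack("!H", body[pos:pos + 2])[0]
        info["compression"] = body[pos + 2]
    else:
        raise ValueError("unexpected handshake type %d" % hs_type)
    return info


def select_suite(offered, supported):
    """Server-side choice: first offered suite the server supports, or None (-> failure alert)."""
    for suite in offered:
        if suite in supported:
            return suite
    return None


if __name__ == "__main__":
    client_random = bytes(range(32))                 # constructed, not actually random
    offered = [0xC02B, 0xC02F, 0x009C, 0x002F]       # constructed offer list
    hello = parse_hello(build_client_hello(client_random, offered))
    print(hello["type"], hello["version"], "offers", len(hello["cipher_suites"]), "suites")
    choice = select_suite(hello["cipher_suites"], {0x009C, 0x002F})   # constructed server support
    print("server picks", SUITE_NAMES[choice])
    print(parse_hello(build_server_hello(bytes(32), choice)))
```

The number Wireshark reports next to “Cipher Suites” is just `len(info["cipher_suites"])`; in a real capture you would feed `parse_hello` the raw bytes of the TLS record rather than a constructed one.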

Authentication

The client verifies the server’s certificate and extracts the public key from it. The client uses that public key to encrypt a new “pre-master key” and sends it to the server. The log below shows the client sending this encrypted key to the server.

[Screenshot: Client Key Exchange packet as decoded by Wireshark]

Pre-Master Key Decryption

The server uses its private key to decrypt the pre-master key.

Session keys created

Both client and server generate session keys from the client public key, the server public key, and the premaster key. They should arrive at the same results.

Client is ready

The client sends a “finished” message that is encrypted with a session key.

Server is ready

The server sends a “finished” message encrypted with a session key.
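The “Session keys created”, “Client is ready” and “Server is ready” steps above can be worked through in code. The following is an added example (not the article’s own code and not Wireshark code) implementing the TLS 1.2 pseudo-random function from RFC 5246 section 5 and using it for the three steps: deriving the master secret from the pre-master secret (the article’s “pre-master key”), expanding it into the session keys, and computing the `verify_data` that travels inside the encrypted “finished” message (RFC 5246 section 7.4.9). Per that RFC, the derivation inputs are the pre-master secret plus the 32-byte client and server randoms carried in the two Hello messages. All secret and random values below are constructed sample data, not values from a capture, and the transcript is a constructed stand-in for the concatenated handshake messages.

```python
"""TLS 1.2 key derivation and Finished verify_data, worked through (added example)."""
import hashlib
import hmac


def p_sha256(secret, seed, length):
    """P_SHA256 from RFC 5246 5: A(i) = HMAC(secret, A(i-1)); output += HMAC(secret, A(i) + seed)."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed) for SHA-256 based suites."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master, client_random, server_random):
    """48-byte master secret; client and server compute it from the same three inputs."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def session_keys(master, client_random, server_random, mac_len, key_len, iv_len):
    """Key expansion (RFC 5246 6.3); note the randoms are concatenated server-first here."""
    names = ["client_write_MAC_key", "server_write_MAC_key",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    block = prf(master, b"key expansion", server_random + client_random, sum(sizes))
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def finished_verify_data(master, side, transcript):
    """12-byte verify_data for Finished: PRF over a hash of every handshake message so far."""
    label = b"client finished" if side == "client" else b"server finished"
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


def handshake_demo(pre_master, client_random, server_random, transcript):
    """Run the derivation as each side would and report whether the two sides agree."""
    ms_client = master_secret(pre_master, client_random, server_random)
    ms_server = master_secret(pre_master, client_random, server_random)
    # Sizes for TLS_RSA_WITH_AES_128_CBC_SHA: 20-byte HMAC-SHA1 key, 16-byte AES key, 16-byte IV.
    keys = session_keys(ms_client, client_random, server_random, 20, 16, 16)
    return {
        "master_secret": ms_client,
        "sides_agree": ms_client == ms_server,
        "keys": keys,
        "client_finished": finished_verify_data(ms_client, "client", transcript),
        "server_finished": finished_verify_data(ms_server, "server", transcript),
    }


if __name__ == "__main__":
    pre_master = b"\x03\x03" + bytes(46)                        # constructed: version prefix + 46 zero bytes
    c_rand, s_rand = bytes(range(32)), bytes(range(32, 64))     # constructed Hello randoms
    transcript = b"ClientHello|ServerHello|Certificate|ClientKeyExchange"  # constructed stand-in
    result = handshake_demo(pre_master, c_rand, s_rand, transcript)
    print("sides agree:", result["sides_agree"])
    for name, key in result["keys"].items():
        print(f"{name:22s} {key.hex()}")
    print("client Finished verify_data:", result["client_finished"].hex())
    # A transcript altered in flight (for example a changed cipher suite list) yields a different
    # verify_data, which is how the Finished exchange lets each side detect handshake tampering.
    tampered = finished_verify_data(result["master_secret"], "client", transcript + b"X")
    print("tampered transcript matches:", tampered == result["client_finished"])
```

Because both Finished messages are computed over the whole handshake transcript, any modification of an earlier message (a downgraded version or a weaker cipher suite substituted on the path) makes the peer’s verify_data fail to match, and the handshake aborts before application data is sent.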

Secure symmetric encryption achieved

The handshake is completed, and communication continues using the session keys.

What is the difference between HTTP and HTTPS?

The one thing that separates HTTP from HTTPS is the SSL certificate. Basically, HTTPS is the HTTP protocol with additional security, and that additional security is extremely important when we handle sensitive user data such as credit card information, passwords and bank details.

Also, HTTPS is secured via TLS (Transport Layer Security), which we covered above. TLS provides data integrity, which prevents data from being modified or corrupted in transit, and authentication, which proves the identity of the server we are communicating with.

Greetings!

We have followed all the steps involved in the TLS/SSL handshake and cross-checked each of them using the Wireshark packet analyzer.

The entire SSL handshake takes place in a few hundred milliseconds, all behind the scenes. It is the first thing that must happen in an HTTPS connection, even before the web page content is fetched from the web server.

When the SSL handshake is completed, an encrypted connection has been established between client and server. From then on, all data sent from client to server or from server to client is protected using the session key.

The SSL/TLS handshake is a fascinating process that is essential for securing the internet, and yet it happens so quickly and quietly behind the scenes that most people never notice it at all.

Summary

For the sake of completeness, let’s have a quick recap of what we have learned so far:

  • What is a TLS/SSL handshake?
  • How is the entire communication between client and server encrypted using TLS?
  • HTTP vs HTTPS

If you enjoyed this article, don’t forget to give it a clap!

Please feel free to ping me on Linkedin and stay tuned for the next one!

References

[1] SSL.com official website: https://www.ssl.com/

[2] Cloudflare, “What is Transport Layer Security (TLS)?”: https://www.cloudflare.com/en-in/learning/ssl/transport-layer-security-tls/

[3] Wireshark website: https://www.wireshark.org/
