Negotiating SSL/TLS Communication

HostExplorer

When an SSL/TLS-enabled HostExplorer session connects to a server that supports SSL/TLS, the Telnet connection is established first. During this process, HostExplorer and the server negotiate how the server (and, optionally, the client) will be authenticated, and they use the key exchange algorithm to agree on a common key for symmetric encryption.

Note: The actual sequence of negotiation depends on the server and client configuration.

The SSL/TLS negotiation occurs as follows:

  1. HostExplorer sends an initial SSL/TLS “client hello” message to the server.
  2. The server responds with a “server hello” message to HostExplorer.
  3. The server sends its certificate to HostExplorer. The certificate can be validated with a digital signature, which is produced by computing a message digest of the certificate and then encrypting that digest. The certificate can be signed by a certificate authority (CA) or it can be self-signed.

     Depending on the server's security configuration, the server may also request a user certificate from HostExplorer.

  4. HostExplorer uses the public key of the server certificate to decrypt the message digest. It then re-computes the digest using the digest algorithm specified in the digital signature and compares the two digests. If the two digests are the same, the certificate was not modified in transit and can therefore be trusted.
  5. After several other SSL/TLS messages, HostExplorer and the server agree on the symmetric encryption algorithm and on a common key to be used with it in subsequent communications.
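The following Go program is an added example, not HostExplorer or host code: Go's standard crypto/tls stands in for both HostExplorer (the client) and the SSL/TLS host (the server), talking over a loopback socket on localhost. It generates a self-signed server certificate (an ECDSA P-256 key is an assumption; any supported key type would do), reproduces the signature check of step 4 on its own (verification over the certificate's to-be-signed bytes, once intact and once with a byte flipped), and then runs the full negotiation twice: once with the self-signed certificate added to the client's trust store and once with an empty trust store, which is the case where the signature verifies but the signer is unknown and the client aborts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NewSelfSignedCert builds a self-signed certificate for "localhost", standing in
// for the host's self-signed server certificate (assumption: an ECDSA P-256 key).
func NewSelfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	// Self-signed: the template is its own parent and is signed with its own key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, err
}

// SignatureCheck is step 4 in isolation: the signer's public key (the certificate's
// own, because it is self-signed) verifies the signature over the to-be-signed (TBS)
// bytes, i.e. the digest is recomputed and compared. tamper=true flips one TBS byte.
func SignatureCheck(cert *x509.Certificate, tamper bool) error {
	tbs := append([]byte(nil), cert.RawTBSCertificate...)
	if tamper {
		tbs[len(tbs)/2] ^= 0x01 // any change to the signed bytes changes the digest
	}
	return cert.CheckSignature(cert.SignatureAlgorithm, tbs, cert.Signature)
}

// Handshake plays both sides over loopback TCP: client hello, server hello, server
// certificate, key agreement. With trust=true the client's root store holds the
// self-signed certificate; with trust=false the store is empty and the client aborts.
func Handshake(trust bool) (tls.ConnectionState, error) {
	serverCert, parsed, err := NewSelfSignedCert()
	if err != nil {
		return tls.ConnectionState{}, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()
	serverDone := make(chan error, 1)
	go func() { // the host side
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			err = tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
		}
		serverDone <- err
	}()
	pool := x509.NewCertPool() // the client's trust store: the explicit trust decision
	if trust {
		pool.AddCert(parsed)
	}
	cfg := &tls.Config{ServerName: "localhost", RootCAs: pool, MinVersion: tls.VersionTLS12}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg) // the HostExplorer side
	if err != nil {
		<-serverDone // the server's handshake fails too once the client sends its alert
		return tls.ConnectionState{}, err
	}
	defer conn.Close()
	if err := <-serverDone; err != nil {
		return tls.ConnectionState{}, err
	}
	return conn.ConnectionState(), nil
}

func main() {
	for _, trust := range []bool{true, false} {
		cs, err := Handshake(trust)
		fmt.Printf("trust=%v: version=0x%04x complete=%v err=%v\n", trust, cs.Version, cs.HandshakeComplete, err)
	}
}
```

Run it with `go run`. The returned ConnectionState is the client's view of a successful negotiation (protocol version, cipher suite, the server certificate it received), which is what you inspect when verifying that the negotiation succeeded. The untrusted run shows the distinction that matters for self-signed certificates: a matching digest proves the certificate arrived unmodified, while whether its signer is trusted is a separate client-side configuration decision.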

Related Topics

Security Folder—SSL/TLS Category

Verifying the Success of SSL/TLS Negotiation

Generating Self-Signed Certificates