← Back to glossary

TLS Handshake

networking Intermediate

Also Known As

SSL handshake HTTPS handshake

TL;DR

The negotiation process between client and server that establishes an encrypted HTTPS connection, agreeing on cipher suites and exchanging keys.

Explanation

The TLS handshake authenticates the server (and optionally the client), negotiates the TLS version and cipher suite, and establishes session keys. TLS 1.3 completes in one round-trip vs TLS 1.2's two, significantly reducing connection latency. Understanding the handshake is essential for diagnosing certificate errors, choosing strong cipher suites, and implementing mutual TLS (mTLS) for service-to-service authentication.

Diagram

sequenceDiagram
    participant C as Client
    participant S as Server
    C->>S: ClientHello - TLS version, cipher suites
    S->>C: ServerHello - chosen cipher
    S->>C: Certificate with public key
    C->>C: Verify certificate chain
    C->>S: Key exchange encrypted with server public key
    C->>S: Finished encrypted
    S->>C: Finished encrypted
    Note over C,S: Symmetric encryption now active

Common Misconception

✗ TLS 1.2 and TLS 1.3 are interchangeable — TLS 1.3 removes weak cipher suites, reduces latency with 1-RTT, and provides forward secrecy by default.

Why It Matters

A misconfigured TLS handshake exposes connections to downgrade attacks, MITM interception, or connection failures — and adds unnecessary latency when not tuned.

Common Mistakes

Leaving TLS 1.0/1.1 enabled — both are deprecated and vulnerable to known downgrade attacks.
Not enabling OCSP stapling — clients make a separate round-trip to check certificate revocation.
Weak cipher suites (RC4, 3DES, NULL) still listed as acceptable in server config.
Not testing with ssllabs.com — misconfigurations are often invisible without external scanning.

Code Examples

✗ Vulnerable

# nginx — TLS misconfiguration:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # Should not include TLS 1.0/1.1
ssl_ciphers ALL;                          # Allows weak ciphers
# Missing: ssl_stapling on;
# Missing: ssl_session_cache

✓ Fixed

# nginx — secure TLS config:
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;

References

Tags

Added 15 Mar 2026

Edited 22 Mar 2026

Curated in Warsaw under one editorial standard. 1,444 terms, single voice. About this reference →

Rate this term

No ratings yet

🤖 AI Guestbook educational data only

| |

Last 30 days

Agents 0

No pings yet today

No pings yesterday

Perplexity 7 Amazonbot 6 Unknown AI 2 Ahrefs 2 Google 1

Also referenced

Man-in-the-Middle Attack (MitM) 27 Insecure TLS / SSL 23 HTTP Strict Transport Security (HSTS) 23 Certificate Pinning 19

How they use it

crawler 18

Related categories

security 4k networking 500

⚡ DEV INTEL Tools & Severity

🟠 High ⚙ Fix effort: Low

⚡ Quick Fix

Enable TLS 1.3 in Nginx — it reduces the handshake to one round trip (vs two for TLS 1.2), improving TTFB by 50-100ms for new connections

📦 Applies To

any web

🔗 Prerequisites

SSL/TLS Certificate Types Asymmetric Encryption TCP/IP Model

🔍 Detection Hints

TLS 1.2 only when TLS 1.3 available; no session resumption; 0-RTT not enabled for returning clients

Auto-detectable: ✓ Yes ssllabs nginx-config openssl

⚠ Related Problems

SSL/TLS Certificate Types Insecure TLS / SSL performance degradation

🤖 AI Agent

Confidence: Medium False Positives: Medium ✗ Manual fix Fix: Medium Context: File

CWE-326 CWE-295