{
    "slug": "tls_handshake",
    "term": "TLS Handshake",
    "category": "networking",
    "difficulty": "intermediate",
    "short": "The negotiation process between client and server that establishes an encrypted HTTPS connection, agreeing on cipher suites and exchanging keys.",
    "long": "The TLS handshake authenticates the server (and optionally the client), negotiates the TLS version and cipher suite, and establishes session keys. TLS 1.3 completes in one round-trip vs TLS 1.2's two, significantly reducing connection latency. Understanding the handshake is essential for diagnosing certificate errors, choosing strong cipher suites, and implementing mutual TLS (mTLS) for service-to-service authentication.",
    "aliases": [
        "SSL handshake",
        "HTTPS handshake"
    ],
    "tags": [
        "tls",
        "https",
        "security",
        "networking",
        "encryption"
    ],
    "misconception": "TLS 1.2 and TLS 1.3 are interchangeable. In reality, TLS 1.3 removes weak cipher suites, reduces latency with a 1-RTT handshake, and provides forward secrecy by default.",
    "why_it_matters": "A misconfigured TLS handshake exposes connections to downgrade attacks, man-in-the-middle (MITM) interception, or outright connection failures — and adds unnecessary latency when it is not tuned.",
    "common_mistakes": [
        "Leaving TLS 1.0/1.1 enabled — both are deprecated, and keeping them available leaves connections exposed to known downgrade attacks.",
        "Not enabling OCSP stapling — clients must make a separate round-trip to the CA's OCSP responder to check certificate revocation.",
        "Weak cipher suites (RC4, 3DES, NULL) still listed as acceptable in server config.",
        "Not testing with ssllabs.com — misconfigurations are often invisible without external scanning."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "insecure_tls",
        "hsts",
        "certificate_pinning",
        "man_in_the_middle"
    ],
    "prerequisites": [
        "ssl_certificate_types",
        "asymmetric_encryption",
        "tcp_ip_model"
    ],
    "refs": [
        "https://developer.mozilla.org/en-US/docs/Web/Security/Transport_Layer_Security",
        "https://wiki.mozilla.org/Security/Server_Side_TLS"
    ],
    "bad_code": "# nginx — TLS misconfiguration:\nssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # Should not include TLS 1.0/1.1\nssl_ciphers ALL;                          # Allows weak ciphers\n# Missing: ssl_stapling on;\n# Missing: ssl_session_cache",
    "good_code": "# nginx — secure TLS config:\nssl_protocols TLSv1.2 TLSv1.3;\nssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;\nssl_prefer_server_ciphers off;\nssl_stapling on;\nssl_stapling_verify on;\nssl_session_cache shared:SSL:10m;\nssl_session_timeout 1d;",
    "quick_fix": "Enable TLS 1.3 in nginx — it reduces the handshake to one round trip (vs two for TLS 1.2), improving TTFB by 50-100ms for new connections.",
    "severity": "high",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/tls_handshake",
        "html_url": "https://codeclaritylab.com/glossary/tls_handshake",
        "json_url": "https://codeclaritylab.com/glossary/tls_handshake.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[TLS Handshake](https://codeclaritylab.com/glossary/tls_handshake) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/tls_handshake"
            }
        }
    }
}