IIS Support Blog
From Hello to Secure: The SSL/TLS Handshake Explained Like a Conversation

meenakshiBalekar
Sep 02, 2025

A deep dive for curious minds into what happens behind the HTTPS lock: demystifying the SSL/TLS handshake.

Hey everyone! 
Welcome back to the blog — today, we’re going to break down something that powers almost every secure interaction on the internet, but sounds way more intimidating than it is: the SSL/TLS handshake.


You’ve probably heard of SSL or TLS when someone talks about “HTTPS” or “secure websites.” But what’s really happening under the hood when your browser says "Secure"? Let’s find out together.

 

First Things First: What Is SSL/TLS?

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols. Their job is to:

  • Encrypt data between client and server (so no one else can read it)
  • Verify that the server (and optionally the client) is who it says it is
  • Ensure data hasn’t been tampered with during transit

SSL is the older version, and TLS is its improved, more secure successor. Nowadays, when people say “SSL,” they usually mean “TLS.”

 

What Is the SSL/TLS Handshake?

Before secure communication begins, the client (like your browser) and the server (like microsoft.com) go through a process to:

  • Agree on how to communicate securely
  • Authenticate each other
  • Exchange keys for encryption

That process is called the SSL/TLS handshake.

Think of it like this:
The browser and server meet each other at a masquerade party. Before dancing (i.e., securely exchanging data), they check IDs, agree on the music, and lock the dancefloor so no one else can sneak in.

Step-by-Step: How the SSL/TLS Handshake Works (TLS 1.2)

Let’s break it down using TLS 1.2 (most widely used, though TLS 1.3 is also common now).

1. ClientHello

The browser initiates the handshake with:

  • Supported TLS versions
  • List of supported cipher suites (ways to encrypt)
  • Random number (client_random)
  • Optional: Server name (via SNI extension)

This is the browser saying, “Hey, here are the languages I speak. Can we talk securely?”

2. ServerHello

The server responds with:

  • Chosen TLS version
  • Selected cipher suite
  • Its own random number (server_random)
  • Digital certificate (proves its identity)
  • Optional: ServerKeyExchange (for some cipher suites)

This is the server saying, “Sure, I’ll speak this encryption language. Here’s my ID (certificate) to prove I am who I say I am.”

3. Certificate Verification (on client side)

The client checks if:

  • The certificate is valid and trusted (via CA)
  • The hostname matches
  • It’s not expired or revoked

Think of it like checking if a driver's license is real and matches the person.

4. Pre-Master Secret Generation

  • Client generates a Pre-Master Secret (a temporary, shared value)
  • It encrypts this using the server’s public key (from certificate)
  • Sends it to the server

With RSA key exchange, which is what this step describes, only the server can decrypt this because only it has the private key.

5. Key Derivation (on both sides)

Using:

  • Pre-Master Secret
  • client_random
  • server_random

Both the client and the server derive the same symmetric session key, which will be used to encrypt communication.

6. Finished Messages

  • Client sends a “Finished” message (encrypted with the new key)
  • Server sends its own “Finished” message

Now both sides know the connection is secure. The handshake is complete!

From here on, your data (like passwords, credit card info, chats) is encrypted.

What Does This Look Like in a Network Trace?

Let’s peek into a real-world network trace using Microsoft Network Monitor (NetMon) or Wireshark. 

TLS:TLS Rec Layer-1 HandShake: Client Hello.
TLS:TLS Rec Layer-1 HandShake: Server Hello.; TLS Rec Layer-2 HandShake: Certificate.
TLS:Continued Data: 1378 Bytes
TLS:TLS Rec Layer-1 HandShake: Client Key Exchange.; TLS Rec Layer-2 Cipher Change Spec; TLS Rec Layer-3 HandShake: Encrypted Handshake Message.
TLS:TLS Rec Layer-1 HandShake: Encrypted Handshake Message.; TLS Rec Layer-2 Cipher Change Spec; TLS Rec Layer-3 HandShake: Encrypted Handshake Message.
TLS:TLS Rec Layer-1 SSL Application Data
TLS:TLS Rec Layer-1 SSL Application Data
TLS:TLS Rec Layer-1 SSL Application Data

What’s Happening Here?

Frame 1: ClientHello

You’ll see the cipher suites listed and maybe an SNI (like www.domain.com).

Frame 2: ServerHello + Certificate

This frame includes:

  • Server's selected cipher suite
  • Digital certificate with public key

Expand the certificate section to view fields like CN (Common Name), issuer, and validity dates.

Frame 3: ClientKeyExchange

The Pre-Master Secret is sent (encrypted with the server’s public key).

Then you’ll also see ChangeCipherSpec — this says, “From now on, I’m speaking in encrypted form.”

Frame 4: Server Finished

The server also sends ChangeCipherSpec and finishes the handshake. From this point forward, application data (like your login info) is encrypted.
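What a trace tool decodes in Frame 1, as an added example that is not part of the original post: a bounds-checked parser that pulls the offered version, cipher suites and SNI out of a ClientHello record and lists the offered suites that use the RSA key exchange from step 4. The sample record is constructed, the suite table covers only that sample, and the parser assumes the ClientHello fits in one record.

```python
SUITES = {0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # sample's suites only
          0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
          0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}

class Reader:  # bounds-checked cursor over TLS length-prefixed fields
    def __init__(self, data):
        self.data, self.pos = data, 0
    def more(self):
        return self.pos < len(self.data)
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated field")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def vec(self, len_bytes):
        return self.take(int.from_bytes(self.take(len_bytes), "big"))

def parse_client_hello(record):
    rec = Reader(record)
    if rec.take(1) != b"\x16":
        raise ValueError("not a handshake record")
    rec.take(2)                                  # record-layer version
    hs = Reader(rec.vec(2))
    if hs.take(1) != b"\x01":
        raise ValueError("not a ClientHello")
    ch = Reader(hs.vec(3))
    major, minor = ch.take(2)                    # 3.3 means TLS 1.2
    ch.take(32)                                  # client_random
    ch.vec(1)                                    # session_id
    raw = ch.vec(2)
    ids = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]
    names = [SUITES.get(i, f"0x{i:04X}") for i in ids]
    ch.vec(1)                                    # compression methods
    sni, exts = None, Reader(ch.vec(2) if ch.more() else b"")
    while exts.more():
        ext_type, body = exts.take(2), Reader(exts.vec(2))
        if ext_type == b"\x00\x00":              # server_name extension
            entry = Reader(body.vec(2))
            if entry.take(1) == b"\x00":         # name_type host_name
                sni = entry.vec(2).decode("ascii")
    return {"version": f"{major}.{minor}", "sni": sni, "suites": names,
            "rsa_key_exchange": [n for n in names if n.startswith("TLS_RSA_")]}

def _vec(n, body):                               # builds the constructed sample
    return len(body).to_bytes(n, "big") + body
_sni = b"\x00\x00" + _vec(2, _vec(2, b"\x00" + _vec(2, b"www.domain.com")))
_hello = (b"\x03\x03" + bytes(32) + _vec(1, b"") + _vec(1, b"")[:0]
          + _vec(2, bytes.fromhex("c02f009c002f")) + _vec(1, b"\x00") + _vec(2, _sni))
SAMPLE = b"\x16\x03\x01" + _vec(2, b"\x01" + _vec(3, _hello))
```

Suites reported under `rsa_key_exchange` are the ones where the client encrypts the pre-master secret to the certificate's public key, so they are worth flagging when auditing what clients still offer.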

Final Thoughts

And there you go! That’s the SSL/TLS handshake, explained step-by-step with a peek into what it looks like on the wire. 

It might seem complicated at first, but once you break it down, it's just a smart conversation between two computers deciding how to talk securely — kind of like two spies agreeing on a secret code before chatting.

Got Questions?

Drop your questions in the comments — I love digging into anything nerdy. 

Until next time — stay curious and stay secure!

 

Updated Jul 01, 2025
Version 1.0