
Browser steps when opening HTTPS page

Tags: https, ssl

I want to know the steps that the browser does when it opens an HTTPS page, to deeply understand every action that needs to be done by both parties (server and client). I know the basic steps that it does, but I want to get more into the details. The links that I have found on Google describe general information but not the details.

Is there any source where I can read related info?

I've been thinking about looking into the sources of Mozilla Firefox, but decided to ask here first.

Thank you.

nomail asked May 15 '12 21:05


1 Answer

HTTPS is defined in RFC 2818. In short, the browser first establishes an SSL/TLS connection to the server and then sends HTTP requests/responses within this connection.

To establish the SSL/TLS channel, the client initiates a handshake, during which the server sends its X.509 certificate. Besides the SSL/TLS handshake mechanisms, the browser verifies the certificate against a list of trust anchors it has (the trusted certificates) and against the name it's trying to access (the host name in the URL must match the certificate, as defined in RFC 2818 Section 3.1). Most of this is usually implemented within the SSL/TLS stacks, but some browsers can let you bypass this by adding exceptions (sometimes, permanent exceptions), so browsers also have a fallback mechanism in case the SSL/TLS stack fails to accept the certificate successfully.

The SSL/TLS protocol (and its handshake) is defined in the SSLv3, TLS 1.0, 1.1 and 1.2 specifications.

Using the server public key in the server certificate, the client and server are able to perform an authenticated key exchange, after which they have a pre master secret in common. The master secret and then the shared symmetric keys used for encrypting the application data are derived from this pre master secret.

The mechanisms used for this authenticated key exchange depend on the cipher suite. There are more details in the TLS specification itself.

If you want to learn by example, it's worth looking at the Wireshark sample data (as shown in this answer).

"The First Few Milliseconds of an HTTPS Connection" should also be of interest.

Bruno answered Oct 02 '22 17:10