HTTP vs HTTPS - TLS Handshake & Certificate Chain
Client sends ClientHello
The client initiates the TLS handshake by sending a ClientHello message to the server. This message includes supported TLS versions, cipher suites, and a random nonce.
send(ClientHello)

Server receives ClientHello and sends ServerHello
The server receives the ClientHello and responds with a ServerHello message. It selects the TLS version and cipher suite from the client's list and sends its own random nonce.
receive(ClientHello)
send(ServerHello)

Server sends Certificate
The server sends its digital certificate to the client. This certificate contains the server's public key and is signed by a trusted Certificate Authority (CA).
send(Certificate)

Server sends ServerHelloDone
The server sends a ServerHelloDone message indicating that it has finished its part of the handshake messages.
send(ServerHelloDone)

Client verifies Certificate
The client verifies the server's certificate by checking the CA signature (following the chain of signatures up to a trusted root CA) and the certificate's validity.
verify_certificate(certificate)

Client sends ClientKeyExchange
The client sends the ClientKeyExchange message containing the pre-master secret encrypted with the server's public key.
send(ClientKeyExchange)

Client sends ChangeCipherSpec
The client sends a ChangeCipherSpec message to notify the server that subsequent messages will be encrypted using the negotiated keys.
send(ChangeCipherSpec)

Client sends Finished message
The client sends the Finished message encrypted with the session key, containing a hash of all previous handshake messages to verify integrity.
send(Finished)

Server sends ChangeCipherSpec
The server sends its ChangeCipherSpec message to notify the client that it will also switch to encrypted communication.
send(ChangeCipherSpec)

Server sends Finished message
The server sends its Finished message encrypted with the session key, confirming the handshake integrity from its side.
send(Finished)

Handshake complete, secure connection established
Both client and server have exchanged Finished messages and switched to encrypted communication. The TLS handshake is complete, and secure HTTP (HTTPS) communication can begin.
handshake_complete = True

def tls_handshake():
    # Pseudocode: one function narrates both sides; each send() is one message of the flow above.
    # STEP 1
    send(ClientHello())  # Client sends ClientHello: supported versions, cipher suites, client random
    # STEP 2
    client_hello = receive()  # Server receives the ClientHello
    send(ServerHello(choose_version(client_hello), choose_cipher(client_hello)))  # Server picks from the client's lists and adds its own random
    # STEP 3
    send(Certificate(server_certificate))  # Server sends its CA-signed certificate (public key inside)
    # STEP 4
    send(ServerHelloDone())  # Server signals end of its hello messages
    # STEP 5
    verify_certificate(server_certificate)  # Client checks the CA signature chain and validity; abort the handshake on failure
    # STEP 6
    send(ClientKeyExchange(encrypt(pre_master_secret, server_certificate.public_key)))  # Client sends the pre-master secret encrypted to the server's public key
    # STEP 7
    send(ChangeCipherSpec())  # Client switches to encrypted communication
    # STEP 8
    send(Finished(hash_of(handshake_messages)))  # Client's Finished: integrity check over all prior handshake messages
    # STEP 9
    send(ChangeCipherSpec())  # Server switches to encrypted communication
    # STEP 10
    send(Finished(hash_of(handshake_messages)))  # Server's Finished: the same check from its side
    # STEP 11
    handshake_complete = True  # Handshake done
    return handshake_complete

Key Takeaways
Reading code alone hides the sequence and purpose of each message; visualization clarifies the flow and dependencies.
Visualizing certificate transmission and verification highlights their role in security, which is often abstracted in code.
Seeing these messages explicitly helps understand how encryption activation is coordinated.
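The steps above describe the TLS 1.2 handshake with RSA key exchange. As an added example (not code from the original page), the following Python computes the two values the flow leaves abstract: how the pre-master secret and both Hello nonces become the 48-byte master secret, and how each Finished message binds a hash of the handshake transcript, using the RFC 5246 PRF built on HMAC-SHA256. The nonces, pre-master secret and transcript bytes are constructed placeholders, and the Certificate entry is a stand-in string.

```python
import hashlib
import hmac


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: expand secret+seed by chaining HMAC outputs."""
    out, a = b"", seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # Both Hello nonces are mixed in, so a captured ClientKeyExchange replayed
    # against a fresh ServerHello cannot reproduce an earlier session's keys.
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def finished_verify_data(master: bytes, role: str, transcript: bytes) -> bytes:
    # Finished carries 12 bytes derived from the hash of every prior handshake
    # message, so any alteration of the transcript in transit fails this check.
    label = b"client finished" if role == "client" else b"server finished"
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


def run_handshake_demo() -> dict:
    # Constructed, fixed values (not real randoms) so the result is reproducible.
    client_random = bytes(range(32))  # ClientHello.random (constructed)
    server_random = bytes(range(32, 64))  # ServerHello.random (constructed)
    pre_master = b"\x03\x03" + bytes(46)  # RSA key exchange: version bytes + 46 "random" bytes (constructed)
    transcript = (b"ClientHello" + client_random + b"ServerHello" + server_random
                  + b"Certificate<placeholder>" + b"ServerHelloDone" + b"ClientKeyExchange")
    master = master_secret(pre_master, client_random, server_random)
    client_fin = finished_verify_data(master, "client", transcript)
    # The server's Finished also covers the client's Finished it has just received.
    server_fin = finished_verify_data(master, "server", transcript + client_fin)
    # One flipped bit in the recorded ServerHello (its nonce byte here) gives a
    # different verify_data, which is how a modified handshake is detected.
    tampered = bytearray(transcript)
    tampered[len(b"ClientHello") + 32 + len(b"ServerHello")] ^= 0x01
    tampered_fin = finished_verify_data(master, "client", bytes(tampered))
    return {"master": master, "client_fin": client_fin,
            "server_fin": server_fin, "tampered_fin": tampered_fin}
```

Key derivation for the record layer (key_block = PRF(master_secret, "key expansion", server_random + client_random)) uses the same prf() with the nonces in the opposite order.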
