| Internet protocol suite |
|---|
| Application layer |
| Transport layer |
| Internet layer |
| Link layer |
Transport Layer Security (TLS) is acryptographic protocol designed to provide communications security over a computer network, such as theInternet. Theprotocol is widely used in applications such asemail,instant messaging, andvoice over IP, but its use in securingHTTPS remains the most publicly visible.
The TLS protocol aims primarily to provide security, includingprivacy (confidentiality), integrity, and authenticity through the use ofcryptography, such as the use ofcertificates, between two or more communicating computer applications. It runs in thepresentation layer and is itself composed of two layers: the TLS record and the TLShandshake protocols.
The closely relatedDatagram Transport Layer Security (DTLS) is acommunications protocol that providessecurity todatagram-based applications. In technical writing, references to "(D)TLS" are often seen when it applies to both versions.[1]
TLS is a proposedInternet Engineering Task Force (IETF) standard, first defined in 1999, and the current version is TLS 1.3, defined in August 2018. TLS builds on the now-deprecatedSSL (Secure Sockets Layer) specifications (1994, 1995, 1996) developed byNetscape Communications for adding the HTTPS protocol to theirNetscape Navigator web browser.
Client-server applications use the TLSprotocol to communicate across a network in a way designed to preventeavesdropping andtampering.
Since applications can communicate either with or without TLS (or SSL), it is necessary for theclient to request that theserver set up a TLS connection.[2] One of the main ways of achieving this is to use a differentport number for TLS connections. Port 80 is typically used for unencryptedHTTP traffic while port 443 is the common port used for encryptedHTTPS traffic. Another mechanism is to make a protocol-specificSTARTTLS request to the server to switch the connection to TLS – for example, when using the mail andnews protocols.
Once the client and server have agreed to use TLS, they negotiate astateful connection by using a handshaking procedure (see§ TLS handshake).[3] The protocols use a handshake with anasymmetric cipher to establish not only cipher settings but also a session-specific shared key with which further communication is encrypted using asymmetric cipher. During this handshake, the client and server agree on various parameters used to establish the connection's security:
This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the session key until the connection closes. If any one of the above steps fails, then the TLS handshake fails and the connection is not created.
TLS and SSL do not fit neatly into any single layer of theOSI model or theTCP/IP model.[4][5] TLS runs "on top of some reliable transport protocol (e.g., TCP),"[6]: §1 which would imply that it is above thetransport layer. It serves encryption to higher layers, which is normally the function of thepresentation layer. However, applications generally use TLS as if it were a transport layer,[4][5] even though applications using TLS must actively control initiating TLS handshakes and handling of exchanged authentication certificates.[6]: §1
When secured by TLS, connections between a client (e.g., a web browser) and a server (e.g., wikipedia.org) will have all of the following properties:[6]: §1
TLS supports many different methods for exchanging keys, encrypting data, and authenticating message integrity. As a result, secure configuration of TLS involves many configurable parameters, and not all choices provide all of the privacy-related properties described in the list above (see the tables below§ Key exchange,§ Cipher security, and§ Data integrity).
Attempts have been made to subvert aspects of the communications security that TLS seeks to provide, and the protocol has been revised several times to address these security threats. Developers of web browsers have repeatedly revised their products to defend against potential security weaknesses after these were discovered (see TLS/SSL support history of web browsers).
Datagram Transport Layer Security, abbreviated DTLS, is a relatedcommunications protocol providingsecurity todatagram-based applications by allowing them to communicate in a way designed[7][8] to preventeavesdropping,tampering, ormessage forgery. The DTLS protocol is based on thestream-oriented Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees. However, unlike TLS, it can be used with most datagram oriented protocols includingUser Datagram Protocol (UDP),Datagram Congestion Control Protocol (DCCP),Control And Provisioning of Wireless Access Points (CAPWAP),Stream Control Transmission Protocol (SCTP) encapsulation, andSecure Real-time Transport Protocol (SRTP).
As the DTLS protocol datagram preserves the semantics of the underlying transport, the application does not suffer from the delays associated with stream protocols. However, the application has to deal withpacket reordering, loss of datagram and data larger than the size of a datagramnetwork packet. Because DTLS uses UDP or SCTP rather than TCP, it avoids theTCP meltdown problem,[9][10] when being used to create a VPN tunnel.
The original 2006 release of DTLS version 1.0 was not a standalone document. It was given as a series of deltas to TLS 1.1.[11] Similarly the follow-up 2012 release of DTLS is a delta to TLS 1.2. It was given the version number of DTLS 1.2 to match its TLS version. Lastly, the 2022 DTLS 1.3 is a delta to TLS 1.3. Like the two previous versions, DTLS 1.3 is intended to provide "equivalent security guarantees [to TLS 1.3] with the exception of order protection/non-replayability".[12]
ManyVPN clients includingCiscoAnyConnect[13] & InterCloud Fabric,[14]OpenConnect,[15]ZScaler tunnel,[16] F5 NetworksEdge VPN Client,[17] and Citrix SystemsNetScaler[18] use DTLS to secure UDP traffic. In addition all modern web browsers support DTLS-SRTP[19] forWebRTC.
| Protocol | Published | Status |
|---|---|---|
| Old version, not maintained: SSL 1.0 | Unpublished | Unpublished |
| Old version, not maintained: SSL 2.0 | 1995 | Deprecated in 2011 (RFC 6176) |
| Old version, not maintained: SSL 3.0 | 1996 | Deprecated in 2015 (RFC 7568) |
| Old version, not maintained: TLS 1.0 | 1999 | Deprecated in 2021 (RFC 8996)[20][21][22] |
| Old version, not maintained: TLS 1.1 | 2006 | Deprecated in 2021 (RFC 8996)[20][21][22] |
| Old version, still maintained: TLS 1.2 | 2008 | In use since 2008[23][24] |
| Latest version:TLS 1.3 | 2018 | In use since 2018[24][25] |
Legend: Old version, not maintained Old version, still maintained Latest version Latest preview version Future version | ||
The Transport Layer Security Protocol (TLS), together with several other basic network security platforms, was developed through a joint initiative begun in August 1986, among the National Security Agency, the National Bureau of Standards, the Defense Communications Agency, and twelve communications and computer corporations who initiated a special project called the Secure Data Network System (SDNS).[26] The program was described in September 1987 at the 10th National Computer Security Conference in an extensive set of published papers.
The innovative research program focused on designing the next generation of secure computer communications network and product specifications to be implemented for applications on public and private internets. It was intended to complement the rapidly emerging new OSI internet standards moving forward both in the U.S. government's GOSIP Profiles and in the huge ITU-ISO JTC1 internet effort internationally. Originally known as the SP4 protocol, it was renamed TLS and subsequently published in 1995 as international standard ITU-T X.274|ISO/IEC 10736:1995.
Early research efforts towards transport layer security included theSecure Network Programming (SNP)application programming interface (API), which in 1993 explored the approach of having a secure transport layer API closely resemblingBerkeley sockets, to facilitate retrofitting pre-existing network applications with security measures. SNP was published and presented in the 1994USENIX Summer Technical Conference.[27][28] The SNP project was funded by a grant fromNSA to ProfessorSimon Lam atUT-Austin in 1991.[29]Secure Network Programming won the 2004ACM Software System Award.[30][31] Simon Lam was inducted into theInternet Hall of Fame for "inventing secure sockets and implementing the first secure sockets layer, named SNP, in 1993."[32][33]
Netscape developed the original SSL protocols, andTaher Elgamal, chief scientist atNetscape Communications from 1995 to 1998, has been described as the "father of SSL".[34][35][36][37] SSL version 1.0 was never publicly released because of serious security flaws in the protocol. Version 2.0, after being released in February 1995 was quickly found to contain a number of security and usability flaws. It used the same cryptographic keys for message authentication and encryption. It had a weak MAC construction that used the MD5 hash function with a secret prefix, making it vulnerable to length extension attacks. It also provided no protection for either the opening handshake or an explicit message close, both of which meantman-in-the-middle attacks could go undetected. Moreover, SSL 2.0 assumed a single service and a fixed domain certificate, conflicting with the widely used feature of virtual hosting in Web servers, so most websites were effectively impaired from using SSL.
These flaws necessitated the complete redesign of the protocol to SSL version 3.0.[38][36] Released in 1996, it was produced byPaul Kocher working with Netscape engineers Phil Karlton and Alan Freier, with a reference implementation by Christopher Allen and Tim Dierks of Certicom. Newer versions of SSL/TLS are based on SSL 3.0. The 1996 draft of SSL 3.0 was published by IETF as a historical document inRFC 6101.
SSL 2.0 was deprecated in 2011 byRFC 6176. In 2014, SSL 3.0 was found to be vulnerable to thePOODLE attack that affects allblock ciphers in SSL;RC4, the only non-block cipher supported by SSL 3.0, is also feasibly broken as used in SSL 3.0.[39] SSL 3.0 was deprecated in June 2015 byRFC 7568.
TLS 1.0 was first defined inRFC 2246 in January 1999 as an upgrade of SSL Version 3.0, and written by Christopher Allen and Tim Dierks of Certicom. As stated in the RFC, "the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to preclude interoperability between TLS 1.0 and SSL 3.0". Tim Dierks later wrote that these changes, and the renaming from "SSL" to "TLS", were a face-saving gesture to Microsoft, "so it wouldn't look [like] the IETF was just rubberstamping Netscape's protocol".[40]
ThePCI Council suggested that organizations migrate from TLS 1.0 to TLS 1.1 or higher before June 30, 2018.[41][42] In October 2018,Apple,Google,Microsoft, andMozilla jointly announced they would deprecate TLS 1.0 and 1.1 in March 2020.[20] TLS 1.0 and 1.1 were formally deprecated inRFC 8996 in March 2021.
TLS 1.1 was defined in RFC 4346 in April 2006.[43] It is an update from TLS version 1.0. Significant differences in this version include:
Support for TLS versions 1.0 and 1.1 was widely deprecated by web sites around 2020, disabling access toFirefox versions before 24 andChromium-based browsers before 29.[45][46]
TLS 1.2 was defined inRFC 5246 in August 2008.[23] It is based on the earlier TLS 1.1 specification. Major differences include:
All TLS versions were further refined inRFC 6176 in March 2011, removing their backward compatibility with SSL such that TLS sessions never negotiate the use of Secure Sockets Layer (SSL) version 2.0. There is currently no formal date for TLS 1.2 to be deprecated. The specifications for TLS 1.2 became redefined as well by the Standards Track DocumentRFC 8446 to keep it as secure as possible; it is to be seen as a failover protocol now, meant only to be negotiated with clients which are unable to talk over TLS 1.3 (The original RFC 5246 definition for TLS 1.2 is since then obsolete).
TLS 1.3 was defined in RFC 8446 in August 2018.[6] It is based on the earlier TLS 1.2 specification. Major differences from TLS 1.2 include:[47]
Network Security Services (NSS), the cryptography library developed byMozilla and used by its web browserFirefox, enabled TLS 1.3 by default in February 2017.[49] TLS 1.3 support was subsequently added — but due to compatibility issues for a small number of users, not automatically enabled[50] — toFirefox 52.0, which was released in March 2017. TLS 1.3 was enabled by default in May 2018 with the release ofFirefox 60.0.[51]
Google Chrome set TLS 1.3 as the default version for a short time in 2017. It then removed it as the default, due to incompatible middleboxes such asBlue Coat web proxies.[52]
The intolerance of the new version of TLS wasprotocol ossification; middleboxes had ossified the protocol's version parameter. As a result, version 1.3 mimics thewire image of version 1.2. This change occurred very late in the design process, only having been discovered during browser deployment.[53] The discovery of this intolerance also led to the prior version negotiation strategy, where the highest matching version was picked, being abandoned due to unworkable levels of ossification.[54] 'Greasing' an extension point, where one protocol participant claims support for non-existent extensions to ensure that unrecognised-but-actually-existent extensions are tolerated and so to resist ossification, was originally designed for TLS, but it has since been adopted elsewhere.[54]
During the IETF 100Hackathon, which took place inSingapore in 2017, the TLS Group worked on adaptingopen-source applications to use TLS 1.3.[55][56] The TLS group was made up of individuals from Japan, United Kingdom, and Mauritius via the cyberstorm.mu team.[56] This work was continued in the IETF 101 Hackathon inLondon,[57] and the IETF 102 Hackathon in Montreal.[58]
wolfSSL enabled the use of TLS 1.3 as of version 3.11.1, released in May 2017.[59] As the first commercial TLS 1.3 implementation, wolfSSL 3.11.1 supported Draft 18 and now supports Draft 28,[60] the final version, as well as many older versions. A series of blogs were published on the performance difference between TLS 1.2 and 1.3.[61]
In, the popularOpenSSL project released version 1.1.1 of its library, in which support for TLS 1.3 was "the headline new feature".[62]
Support for TLS 1.3 was added toSecure Channel (schannel) for theGA releases ofWindows 11 andWindows Server 2022.[63]
TheElectronic Frontier Foundation praised TLS 1.3 and expressed concern about the variant protocol Enterprise Transport Security (ETS) that intentionally disables important security measures in TLS 1.3.[64] Originally called Enterprise TLS (eTLS), ETS is a published standard known as the 'ETSI TS103523-3', "Middlebox Security Protocol, Part3: Enterprise Transport Security". It is intended for use entirely within proprietary networks such as banking systems. ETS does not support forward secrecy so as to allow third-party organizations connected to the proprietary networks to be able to use their private key to monitor network traffic for the detection of malware and to make it easier to conduct audits.[65][66] Despite the claimed benefits, the EFF warned that the loss of forward secrecy could make it easier for data to be exposed along with saying that there are better ways to analyze traffic.[64]
A digital certificate certifies the ownership of a public key by the named subject of the certificate, and indicates certain expected usages of that key. This allows others (relying parties) to rely upon signatures or on assertions made by the private key that corresponds to the certified public key. Keystores and trust stores can be in various formats, such as.pem, .crt,.pfx, and.jks.
TLS typically relies on a set of trusted third-party certificate authorities to establish the authenticity of certificates. Trust is usually anchored in a list of certificates distributed with user agent software,[67] and can be modified by the relying party.
According toNetcraft, who monitors active TLS certificates, the market-leading certificate authority (CA) has beenSymantec since the beginning of their survey (orVeriSign before the authentication services business unit was purchased by Symantec). As of 2015, Symantec accounted for just under a third of all certificates and 44% of the valid certificates used by the 1 million busiest websites, as counted by Netcraft.[68] In 2017, Symantec sold its TLS/SSL business to DigiCert.[69] In an updated report, it was shown thatIdenTrust,DigiCert, andSectigo are the top 3 certificate authorities in terms of market share since May 2019.[70]
As a consequence of choosingX.509 certificates, certificate authorities and apublic key infrastructure are necessary to verify the relation between a certificate and its owner, as well as to generate, sign, and administer the validity of certificates. While this can be more convenient than verifying the identities via aweb of trust, the2013 mass surveillance disclosures made it more widely known that certificate authorities are a weak point from a security standpoint, allowingman-in-the-middle attacks (MITM) if the certificate authority cooperates (or is compromised).[71][72]
Before a client and server can begin to exchange information protected by TLS, they must securely exchange or agree upon an encryption key and a cipher to use when encrypting data (see§ Cipher). Among the methods used for key exchange/agreement are: public and private keys generated withRSA (denoted TLS_RSA in the TLS handshake protocol),Diffie–Hellman (TLS_DH), ephemeral Diffie–Hellman (TLS_DHE),elliptic-curve Diffie–Hellman (TLS_ECDH), ephemeral elliptic-curve Diffie–Hellman (TLS_ECDHE),anonymous Diffie–Hellman (TLS_DH_anon),[23]pre-shared key (TLS_PSK)[73] andSecure Remote Password (TLS_SRP).[74]
The TLS_DH_anon and TLS_ECDH_anon key agreement methods do not authenticate the server or the user and hence are rarely used because those are vulnerable toman-in-the-middle attacks. Only TLS_DHE and TLS_ECDHE provideforward secrecy.
Public key certificates used during exchange/agreement also vary in the size of the public/private encryption keys used during the exchange and hence the robustness of the security provided. In July 2013,Google announced that it would no longer use 1024-bit public keys and would switch instead to 2048-bit keys to increase the security of the TLS encryption it provides to its users because the encryption strength is directly related to thekey size.[75][76]
| Algorithm | SSL 2.0 | SSL 3.0 | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 | Status |
|---|---|---|---|---|---|---|---|
| RSA | Yes | Yes | Yes | Yes | Yes | No | Defined for TLS 1.2 in RFCs |
| DH-RSA | No | Yes | Yes | Yes | Yes | No | |
| DHE-RSA (forward secrecy) | No | Yes | Yes | Yes | Yes | Yes | |
| ECDH-RSA | No | No | Yes | Yes | Yes | No | |
| ECDHE-RSA (forward secrecy) | No | No | Yes | Yes | Yes | Yes | |
| DH-DSS | No | Yes | Yes | Yes | Yes | No | |
| DHE-DSS (forward secrecy) | No | Yes | Yes | Yes | Yes | No[77] | |
| DHE-ECDSA (forward secrecy) | No | No | No | No | No | Yes | |
| ECDH-ECDSA | No | No | Yes | Yes | Yes | No | |
| ECDHE-ECDSA (forward secrecy) | No | No | Yes | Yes | Yes | Yes | |
| DHE-EdDSA (forward secrecy) | No | No | No | No | No | Yes | |
| ECDH-EdDSA | No | No | Yes | Yes | Yes | No | |
| ECDHE-EdDSA (forward secrecy)[78] | No | No | Yes | Yes | Yes | Yes | |
| PSK | No | No | Yes | Yes | Yes | Yes | |
| RSA-PSK | No | No | Yes | Yes | Yes | No | |
| DHE-PSK (forward secrecy) | No | No | Yes | Yes | Yes | Yes | |
| ECDHE-PSK (forward secrecy) | No | No | Yes | Yes | Yes | Yes | |
| SRP | No | No | Yes | Yes | Yes | No | |
| SRP-DSS | No | No | Yes | Yes | Yes | No | |
| SRP-RSA | No | No | Yes | Yes | Yes | No | |
| Kerberos | No | No | Yes | Yes | Yes | ? | |
| DH-ANON (insecure) | No | Yes | Yes | Yes | Yes | No | |
| ECDH-ANON (insecure) | No | No | Yes | Yes | Yes | No | |
| GOST R 34.10-2012[79] | No | No | No | No | Yes | Yes | Defined for TLS 1.2 and for TLS 1.3 inRFC 9189,9367. |
| Cipher | Protocol version | Status | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Type | Algorithm | Nominal strength (bits) | SSL 2.0 | SSL 3.0 [n 1][n 2][n 3][n 4] | TLS 1.0 [n 1][n 3] | TLS 1.1 [n 1] | TLS 1.2 [n 1] | TLS 1.3 | |
| AESGCM[80][n 5] | 256, 128 | — | — | — | — | Secure | Secure | Defined for TLS 1.2 in RFCs | |
| AESCCM[81][n 5] | — | — | — | — | Secure | Secure | |||
| AESCBC[n 6] | — | Insecure | Depends on mitigations | Depends on mitigations | Depends on mitigations | — | |||
| CamelliaGCM[82][n 5] | 256, 128 | — | — | — | — | Secure | — | ||
| CamelliaCBC[83][n 6] | — | Insecure | Depends on mitigations | Depends on mitigations | Depends on mitigations | — | |||
| ARIAGCM[84][n 5] | 256, 128 | — | — | — | — | Secure | — | ||
| ARIACBC[84][n 6] | — | — | Depends on mitigations | Depends on mitigations | Depends on mitigations | — | |||
| SEEDCBC[85][n 6] | 128 | — | Insecure | Depends on mitigations | Depends on mitigations | Depends on mitigations | — | ||
| 3DES EDECBC[n 6][n 7] | 112[n 8] | Insecure | Insecure | Insecure | Insecure | Insecure | — | ||
| GOST R 34.12-2015 MagmaCTR[79][n 7] | 256 | — | — | Insecure | Insecure | Insecure | — | Defined inRFC 4357,9189 | |
| GOST R 34.12-2015 KuznyechikCTR[79] | 256 | — | — | — | — | Secure | — | Defined inRFC 9189 | |
| GOST R 34.12-2015 MagmaMGM[79][n 5][n 7] | 256 | — | — | — | — | — | Insecure | Defined inRFC 9367 | |
| GOST R 34.12-2015 KuznyechikMGM[79][n 5] | 256 | — | — | — | — | — | Secure | Defined inRFC 9367 | |
| IDEACBC[n 6][n 7][n 9] | 128 | Insecure | Insecure | Insecure | Insecure | — | — | Removed from TLS 1.2 | |
| DESCBC[n 6][n 7][n 9] | 56 | Insecure | Insecure | Insecure | Insecure | — | — | ||
| 40[n 10] | Insecure | Insecure | Insecure | — | — | — | Forbidden in TLS 1.1 and later | ||
| RC2CBC[n 6][n 7] | 40[n 10] | Insecure | Insecure | Insecure | — | — | — | ||
| ChaCha20-Poly1305[90][n 5] | 256 | — | — | — | — | Secure | Secure | Defined for TLS 1.2 in RFCs | |
| RC4[n 11] | 128 | Insecure | Insecure | Insecure | Insecure | Insecure | — | Prohibited in all versions of TLS byRFC 7465 | |
| 40[n 10] | Insecure | Insecure | Insecure | — | — | — | |||
| None | Null[n 12] | – | Insecure | Insecure | Insecure | Insecure | Insecure | — | Defined for TLS 1.2 in RFCs |
Amessage authentication code (MAC) is used for data integrity.HMAC is used forCBC mode of block ciphers.Authenticated encryption (AEAD) such asGCM andCCM mode uses AEAD-integrated MAC and does not useHMAC.[6]: §8.4 HMAC-basedPRF, orHKDF is used for TLS handshake.
| Algorithm | SSL 2.0 | SSL 3.0 | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 | Status |
|---|---|---|---|---|---|---|---|
| HMAC-MD5 | Yes | Yes | Yes | Yes | Yes | No | Defined for TLS 1.2 in RFCs |
| HMAC-SHA1 | No | Yes | Yes | Yes | Yes | No | |
| HMAC-SHA256/384 | No | No | No | No | Yes | No | |
| AEAD | No | No | No | No | Yes | Yes | |
| GOST 28147-89 IMIT[79] | No | No | No | No | Yes | No | Defined for TLS 1.2 inRFC 9189. |
| GOST R 34.12-2015AEAD[79] | No | No | No | No | No | Yes | Defined for TLS 1.3 inRFC 9367. |
In applications design, TLS is usually implemented on top of Transport Layer protocols, encrypting all of the protocol-related data of protocols such asHTTP,FTP,SMTP,NNTP andXMPP.
Historically, TLS has been used primarily with reliable transport protocols such as theTransmission Control Protocol (TCP). However, it has also been implemented with datagram-oriented transport protocols, such as theUser Datagram Protocol (UDP) and theDatagram Congestion Control Protocol (DCCP), usage of which has been standardized independently using the termDatagram Transport Layer Security (DTLS).
A primary use of TLS is to secureWorld Wide Web traffic between awebsite and aweb browser encoded with the HTTP protocol. This use of TLS to secure HTTP traffic constitutes theHTTPS protocol.[91]
| Protocol version | Website support[92] | Security[92][93] |
|---|---|---|
| Old version, not maintained: SSL 2.0 | 0.1% | Insecure |
| Old version, not maintained: SSL 3.0 | 1.4% | Insecure[94] |
| Old version, not maintained: TLS 1.0 | 27.9% | Deprecated[20][21][22] |
| Old version, not maintained: TLS 1.1 | 30.0% | Deprecated[20][21][22] |
| Old version, still maintained: TLS 1.2 | 99.9% | Depends on cipher[n 1] and client mitigations[n 2] |
| Latest version:TLS 1.3 | 70.1% | Secure |
As of March 2025[update], the latest versions of all major web browsers support TLS 1.2 and 1.3 and have them enabled by default, with the exception ofIE 11. TLS 1.0 and 1.1 are disabled by default on the latest versions of all major browsers.
Mitigations against known attacks are not enough yet:
Most SSL and TLS programming libraries arefree and open-source software.
A paper presented at the 2012ACMconference on computer and communications security[96] showed that many applications used some of these SSL libraries incorrectly, leading to vulnerabilities. According to the authors:
"The root cause of most of these vulnerabilities is the terrible design of the APIs to the underlying SSL libraries. Instead of expressing high-level security properties of network tunnels such as confidentiality and authentication, these APIs expose low-level details of the SSL protocol to application developers. As a consequence, developers often use SSL APIs incorrectly, misinterpreting and misunderstanding their manifold parameters, options, side effects, and return values."
TheSimple Mail Transfer Protocol (SMTP) can also be protected by TLS. These applications usepublic key certificates to verify the identity of endpoints.
TLS can also be used for tunneling an entire network stack to create aVPN, which is the case withOpenVPN andOpenConnect. Many vendors have by now married TLS's encryption and authentication capabilities with authorization. There has also been substantial development since the late 1990s in creating client technology outside of Web-browsers, in order to enable support for client/server applications. Compared to traditionalIPsec VPN technologies, TLS has some inherent advantages in firewall andNAT traversal that make it easier to administer for large remote-access populations.
TLS is also a standard method for protectingSession Initiation Protocol (SIP) application signaling. TLS can be used for providing authentication and encryption of the SIP signaling associated withVoIP and other SIP-based applications.[97]
Significant attacks against TLS/SSL are listed below.
In February 2015, IETF issued an informational RFC[98] summarizing the various known attacks against TLS/SSL.
A vulnerability of the renegotiation procedure was discovered in August 2009 that can lead to plaintext injection attacks against SSL 3.0 and all current versions of TLS.[99] For example, it allows an attacker who can hijack anhttps connection to splice their own requests into the beginning of the conversation the client has with the web server. The attacker cannot actually decrypt the client–server communication, so it is different from a typicalman-in-the-middle attack. A short-term fix is for web servers to stop allowing renegotiation, which typically will not require other changes unlessclient certificate authentication is used. To fix the vulnerability, a renegotiation indication extension was proposed for TLS. It will require the client and server to include and verify information about previous handshakes in any renegotiation handshakes.[100] This extension has become a proposed standard and has been assigned the numberRFC 5746. The RFC has been implemented by several libraries.[101][102][103]
A protocoldowngrade attack (also called a version rollback attack) tricks a web server into negotiating connections with previous versions of TLS (such as SSLv2) that have long since been abandoned as insecure.
Previous modifications to the original protocols, likeFalse Start[104] (adopted and enabled by Google Chrome[105]) orSnap Start, reportedly introduced limited TLS protocol downgrade attacks[106] or allowed modifications to the cipher suite list sent by the client to the server. In doing so, an attacker might succeed in influencing the cipher suite selection in an attempt to downgrade the cipher suite negotiated to use either a weaker symmetric encryption algorithm or a weaker key exchange.[107] A paper presented at anACMconference on computer and communications security in 2012 demonstrated that the False Start extension was at risk: in certain circumstances it could allow an attacker to recover the encryption keys offline and to access the encrypted data.[108]
Encryption downgrade attacks can force servers and clients to negotiate a connection using cryptographically weak keys. In 2014, aman-in-the-middle attack called FREAK was discovered affecting theOpenSSL stack, the defaultAndroid web browser, and someSafari browsers.[109] The attack involved tricking servers into negotiating a TLS connection using cryptographically weak 512 bit encryption keys.
Logjam is asecurity exploit discovered in May 2015 that exploits the option of using legacy"export-grade" 512-bitDiffie–Hellman groups dating back to the 1990s.[110] It forces susceptible servers to downgrade to cryptographically weak 512-bit Diffie–Hellman groups. An attacker can then deduce the keys the client and server determine using theDiffie–Hellman key exchange.
TheDROWN attack is an exploit that attacks servers supporting contemporary SSL/TLS protocol suites by exploiting their support for the obsolete, insecure, SSLv2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure.[111][112] DROWN exploits a vulnerability in the protocols used and the configuration of the server, rather than any specific implementation error. Full details of DROWN were announced in March 2016, together with a patch for the exploit. At that time, more than 81,000 of the top 1 million most popular websites were among the TLS protected websites that were vulnerable to the DROWN attack.[112]
On September 23, 2011, researchers Thai Duong and Juliano Rizzo demonstrated a proof of concept calledBEAST (Browser Exploit Against SSL/TLS)[113] using aJava applet to violatesame origin policy constraints, for a long-knowncipher block chaining (CBC) vulnerability in TLS 1.0:[114][115] an attacker observing 2 consecutive ciphertext blocks C0, C1 can test if the plaintext block P1 is equal to x by choosing the next plaintext blockP2 = x ⊕ C0 ⊕ C1; as per CBC operation,C2 = E(C1 ⊕ P2) = E(C1 ⊕ x ⊕ C0 ⊕ C1) = E(C0 ⊕ x), which will be equal to C1 ifx = P1. Practicalexploits had not been previously demonstrated for thisvulnerability, which was originally discovered byPhillip Rogaway[116] in 2002. The vulnerability of the attack had been fixed with TLS 1.1 in 2006, but TLS 1.1 had not seen wide adoption prior to this attack demonstration.
RC4 as a stream cipher is immune to BEAST attack. Therefore, RC4 was widely used as a way to mitigate BEAST attack on the server side. However, in 2013, researchers found more weaknesses in RC4. Thereafter enabling RC4 on server side was no longer recommended.[117]
Chrome and Firefox themselves are not vulnerable to BEAST attack,[118][119] however, Mozilla updated theirNSS libraries to mitigate BEAST-likeattacks. NSS is used byMozilla Firefox andGoogle Chrome to implement SSL. Someweb servers that have a broken implementation of the SSL specification may stop working as a result.[120]
Microsoft released Security Bulletin MS12-006 on January 10, 2012, which fixed the BEAST vulnerability by changing the way that the Windows Secure Channel (Schannel) component transmits encrypted network packets from the server end.[121] Users of Internet Explorer (prior to version 11) that run on older versions of Windows (Windows 7,Windows 8 andWindows Server 2008 R2) can restrict use of TLS to 1.1 or higher.
Apple fixed BEAST vulnerability by implementing 1/n-1 split and turning it on by default inOS X Mavericks, released on October 22, 2013.[122]
The authors of the BEAST attack are also the creators of the laterCRIME attack, which can allow an attacker to recover the content of web cookies whendata compression is used along with TLS.[123][124] When used to recover the content of secretauthentication cookies, it allows an attacker to performsession hijacking on an authenticated web session.
While the CRIME attack was presented as a general attack that could work effectively against a large number of protocols, including but not limited to TLS, and application-layer protocols such asSPDY orHTTP, only exploits against TLS and SPDY were demonstrated and largely mitigated in browsers and servers. The CRIME exploit againstHTTP compression has not been mitigated at all, even though the authors of CRIME have warned that this vulnerability might be even more widespread than SPDY and TLS compression combined. In 2013 a new instance of the CRIME attack against HTTP compression, dubbedBREACH, was announced. Based on the CRIME attack a BREACH attack can extract login tokens, email addresses or other sensitive information from TLS encrypted web traffic in as little as 30 seconds (depending on the number of bytes to be extracted), provided the attacker tricks the victim into visiting a malicious web link or is able to inject content into valid pages the user is visiting (ex: a wireless network under the control of the attacker).[125] All versions of TLS and SSL are at risk from BREACH regardless of the encryption algorithm or cipher used.[126] Unlike previous instances of CRIME, which can be successfully defended against by turning off TLS compression or SPDY header compression, BREACH exploits HTTP compression which cannot realistically be turned off, as virtually all web servers rely upon it to improve data transmission speeds for users.[125] This is a known limitation of TLS as it is susceptible tochosen-plaintext attack against the application-layer data it was meant to protect.
Earlier TLS versions were vulnerable against thepadding oracle attack discovered in 2002. A novel variant, called theLucky Thirteen attack, was published in 2013.
Some experts[88] also recommended avoidingtriple DES CBC. Since the last supported ciphers developed to support any program usingWindows XP's SSL/TLS library like Internet Explorer on Windows XP areRC4 and Triple-DES, and since RC4 is now deprecated (see discussion ofRC4 attacks), this makes it difficult to support any version of SSL for any program using this library on XP.
A fix was released as the Encrypt-then-MAC extension to the TLS specification, released asRFC 7366.[127] The Lucky Thirteen attack can be mitigated in TLS 1.2 by using only AES_GCM ciphers; AES_CBC remains vulnerable. SSL may safeguard email, VoIP, and other types of communications over insecure networks in addition to its primary use case of secure data transmission between a client and the server.[2]
On October 14, 2014, Google researchers published a vulnerability in the design of SSL 3.0, which makesCBC mode of operation with SSL 3.0 vulnerable to apadding attack (CVE-2014-3566). They named this attackPOODLE (Padding Oracle On Downgraded Legacy Encryption). On average, attackers only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages.[94]
Although this vulnerability only exists in SSL 3.0 and most clients and servers support TLS 1.0 and above, all major browsers voluntarily downgrade to SSL 3.0 if the handshakes with newer versions of TLS fail unless they provide the option for a user or administrator to disable SSL 3.0 and the user or administrator does so[citation needed]. Therefore, the man-in-the-middle can first conduct aversion rollback attack and then exploit this vulnerability.[94]
On December 8, 2014, a variant of POODLE was announced that impacts TLS implementations that do not properly enforce padding byte requirements.[128]
Despite the existence of attacks onRC4 that broke its security, cipher suites in SSL and TLS that were based on RC4 were still considered secure prior to 2013 based on the way in which they were used in SSL and TLS. In 2011, the RC4 suite was actually recommended as a workaround for theBEAST attack.[129] New forms of attack disclosed in March 2013 conclusively demonstrated the feasibility of breaking RC4 in TLS, suggesting it was not a good workaround for BEAST.[93] An attack scenario was proposed by AlFardan, Bernstein, Paterson, Poettering and Schuldt that used newly discovered statistical biases in the RC4 key table[130] to recover parts of the plaintext with a large number of TLS encryptions.[131][132] An attack on RC4 in TLS and SSL that requires 13 × 220 encryptions to break RC4 was unveiled on 8 July 2013 and later described as "feasible" in the accompanying presentation at aUSENIX Security Symposium in August 2013.[133][134] In July 2015, subsequent improvements in the attack make it increasingly practical to defeat the security of RC4-encrypted TLS.[135]
As many modern browsers have been designed to defeat BEAST attacks (except Safari for Mac OS X 10.7 or earlier, for iOS 6 or earlier, and for Windows; see§ Web browsers), RC4 is no longer a good choice for TLS 1.0. The CBC ciphers which were affected by the BEAST attack in the past have become a more popular choice for protection.[88] Mozilla and Microsoft recommend disabling RC4 where possible.[136][137]RFC 7465 prohibits the use of RC4 cipher suites in all versions of TLS.
On September 1, 2015, Microsoft, Google, and Mozilla announced that RC4 cipher suites would be disabled by default in their browsers (Microsoft Edge [Legacy],Internet Explorer 11 on Windows 7/8.1/10,Firefox, andChrome) in early 2016.[138][139][140]
A TLS (logout) truncation attack blocks a victim's account logout requests so that the user unknowingly remains logged into a web service. When the request to sign out is sent, the attacker injects an unencryptedTCP FIN message (no more data from sender) to close the connection. The server therefore does not receive the logout request and is unaware of the abnormal termination.[141]
Published in July 2013,[142][143] the attack causes web services such asGmail andHotmail to display a page that informs the user that they have successfully signed-out, while ensuring that the user's browser maintains authorization with the service, allowing an attacker with subsequent access to the browser to access and take over control of the user's logged-in account. The attack does not rely on installing malware on the victim's computer; attackers need only place themselves between the victim and the web server (e.g., by setting up a rogue wireless hotspot).[141] This vulnerability also requires access to the victim's computer.Another possibility is when using FTP the data connection can have a false FIN in the data stream, and if the protocol rules for exchanging close_notify alerts is not adhered to a file can be truncated.
In February 2013 two researchers from Royal Holloway, University of London discovered a timing attack[144] which allowed them to recover (parts of the) plaintext from a DTLS connection using the OpenSSL or GnuTLS implementation of DTLS whenCipher Block Chaining mode encryption was used.
This attack, discovered in mid-2016, exploits weaknesses in theWeb Proxy Autodiscovery Protocol (WPAD) to expose the URL that a web user is attempting to reach via a TLS-enabled web link.[145] Disclosure of a URL can violate a user's privacy, not only because of the website accessed, but also because URLs are sometimes used to authenticate users. Document sharing services, such as those offered by Google and Dropbox, also work by sending a user a security token that is included in the URL. An attacker who obtains such URLs may be able to gain full access to a victim's account or data.
The exploit works against almost all browsers and operating systems.
The Sweet32 attack breaks all 64-bit block ciphers used in CBC mode as used in TLS by exploiting abirthday attack and either aman-in-the-middle attack or injection of a maliciousJavaScript into a web page. The purpose of the man-in-the-middle attack or the JavaScript injection is to allow the attacker to capture enough traffic to mount a birthday attack.[146]
TheHeartbleed bug is a serious vulnerability specific to the implementation of SSL/TLS in the popularOpenSSL cryptographic software library, affecting versions 1.0.1 to 1.0.1f. This weakness, reported in April 2014, allows attackers to stealprivate keys from servers that should normally be protected.[147] The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret private keys associated with thepublic certificates used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.[148] The vulnerability is caused by abuffer over-read bug in the OpenSSL software, rather than a defect in the SSL or TLS protocol specification.
In September 2014, a variant ofDaniel Bleichenbacher's PKCS#1 v1.5 RSA Signature Forgery vulnerability[149] was announced by Intel Security Advanced Threat Research. This attack, dubbed BERserk, is a result of incomplete ASN.1 length decoding of public key signatures in some SSL implementations, and allows a man-in-the-middle attack by forging a public key signature.[150]
In February 2015, after media reported the hidden pre-installation ofsuperfish adware on some Lenovo notebooks,[151] a researcher found a trusted root certificate on affected Lenovo machines to be insecure, as the keys could easily be accessed using the company name, Komodia, as a passphrase.[152] The Komodia library was designed to intercept client-side TLS/SSL traffic for parental control and surveillance, but it was also used in numerous adware programs, including Superfish, that were often surreptitiously installed unbeknownst to the computer user. In turn, thesepotentially unwanted programs installed the corrupt root certificate, allowing attackers to completely control web traffic and confirm false websites as authentic.
In May 2016, it was reported that dozens of Danish HTTPS-protected websites belonging toVisa Inc. were vulnerable to attacks allowing hackers to inject malicious code and forged content into the browsers of visitors.[153] The attacks worked because the TLS implementation used on the affected servers incorrectly reused random numbers (nonces) that are intended to be used only once, ensuring that eachTLS handshake is unique.[153]
In February 2017, an implementation error caused by a single mistyped character in code used to parse HTML created a buffer overflow error onCloudflare servers. Similar in its effects to the Heartbleed bug discovered in 2014, this overflow error, widely known asCloudbleed, allowed unauthorized third parties to read data in the memory of programs running on the servers—data that should otherwise have been protected by TLS.[154]
As of July 2021[update], the Trustworthy Internet Movement estimated the ratio of websites that are vulnerable to TLS attacks.[92]
| Attacks | Security | |||
|---|---|---|---|---|
| Insecure | Depends | Secure | Other | |
| Renegotiation attack | < 0.1% support insecure renegotiation | < 0.1% support both | 99.7% support secure renegotiation | 0.3% no support |
| RC4 attacks | 0.2% support RC4 suites used with modern browsers | 3.0% support some RC4 suites | 96.9% no support | — |
| TLS Compression (CRIME attack) | 0% vulnerable | — | — | — |
| Heartbleed | 0% vulnerable | — | — | — |
| ChangeCipherSpec injection attack | < 0.1% vulnerable and exploitable | < 0.1% vulnerable, not exploitable | 99.5% not vulnerable | 0.4% unknown |
| POODLE attack against TLS (Original POODLE against SSL 3.0 is not included) | < 0.1% vulnerable and exploitable | — | 99.9% not vulnerable | 0.1% unknown |
| Protocol downgrade | 4.1% Downgrade defence not supported | — | 80.2% Downgrade defence supported | 15.7% unknown |
Forward secrecy is a property of cryptographic systems which ensures that a session key derived from a set of public and private keys will not be compromised if one of the private keys is compromised in the future.[155] Without forward secrecy, if the server's private key is compromised, not only will all future TLS-encrypted sessions using that server certificate be compromised, but also any past sessions that used it as well (provided that these past sessions were intercepted and stored at the time of transmission).[156] An implementation of TLS can provide forward secrecy by requiring the use of ephemeralDiffie–Hellman key exchange to establish session keys, and some notable TLS implementations do so exclusively: e.g.,Gmail and other Google HTTPS services that useOpenSSL.[157] However, many clients and servers supporting TLS (including browsers and web servers) are not configured to implement such restrictions.[158][159] In practice, unless a web service uses Diffie–Hellman key exchange to implement forward secrecy, all of the encrypted web traffic to and from that service can be decrypted by a third party if it obtains the server's master (private) key; e.g., by means of a court order.[160]
Even where Diffie–Hellman key exchange is implemented, server-side session management mechanisms can impact forward secrecy. The use ofTLS session tickets (a TLS extension) causes the session to be protected by AES128-CBC-SHA256 regardless of any other negotiated TLS parameters, including forward secrecy ciphersuites, and the long-lived TLS session ticket keys defeat the attempt to implement forward secrecy.[161][162][163] Stanford University research in 2014 also found that of 473,802 TLS servers surveyed, 82.9% of the servers deploying ephemeral Diffie–Hellman (DHE) key exchange to support forward secrecy were using weak Diffie–Hellman parameters. These weak parameter choices could potentially compromise the effectiveness of the forward secrecy that the servers sought to provide.[164]
Since late 2011, Google has provided forward secrecy with TLS by default to users of itsGmail service, along withGoogle Docs and encrypted search, among other services.[165]Since November 2013,Twitter has provided forward secrecy with TLS to users of its service.[166] As of August 2019[update], about 80% of TLS-enabled websites are configured to use cipher suites that provide forward secrecy to most web browsers.[92]
TLS interception (orHTTPS interception if applied particularly to that protocol) is the practice of intercepting an encrypted data stream in order to decrypt it, read and possibly manipulate it, and then re-encrypt it and send the data on its way again. This is done by way of a "transparent proxy": the interception software terminates the incoming TLS connection, inspects the HTTP plaintext, and then creates a new TLS connection to the destination.[167]
TLS/HTTPS interception is used as aninformation security measure by network operators in order to be able to scan for and protect against the intrusion of malicious content into the network, such ascomputer viruses and othermalware.[167] Such content could otherwise not be detected as long as it is protected by encryption, which is increasingly the case as a result of the routine use of HTTPS and other secure protocols.
A significant drawback of TLS/HTTPS interception is that it introduces new security risks of its own. One notable limitation is that it provides a point where network traffic is available unencrypted thus giving attackers an incentive to attack this point in particular in order to gain access to otherwise secure content. The interception also allows the network operator, or persons who gain access to its interception system, to performman-in-the-middle attacks against network users. A 2017 study found that "HTTPS interception has become startlingly widespread, and that interception products as a class have a dramatically negative impact on connection security".[167]
The TLS protocol exchangesrecords, which encapsulate the data to be exchanged in a specific format (see below). Each record can be compressed, padded, appended with amessage authentication code (MAC), or encrypted, all depending on the state of the connection. Each record has acontent type field that designates the type of data encapsulated, a length field and a TLS version field. The data encapsulated may be control or procedural messages of the TLS itself, or simply the application data needed to be transferred by TLS. The specifications (cipher suite, keys etc.) required to exchange application data by TLS, are agreed upon in the "TLS handshake" between the client requesting the data and the server responding to requests. The protocol therefore defines both the structure of payloads transferred in TLS and the procedure to establish and monitor the transfer.
When the connection starts, the record encapsulates a "control" protocol – the handshake messaging protocol (content type 22). This protocol is used to exchange all the information required by both sides for the exchange of the actual application data by TLS. It defines the format of messages and the order of their exchange. These may vary according to the demands of the client and server – i.e., there are several possible procedures to set up the connection. This initial exchange results in a successful TLS connection (both parties ready to transfer application data with TLS) or an alert message (as specified below).
A typical connection example follows, illustrating ahandshake where the server (but not the client) is authenticated by its certificate:
The followingfull example shows a client being authenticated (in addition to the server as in the example above; seemutual authentication) via TLS using certificates exchanged between both peers.
Public key operations (e.g., RSA) are relatively expensive in terms of computational power. TLS provides a secure shortcut in the handshake mechanism to avoid these operations: resumed sessions. Resumed sessions are implemented using session IDs or session tickets.
Apart from the performance benefit, resumed sessions can also be used forsingle sign-on, as it guarantees that both the original session and any resumed session originate from the same client. This is of particular importance for theFTP over TLS/SSL protocol, which would otherwise suffer from a man-in-the-middle attack in which an attacker could intercept the contents of the secondary data connections.[170]
The TLS 1.3 handshake was condensed to only one round trip compared to the two round trips required in previous versions of TLS/SSL.
To start the handshake, the client guesses which key exchange algorithm will be selected by the server and sends aClientHello message to the server containing a list of supported ciphers (in order of the client's preference) and public keys for some or all of its key exchange guesses. If the client successfully guesses the key exchange algorithm, 1 round trip is eliminated from the handshake. After receiving theClientHello, the server selects a cipher and sends back aServerHello with its own public key, followed by serverCertificate andFinished messages.[171]
After the client receives the server's finished message, it now is coordinated with the server on which cipher suite to use.[172]
In an ordinaryfull handshake, the server sends asession id as part of theServerHello message. The client associates thissession id with the server's IP address and TCP port, so that when the client connects again to that server, it can use thesession id to shortcut the handshake. In the server, thesession id maps to the cryptographic parameters previously negotiated, specifically the "master secret". Both sides must have the same "master secret" or the resumed handshake will fail (this prevents an eavesdropper from using asession id). The random data in theClientHello andServerHello messages virtually guarantee that the generated connection keys will be different from in the previous connection. In the RFCs, this type of handshake is called anabbreviated handshake. It is also described in the literature as arestart handshake.
RFC 5077 extends TLS via use of session tickets, instead of session IDs. It defines a way to resume a TLS session without requiring that session-specific state is stored at the TLS server.
When using session tickets, the TLS server stores its session-specific state in a session ticket and sends the session ticket to the TLS client for storing. The client resumes a TLS session by sending the session ticket to the server, and the server resumes the TLS session according to the session-specific state in the ticket. The session ticket is encrypted and authenticated by the server, and the server verifies its validity before using its contents.
One particular weakness of this method withOpenSSL is that it always limits encryption and authentication security of the transmitted TLS session ticket toAES128-CBC-SHA256, no matter what other TLS parameters were negotiated for the actual TLS session.[162] This means that the state information (the TLS session ticket) is not as well protected as the TLS session itself. Of particular concern is OpenSSL's storage of the keys in an application-wide context (SSL_CTX), i.e. for the life of the application, and not allowing for re-keying of theAES128-CBC-SHA256 TLS session tickets without resetting the application-wide OpenSSL context (which is uncommon, error-prone and often requires manual administrative intervention).[163][161]
This is the general format of all TLS records.
| Offset | Byte+0 | Byte+1 | Byte+2 | Byte+3 |
|---|---|---|---|---|
| Byte 0 | Content type | — | ||
| Bytes 1–4 | Legacy version | Length | ||
| (Major) | (Minor) | (bits 15–8) | (bits 7–0) | |
| Bytes 5–(m−1) | Protocol message(s) | |||
| Bytes m–(p−1) | MAC (optional) | |||
| Bytes p–(q−1) | Padding (block ciphers only) | |||
| Hex | Dec | Type |
|---|---|---|
| 0×14 | 20 | ChangeCipherSpec |
| 0×15 | 21 | Alert |
| 0×16 | 22 | Handshake |
| 0×17 | 23 | Application |
| 0×18 | 24 | Heartbeat |
| Major version | Minor version | Version type |
|---|---|---|
| 3 | 0 | SSL 3.0 |
| 3 | 1 | TLS 1.0 |
| 3 | 2 | TLS 1.1 |
| 3 | 3 | TLS 1.2 |
| 3 | 4 | TLS 1.3 |
Most messages exchanged during the setup of the TLS session are based on this record, unless an error or warning occurs and needs to be signaled by an Alert protocol record (see below), or the encryption mode of the session is modified by another record (see ChangeCipherSpec protocol below).
| Offset | Byte+0 | Byte+1 | Byte+2 | Byte+3 |
|---|---|---|---|---|
| Byte 0 | 22 | — | ||
| Bytes 1–4 | Legacy version | Length | ||
| (Major) | (Minor) | (bits 15–8) | (bits 7–0) | |
| Bytes 5–8 | Message type | Handshake message data length | ||
| (bits 23–16) | (bits 15–8) | (bits 7–0) | ||
| Bytes 9–(n−1) | Handshake message data | |||
| Bytes n–(n+3) | Message type | Handshake message data length | ||
| (bits 23–16) | (bits 15–8) | (bits 7–0) | ||
| Bytes (n+4)– | Handshake message data | |||
| Code | Description |
|---|---|
| 0 | HelloRequest |
| 1 | ClientHello |
| 2 | ServerHello |
| 4 | NewSessionTicket |
| 8 | EncryptedExtensions (TLS 1.3 only) |
| 11 | Certificate |
| 12 | ServerKeyExchange |
| 13 | CertificateRequest |
| 14 | ServerHelloDone |
| 15 | CertificateVerify |
| 16 | ClientKeyExchange |
| 20 | Finished |
Note that multiple handshake messages may be combined within one record.
This record should normally not be sent during normal handshaking or application exchanges. However, this message can be sent at any time during the handshake and up to the closure of the session. If this is used to signal a fatal error, the session will be closed immediately after sending this record, so this record is used to give a reason for this closure. If the alert level is flagged as a warning, the remote can decide to close the session if it decides that the session is not reliable enough for its needs (before doing so, the remote may also send its own signal).
| Offset | Byte+0 | Byte+1 | Byte+2 | Byte+3 |
|---|---|---|---|---|
| Byte 0 | 21 | — | ||
| Bytes 1–4 | Legacy version | Length | ||
| (Major) | (Minor) | 0 | 2 | |
| Bytes 5–6 | Level | Description | — | |
| Bytes 7–(p−1) | MAC (optional) | |||
| Bytes p–(q−1) | Padding (block ciphers only) | |||
| Code | Level type | Connection state |
|---|---|---|
| 1 | warning | connection or security may be unstable. |
| 2 | fatal | connection or security may be compromised, or an unrecoverable error has occurred. |
| Code | Description | Level types | Note |
|---|---|---|---|
| 0 | Close notify | warning/fatal | |
| 10 | Unexpected message | fatal | |
| 20 | Bad record MAC | fatal | Possibly a bad SSL implementation, or payload has been tampered with e.g. FTP firewall rule onFTPS server. |
| 21 | Decryption failed | fatal | TLS only, reserved |
| 22 | Record overflow | fatal | TLS only |
| 30 | Decompression failure | fatal | |
| 40 | Handshake failure | fatal | |
| 41 | No certificate | warning/fatal | SSL 3.0 only, reserved |
| 42 | Bad certificate | warning/fatal | |
| 43 | Unsupported certificate | warning/fatal | e.g. certificate has only server authentication usage enabled and is presented as a client certificate |
| 44 | Certificate revoked | warning/fatal | |
| 45 | Certificate expired | warning/fatal | Check server certificate expire also check no certificate in the chain presented has expired |
| 46 | Certificate unknown | warning/fatal | |
| 47 | Illegal parameter | fatal | |
| 48 | Unknown CA (Certificate authority) | fatal | TLS only |
| 49 | Access denied | fatal | TLS only – e.g. no client certificate has been presented (TLS: Blank certificate message or SSLv3: No Certificate alert), but server is configured to require one. |
| 50 | Decode error | fatal | TLS only |
| 51 | Decrypt error | warning/fatal | TLS only |
| 60 | Export restriction | fatal | TLS only, reserved |
| 70 | Protocol version | fatal | TLS only |
| 71 | Insufficient security | fatal | TLS only |
| 80 | Internal error | fatal | TLS only |
| 86 | Inappropriate fallback | fatal | TLS only |
| 90 | User canceled | fatal | TLS only |
| 100 | No renegotiation | warning | TLS only |
| 110 | Unsupported extension | warning | TLS only |
| 111 | Certificate unobtainable | warning | TLS only |
| 112 | Unrecognized name | warning/fatal | TLS only; client'sServer Name Indicator specified ahostname not supported by the server |
| 113 | Bad certificate status response | fatal | TLS only |
| 114 | Bad certificate hash value | fatal | TLS only |
| 115 | UnknownPSK identity (used inTLS-PSK andTLS-SRP) | fatal | TLS only |
| 116 | Certificate required | fatal | TLS version 1.3 only |
| 120 or 255 | No application protocol | fatal | TLS version 1.3 only |
| Offset | Byte+0 | Byte+1 | Byte+2 | Byte+3 |
|---|---|---|---|---|
| Byte 0 | 20 | — | ||
| Bytes 1–4 | Legacy version | Length | ||
| (Major) | (Minor) | 0 | 1 | |
| Byte 5 | CCS protocol type | — | ||
| Offset | Byte+0 | Byte+1 | Byte+2 | Byte+3 |
|---|---|---|---|---|
| Byte 0 | 23 | — | ||
| Bytes 1–4 | Legacy version | Length | ||
| (Major) | (Minor) | (bits 15–8) | (bits 7–0) | |
| Bytes 5–(m−1) | Application data | |||
| Bytes m–(p−1) | MAC (optional) | |||
| Bytes p–(q−1) | Padding (block ciphers only) | |||
From the application protocol point of view, TLS belongs to a lower layer, although the TCP/IP model is too coarse to show it. This means that the TLS handshake is usually (except in theSTARTTLS case) performed before the application protocol can start. In thename-based virtual server feature being provided by the application layer, all co-hosted virtual servers share the same certificate because the server has to select and send a certificate immediately after the ClientHello message. This is a big problem in hosting environments because it means either sharing the same certificate among all customers or using a different IP address for each of them.
There are two known workarounds provided byX.509:
To provide the server name,RFC 4366 Transport Layer Security (TLS) Extensions allow clients to include aServer Name Indication extension (SNI) in the extended ClientHello message. This extension hints to the server immediately which name the client wishes to connect to, so the servercan select the appropriate certificate to send to the clients.
RFC 2817 also documents a method to implement name-based virtual hosting by upgrading HTTP to TLS via anHTTP/1.1 Upgrade header. Normally this is to securely implement HTTP over TLS within the main "http"URI scheme (which avoids forking the URI space and reduces the number of used ports), however, few implementations currently support this.[citation needed]
{{cite web}}: CS1 maint: archived copy as title (link)Plaintext recovery attacks against RC4 in TLS are feasible although not truly practical
The current approved version of (D)TLS is version 1.3, which is specified in:
The current standards replaces these former versions, which are now considered obsolete:
OtherRFCs subsequently extended (D)TLS.
Extensions to (D)TLS 1.3 include:
Extensions to (D)TLS 1.2 include:
Extensions to (D)TLS 1.1 include:
Extensions to TLS 1.0 include: