Content deleted Content added
Aprogrammer (talk | contribs) m (forgot to comment on this revision; will resubmit) |
→Extensions: {{Sum RFC}} |
||
Line 1:
{{short description|Cryptographic protocols for securing data in transit}}
'''Transport Layer Security''' ('''TLS''') is a [[cryptographic protocol]] designed to provide communications security over a computer network, such as the [[Internet]]. The [[communication protocol|protocol]] is widely used in [[Application software|applications]] such as [[email]], [[instant messaging]], and [[voice over IP]], but its use in securing [[HTTPS]] remains the most publicly visible.
The TLS protocol aims primarily to provide security, including [[privacy]] (confidentiality), integrity, and authenticity through the use of [[cryptography]], such as the use of [[public key certificate|certificates]], between two or more communicating computer applications. It runs in the [[presentation layer]] and is itself composed of two layers: the TLS record and the TLS [[Handshake (computing)|handshake protocols]].
The closely related [[DTLS|Datagram Transport Layer Security (DTLS)]] is a [[communications protocol]] that provides [[communications security|security]] to [[datagram]]-based applications. In technical writing, references to "(D)TLS" are often seen when it applies to both versions.<ref>i.e. {{Cite news |title=Delegated Credentials for (D)TLS |url=https://datatracker.ietf.org/doc/html/draft-ietf-tls-subcerts-15 |access-date=2024-06-26 |newspaper=Ietf |language=en |archive-date=2024-06-26 |archive-url=https://web.archive.org/web/20240626174852/https://datatracker.ietf.org/doc/html/draft-ietf-tls-subcerts-15 |url-status=live }}</ref>
TLS is a proposed [[Internet Engineering Task Force]] (IETF) standard, first defined in 1999, and the current version is TLS 1.3, defined in August 2018. TLS builds on the now-deprecated '''SSL''' ('''Secure Sockets Layer''') specifications (1994, 1995, 1996) developed by [[Netscape Communications]] for adding the [[HTTPS]] protocol to their [[Netscape Navigator]] web browser.
==Description==
[[Client–server model|Client–server]] applications use the TLS [[cryptographic protocol|protocol]] to communicate across a network in a way designed to prevent [[eavesdropping]] and [[tamper-evident|tampering]].
Since applications can communicate either with or without TLS (or SSL), it is necessary for the [[client (computing)|client]] to request that the [[server (computing)|server]] set up a TLS connection.<ref name=":0">{{cite IETF|last1=Lawrence|first1=Scott|last2=Khare|first2=Rohit|title=Upgrading to TLS Within HTTP/1.1|rfc=2817|publisher=Internet Engineering Task Force|date=May 2000}}</ref> One of the main ways of achieving this is to use a different [[port (computer networking)|port number]] for TLS connections. Port 80 is typically used for unencrypted [[Hypertext Transfer Protocol|HTTP]] traffic while port 443 is the common port used for encrypted [[HTTPS]] traffic. Another mechanism is to make a protocol-specific [[opportunistic TLS|STARTTLS]] request to the server to switch the connection to TLS – for example, when using some mail and [[usenet|news]] protocols.
Once the client and server have agreed to use TLS, they negotiate a [[state (computer science)|stateful]] connection by using a handshaking procedure (see {{slink||TLS_handshake}}).<ref>{{cite web|url=https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc785811(v=ws.10)|title=SSL/TLS in Detail|department=[[Microsoft TechNet|TechNet]]|website=[[Microsoft Docs]]|date=October 8, 2009|access-date=2021-10-24|archive-date=2022-08-13|archive-url=https://web.archive.org/web/20220813015525/https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc785811(v=ws.10)|url-status=live}}</ref> The protocols use a handshake with an [[asymmetric cipher]] to establish not only cipher settings but also a session-specific shared key with which further communication is encrypted using a [[symmetric cipher]]. During this handshake, the client and server agree on various parameters used to establish the connection's security:
*The handshake begins when a client connects to a TLS-enabled server requesting a secure connection and the client presents a list of supported [[cipher suite]]s ([[encryption|ciphers]] and [[hash function]]s).
*From this list, the server picks a cipher and hash function that it also supports and notifies the client of the decision.
*The server usually then provides identification in the form of a [[Public key certificate|digital certificate]]. The certificate contains the [[hostname|server name]], the trusted [[certificate authority]] (CA) that vouches for the authenticity of the certificate, and the server's public encryption key.
*The client confirms the validity of the certificate before proceeding.
*To generate the session keys used for the secure connection, the client either:
**encrypts a [[random number generation|random number]] (''PreMasterSecret'') with the server's public key and sends the result to the server (which only the server should be able to decrypt with its private key); both parties then use the random number to generate a unique session key for subsequent encryption and decryption of data during the session, or
**uses [[Diffie–Hellman key exchange]] (or its variant [[Elliptic-curve Diffie–Hellman|elliptic-curve DH]]) to securely generate a random and unique session key for encryption and decryption that has the additional property of [[forward secrecy]]: if the server's private key is disclosed in future, it cannot be used to decrypt the current session, even if the session is intercepted and recorded by a third party.
This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the session key until the connection closes. If any one of the above steps fails, then the TLS handshake fails and the connection is not created.
TLS and SSL do not fit neatly into any single layer of the [[OSI model]] or the [[internet protocol suite|TCP/IP model]].<ref name=ccnp>{{cite book|last1=Hooper|first1=Howard|title=CCNP Security VPN 642–648 Official Cert Guide|date=2012|publisher=Cisco Press|isbn=9780132966382|page=22|edition=2|url=https://books.google.com/books?id=5PJisOKJ0k8C&pg=PA22}}</ref><ref name="stackex_layer">{{cite web|url=https://security.stackexchange.com/a/93338|title=What layer is TLS?|website=Information Security Stack Exchange|first1=Andrew|last1=Spott|first2=Tom|last2=Leek|display-authors=etal|access-date=2017-04-13|archive-date=2021-02-13|archive-url=https://web.archive.org/web/20210213050549/https://security.stackexchange.com/questions/93333/what-layer-is-tls/93338|url-status=live}}</ref> TLS runs "on top of some reliable transport protocol (e.g., [[Transmission Control Protocol|TCP]]),"{{Ref RFC|8446|rsection=1}} which would imply that it is above the [[transport layer]]. It serves encryption to higher layers, which is normally the function of the [[presentation layer]]. However, applications generally use TLS as if it were a transport layer,<ref name=ccnp/><ref name="stackex_layer"/> even though applications using TLS must actively control initiating TLS handshakes and handling of exchanged authentication certificates.{{Ref RFC|8446|rsection=1}}
When secured by TLS, connections between a client (e.g., a web browser) and a server (e.g., wikipedia.org) will have all of the following properties:{{Ref RFC|8446|rsection=1}}
*The connection is ''private'' (or has ''confidentiality'') because a [[symmetric-key algorithm]] is used to encrypt the data transmitted. The keys for this symmetric encryption are generated uniquely for each connection and are based on a shared secret that was negotiated at the start of the session. The server and client negotiate the details of which encryption algorithm and cryptographic keys to use before the first byte of data is transmitted (see below). The negotiation of a shared secret is both secure (the negotiated secret is unavailable to eavesdroppers and cannot be obtained, even by an attacker who places themselves in the middle of the connection) and reliable (no attacker can modify the communications during the negotiation without being detected).
*The identity of the communicating parties can be ''authenticated'' using [[public-key cryptography]]. This authentication is required for the server and optional for the client.
*The connection is ''reliable'' (or has ''integrity'') because each message transmitted includes a message integrity check using a [[message authentication code]] to prevent undetected loss or alteration of the data during transmission.
TLS supports many different methods for exchanging keys, encrypting data, and authenticating message integrity. As a result, secure configuration of TLS involves many configurable parameters, and not all choices provide all of the privacy-related properties described in the list above (see the tables below [[#Key exchange or key agreement|§ Key exchange]], [[#Cipher|§ Cipher security]], and {{slink||Data integrity}}).
Attempts have been made to subvert aspects of the communications security that TLS seeks to provide, and the protocol has been revised several times to address these security threats. Developers of web browsers have repeatedly revised their products to defend against potential security weaknesses after these were discovered (see TLS/SSL support history of web browsers).
=== Datagram Transport Layer Security ===
Datagram Transport Layer Security, abbreviated DTLS, is a related [[communications protocol]] providing [[communications security|security]] to [[datagram]]-based applications by allowing them to communicate in a way designed<ref name="RFC 4347">{{cite IETF|rfc=4347|title=Datagram Transport Layer Security|first1=Eric|last1=Rescorla|first2=Nagendra|last2=Modadugu|date=April 2006}}</ref><ref name="RFC 6347">{{cite IETF|rfc=6347|title=Datagram Transport Layer Security Version 1.2|first1=Eric|last1=Rescorla|first2=Nagendra|last2=Modadugu|date=January 2012}}</ref> to prevent [[eavesdropping]], [[man in the middle attack|tampering]], or [[message forgery]]. The DTLS protocol is based on the [[Stream (computing)|stream]]-oriented Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees. However, unlike TLS, it can be used with most datagram oriented protocols including [[User Datagram Protocol]] (UDP), [[Datagram Congestion Control Protocol]] (DCCP), [[CAPWAP|Control And Provisioning of Wireless Access Points]] (CAPWAP), [[Stream Control Transmission Protocol]] (SCTP) encapsulation, and [[Secure Real-time Transport Protocol]] (SRTP).
As the DTLS protocol datagram preserves the semantics of the underlying transport, the application does not suffer from the delays associated with stream protocols. However, the application has to deal with [[packet reordering]], loss of datagram and data larger than the size of a datagram [[network packet]]. Because DTLS uses UDP or SCTP rather than TCP, it avoids the [[TCP meltdown problem]],<ref>{{cite web
| url=http://sites.inka.de/bigred/devel/tcp-tcp.html
| title=Why TCP Over TCP Is A Bad Idea
| first=Olaf
| last=Titz
| date=2001-04-23
| access-date=2015-10-17
| archive-date=2023-03-10
| archive-url=https://web.archive.org/web/20230310043036/http://sites.inka.de/bigred/devel/tcp-tcp.html
| url-status=live
}}</ref><ref>{{cite conference
| bibcode=2005SPIE.6011..138H
| title=Understanding TCP over TCP: effects of TCP tunneling on end-to-end throughput and latency
|author1=Honda, Osamu |author2=Ohsaki, Hiroyuki |author3=Imase, Makoto |author4=Ishizuka, Mika |author5=Murayama, Junichi | s2cid=8945952
|book-title=Performance, Quality of Service, and Control of Next-Generation Communication and Sensor Networks III
| volume=6011
| date=October 2005
| doi=10.1117/12.630496
| citeseerx=10.1.1.78.5815
| editor1-last=Atiquzzaman
| editor1-first=Mohammed
| editor2-last=Balandin
| editor2-first=Sergey I
}}</ref> when being used to create a VPN tunnel.
The original 2006 release of DTLS version 1.0 was not a standalone document. It was given as a series of deltas to TLS 1.1.<ref>{{IETF RFC|4347|link=no}} § 4</ref> Similarly the follow-up 2012 release of DTLS is a delta to TLS 1.2. It was given the version number of DTLS 1.2 to match its TLS version. Lastly, the 2022 DTLS 1.3 is a delta to TLS 1.3. Like the two previous versions, DTLS 1.3 is intended to provide "equivalent security guarantees [to TLS 1.3] with the exception of order protection/non-replayability".<ref>{{cite IETF |rfc=9147 | title=The Datagram Transport Layer Security (DTLS) Protocol Version 1.3 | date=April 21, 2022 | last1=Rescorla | first1=Eric | last2=Tschofenig | first2=Hannes | last3=Modadugu | first3=Nagena }}</ref>
Many [[Virtual private network|VPN clients]] including [[Cisco]] [[AnyConnect]]<ref>{{cite web
| url=http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116312-qanda-anyconnect-00.html
| title=AnyConnect FAQ: tunnels, reconnect behavior, and the inactivity timer
| publisher=[[Cisco]]
| access-date=26 February 2017
| archive-date=26 February 2017
| archive-url=https://web.archive.org/web/20170226131243/http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116312-qanda-anyconnect-00.html
| url-status=live
}}</ref> & InterCloud Fabric,<ref>{{cite web
| url=http://www.cisco.com/c/en/us/td/docs/solutions/Hybrid_Cloud/Intercloud/Intercloud_Fabric/Intercloud_Fabric_2.pdf
| title=Cisco InterCloud Architectural Overview
| publisher=[[Cisco Systems]]
| access-date=2022-11-29
| archive-date=2022-08-09
| archive-url=https://web.archive.org/web/20220809111605/https://www.cisco.com/c/en/us/td/docs/solutions/Hybrid_Cloud/Intercloud/Intercloud_Fabric/Intercloud_Fabric_2.pdf
| url-status=live
}}</ref> [[OpenConnect]],<ref>{{cite web |title=OpenConnect |url=https://www.infradead.org/openconnect/ |access-date=26 February 2017 |publisher=[[OpenConnect]] |archive-date=2 February 2017 |archive-url=https://web.archive.org/web/20170202104439/http://www.infradead.org/openconnect/ |url-status=live }}</ref> [[Zscaler|ZScaler]] tunnel,<ref>{{cite web
| url=https://help.zscaler.com/z-app/about-z-tunnel-1.0-z-tunnel-2.0
| title=ZScaler ZTNA 2.0 Tunnel
| publisher=[[ZScaler]]
| access-date=2022-11-29
| archive-date=2022-11-29
| archive-url=https://web.archive.org/web/20221129041020/https://help.zscaler.com/z-app/about-z-tunnel-1.0-z-tunnel-2.0
| url-status=live
}}</ref> F5 Networks [[F5 Networks#BIG-IP product modules|Edge VPN Client]],<ref>{{cite web
| url=https://f5.com/glossary/datagram-transport-layer-security-dtls
| title=f5 Datagram Transport Layer Security (DTLS)
| publisher=[[f5 Networks]]
| access-date=2022-11-29
| archive-date=2022-11-29
| archive-url=https://web.archive.org/web/20221129041024/https://www.f5.com/glossary/datagram-transport-layer-security-dtls
| url-status=live
}}</ref> and Citrix Systems [[Citrix Systems#Networking and cloud|NetScaler]]<ref>{{cite web |title=Configuring a DTLS Virtual Server |url=http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/config-ssloffloading/config-dtls-vserver.html |publisher=[[Citrix Systems]] |access-date=2022-11-29 |archive-date=2016-12-21 |archive-url=https://web.archive.org/web/20161221020000/http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/config-ssloffloading/config-dtls-vserver.html |url-status=live }}</ref> use DTLS to secure UDP traffic. In addition all modern web browsers support DTLS-SRTP<ref>{{cite web
|url=https://sites.google.com/site/webrtc/interop
|title=WebRTC Interop Notes
|url-status=dead
|archive-url=https://web.archive.org/web/20130511043959/https://sites.google.com/site/webrtc/interop
|archive-date=2013-05-11
}}</ref> for [[WebRTC]].
==History and development==
{|class="wikitable sortable"style=float:right;text-align:center;margin-left:1em
|+SSL and TLS protocols
|-
!scope=col|Protocol
!scope=col|Published
!scope=col|Status
|-
|scope=row {{Version |o |SSL 1.0}}
|{{N/A|Unpublished}}
|{{N/A|Unpublished}}
|-
|scope=row {{Version |o |SSL 2.0}}
|1995
|Deprecated in 2011 ({{IETF RFC|6176|link=no}})
|-
|scope=row {{Version |o |SSL 3.0}}
|1996
|Deprecated in 2015 ({{IETF RFC|7568|link=no}})
|-
|scope=row {{Version |o |TLS 1.0}}
|1999
|Deprecated in 2021 ({{IETF RFC|8996|link=no}})<ref name="tls-deprecation"/><ref name=":3">{{cite web|url=https://www.ghacks.net/2020/03/10/here-is-what-is-new-and-changed-in-firefox-74-0-stable|title=Here is what is new and changed in Firefox 74.0 Stable – gHacks Tech News|website=www.ghacks.net|date=10 March 2020|access-date=2020-03-10|archive-date=2020-03-11|archive-url=https://web.archive.org/web/20200311120434/https://www.ghacks.net/2020/03/10/here-is-what-is-new-and-changed-in-firefox-74-0-stable/|url-status=live}}</ref><ref name=":4">{{cite web|url=https://chromestatus.com/feature/5759116003770368|title=TLS 1.0 and TLS 1.1 – Chrome Platform Status|website=chromestatus.com|access-date=2020-03-10|archive-date=2023-07-07|archive-url=https://web.archive.org/web/20230707094450/https://chromestatus.com/feature/5759116003770368|url-status=live}}</ref>
|-
|scope=row {{Version |o |TLS 1.1}}
|2006
|Deprecated in 2021 ({{IETF RFC|8996|link=no}})<ref name="tls-deprecation"/><ref name=":3"/><ref name=":4"/>
|-
|scope=row {{Version |co |TLS 1.2}}
|2008
|In use since 2008{{Ref RFC|5246}}<ref name="ncsc">{{cite web|title=Using TLS to protect data|url=https://www.ncsc.gov.uk/guidance/using-tls-to-protect-data|archive-url=https://web.archive.org/web/20210721072543/http://ncsc.gov.uk/guidance/using-tls-to-protect-data|archive-date=July 21, 2021|access-date=August 24, 2022|website=www.ncsc.gov.uk|url-status=live}}</ref>
|-
|scope=row {{Version |c |TLS 1.3}}
|2018
|In use since 2018<ref name="ncsc"/><ref>{{cite web|title=TLS 1.3: One Year Later|url=https://www.ietf.org/blog/tls13-adoption|archive-url=https://web.archive.org/web/20200708030455/https://www.ietf.org/blog/tls13-adoption|archive-date=July 8, 2020|access-date=August 24, 2022|website=IETF|url-status=live}}</ref>
|-
|colspan="3" | {{Version|l|show=011100}}
|}
===Early research projects===
====Secure Data Network System====
{{Anchor|DNS}}
In August 1986, the National Security Agency, the National Bureau of Standards, the Defense Communications Agency launched a project, called the Secure Data Network System (SDNS), with the intent of designing the next generation of secure computer communications network and product specifications to be implemented for applications on public and private internets. It was intended to complement the rapidly emerging new OSI internet standards moving forward both in the U.S. government's GOSIP Profiles and in the huge ITU-ISO JTC1 internet effort internationally.<ref>{{cite web|url=https://www.circleid.com/posts/20190124_creating_tls_the_pioneering_role_of_ruth_nelson|title=Creating TLS: The Pioneering Role of Ruth Nelson|access-date=2020-07-04|archive-date=2020-06-24|archive-url=https://web.archive.org/web/20200624123447/http://www.circleid.com/posts/20190124_creating_tls_the_pioneering_role_of_ruth_nelson/|url-status=live}}</ref>
As part of the project, researchers designed a protocol called SP4 (''security protocol'' in layer 4 of the OSI system). This was later renamed the Transport Layer Security Protocol (TLSP) and subsequently published in 1995 as international standard ITU-T X.274|ISO/IEC 10736:1995.<ref>{{cite web|url=https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-X.274-199407-I!!PDF-E&type=items|title=Information technology – Telecommunication and information exchange between systems – Transport layer security protocol|access-date=2025-05-03|archive-date=2025-05-03|archive-url=https://web.archive.org/web/20250503170309/https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-X.274-199407-I!!PDF-E&type=items|url-status=live}}</ref> Despite the name similarity, this is distinct from today's TLS.
===={{Anchor|SNP}}Secure Network Programming (SNP)====
Other efforts towards transport layer security included the [[Secure Network Programming]] (SNP) [[application programming interface]] (API), which in 1993 explored the approach of having a secure transport layer API closely resembling [[Berkeley sockets]], to facilitate retrofitting pre-existing network applications with security measures. SNP was published and presented in the 1994 [[USENIX]] Summer Technical Conference.<ref name="Woo94">{{cite conference |first1=Thomas Y. C. |last1=Woo |first2=Raghuram |last2=Bindignavle |first3=Shaowen |last3=Su |first4=Simon S. |last4=Lam |author-link4=Simon S. Lam |url=http://www.cs.utexas.edu/users/lam/Vita/Cpapers/WBSL94.pdf |title=SNP: An interface for secure network programming |conference=Proceedings USENIX Summer Technical Conference |date=June 1994 |access-date=2023-07-05 |archive-date=2014-12-12 |archive-url=https://web.archive.org/web/20141212000043/http://www.cs.utexas.edu/users/lam/Vita/Cpapers/WBSL94.pdf |url-status=live }}</ref><ref>{{cite web |url=https://www.usenix.org/legacy/publications/library/proceedings/bos94/ |title=1994 USENIX Summer Technical Conference Program, Boston, 6–10 June 1994 |access-date=21 January 2024 |archive-date=6 October 2023 |archive-url=https://web.archive.org/web/20231006204601/https://www.usenix.org/legacy/publications/library/proceedings/bos94/ |url-status=live }}</ref> The SNP project was funded by a grant from [[National Security Agency|NSA]] to Professor [[Simon Lam]] at [[University of Texas at Austin|UT-Austin]] in 1991.<ref>[[Simon S. Lam]] (PI/PD), "Applying a Theory of Modules and Interfaces to Security Verification," NSA INFOSEC University Research Program grant no. MDA 904-91-C-7046, 6/28/91 to 6/27/93.</ref> [[Secure Network Programming]] won the 2004 [[ACM Software System Award]].<ref>{{cite web|url=https://awards.acm.org/award_winners/lam_1287606.cfm|title=2004 ACM Software System Award citation|publisher=[[Association for Computing Machinery|ACM]]|access-date=25 July 2012|archive-date=17 June 2013|archive-url=https://web.archive.org/web/20130617014921/http://awards.acm.org/award_winners/lam_1287606.cfm|url-status=live}}</ref><ref>{{cite web|url=https://www.cs.utexas.edu/~lam/Awards/SoftwareSystemAward/ACM%20Press%20Release,%20March%2015,%202005.htm|title=ACM Press Release, March 15, 2005|publisher=[[Association for Computing Machinery|ACM]]|access-date=25 July 2012|archive-date=10 January 2016|archive-url=https://web.archive.org/web/20160110063723/http://www.cs.utexas.edu/~lam/Awards/SoftwareSystemAward/ACM%20Press%20Release,%20March%2015,%202005.htm|url-status=live}}</ref> Simon Lam was inducted into the [[Internet Hall of Fame]] for "inventing secure sockets and implementing the first secure sockets layer, named SNP, in 1993."<ref>{{cite web| url=https://www.internethalloffame.org/inductee/simon-s-lam| title=Internet Hall of Fame inductee Simon S. Lam| access-date=3 Mar 2024| archive-date=6 February 2024| archive-url=https://web.archive.org/web/20240206211215/https://www.internethalloffame.org/inductee/simon-s-lam/| url-status=live}}</ref><ref>{{cite web|url=https://cns.utexas.edu/news/accolades/computer-scientist-inducted-internet-hall-fame|title=Computer Scientist Inducted into Internet Hall of Fame|access-date=3 Mar 2024|archive-date=8 March 2024|archive-url=https://web.archive.org/web/20240308192655/https://cns.utexas.edu/news/accolades/computer-scientist-inducted-internet-hall-fame|url-status=live}}</ref>
===SSL 1.0, 2.0, and 3.0===
{{redirect|SSL 1|the enzyme|Presqualene diphosphate synthase}}
Netscape developed the original SSL protocols, and [[Taher Elgamal]], chief scientist at [[Netscape|Netscape Communications]] from 1995 to 1998, has been described as the "father of SSL".<ref name="Messmer">{{cite news|last=Messmer|first=Ellen|title=Father of SSL, Dr. Taher Elgamal, Finds Fast-Moving IT Projects in the Middle East|url=http://www.networkworld.com/news/2012/120412-elgamal-264739.html|work=Network World|access-date=30 May 2014|url-status=dead|archive-url=https://web.archive.org/web/20140531105537/http://www.networkworld.com/news/2012/120412-elgamal-264739.html|archive-date=31 May 2014}}</ref><ref name="Greene">{{cite news|last=Greene|first=Tim|title=Father of SSL says despite attacks, the security linchpin has lots of life left|url=http://www.networkworld.com/news/2011/101111-elgamal-251806.html|work=Network World|access-date=30 May 2014|url-status=dead|archive-url=https://web.archive.org/web/20140531105257/http://www.networkworld.com/news/2011/101111-elgamal-251806.html|archive-date=31 May 2014}}</ref><ref name=Oppliger>{{cite book|title=SSL and TLS: Theory and Practice|edition=2nd|last=Oppliger|first=Rolf|year=2016|chapter=Introduction|chapter-url=https://books.google.com/books?id=jm6uDgAAQBAJ&pg=PA15|page=13|publisher=[[Artech House]]|isbn=978-1-60807-999-5|via=Google Books|access-date=2018-03-01}}</ref><ref>{{cite web|archive-url=https://web.archive.org/web/19970614020952/http://home.netscape.com/newsref/std/SSL.html|archive-date=14 June 1997|title=THE SSL PROTOCOL|url=http://home.netscape.com/newsref/std/SSL.html|publisher=Netscape Corporation|year=2007}}</ref> SSL version 1.0 was never publicly released because of serious security flaws in the protocol. Version 2.0, after being released in February 1995 was quickly found to contain a number of security and usability flaws. It used the same cryptographic keys for message authentication and encryption. It had a weak MAC construction that used the MD5 hash function with a secret prefix, making it vulnerable to length extension attacks. It also provided no protection for either the opening handshake or an explicit message close, both of which meant [[man-in-the-middle attacks]] could go undetected. Moreover, SSL 2.0 assumed a single service and a fixed ___domain certificate, conflicting with the widely used feature of virtual hosting in Web servers, so most websites were effectively impaired from using SSL.
These flaws necessitated the complete redesign of the protocol to SSL version 3.0.<ref>{{harvnb|Rescorla|2001}}</ref><ref name=Oppliger/> Released in 1996, it was produced by [[Paul Carl Kocher|Paul Kocher]] working with Netscape engineers Phil Karlton and Alan Freier, with a reference implementation by Christopher Allen and Tim Dierks of Certicom. Newer versions of SSL/TLS are based on SSL 3.0. The 1996 draft of SSL 3.0 was published by IETF as a historical document in {{IETF RFC|6101}}.
SSL 2.0 was deprecated in 2011 by {{IETF RFC|6176}}. In 2014, SSL 3.0 was found to be vulnerable to the [[POODLE]] attack that affects all [[block cipher]]s in SSL; [[RC4]], the only non-block cipher supported by SSL 3.0, is also feasibly broken as used in SSL 3.0.<ref name="Poodle">{{cite web|url=https://access.redhat.com/articles/1232123|title=POODLE: SSLv3 vulnerability (CVE-2014-3566)|access-date=21 October 2014|url-status=live|archive-url=https://web.archive.org/web/20141205124712/https://access.redhat.com/articles/1232123|archive-date=5 December 2014}}</ref> SSL 3.0 was deprecated in June 2015 by {{IETF RFC|7568}}.
===TLS 1.0===
TLS 1.0 was first defined in {{IETF RFC|2246}} in January 1999 as an upgrade of SSL Version 3.0, and written by Christopher Allen and Tim Dierks of Certicom. As stated in the RFC, "the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to preclude interoperability between TLS 1.0 and SSL 3.0". Tim Dierks later wrote that these changes, and the renaming from "SSL" to "TLS", were a face-saving gesture to Microsoft, "so it wouldn't look [like] the IETF was just rubberstamping Netscape's protocol".<ref>{{cite web|url=http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html|title=Security Standards and Name Changes in the Browser Wars|access-date=2020-02-29|archive-date=2020-02-29|archive-url=https://web.archive.org/web/20200229221707/http://tim.dierks.org/2014/05/security-standards-and-name-changes-in.html|url-status=live}}</ref>
The [[Payment Card Industry Security Standards Council|PCI Council]] suggested that organizations migrate from TLS 1.0 to TLS 1.1 or higher before June 30, 2018.<ref>{{cite web|url=https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls|title=Date Change for Migrating from SSL and Early TLS|author=Laura K. Gray|date=2015-12-18|website=[[Payment Card Industry Security Standards Council]] blog|access-date=2018-04-05|archive-date=2015-12-20|archive-url=https://web.archive.org/web/20151220190802/http://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls|url-status=live}}</ref><ref>{{Cite news|url=https://www.forbes.com/sites/thesba/2018/05/30/changes-to-pci-compliance-are-coming-june-30-is-your-ecommerce-business-ready|title=Changes to PCI Compliance are Coming June 30. Is Your Ecommerce Business Ready?|work=Forbes|access-date=2018-06-20|language=en|archive-date=2018-06-21|archive-url=https://web.archive.org/web/20180621020422/https://www.forbes.com/sites/thesba/2018/05/30/changes-to-pci-compliance-are-coming-june-30-is-your-ecommerce-business-ready/|url-status=live}}</ref> In October 2018, [[Apple Inc.|Apple]], [[Google]], [[Microsoft]], and [[Mozilla]] jointly announced they would deprecate TLS 1.0 and 1.1 in March 2020.<ref name="tls-deprecation">{{cite web|url=https://arstechnica.com/gadgets/2018/10/browser-vendors-unite-to-end-support-for-20-year-old-tls-1-0|title=Apple, Google, Microsoft, and Mozilla come together to end TLS 1.0|last=Bright|first=Peter|date=17 October 2018|access-date=17 October 2018|archive-date=17 October 2018|archive-url=https://web.archive.org/web/20181017000107/https://arstechnica.com/gadgets/2018/10/browser-vendors-unite-to-end-support-for-20-year-old-tls-1-0/|url-status=live}}</ref> TLS 1.0 and 1.1 were formally deprecated in {{IETF RFC|8996}} in March 2021.
==
TLS 1.1 was defined in RFC 4346 in April 2006.{{Ref RFC|4346}} It is an update from TLS version 1.0. Significant differences in this version include:
*Added protection against [[Block cipher mode of operation#Cipher Block Chaining (CBC)|cipher-block chaining]] (CBC) attacks.
**The implicit [[initialization vector]] (IV) was replaced with an explicit IV.
**Change in handling of [[Block cipher mode of operation#Padding|padding errors]].
*Support for [[Internet Assigned Numbers Authority|IANA]] registration of parameters.<ref name="urlnvlpubs.nist.gov">{{Cite web |title=Transport Layer Security Parameters – Cipher Suites |url=https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 |access-date=2022-12-16 |website=Internet Assigned Numbers Authority (IANA) |archive-date=2016-12-21 |archive-url=https://web.archive.org/web/20161221223613/http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 |url-status=live }}</ref>
Support for TLS versions 1.0 and 1.1 was widely deprecated by web sites around 2020,<ref>{{cite web|last1=Mackie|first1=Kurt|title=Microsoft Delays End of Support for TLS 1.0 and 1.1 -|url=https://mcpmag.com/articles/2020/04/02/microsoft-tls-1-0-and-1-1.aspx|website=Microsoft Certified Professional Magazine Online|access-date=2021-06-14|archive-date=2021-06-14|archive-url=https://web.archive.org/web/20210614004948/https://mcpmag.com/articles/2020/04/02/microsoft-tls-1-0-and-1-1.aspx|url-status=live}}</ref> disabling access to [[Firefox]] versions before 24 and [[Chromium (web browser)|Chromium-based browsers]] before 29,<ref>{{Cite web|url=https://answers.psionline.com/knowledgebase/tls-1-2-faq|title=TLS 1.2 FAQ – Knowledge Base|website=Answers.psionline.com|access-date=20 February 2022|archive-date=20 February 2022|archive-url=https://web.archive.org/web/20220220051112/https://answers.psionline.com/knowledgebase/tls-1-2-faq/|url-status=dead}}</ref> though third-party fixes can be applied to Netscape Navigator and older versions of Firefox to add TLS 1.2 support.<ref>{{cite web|title=Using Netscape 9 in 2022|url=https://msfn.org/board/topic/183515-using-netscape-9-in-2022|website=MSFN|access-date=2025-04-24|archive-date=2025-04-18|archive-url=https://web.archive.org/web/20250418030114/https://msfn.org/board/topic/183515-using-netscape-9-in-2022/|url-status=live}}</ref>
===TLS 1.2===
TLS 1.2 was defined in {{IETF RFC|5246}} in August 2008.{{Ref RFC|5246}} It is based on the earlier TLS 1.1 specification. Major differences include:
*The [[MD5]] and [[SHA-1]] combination in the [[Pseudorandom function family|pseudorandom function]] (PRF) was replaced with [[SHA-256]], with an option to use [[cipher suite]] specified PRFs.
*The MD5 and SHA-1 combination in the finished message [[Hash function|hash]] was replaced with SHA-256, with an option to use cipher suite specific hash algorithms. However, the size of the hash in the finished message must still be at least 96 [[bit]]s.{{Ref RFC|5246|rsection=7.4.9}}
*The MD5 and SHA-1 combination in the digitally signed element was replaced with a single hash negotiated during [[Handshake (computing)|handshake]], which defaults to SHA-1.
*Enhancement in the client's and server's ability to specify which hashes and signature algorithms they accept.
*Expansion of support for [[authenticated encryption]] ciphers, used mainly for [[Galois/Counter Mode]] (GCM) and [[CCM mode]] of [[Advanced Encryption Standard]] (AES) encryption.
*TLS Extensions definition and AES cipher suites were added.<ref name="urlnvlpubs.nist.gov" />
All TLS versions were further refined in {{IETF RFC|6176}} in March 2011, removing their backward compatibility with SSL such that TLS sessions never negotiate the use of Secure Sockets Layer (SSL) version 2.0. As of April 2025 there is no formal date for TLS 1.2 to be deprecated. The specifications for TLS 1.2 became redefined as well by the Standards Track Document {{IETF RFC|8446}} to keep it as secure as possible; it is to be seen as a failover protocol now, meant only to be negotiated with clients which are unable to talk over TLS 1.3 (The original RFC 5246 definition for TLS 1.2 is since then obsolete).
===TLS 1.3===
TLS 1.3 was defined in RFC 8446 in August 2018.{{Ref RFC|8446}} It is based on the earlier TLS 1.2 specification. Major differences from TLS 1.2 include:<ref name="WolfSSL, 2019">{{cite web|url=https://www.wolfssl.com/differences-between-tls-12-and-tls-13-9|title=Differences between TLS 1.2 and TLS 1.3 (#TLS13)|access-date=2019-09-18|date=2019-09-18|website=WolfSSL|archive-url=https://web.archive.org/web/20190919000200/https://www.wolfssl.com/differences-between-tls-12-and-tls-13-9|archive-date=2019-09-19}}</ref>
*Separating key agreement and authentication algorithms from the cipher suites<ref name="urlnvlpubs.nist.gov" />{{Ref RFC|8446|rsection=11}}
*Removing support for weak and less-used named [[elliptic-curve cryptography|elliptic curves]]
*Removing support for MD5 and SHA-224 [[cryptographic hash function]]s
*Requiring digital signatures even when a previous configuration is used
*Integrating [[HKDF]] and the semi-ephemeral DH proposal
*Replacing resumption with [[TLS-PSK|PSK]] and tickets
*Supporting 1-[[Round-trip delay|RTT]] handshakes and initial support for 0-[[Round-trip delay|RTT]]
*Mandating perfect [[forward secrecy]], by means of using ephemeral keys during the (EC)DH key agreement
*Dropping support for many insecure or obsolete features including [[data compression|compression]], renegotiation, non-[[authenticated encryption|AEAD]] ciphers, [[Null encryption|null cipher]]s,<ref>{{Cite web |url=https://datatracker.ietf.org/meeting/116/materials/slides-116-tls-null-encryption-and-key-exchange-without-forward-secrecy-are-discouraged-00 |title=Archived copy |access-date=2024-03-17 |archive-date=2024-03-17 |archive-url=https://web.archive.org/web/20240317154304/https://datatracker.ietf.org/meeting/116/materials/slides-116-tls-null-encryption-and-key-exchange-without-forward-secrecy-are-discouraged-00 |url-status=live }}</ref> non-[[forward secrecy|PFS]] key exchange (among which are static [[RSA (cryptosystem)|RSA]] and static [[Diffie–Hellman key exchange|DH]] key exchanges), custom [[Diffie–Hellman key exchange|DHE]] groups, EC point format negotiation, Change Cipher Spec protocol, Hello message UNIX time, and the length field AD input to AEAD ciphers
*Prohibiting SSL or RC4 negotiation for backwards compatibility
*Integrating use of session hash
*Deprecating use of the record layer version number and freezing the number for improved backwards compatibility
*Moving some security-related algorithm details from an appendix to the specification and relegating ClientKeyShare to an appendix
*Adding the [[ChaCha20]] stream cipher with the [[Poly1305]] message authentication code
*Adding the [[Ed25519]] and [[Ed448]] digital signature algorithms
*Adding the [[x25519]] and [[x448]] key exchange protocols
*Adding support for sending multiple [[Online Certificate Status Protocol|OCSP]] responses
*Encrypting all handshake messages after the ServerHello, including [[server certificate]]
[[Network Security Services]] (NSS), the cryptography library developed by [[Mozilla]] and used by its web browser [[Firefox]], enabled TLS 1.3 by default in February 2017.<ref name=NSS-3.29>{{cite web|url=https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.29_release_notes|title=NSS 3.29 release notes|date=February 2017|publisher=Mozilla Developer Network|url-status=live|archive-url=https://web.archive.org/web/20170222052829/https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.29_release_notes|archive-date=2017-02-22}}</ref> TLS 1.3 support was subsequently added — but due to compatibility issues for a small number of users, not automatically enabled<ref>{{cite web|url=https://bugzilla.mozilla.org/show_bug.cgi?id=1310516|title=Enable TLS 1.3 by default|date=16 October 2016|publisher=Bugzilla@Mozilla|access-date=10 October 2017|archive-date=12 August 2018|archive-url=https://web.archive.org/web/20180812021410/https://bugzilla.mozilla.org/show_bug.cgi?id=1310516|url-status=live}}</ref> — to [[History of Firefox#Firefox 52 through 59|Firefox 52.0]], which was released in March 2017. TLS 1.3 was enabled by default in May 2018 with the release of [[History of Firefox#Firefox 60 through 67|Firefox 60.0]].<ref>{{cite web|url=https://www.mozilla.org/en-US/firefox/60.0/releasenotes|title=Firefox — Notes (60.0)|website=Mozilla|language=en-US|access-date=2018-05-10|archive-date=2018-05-09|archive-url=https://web.archive.org/web/20180509230339/https://www.mozilla.org/en-US/firefox/60.0/releasenotes/|url-status=live}}</ref>
[[Google Chrome]] set TLS 1.3 as the default version for a short time in 2017. It then removed it as the default, due to incompatible middleboxes such as [[Blue Coat Systems|Blue Coat web proxies]].<ref>{{cite web|url=http://bluecoat.force.com/knowledgebase/articles/Technical_Alert/000032878|title=ProxySG, ASG and WSS will interrupt SSL connections when clients using TLS 1.3 access sites also using TLS 1.3|date=16 May 2017|work=BlueTouch Online|access-date=11 September 2017|url-status=live|archive-url=https://web.archive.org/web/20170912061432/http://bluecoat.force.com/knowledgebase/articles/Technical_Alert/000032878|archive-date=12 September 2017}}</ref>
The intolerance of the new version of TLS was [[protocol ossification]]; middleboxes had ossified the protocol's version parameter. As a result, version 1.3 mimics the [[wire image (networking)|wire image]] of version 1.2. This change occurred very late in the design process, only having been discovered during browser deployment.<ref>{{Cite web|url=https://blog.cloudflare.com/why-tls-1-3-isnt-in-browsers-yet/|title=Why TLS 1.3 isn't in browsers yet|date=2017-12-26|website=The Cloudflare Blog|language=en|access-date=2020-03-14|last=Sullivan|first=Nick|archive-date=2017-12-26|archive-url=https://web.archive.org/web/20171226210134/https://blog.cloudflare.com/why-tls-1-3-isnt-in-browsers-yet/|url-status=live}}</ref> The discovery of this intolerance also led to the prior version negotiation strategy, where the highest matching version was picked, being abandoned due to unworkable levels of ossification.<ref name=Thomson>{{ cite ietf | rfc = 9170 | title = Long-Term Viability of Protocol Extension Mechanisms | date = December 2021 | last1 = Thomson | first1 = Martin | last2 = Pauly | first2 = Tommy }}</ref> '[[Grease (networking)|Greasing]]' an extension point, where one protocol participant claims support for non-existent extensions to ensure that unrecognised-but-actually-existent extensions are tolerated and so to resist ossification, was originally designed for TLS, but it has since been adopted elsewhere.<ref name=Thomson/>
During the IETF 100 [[Hackathon]], which took place in [[Singapore]] in 2017, the TLS Group worked on adapting [[Open-source software|open-source applications]] to use TLS 1.3.<ref>{{cite web|url=https://datatracker.ietf.org/meeting/100/materials/slides-100-hackathon-sessa-tls-13|title=TLS 1.3 IETF 100 Hackathon|url-status=dead|archive-url=https://web.archive.org/web/20180115220635/https://datatracker.ietf.org/meeting/100/materials/slides-100-hackathon-sessa-tls-13|archive-date=2018-01-15}}</ref><ref name="ietf-hackathon">{{Citation|last=IETF – Internet Engineering Task Force|title=IETF Hackathon Presentations and Awards|date=2017-11-12|url=https://www.youtube.com/watch?v=33XW5yzjtME&t=2338|archive-url=https://ghostarchive.org/varchive/youtube/20211028/33XW5yzjtME|archive-date=2021-10-28|access-date=2017-11-14}}{{cbignore}}</ref> The TLS group was made up of individuals from Japan, United Kingdom, and Mauritius via the cyberstorm.mu team.<ref name="ietf-hackathon"/> This work was continued in the IETF 101 Hackathon in [[London]],<ref>{{Cite news|url=https://www.theregister.co.uk/2018/03/27/with_tls_13_signed_off_its_implementation_time|title=Hurrah! TLS 1.3 is here. Now to implement it and put it into software|access-date=2018-03-28|language=en|archive-date=2018-03-27|archive-url=https://web.archive.org/web/20180327213242/https://www.theregister.co.uk/2018/03/27/with_tls_13_signed_off_its_implementation_time/|url-status=live}}</ref> and the IETF 102 Hackathon in Montreal.<ref>{{Citation|last=IETF – Internet Engineering Task Force|title=IETF102-HACKATHON-20180715-1400|date=2018-07-15|url=https://www.youtube.com/watch?v=u6rz4PWA_As&t=4526|archive-url=https://ghostarchive.org/varchive/youtube/20211028/u6rz4PWA_As|archive-date=2021-10-28|access-date=2018-07-18}}{{cbignore}}</ref>
[[wolfSSL]] enabled the use of TLS 1.3 as of version 3.11.1, released in May 2017.<ref>{{cite web|url=https://www.wolfssl.com/wolfssl-tls-1-3-beta-release-now-available|title=wolfSSL TLS 1.3 BETA Release Now Available|date=11 May 2017|publisher=info@wolfssl.com|access-date=11 May 2017|archive-date=9 July 2018|archive-url=https://web.archive.org/web/20180709065543/https://www.wolfssl.com/wolfssl-tls-1-3-beta-release-now-available/|url-status=live}}</ref> As the first commercial TLS 1.3 implementation, wolfSSL 3.11.1 supported Draft 18 and now supports Draft 28,<ref>{{cite web|url=https://www.wolfssl.com/docs/tls13|title=TLS 1.3 PROTOCOL SUPPORT|publisher=info@wolfssl.com|access-date=2018-07-09|archive-date=2018-07-09|archive-url=https://web.archive.org/web/20180709065545/https://www.wolfssl.com/docs/tls13/|url-status=live}}</ref> the final version, as well as many older versions. A series of blogs were published on the performance difference between TLS 1.2 and 1.3.<ref>{{cite web|url=https://www.wolfssl.com/tls-1-3-draft-28-support-wolfssl|title=TLS 1.3 Draft 28 Support in wolfSSL|date=14 June 2018|publisher=info@wolfssl.com|access-date=14 June 2018|archive-date=9 July 2018|archive-url=https://web.archive.org/web/20180709065545/https://www.wolfssl.com/tls-1-3-draft-28-support-wolfssl/|url-status=live}}</ref>
In <time datetime=2018-09-11T12:00:00+00:00>September 2018</time>, the popular [[OpenSSL]] project released version 1.1.1 of its library, in which support for TLS 1.3 was "the headline new feature".<ref>{{cite web|url=https://openssl-library.org/post/2018-09-11-release111/ |title=OpenSSL 1.1.1 Is Released|date=11 Sep 2018 <!--12:00:00 GMT-->|publisher=Matt Caswell|access-date=2024-10-11|archive-date=8 December 2018|archive-url=https://web.archive.org/web/20181208141108/https://www.openssl.org/blog/blog/2018/09/11/release111/|url-status=live}}</ref>
Support for TLS 1.3 was added to [[Security Support Provider Interface|Secure Channel]] (schannel) for the {{Abbr|GA|General Availability}} releases of [[Windows 11]] and [[Windows Server 2022]].<ref>{{cite web|title=Protocols in TLS/SSL (Schannel SSP)|url=https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-|website=Microsoft Docs|date=May 25, 2022|access-date=21 February 2023|archive-date=25 January 2023|archive-url=https://web.archive.org/web/20230125160351/https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-|url-status=live}}</ref>
===
The [[Electronic Frontier Foundation]] praised TLS 1.3 and expressed concern about the variant protocol Enterprise Transport Security (ETS) that intentionally disables important security measures in TLS 1.3.<ref name=":5">{{cite web|url=https://www.eff.org/deeplinks/2019/02/ets-isnt-tls-and-you-shouldnt-use-it|title=ETS Isn't TLS and You Shouldn't Use It|last=Hoffman-Andrews|first=Jacob|date=2019-02-26|website=[[Electronic Frontier Foundation]]|language=en|access-date=2019-02-27|archive-date=2019-02-26|archive-url=https://web.archive.org/web/20190226214559/https://www.eff.org/deeplinks/2019/02/ets-isnt-tls-and-you-shouldnt-use-it|url-status=live}}</ref> Originally called Enterprise TLS (eTLS), ETS is a published standard known as the '[[ETSI]] TS103523-3', "Middlebox Security Protocol, Part3: Enterprise Transport Security". It is intended for use entirely within proprietary networks such as banking systems. ETS does not support forward secrecy so as to allow third-party organizations connected to the proprietary networks to be able to use their private key to monitor network traffic for the detection of malware and to make it easier to conduct audits.<ref>{{cite book|title=TS 103 523-3 – V1.1.1 – CYBER; Middlebox Security Protocol; Part 3: Profile for enterprise network and data centre access control|url=https://www.etsi.org/deliver/etsi_ts/103500_103599/10352303/01.01.01_60/ts_10352303v010101p.pdf#page=5|archive-url=https://web.archive.org/web/20181114104718/https://www.etsi.org/deliver/etsi_ts/103500_103599/10352303/01.01.01_60/ts_10352303v010101p.pdf|archive-date=November 14, 2018|format=[[PDF]]|publisher=[[ETSI]].org|url-status=live}}</ref><ref>{{cite web|title=Monumental Recklessness|url=https://boingboing.net/2019/02/26/monumental-recklessness.html|date=February 26, 2019|archive-url=https://web.archive.org/web/20190227071044/http://boingboing.net/2019/02/26/monumental-recklessness.html|archive-date=February 27, 2019|website=[[Boing Boing]]|author=[[Cory Doctorow]]|url-status=live}}</ref> Despite the claimed benefits, the EFF warned that the loss of forward secrecy could make it easier for data to be exposed along with saying that there are better ways to analyze traffic.<ref name=":5" />
==Digital certificates==
{{Main|Public key certificate}}
[[File:Let's Encrypt certificate example on Firefox 133 screenshot.webp|thumb|Example of a website with digital certificate]]
A digital certificate certifies the ownership of a public key by the named subject of the certificate, and indicates certain expected usages of that key. This allows others (relying parties) to rely upon signatures or on assertions made by the private key that corresponds to the certified public key. Keystores and trust stores can be in various formats, such as [[Privacy-Enhanced Mail|.pem]], .crt, [[PKCS 12|.pfx]], and [[Java KeyStore|.jks]].
===Certificate authorities===
{{Main|Certificate authority}}
TLS typically relies on a set of trusted third-party certificate authorities to establish the authenticity of certificates. Trust is usually anchored in a list of certificates distributed with user agent software,<ref>{{cite web|url=https://www.rsaconference.com/writable/presentations/file_upload/sec-t02_final.pdf|title=Alternatives to Certification Authorities for a Secure Web|last=Rea|first=Scott|date=2013|publisher=RSA Conference Asia Pacific|access-date=7 September 2016|url-status=live|archive-url=https://web.archive.org/web/20161007222635/https://www.rsaconference.com/writable/presentations/file_upload/sec-t02_final.pdf|archive-date=7 October 2016}}</ref> and can be modified by the relying party.
According to [[Netcraft]], who monitors active TLS certificates, the market-leading certificate authority (CA) has been [[NortonLifeLock|Symantec]] since the beginning of their survey (or [[Verisign|VeriSign]] before the authentication services business unit was purchased by Symantec). As of 2015, Symantec accounted for just under a third of all certificates and 44% of the valid certificates used by the 1 million busiest websites, as counted by Netcraft.<ref>{{Cite web|url=https://news.netcraft.com/archives/2015/05/13/counting-ssl-certificates.html|archive-url=https://web.archive.org/web/20150516035536/http://news.netcraft.com/archives/2015/05/13/counting-ssl-certificates.html|url-status=dead|title=Counting SSL certificates|archive-date=16 May 2015|access-date=20 February 2022}}</ref> In 2017, Symantec sold its TLS/SSL business to DigiCert.<ref>{{cite news|last1=Raymond|first1=Art|title=Lehi's DigiCert swallows web security competitor in $1 billion deal|url=https://www.deseretnews.com/article/865686081/Lehis-DigiCert-swallows-web-security-competitor-in-1-billion-deal.html|access-date=21 May 2020|work=Deseret News|date=3 August 2017|archive-date=29 September 2018|archive-url=https://web.archive.org/web/20180929171244/https://www.deseretnews.com/article/865686081/Lehis-DigiCert-swallows-web-security-competitor-in-1-billion-deal.html|url-status=dead}}</ref> In an updated report, it was shown that [[IdenTrust]], [[DigiCert]], and [[Sectigo]] are the top 3 certificate authorities in terms of market share since May 2019.<ref>{{cite web|title=Market share trends for SSL certificate authorities|url=https://w3techs.com/technologies/history_overview/ssl_certificate|website=W3Techs|access-date=21 May 2020}}</ref>
As a consequence of choosing [[X.509]] certificates, certificate authorities and a [[public key infrastructure]] are necessary to verify the relation between a certificate and its owner, as well as to generate, sign, and administer the validity of certificates. While this can be more convenient than verifying the identities via a [[web of trust]], the [[Global surveillance disclosures (2013–present)|2013 mass surveillance disclosures]] made it more widely known that certificate authorities are a weak point from a security standpoint, allowing [[man-in-the-middle attack]]s (MITM) if the certificate authority cooperates (or is compromised).<ref>{{cite magazine|url=https://www.wired.com/threatlevel/2010/03/packet-forensics|title=Law Enforcement Appliance Subverts SSL|archive-url=https://web.archive.org/web/20140412151324/http://www.wired.com/threatlevel/2010/03/packet-forensics|date=March 24, 2010|archive-date=April 12, 2014|magazine=[[wired (magazine)|wired]].com|author=[[Ryan Singel]]|url-status=live}}</ref><ref>{{cite web|title=New Research Suggests That Governments May Fake SSL Certificates|url=https://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl|archive-url=https://web.archive.org/web/20100325223422/http://www.eff.org/deeplinks/2010/03/researchers-reveal-likelihood-governments-fake-ssl|date=March 24, 2010|archive-date=March 25, 2010|author=[[Seth Schoen]]|website=[[Electronic Frontier Foundation|EFF]].org|url-status=live}}</ref>
On April 11, 2025, the [[CA/Browser Forum]] approved a ballot that will require all public TLS certificate lifespans to gradually reduce to 47 days by 2029 <ref>{{cite web |last=Schuman |first=Evan |title=Vendors vote to radically slash website certificate duration |url=https://www.computerworld.com/article/3960658/vendors-vote-to-radically-slash-website-certificate-duration.html |website=Computerworld |date=11 April 2025 |access-date=28 July 2025}}</ref>. The ballot was proposed by Apple.<ref>{{cite web |last=Lyons |first=Jessica |title=Sysadmins rage over Apple’s ‘nightmarish’ SSL/TLS cert lifespan cuts plot |url=https://www.theregister.com/2024/10/15/apples_security_cert_lifespan/ |website=The Register |date=15 October 2024 |access-date=28 July 2025}}</ref>
=== Importance of SSL Certificates ===
* '''Encryption''': SSL certificates encrypt data sent between a web server and a user’s browser, ensuring that sensitive information is protected throughout transmission. This encryption technology stops unauthorized parties from intercepting and interpreting data, so protecting it from possible risks such as hacking or data breaches.
* '''Authentication''': SSL certificates also offer authentication, certifying the integrity of a website and that visitors are connecting to the correct server rather than a malicious impostor. This authentication method helps consumers gain trust by ensuring that they are dealing with a trustworthy and secure website.
* '''Integrity''': Another important role of SSL certificates is to ensure data integrity. SSL uses cryptographic techniques to verify that data communicated between the server and the browser is intact and unmodified during transit. This keeps malevolent actors from interfering with the data, ensuring its integrity and trustworthiness.
==Algorithms==
{{see also|Cipher suite}}
===Key exchange or key agreement===
Before a client and server can begin to exchange information protected by TLS, they must securely exchange or agree upon an encryption key and a cipher to use when encrypting data (see {{section link||Cipher}}). Among the methods used for key exchange/agreement are: public and private keys generated with [[RSA (algorithm)|RSA]] (denoted TLS_RSA in the TLS handshake protocol), [[Diffie–Hellman]] (TLS_DH), ephemeral Diffie–Hellman (TLS_DHE), [[elliptic-curve Diffie–Hellman]] (TLS_ECDH), ephemeral elliptic-curve Diffie–Hellman (TLS_ECDHE), [[Key-agreement protocol#Exponential key exchange|anonymous Diffie–Hellman]] (TLS_DH_anon),{{Ref RFC|5246}} [[TLS-PSK|pre-shared key]] (TLS_PSK)<ref name=RFC4279>{{cite IETF|title=Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)|rfc=4279|publisher=Internet Engineering Task Force|access-date=9 September 2013|author=P. Eronen, Ed.|editor-first1=P |editor-first2=H |editor-last1=Eronen |editor-last2=Tschofenig |date=December 2005}}</ref> and [[TLS-SRP|Secure Remote Password]] (TLS_SRP).<ref name=RFC5054>{{cite IETF|rfc=5054|title=Using the Secure Remote Password (SRP) Protocol for TLS Authentication|publisher=Internet Engineering Task Force|access-date=December 21, 2014|author=D. Taylor, Ed.|date=November 2007}}</ref>
The TLS_DH_anon and TLS_ECDH_anon key agreement methods do not authenticate the server or the user and hence are rarely used because those are vulnerable to [[man-in-the-middle attack]]s. Only TLS_DHE and TLS_ECDHE provide [[#Forward secrecy|forward secrecy]].
Public key certificates used during exchange/agreement also vary in the size of the public/private encryption keys used during the exchange and hence the robustness of the security provided. In July 2013, [[Google]] announced that it would no longer use 1024-bit public keys and would switch instead to 2048-bit keys to increase the security of the TLS encryption it provides to its users because the encryption strength is directly related to the [[key size]].<ref>{{cite web|last=Gothard|first=Peter|title=Google updates SSL certificates to 2048-bit encryption|url=http://www.computing.co.uk/ctg/news/2285984/google-updates-ssl-certificates-to-2048bit-encryption|work=Computing|date=31 July 2013|publisher=Incisive Media|access-date=9 September 2013|url-status=live|archive-url=https://web.archive.org/web/20130922082322/http://www.computing.co.uk/ctg/news/2285984/google-updates-ssl-certificates-to-2048bit-encryption|archive-date=22 September 2013}}</ref><ref>{{Cite news|url=http://searchsecurity.techtarget.com/answer/From-1024-to-2048-bit-The-security-effect-of-encryption-key-length|title=The value of 2,048-bit encryption: Why encryption key length matters|work=SearchSecurity|access-date=2017-12-18|language=en-US|url-status=live|archive-url=https://web.archive.org/web/20180116081141/http://searchsecurity.techtarget.com/answer/From-1024-to-2048-bit-The-security-effect-of-encryption-key-length|archive-date=2018-01-16}}</ref>
{{anchor|keyexchange-table}}
{{sticky header}}
{|class="wikitable sticky-header"style=text-align:center
|+Key exchange/agreement and authentication
!scope=col|Algorithm
!scope=col|SSL 2.0
!scope=col|SSL 3.0
!scope=col|TLS 1.0
!scope=col|TLS 1.1
!scope=col|TLS 1.2
!scope=col|TLS 1.3
!scope=col|Status
|-
!{{Depends|[[RSA (cryptosystem)|RSA]]}}
|{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}||{{N/A|No}}||rowspan=21|Defined for TLS 1.2 in RFCs
|-
!{{Depends|[[Diffie–Hellman key exchange|DH]]-[[RSA (cryptosystem)|RSA]]}}
|{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}||{{N/A|No}}
|-
!{{Good|[[Diffie–Hellman key exchange|DHE]]-[[RSA (cryptosystem)|RSA]] ([[#Forward secrecy|forward secrecy]])}}
|{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}
|-
!{{Depends|[[Elliptic-curve Diffie–Hellman|ECDH]]-[[RSA (cryptosystem)|RSA]]}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{N/A|No}}
|-
!{{Good|[[Elliptic-curve Diffie–Hellman|ECDHE]]-[[RSA (cryptosystem)|RSA]] (forward secrecy)}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}
|-
!{{Depends|[[Diffie–Hellman key exchange|DH]]-[[Digital Signature Algorithm|DSS]]}}
|{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}||{{N/A|No}}
|-
!{{Good|[[Diffie–Hellman key exchange|DHE]]-[[Digital Signature Algorithm|DSS]] (forward secrecy)}}
|{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}||{{N/A|No}}<ref>{{cite web|url=https://www.ietf.org/mail-archive/web/tls/current/msg17680.html|title=Consensus: remove DSA from TLS 1.3|date=September 17, 2015|author=Sean Turner|url-status=live|archive-url=https://web.archive.org/web/20151003193113/http://www.ietf.org/mail-archive/web/tls/current/msg17680.html|archive-date=October 3, 2015}}</ref>
|-
!{{Good|[[Diffie–Hellman key exchange|DHE]]-[[Elliptic Curve DSA|ECDSA]] (forward secrecy)}}
|{{N/A|No}}||{{N/A|No}}||{{N/A|No}}||{{N/A|No}}||{{N/A|No}}||{{Yes}}
|-
!{{Depends|[[Elliptic-curve Diffie–Hellman|ECDH]]-[[Elliptic Curve DSA|ECDSA]]}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{N/A|No}}
|-
!{{Good|[[Elliptic-curve Diffie–Hellman|ECDHE]]-[[Elliptic Curve DSA|ECDSA]] (forward secrecy)}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}
|-
!{{Good|[[Diffie–Hellman key exchange|DHE]]-[[EdDSA]] (forward secrecy)}}
|{{N/A|No}}||{{N/A|No}}||{{N/A|No}}||{{N/A|No}}||{{N/A|No}}||{{Yes}}
|-
!{{Depends|[[Elliptic-curve Diffie–Hellman|ECDH]]-[[EdDSA]]}}
|{{No}}
|{{No}}
|{{Yes}}
|{{Yes}}
|{{Yes}}
|{{N/A|No}}
|-
!{{Good|[[Elliptic-curve Diffie–Hellman|ECDHE]]-[[EdDSA]] (forward secrecy)}}{{Ref RFC|8422}}
|{{No}}
|{{No}}
|{{Yes}}
|{{Yes}}
|{{Yes}}
|{{Yes}}
|-
!{{Depends|[[TLS-PSK|PSK]]}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}
|-
!{{Depends|[[RSA (cryptosystem)|RSA]]-[[Pre-shared key|PSK]]}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{N/A|No}}
|-
!{{Good|[[Diffie–Hellman key exchange|DHE]]-[[Pre-shared key|PSK]] (forward secrecy)}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}
|-
!{{Good|[[Elliptic-curve Diffie–Hellman|ECDHE]]-[[Pre-shared key|PSK]] (forward secrecy)}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}
|-
!{{Depends|[[TLS-SRP|SRP]]}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{N/A|No}}
|-
!{{Depends|[[Secure Remote Password protocol|SRP]]-[[Digital Signature Algorithm|DSS]]}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{N/A|No}}
|-
!{{Depends|[[Secure Remote Password protocol|SRP]]-[[RSA (cryptosystem)|RSA]]}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{N/A|No}}
|-
!{{Depends|[[Kerberos (protocol)|Kerberos]]}}
|{{No}}||{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{dunno}}
|-
!{{Bad|[[Diffie–Hellman key exchange|DH]]-ANON (insecure)}}
|{{N/A|No}}||{{No|Yes}}||{{No|Yes}}||{{No|Yes}}||{{No|Yes}}||{{N/A|No}}
|-
!{{Bad|[[Elliptic-curve Diffie–Hellman|ECDH]]-ANON (insecure)}}
|{{N/A|No}}||{{N/A|No}}||{{No|Yes}}||{{No|Yes}}||{{No|Yes}}||{{N/A|No}}
|-
!{{Good|[[GOST|GOST R 34.10-2012]]<ref name=gostlink>{{IETF RFC|5830|6986|7091|7801|8891}}</ref>}}
|{{No}}||{{No}}||{{No}}||{{No}}||{{Yes}}||{{Yes}}
|Defined for TLS 1.2{{Ref RFC|9189}} and for TLS 1.3.{{Ref RFC|9367}}
|}
===Cipher===
{{see also|Cipher suite|Block cipher|Cipher security summary}}
{{Anchor|cipher-table}}
{{sticky header}}
{{sort under}}
{|class="wikitable sortable sticky-header-multi sort-under" style=text-align:center
|+[[Cipher]] security against publicly known feasible attacks
|-
!colspan=3|Cipher!!colspan=6|Protocol version!!rowspan=2|Status
|-
!Type
!Algorithm
!Nominal strength (bits)
!SSL 2.0
!SSL 3.0<br/><ref group="n"name="rfc5746">{{IETF RFC|5746}} must be implemented to fix a renegotiation flaw that would otherwise break this protocol.</ref><ref group="n"name="renegotiation">If libraries implement fixes listed in {{IETF RFC|5746}}, this violates the SSL 3.0 specification, which the IETF cannot change unlike TLS. Most current libraries implement the fix and disregard the violation that this causes.</ref><ref group="n"name="BEAST">The [[#BEAST attack|BEAST]] attack breaks all block ciphers (CBC ciphers) used in SSL 3.0 and TLS 1.0 unless mitigated by the client or the server. See {{section link||Web browsers}}.</ref><ref group="n"name="POODLEciphertable">The [[POODLE]] attack breaks all block ciphers (CBC ciphers) used in SSL 3.0 unless mitigated by the client or the server. See {{section link||Web browsers}}.</ref>
!TLS 1.0<br/><ref group="n"name="rfc5746"/><ref group="n"name="BEAST"/>
!TLS 1.1<br/><ref group="n"name="rfc5746"/>
!TLS 1.2<br/><ref group="n"name="rfc5746"/>
!TLS 1.3
|-
! rowspan="17" {{verth|va=middle|[[Block cipher]] with [[Block cipher mode of operation|mode of operation]]}}
![[Advanced Encryption Standard|AES]] [[Galois/Counter Mode|GCM]]<ref name="aes-gcm">{{IETF RFC|5288|5289}}</ref><ref group="n"name="aead">[[AEAD block cipher modes of operation|AEAD]] ciphers (such as [[Galois/Counter Mode|GCM]] and [[CCM mode|CCM]]) can only be used in TLS 1.2 or later.</ref>
|rowspan=3|256, 128
|{{N/A}}||{{N/A}}||{{N/A}}||{{N/A}}||{{Good|Secure}}||{{Good|Secure}}||rowspan="9"|Defined for TLS 1.2 in RFCs
|-
![[Advanced Encryption Standard|AES]] [[CCM mode|CCM]]<ref name="aes-ccm">{{IETF RFC|6655|7251}}</ref><ref group="n"name="aead"/>
|{{N/A}}||{{N/A}}||{{N/A}}||{{N/A}}||{{Good|Secure}}||{{Good|Secure}}
|-
![[Advanced Encryption Standard|AES]] [[Cipher block chaining|CBC]]<ref group="n"name=Lucky13/>
|{{N/A}}||{{Bad|Insecure}}||{{Depends|Depends on mitigations}}||{{Depends|Depends on mitigations}}||{{Depends|Depends on mitigations}}||{{N/A}}
|-
![[Camellia (cipher)|Camellia]] [[Galois/Counter Mode|GCM]]<ref name="camellia-gcm">{{IETF RFC|6367}}</ref><ref group="n"name="aead"/>
|rowspan=2|256, 128
|{{N/A}}||{{N/A}}||{{N/A}}||{{N/A}}||{{Good|Secure}}||{{N/A}}
|-
![[Camellia (cipher)|Camellia]] [[Cipher block chaining|CBC]]<ref name="camellia-cbc">{{IETF RFC|5932|6367}}</ref><ref group="n"name=Lucky13/>
|{{N/A}}||{{Bad|Insecure}}||{{Depends|Depends on mitigations}}||{{Depends|Depends on mitigations}}||{{Depends|Depends on mitigations}}||{{N/A}}
|-
![[ARIA (cipher)|ARIA]] [[Galois/Counter Mode|GCM]]{{Ref RFC|6209}}<ref group="n"name="aead"/>
|rowspan=2|256, 128
|{{N/A}}||{{N/A}}||{{N/A}}||{{N/A}}||{{Good|Secure}}||{{N/A}}
|-
![[ARIA (cipher)|ARIA]] [[Cipher block chaining|CBC]]{{Ref RFC|6209}}<ref group="n" name=Lucky13/>
|{{N/A}}||{{N/A}}||{{Depends|Depends on mitigations}}||{{Depends|Depends on mitigations}}||{{Depends|Depends on mitigations}}||{{N/A}}
|-
![[SEED (cipher)|SEED]] [[Cipher block chaining|CBC]]{{Ref RFC|4162}}<ref group="n" name=Lucky13/>
|128
|{{N/A}}||{{Bad|Insecure}}||{{Depends|Depends on mitigations}}||{{Depends|Depends on mitigations}}||{{Depends|Depends on mitigations}}||{{N/A}}
|-
![[Triple DES|3DES EDE]] [[Cipher block chaining|CBC]]<ref group="n"name=Lucky13>CBC ciphers can be attacked with the [[Lucky Thirteen attack]] if the library is not written carefully to eliminate timing side channels.</ref>{{refn|group="n"|name=Sweet32|The [[Sweet32]] attack breaks block ciphers with a block size of 64 bits.<ref name=Sweet32>{{cite web|url=https://sweet32.info/SWEET32_CCS16.pdf|title=On the Practical (In-)Security of 64-bit Block Ciphers — Collision Attacks on HTTP over TLS and OpenVPN|date=2016-10-28|access-date=2017-06-08|url-status=live|archive-url=https://web.archive.org/web/20170424021101/https://sweet32.info/SWEET32_CCS16.pdf|archive-date=2017-04-24}}</ref>}}
|112{{refn|group="n"|name="3des"|Although the key length of 3DES is 168 bits, effective security strength of 3DES is only 112 bits,<ref name=NIST_SP_800-57>{{cite web|url=http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf|title=NIST Special Publication 800-57 ''Recommendation for Key Management — Part 1: General (Revised)''|date=2007-03-08|access-date=2014-07-03|url-status=dead|archive-url=https://web.archive.org/web/20140606050814/http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf|archive-date=June 6, 2014}}</ref> which is below the recommended minimum of 128 bits.<ref name="best-practices">{{cite web|url=https://www.ssllabs.com/projects/best-practices/index.html|title=SSL/TLS Deployment Best Practices|author=Qualys SSL Labs|access-date=2 June 2015|url-status=live|archive-url=https://web.archive.org/web/20150704101956/https://www.ssllabs.com/projects/best-practices/index.html|archive-date=4 July 2015}}</ref>}}
|{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{N/A}}
|-
![[GOST (block cipher)|GOST R 34.12-2015 Magma]] [[Block cipher mode of operation#Counter (CTR)|CTR]]<ref name=gostlink/><ref group="n"name=Sweet32/>
|256
|{{N/A}}||{{N/A}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{N/A}}||Defined in {{IETF RFC|4357|9189}}
|-
![[Kuznyechik|GOST R 34.12-2015 Kuznyechik]] [[Block cipher mode of operation#Counter (CTR)|CTR]]<ref name=gostlink/>
|256
|{{N/A}}
|{{N/A}}
|{{N/A}}
|{{N/A}}
|{{Good|Secure}}
|{{N/A}}
|Defined in {{IETF RFC|9189}}
|-
![[GOST (block cipher)|GOST R 34.12-2015 Magma]] [[Authenticated encryption|MGM]]<ref name=gostlink/><ref group="n"name="aead"/><ref group="n"name=Sweet32/>
|256
|{{N/A}}
|{{N/A}}
|{{N/A}}
|{{N/A}}
|{{N/A}}
|{{Bad|Insecure}}
|Defined in {{IETF RFC|9367}}
|-
![[Kuznyechik|GOST R 34.12-2015 Kuznyechik]] [[Authenticated encryption|MGM]]<ref name=gostlink/><ref group="n"name="aead"/>
|256
|{{N/A}}
|{{N/A}}
|{{N/A}}
|{{N/A}}
|{{N/A}}
|{{Good|Secure}}
|Defined in {{IETF RFC|9367}}
|-
![[International Data Encryption Algorithm|IDEA]] [[Cipher block chaining|CBC]]<ref group="n"name=Lucky13/><ref group="n"name=Sweet32/>{{refn|group="n"|name="removal_from_tls1.2"|IDEA and DES have been removed from TLS 1.2.{{Ref RFC|5469}}}}
|128
|{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{N/A}}||{{N/A}}||rowspan="2"|Removed from TLS 1.2
|-
!rowspan=2|[[Data Encryption Standard|DES]] [[Cipher block chaining|CBC]]<ref group="n"name=Lucky13/><ref group="n"name=Sweet32/><ref group="n"name="removal_from_tls1.2"/>
|{{0}}56
|{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{N/A}}||{{N/A}}
|-
|{{0}}40<ref group="n"name="EXPORT">40-bit strength cipher suites were intentionally designed with reduced key lengths to comply with since-rescinded US regulations forbidding the export of cryptographic software containing certain strong encryption algorithms (see [[Export of cryptography from the United States]]). These weak suites are forbidden in TLS 1.1 and later.</ref>
|{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{N/A}}||{{N/A}}||{{N/A}}||rowspan=2|Forbidden in TLS 1.1 and later
|-
![[RC2]] [[Cipher block chaining|CBC]]<ref group="n"name=Lucky13/><ref group="n"name=Sweet32/>
|{{0}}40<ref group="n"name="EXPORT"/>
|{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{N/A}}||{{N/A}}||{{N/A}}
|-
!rowspan=3 {{verth|[[Stream cipher]]}}
![[ChaCha20]]-[[Poly1305]]{{Ref RFC|7905}}<ref group="n"name="aead"/>
|256
|{{N/A}}||{{N/A}}||{{N/A}}||{{N/A}}||{{Good|Secure}}||{{Good|Secure}}||Defined for TLS 1.2 in RFCs
|-
!rowspan="2"|[[RC4]]<ref group="n"name="RC4">Use of RC4 in all versions of TLS is prohibited because [[#RC4 attacks|RC4 attacks]] weaken or break RC4 used in SSL/TLS.</ref>
|128
|{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{N/A}}||rowspan="2"|Prohibited in all versions of TLS{{Ref RFC|7465}}
|-
|{{0}}40<ref group="n"name="EXPORT"/>
|{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{N/A}}||{{N/A}}||{{N/A}}
|-
!{{CNone|None}}
!{{CNone|Null}}<ref group="n">Authentication only, no encryption.</ref>
|–
|{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{N/A}}||Defined for TLS 1.2 in RFCs
|}
'''Notes'''
{{reflist|group="n"}}
===Data integrity===
A [[message authentication code]] (MAC) is used for data integrity. [[HMAC]] is used for [[cipher block chaining|CBC]] mode of block ciphers. [[Authenticated encryption]] (AEAD) such as [[Galois/Counter Mode|GCM]] and [[CCM mode]] uses AEAD-integrated MAC and does not use [[HMAC]].{{Ref RFC|8446|rsection=8.4}} HMAC-based [[pseudorandom function family|PRF]], or [[HKDF]] is used for TLS handshake.
{{Anchor|integrity-table}}
{|class="wikitable"style=text-align:center
|+Data integrity
!scope=col|Algorithm
!scope=col|SSL 2.0
!scope=col|SSL 3.0
!scope=col|TLS 1.0
!scope=col|TLS 1.1
!scope=col|TLS 1.2
!scope=col|TLS 1.3
!scope=col|Status
|-
!scope=row|[[HMAC]]-[[MD5]]
|{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}||{{No}}||rowspan=4|Defined for TLS 1.2 in RFCs
|-
!scope=row|[[HMAC]]-[[SHA-1|SHA1]]
|{{No}}||{{Yes}}||{{Yes}}||{{Yes}}||{{Yes}}||{{No}}
|-
!scope=row|[[HMAC]]-[[SHA-2|SHA256/384]]
|{{No}}||{{No}}||{{No}}||{{No}}||{{Yes}}||{{No}}
|-
!scope=row|[[AEAD block cipher modes of operation|AEAD]]
|{{No}}||{{No}}||{{No}}||{{No}}||{{Yes}}||{{Yes}}
|-
!scope=row|[[GOST 28147-89|GOST 28147-89 IMIT]]<ref name=gostlink/>
|{{No}}||{{No}}||{{No}}||{{No}}||{{Yes}}||{{No}}||Defined for TLS 1.2 in {{IETF RFC|9189}}.
|-
!scope=row|[[Kuznyechik|GOST R 34.12-2015]] [[AEAD block cipher modes of operation|AEAD]]<ref name=gostlink/>
|{{No}}||{{No}}||{{No}}||{{No}}||{{No}}||{{Yes}}||Defined for TLS 1.3 in {{IETF RFC|9367}}.
|}
==Applications and adoption==
In applications design, TLS is usually implemented on top of Transport Layer protocols, encrypting all of the protocol-related data of protocols such as [[Hypertext Transfer Protocol|HTTP]], [[File Transfer Protocol|FTP]], [[Simple Mail Transfer Protocol|SMTP]], [[Network News Transfer Protocol|NNTP]] and [[XMPP]].
Historically, TLS has been used primarily with reliable transport protocols such as the [[Transmission Control Protocol]] (TCP). However, it has also been implemented with datagram-oriented transport protocols, such as the [[User Datagram Protocol]] (UDP) and the [[Datagram Congestion Control Protocol]] (DCCP), usage of which has been standardized independently using the term ''[[Datagram Transport Layer Security]]'' (''DTLS'').
===Websites===
A primary use of TLS is to secure [[World Wide Web]] traffic between a [[website]] and a [[web browser]] encoded with the HTTP protocol. This use of TLS to secure HTTP traffic constitutes the [[HTTPS]] protocol.<ref>{{cite web|url=https://www.instantssl.com/ssl-certificate-products/https.html|title=Http vs https|access-date=2015-02-12|url-status=live|archive-url=https://web.archive.org/web/20150212105201/https://www.instantssl.com/ssl-certificate-products/https.html|archive-date=2015-02-12}}</ref>
{|class="wikitable"style=text-align:center
|+Website protocol support (May 2024)
|-
!scope=col|Protocol<br />version
!scope=col|Website<br />support<ref name="trustworthy_ssl_pulse">As of Jun 1, 2025. {{cite web|title=SSL Pulse: Survey of the SSL Implementation of the Most Popular Websites|url=https://www.ssllabs.com/ssl-pulse/|access-date=2025-06-01|website=[[Qualys]]|archive-date=2021-03-08|archive-url=https://web.archive.org/web/20210308160353/https://web.archive.org/web/20171202155646/https://www.ssllabs.com/ssl-pulse/|url-status=live}}</ref>
!scope=col|Security<ref name="trustworthy_ssl_pulse"/><ref name="community.qualys">{{cite web|url=https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what|access-date=2013-07-30|publisher=Qualsys Security Labs|author=ivanr|title=RC4 in TLS is Broken: Now What?|date=19 March 2013|url-status=live|archive-url=https://web.archive.org/web/20130827044512/https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what|archive-date=2013-08-27}}</ref>
|-
!scope=row {{Version |o |SSL 2.0}}
|0.1%
|{{Bad|Insecure}}
|-
!scope=row {{Version |o |SSL 3.0}}
|1.0%
|{{Bad|Insecure<ref name="poodle_pdf"/>}}
|-
!scope=row {{Version |o |TLS 1.0}}
|23.5%
|{{Depends|Deprecated<ref name="tls-deprecation"/><ref name=":3"/><ref name=":4"/>}}
|-
!scope=row {{Version |o |TLS 1.1}}
|25.2%
|{{Depends|Deprecated<ref name="tls-deprecation"/><ref name=":3"/><ref name=":4"/>}}
|-
!scope=row {{Version |co |TLS 1.2}}
|100%
|{{Depends|Depends on cipher<ref group="n"name="ciphers">see {{section link||Cipher}} table above</ref> and client mitigations<ref group="n"name="mitigations">see {{section link||Web browsers}} and {{section link||Attacks against TLS/SSL}} sections</ref>}}
|-
!scope=row {{Version |c |TLS 1.3}}
|75.3%
|{{Good|Secure}}
|}
'''Notes'''
{{reflist|group="n"}}
===Web browsers===
{{citations needed|1=section|date=April 2025}}
{{Further|topic=TLS/SSL support in web browsers|Version history for TLS/SSL support in web browsers|Comparison of web browsers}}
{{As of|2025|03}}, the latest versions of all major web browsers support TLS 1.2 and 1.3 and have them enabled by default, with the exception of [[Internet_Explorer_11|IE 11]]. TLS 1.0 and 1.1 are disabled by default on the latest versions of all major browsers.
Mitigations against known attacks are not enough yet:
*Mitigations against [[#POODLE attack|POODLE attack]]: some browsers already prevent fallback to SSL 3.0; however, this mitigation needs to be supported by not only clients but also servers. Disabling SSL 3.0 itself, implementation of "anti-POODLE record splitting", or denying CBC ciphers in SSL 3.0 is required.
**Google Chrome: complete (TLS_FALLBACK_SCSV is implemented since version 33, fallback to SSL 3.0 is disabled since version 39, SSL 3.0 itself is disabled by default since version 40. Support of SSL 3.0 itself was dropped since version 44.)
**Mozilla Firefox: complete (support of SSL 3.0 itself is dropped since [[History of Firefox#Version 38–44|version 39]]. SSL 3.0 itself is disabled by default and fallback to SSL 3.0 are disabled since [[History of Firefox#Version 31–37|version 34]], TLS_FALLBACK_SCSV is implemented since version 35. In ESR, SSL 3.0 itself is disabled by default and TLS_FALLBACK_SCSV is implemented since ESR 31.3.0.)
**Internet Explorer: partial (only in version 11, SSL 3.0 is disabled by default since April 2015. Version 10 and older are still vulnerable against POODLE.)
**[[Opera (web browser)|Opera]]: complete (TLS_FALLBACK_SCSV is implemented since version 20, "anti-POODLE record splitting", which is effective only with client-side implementation, is implemented since version 25, SSL 3.0 itself is disabled by default since version 27. Support of SSL 3.0 itself will be dropped since version 31.)
**Safari: complete (only on OS X 10.8 and later and iOS 8, CBC ciphers during fallback to SSL 3.0 is denied, but this means it will use RC4, which is not recommended as well. Support of SSL 3.0 itself is dropped on OS X 10.11 and later and iOS 9.)
*Mitigation against [[#RC4 attacks|RC4 attacks]]:
**Google Chrome disabled RC4 except as a fallback since version 43. RC4 is disabled since Chrome 48.
**Firefox disabled RC4 except as a fallback since version 36. Firefox 44 disabled RC4 by default.
**Opera disabled RC4 except as a fallback since version 30. RC4 is disabled since Opera 35.
**Internet Explorer for [[Windows 7]]/Server 2008 R2 and for [[Windows 8]]/Server 2012 have set the priority of RC4 to lowest and can also disable RC4 except as a fallback through registry settings. Internet Explorer 11 Mobile 11 for [[Windows Phone 8.1]] disable RC4 except as a fallback if no other enabled algorithm works. Edge [Legacy] and IE 11 disable RC4 completely in August 2016.
*Mitigation against [[#FREAK|FREAK attack]]:
**The Android Browser included with [[Android Ice Cream Sandwich|Android 4.0]] and older is still vulnerable to the FREAK attack.
**Internet Explorer 11 Mobile is still vulnerable to the FREAK attack.
**Google Chrome, Internet Explorer (desktop), Safari (desktop & mobile), and Opera (mobile) have FREAK mitigations in place.
**Mozilla Firefox on all platforms and Google Chrome on Windows were not affected by FREAK.
===Libraries===
{{Main|Comparison of TLS implementations}}{{Further|topic=protocol version support in libraries|Comparison of TLS implementations#TLS version support}}
Most SSL and TLS programming libraries are [[free and open-source software]].
*[[BoringSSL]], a fork of OpenSSL for Chrome/Chromium and Android as well as other Google applications.
*[[Botan (programming library)|Botan]], a BSD-licensed cryptographic library written in C++.
*[[BSAFE]] Micro Edition Suite: a multi-platform implementation of TLS written in [[C (programming language)|C]] using a FIPS-validated cryptographic module
*[[BSAFE]] SSL-J: a TLS library providing both a proprietary API and [[Java Secure Socket Extension|JSSE]] API, using FIPS-validated cryptographic module
*[[cryptlib]]: a portable open source cryptography library (includes TLS/SSL implementation)
*[[Delphi (programming language)|Delphi]] programmers may use a library called Indy which utilizes [[OpenSSL]] or alternatively ICS which supports TLS 1.3 now.
*[[GnuTLS]]: a free implementation (LGPL licensed)
*[[Java Secure Socket Extension]] (JSSE): the [[Java (programming language)|Java]] API and provider implementation (named SunJSSE)<ref>{{cite web|title=Java Secure Socket Extension (JSSE) Reference Guide|url=https://docs.oracle.com/en/java/javase/17/security/java-secure-socket-extension-jsse-reference-guide.html|access-date=2021-12-24|website=Oracle Help Center|language=en-US|archive-date=2022-01-22|archive-url=https://web.archive.org/web/20220122070356/https://docs.oracle.com/en/java/javase/17/security/java-secure-socket-extension-jsse-reference-guide.html|url-status=live}}</ref>
*[[LibreSSL]]: a fork of OpenSSL by OpenBSD project.
*[[MatrixSSL]]: a dual licensed implementation
*[[Mbed TLS]] (previously PolarSSL): A tiny SSL library implementation for embedded devices that is designed for ease of use
*[[Network Security Services]]: [[FIPS 140]] validated open source library
*[[OpenSSL]]: a free implementation (BSD license with some extensions)
*[[Security Support Provider Interface|Schannel]]: an implementation of SSL and TLS [[Microsoft Windows]] as part of its package.
*[[Secure Transport]]: an implementation of SSL and TLS used in [[OS X]] and [[iOS]] as part of their packages.
*[[wolfSSL]] (previously CyaSSL): Embedded SSL/TLS Library with a strong focus on speed and size.
A paper presented at the 2012 [[Association for Computing Machinery|ACM]] [[computer security conference|conference on computer and communications security]]<ref>{{cite book|last1=Georgiev|first1=Martin|last2=Iyengar|first2=Subodh|last3=Jana|first3=Suman|last4=Anubhai|first4=Rishita|last5=Boneh|first5=Dan|last6=Shmatikov|first6=Vitaly|title=The most dangerous code in the world: validating SSL certificates in non-browser software. Proceedings of the 2012 ACM conference on Computer and communications security|year=2012|isbn=978-1-4503-1651-4|url=http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf|pages=38–49|publisher=Association for Computing Machinery |url-status=live|archive-url=https://web.archive.org/web/20171022194807/http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf|archive-date=2017-10-22}}</ref> showed that many applications used some of these SSL libraries incorrectly, leading to vulnerabilities. According to the authors:
<blockquote>"The root cause of most of these vulnerabilities is the terrible design of the APIs to the underlying SSL libraries. Instead of expressing high-level security properties of network tunnels such as confidentiality and authentication, these APIs expose low-level details of the SSL protocol to application developers. As a consequence, developers often use SSL APIs incorrectly, misinterpreting and misunderstanding their manifold parameters, options, side effects, and return values."</blockquote>
===Other uses===
The [[Simple Mail Transfer Protocol]] (SMTP) can also be protected by TLS. These applications use [[public key certificate]]s to verify the identity of endpoints.
TLS can also be used for tunneling an entire network stack to create a [[virtual private network|VPN]], which is the case with [[OpenVPN]] and [[OpenConnect]]. Many vendors have by now married TLS's encryption and authentication capabilities with authorization. There has also been substantial development since the late 1990s in creating client technology outside of Web-browsers, in order to enable support for client/server applications. Compared to traditional [[IPsec]] VPN technologies, TLS has some inherent advantages in firewall and [[network address translation|NAT]] traversal that make it easier to administer for large remote-access populations.
TLS is also a standard method for protecting [[Session Initiation Protocol]] (SIP) application signaling. TLS can be used for providing authentication and encryption of the SIP signaling associated with [[Voice over IP|VoIP]] and other SIP-based applications.<ref>{{cite IETF|rfc=5630|title=The Use of the SIPS URI Scheme in the Session Initiation Protocol (SIP)|year=2009 |doi=10.17487/RFC5630 |last1=Audet |first1=F. }}</ref>
==Security==
===Attacks against TLS/SSL===
Significant attacks against TLS/SSL are listed below.
In February 2015, IETF issued an informational RFC<ref>{{cite ietf|rfc=7457|title=Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS)|year=2015 |doi=10.17487/RFC7457 |last1=Sheffer |first1=Y. |last2=Holz |first2=R. |last3=Saint-Andre |first3=P. }}</ref> summarizing the various known attacks against TLS/SSL.
====Renegotiation attack====
A vulnerability of the renegotiation procedure was discovered in August 2009 that can lead to plaintext injection attacks against SSL 3.0 and all current versions of TLS.<ref>{{cite web|url=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555|title=CVE – CVE-2009-3555|url-status=live|archive-url=https://web.archive.org/web/20160104234608/http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555|archive-date=2016-01-04}}</ref> For example, it allows an attacker who can hijack an [[https]] connection to splice their own requests into the beginning of the conversation the client has with the web server. The attacker cannot actually decrypt the client–server communication, so it is different from a typical [[man-in-the-middle attack]]. A short-term fix is for web servers to stop allowing renegotiation, which typically will not require other changes unless [[client certificate]] authentication is used. To fix the vulnerability, a renegotiation indication extension was proposed for TLS. It will require the client and server to include and verify information about previous handshakes in any renegotiation handshakes.<ref>{{cite web|first=Eric|last=Rescorla|title=Understanding the TLS Renegotiation Attack|work=Educated Guesswork|access-date=2009-11-27|date=2009-11-05|url=http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html|url-status=live|archive-url=https://web.archive.org/web/20120211120608/http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html|archive-date=2012-02-11}}</ref> This extension has become a proposed standard and has been assigned the number {{IETF RFC|5746}}. The RFC has been implemented by several libraries.<ref>{{cite web|title=SSL_CTX_set_options SECURE_RENEGOTIATION|work=OpenSSL Docs|access-date=2010-11-18|date=2010-02-25|url=https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html#SECURE_RENEGOTIATION|url-status=live|archive-url=https://web.archive.org/web/20101126121933/http://openssl.org/docs/ssl/SSL_CTX_set_options.html#SECURE_RENEGOTIATION|archive-date=2010-11-26}}</ref><ref>{{cite web|title=GnuTLS 2.10.0 released|work=GnuTLS release notes|access-date=2011-07-24|date=2010-06-25|url=http://article.gmane.org/gmane.network.gnutls.general/2046|url-status=live|archive-url=https://web.archive.org/web/20151017033726/http://article.gmane.org/gmane.network.gnutls.general/2046|archive-date=2015-10-17}}</ref><ref>{{cite web|title=NSS 3.12.6 release notes|work=NSS release notes|access-date=2011-07-24|date=2010-03-03|url=https://developer.mozilla.org/NSS_3.12.6_release_notes|url-status=dead|archive-url=https://web.archive.org/web/20120306184633/https://developer.mozilla.org/NSS_3.12.6_release_notes|archive-date=March 6, 2012}}</ref>
===={{Anchor|Downgrade attacks}}Downgrade attacks: {{Anchor|FREAK}}FREAK attack and {{Anchor|Logjam attack|Logjam}}Logjam attack====
{{Main|Downgrade attack|FREAK|Logjam (computer security)}}
A protocol [[downgrade attack]] (also called a version rollback attack) tricks a web server into negotiating connections with previous versions of TLS (such as SSLv2) that have long since been abandoned as insecure.
Previous modifications to the original protocols, like '''False Start'''<ref>{{cite journal|title=Transport Layer Security (TLS) False Start|url=http://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00|journal=Internet Engineering Task Force|publisher=IETF|access-date=2013-07-31|author1=A. Langley|author2=N. Modadugu|author3=B. Moeller|date=2010-06-02|url-status=live|archive-url=https://web.archive.org/web/20130905215608/http://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00|archive-date=2013-09-05}}</ref> (adopted and enabled by Google Chrome<ref>{{cite web|first=Wolfgang|last=Gruener|title=False Start: Google Proposes Faster Web, Chrome Supports It Already|url=http://www.conceivablytech.com/3299/products/false-start-google-proposes-faster-web-chrome-supports-it-already|access-date=2011-03-09|archive-url=https://web.archive.org/web/20101007061707/http://www.conceivablytech.com/3299/products/false-start-google-proposes-faster-web-chrome-supports-it-already|archive-date=2010-10-07}}</ref>) or '''Snap Start''', reportedly introduced limited TLS protocol downgrade attacks<ref>{{cite web|first=Brian|last=Smith|title=Limited rollback attacks in False Start and Snap Start|url=http://www.ietf.org/mail-archive/web/tls/current/msg06933.html|access-date=2011-03-09|url-status=live|archive-url=https://web.archive.org/web/20110504014418/http://www.ietf.org/mail-archive/web/tls/current/msg06933.html|archive-date=2011-05-04}}</ref> or allowed modifications to the cipher suite list sent by the client to the server. In doing so, an attacker might succeed in influencing the cipher suite selection in an attempt to downgrade the cipher suite negotiated to use either a weaker symmetric encryption algorithm or a weaker key exchange.<ref>{{cite web|first=Adrian|last=Dimcev|title=False Start|url=http://www.carbonwind.net/blog/post/Random-SSLTLS-101-False-Start.aspx|work=Random SSL/TLS 101|access-date=2011-03-09|url-status=live|archive-url=https://web.archive.org/web/20110504060256/http://www.carbonwind.net/blog/post/Random-SSLTLS-101-False-Start.aspx|archive-date=2011-05-04}}</ref> A paper presented at an [[Association for Computing Machinery|ACM]] [[Computer security conference|conference on computer and communications security]] in 2012 demonstrated that the False Start extension was at risk: in certain circumstances it could allow an attacker to recover the encryption keys offline and to access the encrypted data.<ref>{{cite book|author1=Mavrogiannopoulos, Nikos|author2=Vercautern, Frederik|author3=Velichkov, Vesselin|author4=Preneel, Bart|title=A cross-protocol attack on the TLS protocol. Proceedings of the 2012 ACM conference on Computer and communications security|year=2012|isbn=978-1-4503-1651-4|url=https://www.cosic.esat.kuleuven.be/publications/article-2216.pdf|pages=62–72|publisher=Association for Computing Machinery |url-status=live|archive-url=https://web.archive.org/web/20150706104327/https://www.cosic.esat.kuleuven.be/publications/article-2216.pdf|archive-date=2015-07-06}}</ref>
Encryption downgrade attacks can force servers and clients to negotiate a connection using cryptographically weak keys. In 2014, a [[man-in-the-middle]] attack called FREAK was discovered affecting the [[OpenSSL]] stack, the default [[Android (operating system)|Android]] web browser, and some [[Safari (web browser)|Safari]] browsers.<ref>{{cite web|title=SMACK: State Machine AttaCKs|url=https://www.smacktls.com|url-status=live|archive-url=https://web.archive.org/web/20150312074827/https://www.smacktls.com|archive-date=2015-03-12}}</ref> The attack involved tricking servers into negotiating a TLS connection using cryptographically weak 512 bit encryption keys.
Logjam is a [[security exploit]] discovered in May 2015 that exploits the option of using legacy [[Arms Export Control Act|"export-grade"]] 512-bit [[Diffie–Hellman key exchange|Diffie–Hellman]] groups dating back to the 1990s.<ref>{{cite web|url=https://arstechnica.com/security/2015/05/https-crippling-attack-threatens-tens-of-thousands-of-web-and-mail-servers|title=HTTPS-crippling attack threatens tens of thousands of Web and mail servers|first=Dan|last=Goodin|work=Ars Technica|date=2015-05-20|url-status=live|archive-url=https://web.archive.org/web/20170519130937/https://arstechnica.com/security/2015/05/https-crippling-attack-threatens-tens-of-thousands-of-web-and-mail-servers|archive-date=2017-05-19}}</ref> It forces susceptible servers to downgrade to cryptographically weak 512-bit Diffie–Hellman groups. An attacker can then deduce the keys the client and server determine using the [[Diffie–Hellman key exchange]].
====Cross-protocol attacks: DROWN====
{{Main|DROWN attack}}
The [[DROWN attack]] is an exploit that attacks servers supporting contemporary SSL/TLS protocol suites by exploiting their support for the obsolete, insecure, SSLv2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure.<ref>{{cite web|url=https://www.theregister.com/2016/03/01/drown_tls_protocol_flaw|title=One-third of all HTTPS websites open to DROWN attack|last=Leyden|first=John|date=1 March 2016|website=The Register|access-date=2016-03-02|url-status=live|archive-url=https://web.archive.org/web/20160301215536/http://www.theregister.co.uk/2016/03/01/drown_tls_protocol_flaw|archive-date=1 March 2016}}</ref><ref name=ars201603>{{cite web|url=https://arstechnica.com/information-technology/2016/03/more-than-13-million-https-websites-imperiled-by-new-decryption-attack|title=More than 11 million HTTPS websites imperiled by new decryption attack|website=Ars Technica|date=March 2016|access-date=2016-03-02|url-status=live|archive-url=https://web.archive.org/web/20160301191108/http://arstechnica.com/security/2016/03/more-than-13-million-https-websites-imperiled-by-new-decryption-attack|archive-date=2016-03-01}}</ref> DROWN exploits a vulnerability in the protocols used and the configuration of the server, rather than any specific implementation error. Full details of DROWN were announced in March 2016, together with a patch for the exploit. At that time, more than 81,000 of the top 1 million most popular websites were among the TLS protected websites that were vulnerable to the DROWN attack.<ref name=ars201603/>
===={{Anchor|BEAST}}BEAST attack====
On September 23, 2011, researchers Thai Duong and Juliano Rizzo demonstrated a proof of concept called '''BEAST''' ('''Browser Exploit Against SSL/TLS''')<ref name=DuongRizzo>{{cite web|url=https://bug665814.bugzilla.mozilla.org/attachment.cgi?id=540839|title=Here Come The ⊕ Ninjas|date=2011-05-13|author1=Thai Duong|author2=Juliano Rizzo|name-list-style=amp|url-status=live|archive-url=https://web.archive.org/web/20140603102506/https://bug665814.bugzilla.mozilla.org/attachment.cgi?id=540839|archive-date=2014-06-03}}</ref> using a [[Java applet]] to violate [[same origin policy]] constraints, for a long-known [[cipher block chaining]] (CBC) vulnerability in TLS 1.0:<ref name=DanGoodin>{{cite web|url=https://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl|title=Hackers break SSL encryption used by millions of sites|date=2011-09-19|first=Dan|last=Goodin|website=[[The Register]]|url-status=live|archive-url=https://web.archive.org/web/20120210185309/http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl|archive-date=2012-02-10}}</ref><ref name=combinator>{{cite web|url=http://news.ycombinator.com/item?id=3015498|title=Y Combinator comments on the issue|date=2011-09-20|url-status=live|archive-url=https://web.archive.org/web/20120331225714/http://news.ycombinator.com/item?id=3015498|archive-date=2012-03-31}}</ref> an attacker observing 2 consecutive ciphertext blocks C0, C1 can test if the plaintext block P1 is equal to x by choosing the next plaintext block {{nowrap|1=P2 = x ⊕ C0 ⊕ C1}}; as per CBC operation, {{nowrap|1=C2 = E(C1 ⊕ P2) = E(C1 ⊕ x ⊕ C0 ⊕ C1) = E(C0 ⊕ x)}}, which will be equal to C1 if {{nowrap|1=x = P1}}. Practical [[exploit (computer security)|exploits]] had not been previously demonstrated for this [[vulnerability (computing)|vulnerability]], which was originally discovered by [[Phillip Rogaway]]<ref>{{cite web|url=http://www.openssl.org/~bodo/tls-cbc.txt|archive-url=https://web.archive.org/web/20120630143111/http://www.openssl.org/~bodo/tls-cbc.txt|archive-date=2012-06-30|title=Security of CBC Ciphersuites in SSL/TLS: Problems and Countermeasures|date=2004-05-20}}</ref> in 2002. The vulnerability of the attack had been fixed with TLS 1.1 in 2006, but TLS 1.1 had not seen wide adoption prior to this attack demonstration.
[[RC4]] as a stream cipher is immune to BEAST attack. Therefore, RC4 was widely used as a way to mitigate BEAST attack on the server side. However, in 2013, researchers found more weaknesses in RC4. Thereafter enabling RC4 on server side was no longer recommended.<ref>{{cite web|url=https://community.qualys.com/blogs/securitylabs/2013/09/10/is-beast-still-a-threat|title=Is BEAST Still a Threat?|date=Sep 10, 2013|access-date=8 October 2014|last=Ristic|first=Ivan|url-status=live|archive-url=https://web.archive.org/web/20141012121824/https://community.qualys.com/blogs/securitylabs/2013/09/10/is-beast-still-a-threat|archive-date=12 October 2014}}</ref>
Chrome and Firefox themselves are not vulnerable to BEAST attack,<ref name=ChromeBEAST>{{cite web|url=http://googlechromereleases.blogspot.jp/2011/10/chrome-stable-release.html|title=Chrome Stable Release|work=Chrome Releases|date=2011-10-25|access-date=2015-02-01|url-status=live|archive-url=https://web.archive.org/web/20150220020306/http://googlechromereleases.blogspot.jp/2011/10/chrome-stable-release.html|archive-date=2015-02-20}}</ref><ref name=FirefoxBEAST>{{cite web|url=https://blog.mozilla.org/security/2011/09/27/attack-against-tls-protected-communications|title=Attack against TLS-protected communications|work=Mozilla Security Blog|publisher=Mozilla|date=2011-09-27|access-date=2015-02-01|url-status=live|archive-url=https://web.archive.org/web/20150304221307/https://blog.mozilla.org/security/2011/09/27/attack-against-tls-protected-communications|archive-date=2015-03-04}}</ref> however, Mozilla updated their [[Network Security Services|NSS]] libraries to mitigate BEAST-like [[Attack (computing)|attacks]]. NSS is used by [[Mozilla Firefox]] and [[Google Chrome]] to implement SSL. Some [[web server]]s that have a broken implementation of the SSL specification may stop working as a result.<ref>{{cite web|url=https://bugzilla.mozilla.org/show_bug.cgi?id=665814|title=(CVE-2011-3389) Rizzo/Duong chosen plaintext attack (BEAST) on SSL/TLS 1.0 (facilitated by websockets-76)|date=2011-09-30|first=Brian|last=Smith|access-date=2011-11-01|archive-date=2012-02-10|archive-url=https://web.archive.org/web/20120210202750/https://bugzilla.mozilla.org/show_bug.cgi?id=665814|url-status=live}}</ref>
[[Microsoft]] released Security Bulletin MS12-006 on January 10, 2012, which fixed the BEAST vulnerability by changing the way that the Windows Secure Channel ([[Schannel]]) component transmits encrypted network packets from the server end.<ref name=MS12-006>{{cite tech report|author=MSRC|author-link=Microsoft Security Response Center|date=2012-01-10|url=https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-006|title=Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)|website=Security Bulletins|number=MS12-006|access-date=2021-10-24|via=[[Microsoft Docs]]}}</ref> Users of Internet Explorer (prior to version 11) that run on older versions of Windows ([[Windows 7]], [[Windows 8]] and [[Windows Server 2008|Windows Server 2008 R2]]) can restrict use of TLS to 1.1 or higher.
[[Apple Inc.|Apple]] fixed BEAST vulnerability by implementing 1/n-1 split and turning it on by default in [[OS X Mavericks]], released on October 22, 2013.<ref>{{cite web|url=https://community.qualys.com/blogs/securitylabs/2013/10/31/apple-enabled-beast-mitigations-in-os-x-109-mavericks|title=Apple Enabled BEAST Mitigations in OS X 10.9 Mavericks|date=Oct 31, 2013|access-date=8 October 2014|last=Ristic|first=Ivan|url-status=live|archive-url=https://web.archive.org/web/20141012122536/https://community.qualys.com/blogs/securitylabs/2013/10/31/apple-enabled-beast-mitigations-in-os-x-109-mavericks|archive-date=12 October 2014}}</ref>
===={{Anchor|CRIME attack|BREACH attack|CRIME|BREACH}} CRIME and BREACH attacks====<!--This Anchor tag serves to provide a permanent target for incoming section links. Please do not move it out of the section heading, even though it disrupts edit summary generation (you can manually fix the edit summary before saving your changes). Please do not modify it, even if you modify the section title. It is always best to anchor an old section header that has been changed so that links to it won't be broken. See [[Template:Anchor]] for details. (This text: [[Template:Anchor comment]])-->
{{Main|CRIME|BREACH}}
The authors of the BEAST attack are also the creators of the later [[CRIME]] attack, which can allow an attacker to recover the content of web cookies when [[data compression]] is used along with TLS.<ref>{{cite web|url=https://arstechnica.com/security/2012/09/crime-hijacks-https-sessions|title=Crack in Internet's foundation of trust allows HTTPS session hijacking|website=Ars Technica|first=Dan|last=Goodin|date=2012-09-13|access-date=2013-07-31|url-status=live|archive-url=https://web.archive.org/web/20130801104610/http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions|archive-date=2013-08-01}}</ref><ref>{{cite web|url=http://threatpost.com/en_us/blogs/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312|title=CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions|publisher=ThreatPost|date=September 13, 2012|last=Fisher|first=Dennis|access-date=2012-09-13|url-status=dead|archive-url=https://web.archive.org/web/20120915224635/http://threatpost.com/en_us/blogs/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312|archive-date=September 15, 2012}}</ref> When used to recover the content of secret [[authentication cookie]]s, it allows an attacker to perform [[session hijacking]] on an authenticated web session.
While the CRIME attack was presented as a general attack that could work effectively against a large number of protocols, including but not limited to TLS, and application-layer protocols such as [[SPDY]] or [[HTTP]], only exploits against TLS and SPDY were demonstrated and largely mitigated in browsers and servers. The CRIME exploit against [[HTTP compression]] has not been mitigated at all, even though the authors of CRIME have warned that this vulnerability might be even more widespread than SPDY and TLS compression combined. In 2013 a new instance of the CRIME attack against HTTP compression, dubbed [[BREACH]], was announced. Based on the CRIME attack a BREACH attack can extract login tokens, email addresses or other sensitive information from TLS encrypted web traffic in as little as 30 seconds (depending on the number of bytes to be extracted), provided the attacker tricks the victim into visiting a malicious web link or is able to inject content into valid pages the user is visiting (ex: a wireless network under the control of the attacker).<ref name=Gooin20130801>{{cite web|last=Goodin|first=Dan|title=Gone in 30 seconds: New attack plucks secrets from HTTPS-protected pages|url=https://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages|work=Ars Technica|publisher=Condé Nast|access-date=2 August 2013|date=1 August 2013|url-status=live|archive-url=https://web.archive.org/web/20130803181144/http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages|archive-date=3 August 2013}}</ref> All versions of TLS and SSL are at risk from BREACH regardless of the encryption algorithm or cipher used.<ref>{{cite web|last=Leyden|first=John|title=Step into the BREACH: New attack developed to read encrypted web data|url=https://www.theregister.co.uk/2013/08/02/breach_crypto_attack|work=The Register|access-date=2 August 2013|date=2 August 2013|url-status=live|archive-url=https://web.archive.org/web/20130805233414/http://www.theregister.co.uk/2013/08/02/breach_crypto_attack|archive-date=5 August 2013}}</ref> Unlike previous instances of CRIME, which can be successfully defended against by turning off TLS compression or SPDY header compression, BREACH exploits HTTP compression which cannot realistically be turned off, as virtually all web servers rely upon it to improve data transmission speeds for users.<ref name=Gooin20130801/> This is a known limitation of TLS as it is susceptible to [[chosen-plaintext attack]] against the application-layer data it was meant to protect.
====Timing attacks on padding====
Earlier TLS versions were vulnerable against the [[padding oracle attack]] discovered in 2002. A novel variant, called the [[Lucky Thirteen attack]], was published in 2013.
Some experts<ref name="best-practices"/> also recommended avoiding [[triple DES]] CBC. Since the last supported ciphers developed to support any program using [[Windows XP]]'s SSL/TLS library like Internet Explorer on Windows XP are [[RC4]] and Triple-DES, and since RC4 is now deprecated (see discussion of [[talk:RC4|RC4 attacks]]), this makes it difficult to support any version of SSL for any program using this library on XP.
A fix was released as the Encrypt-then-MAC extension to the TLS specification, released as {{IETF RFC|7366}}.<ref>{{cite IETF|publisher=Internet Engineering Task Force|rfc=7366|title=Encrypt-then-MAC for Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)|date=September 2014|author=P. Gutmann}}</ref> The Lucky Thirteen attack can be mitigated in TLS 1.2 by using only AES_GCM ciphers; AES_CBC remains vulnerable. SSL may safeguard email, VoIP, and other types of communications over insecure networks in addition to its primary use case of secure data transmission between a client and the server.<ref name=":0" />
===={{Anchor|POODLE}}POODLE attack====
{{Main|POODLE}}
On October 14, 2014, Google researchers published a vulnerability in the design of SSL 3.0, which makes [[CBC mode of operation]] with SSL 3.0 vulnerable to a [[padding oracle attack|padding attack]] ({{CVE|2014-3566}}). They named this attack '''POODLE''' ('''Padding Oracle On Downgraded Legacy Encryption'''). On average, attackers only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages.<ref name="poodle_pdf">{{cite web|url=https://www.openssl.org/~bodo/ssl-poodle.pdf|title=This POODLE Bites: Exploiting The SSL 3.0 Fallback|author1=Bodo Möller, Thai Duong|author2=Krzysztof Kotowicz|name-list-style=amp|access-date=2014-10-15|url-status=live|archive-url=https://web.archive.org/web/20141014224443/https://www.openssl.org/~bodo/ssl-poodle.pdf|archive-date=2014-10-14}}</ref>
Although this vulnerability only exists in SSL 3.0 and most clients and servers support TLS 1.0 and above, all major browsers voluntarily downgrade to SSL 3.0 if the handshakes with newer versions of TLS fail unless they provide the option for a user or administrator to disable SSL 3.0 and the user or administrator does so{{citation needed|date=February 2015}}. Therefore, the man-in-the-middle can first conduct a [[version rollback attack]] and then exploit this vulnerability.<ref name="poodle_pdf"/>
On December 8, 2014, a variant of POODLE was announced that impacts TLS implementations that do not properly enforce padding byte requirements.<ref name="poodleagain">{{cite web|url=https://www.imperialviolet.org/2014/12/08/poodleagain.html|title=The POODLE bites again|date=December 8, 2014|last=Langley|first=Adam|access-date=2014-12-08|url-status=live|archive-url=https://web.archive.org/web/20141208200653/https://www.imperialviolet.org/2014/12/08/poodleagain.html|archive-date=December 8, 2014}}</ref>
===={{Anchor|RC4}}RC4 attacks====
{{Main|RC4#Security}}
Despite the existence of attacks on [[RC4]] that broke its security, cipher suites in SSL and TLS that were based on RC4 were still considered secure prior to 2013 based on the way in which they were used in SSL and TLS. In 2011, the RC4 suite was actually recommended as a workaround for the [[BEAST (computer security)|BEAST]] attack.<ref>{{Cite web|url=https://serverfault.com/questions/315042/safest-ciphers-to-use-with-the-beast-tls-1-0-exploit-ive-read-that-rc4-is-im|title=ssl – Safest ciphers to use with the BEAST? (TLS 1.0 exploit) I've read that RC4 is immune|website=Serverfault.com|access-date=20 February 2022|archive-date=20 February 2022|archive-url=https://web.archive.org/web/20220220210446/https://serverfault.com/questions/315042/safest-ciphers-to-use-with-the-beast-tls-1-0-exploit-ive-read-that-rc4-is-im|url-status=live}}</ref> New forms of attack disclosed in March 2013 conclusively demonstrated the feasibility of breaking RC4 in TLS, suggesting it was not a good workaround for BEAST.<ref name="community.qualys"/> An attack scenario was proposed by AlFardan, Bernstein, Paterson, Poettering and Schuldt that used newly discovered statistical biases in the RC4 key table<ref>{{cite book|contribution=Discovery and Exploitation of New Biases in RC4|author1=Pouyan Sepehrdad|author2=Serge Vaudenay|author3=Martin Vuagnoux|title=Selected Areas in Cryptography: 17th International Workshop, SAC 2010, Waterloo, Ontario, Canada, August 12–13, 2010, Revised Selected Papers|series=Lecture Notes in Computer Science|editor1=Alex Biryukov|editor2=Guang Gong|editor2-link=Guang Gong|editor3=Douglas R. Stinson|year=2011|volume=6544|pages=74–91|doi=10.1007/978-3-642-19574-7_5|isbn=978-3-642-19573-0}}</ref> to recover parts of the plaintext with a large number of TLS encryptions.<ref>{{cite web|url=http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html|title=Attack of the week: RC4 is kind of broken in TLS|work=Cryptography Engineering|access-date=March 12, 2013|last=Green|first=Matthew|date=12 March 2013|url-status=live|archive-url=https://web.archive.org/web/20130314214026/http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html|archive-date=March 14, 2013}}</ref><ref>{{cite web|title=On the Security of RC4 in TLS|url=http://www.isg.rhul.ac.uk/tls|publisher=Royal Holloway University of London|access-date=March 13, 2013|first1=Nadhem|last1=AlFardan|first2=Dan|last2=Bernstein|first3=Kenny|last3=Paterson|first4=Bertram|last4=Poettering|first5=Jacob|last5=Schuldt|url-status=live|archive-url=https://web.archive.org/web/20130315084623/http://www.isg.rhul.ac.uk/tls|archive-date=March 15, 2013}}</ref> An attack on RC4 in TLS and SSL that requires 13 × 2<sup>20</sup> encryptions to break RC4 was unveiled on 8 July 2013 and later described as "feasible" in the accompanying presentation at a [[USENIX]] Security Symposium in August 2013.<ref>{{cite journal|first1=Nadhem J.|last1=AlFardan|first2=Daniel J.|last2=Bernstein|first3=Kenneth G.|last3=Paterson|first4=Bertram|last4=Poettering|first5=Jacob C. N.|last5=Schuldt|date=8 July 2013|title=On the Security of RC4 in TLS and WPA|access-date=2 September 2013|url=http://www.isg.rhul.ac.uk/tls/RC4biases.pdf|journal=Information Security Group|url-status=live|archive-url=https://web.archive.org/web/20130922170155/http://www.isg.rhul.ac.uk/tls/RC4biases.pdf|archive-date=22 September 2013}}</ref><ref>{{cite conference|url=https://www.usenix.org/sites/default/files/conference/protected-files/alfardan_sec13_slides.pdf|title=On the Security of RC4 in TLS|first1=Nadhem J.|last1=AlFardan|first2=Daniel J.|last2=Bernstein|first3=Kenneth G.|last3=Paterson|first4=Bertram|last4=Poettering|first5=Jacob C. N.|last5=Schuldt|date=15 August 2013|conference=22nd [[USENIX]] Security Symposium|access-date=2 September 2013|quote=Plaintext recovery attacks against RC4 in TLS are feasible although not truly practical|page=51|url-status=live|archive-url=https://web.archive.org/web/20130922133950/https://www.usenix.org/sites/default/files/conference/protected-files/alfardan_sec13_slides.pdf|archive-date=22 September 2013}}</ref> In July 2015, subsequent improvements in the attack make it increasingly practical to defeat the security of RC4-encrypted TLS.<ref>{{cite web|last1=Goodin|first1=Dan|title=Once-theoretical crypto attack against HTTPS now verges on practicality|url=https://arstechnica.com/security/2015/07/once-theoretical-crypto-attack-against-https-now-verges-on-practicality|website=[[Ars Technica]]|date=15 July 2015|publisher=Conde Nast|access-date=16 July 2015|url-status=live|archive-url=https://web.archive.org/web/20150716084138/http://arstechnica.com/security/2015/07/once-theoretical-crypto-attack-against-https-now-verges-on-practicality|archive-date=16 July 2015}}</ref>
As many modern browsers have been designed to defeat BEAST attacks (except Safari for Mac OS X 10.7 or earlier, for iOS 6 or earlier, and for Windows; see {{section link||Web browsers}}), RC4 is no longer a good choice for TLS 1.0. The CBC ciphers which were affected by the BEAST attack in the past have become a more popular choice for protection.<ref name="best-practices"/> Mozilla and Microsoft recommend disabling RC4 where possible.<ref>{{cite web|url=https://wiki.mozilla.org/Security/Server_Side_TLS|title=Mozilla Security Server Side TLS Recommended Configurations|publisher=Mozilla|access-date=2015-01-03|url-status=live|archive-url=https://web.archive.org/web/20150103093047/https://wiki.mozilla.org/Security/Server_Side_TLS|archive-date=2015-01-03}}</ref><ref>{{cite web|url=http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx|title=Security Advisory 2868725: Recommendation to disable RC4|date=2013-11-12|publisher=Microsoft|access-date=2013-12-04|url-status=live|archive-url=https://web.archive.org/web/20131118081816/http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx|archive-date=2013-11-18}}</ref> {{IETF RFC|7465}} prohibits the use of RC4 cipher suites in all versions of TLS.
On September 1, 2015, Microsoft, Google, and Mozilla announced that RC4 cipher suites would be disabled by default in their browsers ([[Microsoft Edge Legacy|Microsoft Edge [Legacy]]], [[Internet Explorer 11]] on Windows 7/8.1/10, [[Firefox]], and [[Google Chrome|Chrome]]) in early 2016.<ref>{{cite web|url=https://blogs.windows.com/msedgedev/2015/09/01/ending-support-for-the-rc4-cipher-in-microsoft-edge-and-internet-explorer-11|title=Ending support for the RC4 cipher in Microsoft Edge and Internet Explorer 11|publisher=Microsoft Edge Team|date=September 1, 2015|url-status=live|archive-url=https://web.archive.org/web/20150902054341/http://blogs.windows.com/msedgedev/2015/09/01/ending-support-for-the-rc4-cipher-in-microsoft-edge-and-internet-explorer-11|archive-date=September 2, 2015}}</ref><ref>{{cite web|url=https://groups.google.com/a/chromium.org/forum/#!msg/security-dev/kVfCywocUO8/vgi_rQuhKgAJ|title=Intent to deprecate: RC4|date=Sep 1, 2015|last=Langley|first=Adam|access-date=September 2, 2015|archive-date=May 23, 2013|archive-url=https://web.archive.org/web/20130523081122/http://groups.google.com/a/chromium.org/group/chromium-os-dev/browse_thread/thread/337cca9a0da59ad6/9354a38894da5df5#!msg/security-dev/kVfCywocUO8/vgi_rQuhKgAJ|url-status=live}}</ref><ref>{{cite web|title=Intent to ship: RC4 disabled by default in Firefox 44|url=https://groups.google.com/forum/#!topic/mozilla.dev.platform/JIEFcrGhqSM/discussion|date=Sep 1, 2015|last=Barnes|first=Richard|url-status=live|archive-url=http://arquivo.pt/wayback/20110122130054/https://groups.google.com/forum/#!topic/mozilla.dev.platform/JIEFcrGhqSM/discussion|archive-date=2011-01-22}}</ref>
====Truncation attack====
A TLS (logout) truncation attack blocks a victim's account logout requests so that the user unknowingly remains logged into a web service. When the request to sign out is sent, the attacker injects an unencrypted [[Transmission Control Protocol|TCP]] FIN message (no more data from sender) to close the connection. The server therefore does not receive the logout request and is unaware of the abnormal termination.<ref name=register20130801>{{cite web|title=Gmail, Outlook.com and e-voting 'pwned' on stage in crypto-dodge hack|url=https://www.theregister.co.uk/2013/08/01/gmail_hotmail_hijacking|work=The Register|access-date=1 August 2013|author=John Leyden|date=1 August 2013|url-status=live|archive-url=https://web.archive.org/web/20130801193054/http://www.theregister.co.uk/2013/08/01/gmail_hotmail_hijacking|archive-date=1 August 2013}}</ref>
Published in July 2013,<ref>{{cite web|title=BlackHat USA Briefings|url=https://www.blackhat.com/us-13/briefings.html#Smyth|work=Black Hat 2013|access-date=1 August 2013|url-status=live|archive-url=https://web.archive.org/web/20130730124037/http://www.blackhat.com/us-13/briefings.html#Smyth|archive-date=30 July 2013}}</ref><ref>{{cite thesis|last1=Smyth|first1=Ben|last2=Pironti|first2=Alfredo|title=Truncating TLS Connections to Violate Beliefs in Web Applications|journal=7th USENIX Workshop on Offensive Technologies|date=2013|url=https://hal.inria.fr/hal-01102013|access-date=15 February 2016|url-status=live|archive-url=https://web.archive.org/web/20151106110117/https://hal.inria.fr/hal-01102013|archive-date=6 November 2015|type=report}}</ref> the attack causes web services such as [[Gmail]] and [[outlook.com|Hotmail]] to display a page that informs the user that they have successfully signed-out, while ensuring that the user's browser maintains authorization with the service, allowing an attacker with subsequent access to the browser to access and take over control of the user's logged-in account. The attack does not rely on installing malware on the victim's computer; attackers need only place themselves between the victim and the web server (e.g., by setting up a rogue wireless hotspot).<ref name=register20130801/> This vulnerability also requires access to the victim's computer.
Another possibility is when using FTP the data connection can have a false FIN in the data stream, and if the protocol rules for exchanging close_notify alerts is not adhered to a file can be truncated.
====Plaintext attack against DTLS====
In February 2013 two researchers from Royal Holloway, University of London discovered a timing attack<ref name="praad-tls">{{cite conference |title=Plaintext-recovery attacks against datagram TLS |last1=AlFardan |first1=Nadhem |last2=Paterson |first2=Kenneth G |conference=Network and distributed system security symposium (NDSS 2012) |year=2012 | url=http://www.isg.rhul.ac.uk/~kp/dtls.pdf | archive-url=https://web.archive.org/web/20120118070007/http://www.isg.rhul.ac.uk/~kp/dtls.pdf | archive-date=2012-01-18 | url-status=unfit}}</ref> which allowed them to recover (parts of the) plaintext from a DTLS connection using the OpenSSL or GnuTLS implementation of DTLS when [[Cipher Block Chaining]] mode encryption was used.
====Unholy PAC attack====
This attack, discovered in mid-2016, exploits weaknesses in the [[Web Proxy Autodiscovery Protocol]] (WPAD) to expose the URL that a web user is attempting to reach via a TLS-enabled web link.<ref>{{cite web|last1=Goodin|first1=Dan|title=New attack bypasses HTTPS protection on Macs, Windows, and Linux|url=https://arstechnica.com/security/2016/07/new-attack-that-cripples-https-crypto-works-on-macs-windows-and-linux|website=Ars Technica|date=26 July 2016|publisher=Condé Nast|access-date=28 July 2016|url-status=live|archive-url=https://web.archive.org/web/20160727160434/http://arstechnica.com/security/2016/07/new-attack-that-cripples-https-crypto-works-on-macs-windows-and-linux|archive-date=27 July 2016}}</ref> Disclosure of a URL can violate a user's privacy, not only because of the website accessed, but also because URLs are sometimes used to authenticate users. Document sharing services, such as those offered by Google and Dropbox, also work by sending a user a security token that is included in the URL. An attacker who obtains such URLs may be able to gain full access to a victim's account or data.
The exploit works against almost all browsers and operating systems.
====Sweet32 attack====
The Sweet32 attack breaks all 64-bit block ciphers used in CBC mode as used in TLS by exploiting a [[birthday attack]] and either a [[man-in-the-middle attack]] or injection of a malicious [[JavaScript]] into a web page. The purpose of the man-in-the-middle attack or the JavaScript injection is to allow the attacker to capture enough traffic to mount a birthday attack.<ref>{{Cite news|url=https://arstechnica.com/security/2016/08/new-attack-can-pluck-secrets-from-1-of-https-traffic-affects-top-sites|title=HTTPS and OpenVPN face new attack that can decrypt secret cookies|first=Dan|last=Goodin|newspaper=Ars Technica|date=August 24, 2016|access-date=August 24, 2016|url-status=live|archive-url=https://web.archive.org/web/20160824181630/http://arstechnica.com/security/2016/08/new-attack-can-pluck-secrets-from-1-of-https-traffic-affects-top-sites|archive-date=August 24, 2016}}</ref>
====Implementation errors: {{Anchor|Heartbleed}}Heartbleed bug, {{Anchor|BERserk}}BERserk attack, Cloudflare bug====
{{Main|Heartbleed|Cloudbleed}}
The [[Heartbleed]] bug is a serious vulnerability specific to the implementation of SSL/TLS in the popular [[OpenSSL]] cryptographic software library, affecting versions 1.0.1 to 1.0.1f. This weakness, reported in April 2014, allows attackers to steal [[Public-key cryptography|private keys]] from servers that should normally be protected.<ref>{{cite news|url=https://www.washingtonpost.com/blogs/style-blog/wp/2014/04/09/why-is-it-called-the-heartbleed-bug|title=Why is it called the 'Heartbleed Bug'?|newspaper=The Washington Post|date=2014-04-09|url-status=live|archive-url=https://web.archive.org/web/20141009063758/http://www.washingtonpost.com/blogs/style-blog/wp/2014/04/09/why-is-it-called-the-heartbleed-bug|archive-date=2014-10-09}}</ref> The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret private keys associated with the [[X.509|public certificates]] used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.<ref>{{cite web|url=https://blogs.comodo.com/e-commerce/heartbleed-bug-comodo-urges-openssl-users-to-apply-patch|title=Heartbleed Bug vulnerability [9 April 2014]|publisher=[[Comodo Group]]|url-status=live|archive-url=https://web.archive.org/web/20140705212748/https://blogs.comodo.com/e-commerce/heartbleed-bug-comodo-urges-openssl-users-to-apply-patch|archive-date=5 July 2014}}</ref> The vulnerability is caused by a [[buffer over-read]] bug in the OpenSSL software, rather than a defect in the SSL or TLS protocol specification.
In September 2014, a variant of [[Daniel Bleichenbacher]]'s PKCS#1 v1.5 RSA Signature Forgery vulnerability<ref>{{cite web|url=http://www.imc.org/ietf-openpgp/mail-archive/msg06063.html|title=Bleichenbacher's RSA signature forgery based on implementation error|date=August 2006|first=Daniel|last=Bleichenbacher|author-link=Daniel Bleichenbacher|url-status=dead|archive-url=https://web.archive.org/web/20141216203704/http://www.imc.org/ietf-openpgp/mail-archive/msg06063.html|archive-date=2014-12-16}}</ref> was announced by Intel Security Advanced Threat Research. This attack, dubbed BERserk, is a result of incomplete ASN.1 length decoding of public key signatures in some SSL implementations, and allows a man-in-the-middle attack by forging a public key signature.<ref>{{cite web|url=http://www.intelsecurity.com/advanced-threat-research|title=BERserk|date=September 2014|publisher=Intel Security: Advanced Threat Research|url-status=live|archive-url=https://web.archive.org/web/20150112153121/http://www.intelsecurity.com/advanced-threat-research|archive-date=2015-01-12}}</ref>
In February 2015, after media reported the hidden pre-installation of [[superfish]] adware on some Lenovo notebooks,<ref>{{cite web|url=https://arstechnica.com/information-technology/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections|title=Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections|last=Goodin|first=Dan|date=February 19, 2015|website=[[Ars Technica]]|access-date=December 10, 2017|url-status=live|archive-url=https://web.archive.org/web/20170912103610/https://arstechnica.com/information-technology/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections|archive-date=September 12, 2017}}</ref> a researcher found a trusted root certificate on affected Lenovo machines to be insecure, as the keys could easily be accessed using the company name, Komodia, as a passphrase.<ref>{{cite web|first=Filippo|last=Valsorda|url=https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken|title=Komodia/Superfish SSL validation is broken|publisher=Filippo.io|date=2015-02-20|url-status=live|archive-url=https://web.archive.org/web/20150224112141/https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken|archive-date=2015-02-24}}</ref> The Komodia library was designed to intercept client-side TLS/SSL traffic for parental control and surveillance, but it was also used in numerous adware programs, including Superfish, that were often surreptitiously installed unbeknownst to the computer user. In turn, these [[potentially unwanted program]]s installed the corrupt root certificate, allowing attackers to completely control web traffic and confirm false websites as authentic.
In May 2016, it was reported that dozens of Danish HTTPS-protected websites belonging to [[Visa Inc.]] were vulnerable to attacks allowing hackers to inject malicious code and forged content into the browsers of visitors.<ref name="forbidden">{{cite web|last1=Goodin|first1=Dan|title="Forbidden attack" makes dozens of HTTPS Visa sites vulnerable to tampering|url=https://arstechnica.com/security/2016/05/faulty-https-settings-leave-dozens-of-visa-sites-vulnerable-to-forgery-attacks|website=Ars Technica|date=26 May 2016|access-date=26 May 2016|url-status=live|archive-url=https://web.archive.org/web/20160526175713/http://arstechnica.com/security/2016/05/faulty-https-settings-leave-dozens-of-visa-sites-vulnerable-to-forgery-attacks|archive-date=26 May 2016}}</ref> The attacks worked because the TLS implementation used on the affected servers incorrectly reused random numbers ([[cryptographic nonce|nonces]]) that are intended to be used only once, ensuring that each [[#TLS handshake|TLS handshake]] is unique.<ref name=forbidden/>
In February 2017, an implementation error caused by a single mistyped character in code used to parse HTML created a buffer overflow error on [[Cloudflare]] servers. Similar in its effects to the Heartbleed bug discovered in 2014, this overflow error, widely known as [[Cloudbleed]], allowed unauthorized third parties to read data in the memory of programs running on the servers—data that should otherwise have been protected by TLS.<ref>{{cite web|last1=Clark Estes|first1=Adam|title=Everything You Need to Know About Cloudbleed, the Latest Internet Security Disaster|url=https://gizmodo.com/everything-you-need-to-know-about-cloudbleed-the-lates-1792710616|website=[[Gizmodo]]|date=February 24, 2017|access-date=2017-02-24|url-status=live|archive-url=https://web.archive.org/web/20170225013516/http://gizmodo.com/everything-you-need-to-know-about-cloudbleed-the-lates-1792710616|archive-date=2017-02-25}}</ref>
====Survey of websites vulnerable to attacks====
{{As of|2021|07}}, the Trustworthy Internet Movement estimated the ratio of websites that are vulnerable to TLS attacks.<ref name="trustworthy_ssl_pulse"/>
{|class="wikitable"style=text-align:center
|+Survey of the TLS vulnerabilities of the most popular websites
|-
!scope=col rowspan=2|Attacks
!scope=col colspan=4|Security
|-
!scope=col|Insecure
!scope=col|Depends
!scope=col|Secure
!scope=col|Other
|-
!scope=row|[[#Renegotiation attack|Renegotiation attack]]
|{{Bad|< 0.1%<br />support insecure renegotiation}}
|{{Partial|< 0.1%<br />support both}}
|{{Good|99.7%<br />support secure renegotiation}}
|{{CNone|0.3%<br />no support}}
|-
!scope=row|[[#RC4 attacks|RC4 attacks]]
|{{Bad|0.2%<br />support RC4 suites used with modern browsers}}
|{{Partial|3.0%<br />support some RC4 suites}}
|{{Good|96.9%<br />no support}}
|{{N/A}}
|-
!scope=row|[[#CRIME attack|TLS Compression (CRIME attack)]]
|{{Bad|0%<br />vulnerable}}
|{{N/A}}
|{{N/A}}
|{{N/A}}
|-
!scope=row|[[#Heartbleed|Heartbleed]]
|{{Bad|0%<br />vulnerable}}
|{{N/A}}
|{{N/A}}
|{{N/A}}
|-
!scope=row|[[CVE-2014-0224|ChangeCipherSpec injection attack]]
|{{Bad|< 0.1%<br />vulnerable and exploitable}}
|{{Partial|< 0.1%<br />vulnerable, not exploitable}}
|{{Good|99.5%<br />not vulnerable}}
|{{unknown|0.4%<br />unknown}}
|-
!scope=row|[[#POODLE attack|POODLE attack against TLS]]<br /><small>(Original POODLE against SSL 3.0 is not included)</small>
|{{Bad|< 0.1%<br />vulnerable and exploitable}}
|{{N/A}}
|{{Good|99.9%<br />not vulnerable}}
|{{unknown|0.1%<br />unknown}}
|-
!scope=row|[[#Downgrade attacks|Protocol downgrade]]
|{{Bad|4.1%<br />Downgrade defence not supported}}
|{{N/A}}
|{{Good|80.2%<br />Downgrade defence supported}}
|{{unknown|15.7%<br />unknown}}
|}
===Forward secrecy===
{{Main|Forward secrecy}}
Forward secrecy is a property of cryptographic systems which ensures that a session key derived from a set of public and private keys will not be compromised if one of the private keys is compromised in the future.<ref>{{cite journal|first1=Whitfield|last1=Diffie|last2=van Oorschot|first2=Paul C|last3=Wiener|first3=Michael J.|title=Authentication and Authenticated Key Exchanges|issue=2|journal=Designs, Codes and Cryptography|volume=2|pages=107–125|date=June 1992|doi=10.1007/BF00124891|url=http://citeseer.ist.psu.edu/diffie92authentication.html|access-date=2008-02-11|url-status=live|archive-url=https://web.archive.org/web/20080313081157/http://citeseer.ist.psu.edu/diffie92authentication.html|archive-date=2008-03-13|citeseerx=10.1.1.59.6682|s2cid=7356608}}</ref> Without forward secrecy, if the server's private key is compromised, not only will all future TLS-encrypted sessions using that server certificate be compromised, but also any past sessions that used it as well (provided that these past sessions were intercepted and stored at the time of transmission).<ref>{{Cite web|url=http://www1.ietf.org/mail-archive/web/tls/current/msg02134.html|archive-url=https://web.archive.org/web/20130922103746/http://www.ietf.org/mail-archive/web/tls/current/msg02134.html|url-status=dead|title=Discussion on the TLS mailing list in October 2007|archive-date=22 September 2013|access-date=20 February 2022}}</ref> An implementation of TLS can provide forward secrecy by requiring the use of ephemeral [[Diffie–Hellman key exchange]] to establish session keys, and some notable TLS implementations do so exclusively: e.g., [[Gmail]] and other Google HTTPS services that use [[OpenSSL]].<ref>{{cite web|url=http://googleonlinesecurity.blogspot.com.au/2011/11/protecting-data-for-long-term-with.html|title=Protecting data for the long term with forward secrecy|access-date=2012-11-05|url-status=live|archive-url=https://web.archive.org/web/20130506184654/http://googleonlinesecurity.blogspot.com.au/2011/11/protecting-data-for-long-term-with.html|archive-date=2013-05-06}}</ref> However, many clients and servers supporting TLS (including browsers and web servers) are not configured to implement such restrictions.<ref>{{cite web|url=https://vincent.bernat.ch/en/blog/2011-ssl-perfect-forward-secrecy|title=SSL/TLS & Perfect Forward Secrecy|first=Vincent|last=Bernat|date=28 November 2011|access-date=2012-11-05|url-status=live|archive-url=https://web.archive.org/web/20120827064047/https://vincent.bernat.ch/en/blog/2011-ssl-perfect-forward-secrecy|archive-date=2012-08-27}}</ref><ref>{{cite web|title=SSL Labs: Deploying Forward Secrecy|url=https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy|publisher=Qualys.com|access-date=2013-07-10|date=2013-06-25|url-status=live|archive-url=https://web.archive.org/web/20130626193314/https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy|archive-date=2013-06-26}}</ref> In practice, unless a web service uses Diffie–Hellman key exchange to implement forward secrecy, all of the encrypted web traffic to and from that service can be decrypted by a third party if it obtains the server's master (private) key; e.g., by means of a court order.<ref>{{cite web|last=Ristic|first=Ivan|title=SSL Labs: Deploying Forward Secrecy|url=https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy|publisher=Qualsys|access-date=2013-08-31|date=2013-08-05|url-status=live|archive-url=https://web.archive.org/web/20130920150259/https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy|archive-date=2013-09-20}}</ref>
Even where Diffie–Hellman key exchange is implemented, server-side session management mechanisms can impact forward secrecy. The use of [[#Resumed TLS handshake|TLS session tickets]] (a TLS extension) causes the session to be protected by AES128-CBC-SHA256 regardless of any other negotiated TLS parameters, including forward secrecy ciphersuites, and the long-lived TLS session ticket keys defeat the attempt to implement forward secrecy.<ref name="botchingpfs"/><ref name="ticketsecwp"/><ref name="ticketsecslides"/> Stanford University research in 2014 also found that of 473,802 TLS servers surveyed, 82.9% of the servers deploying ephemeral Diffie–Hellman (DHE) key exchange to support forward secrecy were using weak Diffie–Hellman parameters. These weak parameter choices could potentially compromise the effectiveness of the forward secrecy that the servers sought to provide.<ref>{{cite journal|author1=L.S. Huang|author2=S. Adhikarla|author3=D. Boneh|author4=C. Jackson|title=An Experimental Study of TLS Forward Secrecy Deployments|journal=IEEE Internet Computing|date=2014|volume=18|issue=6|pages=43–51|url=http://crypto.stanford.edu/~dabo/pubs/abstracts/websec_ecc.html|access-date=16 October 2015|url-status=live|archive-url=https://web.archive.org/web/20150920011317/http://crypto.stanford.edu/~dabo/pubs/abstracts/websec_ecc.html|archive-date=20 September 2015|doi=10.1109/MIC.2014.86|citeseerx=10.1.1.663.4653|s2cid=11264303}}</ref>
Since late 2011, Google has provided forward secrecy with TLS by default to users of its [[Gmail]] service, along with [[Google Docs]] and encrypted search, among other services.<ref name="googleLongTerm">{{cite web|url=http://googleonlinesecurity.blogspot.com.au/2011/11/protecting-data-for-long-term-with.html|title=Protecting data for the long term with forward secrecy|access-date=2014-03-07|url-status=live|archive-url=https://web.archive.org/web/20140212214518/http://googleonlinesecurity.blogspot.com.au/2011/11/protecting-data-for-long-term-with.html|archive-date=2014-02-12}}</ref>
Since November 2013, [[Twitter]] has provided forward secrecy with TLS to users of its service.<ref>{{cite web|last=Hoffman-Andrews|first=Jacob|title=Forward Secrecy at Twitter|url=https://blog.twitter.com/2013/forward-secrecy-at-twitter-0|publisher=Twitter|access-date=2014-03-07|url-status=live|archive-url=https://web.archive.org/web/20140216041202/https://blog.twitter.com/2013/forward-secrecy-at-twitter-0|archive-date=2014-02-16}}</ref> {{As of|2019|08}}, about 80% of TLS-enabled websites are configured to use cipher suites that provide forward secrecy to most web browsers.<ref name="trustworthy_ssl_pulse"/>
===TLS interception===
{{See also|Server Name Indication#Encrypted Client Hello}}
TLS interception (or [[HTTPS]] interception if applied particularly to that protocol) is the practice of intercepting an encrypted data stream in order to decrypt it, read and possibly manipulate it, and then re-encrypt it and send the data on its way again. This is done by way of a "[[transparent proxy]]": the interception software terminates the incoming TLS connection, inspects the HTTP plaintext, and then creates a new TLS connection to the destination.<ref name="Durumeric et al 2017">{{cite journal|last1=Durumeric|first1=Zakir|last2=Ma|first2=Zane|last3=Springall|first3=Drew|last4=Barnes|first4=Richard|last5=Sullivan|first5=Nick|last6=Bursztein|first6=Elie|last7=Bailey|first7=Michael|last8=Halderman|first8=J. Alex|last9=Paxson|first9=Vern|title=The Security Impact of HTTPS Interception|journal=NDSS Symposium|date=5 September 2017|doi=10.14722/ndss.2017.23456|url=https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/security-impact-https-interception|isbn=978-1-891562-46-4|access-date=11 March 2019|archive-date=22 March 2019|archive-url=https://web.archive.org/web/20190322145041/https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/security-impact-https-interception/|url-status=live|url-access=subscription}}</ref>
TLS/HTTPS interception is used as an [[information security]] measure by network operators in order to be able to scan for and protect against the intrusion of malicious content into the network, such as [[computer virus]]es and other [[malware]].<ref name="Durumeric et al 2017"/> Such content could otherwise not be detected as long as it is protected by encryption, which is increasingly the case as a result of the routine use of HTTPS and other secure protocols.
A significant drawback of TLS/HTTPS interception is that it introduces new security risks of its own. One notable limitation is that it provides a point where network traffic is available unencrypted thus giving attackers an incentive to attack this point in particular in order to gain access to otherwise secure content. The interception also allows the network operator, or persons who gain access to its interception system, to perform [[man-in-the-middle attack]]s against network users. A 2017 study found that "HTTPS interception has become startlingly widespread, and that interception products as a class have a dramatically negative impact on connection security".<ref name="Durumeric et al 2017"/>
==Protocol details==
The TLS protocol exchanges ''records'', which encapsulate the data to be exchanged in a specific format (see below). Each record can be compressed, padded, appended with a [[message authentication code]] (MAC), or encrypted, all depending on the state of the connection. Each record has a ''content type'' field that designates the type of data encapsulated, a length field and a TLS version field. The data encapsulated may be control or procedural messages of the TLS itself, or simply the application data needed to be transferred by TLS. The specifications (cipher suite, keys etc.) required to exchange application data by TLS, are agreed upon in the "TLS handshake" between the client requesting the data and the server responding to requests. The protocol therefore defines both the structure of payloads transferred in TLS and the procedure to establish and monitor the transfer.
===TLS handshake===
[[File:Full TLS 1.2 Handshake.svg|thumb|Simplified illustration of the full TLS 1.2 handshake with timing information]]
When the connection starts, the record encapsulates a "control" protocol – the handshake messaging protocol (''content type'' 22). This protocol is used to exchange all the information required by both sides for the exchange of the actual application data by TLS. It defines the format of messages and the order of their exchange. These may vary according to the demands of the client and server – i.e., there are several possible procedures to set up the connection. This initial exchange results in a successful TLS connection (both parties ready to transfer application data with TLS) or an alert message (as specified below).
====Basic TLS handshake====
A typical connection example follows, illustrating a [[Handshake (computing)|handshake]] where the server (but not the client) is authenticated by its certificate:
#Negotiation phase:
#*A client sends a '''ClientHello''' message specifying the highest TLS protocol version it supports, a random number, a list of suggested [[cipher suite]]s and suggested compression methods. If the client is attempting to perform a resumed handshake, it may send a ''session ID''. If the client can use [[Application-Layer Protocol Negotiation]], it may include a list of supported application [[communications protocol|protocols]], such as [[HTTP/2]].
#*The server responds with a '''ServerHello''' message, containing the chosen protocol version, a random number, cipher suite and compression method from the choices offered by the client. To confirm or allow resumed handshakes the server may send a ''session ID''. The chosen protocol version should be the highest that both the client and server support. For example, if the client supports TLS version 1.1 and the server supports version 1.2, version 1.1 should be selected; version 1.2 should not be selected.
#*The server sends its '''Certificate''' message (depending on the selected cipher suite, this may be omitted by the server).<ref name="openpgp">These certificates are currently [[X.509]], but {{IETF RFC|6091}} also specifies the use of [[OpenPGP]]-based certificates.</ref>
#*The server sends its '''ServerKeyExchange''' message (depending on the selected cipher suite, this may be omitted by the server). This message is sent for all [[Diffie–Hellman key exchange|DHE]], [[ECDHE]] and DH_anon cipher suites.{{ref RFC|5246}}
#*The server sends a '''ServerHelloDone''' message, indicating it is done with handshake negotiation.
#*The client responds with a '''ClientKeyExchange''' message, which may contain a ''PreMasterSecret'', public key, or nothing. (Again, this depends on the selected cipher.) This ''PreMasterSecret'' is encrypted using the public key of the server certificate.
#*The client and server then use the random numbers and ''PreMasterSecret'' to compute a common secret, called the "master secret". All other key data ([[session key]]s such as [[initialization vector|IV]], [[symmetric encryption]] key, [[message authentication code|MAC]] key<ref>{{cite web|title=tls – Differences between the terms "pre-master secret", "master secret", "private key", and "shared secret"?|url=https://crypto.stackexchange.com/questions/27131/differences-between-the-terms-pre-master-secret-master-secret-private-key|access-date=2020-10-01|website=Cryptography Stack Exchange|archive-date=2020-09-22|archive-url=https://web.archive.org/web/20200922021454/https://crypto.stackexchange.com/questions/27131/differences-between-the-terms-pre-master-secret-master-secret-private-key|url-status=live}}</ref>) for this connection is derived from this master secret (and the client- and server-generated random values), which is passed through a carefully designed [[pseudorandomness|pseudorandom]] function.
#The client now sends a '''ChangeCipherSpec''' record, essentially telling the server, "Everything I tell you from now on will be authenticated (and encrypted if encryption parameters were present in the server certificate)." The ChangeCipherSpec is itself a record-level protocol with content type of 20.
#*The client sends an authenticated and encrypted '''Finished''' message, containing a hash and MAC over the previous handshake messages.
#*The server will attempt to decrypt the client's ''Finished'' message and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be terminated.
#Finally, the server sends a '''ChangeCipherSpec''', telling the client, "Everything I tell you from now on will be authenticated (and encrypted, if encryption was negotiated)."
#*The server sends its authenticated and encrypted '''Finished''' message.
#*The client performs the same decryption and verification procedure as the server did in the previous step.
#Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with content type of 23. Application messages exchanged between client and server will also be authenticated and optionally encrypted exactly like in their ''Finished'' message. Otherwise, the content type will return 25 and the client will not authenticate.
====Client-authenticated TLS handshake====
The following ''full'' example shows a client being authenticated (in addition to the server as in the example above; see [[mutual authentication]]) via TLS using certificates exchanged between both peers.
#Negotiation Phase:
#*A client sends a '''ClientHello''' message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and compression methods.
#*The server responds with a '''ServerHello''' message, containing the chosen protocol version, a random number, cipher suite and compression method from the choices offered by the client. The server may also send a ''session id'' as part of the message to perform a resumed handshake.
#*The server sends its '''Certificate''' message (depending on the selected cipher suite, this may be omitted by the server).<ref name="openpgp"/>
#*The server sends its '''ServerKeyExchange''' message (depending on the selected cipher suite, this may be omitted by the server). This message is sent for all DHE, ECDHE and DH_anon ciphersuites.{{Ref|5246|rsection=7.4.3}}
#*The server sends a '''CertificateRequest''' message, to request a certificate from the client.
#*The server sends a '''ServerHelloDone''' message, indicating it is done with handshake negotiation.
#*The client responds with a '''Certificate''' message, which contains the client's certificate, but not its private key.
#*The client sends a '''ClientKeyExchange''' message, which may contain a ''PreMasterSecret'', public key, or nothing. (Again, this depends on the selected cipher.) This ''PreMasterSecret'' is encrypted using the public key of the server certificate.
#*The client sends a '''CertificateVerify''' message, which is a signature over the previous handshake messages using the client's certificate's private key. This signature can be verified by using the client's certificate's public key. This lets the server know that the client has access to the private key of the certificate and thus owns the certificate.
#*The client and server then use the random numbers and ''PreMasterSecret'' to compute a common secret, called the "master secret". All other key data ("session keys") for this connection is derived from this master secret (and the client- and server-generated random values), which is passed through a carefully designed pseudorandom function.
#The client now sends a '''ChangeCipherSpec''' record, essentially telling the server, "Everything I tell you from now on will be authenticated (and encrypted if encryption was negotiated). "The ChangeCipherSpec is itself a record-level protocol and has type 20 and not 22.
#*Finally, the client sends an encrypted '''Finished''' message, containing a hash and MAC over the previous handshake messages.
#*The server will attempt to decrypt the client's ''Finished'' message and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be torn down.
#Finally, the server sends a '''ChangeCipherSpec''', telling the client, "Everything I tell you from now on will be authenticated (and encrypted if encryption was negotiated)."
#*The server sends its own encrypted '''Finished''' message.
#*The client performs the same decryption and verification procedure as the server did in the previous step.
#Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with content type of 23. Application messages exchanged between client and server will also be encrypted exactly like in their ''Finished'' message.
====Resumed TLS handshake====
Public key operations (e.g., RSA) are relatively expensive in terms of computational power. TLS provides a secure shortcut in the handshake mechanism to avoid these operations: resumed sessions. Resumed sessions are implemented using session IDs or session tickets.
Apart from the performance benefit, resumed sessions can also be used for [[single sign-on]], as it guarantees that both the original session and any resumed session originate from the same client. This is of particular importance for the [[FTPS|FTP over TLS/SSL]] protocol, which would otherwise suffer from a man-in-the-middle attack in which an attacker could intercept the contents of the secondary data connections.<ref>{{cite web|author=Chris|url=http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html|title=vsftpd-2.1.0 released – Using TLS session resume for FTPS data connection authentication|publisher=Scarybeastsecurity. blogspot.com|date=2009-02-18|access-date=2012-05-17|url-status=live|archive-url=https://web.archive.org/web/20120707213409/http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html|archive-date=2012-07-07}}</ref>
====TLS 1.3 handshake====
The TLS 1.3 handshake was condensed to only one round trip compared to the two round trips required in previous versions of TLS/SSL.
To start the handshake, the client guesses which key exchange algorithm will be selected by the server and sends a '''ClientHello''' message to the server containing a list of supported ciphers (in order of the client's preference) and public keys for some or all of its key exchange guesses. If the client successfully guesses the key exchange algorithm, 1 round trip is eliminated from the handshake. After receiving the '''ClientHello''', the server selects a cipher and sends back a '''ServerHello''' with its own public key, followed by server '''Certificate''' and '''Finished''' messages.<ref>{{cite IETF|title= The Transport Layer Security (TLS) Protocol Version 1.3|rfc=8446|section=4.1.1 |sectionname=Cryptographic Negotiation|publisher=IETF |date=August 2018 |last1=Rescorla |first1=Eric }}</ref>
After the client receives the server's finished message, it now is coordinated with the server on which cipher suite to use.<ref>{{cite web|last=Valsorda|first=Filippo|title=An overview of TLS 1.3 and Q&A|url=https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a|website=The Cloudflare Blog|date=23 September 2016|access-date=3 May 2019|archive-date=3 May 2019|archive-url=https://web.archive.org/web/20190503043936/https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/|url-status=live}}</ref>
=====Session IDs=====
In an ordinary ''full'' handshake, the server sends a ''session id'' as part of the '''ServerHello''' message. The client associates this ''session id'' with the server's IP address and TCP port, so that when the client connects again to that server, it can use the ''session id'' to shortcut the handshake. In the server, the ''session id'' maps to the cryptographic parameters previously negotiated, specifically the "master secret". Both sides must have the same "master secret" or the resumed handshake will fail (this prevents an eavesdropper from using a ''session id''). The random data in the '''ClientHello''' and '''ServerHello''' messages virtually guarantee that the generated connection keys will be different from in the previous connection. In the RFCs, this type of handshake is called an ''abbreviated'' handshake. It is also described in the literature as a ''restart'' handshake.
#Negotiation phase:
#*A client sends a '''ClientHello''' message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and compression methods. Included in the message is the ''session id'' from the previous TLS connection.
#*The server responds with a '''ServerHello''' message, containing the chosen protocol version, a random number, cipher suite and compression method from the choices offered by the client. If the server recognizes the ''session id'' sent by the client, it responds with the same ''session id''. The client uses this to recognize that a resumed handshake is being performed. If the server does not recognize the ''session id'' sent by the client, it sends a different value for its ''session id''. This tells the client that a resumed handshake will not be performed. At this point, both the client and server have the "master secret" and random data to generate the key data to be used for this connection.
#The server now sends a '''ChangeCipherSpec''' record, essentially telling the client, "Everything I tell you from now on will be encrypted." The ChangeCipherSpec is itself a record-level protocol and has type 20 and not 22.
#*Finally, the server sends an encrypted '''Finished''' message, containing a hash and MAC over the previous handshake messages.
#*The client will attempt to decrypt the server's ''Finished'' message and verify the hash and MAC. If the decryption or verification fails, the handshake is considered to have failed and the connection should be torn down.
#Finally, the client sends a '''ChangeCipherSpec''', telling the server, "Everything I tell you from now on will be encrypted."
#*The client sends its own encrypted '''Finished''' message.
#*The server performs the same decryption and verification procedure as the client did in the previous step.
#Application phase: at this point, the "handshake" is complete and the application protocol is enabled, with content type of 23. Application messages exchanged between client and server will also be encrypted exactly like in their ''Finished'' message.
=====Session tickets=====
{{IETF RFC|5077}} extends TLS via use of session tickets, instead of session IDs. It defines a way to resume a TLS session without requiring that session-specific state is stored at the TLS server.
When using session tickets, the TLS server stores its session-specific state in a session ticket and sends the session ticket to the TLS client for storing. The client resumes a TLS session by sending the session ticket to the server, and the server resumes the TLS session according to the session-specific state in the ticket. The session ticket is encrypted and authenticated by the server, and the server verifies its validity before using its contents.
One particular weakness of this method with [[OpenSSL]] is that it always limits encryption and authentication security of the transmitted TLS session ticket to <code>AES128-CBC-SHA256</code>, no matter what other TLS parameters were negotiated for the actual TLS session.<ref name="ticketsecwp">{{cite web|title=TLS "Secrets": Whitepaper presenting the security implications of the deployment of session tickets (RFC 5077) as implemented in OpenSSL|first=Florent|last=Daignière|publisher=Matta Consulting Limited|access-date=7 August 2013|url=https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-WP.pdf|url-status=live|archive-url=https://web.archive.org/web/20130806233112/https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-WP.pdf|archive-date=6 August 2013}}</ref> This means that the state information (the TLS session ticket) is not as well protected as the TLS session itself. Of particular concern is OpenSSL's storage of the keys in an application-wide context (<code>SSL_CTX</code>), i.e. for the life of the application, and not allowing for re-keying of the <code>AES128-CBC-SHA256</code> TLS session tickets without resetting the application-wide OpenSSL context (which is uncommon, error-prone and often requires manual administrative intervention).<ref name="ticketsecslides">{{cite web|title=TLS "Secrets": What everyone forgot to tell you…|first=Florent|last=Daignière|publisher=Matta Consulting Limited|access-date=7 August 2013|url=https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf|url-status=live|archive-url=https://web.archive.org/web/20130805134805/https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf|archive-date=5 August 2013}}</ref><ref name="botchingpfs">{{cite web|title=How to botch TLS forward secrecy|first=Adam|last=Langley|website=imperialviolet.org|date=27 June 2013|url=https://www.imperialviolet.org/2013/06/27/botchingpfs.html|url-status=live|archive-url=https://web.archive.org/web/20130808221614/https://www.imperialviolet.org/2013/06/27/botchingpfs.html|archive-date=8 August 2013}}</ref>
===TLS record===
This is the general format of all TLS records.
{|class="wikitable"style=width:95%;text-align:center
|+TLS record format, general
|-
!scope=col|Offset
!scope=col style=width:22%|Byte+0
!scope=col style=width:22%|Byte+1
!scope=col style=width:22%|Byte+2
!scope=col style=width:22%|Byte+3
|-
!scope=row|Byte<br />0
|style=background:#dfd|Content type
|colspan=3{{N/A}}
|-
!scope=row rowspan=2|Bytes<br />1–4
|colspan=2 style=background:#fdd|Legacy version
|colspan=2 style=background:#fdd|Length
|-style=background:#fdd
|''(Major)''
|''(Minor)''
|''(bits 15–8)''
|''(bits 7–0)''
|-
!scope=row|Bytes<br />5–(''m''−1)
|colspan=4|Protocol message(s)
|-
!scope=row|Bytes<br />''m''–(''p''−1)
|colspan=4 style=background:#fbb|[[message authentication code|MAC]] (optional)
|-
!scope=row|Bytes<br />''p''–(''q''−1)
|colspan=4 style=background:#fbb|Padding (block ciphers only)
|}
;Content type
:This field identifies the Record Layer Protocol Type contained in this record.
{|class=wikitable
|+Content types
|-
!scope=col|Hex
!scope=col|Dec
!scope=col|Type
|-
!scope=row|0×14
|20
|ChangeCipherSpec
|-
!scope=row|0×15
|21
|Alert
|-
!scope=row|0×16
|22
|Handshake
|-
!scope=row|0×17
|23
|Application
|-
!scope=row|0×18
|24
|Heartbeat
|}
;Legacy version
:This field identifies the major and minor version of TLS prior to TLS 1.3 for the contained message. For a ClientHello message, this need not be the ''highest'' version supported by the client. For TLS 1.3 and later, this must to be set 0x0303 and application must send supported versions in an extra message extension block.
{|class=wikitable
|+Versions
|-
!scope=col|Major<br />version
!scope=col|Minor<br />version
!scope=col|Version type
|-
!scope=row|3
|0
|SSL 3.0
|-
!scope=row|3
|1
|TLS 1.0
|-
!scope=row|3
|2
|TLS 1.1
|-
!scope=row|3
|3
|TLS 1.2
|-
!scope=row|3
|4
|TLS 1.3
|}
;Length
:The length of "protocol message(s)", "MAC" and "padding" fields combined (i.e. ''q''−5), not to exceed 2<sup>14</sup> bytes (16 KiB).
;Protocol message(s)
:One or more messages identified by the Protocol field. Note that this field may be encrypted depending on the state of the connection.
;MAC and padding
:A [[message authentication code]] computed over the "protocol message(s)" field, with additional key material included. Note that this field may be encrypted, or not included entirely, depending on the state of the connection.
:No "MAC" or "padding" fields can be present at end of TLS records before all cipher algorithms and parameters have been negotiated and handshaked and then confirmed by sending a CipherStateChange record (see below) for signalling that these parameters will take effect in all further records sent by the same peer.
====Handshake protocol====
Most messages exchanged during the setup of the TLS session are based on this record, unless an error or warning occurs and needs to be signaled by an Alert protocol record (see below), or the encryption mode of the session is modified by another record (see ChangeCipherSpec protocol below).
{|class="wikitable"style=width:95%;text-align:center
|+TLS record format for handshake protocol
|-
!scope=col|Offset
!scope=col style=width:22%|Byte+0
!scope=col style=width:22%|Byte+1
!scope=col style=width:22%|Byte+2
!scope=col style=width:22%|Byte+3
|-
!scope=row|Byte<br />0
|style=background:#dfd|22
|-
!scope=row rowspan=2|Bytes<br />1–4
|
|
|-style=background:#fdd
|''(Major)''
|''(Minor)''
|''(bits 15–8)''
|''(bits 7–0)''
|-
!scope=row rowspan=2|Bytes<br />5–8
|rowspan=2|Message type
|
|-style=font-size:90%;line-height:1.2
|''(bits 23–16)''
|''(bits 15–8)''
|''(bits 7–0)''
|-
!scope=row|Bytes<br />9–(''n''−1)
|
|-
!scope=row rowspan=2|Bytes<br />''n''–(''n''+3)
|rowspan=2 style=background:#fdd|Message type
|
|-style=background:#fdd
|''(bits 23–16)''
|''(bits 15–8)''
|''(bits 7–0)''
|-
!scope=row|Bytes<br />(''n''+4)–
|colspan=4 style=background:#fdd|Handshake message data
|}
;
: |-
!
!
|-
!scope=row|0
|HelloRequest
|-
!scope=row|1
|ClientHello
|-
!scope=row|2
|ServerHello
|-
!scope=row|4
|NewSessionTicket
|-
!scope=row|8
|EncryptedExtensions (TLS 1.3 only)
|-
!scope=row|11
|Certificate
|-
!scope=row|12
|ServerKeyExchange
|-
!scope=row|13
|CertificateRequest
|-
!scope=row|14
|ServerHelloDone
|-
!scope=row|15
|CertificateVerify
|-
!scope=row|16
|ClientKeyExchange
|-
!scope=row|20
|Finished
|}
;Handshake message data length
:This is a 3-byte field indicating the length of the handshake data, not including the header.
Note that multiple
===
This record should normally not be sent during normal handshaking or application exchanges. However, this message can be sent at any time during the handshake and up to the closure of the session. If this is used to signal a fatal error, the session will be closed immediately after sending this record, so this record is used to give a reason for this closure. If the alert level is flagged as a warning, the remote can decide to close the session if it decides that the session is not reliable enough for its needs (before doing so, the remote may also send its own signal).
{|class="wikitable"style=width:95%;text-align:center
|+TLS record format for alert protocol
|-
!scope=col|Offset
!scope=col
!scope=col
!scope=col
!scope=col
|-
!scope=row|Byte<br />0
|style=background:#dfd|21
|colspan=3{{N/A}}
|-
!scope=row rowspan=2|Bytes<br />1–4
|
|
|-style=background:#fdd
|''(Major)''
|''(Minor)''
|0
|2
|-
!Bytes<br />5–6
|Level
|Description
|colspan=2{{N/A}}
|-
!Bytes<br />''7''–(''p''−1)
|colspan=4 style=background:#fbb|[[message authentication code|MAC]] (optional)
|-
!Bytes<br />''p''–(''q''−1)
|
|}
;Level
:This field identifies the level of alert. If the level is fatal, the sender should close the session immediately. Otherwise, the recipient may decide to terminate the session itself, by sending its own fatal alert and closing the session itself immediately after sending it. The use of Alert records is optional, however if it is missing before the session closure, the session may be resumed automatically (with its handshakes).
:Normal closure of a session after termination of the transported application should preferably be alerted with at least the ''Close notify'' Alert type (with a simple warning level) to prevent such automatic resume of a new session. Signalling explicitly the normal closure of a secure session before effectively closing its transport layer is useful to prevent or detect attacks (like attempts to truncate the securely transported data, if it intrinsically does not have a predetermined length or duration that the recipient of the secured data may expect).
{|class="wikitable"style=width:90%
|+Alert level types
|-
!scope=col|Code
!scope=col|Level type
!scope=col|Connection state
|-
!scope=row|1
|style=background:yellow;text-align:center|'''warning'''
|connection or security may be unstable.
|-
!scope=row|2
|style=background:red;text-align:center|'''fatal'''
|connection or security may be compromised, or an unrecoverable error has occurred.
|}
;Description
:This field identifies which type of alert is being sent.
{|class="wikitable"style=width:90%
|+Alert description types
|-
!scope=col|Code
!scope=col|Description
!scope=col|Level types
!scope=col|Note
|-
!scope=row|0
|Close notify
|style=background:orange;text-align:center|'''warning'''/'''fatal'''
|
|-
!scope=row|10
|Unexpected message
|style=background:red;text-align:center|'''fatal'''
|
|-
!scope=row|20
|Bad record MAC
|style=background:red;text-align:center|'''fatal'''
|Possibly a bad SSL implementation, or payload has been tampered with e.g. FTP firewall rule on [[FTPS]] server.
|-
!scope=row|21
|Decryption failed
|style=background:red;text-align:center|'''fatal'''
|TLS only, reserved
|-
!scope=row|22
|Record overflow
|style=background:red;text-align:center|'''fatal'''
|TLS only
|-
!scope=row|30
|Decompression failure
|style=background:red;text-align:center|'''fatal'''
|
|-
!scope=row|40
|Handshake failure
|style=background:red;text-align:center|'''fatal'''
|
|-
!scope=row|41
|No certificate
|style=background:orange;text-align:center|'''warning'''/'''fatal'''
|SSL 3.0 only, reserved
|-
!scope=row|42
|Bad certificate
|style=background:orange;text-align:center|'''warning'''/'''fatal'''
|
|-
!scope=row|43
|Unsupported certificate
|style=background:orange;text-align:center|'''warning'''/'''fatal'''
|e.g. certificate has only server authentication usage enabled and is presented as a client certificate
|-
!scope=row|44
|Certificate revoked
|style=background:orange;text-align:center|'''warning'''/'''fatal'''
|
|-
!scope=row|45
|Certificate expired
|style=background:orange;text-align:center|'''warning'''/'''fatal'''
|Check server certificate expire also check no certificate in the chain presented has expired
|-
!scope=row|46
|Certificate unknown
|style=background:orange;text-align:center|'''warning'''/'''fatal'''
|
|-
!scope=row|47
|Illegal parameter
|style=background:red;text-align:center|'''fatal'''
|
|-
!scope=row|48
|Unknown CA ([[Certificate authority]])
|style=background:red;text-align:center|'''fatal'''
|TLS only
|-
!scope=row|49
|Access denied
|style=background:red;text-align:center|'''fatal'''
|TLS only – e.g. no client certificate has been presented (TLS: Blank certificate message or SSLv3: No Certificate alert), but server is configured to require one.
|-
!scope=row|50
|Decode error
|style=background:red;text-align:center|'''fatal'''
|TLS only
|-
!scope=row|51
|Decrypt error
|style=background:orange;text-align:center|'''warning'''/'''fatal'''
|TLS only
|-
!scope=row|60
|Export restriction
|style=background:red;text-align:center|'''fatal'''
|TLS only, reserved
|-
!scope=row|70
|Protocol version
|style=background:red;text-align:center|'''fatal'''
|TLS only
|-
!scope=row|71
|Insufficient security
|style=background:red;text-align:center|'''fatal'''
|TLS only
|-
!scope=row|80
|Internal error
|style=background:red;text-align:center|'''fatal'''
|TLS only
|-
!scope=row|86
|Inappropriate fallback
|style=background:red;text-align:center|'''fatal'''
|TLS only
|-
!scope=row|90
|User canceled
|style=background:red;text-align:center|'''fatal'''
|TLS only
|-
!scope=row|100
|No renegotiation
|style=background:yellow;text-align:center|'''warning'''
|TLS only
|-
!scope=row|110
|Unsupported extension
|style=background:yellow;text-align:center|'''warning'''
|TLS only
|-
!scope=row|111
|Certificate unobtainable
|style=background:yellow;text-align:center|'''warning'''
|TLS only
|-
!scope=row|112
|Unrecognized name
|style=background:orange;text-align:center|'''warning'''/'''fatal'''
|TLS only; client's [[Server Name Indication|Server Name Indicator]] specified a [[hostname]] not supported by the server
|-
!scope=row|113
|Bad certificate status response
|style=background:red;text-align:center|'''fatal'''
|TLS only
|-
!scope=row|114
|Bad certificate hash value
|style=background:red;text-align:center|'''fatal'''
|TLS only
|-
!scope=row|115
|Unknown [[Pre-shared key|PSK]] identity (used in [[TLS-PSK]] and [[TLS-SRP]])
|style=background:red;text-align:center|'''fatal'''
|TLS only
|-
!scope=row|116
|Certificate required
|style=background:red;text-align:center|'''fatal'''
|TLS version 1.3 only
|-
!scope=row|120 or 255
|No application protocol
|style=background:red;text-align:center|'''fatal'''
|TLS version 1.3 only
|}
====ChangeCipherSpec protocol====
{|class="wikitable"style=width:95%;text-align:center
|+TLS record format for ChangeCipherSpec protocol
|-
!scope=col|Offset
!scope=col style=width:22%|Byte+0
!scope=col style=width:22%|Byte+1
!scope=col style=width:22%|Byte+2
!scope=col style=width:22%|Byte+3
|-
!scope=row|Byte<br />0
|style=background:#dfd|20
|colspan=3{{N/A}}
|-
!scope=row rowspan=2|Bytes<br />1–4
|colspan=2 style=background:#fdd|Legacy version
|colspan=2 style=background:#fdd|Length
|-style=background:#fdd
|''(Major)''
|''(Minor)''
|0
|1
|-
!Byte<br />5
|CCS protocol type
|colspan=3{{N/A}}
|}
;CCS protocol type
:Currently only 1.
==
{|class="wikitable"style=width:95%;text-align:center
|+TLS record format for application protocol
|-
!scope=col|Offset
!scope=col style=width:22%|Byte+0
!scope=col style=width:22%|Byte+1
!scope=col style=width:22%|Byte+2
!scope=col style=width:22%|Byte+3
|-
!scope=row|Byte<br />0
|style=background:#dfd|23
|colspan=3{{N/A}}
|-
!scope=row rowspan=2|Bytes<br />1–4
|colspan=2 style=background:#fdd|Legacy version
|colspan=2 style=background:#fdd|Length
|-style=background:#fdd
|''(Major)''
|''(Minor)''
|''(bits 15–8)''
|''(bits 7–0)''
|-
!Bytes<br />5–(''m''−1)
|colspan=4|Application data
|-
!Bytes<br />''m''–(''p''−1)
|colspan=4 style=background:#fbb|[[message authentication code|MAC]] (optional)
|-
!Bytes<br />''p''–(''q''−1)
|colspan=4 style=background:#fbb|Padding (block ciphers only)
|}
;Length
:Length of application data (excluding the protocol header and including the MAC and padding trailers)
;MAC
:32 bytes for the [[SHA-256]]-based [[HMAC]], 20 bytes for the [[SHA-1]]-based HMAC, 16 bytes for the [[MD5]]-based HMAC.
;Padding
:Variable length; last byte contains the padding length.
==Support for name-based virtual servers==
From the application protocol point of view, TLS belongs to a lower layer, although the TCP/IP model is too coarse to show it. This means that the TLS handshake is usually (except in the [[STARTTLS]] case) performed before the application protocol can start. In the [[Virtual ___domain|name-based virtual server]] feature being provided by the application layer, all co-hosted virtual servers share the same certificate because the server has to select and send a certificate immediately after the ClientHello message. This is a big problem in hosting environments because it means either sharing the same certificate among all customers or using a different IP address for each of them.
There are two known workarounds provided by [[X.509]]:
*If all virtual servers belong to the same ___domain, a [[wildcard certificate]] can be used.<ref>{{citation|url=https://www.sectigo.com/resource-library/multi-___domain-vs-wildcard-ssl-certificates|title=Multi-Domain vs Wildcard SSL Certificates: Differences & Uses|work=Sectigo Official Site |access-date=2025-06-06}}</ref> Besides the loose host name selection that might be a problem or not, there is no common agreement about how to match wildcard certificates. Different rules are applied depending on the application protocol or software used.<ref>{{citation|url=https://www.switch.ch/pki/meetings/2007-01/namebased_ssl_virtualhosts.pdf|title=Named-based SSL virtual hosts: how to tackle the problem|access-date=2012-05-17|url-status=live|archive-url=https://web.archive.org/web/20120803022659/https://www.switch.ch/pki/meetings/2007-01/namebased_ssl_virtualhosts.pdf|archive-date=2012-08-03}}</ref>
*Add every virtual host name in the subjectAltName extension. The major problem being that the certificate needs to be reissued whenever a new virtual server is added.
To provide the server name, {{IETF RFC|4366}} Transport Layer Security (TLS) Extensions allow clients to include a [[Server Name Indication]] extension (SNI) in the extended ClientHello message. This extension hints to the server immediately which name the client wishes to connect to, so the server
can select the appropriate certificate to send to the clients.
{{IETF RFC|2817}} also documents a method to implement name-based virtual hosting by upgrading HTTP to TLS via an [[HTTP/1.1 Upgrade header]]. Normally this is to securely implement HTTP over TLS within the main "http" [[URI scheme]] (which avoids forking the URI space and reduces the number of used ports), however, few implementations currently support this.{{citation needed|date=February 2019}}
==See also==
*[[Application-Layer Protocol Negotiation]] – a TLS extension used for SPDY and TLS False Start
*[[Bullrun (decryption program)]] – a secret anti-encryption program run by the U.S. National Security Agency
*[[Certificate authority]]
*[[Certificate Transparency]]
*[[Datagram Transport Layer Security|Datagram TLS]] (DTLS)
*[[Delegated credential]]
*[[HTTP Strict Transport Security]] – HSTS
*[[Key ring file]]
*[[Private Communications Technology]] (PCT) – a historic Microsoft competitor to SSL 2.0
*[[QUIC]] (Quick UDP Internet Connections) – "…was designed to provide security protection equivalent to TLS/SSL"; QUIC's main goal is to improve perceived performance of connection-oriented web applications that are currently using TCP
*[[Server-Gated Cryptography]]
*[[tcpcrypt]]
*[[Datagram Transport Layer Security]]
*[[TLS acceleration]]
==Further reading==
{{commons category|SSL and TLS}}
*{{cite conference|first=David|last=Wagner|author2=Schneier, Bruce|title=Analysis of the SSL 3.0 Protocol|book-title=The Second USENIX Workshop on Electronic Commerce Proceedings|publisher=USENIX Press|date=November 1996|pages=29–40|url=http://www.schneier.com/paper-ssl.pdf|access-date=2006-10-12|archive-date=2006-10-16|archive-url=https://web.archive.org/web/20061016180809/http://www.schneier.com/paper-ssl.pdf|url-status=live}}
*{{cite book|first=Eric |last=Rescorla|title=SSL and TLS: Designing and Building Secure Systems|publisher=Addison-Wesley Pub Co|___location=United States|year=2001|isbn=978-0-201-61598-2|url-access=registration|url=https://archive.org/details/ssltls00eric}}
*{{cite book|author=Stephen A. Thomas|title=SSL and TLS essentials securing the Web|publisher=Wiley|___location=New York|year=2000|isbn=978-0-471-38354-3}}
*{{cite journal|title=A Challenging But Feasible Blockwise-Adaptive Chosen-Plaintext Attack on SSL|journal=International Association for Cryptologic Research|year=2006|first=Gregory|last=Bard|issue=136|url=http://eprint.iacr.org/2006/136|access-date=2011-09-23|archive-date=2011-09-23|archive-url=https://web.archive.org/web/20110923202258/http://eprint.iacr.org/2006/136|url-status=live}}
*{{cite web|url=http://lasecwww.epfl.ch/memo/memo_ssl.shtml|title=Password Interception in a SSL/TLS Channel|access-date=2007-04-20|last=Canvel|first=Brice|archive-date=2016-04-20|archive-url=https://web.archive.org/web/20160420233852/http://lasecwww.epfl.ch/memo/memo_ssl.shtml|url-status=dead}}
*{{cite IETF|title=RFC of change for TLS Renegotiation|RFC=5746|year=2010 |doi=10.17487/RFC5746}}
*[http://www.linuxjournal.com/article/9916 Creating VPNs with IPsec and SSL/TLS] {{Webarchive|url=https://web.archive.org/web/20150412014613/http://www.linuxjournal.com/article/9916 |date=2015-04-12 }} Linux Journal article by Rami Rosen
*{{cite book|author=Joshua Davies|title=Implementing SSL/TLS|publisher=Wiley|year=2010|isbn=978-0470920411}}
*{{cite web|url=http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf|title=Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations|author1=Polk, Tim|author2=McKay, Kerry|author3=Chokhani, Santosh|date=April 2014|publisher=National Institute of Standards and Technology|archive-url=https://web.archive.org/web/20140508025330/http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf|archive-date=2014-05-08|url-status=dead|access-date=2014-05-07}}
*{{cite journal|first1=AbdelRahman|last1=Abdou|first2=Paul|last2=van Oorschot|title=Server Location Verification (SLV) and Server Location Pinning: Augmenting TLS Authentication|journal= ACM Transactions on Privacy and Security|date=August 2017|volume=21|issue=1|pages=1:1–1:26|doi=10.1145/3139294|s2cid=5869541|url=https://dl.acm.org/citation.cfm?id=3139294|access-date=2018-01-11|archive-date=2019-03-22|archive-url=https://web.archive.org/web/20190322145042/https://dl.acm.org/citation.cfm?id=3139294|url-status=live|url-access=subscription}}
*{{cite book|author=Ivan Ristic|title=Bulletproof TLS and PKI, Second Edition|publisher=Feisty Duck|year=2022|isbn=978-1907117091}}
==
*[https://datatracker.ietf.org/wg/tls Internet Engineering Task Force – TLS Workgroup] {{Webarchive|url=https://web.archive.org/web/20140111193101/http://datatracker.ietf.org/wg/tls/ |date=2014-01-11 }}
==[[IETF]] [[Request for comments]]==
===Primary standards===
The current approved version of (D)TLS is version 1.3, which is specified in:
*{{Sum RFC|8446|ref=yes}}
*{{Sum RFC|9147|ref=yes}}
The current standards replaces these former versions:
*{{Sum RFC|5246|ref=yes}}
*{{Sum RFC|6347|ref=yes}}
*{{Sum RFC|4346|ref=yes}}
*{{Sum RFC|2246|ref=yes}}
*{{Sum RFC|6101|ref=yes}}
*[//tools.ietf.org/html/draft-hickman-netscape-ssl-00 Internet Draft (1995)]: "The SSL Protocol"
==
Other [[Request for Comments|RFCs]] subsequently extended (D)TLS.
Extensions to (D)TLS 1.3 include:
*{{Sum RFC|9367|ref=yes}}
Extensions to (D)TLS 1.2 include:
*{{IETF RFC|5288}}: "AES [[Galois/Counter Mode|Galois Counter Mode]] (GCM) Cipher Suites for TLS".
*{{IETF RFC|5289}}: "TLS Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM)".
*{{IETF RFC|5746}}: "Transport Layer Security (TLS) Renegotiation Indication Extension".
*{{IETF RFC|5878}}: "Transport Layer Security (TLS) Authorization Extensions".
*{{IETF RFC|5932}}: "Camellia Cipher Suites for TLS"
*{{Sum RFC|6066|ref=yes}} Includes [[Server Name Indication]] and [[OCSP stapling]].
*{{Sum RFC|6091|ref=yes}}
*{{Sum RFC|6176|ref=yes}}
*{{Sum RFC|6209|ref=yes}}
*{{Sum RFC|6347|ref=yes}} The definition is now part of the TLS 1.3 specification.
*{{IETF RFC|6367}}: "Addition of the Camellia Cipher Suites to Transport Layer Security (TLS)".
*{{IETF RFC|6460}}: "Suite B Profile for Transport Layer Security (TLS)".
*{{IETF RFC|6655}}: "AES-CCM Cipher Suites for Transport Layer Security (TLS)".
*{{IETF RFC|7027}}: "Elliptic Curve Cryptography (ECC) Brainpool Curves for Transport Layer Security (TLS)".
*{{IETF RFC|7251}}: "AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites for TLS".
*{{IETF RFC|7301}}: "Transport Layer Security (TLS) [[Application-Layer Protocol Negotiation]] Extension".
*{{IETF RFC|7366}}: "Encrypt-then-MAC for Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)".
*{{Sum RFC|7465|ref=yes}}
*{{Sum RFC|7507|ref=yes}}
*{{Sum RFC|7568|ref=yes}}
*{{IETF RFC|7627}}: "Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension".
*{{IETF RFC|7685}}: "A Transport Layer Security (TLS) ClientHello Padding Extension".
*{{Sum RFC|9189|ref=yes}}
Extensions to (D)TLS 1.1 include:
*{{IETF RFC|4366}}: "Transport Layer Security (TLS) Extensions" describes both a set of specific extensions and a generic extension mechanism.
*{{IETF RFC|4492}}: "[[Elliptic Curve Cryptography]] (ECC) Cipher Suites for Transport Layer Security (TLS)".
*{{IETF RFC|4680}}: "TLS Handshake Message for Supplemental Data".
*{{IETF RFC|4681}}: "TLS User Mapping Extension".
*{{IETF RFC|4785}}: "Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Transport Layer Security (TLS)".
*{{IETF RFC|5054}}: "Using the [[Secure Remote Password protocol|Secure Remote Password]] (SRP) Protocol for TLS Authentication". Defines the [[TLS-SRP]] ciphersuites.
*{{IETF RFC|5077}}: "Transport Layer Security (TLS) Session Resumption without Server-Side State".
*{{IETF RFC|5081}}: "Using [[OpenPGP]] Keys for Transport Layer Security (TLS) Authentication", obsoleted by {{IETF RFC|6091}}.
*{{IETF RFC|5216}}: "The [[Extensible Authentication Protocol|EAP]]-TLS Authentication Protocol"
Extensions to TLS 1.0 include:
*{{IETF RFC|2595}}: "Using TLS with IMAP, POP3 and ACAP". Specifies an extension to the IMAP, POP3 and ACAP services that allow the server and client to use transport-layer security to provide private, authenticated communication over the Internet.
*{{IETF RFC|2712}}: "Addition of [[kerberos (protocol)|Kerberos]] Cipher Suites to Transport Layer Security (TLS)". The 40-bit cipher suites defined in this memo appear only for the purpose of documenting the fact that those cipher suite codes have already been assigned.
*{{IETF RFC|2817}}: "Upgrading to TLS Within HTTP/1.1", explains how to use the [[HTTP/1.1 Upgrade header|Upgrade mechanism in HTTP/1.1]] to initiate Transport Layer Security (TLS) over an existing TCP connection. This allows unsecured and secured HTTP traffic to share the same ''well known'' port (in this case, http: at 80 rather than https: at 443).
*{{IETF RFC|2818}}: "HTTP Over TLS", distinguishes secured traffic from insecure traffic by the use of a different 'server port'.
*{{IETF RFC|3207}}: "SMTP Service Extension for Secure SMTP over Transport Layer Security". Specifies an extension to the SMTP service that allows an SMTP server and client to use transport-layer security to provide private, authenticated communication over the Internet.
*{{IETF RFC|3268}}: "AES Ciphersuites for TLS". Adds [[Advanced Encryption Standard]] (AES) cipher suites to the previously existing symmetric ciphers.
*{{IETF RFC|3546}}: "Transport Layer Security (TLS) Extensions", adds a mechanism for negotiating protocol extensions during session initialisation and defines some extensions. Made obsolete by {{IETF RFC|4366}}.
*{{IETF RFC|3749}}: "Transport Layer Security Protocol Compression Methods", specifies the framework for compression methods and the [[DEFLATE]] compression method.
*{{IETF RFC|3943}}: "Transport Layer Security (TLS) Protocol Compression Using Lempel-Ziv-Stac (LZS)".
*{{IETF RFC|4132}}: "Addition of [[Camellia (cipher)|Camellia]] Cipher Suites to Transport Layer Security (TLS)".
*{{IETF RFC|4162}}: "Addition of [[SEED]] Cipher Suites to Transport Layer Security (TLS)".
*{{IETF RFC|4217}}: "Securing [[FTPS|FTP with TLS]]".
*{{IETF RFC|4279}}: "Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)", adds three sets of new cipher suites for the TLS protocol to support authentication based on pre-shared keys.
===Informational RFCs===
*{{IETF RFC|7457}}: "Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS)"
*{{IETF RFC|7525}}: "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)"
==References==
{{reflist|colwidth=30em}}
{{SSL/TLS}}
{{VPN}}
{{Web browsers}}
[[Category:Internet properties established in 1999]]
[[Category:Transport Layer Security]]
[[Category:Cryptographic protocols]]
[[Category:Presentation layer protocols]]
| |||