Over a million developers have joined DZone.

Implementing Effective SSL/TLS Security

DZone's Guide to

Implementing Effective SSL/TLS Security

In this tutorial, learn the basics and the history of SSL/TLS, along with how you can easily implement SSL/TLS security in your web application.

· Security Zone ·
Free Resource

Discover how to provide active runtime protection for your web applications from known and unknown vulnerabilities including Remote Code Execution Attacks.

In this tutorial, learn how to implement effective SSL/TLS security into a web application. 

SSL (Secure Socket Layer)

SSL is designed for providing security at the transport layer. There are many applications of SSL in existence since it is capable of securing any transmission over TCP.

Development History of SSL

It was developed by Netscape with version 1.0 in 1994. SSL 2.0 was developed about a year later and was released with version 1.0 of Netscape Navigator. SSL 3.0 was released in 1999. After that, Netscape allowed IETF to develop future versions.

Two Behaviors of SSL

There are two main behaviors of SSL: one-way and two-way.

1. One-Way SSL Behavior

Image title

In this model, the server is validating its identity, then providing an encrypted means of communication. We are not concerned with the client's identity.

2. Two-Way SSL Behavior

Image title

In this model, the client also validates its identity and has its own keystore to provide a certificate. The server has its own truststore to validate the key/cert.

Nowadays, sending information over the internet is increasing, so securing information is a must. And for securing information in web applications, we have SSL. To apply the SSL protocol to a websystem, some requirements must be met since the SSL protocol is integrated into most web browsers.

Configuration is relatively simple from the server side of the communication equation:

  1. The web server administrator must acquire a digital certificate provided by Certification Authority (CA) such as VeriSign or RSA Data Security.

  2. The proper configuration of the web server to allow SSL connections.

  3. Add an accelerator to the web server.

There are four protocol layers for SSL. They encapsulate all communication between the client machine and the server

  1. Record layer: Provides a header for each message and a hash generated from a Message Authentication Code (MAC) at the end.

  2. ChangeCipherSpec protocol: Composed of one message that signals the beginning of secure communications between the client and server.

  3. Alert protocol: Sends errors, problems, or warnings about the connection between the two parties.

  4. Handshake protocol: Messages are passed back and forth between the user’s browser (client) and web application (server) to establish a handshake that begins a secure connection.

TLS (Transport Layer Security Protocol) 

Transport Layer Security (TLS) is a protocol that provides privacy and data integrity between two communicating applications. Nowadays, it is used for web browsers and other applications that require data to be securely exchanged over a network.

Development History of TLS

The name of future versions of the SSL protocol will be changed to TLS, with version numbers of the protocol beginning at 1.0. All the versions of TLS were developed by ITEF.

TLS 1.2 is the current version; they are planning to release TLS 1.3 in the future. There are two protocols layer for TLS:

  1. TLS record protocol: Negotiates a private, reliable connection between the client and the server.

  2. TLS handshake protocol: Allows authenticated communication to commence between the server and client.


They are six major difference between SSL and TLS.

1. Protocol Version in Messages

To differentiate TLS Version 1.0 and SSL Version 3.0, the protocol version number negotiated by a client and server communicating through TLS version 1 is version number 3.1.

2. Alert Protocol Message Types

These message types are allowed as Alert Descriptions within the TLS protocol.

3. Message Authentication

TLS implements a standardized MAC (H-MAC) that has been proven in many other implementations. The main benefit to this change is that H-MAC operates with any hash function, not just MD5 or SHA, as explicitly stated by the SSL protocol.

4. Key Material Generation

TLS uses the HMAC standard and its pseudorandom function (PRF) output to generate key material and SLS uses RSA, Diffie-Hellman or Fortezza/DMS.

5. Certificate Verify

In SSL, the Certificate Verify message requires a complex procedure of messages. With TLS, however, the verified information is completely contained in the handshake messages previously exchanged during the session.

6. Finished

In TLS, the PRF output of the H-MAC algorithm is used with the master secret and either a “client finished” or a “server finished” designation to create the finished message.

In SSL, the finished message is created in the same ad hoc manner that key material is generated using a combination of hash output, selected ciphersuite, and parameter information.

Find out how Waratek’s award-winning application security platform can improve the security of your new and legacy applications and platforms with no false positives, code changes or slowing your application.

secuirty ,ssl ,tls ,web application ,tutorial

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}