HTTPS is defined in RFC 2818. In short, the browser first establishes an SSL/TLS connection with the server, and then sends HTTP requests/responses on that connection.
To establish the SSL/TLS channel, the client initiates a handshake during which the server sends its X.509 certificate. In addition to the SSL/TLS connectivity mechanisms, the browser checks the certificate against a list of trusted names (trusted certificates) and against the name it is trying to obtain (the host name in the URL must match the certificate as defined in RFC 2818 Section 3.1). Most of this is usually implemented in SSL/TLS stacks, but some browsers can allow you to get around this by adding exceptions (sometimes persistent exceptions), so browsers also have a fallback mechanism if the SSL/TLS stack cannot accept the certificate successfully.
SSL/TLS (and its handshake) are defined in SSLv3, TLS 1.0, 1.1, and 1.2.
Using the server’s public key in the server certificate, the client and server can perform authenticated key exchange, after which they share a common key. The master secret, and then the common symmetric keys used to encrypt the application data, are obtained from this preliminary secret key.
The mechanisms used for this authenticated key exchange depend on a set of ciphers. For more information, see the TLS specification itself.
If you want to learn by example, it's worth looking at Wireshark sample data (as shown in this answer).
The "first few milliseconds of an HTTPS connection" should also be interesting.
Bruno
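The host name check from RFC 2818 Section 3.1 that the answer above refers to, as an added example that is not part of the original answer. It assumes a certificate already parsed into the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names and the sample certificates are constructed for illustration.

```python
import ipaddress
import re

def _label_matches(pattern, label):
    # RFC 2818 3.1: '*' matches a single name component or a fragment of one.
    regex = "[^.]*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, label, re.IGNORECASE) is not None

def dns_name_matches(pattern, hostname):
    p_labels = pattern.rstrip(".").split(".")
    h_labels = hostname.rstrip(".").split(".")
    # A wildcard never spans a dot, so both names need the same label count.
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))

def host_matches_cert(cert, host):
    """cert: dict shaped like ssl.SSLSocket.getpeercert() output (assumption)."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literal in the URL: an iPAddress SAN must be present and equal.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in san)
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        # dNSName entries are present: they are the identity, the CN is ignored.
        return any(dns_name_matches(name, host) for name in dns_names)
    # Fallback: Common Name; the last one is taken as most specific (assumption).
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return bool(cns) and dns_name_matches(cns[-1], host)

# Constructed sample certificates, not taken from any real server.
CERT_SAN = {"subject": ((("commonName", "legacy.example.net"),),),
            "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"),
                               ("IP Address", "192.0.2.10"))}
CERT_CN_ONLY = {"subject": ((("commonName", "f*.example.org"),),)}

if __name__ == "__main__":
    for cert, host in [(CERT_SAN, "www.example.com"), (CERT_SAN, "a.b.example.com"),
                       (CERT_SAN, "legacy.example.net"), (CERT_SAN, "192.0.2.10"),
                       (CERT_CN_ONLY, "foo.example.org")]:
        print(host, host_matches_cert(cert, host))
```

The fragment wildcard (`f*`) follows the RFC 2818 wording; later guidance (RFC 6125) and current browsers are stricter about where a wildcard may appear.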