SSL and Java

I recently provided a talk on SSL describing what it is, how it works, and what it looks like in Java. I’ll try to transcribe the talk in to this blog post and hopefully it would be useful to someone!

A Diagram

The following is a picture, taken from, which offers a good explanation of how an SSL enabled connection is established.


If the diagram doesn’t help, the following paraphrases the description in Wikipedia. I’ve simplified things drastically but hopefully the explanation is still clear.

Hello! (Negotiation phase)

  1. A client sends a ClientHello message specifying the highest TLS protocol version it supports, a random number, a list of suggested cipher suites and suggested compression methods.
  2. The server responds with a ServerHello message, containing the chosen protocol version, a random number, CipherSuite and compression method from the choices offered by the client.
  3. The server sends its Certificate message
  4. The server sends its ServerKeyExchange message.
  5. The server sends a ServerHelloDone message, indicating it is done with handshake negotiation.
  6. The client responds with a ClientKeyExchange message, which may contain a PreMasterSecret, public key, or nothing.

“Down to business” (Change Cipher Spec)

Once the negotiation has been completed, it’s time for the client and server to switch to use encryption.


  • Says “Everything I tell you from now on will be authenticated (and encrypted if encryption parameters were present in the server certificate).”
  • The client sends an authenticated and encrypted Finished message, containing a hash and MAC over the previous handshake messages.


  •   The server will attempt to decrypt the client’s Finished message and verify the hash and MAC.
  •   Says “Everything I tell you from now on will be authenticated (and encrypted, if encryption was negotiated).”
  •   The server sends its authenticated and encrypted Finished message.


  •  The client will attempt to decrypt the server’s Finished message and verify the hash and MAC.

The Example

It’s always nicer to see these things in action which is why I’ve created a simple test project here;

Just check out the test project and create a keystore called “testing” with the password “testing” in the root of the project. Feel free to change these as required. To create your keystore you can use the following command;

$ keytool -keystore testing -genkey -alias client

You will be prompted for a few details but all that really matters for the example is that the password matches what the server is expecting.

Once that’s done you need to run the server, and then the client. There’s additional logging to show you some of the output for example you may see;

*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1454917935 bytes = etc
Session ID:  {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, etc

As per above, this is the client’s initial hello!

You can type messages in to the clients console to see the server accept and then decrypt the message, complete with the additional padding. It’s quite interesting to watch!

Please feel free to offer any suggestions, comments or corrections!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s