You’re probably using HTTPS everywhere — especially in Android APIs — but do you know what really happens in the first few milliseconds when a secure connection starts?


🔐 TLS Handshake (Transport Layer Security) – Simplified Breakdown

  1. Client Hello (your app or browser):

    • Sends: the highest TLS version it supports, its list of supported cipher suites, and a fresh random value (the client random).

    • Tells server: “Hey, here’s how I’d like to talk securely.”

  2. Server Hello:

    • Picks one cipher suite from the client’s list.

    • Sends: its certificate (X.509), the server random value, and, for Diffie-Hellman key exchange, its ephemeral public key and parameters.

    • The certificate contains the public key and identity (e.g., api.myapp.com).

  3. Certificate Validation (by client):

    • The client checks:

      • Was this certificate issued (through a valid chain) by a Certificate Authority the client trusts?

      • Does the name in the certificate match the host the client actually connected to?

      • Is the certificate still within its validity period (i.e., not expired)?

    • If any of these checks fail — ⚠️ connection fails.

  4. Key Exchange (Diffie-Hellman or RSA):

    • Both sides combine the exchanged key material with the two random values to derive the same shared session key; with Diffie-Hellman, the key itself is never sent over the wire.

    • From this point on, this key (and the keys derived from it) encrypts and integrity-protects all traffic.

  5. Client Finished:

    • The client sends a “Finished” message encrypted with the session key; it carries a MAC over the handshake messages so far, so the server can confirm the client derived the same key and that nothing in the handshake was tampered with.

  6. Server Finished:

    • The server sends its own “Finished” message the same way.

✅ After this point, both parties have:

  • Verified identity

  • Agreed on encryption

  • Built a secure tunnel for all data
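Steps 4 to 6 are easier to see with real key material. The script below is an added example, not code from the original post: it drives an ephemeral ECDH exchange with the openssl CLI, has each side derive the shared secret from only the peer's public half, then derives a session key from that secret plus both Hello randoms and computes a “Finished” value over a constructed handshake transcript. The scratch directory, the file names and the HMAC-based derivation are assumptions made for the demo (real TLS uses its PRF or HKDF schedule); only the roles and the flow come from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: a scratch dir
# from mktemp, P-256 ephemeral keys, and HMAC-SHA256 in place of the real TLS
# key schedule. Shows that both sides reach the same key without sending it.

kx_setup() {
    KX=$(mktemp -d)            # scratch directory (assumption)
    for side in client server; do
        # ephemeral P-256 key pair; the private half never leaves this side
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
            -out "$KX/$side.key" 2>/dev/null
        openssl pkey -in "$KX/$side.key" -pubout -out "$KX/$side.pub"
        # the random value each side put in its Hello message (constructed)
        openssl rand -hex 32 > "$KX/$side.random"
    done
}

# ecdh_secret <own side> <peer side>: raw ECDH output, hex-encoded.
# Only the own private key and the peer's public key are used.
ecdh_secret() {
    openssl pkeyutl -derive -inkey "$KX/$1.key" -peerkey "$KX/$2.pub" \
        | od -An -tx1 | tr -d ' \n'
}

# hmac_hex <hex key> <message>: HMAC-SHA256, hex-encoded
hmac_hex() {
    printf '%s' "$2" | openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" \
        | awk '{print $NF}'
}

# session_key <side>: key derived from the shared secret and both randoms.
# Run from either side, the result is identical (simplified derivation).
session_key() {
    case "$1" in
        client) secret=$(ecdh_secret client server) ;;
        server) secret=$(ecdh_secret server client) ;;
        *) return 1 ;;
    esac
    hmac_hex "$secret" "$(cat "$KX/client.random")$(cat "$KX/server.random")"
}

# finished_value <side> <transcript>: what a Finished message proves, namely
# that this side holds the session key and saw the same handshake messages.
finished_value() {
    hmac_hex "$(session_key "$1")" "$2"
}

demo() {
    kx_setup
    transcript="ClientHello|ServerHello|Certificate|ServerKeyExchange"
    echo "client session key: $(session_key client)"
    echo "server session key: $(session_key server)"
    echo "client Finished:    $(finished_value client "$transcript")"
    echo "server check:       $(finished_value server "$transcript")"
    # a transcript altered on one side gives a mismatching Finished value
    echo "tampered check:     $(finished_value server "$transcript|X")"
}

demo
```

Run it twice and the session key changes each time: the key pairs and randoms are fresh per handshake, which is what makes the exchange ephemeral. The tampered line shows why the Finished check matters: any change to the handshake messages on one side breaks the match.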


🧪 Dev Relevance:

  • If you’re building an Android app and the TLS handshake fails, it’s often because:

    • The server’s cert isn’t valid for the connection (name mismatch, expired).

    • The server isn’t sending its intermediate certificate(s), so the client can’t build a chain to a root it trusts.

    • There’s a proxy doing a MITM with a cert the device doesn’t trust (e.g., an interception proxy during testing).

🔧 Tip: Use tools like openssl s_client, Charles Proxy, or Wireshark to inspect the TLS handshake (including the certificate chain the server actually sends) in real time.
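The three failure causes above can be reproduced offline. The script below is an added example, not code from the original post: it builds a throwaway root → intermediate → leaf chain for api.myapp.com with the openssl CLI, then runs the step 3 checks with openssl verify, once with the full chain and once for each misconfiguration (intermediate missing, hostname mismatch, expiry simulated with -attime). The CA names, file names and validity periods are constructed for the demo; api.myapp.com is the host name used in the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: a scratch dir
# from mktemp, "Demo Root CA" / "Demo Intermediate CA" as constructed names,
# RSA-2048 keys, and a one-year leaf certificate for api.myapp.com.

build_chain() {
    WORK=$(mktemp -d)                     # scratch directory (assumption)
    printf '%s\n' '[ req ]' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
        'prompt = no' '[ dn ]' 'CN = Demo Root CA' '[ ca_ext ]' \
        'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' > "$WORK/ca.cnf"

    # self-signed root: this is what the device trust store would contain
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" -days 3650 2>/dev/null

    # intermediate CA, signed by the root; must itself be marked CA:TRUE
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/int.ext"
    openssl req -new -config "$WORK/ca.cnf" -subj "/CN=Demo Intermediate CA" \
        -newkey rsa:2048 -nodes -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1825 -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null

    # leaf (server) certificate for api.myapp.com, signed by the intermediate;
    # the hostname goes in the subjectAltName, which is what clients match on
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:api.myapp.com\nextendedKeyUsage=serverAuth\n' \
        > "$WORK/leaf.ext"
    openssl req -new -config "$WORK/ca.cnf" -subj "/CN=api.myapp.com" \
        -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# What a well-configured server presents: leaf plus intermediate.
verify_full_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
        "$WORK/leaf.crt" >/dev/null 2>&1
}

# The "missing intermediate" misconfiguration: the client only sees the leaf
# and cannot link it to the trusted root.
verify_missing_intermediate() {
    openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Hostname check against the name the app actually connected to.
verify_hostname() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
        -verify_hostname "$1" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Validity check as of a given time (epoch seconds), to simulate expiry
# without waiting a year.
verify_at() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
        -attime "$1" "$WORK/leaf.crt" >/dev/null 2>&1
}

report() { if "$@"; then echo "OK   : $*"; else echo "FAIL : $*"; fi; }

demo() {
    build_chain
    now=$(date +%s)
    report verify_full_chain
    report verify_missing_intermediate
    report verify_hostname api.myapp.com
    report verify_hostname www.myapp.com
    report verify_at "$now"
    report verify_at "$((now + 730 * 86400))"
}

demo
```

The FAIL lines are the same conditions an Android client reports as a handshake failure: the fix for the second line is on the server (send the intermediate), for the fourth it is connecting to the name the certificate was issued for, and for the last it is renewing the certificate. To see which chain a real server sends, the same verification can be pointed at the certificates that openssl s_client prints.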