You’re probably using HTTPS everywhere — especially in Android APIs — but do you know what really happens in the first few milliseconds when a secure connection starts?
🔐 TLS Handshake (Transport Layer Security) – Simplified Breakdown

1. Client Hello (your app or browser):
- Sends: TLS version, list of supported cipher suites, a random number.
- Tells server: “Hey, here’s how I’d like to talk securely.”

2. Server Hello:
- Picks one cipher suite from the client’s list.
- Sends: server certificate (X.509), server random number, maybe a public key or DH params.
- The certificate contains the public key and identity (e.g., api.myapp.com).

3. Certificate Validation (by client):
- The client checks:
  - Is this certificate issued by a trusted Certificate Authority?
  - Is the domain name valid?
  - Has it expired?
- If any of these checks fail — ⚠️ connection fails.

4. Key Exchange (Diffie-Hellman or RSA):
- Both client and server use the shared info (random numbers + exchanged keys) to compute a shared session key.
- This key will encrypt everything from now on.

5. Client Finished:
- The client sends an encrypted “Finished” message using the session key.

6. Server Finished:
- Server does the same.

✅ After this point, both parties have:
- Verified identity
- Agreed on encryption
- Built a secure tunnel for all data

🧪 Dev Relevance:

If you’re building an Android app and the TLS handshake fails, it’s often because:
- The server’s cert isn’t valid (wrong domain, expired).
- You’re missing intermediate certificates.
- There’s a proxy doing a MITM with an untrusted cert (e.g., during testing).

🔧 Tip: Use tools like openssl s_client, Charles Proxy, or Wireshark to inspect the TLS handshake in real time.
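To make the client-side checks from step 3 and the three failure causes above concrete, here is an added example (not from the original post) that models them in plain Python: certificates are constructed dicts rather than real X.509, the trust store holds one made-up root, and signature, revocation and key-usage checks are left out of the model.

```python
# Simplified model of a TLS client's certificate validation.
# Certificates are constructed dicts, not parsed X.509; names are made up.
from datetime import datetime, timezone

# Constructed trust store: the client trusts only this root (by subject name).
TRUSTED_ROOTS = {"Example Root CA"}

def hostname_matches(name, pattern):
    """Match a DNS name against a SAN entry; '*' covers exactly one label."""
    name, pattern = name.lower(), pattern.lower()
    if pattern.startswith("*."):
        host_labels, pat_labels = name.split("."), pattern.split(".")
        return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]
    return name == pattern

def validate_chain(chain, hostname, now):
    """chain: cert dicts, leaf first. Returns (ok, reason) as a client would."""
    if not chain:
        return False, "no certificate presented"
    leaf = chain[0]
    # Check 1: the requested hostname must appear in the leaf's SANs.
    if not any(hostname_matches(hostname, san) for san in leaf["sans"]):
        return False, f"hostname {hostname} not in SANs {leaf['sans']}"
    # Check 2: every cert in the chain must be inside its validity window.
    for cert in chain:
        if not (cert["not_before"] <= now <= cert["not_after"]):
            return False, f"certificate '{cert['subject']}' expired or not yet valid"
    # Check 3: follow issuer links until a trusted root is reached; a missing
    # intermediate or an unknown (e.g. debug-proxy) issuer fails here.
    for i, cert in enumerate(chain):
        if cert["issuer"] in TRUSTED_ROOTS:
            return True, "chain anchors at trusted root"
        if i + 1 >= len(chain) or chain[i + 1]["subject"] != cert["issuer"]:
            return False, f"issuer '{cert['issuer']}' not presented and not trusted"

# Constructed sample certificates and a fixed "current time".
NB, NA = datetime(2025, 1, 1, tzinfo=timezone.utc), datetime(2026, 1, 1, tzinfo=timezone.utc)
LEAF = {"subject": "api.myapp.com", "issuer": "Example Intermediate CA",
        "sans": ["api.myapp.com", "*.myapp.com"], "not_before": NB, "not_after": NA}
INTERMEDIATE = {"subject": "Example Intermediate CA", "issuer": "Example Root CA",
                "sans": [], "not_before": NB, "not_after": NA}
PROXY_LEAF = {**LEAF, "issuer": "Debug Proxy CA"}  # re-signed by an untrusted proxy
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(validate_chain([LEAF, INTERMEDIATE], "api.myapp.com", NOW))
    print(validate_chain([LEAF], "api.myapp.com", NOW))            # missing intermediate
    print(validate_chain([PROXY_LEAF], "api.myapp.com", NOW))      # untrusted proxy CA
```

Running it prints one success and two failure reasons that map directly onto the "missing intermediate" and "MITM proxy" causes listed above.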