Chapter 9
Transport Layer Security: SSLv3 and TLSv1
Secure Sockets Layer version 3 (SSLv3) was introduced by Netscape Communications Corporation in 1995. As of the release of SSLeay-0.9.0, SSLeay implements SSLv2, SSLv3 and TLSv1. SSLv3 was designed with public review and input from industry and was published as an Internet-Draft document. After consensus was reached to pursue Internet standardization, the Transport Layer Security (TLS) Working Group was formed within the Internet Engineering Task Force (IETF) to develop an initial version of TLS as an Internet standard. The first version of TLS is very closely compatible with SSLv3. The TLSv1 protocol provides communications privacy and data integrity between two communicating parties over the Internet. Both the SSL and TLS protocols allow client/server applications to communicate in a way that prevents eavesdropping, tampering, or message forgery. The SSL (or TLS) protocol is composed of two layers: the SSL (or TLS) Record Protocol and the SSL (or TLS) Handshake Protocol.
This chapter is devoted to a full discussion of the protocols of both SSLv3 and TLSv1.
9.1 SSL Protocol
SSL is a layered protocol. It is not a single protocol but rather two layers of protocols. At the lower level, the SSL Record Protocol is layered on top of some reliable transport protocol such as TCP. The SSL Record Protocol is also used to encapsulate various higher-level protocols. A higher-level protocol can layer on top of the ...