The SSL protocol provides data encryption, data origin authentication, and message integrity. It also provides server and client authentication using X.509 certificates. SSL begins with a handshake during which the server is authenticated to the client using X.509 certificates. Also, the client can optionally be authenticated to the server. During the handshake, security session parameters, such as cryptographic algorithms, are negotiated and session keys are created. After the handshake, the data is protected during transmission with data origin authentication and optional encryption using the session keys.
The cryptographic algorithms that are used for the SSL session are based on the algorithms that the server and client are able to use. During the SSL handshake, the client and server exchange a list of algorithms. The algorithm that is selected is based on the best match between the client list and the server list. You can limit the selectable algorithms by configuring a subset of allowable algorithms at the server. Servers can support encryption by using AES, Triple DES, and other encryption algorithms (RC2, RC4, and DES). Cryptographic hardware, if available, is used for certain cryptographic algorithms.
SSL requires a server X.509 certificate, which is stored in its certificate key ring. The certificate is used as part of the SSL handshake server authentication process. The client validates the server certificate. SSL optionally uses a client X.509 certificate that is used as part of the SSL handshake client authentication process. In order to use client authentication, the client must have a client X.509 certificate. Successful client authentication requires that the Certificate Authority (CA) that signed the client certificate be considered trusted by the server. To be considered trusted, the certificate of the CA must be in the key ring of the server.
See Transport Layer Security for detailed information on obtaining certificates.
SSL is not defined by the Internet Engineering Task Force (IETF). TLS is based on SSL and is defined by the IETF in RFCs 2246, 4346, and 5246.