TLS deep dive
TLS gives you confidentiality, integrity, and server identity. Hybrid crypto: asymmetric handshake to agree on a symmetric key, then AES or ChaCha20 for the actual data.
TLS does three things at once: encrypts the data (confidentiality), authenticates the data (integrity, no tampering in flight), and proves the server is who it says it is (identity via certificate). It does NOT authenticate the client by default. Mutual TLS adds that.
The handshake establishes a shared symmetric key. Then everything else is symmetric AES-GCM or ChaCha20-Poly1305. TLS 1.3 reduced the handshake from 2 RTTs to 1 RTT, with optional 0-RTT for resumed sessions.
The certificate is the trust root. The server presents an X.509 cert signed by a CA. The client checks the signature chain back to a CA in its trust store (Mozilla CA list, OS keychain). If the chain validates and the cert's subject name matches the hostname, the server is authenticated.
The actual session key comes from ECDHE (Ephemeral Elliptic Curve Diffie-Hellman). Both sides exchange ephemeral public keys, derive the same shared secret independently, and use it. The server signs its ephemeral public key with the private key behind its certificate, so the client knows it is talking to the real server. This gives forward secrecy: if the long-term cert key leaks tomorrow, today's traffic stays encrypted because the ephemeral keys are gone.
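The exchange described in the paragraphs above (asymmetric handshake, signed ephemeral share, symmetric AEAD for the data), as an added example in Go that is not part of the original notes: the server signs a fresh X25519 share with a long-term Ed25519 key standing in for the private key behind the certificate, the client refuses any share that does not verify against the public key it trusts, both sides run ECDH plus HKDF to the same 32-byte key, and one record then goes through AES-256-GCM. The function names (ServerKeyShare, ClientFinish, agree) and the label "demo traffic key" are the example's own; real TLS 1.3 signs the whole handshake transcript rather than the bare share and derives separate keys per direction.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// hkdf32 is HKDF-SHA256 (extract with empty salt, one expand block), the primitive TLS 1.3's key schedule is built from.
func hkdf32(secret, label []byte) []byte {
	ext := hmac.New(sha256.New, nil)
	ext.Write(secret)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write(label)
	exp.Write([]byte{1}) // HKDF-Expand block counter
	return exp.Sum(nil)
}

// agree runs X25519 against the peer's share and turns the raw secret into a 32-byte AES key; both sides must get the same one.
func agree(mine *ecdh.PrivateKey, peerShare []byte) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerShare)
	if err != nil {
		return nil, err
	}
	secret, err := mine.ECDH(peer)
	if err != nil {
		return nil, err
	}
	return hkdf32(secret, []byte("demo traffic key")), nil
}

// ServerKeyShare makes a fresh X25519 key for this session and signs its public half with longTerm, the key behind the certificate.
func ServerKeyShare(longTerm ed25519.PrivateKey) (eph *ecdh.PrivateKey, share, sig []byte, err error) {
	if eph, err = ecdh.X25519().GenerateKey(rand.Reader); err != nil {
		return nil, nil, nil, err
	}
	share = eph.PublicKey().Bytes()
	return eph, share, ed25519.Sign(longTerm, share), nil
}

// ClientFinish refuses any share not signed by the key the client trusts (the
// certificate's public key), then completes its own half of the exchange.
func ClientFinish(trusted ed25519.PublicKey, share, sig []byte) (key, clientShare []byte, err error) {
	if !ed25519.Verify(trusted, share, sig) {
		return nil, nil, errors.New("key share not signed by the trusted server key")
	}
	mine, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	key, err = agree(mine, share)
	return key, mine.PublicKey().Bytes(), err
}

// gcm wraps a derived key in AES-256-GCM, the symmetric half of the design; keys are always 32 bytes here, so the constructors cannot fail.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// RunHandshake plays both sides in one process, then moves one record sealed
// under the client's key and opened under the server's: it decrypts only if
// the two keys agree, and a share signed by any other key is rejected first.
func RunHandshake(signer ed25519.PrivateKey, trusted ed25519.PublicKey, msg string) (string, error) {
	eph, share, sig, err := ServerKeyShare(signer)
	if err != nil {
		return "", err
	}
	clientKey, clientShare, err := ClientFinish(trusted, share, sig)
	if err != nil {
		return "", err
	}
	serverKey, err := agree(eph, clientShare) // eph is never used again: that is the forward secrecy
	if err != nil {
		return "", err
	}
	nonce := make([]byte, 12) // record 0 under a one-shot key; TLS XORs a per-session IV with the record counter
	plain, err := gcm(serverKey).Open(nil, nonce, gcm(clientKey).Seal(nil, nonce, []byte(msg), nil), nil)
	return string(plain), err
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println(RunHandshake(priv, pub, "GET / HTTP/1.1"))
}
```

Run it and the record comes back decrypted. Hand RunHandshake a signing key other than the one the client trusts and ClientFinish rejects the share before any key is derived; that signature check is what turns anonymous Diffie-Hellman into authenticated Diffie-Hellman. And because eph lives only for the duration of the call, nothing the server keeps long-term can reconstruct the session key afterwards.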
TLS 1.3 (2018) removed everything broken: RSA key exchange, CBC mode, MD5, SHA-1, RC4, static DH. Only AEAD ciphers (GCM, ChaCha20-Poly1305) and only ECDHE for key exchange, so every session has forward secrecy. If you are using anything below TLS 1.3 in 2026, you have a config bug.
Cert renewal used to be painful. Let's Encrypt (2016) made it free and automated. If you are paying for a DV cert today, you are wasting money. EV certs no longer get the green bar in browsers either.
Learn more
- Article: Cloudflare, "A detailed look at TLS 1.3"
- Docs: Ilya Grigorik, High Performance Browser Networking, ch. 4