SSL/TLS Handshake Explained With Wireshark Screenshot

An encrypted connection is established betwen the browser or other client with the server through a series of handshakes. In this article I will explain the SSL/TLS handshake with wireshark.

Step1. Client Hello

The client begins the communication. The first step is called client hello. The client lists the versions of SSL/TLS and cipher suites it’s able to use.

SSL/TLS Handshake Explained

Step2. Server Hello

The server will see the list of SSL/TLS versions and cipher suites and pick the newest the server is able to use. Then the server send a message to the client containing the SSL/TLS version and cipher suite it chose.

SSL/TLS Handshake Explained

Step3. Server Key Exchange

After the server and client agress on the SSL/TLS version and cipher suite, then server sends two things. The first is its SSL/TLS certificate to the client. The client (web browser) validates the server’s certificate. Web browsers store a list of Root CA(Certificate Authority) in itself. These root CAs are third parties that are trusted by web browsers. The server’s certificate is issued by root CA or immediate CA. Immediate CA is a CA that is trusted by root CA.

Web browsers trust Root CA. Root CA trust immediate CA. If the server’s certificate is issued by a trusted root CA or immediate CA, then the browser turst the server’s certificate. I will tell you how to find these root CAs in your web browser at the end of this article.

server key exchange

The second thing the server sends is its public key and signature. The public key is actually included in the certificate. The client and the server encrypt message with the public key and it can only be decrypted with the private key. The server never share its private key with anyone.

server key exchange

At the end of server key exchange, the server sends a server hello done message.

Step4. Client Key Exchange

Until now, all the infomation sent between the client and server is unencrypted. Now the client receives the server’s public key and generate a new session key (aka pre-master key) encrypted with the public key and sends it to the server. The session key can only be decrypted with the private key and because only the server has the private key so only the client and server know the session key. This session key is only valid in one session. If the user close the client and visit the same server next day, a new session key will be generated by the client.

client key exchange

Step 5. Change Cipher Spec

The change cipher spec message is sent by both the client and server to notify the receiving party that subsequent records will be protected under the just-negotiated CipherSpec and keys.

Step 6. Encrypted Handshake

The client and the server sends to each other an encrypted message saying the key information is correct.

Now the client (web browser) will see a green lock in the address bar. The client and server encrypt http traffic with the session key.

 How to View Root CAs in Your Browser


Go to Tools > Options > Advanced > Certificate > View Certificate.

firefox certificate manager


Go to settings > show advanced settings > manage certificate > authorities.

chrome certificate manager

Rate this tutorial
[Total: 15 Average: 4.4]

4 Responses to “SSL/TLS Handshake Explained With Wireshark Screenshot

  • Thank you. That was very helpful!

  • Biman Chandra Roy
    2 years ago

    You wrote “pubkey is actually the session key”. Are you sure?

  • Great article! one slight correction….”immediate CA” should instead be listed as “intermediate CA”.

  • João Campos
    2 years ago


    First all, thank you very much fort this. However I have a question, when I have a invalid certificate (its outdated, etc…), Or I dont have a
    certificate. In which of the handshake steps the communication will be terminated ?

    Thanks in advance and
    best regards

Leave a Comment

  • Comments with links are moderated by admin before published.
  • Your email address will not be published.
  • Use <pre> ... </pre> HTML tag to quote the output from your terminal/console.
  • Please use the community ( for questions unrelated to this article.
  • I don't have time to answer every question. Making a donation would incentivize me to spend more time answering questions.

The maximum upload file size: 2 MB. You can upload: image. Links to YouTube, Facebook, Twitter and other services inserted in the comment text will be automatically embedded. Drop file here