7 ways to HTTP over TLS
HTTPS is HTTP carried over TLS, which encrypts and authenticates the traffic between a web client and a server. HTTPS can be deployed in several configurations, and the choice affects latency and performance. In every configuration the goal is the same: the client authenticates the server through its certificate, the two sides agree on a key exchange algorithm and a symmetric cipher, each derives the same symmetric key from the key exchange (the key itself is never sent over the wire), and both then use that key to encrypt and decrypt the HTTP requests and responses.
In this post I explore 7 of the configurations.
1. HTTPS over TCP with TLS 1.2
This is the common case for HTTP/1.1 and HTTP/2, since both run over TCP. The client first establishes a TCP connection with the three-way handshake (one round trip), then starts the TLS 1.2 handshake, which costs two more round trips before any HTTP data can be sent. In the ClientHello the client offers the server a buffet of options, including the list of cipher suites it supports (each suite names a key exchange algorithm, a symmetric cipher and a hash). It is up to the server's TLS implementation to pick the "right" parameters from that list; the client only proposes. The server answers with a ServerHello naming the selected cipher suite, followed by its certificate to prove its identity (the client can also supply a certificate to prove its own identity; that is mTLS, which might be another post). With the ephemeral key exchanges used in practice (ECDHE or DHE), the server also sends its public key exchange value, signed with the certificate's key, in a ServerKeyExchange message. The client then generates its own private and public key exchange values for the agreed algorithm and sends the public part in a ClientKeyExchange message. Each side combines its private value with the other's public value and derives the same symmetric keys locally; the symmetric key itself never crosses the wire. Both sides then send ChangeCipherSpec and an encrypted Finished message that authenticates the whole handshake. Only now does the client encrypt the GET request with its write key, which the server decrypts with the same key. Server…
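The exchange described above, as an added example that is not part of the original post: a small Python simulation of a TLS 1.2 DHE full handshake in which the server, not the client, picks the cipher suite, and both sides derive identical keys with the TLS 1.2 PRF (RFC 5246, SHA-256) from a premaster secret that never crosses the wire. The DH group (p = 2^255 - 19, g = 2) is a toy assumption chosen for readability and is not a TLS group; the suite names are real TLS 1.2 identifiers used only as labels; the Finished verify_data, the certificate signature and the record-layer encryption are deliberately not implemented.

```python
import hashlib
import hmac
import os

# Toy Diffie-Hellman group, an assumption for a runnable illustration only:
# p = 2**255 - 19 is prime and g = 2, but this is NOT a TLS-approved group.
# Real TLS 1.2 DHE uses a >= 2048-bit MODP group; ECDHE uses a named curve.
P = 2**255 - 19
G = 2

# Key material sizes for an AES-128-GCM suite: 16-byte keys, 4-byte implicit
# nonces, and no separate MAC key because GCM is an AEAD cipher.
ENC_KEY_LEN = 16
FIXED_IV_LEN = 4


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5) instantiated with SHA-256."""
    seed = label + seed
    a = seed  # A(0)
    out = b""
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def pick_cipher_suite(offered: list, server_preference: list) -> str:
    """The SERVER chooses: first suite in its own order that the client offered.
    (A server may also honour the client's order; this simulation uses server preference.)"""
    for suite in server_preference:
        if suite in offered:
            return suite
    raise ValueError("handshake_failure: no cipher suite in common")


def dh_keypair(rng=os.urandom):
    priv = int.from_bytes(rng(32), "big") % (P - 2) + 1  # private exponent in [1, p-2]
    return priv, pow(G, priv, P)


def dh_premaster(priv: int, peer_pub: int) -> bytes:
    z = pow(peer_pub, priv, P)
    # RFC 5246 8.1.2: leading zero bytes of Z are stripped before use.
    return z.to_bytes((z.bit_length() + 7) // 8, "big")


def derive_keys(premaster: bytes, client_random: bytes, server_random: bytes) -> dict:
    master = tls12_prf(premaster, b"master secret", client_random + server_random, 48)
    # Note the reversed random order for key expansion (RFC 5246 6.3).
    block = tls12_prf(master, b"key expansion", server_random + client_random,
                      2 * ENC_KEY_LEN + 2 * FIXED_IV_LEN)
    k, v = ENC_KEY_LEN, FIXED_IV_LEN
    return {
        "master_secret": master,
        "client_write_key": block[0:k],
        "server_write_key": block[k:2 * k],
        "client_write_iv": block[2 * k:2 * k + v],
        "server_write_iv": block[2 * k + v:2 * k + 2 * v],
    }


def run_handshake(client_offer, server_preference, rng=os.urandom) -> dict:
    """Simulate a TLS 1.2 DHE full handshake (two round trips after TCP) and
    return the negotiated suite, the message order and what each side derived."""
    transcript = []
    # Flight 1 (client -> server): ClientHello carries the client random and offered suites.
    client_random = rng(32)
    transcript.append(("client", "ClientHello"))
    # Flight 2 (server -> client): ServerHello picks the suite, Certificate proves identity,
    # ServerKeyExchange carries the server's ephemeral DH public value (signed by the cert
    # key in real TLS; the signature is not modelled here).
    suite = pick_cipher_suite(client_offer, server_preference)
    server_random = rng(32)
    s_priv, s_pub = dh_keypair(rng)
    transcript += [("server", "ServerHello"), ("server", "Certificate"),
                   ("server", "ServerKeyExchange"), ("server", "ServerHelloDone")]
    # Flight 3 (client -> server): ClientKeyExchange carries the client's DH public value,
    # then ChangeCipherSpec and Finished (verify_data over the handshake hash not computed).
    c_priv, c_pub = dh_keypair(rng)
    transcript += [("client", "ClientKeyExchange"), ("client", "ChangeCipherSpec"),
                   ("client", "Finished")]
    # Each side computes the premaster secret locally; only the public values crossed the wire.
    client_keys = derive_keys(dh_premaster(c_priv, s_pub), client_random, server_random)
    server_keys = derive_keys(dh_premaster(s_priv, c_pub), client_random, server_random)
    # Flight 4 (server -> client): ChangeCipherSpec + Finished; the GET request can follow.
    transcript += [("server", "ChangeCipherSpec"), ("server", "Finished")]
    return {"suite": suite, "transcript": transcript,
            "client_keys": client_keys, "server_keys": server_keys}


if __name__ == "__main__":
    result = run_handshake(
        ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"],  # client order
        ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"],  # server order
    )
    print("negotiated:", result["suite"])
    print("keys match:", result["client_keys"] == result["server_keys"])
    print("flights:", [m for _, m in result["transcript"]])
```

The client lists the static-RSA suite first, yet the server's preference wins, which is the practical reason server-side cipher ordering (and removing weak suites server-side) matters more than what browsers offer. The `client_write_key` is used by the client to encrypt and by the server to decrypt, and it exists on both machines without ever having been transmitted.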