Is an SSL handshake the same as a TLS handshake?

In current usage, yes. People still say SSL handshake, but production HTTPS connections use TLS, usually TLS 1.2 or TLS 1.3. SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 are obsolete and should not be enabled on public services.

What does the TLS handshake actually do?

It negotiates the protocol version and cryptographic parameters, authenticates the server certificate, uses key exchange to derive shared secrets, and confirms that both client and server computed the same keys before encrypted application data is sent.

Does DNS happen before the SSL handshake?

Usually yes. A browser first resolves the hostname through DNS, opens a connection to the returned address, and then starts the TLS handshake. DNS records such as HTTPS, CAA, and TLSA can influence connection setup, certificate issuance policy, and certificate validation, but the handshake itself happens after the client has a network endpoint.

Why do SSL handshakes fail?

Common causes include an expired certificate, hostname mismatch, missing intermediate certificate, unsupported TLS version, incompatible cipher suites, SNI misconfiguration, a server presenting the wrong certificate, or DNS pointing clients to the wrong endpoint.

How do I test a TLS handshake from the command line?

Use openssl s_client -connect example.com:443 -servername example.com -showcerts to inspect the negotiated protocol, certificate chain, SNI behavior, and verification result. Use curl -vI https://example.com to see the same problem from an HTTP client's perspective.

Email & TLSBeginner

What Is an SSL Handshake? TLS Handshake Explained

Learn what an SSL/TLS handshake is, how ClientHello, ServerHello, certificates, cipher suites, and session keys work, and how to debug handshake failures.

Updated 10 June 2026

Start free Browse guides

Answer snapshot

An SSL handshake is the setup conversation that happens before encrypted traffic begins. In modern systems it is really a TLS handshake: the client and server agree on a TLS version, negotiate cryptographic parameters, authenticate the server certificate, derive shared session keys, and prove that both sides calculated the same keys. After that, HTTP, DNS over TLS, SMTP STARTTLS, or another application protocol can send encrypted data.

What you'll learn

Understand what people mean by SSL handshake and why modern connections use TLS
Follow the TLS 1.3 handshake from ClientHello to encrypted application data
Know where certificate chains, SNI, ALPN, HTTPS records, CAA, and TLSA fit
Diagnose common SSL handshake failures with OpenSSL, curl, and DNS checks

An SSL handshake is the setup phase that turns an ordinary network connection into an encrypted, authenticated one. The name is historical: SSL is the old protocol family, while modern HTTPS and other secure protocols use TLS. When someone says "SSL handshake" in 2026, they usually mean a TLS handshake.

The handshake happens before the browser sends the HTTP request body, before a DNS-over-TLS resolver sends a DNS query, and before an SMTP server sends mail over STARTTLS. It answers five questions:

Which TLS version will both sides use?
Which cryptographic algorithms and application protocol will they use?
Is the server really allowed to represent this hostname?
Can both sides derive the same shared encryption keys?
Has anyone tampered with the setup messages?

Once those checks pass, both sides switch to encrypted application data.

Where the Handshake Fits

For a normal first-time HTTPS visit, the path looks like this:

Browser
  -> DNS lookup for example.com
  -> TCP connection to the chosen IP address
  -> TLS handshake
  -> HTTP request and response over encrypted TLS

With HTTP/3, the transport changes because QUIC runs over UDP and includes TLS 1.3 inside the QUIC connection setup. The security goals are the same: authenticate the endpoint and derive fresh encryption keys before application data is exchanged.

HTTPS records can let a browser learn HTTP/3, ALPN, IP hints, and Encrypted Client Hello configuration from DNS before it connects. CAA records control which public CAs may issue the server certificate. TLSA records can publish certificate or public-key fingerprints for DANE-validating clients. Those DNS records do not replace the handshake, but they shape the trust and connection metadata around it.

TLS 1.3 Handshake Step by Step

TLS 1.3, defined in RFC 8446, simplified the handshake compared with TLS 1.2 and removed older negotiation paths. A typical full TLS 1.3 handshake looks like this:

Step	Message	What Happens
1	ClientHello	The client proposes TLS versions, cipher suites, supported groups, key shares, SNI, ALPN, and extensions.
2	ServerHello	The server chooses the TLS version, cipher suite, and key share. Both sides can now derive handshake secrets.
3	EncryptedExtensions	The server sends selected extensions such as ALPN under handshake encryption.
4	Certificate	The server sends its leaf certificate and intermediate certificates.
5	CertificateVerify	The server proves it controls the private key for the certificate.
6	Finished	The server proves it derived the same handshake transcript secrets.
7	Finished	The client verifies the server and sends its own Finished message.
8	Application data	HTTP, DNS, SMTP, or another protocol now travels encrypted.

The exact message flow can vary with session resumption, client certificates, HelloRetryRequest, or QUIC, but the main ideas stay consistent: negotiate parameters, authenticate the peer, derive keys, and protect the transcript.

ClientHello

The ClientHello is the client's opening offer. It usually contains:

Supported TLS versions
Supported cipher suites
Supported elliptic-curve groups
A key share for key exchange
The hostname through SNI (Server Name Indication)
Supported application protocols through ALPN
Optional extension data, such as ECH-related configuration in supporting deployments

SNI matters because many servers host multiple domains on one IP address. Without SNI, the server may not know which certificate to present. If SNI is missing or wrong, the client may see a certificate for another hostname and fail the handshake.

ALPN matters because it lets the client and server choose the application protocol inside TLS: for example h2 for HTTP/2 or http/1.1 for HTTP/1.1. HTTPS and SVCB records can advertise ALPN preferences before the connection starts, but the negotiated ALPN result still happens in the TLS handshake.

ServerHello

The ServerHello is the server's choice. The server selects one TLS version and one cipher suite from the client's offered set, and it sends its own key share. With modern ECDHE-based key exchange, neither side sends the final session key directly. Instead, each side combines its private key material with the other side's public key share and independently calculates the same shared secret.

That property is why modern TLS provides forward secrecy. If the server's certificate private key is compromised later, old captured TLS sessions should still remain protected, because the temporary key exchange material from those sessions is not recoverable from the certificate key alone.

Certificate Validation

The server then proves its identity with a certificate chain. The client checks:

The leaf certificate covers the hostname requested through SNI
The certificate is within its validity period
The certificate has the right key usage for TLS server authentication
The chain connects through intermediates to a trusted root CA
The certificate has not been revoked, where revocation checking is available
The server can prove possession of the certificate private key

For the chain details, see What Is an SSL Certificate Chain. For the certificate itself, see SSL and TLS Certificates Explained.

DNS can affect certificate trust before this point. CAA records publish which CAs are authorized to issue for your domain. ACME DNS-01 challenges let a CA verify domain control by checking a temporary TXT record. TLSA records, when protected by DNSSEC, let DANE-aware clients compare the presented certificate or public key with DNS-published data.

Finished Messages

The Finished messages are integrity checks over the handshake transcript. Each side sends a value derived from the negotiated secrets and every handshake message seen so far. If an attacker changed the version, cipher suite, certificate, key share, or extension data in transit, the Finished check would fail.

After both Finished messages validate, the client and server use application traffic keys. From this point on, HTTP headers and bodies, DNS messages inside DoT, or SMTP data after STARTTLS are encrypted and integrity-protected.

TLS 1.2 vs TLS 1.3

TLS 1.2 is still common, but TLS 1.3 is simpler and faster.

Area	TLS 1.2	TLS 1.3
Full handshake latency	Usually two round trips	Usually one round trip
Key exchange	Multiple legacy options, including RSA key transport in older configurations	Forward-secret key exchange only
Cipher suites	Mix authentication, key exchange, encryption, and hash choices	Simpler AEAD-based cipher suites
Handshake encryption	More handshake metadata visible	More handshake messages encrypted after ServerHello
Obsolete algorithms	Easier to misconfigure	Legacy algorithms removed from the protocol

TLS 1.0 and TLS 1.1 are deprecated by RFC 8996. Public services should support TLS 1.2 and TLS 1.3, with TLS 1.3 preferred where clients and servers support it.

Common SSL Handshake Failures

Expired Certificate

If the leaf certificate or an intermediate certificate is expired, clients refuse the connection.

openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | \
  openssl x509 -noout -subject -issuer -dates

Check notAfter. If the date has passed, renew the certificate and reload the service.

Hostname Mismatch

The certificate must cover the exact hostname the client requested. A certificate for www.example.com does not automatically cover api.example.com, and a wildcard like *.example.com does not cover a.b.example.com.

openssl s_client -connect 203.0.113.10:443 -servername api.example.com -showcerts

If the wrong certificate appears, check SNI configuration, virtual hosts, load balancer listener rules, and whether DNS points to the expected endpoint.

Missing Intermediate Certificate

Servers must usually send the leaf certificate plus intermediate certificates. If the server sends only the leaf, some clients cannot build a trusted chain.

openssl s_client -connect example.com:443 -servername example.com -showcerts

Look for the full chain and Verify return code: 0 (ok). If intermediates are missing, deploy the CA-provided fullchain.pem or equivalent bundle.

Unsupported TLS Version

Old clients may not support modern server settings. Old servers may not support modern client requirements. A public service should not keep obsolete protocols enabled just for compatibility; use a separate legacy endpoint if you truly need one.

# Test TLS 1.3
openssl s_client -connect example.com:443 -servername example.com -tls1_3
 
# Test TLS 1.2
openssl s_client -connect example.com:443 -servername example.com -tls1_2

Cipher Suite Mismatch

A cipher mismatch happens when client and server have no shared cipher suite. This is less common with TLS 1.3 because the cipher suite model is narrower, but it still happens with strict TLS 1.2 configurations, old Java runtimes, old appliances, and FIPS-only environments.

SNI Misconfiguration

If your server hosts multiple domains on one IP address, SNI chooses which certificate to present. A common failure is testing only the IP address or omitting -servername with OpenSSL:

# Often wrong for virtual hosts
openssl s_client -connect example.com:443
 
# Correct for SNI-aware testing
openssl s_client -connect example.com:443 -servername example.com

ALPN or Protocol Problems

The TLS handshake can succeed while the selected application protocol is wrong. For example, a client may expect HTTP/2 but the server only negotiates HTTP/1.1.

openssl s_client -connect example.com:443 -servername example.com -alpn h2,http/1.1

For web services, HTTPS records can advertise h3, h2, and related connection hints before the connection starts. The server still has to support the advertised protocol during the actual connection.

Quick Debug Checklist

Confirm DNS points to the expected service:

dig A example.com +short
dig AAAA example.com +short
dig HTTPS example.com +short

Inspect the live handshake:

openssl s_client -connect example.com:443 -servername example.com -showcerts

Check the HTTP client's view:
```
curl -vI https://example.com
```
Check certificate issuance policy:
```
dig CAA example.com +short
```
If you use DANE, check TLSA and DNSSEC:
```
dig +dnssec TLSA _443._tcp.example.com
```

How DNS Records Support TLS

TLS handshakes do not live inside DNS, but DNS is part of the operating model around TLS:

DNS Record	TLS Role
A / AAAA	Point clients to the server that will run the handshake.
HTTPS	Advertise HTTP/3, ALPN, ECH, port, target, and IP hints before connection setup.
CAA	Limit which CAs may issue public TLS certificates for the domain.
TXT	Used by ACME DNS-01 challenges for automated certificate issuance.
TLSA	Publish certificate or public-key associations for DANE-validating clients.
DS / DNSKEY	Build the DNSSEC chain required for trustworthy DANE/TLSA validation.

This is where DNScale fits: it does not terminate your website's TLS connection, but it manages the DNS records that influence certificate issuance, DNS-based validation, DANE, HTTPS service hints, and the endpoint clients reach before the handshake begins.

SSL and TLS Certificates Explained - certificate basics
What Is an SSL Certificate Chain - how CA trust chains validate during the handshake
What Is an HTTPS Record - ALPN, HTTP/3, ECH, and connection hints in DNS
DNS CAA Record Explained - control certificate issuance through DNS
DNS TLSA Record Explained - DANE certificate pinning through DNSSEC
Let's Encrypt DNS-01 Challenges with DNScale - automate certificate issuance with DNS
DNS over TLS Explained - DNS queries inside a TLS connection
DNSSEC - DNS authenticity for DANE and signed records

References

Conclusion

The SSL handshake is the negotiation that makes encrypted connections possible. In modern infrastructure, that means a TLS handshake: the client and server agree on protocol settings, authenticate the certificate, derive fresh session keys, and verify that the setup was not tampered with. DNS does not perform the handshake, but DNS determines where clients connect and can publish the records that make certificate issuance, DANE validation, HTTPS hints, and secure automation work reliably.

Frequently asked questions

Is an SSL handshake the same as a TLS handshake?: In current usage, yes. People still say SSL handshake, but production HTTPS connections use TLS, usually TLS 1.2 or TLS 1.3. SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 are obsolete and should not be enabled on public services.
What does the TLS handshake actually do?: It negotiates the protocol version and cryptographic parameters, authenticates the server certificate, uses key exchange to derive shared secrets, and confirms that both client and server computed the same keys before encrypted application data is sent.
Does DNS happen before the SSL handshake?: Usually yes. A browser first resolves the hostname through DNS, opens a connection to the returned address, and then starts the TLS handshake. DNS records such as HTTPS, CAA, and TLSA can influence connection setup, certificate issuance policy, and certificate validation, but the handshake itself happens after the client has a network endpoint.
Why do SSL handshakes fail?: Common causes include an expired certificate, hostname mismatch, missing intermediate certificate, unsupported TLS version, incompatible cipher suites, SNI misconfiguration, a server presenting the wrong certificate, or DNS pointing clients to the wrong endpoint.
How do I test a TLS handshake from the command line?: Use openssl s_client -connect example.com:443 -servername example.com -showcerts to inspect the negotiated protocol, certificate chain, SNI behavior, and verification result. Use curl -vI https://example.com to see the same problem from an HTTP client's perspective.

Related guides

Ready to manage your DNS with confidence?

DNScale provides anycast DNS hosting with a global network, real-time analytics, and an easy-to-use API.

Start free