In one-way SSL, only the client validates the server, to ensure that it is receiving data from the intended server. To implement one-way SSL, the server shares its public certificate with its clients. Below is a high-level description of the steps involved in establishing the connection and transferring data between a client and a server with one-way SSL:
- The client requests some protected data from the server over HTTPS. This initiates the SSL/TLS handshake.
- The server returns its public certificate to the client along with the server hello message.
- The client validates/verifies the received certificate. For a CA-signed certificate, the client verifies it against the certification authority (CA) that signed it.
- The SSL/TLS client sends a random byte string that enables both the client and the server to compute the secret key used to encrypt subsequent message data. The random byte string itself is encrypted with the server's public key.
- After agreeing on this secret key, the client and server communicate further, encrypting and decrypting the actual data with this key.
In contrast to one-way SSL, in two-way SSL both the client and the server authenticate each other, to ensure that both parties in the communication are trusted. Each party shares its public certificate with the other, and verification/validation is then performed on that basis.
Below is a high-level description of the steps involved in establishing the connection and transferring data between a client and a server with two-way SSL:
- The client requests a protected resource over HTTPS and the SSL/TLS handshake begins.
- The server returns its public certificate to the client along with the server hello.
- The client validates/verifies the received certificate. For a CA-signed certificate, the client verifies it against the certification authority (CA) that signed it.
- If the server certificate was validated successfully, the client provides its own public certificate to the server.
- The server validates/verifies the received certificate. For a CA-signed certificate, the server verifies it against the certification authority (CA) that signed it.
- After the handshake completes, the client and server communicate and transfer data, encrypted with the secret keys established between the two during the handshake.
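The following program is an added example, not code from the original page, that exercises both procedures described above with Go's standard crypto/tls package: the one-way handshake (client verifies the server, server asks for nothing) and the two-way handshake (server additionally demands a client certificate that chains to a CA it trusts). It builds a throwaway CA, a server certificate and a client certificate in memory at run time; the names `server.test`, `client-1` and `constructed-example-ca`, and the `PKI`, `issue` and `Exchange` helpers, are assumptions of this example. One caveat to the steps above: encrypting a random byte string with the server's public key is the RSA key exchange; with (EC)DHE suites and all of TLS 1.3 the session key is derived from an ephemeral exchange instead, but the authentication logic (whose certificate is verified against whose trust store) is the same, and that is what the example checks.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"time"
)

// PKI is a throwaway hierarchy generated at run time (constructed, not real): CA trust pool plus two leaves.
type PKI struct {
	Pool           *x509.CertPool
	Server, Client tls.Certificate
}

// issue generates a P-256 key and certifies it for name; ca == nil yields the self-signed root.
func issue(name string, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey, eku ...x509.ExtKeyUsage) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		DNSNames:     []string{name}, // for the server leaf, the SAN the client matches ServerName against
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
	}
	issuer, signer := ca, caKey
	if ca == nil { // self-signed root, allowed to sign others
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		issuer, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// NewPKI builds the root and issues the two leaves; the trust pool holds only the root.
func NewPKI() *PKI {
	ca := issue("constructed-example-ca", 1, nil, nil)
	caKey := ca.PrivateKey.(*ecdsa.PrivateKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	return &PKI{
		Pool:   pool,
		Server: issue("server.test", 2, ca.Leaf, caKey, x509.ExtKeyUsageServerAuth),
		Client: issue("client-1", 3, ca.Leaf, caKey, x509.ExtKeyUsageClientAuth),
	}
}

// Exchange runs one TLS connection over loopback TCP. twoWay makes the server demand a client
// certificate chaining to its ClientCAs; roots is the client's trust store; clientCerts is what the
// client can present (nil: nothing). It returns how many client certificates the server verified and
// the first error on the client's side. The read after the handshake matters: a TLS 1.3 client finishes
// its handshake before the server has judged the client certificate, so a rejection surfaces only there.
func Exchange(p *PKI, twoWay bool, roots *x509.CertPool, clientCerts []tls.Certificate) (int, error) {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{p.Server}}
	if twoWay {
		srvCfg.ClientAuth, srvCfg.ClientCAs = tls.RequireAndVerifyClientCert, p.Pool
	}
	cliCfg := &tls.Config{RootCAs: roots, ServerName: "server.test", Certificates: clientCerts}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	seen := make(chan int, 1)
	go func() { // server side
		raw, err := ln.Accept()
		if err != nil {
			seen <- -1
			return
		}
		conn := tls.Server(raw, srvCfg)
		defer conn.Close()
		if err := conn.Handshake(); err != nil {
			seen <- 0 // refused: bad or missing client certificate, or the client gave up
			return
		}
		seen <- len(conn.ConnectionState().PeerCertificates)
		conn.Write([]byte("ok\n")) // application data, reached only by a client the server accepted
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg) // verifies the server's chain and name
	if err == nil {
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		_, err = io.ReadFull(conn, make([]byte, 3)) // the first read reports a server-side rejection
	}
	ln.Close() // also unblocks Accept if the client never connected
	return <-seen, err
}
```

Calling `Exchange(p, false, p.Pool, nil)` is the one-way case and succeeds with zero client certificates seen; with an empty trust store (`x509.NewCertPool()`) the client refuses the server, which is the check in step 3 of the first list. `Exchange(p, true, p.Pool, []tls.Certificate{p.Client})` is the two-way case and reports one verified client certificate, while the same server with a client that has nothing to present fails. The server policy is `tls.RequireAndVerifyClientCert` on purpose: Go's weaker `RequestClientCert` and `VerifyClientCertIfGiven` settings let a client that sends no certificate through, which is a common misconfiguration when "mutual TLS" is believed to be enforced.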