Editing Transport Layer Security (section)

==Description==
[[Client–server model|Client-server]] applications use the TLS [[cryptographic protocol|protocol]] to communicate across a network in a way designed to prevent [[eavesdropping]] and [[tamper-evident|tampering]].

Since applications can communicate either with or without TLS (or SSL), it is necessary for the [[client (computing)|client]] to request that the [[server (computing)|server]] set up a TLS connection.<ref name=":0">{{cite IETF|last1=Lawrence|first1=Scott|last2=Khare|first2=Rohit|title=Upgrading to TLS Within HTTP/1.1|rfc=2817|publisher=Internet Engineering Task Force|date=May 2000}}</ref> One of the main ways of achieving this is to use a different [[port (computer networking)|port number]] for TLS connections. Port 80 is typically used for unencrypted [[Hypertext Transfer Protocol|HTTP]] traffic while port 443 is the common port used for encrypted [[HTTPS]] traffic. Another mechanism is to make a protocol-specific [[opportunistic TLS|STARTTLS]] request to the server to switch the connection to TLS – for example, when using the mail and [[usenet|news]] protocols.

Once the client and server have agreed to use TLS, they negotiate a [[state (computer science)|stateful]] connection by using a handshaking procedure (see {{slink||TLS_handshake}}).<ref>{{cite web|url=https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc785811(v=ws.10)|title=SSL/TLS in Detail|department=[[Microsoft TechNet|TechNet]]|website=[[Microsoft Docs]]|date=October 8, 2009|access-date=2021-10-24|archive-date=2022-08-13|archive-url=https://web.archive.org/web/20220813015525/https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc785811(v=ws.10)|url-status=live}}</ref> The protocols use a handshake with an [[asymmetric cipher]] to establish not only cipher settings but also a session-specific shared key with which further communication is encrypted using a [[symmetric cipher]]. During this handshake, the client and server agree on various parameters used to establish the connection's security:
*The handshake begins when a client connects to a TLS-enabled server requesting a secure connection and the client presents a list of supported [[cipher suite]]s ([[encryption|ciphers]] and [[hash function]]s).
*From this list, the server picks a cipher and hash function that it also supports and notifies the client of the decision.
*The server usually then provides identification in the form of a [[Public key certificate|digital certificate]]. The certificate contains the [[hostname|server name]], the trusted [[certificate authority]] (CA) that vouches for the authenticity of the certificate, and the server's public encryption key.
*The client confirms the validity of the certificate before proceeding.
*To generate the session keys used for the secure connection, the client either:
**encrypts a [[random number generation|random number]] (''PreMasterSecret'') with the server's public key and sends the result to the server (which only the server should be able to decrypt with its private key); both parties then use the random number to generate a unique session key for subsequent encryption and decryption of data during the session, or
**uses [[Diffie–Hellman key exchange]] (or its variant [[Elliptic-curve Diffie–Hellman|elliptic-curve DH]]) to securely generate a random and unique session key for encryption and decryption that has the additional property of [[forward secrecy]]: if the server's private key is disclosed in future, it cannot be used to decrypt the current session, even if the session is intercepted and recorded by a third party.
This concludes the handshake and begins the secured connection, which is encrypted and decrypted with the session key until the connection closes. If any one of the above steps fails, then the TLS handshake fails and the connection is not created.

TLS and SSL do not fit neatly into any single layer of the [[OSI model]] or the [[internet protocol suite|TCP/IP model]].<ref name=ccnp>{{cite book|last1=Hooper|first1=Howard|title=CCNP Security VPN 642–648 Official Cert Guide|date=2012|publisher=Cisco Press|isbn=9780132966382|page=22|edition=2|url=https://books.google.com/books?id=5PJisOKJ0k8C&pg=PA22}}</ref><ref name="stackex_layer">{{cite web|url=https://security.stackexchange.com/a/93338|title=What layer is TLS?|website=Information Security Stack Exchange|first1=Andrew|last1=Spott|first2=Tom|last2=Leek|display-authors=etal|access-date=2017-04-13|archive-date=2021-02-13|archive-url=https://web.archive.org/web/20210213050549/https://security.stackexchange.com/questions/93333/what-layer-is-tls/93338|url-status=live}}</ref> TLS runs "on top of some reliable transport protocol (e.g., TCP),"{{Ref RFC|8446|rsection=1}} which would imply that it is above the [[transport layer]]. It serves encryption to higher layers, which is normally the function of the [[presentation layer]]. However, applications generally use TLS as if it were a transport layer,<ref name=ccnp/><ref name="stackex_layer"/> even though applications using TLS must actively control initiating TLS handshakes and handling of exchanged authentication certificates.{{Ref RFC|8446|rsection=1}}

When secured by TLS, connections between a client (e.g., a web browser) and a server (e.g., wikipedia.org) will have all of the following properties:{{Ref RFC|8446|rsection=1}}
*The connection is ''private'' (or has ''confidentiality'') because a [[symmetric-key algorithm]] is used to encrypt the data transmitted. The keys for this symmetric encryption are generated uniquely for each connection and are based on a shared secret that was negotiated at the start of the session. The server and client negotiate the details of which encryption algorithm and cryptographic keys to use before the first byte of data is transmitted (see below). The negotiation of a shared secret is both secure (the negotiated secret is unavailable to eavesdroppers and cannot be obtained, even by an attacker who places themselves in the middle of the connection) and reliable (no attacker can modify the communications during the negotiation without being detected).
*The identity of the communicating parties can be ''authenticated'' using [[public-key cryptography]]. This authentication is required for the server and optional for the client.
*The connection is ''reliable'' (or has ''integrity'') because each message transmitted includes a message integrity check using a [[message authentication code]] to prevent undetected loss or alteration of the data during transmission.

TLS supports many different methods for exchanging keys, encrypting data, and authenticating message integrity. As a result, secure configuration of TLS involves many configurable parameters, and not all choices provide all of the privacy-related properties described in the list above (see the tables below [[#Key exchange or key agreement|§&nbsp;Key exchange]], [[#Cipher|§&nbsp;Cipher security]], and {{slink||Data integrity}}).

Attempts have been made to subvert aspects of the communications security that TLS seeks to provide, and the protocol has been revised several times to address these security threats. Developers of web browsers have repeatedly revised their products to defend against potential security weaknesses after these were discovered (see TLS/SSL support history of web browsers).

=== Datagram Transport Layer Security ===
Datagram Transport Layer Security, abbreviated DTLS, is a related [[communications protocol]] providing [[communications security|security]] to [[datagram]]-based applications by allowing them to communicate in a way designed<ref name="RFC 4347">{{cite IETF|rfc=4347|title=Datagram Transport Layer Security|first1=Eric|last1=Rescorla|first2=Nagendra|last2=Modadugu|date=April 2006}}</ref><ref name="RFC 6347">{{cite IETF|rfc=6347|title=Datagram Transport Layer Security Version 1.2|first1=Eric|last1=Rescorla|first2=Nagendra|last2=Modadugu|date=January 2012}}</ref> to prevent [[eavesdropping]], [[man in the middle attack|tampering]], or [[message forgery]]. The DTLS protocol is based on the [[Stream (computing)|stream]]-oriented Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees. However, unlike TLS, it can be used with most datagram oriented protocols including [[User Datagram Protocol]] (UDP), [[Datagram Congestion Control Protocol]] (DCCP), [[CAPWAP|Control And Provisioning of Wireless Access Points]] (CAPWAP), [[Stream Control Transmission Protocol]] (SCTP) encapsulation, and [[Secure Real-time Transport Protocol]] (SRTP).

As the DTLS protocol datagram preserves the semantics of the underlying transport, the application does not suffer from the delays associated with stream protocols. However, the application has to deal with [[packet reordering]], loss of datagram and data larger than the size of a datagram [[network packet]]. Because DTLS uses UDP or SCTP rather than TCP, it avoids the [[TCP meltdown problem]],<ref>{{cite web
| url=http://sites.inka.de/bigred/devel/tcp-tcp.html
| title=Why TCP Over TCP Is A Bad Idea
| first=Olaf
| last=Titz
| date=2001-04-23
| access-date=2015-10-17
| archive-date=2023-03-10
| archive-url=https://web.archive.org/web/20230310043036/http://sites.inka.de/bigred/devel/tcp-tcp.html
| url-status=live
}}</ref><ref>{{cite conference
| bibcode=2005SPIE.6011..138H
| title=Understanding TCP over TCP: effects of TCP tunneling on end-to-end throughput and latency
|author1=Honda, Osamu |author2=Ohsaki, Hiroyuki |author3=Imase, Makoto |author4=Ishizuka, Mika |author5=Murayama, Junichi | s2cid=8945952
|book-title=Performance, Quality of Service, and Control of Next-Generation Communication and Sensor Networks III
| volume=6011
| date=October 2005
| doi=10.1117/12.630496
| citeseerx=10.1.1.78.5815
| editor1-last=Atiquzzaman
| editor1-first=Mohammed
| editor2-last=Balandin
| editor2-first=Sergey I
}}</ref> when being used to create a VPN tunnel.

The original 2006 release of DTLS version 1.0 was not a standalone document. It was given as a series of deltas to TLS 1.1.<ref>{{IETF RFC|4347|link=no}} § 4</ref> Similarly the follow-up 2012 release of DTLS is a delta to TLS 1.2. It was given the version number of DTLS 1.2 to match its TLS version. Lastly, the 2022 DTLS 1.3 is a delta to TLS 1.3. Like the two previous versions, DTLS 1.3 is intended to provide "equivalent security guarantees [to TLS 1.3] with the exception of order protection/non-replayability".<ref>{{cite IETF |rfc=9147 | title=The Datagram Transport Layer Security (DTLS) Protocol Version 1.3 | date=April 21, 2022 | last1=Rescorla | first1=Eric | last2=Tschofenig | first2=Hannes | last3=Modadugu | first3=Nagena }}</ref>

Many [[Virtual private network|VPN clients]] including [[Cisco]] [[AnyConnect]]<ref>{{cite web
| url=http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116312-qanda-anyconnect-00.html
| title=AnyConnect FAQ: tunnels, reconnect behavior, and the inactivity timer
| publisher=[[Cisco]]
| access-date=26 February 2017
| archive-date=26 February 2017
| archive-url=https://web.archive.org/web/20170226131243/http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116312-qanda-anyconnect-00.html
| url-status=live
}}</ref> & InterCloud Fabric,<ref>{{cite web
| url=http://www.cisco.com/c/en/us/td/docs/solutions/Hybrid_Cloud/Intercloud/Intercloud_Fabric/Intercloud_Fabric_2.pdf
| title=Cisco InterCloud Architectural Overview
| publisher=[[Cisco Systems]]
| access-date=2022-11-29
| archive-date=2022-08-09
| archive-url=https://web.archive.org/web/20220809111605/https://www.cisco.com/c/en/us/td/docs/solutions/Hybrid_Cloud/Intercloud/Intercloud_Fabric/Intercloud_Fabric_2.pdf
| url-status=live
}}</ref> [[OpenConnect]],<ref>{{cite web |title=OpenConnect |url=https://www.infradead.org/openconnect/ |access-date=26 February 2017 |publisher=[[OpenConnect]] |archive-date=2 February 2017 |archive-url=https://web.archive.org/web/20170202104439/http://www.infradead.org/openconnect/ |url-status=live }}</ref> [[Zscaler|ZScaler]] tunnel,<ref>{{cite web
| url=https://help.zscaler.com/z-app/about-z-tunnel-1.0-z-tunnel-2.0
| title=ZScaler ZTNA 2.0 Tunnel
| publisher=[[ZScaler]]
| access-date=2022-11-29
| archive-date=2022-11-29
| archive-url=https://web.archive.org/web/20221129041020/https://help.zscaler.com/z-app/about-z-tunnel-1.0-z-tunnel-2.0
| url-status=live
}}</ref> F5 Networks [[F5 Networks#BIG-IP product modules|Edge VPN Client]],<ref>{{cite web
| url=https://f5.com/glossary/datagram-transport-layer-security-dtls
| title=f5 Datagram Transport Layer Security (DTLS)
| publisher=[[f5 Networks]]
| access-date=2022-11-29
| archive-date=2022-11-29
| archive-url=https://web.archive.org/web/20221129041024/https://www.f5.com/glossary/datagram-transport-layer-security-dtls
| url-status=live
}}</ref> and Citrix Systems [[Citrix Systems#Networking and cloud|NetScaler]]<ref>{{cite web |title=Configuring a DTLS Virtual Server |url=http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/config-ssloffloading/config-dtls-vserver.html |publisher=[[Citrix Systems]] |access-date=2022-11-29 |archive-date=2016-12-21 |archive-url=https://web.archive.org/web/20161221020000/http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/config-ssloffloading/config-dtls-vserver.html |url-status=live }}</ref> use DTLS to secure UDP traffic. In addition all modern web browsers support DTLS-SRTP<ref>{{cite web
 |url=https://sites.google.com/site/webrtc/interop
 |title=WebRTC Interop Notes
 |url-status=dead
 |archive-url=https://web.archive.org/web/20130511043959/https://sites.google.com/site/webrtc/interop
 |archive-date=2013-05-11
}}</ref> for [[WebRTC]].