An Overview of One-Way SSL and Two-Way SSL

SSL (Secure Socket Layer) is the standard technology for establishing a secure channel between a client and a server, protecting the confidentiality and integrity of the data exchanged. SSL has evolved over time, and several versions have been released to deal with discovered vulnerabilities: SSL V2, released in 1995, was the first public version, followed by SSL V3 in 1996, TLS V1.0 in 1999, TLS V1.1 in 2006 and TLS V1.2 in 2008.
To protect data in transit between a client and a server, SSL can be deployed either one-way or two-way. In this post, I will briefly explain the difference between One-Way SSL and Two-Way SSL (also known as Mutual SSL).

How Does One-Way SSL Work?

In one-way SSL, only the client validates the server, to make sure it is receiving data from the intended server. To implement one-way SSL, the server shares its public certificate with its clients.
Below is a high-level description of the steps involved in establishing a connection and transferring data between a client and a server with one-way SSL:
1. The client requests protected data from the server over HTTPS. This initiates the SSL/TLS handshake.
2. The server returns its public certificate to the client along with the server hello message.
3. The client validates the received certificate. For CA-signed certificates, the client verifies the certificate against the certification authority (CA).
4. The SSL/TLS client sends a random byte string that enables both the client and the server to compute the secret key used to encrypt subsequent message data. The random byte string itself is encrypted with the server's public key.
5. After agreeing on this secret key, the client and server encrypt and decrypt all further data transfer with it.
Below is a pictorial description of how one-way SSL works:

How Does Two-Way (Mutual) SSL Work?

In contrast to one-way SSL, in two-way SSL both the client and the server authenticate each other, so that both parties in the communication are trusted. Each party presents its public certificate to the other, and each verifies the certificate it received.

Below is a high-level description of the steps involved in establishing a connection and transferring data between a client and a server with two-way SSL:
1. The client requests a protected resource over HTTPS, and the SSL/TLS handshake begins.
2. The server returns its public certificate to the client along with the server hello.
3. The client validates the received certificate. For CA-signed certificates, the client verifies the certificate against the certification authority (CA).
4. If the server certificate was validated successfully, the client provides its own public certificate to the server.
5. The server validates the received client certificate. For CA-signed certificates, the server verifies it against the certification authority (CA).
6. After the handshake completes, the client and server exchange data encrypted with the secret keys agreed between them during the handshake.
The image below explains the same in pictorial form:
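To make the one-way and two-way step lists above concrete, here is an added example (not code from the original post, and not from TutorialsPedia) written in Go against the standard library's crypto/tls and crypto/x509 packages. A throwaway root CA issues one server certificate and one client certificate; the one-way server leaves ClientAuth at its default (tls.NoClientCert), while the two-way server sets tls.RequireAndVerifyClientCert and trusts the CA through ClientCAs. Besides the two happy paths it runs the two rejections a defender depends on: a client that does not trust the CA refuses the server (step 3), and a mutual-TLS server refuses a client that offers no certificate (step 5). The names demo-root-ca, server.demo.test and billing-client are constructed for the demo. One caveat relative to step 4 of the one-way list: TLS 1.3, which Go negotiates here, derives the session keys from an ephemeral Diffie-Hellman exchange rather than by encrypting a random byte string with the server's public key; the authentication logic of one-way versus two-way is unchanged.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const serverName = "server.demo.test" // constructed demo host name; the clients verify the server against it
// issue mints an Ed25519 certificate signed by parent/parentKey; with parent == nil it
// self-signs and becomes the demo's root CA. Every name used in this demo is constructed.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (tls.Certificate, *x509.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IsCA:        parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil { // root CA: signs itself and may sign the other certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	parsed, _ := x509.ParseCertificate(der) // der came straight from CreateCertificate, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed
}

// handshake runs one loopback TLS connection and returns the CommonName of the client
// certificate the server verified ("" when none was presented) plus the error the client saw.
func handshake(serverCfg, clientCfg *tls.Config) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	seen := make(chan string, 1) // what the server learned about the client's identity
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			conn.SetDeadline(time.Now().Add(5 * time.Second))
			err = conn.(*tls.Conn).Handshake()
		}
		if err != nil { // server rejected the client, or the client aborted first
			seen <- ""
			return
		}
		cn := ""
		if peers := conn.(*tls.Conn).ConnectionState().PeerCertificates; len(peers) > 0 {
			cn = peers[0].Subject.CommonName // the identity the server can now use for authorization
		}
		conn.Write([]byte("ok")) // sent only after the server has accepted the peer
		seen <- cn
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil { // e.g. the client does not trust the CA behind the server certificate (step 3)
		return <-seen, err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	// A TLS 1.3 client finishes its side of the handshake before the server's verdict on the
	// client certificate arrives, so read one message to surface a rejection (step 5).
	_, err = conn.Read(make([]byte, 2))
	return <-seen, err
}

// Run exercises one-way SSL, two-way SSL, and the two rejections a defender relies on.
func Run() (oneWayOK, untrustedServerOK, mutualNoCertOK, mutualOK bool, mutualPeerCN string) {
	caTLS, caCert := issue("demo-root-ca", nil, nil)
	caKey := caTLS.PrivateKey.(ed25519.PrivateKey)
	serverTLS, _ := issue(serverName, caCert, caKey)
	clientTLS, _ := issue("billing-client", caCert, caKey)
	trust := x509.NewCertPool()
	trust.AddCert(caCert)
	oneWay := &tls.Config{Certificates: []tls.Certificate{serverTLS}} // ClientAuth defaults to tls.NoClientCert
	mutual := &tls.Config{Certificates: []tls.Certificate{serverTLS}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trust}
	anon := &tls.Config{ServerName: serverName, RootCAs: trust} // trusts the CA, has no certificate of its own
	stranger := &tls.Config{ServerName: serverName}             // has never heard of the demo CA
	withCert := &tls.Config{ServerName: serverName, RootCAs: trust, Certificates: []tls.Certificate{clientTLS}}
	_, e1 := handshake(oneWay, anon)      // step 3 passes; the client stays anonymous
	_, e2 := handshake(oneWay, stranger)  // step 3 fails: unknown authority
	_, e3 := handshake(mutual, anon)      // step 5 fails: certificate required
	cn, e4 := handshake(mutual, withCert) // steps 3 and 5 both pass
	return e1 == nil, e2 == nil, e3 == nil, e4 == nil, cn
}

func main() {
	fmt.Println(Run()) // true false false true billing-client
}
```

Run it with `go run`. The point to notice is that only in the two-way case does the server end with a verified client identity (the CommonName it can hand to its authorization logic); in the one-way case the client is anonymous at the TLS layer, which is why mutual SSL is the usual choice for service-to-service and API traffic. Note also that a Go TLS 1.3 client reports a rejected client certificate on its first Read rather than at Dial time, which is why the helper reads one message before declaring the connection accepted.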


I have also uploaded a video with a detailed explanation of the differences between one-way and two-way SSL, how one-way and two-way SSL work, and an in-depth explanation of how the SSL handshake takes place between client and server for SSL communication.

Watch the video below and also don’t forget to subscribe to TutorialsPedia Youtube channel:


Further Reading:

An overview of SSL Certificate Chaining: How the Chain of Trust Works for SSL/TLS?

How to Generate Self-Signed Certificates Using Java KeyTool

How to Generate Self Signed Certificates, Keys and CSR using OpenSSL

Ajmal Abbasi

Ajmal Hussain Abbasi is an Integration Consultant by profession with 13+ years of experience in the integration domain, mainly with TIBCO products. He has extensive practical knowledge of TIBCO Business Works, TIBCO Cloud, TIBCO Flogo, TIBCO Mashery, TIBCO Spotfire, EMS and TIBCO ActiveSpaces. He has worked on a number of highly critical integration projects in various sectors using his skills in TIBCO Flogo, TIBCO API Management (Mashery), TCI, TIBCO Designer, TIBCO Business Studio, Adapters, TIBCO EMS, RV, Administrator, TIBCO BE, TIBCO ActiveSpaces etc. Ajmal Abbasi has experience with MuleSoft ESB as well. Ajmal Abbasi is also experienced in the area of API Management, particularly with WSO2 API management platforms. Ajmal Abbasi is also experienced in developing solutions using Core Java and J2EE technologies. You can contact Ajmal Abbasi for consultancy, technical assistance and technical discussions.


20 thoughts on “An Overview of One-Way SSL and Two-Way SSL”

  1. arpit

    In Two-Way (Mutual) at point no. 5, I am confused.

    Can you please confirm whether it is verified/validated by the client or the server. Ideally it should be validated by the server, as the client is sending its public certificate.

    Is it a typo?

  2. SURESH

    Sir,
    Could you please explain how to generate a certificate for the client.

  3. Dil

    Step 5 seems to be wrong. Isn’t it the server that is validating? And the random key string generation step seems to be pretty vague. Who generates it?

  4. Pingback: Istio Multicluster on OpenShift – Red Hat OpenShift Blog

  5. Yasas

    Sir,
    I’m a student. I have decided on TWO-WAY SSL AUTHENTICATION as my final project. I hope to do this using CentOS and an Apache server. I have already created a web page for this, but I have some problems with the configuration part. Could you please help me with this.

    Thank you.

  6. Subodh

    If there is no CA authority, how does it work? Does the client have both the client and server certificates stored locally?

  7. Pingback: SSL One-Way and Two-Way Authentication | 大专栏

  8. Akshay Khndarkar

    I am using a certificate from Sectigo/Comodo. Now I need to connect to one of our clients with two-way authentication using PHP. So can anyone please suggest something? I don’t have any clue how to do this.

    I also don’t know whether I am using a two-way SSL certificate or not.
    Any help will be really appreciated.

  9. Pingback: SSH symmetric, asymmetric encryption and hashes – Tefter Webdeveloper.BG

  10. Pingback: One-Way SSL and Two-Way SSL – Tefter Webdeveloper.BG

  11. Md Sohrab alam

    I am getting this error: 14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

  12. Pingback: HTTPS Two-Way Verification and Spring Boot Integration Test – 人来人往我只认你 | 28RG新闻网

  13. Pingback: HTTPS Two-Way Verification and Spring Boot Integration Test – 人来人往我只认你 – Programming language

  14. pmanik

    In case of one-way SSL, the client sends the hello message, not the server as mentioned above.

  15. Pingback: SSL Certificate Chain: SSL/TLS Concepts, Root Certificate, Intermediate and Server Certificate and Chain of Trust Explained | TutorialsPedia

  16. Pingback: SSL Certificate: How SSL/TLS Works: SSL/TLS Introduction

  17. Pingback: API Security Best Practices : 8 APIs Security Best Practices
