Surprising Differences between TLS and SSL Protocol

TLS is just a successor to SSL 3.0. TLS is a protocol that ensures encryption and data integrity between the communication channels. SSL 3.0 is the basis of TLS 1.0.

SSL or TLS What is good?

We are used to thinking that TLS 1.0 is the successor to SSL 3.0. As we know, SSL3.0 is very old, and recent attacks such as POODLE, BEAST and other attack vectors have made SSL3.0 a lifeless security protocol.

Due to the POODLE attack SSL v3 is completely disabled on websites worldwide.

Next, a BEAST attack that completely destroys websites running on the old SSL v3.0 and TLS v1.0 protocols..

Unfortunately, some sites still do not use TLS. You can check the configuration of your site with the Comodo SSL Analyzer.

Handshake Protocol TLS

When the TLS client and the TLS server communicate for the first time, they negotiate the protocol version, select cryptographic algorithms, authenticate each other and use public-key encryption techniques to generate shared secrets.

The TLS handshake protocol consists of the following steps:

  1. Exchange greetings to customize algorithms, exchange arbitrary
    values and view session history.
  2. Exchanges the cryptographic parameters needed to let the client and the
    server negotiate pre-master secrets.
  3. Exchange certificates and cryptographic information that allow the
    client and server to authenticate.
  4. Generate a master secret from the pastor’s secret and exchange random values from one to the other.
  5. Make security settings for the recording level.
  6. Ask the client and the server to check if their
    counterpart has calculated the same security settings and if the
    handshake has been executed without the intervention of an attacker.

TLS and SSL messages

When a connection problem occurs, a warning message is displayed on each page that detects the problem. Here you will find some cheap Wildcard SSL certificates.

Warnings Descriptions SSL


This message informs the receiver that the sender will no longer send messages via this connection.


An inappropriate message was received. This warning is always fatal and should never be taken into account when using the product correctly.


This warning is returned when a record is received with an incorrect MAC. This warning is returned when it is sent because the TLSC text has been decoded incorrectly: either it was not even a multiple of the block length, or the lining values were wrong during the


This warning was used in some previous versions of TLS, and may have allowed some attacks in CBC mode.

Pick up the overflow

Receiving a TLSC text record greater than 2^14+2048 bytes or a decoded record before compressing TLSC greater than 2^14+1024 bytes.


The decompression function has received an incorrect input (e.g. data extended to an excessive length). This message is always fatal and should never be considered in combination with proper implementation.

The decompression function has received an incorrect input (e.g. data extended to an excessive length). This message is always fatal and should never be considered in combination with proper implementation.

Shake hands

The reception of the handshake_failure warning indicates that the sender could not agree on an acceptable set of safety parameters given the options available. It’s a fatal mistake.


This warning was used in SSLv3, but not in any version of TLS. They MUST NOT be sent from compatible implementations.


The certificate was damaged, contained signatures that had not been properly verified, etc. The certificate was damaged and not properly signed.


The certificate was of an unsubstantiated type.

withdrawn certificate

The certificate has been withdrawn by the subscriber.

Read it:  Fast and comprehensive SSL scan for incorrect settings on TLS/SSL servers – detailed analysis

Additional description of the TLS notification


The certificate has expired or is currently invalid.

Certificate_not known

Another (unspecified) problem occurred during the processing of the certificate, making it unacceptable.

Invalid settings

The handshake field was out of reach or did not coincide with other fields. That message is always fatal.


A valid chain or sub-chain of certificates was received, but the certificate was not accepted because the CA certificate could not be found or compared to a known and trusted CA. That message is always fatal.


A valid certificate was obtained, but when access control was applied, the sender decided not to negotiate further. That message is always fatal.

Decoding error

The message cannot be decoded because a field is out of range or because the length of the message is incorrect. This message is always deadly and should never be taken into account in the interaction between correct implementations (unless the messages on the network are damaged).

Deciphering the error

It was not possible to perform cryptographic handshake operations or to verify the signature correctly or to confirm the finished message. This message always leads to a fatal outcome.

Export restriction_RESERVED

This warning was used in some of the early versions of the TLS. They MUST NOT be sent from compatible implementations.

Protocol version

The version of the protocol the client tried to negotiate is accepted, but not supported. (For example, older versions of the log can be avoided for safety reasons) This message is always fatal.

Insufficient safety

Shows instead of handshake_failure if the negotiation failed because the server needs more secure numbers than the client supports. That message is always fatal.


An internal error that does not refer to an equivalent node or the accuracy of the protocol (e.g. a memory allocation error) makes it impossible to continue working. That message is always fatal.

Cancelled by the user

This handshake will be cancelled for any reason not related to the rejection of the protocol. If the user cancels the process once the handshake is over, the best way to close the connection is to simply send a close_notification message. This warning must be followed by a closed note. This message is usually a warning.


Sent by the client in response to a greeting request or by the server in response to the client’s greeting after the first handshake. Each of these items is generally verified; if this is not advisable, the recipient should respond with this warning. At this point, the original applicant may decide to continue the connection.

One of the cases where this is appropriate is when the server has generated the process to meet the request; the process may receive security settings (key length, authentication, etc.) at startup and it may then be difficult to pass changes to these settings. This message is always a warning.

Not supported_extension

sent by clients who receive an extended greeting from the server with an extension they have not included in the client’s respective greeting This message is always fatal.

TLSand SSLcompatibility

Since there are different versions of TLS (1.0, 1.1, 1.2 and all future versions) and SSL (2.0 and 3.0), resources are needed to harmonise the specific version of the protocol.

The TLS protocol provides an integrated mechanism for the matching of versions in order to avoid that other components of the protocol are disturbed by difficulties in the selection of the version.

A TLS 1.2 client that wants to negotiate with such old servers sends a customary TLS 1.2 ClientHello salute with { 3, 3 }. (TLS 1.2) in ClientHello.client_version.

If the server does not support this version, it responds with the old version number of ServerHello. If the client agrees to the use of this version, negotiations will continue in accordance with the agreed protocol.

If the TLS server receives ClientHello with a version number higher than the maximum supported version of the server, it MUST respond according to the maximum supported version of the server.

For example, if the server supports TLS 1.0, 1.1 and 1.2 and the client version is TLS 1.0 then the server is running with the TLS 1.0 ServerHello protocol. If the server only supports (or wants to use) versions higher than the client_version, it MUST send the protocol_version warning and close the connection.

If a client already knows the highest version of the protocol the server knows (for example, when resuming a session), it MUST connect to this native protocol.

I’m sure there are a few extra features and the difference is bigger. For more information on the attributes and characteristics of TLS, see RFC5246.

Download : Free comic book GDPR – The importance of the following general data protection rules (GDPR) for the protection of your company’s data and users’ privacy

You can follow us on Linkedin, Twitter, Facebook for daily cyber security updates and you can also take the best online cyber security course to keep you up to date.

Related Tags:

tls vs ssl 2019,tsl full form in network,dtls vs ssl,difference between ssl and tls pdf,difference between ssl and set protocol,tls vs ssh,at what layer does ssl/tls operate?,ssl and tcl,ssl vsl tls,tls venafi,difference between ssl and tls geeksforgeeks,difference between ssl and tls stack overflow