Information Security 15 min read

Detailed HTTPS Handshake Analysis Using Wireshark

This article explains the HTTPS protocol, its security advantages over HTTP, and provides a step‑by‑step Wireshark packet capture and analysis of a test website, covering TCP three‑way handshake, TLS ClientHello/ServerHello, certificate verification, key exchange, and encrypted data transmission.

Sohu Tech Products

HTTPS Introduction

HTTPS adds an SSL/TLS encryption layer on top of HTTP, providing secure communication over computer networks. It is not a separate protocol but the regular HTTP protocol carried inside an encrypted TLS/SSL connection.

HyperText Transfer Protocol Secure (HTTPS) is a protocol for secure communication over a computer network.
HTTPS works at the application layer: the security protocol sits below HTTP and above the transport layer (TCP), and presents a socket‑like interface to HTTP so that application data is encrypted before it reaches the network.

Traditional HTTP transmits data in clear text, exposing three main risks: eavesdropping, data tampering, and site impersonation. HTTPS mitigates these risks by adding SSL/TLS.

Test Website

A minimal page (https://www.gaotenglife.com/test.html) is deployed on a server for analysis. The site uses a free Let’s Encrypt certificate.

Let’s Encrypt: https://letsencrypt.org/zh-cn/getting-started/

Packet Capture Tool

Wireshark is used to capture and analyze the network packets. A shared PPT on Wireshark usage and the captured .pcapng file are provided for reference (see the Appendix).

Filter: ip.addr == 121.42.204.194 and tcp.port==443

Note that this is Wireshark display‑filter syntax, applied after the capture to show only the test server's TLS traffic; the equivalent BPF capture filter, if you want to limit what is written to the .pcapng in the first place, would be host 121.42.204.194 and port 443.

The traffic in the capture is generated by fetching the test page with curl; the page body is the single word "test":

curl https://www.gaotenglife.com/test.html
test

HTTPS Packet Analysis

The HTTPS handshake consists of two parts. First, the TCP three‑way handshake establishes a connection (Wireshark shows relative sequence numbers, so both sides start at 0):

client → server SYN (Seq=0)

server → client SYN‑ACK (Seq=0, Ack=1)

client → server ACK (Seq=1, Ack=1)

Only after TCP is established does the TLS handshake begin; every TLS message below is carried in a TCP segment to or from port 443.

Client → Server (Client Hello)

The client sends the protocol versions it supports (the TLS version field), a 32‑byte random value (Random1), and the list of cipher suites it is willing to use, along with extensions such as the server name (SNI).

The Cipher Suites field lists 46 supported suites (curl) or 18 (Chrome); the server must pick one of these, so the client list is the first place to look when a connection negotiates a weaker suite than expected.

Server → Client (Server Hello)

The server returns its own 32‑byte random number (Random2) and selects a single cipher suite from the client's list, e.g., TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384. (Check the exact name in the Server Hello when reading your own capture: the registered ECDHE_RSA GCM suites pair AES_128_GCM with SHA256 and AES_256_GCM with SHA384.)

ECDHE : Ephemeral Elliptic Curve Diffie‑Hellman key exchange; a fresh key pair per connection gives forward secrecy.

RSA : Signature algorithm used to authenticate the server (the key in its certificate signs the ECDHE parameters).

AES‑128_GCM : Symmetric authenticated encryption (AEAD) algorithm for the application data.

SHA384 : Hash algorithm. In an AEAD suite such as GCM it drives the PRF used for key derivation and the Finished message; per‑record integrity comes from the GCM authentication tag.
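To make the Client Hello and Server Hello fields concrete, the following script is an added example (not code from the original article or its pcapng) that parses the raw bytes of both messages the way Wireshark's TLS dissector does, following the record and handshake layout of RFC 5246. The two sample messages are constructed by hand so that it runs offline; the cipher‑suite code points and names come from the IANA TLS registry.

```python
"""Parse the TLS record/handshake bytes of a ClientHello and a ServerHello.

Added example for this article, not code from the original post. The two
messages below are constructed by hand (they are not from the article's
capture) so that the script runs offline; field layout follows RFC 5246.
"""
import struct

# Names for the cipher-suite code points used in the constructed samples
# (IANA TLS Cipher Suites registry).
CIPHER_SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def _build_hello(handshake_type, body):
    """Wrap a hello body in a Handshake header (type + 3-byte length)
    and a TLS record header (content type 0x16, version, 2-byte length)."""
    hs = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return bytes([0x16]) + b"\x03\x03" + len(hs).to_bytes(2, "big") + hs


# Constructed ClientHello: TLS 1.2, a fixed "random" (Random1), empty
# session id, four cipher suites, null compression, no extensions.
CLIENT_RANDOM = bytes(range(32))
_client_body = (
    b"\x03\x03" + CLIENT_RANDOM + b"\x00"
    + b"\x00\x08" + struct.pack(">4H", 0xC02B, 0xC02F, 0xC030, 0x009C)
    + b"\x01\x00" + b"\x00\x00"
)
SAMPLE_CLIENT_HELLO = _build_hello(1, _client_body)

# Constructed ServerHello answering it: Random2, and the server picks 0xC030.
SERVER_RANDOM = bytes(range(32, 64))
_server_body = b"\x03\x03" + SERVER_RANDOM + b"\x00" + struct.pack(">H", 0xC030) + b"\x00"
SAMPLE_SERVER_HELLO = _build_hello(2, _server_body)


def parse_hello(record):
    """Return the fields Wireshark shows for a ClientHello or ServerHello."""
    content_type, rec_version, rec_len = struct.unpack(">BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a Handshake record (content type 0x16)")
    hs = record[5:5 + rec_len]
    hs_type = hs[0]
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    version = struct.unpack(">H", body[:2])[0]
    random = body[2:34]            # 32-byte Random1 / Random2
    sid_len = body[34]
    pos = 35 + sid_len             # skip the session id
    info = {
        "record_version": VERSIONS.get(rec_version, hex(rec_version)),
        "version": VERSIONS.get(version, hex(version)),
        "random": random.hex(),
        "session_id_len": sid_len,
    }
    if hs_type == 1:  # ClientHello carries a length-prefixed list of suites
        suites_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        codes = struct.unpack(">%dH" % (suites_len // 2), body[pos:pos + suites_len])
        info["type"] = "ClientHello"
        info["cipher_suites"] = [CIPHER_SUITES.get(c, "0x%04X" % c) for c in codes]
    elif hs_type == 2:  # ServerHello carries the single chosen suite
        code = struct.unpack(">H", body[pos:pos + 2])[0]
        info["type"] = "ServerHello"
        info["cipher_suite"] = CIPHER_SUITES.get(code, "0x%04X" % code)
    else:
        raise ValueError("handshake type %d is not a Hello" % hs_type)
    return info


if __name__ == "__main__":
    for rec in (SAMPLE_CLIENT_HELLO, SAMPLE_SERVER_HELLO):
        for k, v in parse_hello(rec).items():
            print("%-16s %s" % (k, v))
        print()
```

Run it and compare the printed fields with the "Handshake Protocol" subtree Wireshark shows for the same message types; to use it on a real capture, copy the record bytes from Wireshark ("Copy > ...as Hex Stream") into bytes.fromhex() and pass them to parse_hello.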

Server → Client (Certificate, Server Key Exchange, Server Hello Done)

The server sends its certificate chain, the server key exchange parameters (the ECDHE curve and the server's ephemeral public key, signed with the RSA key from its certificate), and a Server Hello Done message. The client validates the chain against its trust store (here it ends at a Let’s Encrypt CA) and verifies that signature; this is what binds the ephemeral key to the server's identity and defeats impersonation.

Client → Server (Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message)

The client sends its own ephemeral ECDHE public key (Client Key Exchange), at which point both sides can compute the shared pre‑master secret and derive the session keys from it together with Random1 and Random2. It then notifies the server to switch to the newly negotiated cipher (Change Cipher Spec) and sends a Finished message, which Wireshark labels "Encrypted Handshake Message" because it is the first record protected by the new keys; it contains a MAC over the whole handshake transcript so that any tampering with earlier messages is detected.

Server → Client (Change Cipher Spec, Encrypted Handshake Message)

The server performs the same steps (Change Cipher Spec, then its own Finished message), confirming that both sides now share the same symmetric keys and saw the same handshake.

After the handshake, subsequent packets contain only Encrypted Application Data; the HTTP request and the "test" response travel inside these records, completing the HTTPS request.
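The key derivation that the Client Key Exchange step sets in motion can be reproduced from the two handshake randoms. The script below is an added example (not the article's code): it implements the TLS 1.2 PRF of RFC 5246 with SHA‑384 (the hash named in the suite), derives the master secret and the AES‑128‑GCM key block, and prints the CLIENT_RANDOM key‑log line that Wireshark reads from the file set under Preferences > Protocols > TLS to decrypt a capture. The pre‑master secret and randoms are constructed placeholders; in a real session the pre‑master secret is the ECDHE shared point, which is never sent on the wire, which is why a passive capture alone cannot be decrypted.

```python
"""TLS 1.2 key derivation from Random1/Random2 (added example, not the
article's code). Inputs are constructed placeholders; in a real session
the pre-master secret is the ECDHE shared secret computed by both sides."""
import hashlib
import hmac


def p_hash(secret, seed, length, hash_name):
    """P_hash data-expansion function, RFC 5246 section 5:
    A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf(secret, label, seed, length, hash_name="sha384"):
    """TLS 1.2 PRF = P_<hash>(secret, label + seed). Suites ending in
    SHA384 use SHA-384 as the PRF hash (RFC 5289)."""
    return p_hash(secret, label + seed, length, hash_name)


def master_secret(pre_master, client_random, server_random):
    """48-byte master secret; note the seed order client_random + server_random."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master, client_random, server_random):
    """Expand the key block for an AES-128-GCM suite: two 16-byte write keys
    and two 4-byte implicit IVs (no MAC keys for an AEAD suite). The seed
    order here is server_random + client_random (RFC 5246 section 6.3)."""
    kb = prf(master, b"key expansion", server_random + client_random, 40)
    return {
        "client_write_key": kb[0:16],
        "server_write_key": kb[16:32],
        "client_write_iv": kb[32:36],
        "server_write_iv": kb[36:40],
    }


def keylog_line(client_random, master):
    """One line in the NSS key-log format Wireshark accepts: the client
    random identifies the session in the capture, the master secret lets
    the dissector re-derive the same key block and decrypt the records."""
    return "CLIENT_RANDOM %s %s" % (client_random.hex(), master.hex())


if __name__ == "__main__":
    # Constructed values standing in for the ECDHE shared secret and the
    # two 32-byte randoms seen in Client Hello / Server Hello.
    pre_master = bytes([0x11]) * 32
    random1 = bytes(range(32))
    random2 = bytes(range(32, 64))
    ms = master_secret(pre_master, random1, random2)
    for name, value in key_block(ms, random1, random2).items():
        print("%-17s %s" % (name, value.hex()))
    print(keylog_line(random1, ms))
```

Because the key log is keyed by the client random, the same file can hold secrets for many sessions; a defender who sets SSLKEYLOGFILE on a test client (curl and browsers support it) can capture, then decrypt, their own traffic in Wireshark without touching the server's private key.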

Appendix

Wireshark usage guide: http://qiniu.gaotenglife.com/Wireshark%20%E4%BD%BF%E7%94%A8%E8%AF%B4%E6%98%8E.pptx

Captured packet file: http://qiniu.gaotenglife.com/gaotenglife_2022.pcapng

Tags: Network Security, Wireshark, TLS, HTTPS, packet analysis, TLS Handshake

Written by Sohu Tech Products

A knowledge-sharing platform for Sohu's technology products. As a leading Chinese internet brand with media, video, search, and gaming services and over 700 million users, Sohu continuously drives tech innovation and practice. We’ll share practical insights and tech news here.
