What is SSL?

SSL (Secure Sockets Layer) is a deprecated cryptographic protocol that originally provided encrypted, authenticated communication between a client and a server over a network. Netscape developed SSL 1.0, which never saw public release, followed by SSL 2.0 in 1995 (RFC 6101 documents its specification) and SSL 3.0 in 1996. The protocol operates between the transport layer (TCP) and the application layer, meaning an application like HTTPS (HTTP over SSL) sends regular HTTP data through the SSL layer, which encrypts the payload before handing it to TCP.

SSL uses a handshake procedure to negotiate cipher suites, exchange certificates, and derive session keys. The handshake begins with the client sending a ClientHello message listing supported TLS/SSL versions and cipher suites. The server responds with its chosen version and cipher suite, its certificate, and optionally a request for the client's certificate. After key exchange (typically RSA or Diffie-Hellman in SSL), both sides compute shared encryption keys and finish the handshake. The record layer then encrypts application data using symmetric ciphers such as RC4, 3DES, or AES, each with different security characteristics.

By the late 1990s, multiple vulnerabilities had been found in SSL 3.0, including the POODLE attack (CVE-2014-3566). The IETF published TLS 1.0 (RFC 2246) in 1999 as a minor upgrade to SSL 3.0, effectively deprecating SSL. TLS 1.1, 1.2, and 1.3 followed, adding stronger cipher suites, removing weak algorithms entirely, and improving handshake security. Today, SSL 2.0 and 3.0 are prohibited by PCI DSS and rejected by all major browsers and servers. The term "SSL" survives in product documentation, configuration file names (nginx.conf uses ssl_certificate), and everyday speech, but the protocol actually negotiated on the wire will be TLS 1.2 or TLS 1.3 for any modern connection.