When developing a web application, ensuring secure communication between the client and server is critical. This is where SSL/TLS encryption comes in, protecting sensitive data from eavesdropping, tampering, and forgery.
But how does it actually work? What happens behind the scenes when a client connects to a secure server? In this blog, we'll break down the SSL/TLS handshake, the role of public/private keys, and the importance of session keys in both production and local development environments.
1. How SSL/TLS Works: The Handshake Process
When a client (browser, mobile app, etc.) connects to a server over HTTPS, an SSL/TLS handshake happens before any data is exchanged. Here's the step-by-step breakdown:
Step 1: Client Hello
- The client sends a request to the server, indicating it wants a secure connection.
- It includes a list of supported TLS versions and encryption algorithms.
Step 2: Server Hello & Certificate Exchange
- The server responds with a digital certificate (
cert.pem) that proves its authenticity. - This certificate contains the server’s public key and is signed by a trusted Certificate Authority (CA).
- The client verifies this certificate to confirm it's talking to the right server.
Step 3: Session Key Generation
- The client generates a random session key.
- It encrypts this session key using the server’s public key (from the certificate) and sends it to the server.
- The server decrypts it using its private key (
key.pem).
Step 4: Secure Communication Begins
- Both the client and server now use the same session key for encrypting and decrypting messages.
- This session key is used with symmetric encryption algorithms like AES (Advanced Encryption Standard) to ensure fast and secure data exchange.
Why Use a Session Key Instead of Public/Private Keys for Every Request?
✔ Performance – Asymmetric encryption (public/private key) is slow, but symmetric encryption (session key) is much faster.
✔ Efficiency – The session key allows secure communication without needing to re-encrypt every request with the server’s public key.
✔ Security – Even if the session key is compromised, it only affects one session (not all future communications).
2. Setting Up HTTPS in Local Development
In local development, you don’t get a certificate from a Certificate Authority (CA). Instead, you can generate a self-signed certificate using OpenSSL.
Run the following command in your terminal:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodesThis creates:
-
key.pem– The private key (never share this) -
cert.pem– The self-signed certificate (used to prove authenticity)
Configuring HTTPS in Express (Node.js)
import https from 'https';
import fs from 'fs';
import express from 'express';
const app = express();
const options = {
key: fs.readFileSync("key.pem"),
cert: fs.readFileSync("cert.pem")
};
https.createServer(options, app).listen(443, () => {
console.log("Server running on https://localhost:443");
});💡 Important: Add key.pem and cert.pem to .gitignore so they don’t get pushed to GitHub.
echo "key.pem" >> .gitignore
echo "cert.pem" >> .gitignore3. Implementing HTTPS in Production
In production, you’ll use a trusted CA like:
- Let’s Encrypt (free SSL certificates)
- Cloudflare SSL (free/proxy-based SSL)
- Paid certificates from companies like DigiCert, GoDaddy, etc.
Using Nginx for HTTPS (Production Setup)
If you’re using Nginx as a reverse proxy, configure it like this:
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /etc/ssl/certs/fullchain.pem;
ssl_certificate_key /etc/ssl/private/privkey.pem;
location / {
proxy_pass http://localhost:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}Run the following command to obtain an SSL certificate with Let’s Encrypt:
sudo certbot --nginx -d example.comThis automatically configures SSL for Nginx.
4. How Clients Verify HTTPS
Once the SSL handshake is complete:
✔ The browser checks the certificate (ensuring it's valid and issued by a trusted CA).
✔ The session key is established (allowing encrypted communication).
✔ All requests and responses are encrypted (protecting user data).
You can check SSL details in the browser:
- Click the lock icon in the address bar.
- View certificate information.
5. Conclusion
By understanding SSL/TLS encryption, you ensure that your web application is secure both in development and production.
- 🔐 In local development, use self-signed certificates.
- 🔐 In production, get a trusted CA certificate and configure Nginx/Apache.
- 🔑 Session keys are used for efficient, secure communication.
Implementing HTTPS properly builds trust with users, prevents security breaches, and ensures compliance with security best practices. 🚀