Richie

Reputation: 5199

Confusion about HTTPS --> How is SSL handshake happening

I've always been an end consumer of HTTPS and have never really understood it that well but am looking to change that.

I am calling a RESTful web service over HTTPS. For example...

curl -X GET \
  https://myCompanydns/rest/connect/v1.4/myEndpoint

With all my requests I send a basic authentication header, i.e. a username and password.

When I make these calls via my application I was expecting to have to add a certificate into like a jks (which I've had to do in the past) but on this occasion I've found that I can call the HTTPS web service without that.

For HTTPS to work I believe there is an SSL handshake? How is that happening successfully in this scenario without a jks?

Again, sorry for this beginner type question.

Upvotes: 0

Views: 91

Answers (1)

Steffen Ullrich

Reputation: 123501

When doing an https://... request the client needs to verify that the server's certificate is the expected one - and not some man in the middle. This is done (among other things) by making sure that the server's certificate was issued by a trusted certificate authority (CA). Which CA is trusted is set up in the local trust store (i.e. local to the client). In the above call, where no explicit trust store is given, curl is using its default trust store. In the case where you've explicitly given a jks, you've provided the application with a specific trust store it should use.

For more on how server certificates get validated, see SSL Certificate framework 101: How does the browser actually verify the validity of a given server certificate?

Upvotes: 1
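An added example, not part of the answer above: the same default-versus-explicit trust store distinction on the Java side, where a jks would be used. The class name `TrustStoreDemo` is hypothetical, and the optional jks path and password are assumed to be passed as command-line arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreDemo {
    // Build the trust manager that decides which server certificates are accepted.
    // A null KeyStore makes the JVM use its default trust store: the file named by
    // the javax.net.ssl.trustStore system property if set, otherwise the CA bundle
    // shipped with the JRE. That default is why HTTPS can work without your own jks.
    static X509TrustManager trustManagerFor(KeyStore store) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Load an explicit trust store from a jks file (path and password are caller-supplied).
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager defaults = trustManagerFor(null);
        System.out.println("default trust store: "
            + defaults.getAcceptedIssuers().length + " trusted CA certificates");

        if (args.length == 2) {
            // With an explicit jks, only the CAs inside it are trusted.
            X509TrustManager custom = trustManagerFor(loadJks(args[0], args[1].toCharArray()));
            for (X509Certificate ca : custom.getAcceptedIssuers()) {
                System.out.println("jks trusts: " + ca.getSubjectX500Principal().getName());
            }
        }
    }
}
```

Run without arguments, it reports how many CAs the JVM trusts by default; a server certificate issued by one of them validates with no jks, while a certificate from a private or internal CA needs that CA added to a trust store explicitly.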
