What happens without SSL/TLS enforcement:
[Figure: packets captured by Wireshark for a website that does not enforce SSL]
For that certificate type, the certificate authority checks domain ownership, organisational information and the legal existence of the organisation; its trust level is very high.
- The client sends a "Hello" message to the server.
- In it the client tells the server which TLS/SSL version it is running, which cipher suites it can use and what type of encryption it wants to use.
- The server checks the highest TLS/SSL version the client supports and picks the cipher suite and encryption method.
- This completes the negotiation between client and server.
- The server sends its certificate and the symmetric key exchange takes place.
- Handshake finished.
Note: the client can be a browser.
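To make the first three steps concrete, here is an added example (not code from the original page) that builds a ClientHello record from constructed sample values, parses it back to recover the offered versions and cipher suites, and then applies the server-side selection rule described above: take the highest version both sides support and the first cipher suite in the server's preference list that the client also offered. The version and cipher-suite codes are the IANA-registered values; the sample client and server lists are constructed for the demonstration, as is the `legacy_offers` check, which flags what a defender reviewing a capture would want to notice (pre-TLS 1.2 versions and non-forward-secret or 3DES suites).

```python
import struct

# Added example (not from the original page): construct and parse a TLS ClientHello
# record, then apply the server's selection rule. Codes below are IANA-registered.
TLS_VERSIONS = {
    0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
LEGACY_SUITES = {0x002F, 0x000A}   # RSA key exchange (no forward secrecy) / 3DES
SUPPORTED_VERSIONS_EXT = 0x002B    # extension carrying the real offered versions


def build_client_hello(versions, suites, random_bytes=bytes(32)):
    """Build a minimal ClientHello record (constructed sample input, not a real capture)."""
    ext_body = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    extension = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext_body)) + ext_body
    body = (
        struct.pack("!H", 0x0303)                        # legacy_version is always 1.2 on the wire
        + random_bytes                                   # 32-byte client random
        + b"\x00"                                        # empty legacy session id
        + struct.pack("!H", 2 * len(suites))
        + b"".join(struct.pack("!H", s) for s in suites)
        + b"\x01\x00"                                    # one compression method: null
        + struct.pack("!H", len(extension)) + extension
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake  # record layer header


def parse_client_hello(record):
    """Return (offered_versions, offered_suites) from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                             # skip client random
    sid_len = body[pos]; pos += 1 + sid_len               # skip session id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    comp_len = body[pos]; pos += 1 + comp_len             # skip compression methods
    versions = [legacy_version]                           # fallback when no supported_versions ext
    if pos + 2 <= len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype == SUPPORTED_VERSIONS_EXT:
                n = data[0]
                versions = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + n, 2)]
    return versions, suites


def negotiate(client_versions, client_suites, server_versions, server_suites):
    """Server side of the negotiation step: highest common version, then the first
    server-preferred suite the client offered (TLS 1.3 suites only pair with TLS 1.3)."""
    common = set(client_versions) & set(server_versions)
    if not common:
        raise ValueError("no common protocol version")
    version = max(common)
    tls13 = version == 0x0304
    for suite in server_suites:                           # server preference order wins
        if suite in client_suites and ((suite >> 8) == 0x13) == tls13:
            return version, suite
    raise ValueError("no common cipher suite")


def legacy_offers(client_versions, client_suites):
    """Defender check: offered versions below TLS 1.2 and legacy suites, by name."""
    weak_versions = [TLS_VERSIONS[v] for v in client_versions if v < 0x0303]
    weak_suites = [CIPHER_SUITES.get(s, hex(s)) for s in client_suites if s in LEGACY_SUITES]
    return weak_versions, weak_suites


if __name__ == "__main__":
    hello = build_client_hello([0x0304, 0x0303, 0x0301], [0x1301, 0xC02F, 0x002F, 0x000A])
    versions, suites = parse_client_hello(hello)
    print("client offers:", [TLS_VERSIONS[v] for v in versions], [CIPHER_SUITES[s] for s in suites])
    version, suite = negotiate(versions, suites, [0x0303, 0x0304], [0x1302, 0x1301, 0xC030, 0xC02F])
    print("negotiated:", TLS_VERSIONS[version], CIPHER_SUITES[suite])
    print("legacy offers:", legacy_offers(versions, suites))
```

The same parser can be pointed at the ClientHello bytes of a real Wireshark capture (Wireshark shows them under the Handshake Protocol tree), which is a quick way to confirm what a client is actually offering rather than what its configuration claims.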
Example: capture the packets with Wireshark.
[Figure: communication between client and server while enforcing SSL]