For SSL, the basic unit of secure network activity is the SSL session. An SSL session represents the security contract (key and algorithm agreement information) that occurs over a connection between a client (SSL client) that is connected to a server (SSL server) using SSL. An SSL session is generally governed by security policies that control the SSL session parameter negotiations between a client and server during the SSL connection process.
SSL servers and clients are generally configured at startup to follow certain security policies. For an SSL server, the most important policy is generally the SSL server identity that it assumes and that has been authorized by a trusted Certification Authority (CA). When an SSL client attempts to connect to an SSL server, the client authenticates the server identity. The session can begin after the client has successfully authenticated the server identity and the client and server have agreed on a set of security algorithms.
The SSL session continues until the client or server terminates it or the underlying TCP connection is broken. Until then, the session proceeds with the interaction among various SSL session components used by the SSL client and server.
Note: The SSL technologies are typically invisible to users of an SSL session.
SSL session components can be summarized as follows:
