What's the purpose of the TLS Client Hello and Server Hello messages, and what does each negotiate?
Client Hello = "here's everything I support, you pick." Server Hello = "I picked X, here's my random number, here comes my certificate." This negotiates the cipher suite and starts the handshake.
* The TLS handshake: hellos negotiate the cipher, then cert, keys and encryption. *
Client Hello sends:
| Field | Purpose |
|---|---|
| TLS version | Highest version client supports (e.g., TLS 1.3) |
| Random (32 bytes) | Used in key derivation (prevents replay) |
| Session ID | If resuming a previous session |
| Cipher Suites | List of supported algorithm combinations |
| Compression methods | Usually null (CRIME attack killed compression) |
| Extensions | SNI (which hostname), ALPN (HTTP version), supported curves, signature algorithms… |
Server Hello sends:
| Field | Purpose |
|---|---|
| TLS version | The version both will use (lowest mutually supported) |
| Random (32 bytes) | Server's random for key derivation |
| Session ID | For session resumption |
| Chosen cipher suite | Server's pick from client's list |
| Extensions | Server's responses (e.g., chosen ALPN) |
What "cipher suite" means:
A bundle of algorithms for: key exchange, authentication, bulk encryption, MAC. Example:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
└─key exch─┘ └─encryption─┘ └─hash─┘
└auth┘
Means: ECDHE for key exchange, RSA for server auth, AES-128-GCM for encryption, SHA-256 as the hash used in key derivation / handshake integrity. (Note: with a GCM cipher, message integrity comes from GCM itself — it's an AEAD mode — so SHA-256 here is the PRF/handshake hash, not a separate per-record MAC. In older CBC suites the trailing hash was the per-record HMAC.)
The two random numbers:
Client random + Server random + the negotiated pre-master secret → derive the session keys via a Key Derivation Function (KDF). Both sides generate the same keys independently — the keys never travel over the wire.
SNI (Server Name Indication):
Client tells the server which hostname it wants — essential for hosting many HTTPS sites on one IP. Privacy concern: SNI is sent in plaintext! ESNI/ECH (Encrypted ClientHello) addresses this.
Tip: In Wireshark, tls.handshake.type == 1 shows Client Hellos, tls.handshake.type == 2 shows Server Hellos. Inspect the cipher suite list — outdated clients/servers reveal themselves by what they support.
Go deeper:
TLS handshake (Wikipedia) — the ClientHello/ServerHello exchange and cipher-suite negotiation.
RFC 8446 — TLS 1.3 — the current spec defining the Hello messages and their extensions.