Integral to the SSL protocol is its use of cryptographic algorithms,
generally called ciphers. Ciphers are required
to authenticate the server and client to each other, transmit certificates,
and establish session keys. Clients and servers can support different
cipher suites, or sets of ciphers, depending on factors such as
the version of SSL they support, company policies regarding acceptable
encryption strength, and government restrictions on the export of
Among its other functions, the SSL handshake protocol determines
how the server and client negotiate which cipher suites they will
use to authenticate each other, to transmit certificates, and to
establish session keys. Key exchange algorithms such as RSA and
DH key exchange govern the way the server and client determine the
symmetric keys they will both use during an SSL session. The most
commonly used SSL cipher suites use RSA key exchange.
The SSL 2.0 and SSL 3.0 protocols support overlapping sets
of cipher suites. Administrators can enable or disable any of the
supported cipher suites for both clients and servers. When a particular
client and server exchange information during the SSL handshake,
they identify the strongest enabled cipher suites they have in common
and use those for the SSL session.
Decisions about which cipher suites a particular organization
decides to enable depend on trade-offs among the sensitivity of
the data involved, the speed of the cipher, and the applicability
of export rules.