How to Improve TLS/SSL Handshake time

Home » Documentation » How to Improve TLS/SSL Handshake time

You want to the time that it takes for your server to respond to any request to output data to be a short as possible. This includes the time it takes for the TLS.SSL handshake to be performed.

If you’ve never heard of the TLS/SSL handshake before and how to improve it, let’s explain. The handshake is a series of steps that a client (think browser, for example) and server take to establish a secure connection. It’s the internet’s way of ensuring that your data doesn’t fall into the wrong hands.

Why do we need to improve the TLS/SSL handshake?

Now, you might wonder, “Why does the speed of the handshake matter?” Imagine your visitors are in a queue waiting for that secret handshake. The longer they wait, the more likely they are to leave.

We’re aiming for a handshake that’s as quick as a street magician’s sleight of hand. The aim should be to have all parts of what determine a speedy website be fast. Not just a couple.

So, before we can look at things we can do to improve the TLS/SSL handshake time, we first need to understand which steps are involved.

Handshake Steps

Let’s break down this cryptographic handshake into its core steps.

Step 1: Initiating the Handshake

It all begins when a client, such as your web browser, attempts to connect securely with a server. The client sends a “ClientHello” message, which includes the TLS version it supports, a list of suggested cipher suites, and a string of random bytes known as the “client random.”

Step 2: Server Response

The server picks up the pace by responding with a “ServerHello” message. This message contains the chosen cipher suite, the server’s SSL certificate, and the “server random”—another string of random bytes.

Step 3: Authentication and Pre-Master Secret

Now, the client verifies the server’s SSL certificate with the issuing Certificate Authority (CA). This is like checking an ID card to ensure it’s valid and hasn’t expired. Once verified, the client creates a “pre-master secret” for the session.

Step 4: Decryption and Master Secret

The server receives the pre-master secret, encrypted with the server’s public key. The server decrypts it with its private key. Both parties then use this pre-master secret to generate a “master secret.”

Step 5: Generating Session Keys

With the master secret in hand, the client and server create session keys. These keys are what they’ll use to encrypt and decrypt the information they exchange during the session.

Step 6: Final Handshake Messages

To finish up, the client sends a “Finished” message encrypted with the session key. The server decrypts this and sends its own “Finished” message. If all goes well, both parties confirm that the handshake was successful.

Steps Conclusion

As we’ve established, the TLS/SSL handshake is a complex dance that ensures secure communication over the internet. It involves the exchange of messages, verification of identities, and the creation of shared secrets and keys.

By following these steps, clients and servers can communicate with the assurance that their conversation is private and their data is secure.

How to Improve the Handshake

Before diving into improvements, let’s measure the current handshake time. Tools like SSL Labs’ SSL Test or Chrome’s DevTools can help, but of course you can find those details exactly inside your site’s Scanfully Dashboard overview.

Choose the Right Cipher Suite

Cipher suites are like the ingredients in a secret sauce. Some are zesty and quick; others are like a slow-cooked stew. Opt for cipher suites that support forward secrecy and are faster to compute, such as those using ECDHE (Elliptic Curve Diffie-Hellman Ephemeral).

Reduce the Number of Handshakes

Reusing an established handshake can cut down wait times. It’s like having a VIP pass at a concert. Implement session resumption protocols like Session IDs or TLS tickets to reuse secure connections.

Utilize OCSP Stapling

Online Certificate Status Protocol (OCSP) stapling is like getting your ID checked before you hit the club. By attaching the OCSP response to the handshake, you save a roundtrip to the CA, keeping the line moving smoothly.

Implement HTTP/2

HTTP/2 is like upgrading from a bicycle to a motorcycle. It’s not just about the handshake, but the overall performance. HTTP/2 reduces latency and allows multiplexing, making your website zip along.

Optimize Your Certificates

Heavy certificates are like bulky wallets; they slow you down. Trim down the fat by removing unnecessary intermediate certificates and keeping certificate chains short and sweet.

DNS Optimization

DNS resolution is like asking for directions. If it takes too long, you’re late to the party. Employ DNS caching and consider using a DNS service that offers quick response times.

Server Location Matters

The physical distance between your server and the client can feel like a long-distance relationship. It’s all about reducing latency, so consider a Content Delivery Network (CDN) to bring your content closer to your users.

Final Optimization Tips

Most of the above solutions to improve the performance of your TLS/SSL Handshake are solved by adding Cloudflare in front of your website. You’ll still need to configure Cloudflare properly, of course. As well the basics like keeping your server software up to date and monitoring your performance regularly.

It’s like tuning your car before a race; you want to be in top shape before you hit the track, and that means everything needs to be prepared for speed. Your brakes, your tires, your engine, your suspension, your fuel are just the basics for a fast race car.

It’s always every single component.


By now, you should be well-equipped to turbocharge your TLS/SSL handshake. Remember, the goal is to make your website’s handshake faster than a New York minute.

Execute on all the above mentioned tips, and watch as your website become ever so slightly faster. Keep measuring, keep optimizing, and always aim for that seamless, speedy user experience.