1994年，网景公司开发出浏览器 Mosaic Netscape 0.9 的时候就有了https的概念，也就是SSL1.0。因为SSL1.0存在严重漏洞所以没发布，接着在1995年发布SSL2.0直到1996年的SSL3.0问世之后被IETF“招安”了，标准化为TLS1.0。所以后续的SSL版本都是由TLS来维护。
TLS1.2 2006年-2006年 草案撰写，同年发布RFC5246
TLS1.3 2014年-2018年 草案撰写，同年发布RFC8446
The MD5/SHA-1 combination in the pseudorandom function (PRF) has
been replaced with cipher-suite-specified PRFs. All cipher suites
in this document use P_SHA256.
– The MD5/SHA-1 combination in the digitally-signed element has been
replaced with a single hash. Signed elements now include a field
that explicitly specifies the hash algorithm used.
– Substantial cleanup to the client’s and server’s ability to
specify which hash and signature algorithms they will accept.
Note that this also relaxes some of the constraints on signature
and hash algorithms from previous versions of TLS.
– Addition of support for authenticated encryption with additional
– TLS Extensions definition and AES Cipher Suites were merged in
from external [TLSEXT] and [TLSAES].
– Tighter checking of EncryptedPreMasterSecret version numbers.
– Tightened up a number of requirements.
– Verify_data length now depends on the cipher suite (default is
– Cleaned up description of Bleichenbacher/Klima attack defenses.
– Alerts MUST now be sent in many cases.
– After a certificate_request, if no certificates are available,
clients now MUST send an empty certificate list.
– TLS_RSA_WITH_AES_128_CBC_SHA is now the mandatory to implement
– Added HMAC-SHA256 cipher suites.
– Removed IDEA and DES cipher suites. They are now deprecated and
will be documented in a separate document.
– Support for the SSLv2 backward-compatible hello is now a MAY, not
a SHOULD, with sending it a SHOULD NOT. Support will probably
become a SHOULD NOT in the future.
– Added limited “fall-through” to the presentation language to allow
multiple case arms to have the same encoding.
– Added an Implementation Pitfalls sections
– The usual clarifications and editorial work.
– The list of supported symmetric encryption algorithms has beenhttps://datatracker.ietf.org/doc/rfc8446/?include_text=1
pruned of all algorithms that are considered legacy. Those that
remain are all Authenticated Encryption with Associated Data
(AEAD) algorithms. The cipher suite concept has been changed to
separate the authentication and key exchange mechanisms from the
record protection algorithm (including secret key length) and a
hash to be used with both the key derivation function and
handshake message authentication code (MAC).
– A zero round-trip time (0-RTT) mode was added, saving a round trip
at connection setup for some application data, at the cost of
certain security properties.
– Static RSA and Diffie-Hellman cipher suites have been removed; all
public-key based key exchange mechanisms now provide forward
– All handshake messages after the ServerHello are now encrypted.
The newly introduced EncryptedExtensions message allows various
extensions previously sent in the clear in the ServerHello to also
enjoy confidentiality protection.
– The key derivation functions have been redesigned. The new design
allows easier analysis by cryptographers due to their improved key
separation properties. The HMAC-based Extract-and-Expand Key
Derivation Function (HKDF) is used as an underlying primitive.
– The handshake state machine has been significantly restructured to
be more consistent and to remove superfluous messages such as
ChangeCipherSpec (except when needed for middlebox compatibility).
– Elliptic curve algorithms are now in the base spec, and new
signature algorithms, such as EdDSA, are included. TLS 1.3
removed point format negotiation in favor of a single point format
for each curve.
– Other cryptographic improvements were made, including changing the
RSA padding to use the RSA Probabilistic Signature Scheme
(RSASSA-PSS), and the removal of compression, the Digital
Signature Algorithm (DSA), and custom Ephemeral Diffie-Hellman
– The TLS 1.2 version negotiation mechanism has been deprecated in
favor of a version list in an extension. This increases
compatibility with existing servers that incorrectly implemented
– Session resumption with and without server-side state as well as
the PSK-based cipher suites of earlier TLS versions have been
replaced by a single new PSK exchange.
– References have been updated to point to the updated versions of
RFCs, as appropriate (e.g., RFC 5280 rather than RFC 3280).