In IMSS,
Transport Layer Security (TLS) provides a secure communication channel
between servers over the Internet, ensuring the privacy and integrity
of the data during transmission.
Two servers (Server A and Server B) establish a TLS connection
through a handshaking procedure as described below:
-
The handshake begins when Server B requests a secure
connection with Server A by sending a list of ciphers.
-
Server A then selects one cipher presented by Server B and
replies with its digital certificate that may have been signed by
a Certificate Authority (CA).
-
Server B verifies Server A's identity with the trusted CA
certificate. If the verification fails, Server B may choose to stop
the TLS handshake.
-
Upon verifying Server A’s identity, Server B proceeds to
generate the session keys by encrypting a message using a public
key.
-
This message can only be decrypted using the corresponding
private key. Server B’s identity is thus authenticated when Server
A is able to decrypt the message successfully using the private
key.
-
The handshake completes and the secure connection is established
after the servers have created the material required for encryption
and decryption.
IMSS applies
TLS on traffic entering IMSS and
traffic exiting IMSS,
not on incoming or outgoing message traffic.