才子佳人博客 (Caizi Jiaren Blog)

My story, told by me

SSL Connection vs. SSL Session
 
Source: xjh  Editor: xjh  2009-05-06

SSL Connection: An SSL connection is a TCP connection that uses the SSL protocol mechanisms; every connection is associated with exactly one session.

SSL Session: An SSL session is created by the handshake protocol. It is an association between a server and a client, and one session can be shared by multiple connections. Each session defines a set of cryptographic security parameters that those connections share. The session state is determined by these parameters, and negotiating them once per session avoids the expensive negotiation of security parameters for every connection.

An SSL connection is the same as a TCP connection that uses SSL. An SSL session can include many connections if the SSL session ID is reused. When this happens, it is said that the SSL session was resumed.

An SSL session involves four stages: connecting, negotiating parameters in the handshake, transmitting data, and closing the connection.

An SSL session consists of the following general processing steps:

1. Connect

A remote client sends a connection request for an application server. If the application server is listening on a secure port, the TCP/IP (stack) server sends this request to the SSL server. The TCP/IP server also sends a label that identifies the certificate to be used for the secure connection, as well as the socket addresses of the client and the application server. The SSL server accepts the connection from the client and sends a connection request to the application server.

The SSL session is maintained as two separate connections: the connection from the remote client to the SSL server, and the connection from the SSL server to the application server. The intervention of the SSL server is transparent to the client and the application server; to them, it seems that they are communicating directly with each other.

2. Handshake

After its connection request is accepted, the client initiates a handshake protocol to produce the cryptographic parameters for the session. The SSL server (representing the application server) responds to the handshake and sends the application server's certificate to the client.

Clients that make use of SSL services generally have the certificates associated with the well-known CAs in their certificate databases. The client compares the "signature" on the application server's certificate with the appropriate CA certificates to verify the authenticity of the server.

The client and the SSL server then agree on a protocol version, select cryptographic algorithms (known as cipher suites), and use asymmetric (public-key) encryption techniques to generate shared secrets. From the shared secrets, the SSL server and the client generate the symmetric (private) keys to be used for the encryption and decryption of data sent on the connection.

3. Data transmission

When the handshake completes, the client sends encrypted data over the network. The SSL server receives the encrypted data from the client, decrypts it, and sends it to the application server. The application server responds by sending unencrypted data to the SSL server. The SSL server receives the unencrypted data from the application server, encrypts it, and sends it to the client.

4. Close

When a close request is received from either the client or the application server, the SSL server sends a close request to the other party and cleans up the connection.
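To make the connection/session distinction and the session resumption described above concrete, here is an added Python model; it is not code from the original post. The `SslServer`, `Session` and `Connection` names, the HMAC-based `prf` and the random "master secret" are constructed stand-ins for the real handshake, used only to show which state lives in the session and which in each connection.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

@dataclass
class Session:
    """What the handshake negotiates; shared by every connection that resumes it."""
    session_id: bytes
    cipher_suite: str
    master_secret: bytes

@dataclass
class Connection:
    """Per-connection state: fresh randoms and keys derived from the session secret."""
    session: Session
    client_random: bytes
    server_random: bytes
    keys: dict = field(default_factory=dict)

def prf(secret, label, seed):
    # Constructed stand-in for the TLS key-expansion PRF: HMAC-SHA256(secret, label || seed)
    return hmac.new(secret, label + seed, hashlib.sha256).digest()

class SslServer:
    """Hypothetical model of the SSL server's session cache (not a real TLS stack)."""
    def __init__(self):
        self.session_cache = {}
        self.full_handshakes = 0   # expensive: public-key operations
        self.resumptions = 0       # cheap: reuse the cached master secret

    def full_handshake(self, cipher_suite):
        # The public-key exchange would produce the master secret; here it is just random.
        self.full_handshakes += 1
        sess = Session(os.urandom(32), cipher_suite, os.urandom(48))
        self.session_cache[sess.session_id] = sess
        return sess

    def connect(self, client_random, offered_session_id=None,
                cipher_suite="TLS_RSA_WITH_AES_128_CBC_SHA"):
        sess = self.session_cache.get(offered_session_id)
        if sess is not None:
            self.resumptions += 1          # session ID known: the session is resumed
        else:
            sess = self.full_handshake(cipher_suite)
        conn = Connection(sess, client_random, os.urandom(32))
        # Both randoms feed key derivation, so a resumed session still gets new connection keys.
        seed = conn.client_random + conn.server_random
        conn.keys = {"client_write_key": prf(sess.master_secret, b"client write", seed),
                     "server_write_key": prf(sess.master_secret, b"server write", seed)}
        return conn
```

Because a resumed connection inherits everything the original handshake negotiated, including the outcome of certificate verification, a real server bounds how long a cached session may be resumed.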

References:

http://gec.kmu.edu.tw/~tjm/security/sec9/text3.html
http://docs.sun.com/source/817-0826-11/E_stats.html
