What Is TLS? Transport Layer Security Explained
TLS, Transport Layer Security, is the encryption protocol that secures network connections, giving HTTPS its privacy, integrity, and server authentication.
TLS is the successor to SSL and the thing that makes the lock icon appear in a browser. It wraps any TCP connection in encryption and verifies the identity of the server you are talking to. Pipelines depend on TLS for every secure call they make, and TLS misconfiguration is a common cause of deploy and API failures.
The handshake
Before any data flows, client and server perform a TLS handshake: they agree on a protocol version and cipher, the server proves its identity with a certificate, and both derive shared session keys. Only then does encrypted application data begin.
What TLS guarantees
- Confidentiality: traffic is encrypted end to end.
- Integrity: tampering in transit is detected.
- Authentication: the server proves who it is via a certificate.
Versions matter
TLS 1.2 and 1.3 are current; older SSL and early TLS versions are deprecated and often refused. A runner with an outdated TLS library can fail to connect to a server that requires a modern version.
TLS in CI/CD
Registry pulls, API calls, and artifact transfers all ride on TLS. Deploys frequently provision or renew certificates, and TLS termination at a load balancer is a routine part of shipping a web service.
Reading TLS errors
Handshake failures, "certificate verify failed", and "unsupported protocol" are configuration problems: a missing CA, a clock skew that makes a certificate look expired, or a version mismatch. These do not resolve on retry.
Transient vs configuration
A connection that resets during the handshake can be a transient network blip, while a verification failure is a real misconfiguration. Latchkey runners retry the transient resets automatically and let the genuine TLS errors through so you can fix the root cause.
Key takeaways
- TLS encrypts and authenticates connections and is what makes HTTPS secure.
- The handshake negotiates a cipher and validates the server certificate before data flows.
- Most TLS errors in CI are configuration issues, not retryable blips.