Fexyn

What is TLS

Transport Layer Security — the protocol that puts the S in HTTPS, encrypting connections between clients and servers.

Transport Layer Security — TLS — is the protocol that turns plaintext network connections into encrypted ones. It's the S in HTTPS. It's also what wraps the control channels of OpenVPN, what VLESS Reality imitates exactly, and what every secure email client uses to talk to mail servers.

The current version is TLS 1.3, released in 2018. TLS 1.2 still exists in the wild for compatibility but is being phased out. TLS 1.0 and 1.1 were deprecated; if a system requires them, treat it as broken.

What TLS does

Three things, in order:

  1. Authentication. Verify you're actually talking to the party you think you are. Done via certificates signed by trusted authorities.
  2. Key exchange. Agree on a shared secret without ever sending it in the clear. TLS 1.3 uses Diffie-Hellman over elliptic curves (typically X25519).
  3. Encryption. Use that shared secret to encrypt and authenticate every byte that follows. Modern TLS uses AEAD ciphers (AES-256-GCM or ChaCha20-Poly1305).

The handshake takes one round-trip in TLS 1.3, sometimes zero (0-RTT) for resumed sessions. That's a big win over TLS 1.2's two round-trips.

What TLS doesn't hide

The contents of the connection: encrypted. Who you're talking to: visible.

Specifically:

  • The destination IP. Routing requires it.
  • The destination domain, via SNI (Server Name Indication). Sent unencrypted in the ClientHello, the first handshake message.
  • Traffic timing and size. Even with content encrypted, patterns are visible. A 100-byte request followed by a 5 MB response looks different from a steady audio stream.

This is why "HTTPS everywhere" doesn't equal full privacy. Your ISP can't read what you sent, but they know what site you sent it to.
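As an added illustration (not part of the original glossary), this Python script builds a constructed TLS 1.3 ClientHello and then parses it the way a passive observer on the path would: the SNI hostname, the offered cipher suites and the supported_versions extension are all readable before any encryption starts. The hostname and cipher suites are constructed sample values; note that the legacy_version field still says 0x0303 (TLS 1.2) and that TLS 1.3 is signalled in the supported_versions extension.

```python
import struct

def build_client_hello(sni: str, suites, versions=(0x0304, 0x0303)) -> bytes:
    """Constructed ClientHello (not captured traffic): random is zeros, one
    null compression method, and only the server_name and
    supported_versions extensions. Layout follows RFC 8446 section 4.1.2."""
    name = sni.encode("ascii")
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name  # list len, host_name type, name len
    ver_ext = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    exts = (struct.pack("!HH", 0, len(sni_ext)) + sni_ext            # extension type 0 = server_name
            + struct.pack("!HH", 43, len(ver_ext)) + ver_ext)         # extension type 43 = supported_versions
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"          # legacy_version, random, empty session id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                             # compression methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = client_hello
    return struct.pack("!BHH", 22, 0x0301, len(handshake)) + handshake  # record type 22 = handshake

def parse_client_hello(record: bytes) -> dict:
    """Return what a passive observer can read from a plaintext ClientHello."""
    ctype, _, rec_len = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rec_len]
    if ctype != 22 or hs[0] != 1:
        raise ValueError("not a ClientHello handshake record")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    info = {"legacy_version": int.from_bytes(body[:2], "big"), "sni": None, "supported_versions": []}
    pos = 2 + 32                                  # skip legacy_version and random
    pos += 1 + body[pos]                          # skip legacy_session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    info["cipher_suites"] = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                          # skip legacy_compression_methods
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == 0:                            # server_name: list len(2), type(1), name len(2), name
            info["sni"] = data[5:5 + int.from_bytes(data[3:5], "big")].decode("ascii")
        elif etype == 43:                         # supported_versions: list len(1), versions(2 each)
            info["supported_versions"] = [int.from_bytes(data[i:i + 2], "big") for i in range(1, 1 + data[0], 2)]
    info["offers_tls13"] = 0x0304 in info["supported_versions"]
    return info

if __name__ == "__main__":
    # 0x1301 = TLS_AES_128_GCM_SHA256, 0x1303 = TLS_CHACHA20_POLY1305_SHA256
    hello = build_client_hello("example.com", [0x1301, 0x1303])
    print(parse_client_hello(hello))
```

Everything the parser returns is visible to anyone on the path; only the record layer's contents after the handshake finishes are encrypted.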

TLS 1.3 vs TLS 1.2

The biggest changes in 1.3:

  • Forward secrecy is mandatory. Old TLS 1.2 ciphers without forward secrecy are removed. If a server's private key leaks later, recorded traffic from past sessions can't be retroactively decrypted.
  • Cipher suite list slashed. TLS 1.2 has dozens of cipher suites, many weak. TLS 1.3 has five. Less to misconfigure, fewer downgrade paths.
  • Faster handshake. One round-trip instead of two. Visible on every page load.
  • Encrypted handshake. More of the handshake metadata is encrypted than in 1.2. Servers no longer leak their certificate in the clear during negotiation.

TLS 1.3 is what every modern site should be running. Tools like SSL Labs let you verify a site's TLS version and configuration.

TLS in VPN context

OpenVPN wraps a TLS-based control channel. The control channel handles authentication and key exchange; the data channel uses the keys derived from that handshake. A modern OpenVPN config uses TLS 1.3 + ECDSA + AES-256-GCM.

VLESS Reality doesn't just use TLS — it does an actual TLS 1.3 handshake to a real public site, then carries VPN data inside the established session. The TLS isn't a wrapper; it's camouflage that uses real certificates and real servers.

WireGuard doesn't use TLS at all — it has its own protocol with fixed cryptography. Different design philosophy.

Read more about short-lived certificates for how the certificate side affects VPN security, or the security overview for the broader picture.

Try Fexyn free for 7 days — three protocols, modern TLS where it applies, fixed cryptography where it doesn't.
