An SSL session is (as usual) initiated by the client, by connecting
to a server on port 443:
The initial connection ("Hello") message contains details of
the client's preferred symmetric encryption algorithms -- SSL
provides for a large number of different technologies --
so that the two parties can negotiate the use of
a common algorithm.
The server's response consists of an X.509 site certificate
containing its public key and some other stuff, as well as its
preferred symmetric algorithms.
The client verifies the contents of the server's site
certificate, by checking both its contents (domain name, date, etc.)
and that it has been signed by a known and trusted CA. It also
chooses an acceptable symmetric algorithm from those available.
The client generates a new, random "session key" appropriate to
the negotiated symmetric algorithm. This is encrypted using the
server's public key and sent back to the server.
All HTTP traffic between the client and the server is then
encrypted using the session key.
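
The steps above as seen from a client, in an added example that is not part of the original page: Python's standard ssl module runs the handshake, and audit_context (a hypothetical helper) reports which of the certificate checks a given context would skip. The host example.com is a placeholder.

```python
import socket
import ssl


def make_client_context() -> ssl.SSLContext:
    """Client context that performs the certificate checks described above."""
    ctx = ssl.create_default_context()            # loads the system's trusted CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / 1.1
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the verification steps this context would skip (empty = none)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("CA signature and validity dates are not checked")
    if not ctx.check_hostname:
        problems.append("domain name in the certificate is not checked")
    return problems


def offered_algorithms(ctx: ssl.SSLContext) -> list[str]:
    """Cipher suites the client will list in its Hello message."""
    return [c["name"] for c in ctx.get_ciphers()]


def handshake_report(host: str, port: int = 443) -> dict:
    """Connect, run the handshake, and report what was negotiated.

    Raises ssl.SSLCertVerificationError if the certificate fails any check.
    """
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        # server_hostname is the name the certificate must match (also sent as SNI).
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _, bits = tls.cipher()
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": name,
                "key_bits": bits,
                "subject": cert.get("subject"),
                "not_after": cert.get("notAfter"),
            }


if __name__ == "__main__":
    # "example.com" is a placeholder host; this call needs network access.
    print(handshake_report("example.com"))
```

When the report shows TLSv1.3, the session keys were agreed by an ephemeral Diffie-Hellman exchange rather than generated by the client and sent encrypted under the server's public key.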