An SSL session is (as usual) initiated by the client, by connecting
to a server on port 443:
The initial connection ("Hello") message contains details of
the client's preferred symmetric encryption algorithms -- SSL
provides for a large number of different technologies --
so that the two parties can negotiate the use of
a common algorithm.
The server's response consists of an X.509 site certificate
containing its public key and other identifying details, as well as its
preferred symmetric algorithms.
The client verifies the server's site certificate, checking both
its contents (domain name, date, etc.) and that it has been
signed by a known and trusted CA. It also chooses an acceptable
symmetric algorithm from those available.
The client generates a new, random "session
key" appropriate to the negotiated symmetric algorithm.
This is encrypted using the server's public key and sent back to
the server.
All subsequent HTTP traffic between the client and the server
is encrypted using the session key.
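
The steps above, modelled end to end as an added example (not code from the original page). It follows the page's simplified description of the exchange. Assumptions: the toy unpadded RSA keys built from small known primes, the certificate fields, the CA name "Example CA" and the algorithm names are all constructed for illustration.

```python
import hashlib, secrets
from datetime import date

# Toy, unpadded RSA from known Mersenne primes: constructed keys, illustration only.
def make_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

CA_KEY = make_key(2**61 - 1, 2**107 - 1)       # hypothetical CA
SERVER_KEY = make_key(2**89 - 1, 2**127 - 1)   # hypothetical server
TRUSTED_CAS = {"Example CA": (CA_KEY["n"], CA_KEY["e"])}  # client's trust store

def digest(cert, n):
    keys = ("subject", "issuer", "not_before", "not_after", "pub")
    fields = "|".join(str(cert[k]) for k in keys)
    return int.from_bytes(hashlib.sha256(fields.encode()).digest(), "big") % n

def issue_cert(subject, pub, not_before, not_after):
    cert = {"subject": subject, "issuer": "Example CA", "pub": pub,
            "not_before": not_before, "not_after": not_after}
    cert["sig"] = pow(digest(cert, CA_KEY["n"]), CA_KEY["d"], CA_KEY["n"])
    return cert

def verify_cert(cert, hostname, today):
    """Return None if the certificate is acceptable, else the reason it is not."""
    ca = TRUSTED_CAS.get(cert["issuer"])
    if ca is None:
        return "untrusted issuer"
    n, e = ca
    if pow(cert["sig"], e, n) != digest(cert, n):   # signed by the trusted CA?
        return "bad signature"
    if cert["subject"] != hostname:                 # domain name check
        return "hostname mismatch"
    if not cert["not_before"] <= today <= cert["not_after"]:
        return "outside validity period"
    return None

def handshake(hostname, client_prefs, server_prefs, cert, today):
    # "Hello" carries client_prefs; the server answers with cert + server_prefs.
    problem = verify_cert(cert, hostname, today)
    if problem:
        raise ValueError(problem)
    algo = next((a for a in client_prefs if a in server_prefs), None)
    if algo is None:
        raise ValueError("no common algorithm")
    session_key = secrets.token_bytes(16)           # fresh random session key
    n, e = cert["pub"]
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)  # goes on the wire
    # Server side: only the private-key holder can recover the session key.
    unwrapped = pow(wrapped, SERVER_KEY["d"], SERVER_KEY["n"]).to_bytes(16, "big")
    return algo, session_key, unwrapped
```

The certificate checks run before any key material is generated, so a certificate that fails verification never receives a session key.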