An approach for preventing denial-of-service attacks on Secure Sockets
Layer ("SSL") protocol is described. Queues are generated for handshake
state connections and data transmission connections. A connection object
representing a new SSL connection is time-stamped as it enters the
handshake portion of the SSL protocol. A connection pointer to the
connection object is placed at the head of the handshake queue. As new
SSL messages are transferred between client and SSL server, the
time-stamp is updated when the entire message is received, and the
connection pointer is repositioned to the head of the queue. A timer event
periodically surveys the queues. If connection packet transmission gaps
remain below a specified maximum handshake gap time, a connection is
allowed to progress to the data transmission state. If any connection
exceeds the specified gap time, the SSL connection is dropped.
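The following is an added example that models the mechanism described above; it is not code from the patent or from any SSL implementation. It assumes Python, numeric timestamps supplied by the caller (so it runs offline without a clock), and an `OrderedDict` whose first key plays the role of the queue head. Because every completed message moves its connection to the head, the tail always holds the connection that has been silent longest, so the periodic timer can walk from the tail and stop at the first connection still within the maximum handshake gap; only partial messages never refresh the time-stamp, which is what starves a slow-loris style handshake rather than a legitimately slow client.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Connection:
    """Connection object; last_complete is the time the last *entire* message arrived."""
    conn_id: int
    last_complete: float
    state: str = "handshake"


class SslConnectionQueues:
    """Handshake queue and data-transmission queue, ordered by most recent activity.

    Hypothetical helper for illustration; head of each queue == first key.
    """

    def __init__(self, max_handshake_gap: float):
        self.max_gap = max_handshake_gap
        self.handshake: "OrderedDict[int, Connection]" = OrderedDict()
        self.data: "OrderedDict[int, Connection]" = OrderedDict()

    def accept(self, conn_id: int, now: float) -> Connection:
        # New connection is time-stamped as it enters the handshake state
        # and its pointer placed at the head of the handshake queue.
        conn = Connection(conn_id, now)
        self.handshake[conn_id] = conn
        self.handshake.move_to_end(conn_id, last=False)
        return conn

    def message_received(self, conn_id: int, now: float, complete: bool = True) -> None:
        # Only a fully received message refreshes the stamp and moves the
        # connection to the head; dribbled fragments leave it where it is.
        if not complete:
            return
        conn = self.handshake[conn_id]
        conn.last_complete = now
        self.handshake.move_to_end(conn_id, last=False)

    def handshake_finished(self, conn_id: int, now: float) -> Connection:
        # Handshake completed within the gap limits: move to the data queue.
        conn = self.handshake.pop(conn_id)
        conn.state = "data"
        conn.last_complete = now
        self.data[conn_id] = conn
        self.data.move_to_end(conn_id, last=False)
        return conn

    def sweep(self, now: float) -> list:
        """Timer event: drop handshake connections whose gap exceeds max_gap.

        Walks from the tail (longest silent) toward the head and stops at the
        first connection that is still fresh, so cost is proportional to the
        number of stale connections rather than the queue length.
        """
        dropped = []
        for conn_id in reversed(list(self.handshake)):
            conn = self.handshake[conn_id]
            if now - conn.last_complete <= self.max_gap:
                break  # everything closer to the head is fresher
            dropped.append(conn_id)
            del self.handshake[conn_id]
        return dropped


def demo() -> dict:
    """Constructed scenario: one healthy client, one fragment-dribbling client, one idle one."""
    q = SslConnectionQueues(max_handshake_gap=5.0)
    q.accept(1, now=0.0)
    q.accept(2, now=0.0)
    q.accept(3, now=1.0)
    q.message_received(1, now=3.0)                  # complete message, refreshed
    q.message_received(2, now=4.0, complete=False)  # fragment only, not refreshed
    first = q.sweep(now=6.0)                        # conn 2 gap 6.0 > 5.0
    q.handshake_finished(3, now=6.5)
    second = q.sweep(now=9.0)                       # conn 1 gap 6.0 > 5.0
    return {"first": first, "second": second,
            "handshake": list(q.handshake), "data": list(q.data)}


if __name__ == "__main__":
    print(demo())
```

The ordering invariant that makes the early `break` correct is that head-to-tail order equals descending `last_complete`, which holds as long as the timestamps given to `accept`, `message_received` and `sweep` never go backwards.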