TLS                                                           M. Thomson
Internet-Draft                                                   Mozilla
Intended status: Standards Track                            May 02, 2018
Expires: November 3, 2018

                  Example Handshake Traces for TLS 1.3
                    draft-ietf-tls-tls13-vectors-04

Abstract

   Examples of TLS 1.3 handshakes are shown.  Private keys and inputs
   are provided so that these handshakes might be reproduced.
   Intermediate values, including secrets, traffic keys and IVs, are
   shown so that implementations might be checked incrementally against
   these values.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 3, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Private Keys
   3.  Simple 1-RTT Handshake
   4.  Resumed 0-RTT Handshake
   5.  HelloRetryRequest
   6.  Client Authentication
   7.  Compatibility Mode
   8.  Security Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Acknowledgements
   Author's Address

1.  Introduction

   TLS 1.3 [TLS13] defines a new key schedule and a number of new
   cryptographic operations.  This document includes sample handshakes
   that show all intermediate values.  This allows an implementation to
   be verified incrementally, examining inputs and outputs of each
   cryptographic computation independently.

   A private key is included with the traces so that implementations can
   be checked by importing these values and verifying that the same
   outputs are produced.

2.  Private Keys

   Ephemeral private keys are shown as they are generated in the traces.

   The server in most examples uses an RSA certificate with a private
   key of:

   modulus (public): b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c
      0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab
      bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87
      a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f
      da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0
      3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e
      3f

   public exponent: 01 00 01

   private exponent: 04 de a7 05 d4 3a 6e a7 20 9d d8 07 21 11 a8 3c 81
      e3 22 a5 92 78 b3 34 80 64 1e af 7c 0a 69 85 b8 e3 1c 44 f6 de 62
      e1 b4 c2 30 9f 61 26 e7 7b 7c 41 e9 23 31 4b bf a3 88 13 05 dc 12
      17 f1 6c 81 9c e5 38 e9 22 f3 69 82 8d 0e 57 19 5d 8c 84 88 46 02
      07 b2 fa a7 26 bc f7 08 bb d7 db 7f 67 9f 89 34 92 fc 2a 62 2e 08
      97 0a ac 44 1c e4 e0 c3 08 8d f2 5a e6 79 23 3d f8 a3 bd a2 ff 99
      41

   prime1: e4 35 fb 7c c8 37 37 75 6d ac ea 96 ab 7f 59 a2 cc 10 69 db
      7d eb 19 0e 17 e3 3a 53 2b 27 3f 30 a3 27 aa 0a aa bc 58 cd 67 46
      6a f9 84 5f ad c6 75 fe 09 4a f9 2c 4b d1 f2 c1 bc 33 dd 2e 05 15

   prime2: ca bd 3b c0 e0 43 86 64 c8 d4 cc 9f 99 97 7a 94 d9 bb fe ad
      8e 43 87 0a ba e3 f7 eb 8b 4e 0e ee 8a f1 d9 b4 71 9b a6 19 6c f2
      cb ba ee eb f8 b3 49 0a fe 9e 9f fa 74 a8 8a a5 1f c6 45 62 93 03

   exponent1: 3f 57 34 5c 27 fe 1b 68 7e 6e 76 16 27 b7 8b 1b 82 64 33
      dd 76 0f a0 be a6 a6 ac f3 94 90 aa 1b 47 cd a4 86 9d 68 f5 84 dd
      5b 50 29 bd 32 09 3b 82 58 66 1f e7 15 02 5e 5d 70 a4 5a 08 d3 d3
      19

   exponent2: 18 3d a0 13 63 bd 2f 28 85 ca cb dc 99 64 bf 47 64 f1 51
      76 36 f8 64 01 28 6f 71 89 3c 52 cc fe 40 a6 c2 3d 0d 08 6b 47 c6
      fb 10 d8 fd 10 41 e0 4d ef 7e 9a 40 ce 95 7c 41 77 94 e1 04 12 d1
      39

   coefficient: 83 9c a9 a0 85 e4 28 6b 2c 90 e4 66 99 7a 2c 68 1f 21
      33 9a a3 47 78 14 e4 de c1 18 33 05 0e d5 0d d1 3c c0 38 04 8a 43
      c5 9b 2a cc 41 68 89 c0 37 66 5f
      e5 af a6 05 96 9f 8c 01 df a5 ca
      96 9d

3.  Simple 1-RTT Handshake

   In this example, the simplest possible handshake is completed.  The
   server is authenticated, but the client remains anonymous.  After
   connecting, a few application data octets are exchanged.  The server
   sends a session ticket that permits the use of 0-RTT in any resumed
   session.

   {client} create an ephemeral x25519 key pair:

      private key (32 octets): 33 21 0a 80 c1 a0 78 c8 52 0d 00 71 0a
         06 7b 00 59 68 26 01 05 f4 bf b5 94 a7 13 2b 62 34 33 ab

      public key (32 octets): fa 0c d2 25 02 a7 23 6a e7 59 9e e0 14 16
         e8 05 d7 15 55 93 f0 28 b7 a6 f6 dd f4 9b ad 1a 6f 36

   {client} send a ClientHello handshake message

   {client} send handshake record:

      payload (190 octets): 01 00 00 ba 03 03 3a 02 32 16 f4 df 71 db
         f2 af d6 09 5f aa cd 8e b9 12 02 36 ca 79 90 c2 0d 40 cb 69 09
         57 75 35 00 00 06 13 01 13 03 13 02 01 00 00 8b 00 00 00 0b 00
         09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12
         00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 23 00
         00 00 33 00 26 00 24 00 1d 00 20 fa 0c d2 25 02 a7 23 6a e7 59
         9e e0 14 16 e8 05 d7 15 55 93 f0 28 b7 a6 f6 dd f4 9b ad 1a 6f
         36 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02
         03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02
         02 02 00 2d 00 02 01 01

      ciphertext (195 octets): 16 03 01 00 be 01 00 00 ba 03 03 3a 02
         32 16 f4 df 71 db f2 af d6 09 5f aa cd 8e b9 12 02 36 ca 79 90
         c2 0d 40 cb 69 09 57 75 35 00 00 06 13 01 13 03 13 02 01 00 00
         8b 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00
         00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01
         03 01 04 00 23 00 00 00 33 00 26 00 24 00 1d 00 20 fa 0c d2 25
         02 a7 23 6a e7 59 9e e0 14 16 e8 05 d7 15 55 93 f0 28 b7 a6 f6
         dd f4 9b ad 1a 6f 36 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04
         03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01
         04 02 05 02 06 02 02 02 00 2d 00 02 01 01

   {server} extract secret "early":

      salt: (absent)

      ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

   {server} create an ephemeral x25519 key pair:

      private key (32 octets): 9d ae 7f c7 6c 00 9e 64 32 41 68 c6 27
         99 1a 97 d3 95 9e 32 e7 c8 45 0c 14 f3 b5 30 bf 75 ef 87

      public key (32 octets): aa 6c be 84 01 8c c1 a7 43 75 b6 d4 ea 18
         ad 51 71 c1 50 ae 55 80 a8 4c 62 ef 05 21 a1 16 8a 25

   {server} send a ServerHello handshake message

   {server} derive secret for handshake "tls13 derived":

      PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {server} extract secret "handshake":

      salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      ikm (32 octets): de 19 c3 5f f1 64 46 31 c4 b4 59 9a 22 2c ee eb
         31 aa 4c f3 03 ef 15 48 de 68 ea 83 c9 4b 78 1c

      secret (32 octets): 95 96 d5 36 cf ab b0 51 28 69 b3 c3 66 39 1f
         b2 97 59 36 a8 cd da 1f 8c 66 b5 f0 26 54 04 5e 6b

   {server} derive secret "tls13 c hs traffic":

      PRK (32 octets): 95 96 d5 36 cf ab b0 51 28 69 b3 c3 66 39 1f b2
         97 59 36 a8 cd da 1f 8c 66 b5 f0 26 54 04 5e 6b

      hash (32 octets): 58 53 80 f8 31 c7 62 08 c5 2c 34 8c 76 be 4a 4b
         a6 17 fd 16 da 68 b0 a9 50 38 82 fe ea ff
         81 dc

      info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72
         61 66 66 69 63 20 58 53 80 f8 31 c7 62 08 c5 2c 34 8c 76 be 4a
         4b a6 17 fd 16 da 68 b0 a9 50 38 82 fe ea ff 81 dc

      output (32 octets): ed 5d 2e 57 8f 39 41 2a 63 a1 8e 68 d4 52 e4
         09 21 5b 42 a8 63 40 29 f2 4c c9 c7 bb 3c 4d 29 de

   {server} derive secret "tls13 s hs traffic":

      PRK (32 octets): 95 96 d5 36 cf ab b0 51 28 69 b3 c3 66 39 1f b2
         97 59 36 a8 cd da 1f 8c 66 b5 f0 26 54 04 5e 6b

      hash (32 octets): 58 53 80 f8 31 c7 62 08 c5 2c 34 8c 76 be 4a 4b
         a6 17 fd 16 da 68 b0 a9 50 38 82 fe ea ff 81 dc

      info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
         61 66 66 69 63 20 58 53 80 f8 31 c7 62 08 c5 2c 34 8c 76 be 4a
         4b a6 17 fd 16 da 68 b0 a9 50 38 82 fe ea ff 81 dc

      output (32 octets): 76 53 d6 19 95 c3 c7 b9 a7 db 6e f8 80 0d e0
         63 e2 c4 10 1d 52 15 01 1c 8a 28 36 6e 8a 44 9b b3

   {server} derive secret for master "tls13 derived":

      PRK (32 octets): 95 96 d5 36 cf ab b0 51 28 69 b3 c3 66 39 1f b2
         97 59 36 a8 cd da 1f 8c 66 b5 f0 26 54 04 5e 6b

      hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets): ff e0 3e bf eb 8e f7 7a b4 95 7f 14 95 2f be
         d5 5a 1f 3b 9d 1c e9 4e 1e 00 f7 40 7d 99 72 99 1b

   {server} extract secret "master":

      salt (32 octets): ff e0 3e bf eb 8e f7 7a b4 95 7f 14 95 2f be d5
         5a 1f 3b 9d 1c e9 4e 1e 00 f7 40 7d 99 72 99 1b

      ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets): fa 2f 37 bc 3a 87 b5 9c 46 10 26 27 17 59 84
         d8 4e 03 5f a5 64 75 9c 1e ec 3b 96 4c e9 7a 1f 14

   {server} send handshake record:

      payload (90 octets): 02
         00 00 56 03 03 42 ec 65 e2 f1 86 19 05 8f
         0a e6 42 76 a1 0d 47 b3 5d 5f 26 75 0b c5 a9 b7 aa c6 30 9f 19
         75 71 00 13 01 00 00 2e 00 33 00 24 00 1d 00 20 aa 6c be 84 01
         8c c1 a7 43 75 b6 d4 ea 18 ad 51 71 c1 50 ae 55 80 a8 4c 62 ef
         05 21 a1 16 8a 25 00 2b 00 02 7f 1c

      ciphertext (95 octets): 16 03 03 00 5a 02 00 00 56 03 03 42 ec 65
         e2 f1 86 19 05 8f 0a e6 42 76 a1 0d 47 b3 5d 5f 26 75 0b c5 a9
         b7 aa c6 30 9f 19 75 71 00 13 01 00 00 2e 00 33 00 24 00 1d 00
         20 aa 6c be 84 01 8c c1 a7 43 75 b6 d4 ea 18 ad 51 71 c1 50 ae
         55 80 a8 4c 62 ef 05 21 a1 16 8a 25 00 2b 00 02 7f 1c

   {server} derive write traffic keys for handshake data:

      PRK (32 octets): 76 53 d6 19 95 c3 c7 b9 a7 db 6e f8 80 0d e0 63
         e2 c4 10 1d 52 15 01 1c 8a 28 36 6e 8a 44 9b b3

      key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets): 6b de 0a 34 c4 42 3c f3 5b f4 a7 ec 1a b0
         aa 06

      iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets): 22 07 9a 1b e6 53 89 9a 59 a4 e5 51

   {server} send an EncryptedExtensions handshake message

   {server} send a Certificate handshake message

   {server} send a CertificateVerify handshake message

   {server} calculate finished "tls13 finished":

      PRK (32 octets): 76 53 d6 19 95 c3 c7 b9 a7 db 6e f8 80 0d e0 63
         e2 c4 10 1d 52 15 01 1c 8a 28 36 6e 8a 44 9b b3

      hash (0 octets): (empty)

      info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets): 1c a5 43 d9 08 b8 ec 1c b7 25 55 7f 83 c4 de
         03 f1 71 85 07 b9 0a e4 39 ec 84 92 c2 22 5d 6e 75

   {server} send a Finished handshake message

   {server} send handshake record:

      payload (651 octets): 08 00 00 1e 00 1c 00 0a 00 14 00 12 00 1d
         00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 0b
         00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30 82 01 15 a0 03 02
         01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30
         0e 31 0c 30 0a
         06 03 55 04 03 13 03 72 73 61 30 1e 17 0d 31 36
         30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36 30 37 33 30 30 31
         32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61
         30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d
         00 30 81 89 02 81 81 00 b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b
         36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4
         9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed
         43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d
         44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9
         d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28
         a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 01 00 01 a3 1a 30 18 30 09
         06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 05
         a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 85
         aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17 06 18 a5 4c 5f 8a
         7b 33 7d 2d f7 a5 94 36 54 17 f2 ea e8 f8 a5 8c 8f 81 72 f9 31
         9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 51 56 72 60 96 fd 33 5e 5e
         67 f2 db f1 02 70 2e 60 8c ca e6 be c1 fc 63 a4 2a 99 be 5c 3e
         b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1c 3b 84 e0 a8 b2 f7 59 40
         9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 96 12 29 ac 91 87 b4 2b 4d
         e1 00 00 0f 00 00 84 08 04 00 80 60 79 53 73 40 82 02 3f d3 8f
         e9 bd 96 ea f9 dd e4 45 12 7b ef 6f c8 5b 2a 29 82 27 a9 0d 26
         12 28 11 7b 93 f7 6c 00 02 56 02 b8 5b e9 6e 6e 75 a2 5b 72 bd
         d9 38 9d 7c 97 95 f3 14 24 60 17 18 9d 4b dd 30 b8 38 17 f5 9a
         5b c3 66 9a 98 d6 41 64 fd c7 80 77 2d ca 3d 06 63 79 24 1a 21
         32 c4 07 1e 21 f9 f3 f0 cd 1d f4 06 ab 1d 37 bd db 13 e1 c2 93
         f8 a4 46 8b 8e 5b c9 09 e5 78 94 e0 f1 14 00 00 20 16 cb aa 5b
         9c 4d 04 ea 5c 83 b2 0b 4c 88 04 7e 8f 95 d9 60 5b 71 24 d1 1d
         de b1 91 bb 6b 6d 18

      ciphertext (673 octets): 17 03 03 02 9c c7 ad d2 3a 51 68 b1 f3
         49 b7 59 e3 6b 17 1d ab c9 0b aa 31 29 a9 83 81 35 a2 2d a4 d2
         d5 96 c9 4b 86 f6 af be 4d 7e 6d 6d bd 07 0b
         84 f7 0f 33 fa 57
         91 7d 7f 44 b1 e0 6d 47 46 64 3b fb 8f 2c dd 0a 2e db 1d 43 b7
         32 26 b1 be f9 5c 34 58 41 d1 20 fc 70 8d 49 09 bf a3 42 e4 99
         33 c1 00 02 03 3f ee 1e 82 67 0b 26 50 ba 93 c5 3a 87 f8 6d 5c
         bf 51 26 ad 05 58 6f 97 b1 31 4f 21 c0 b7 a2 0c 4b 4f 90 c3 66
         ec 8e d8 49 be a6 d5 b2 e0 bb 88 4f 9e 98 d7 19 5a 42 8f f8 d1
         26 5a 67 58 84 f3 8a 43 60 68 e3 72 9f 8a 50 99 1b f8 61 37 95
         0c 5e 0e b3 ad a2 23 59 c2 5a f7 00 31 cb 18 00 8c 2f a6 e7 c8
         dd 70 58 f8 ec e9 23 b0 96 7a c5 ed c0 39 7b 9d 9a ae cf 3f 0d
         cc 59 83 a4 76 9e 26 0f 15 e6 83 78 74 18 ce 06 75 47 ad f9 fa
         75 93 24 7d f7 d5 a1 60 32 7b de 57 f8 eb e4 74 55 6b 93 97 9f
         ae 3c d2 fa 90 c3 b5 e7 77 d6 2f 3b 1b 11 bb 92 08 a6 8d 55 06
         24 6f 76 ac ef b5 7d b1 b6 37 b4 60 38 24 1d aa 6a 07 b7 dd 8d
         45 c4 7b e1 2f 7e 5a 71 a1 00 95 02 9e ed 7e 27 8d de a9 f4 46
         2c 68 9e 1b c6 eb c6 b8 84 da b7 f9 de e7 6f 30 08 73 63 85 05
         f9 00 3c de 12 e4 28 24 ff 3a 17 64 3d a1 a7 62 7c 16 6c 89 38
         5c de 80 87 4b be 7a 19 ff 5c 5e 1a cd 94 eb 26 1b d4 90 4d 4e
         70 85 24 f3 8d 51 0d 17 2c 6d 61 79 fe e3 dc bb 80 85 b2 f4 3f
         fe 1c 39 b6 4e 49 34 a3 4c d0 91 fe fe ce 76 1c 74 0e 63 d1 e0
         4a 83 b0 55 75 15 26 0d 8b 40 b0 86 1b d7 75 91 4b 81 24 d6 ec
         42 e6 74 fb e4 8b c6 cf 5a 08 cf fa 98 00 15 08 61 33 27 85 6e
         d7 3f 95 2d b6 fd 9f eb 08 85 56 6d 91 79 3e 50 34 ac da 39 8b
         40 3b 6a ce 62 35 47 d5 2f f7 19 98 fe 31 a1 ef d7 f6 fb 85 ea
         b2 06 94 db f4 d5 00 0f 22 10 bc 3d 31 24 22 f9 d5 8d e9 d3 60
         39 bf 8f ae e9 e8 38 33 8c bf 36 b2 b4 82 bd b5 2c 1d 52 32 3b
         a7 4f b2 42 30 64 f9 3f e7 dc 11 54 4f cd ac 52 10 b8 78 91 a1
         7a 14 9b 3c 83 a8 f5 f4 ed b7 63 53 82 01 f7 77 d6 0a e0 5f 36
         a8 2a d6 50 a0 8d a3 64 0e 97 4d 90 ab a9 31 c1 4d 81 c6 ed 19
         1f 32 36 28 72 d1 0b f9 a6 b7 3a c2 a9 e2 89 7b a0 df 61 c6 97
         35 37 a1 10 e5 d4 6c 35 62 75 89 65 36 f3 16 18 72 2a 56 ff 7d
         b2 8a 53 c6 c7 73 3c bb 47

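   The following Python check is an added example, not part of the
   original draft.  It recomputes the Section 3 key schedule from the
   "early" secret through the server handshake write key and IV, and
   names the first step whose output differs from the trace.  The
   function names and the EXPECTED table are this example's own; ECDHE
   and CH_SH_HASH are the "ikm" and "hash" values printed in the trace.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size      # 32 octets for the SHA-256 suite in this trace
EMPTY_HASH = HASH(b"").digest()    # the "hash" input shown for "tls13 derived"


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869); an absent salt means HashLen zero octets."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_label(label: str, context: bytes, length: int) -> bytes:
    """Encode the HkdfLabel structure; the trace prints it as "info"."""
    full = b"tls13 " + label.encode("ascii")
    if len(full) > 255 or len(context) > 255:
        raise ValueError("label and context each carry a one-octet length")
    return (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)


def expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label as used by the TLS 1.3 key schedule."""
    return hkdf_expand(secret, hkdf_label(label, context, length), length)


# Inputs copied from the Section 3 trace: the ECDHE shared secret (the "ikm"
# of the "handshake" extract) and the hash over ClientHello and ServerHello.
ECDHE = bytes.fromhex(
    "de19c35ff1644631c4b4599a222ceeeb31aa4cf303ef1548de68ea83c94b781c")
CH_SH_HASH = bytes.fromhex(
    "585380f831c76208c52c348c76be4a4ba617fd16da68b0a9503882feeaff81dc")

# Outputs the trace lists, in the order the key schedule produces them.
EXPECTED = {
    "early": "33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a",
    "derived (handshake)":
        "6f2615a108c702c5678f54fc9dbab69716c076189c48250cebeac3576c3611ba",
    "handshake": "9596d536cfabb0512869b3c366391fb2975936a8cdda1f8c66b5f02654045e6b",
    "c hs traffic":
        "ed5d2e578f39412a63a18e68d452e409215b42a8634029f24cc9c7bb3c4d29de",
    "s hs traffic":
        "7653d61995c3c7b9a7db6ef8800de063e2c4101d5215011c8a28366e8a449bb3",
    "derived (master)":
        "ffe03ebfeb8ef77ab4957f14952fbed55a1f3b9d1ce94e1e00f7407d9972991b",
    "master": "fa2f37bc3a87b59c46102627175984d84e035fa564759c1eec3b964ce97a1f14",
    "server handshake key": "6bde0a34c4423cf35bf4a7ec1ab0aa06",
    "server handshake iv": "22079a1be653899a59a4e551",
}


def handshake_key_schedule(ecdhe: bytes, ch_sh_hash: bytes) -> dict:
    """Recompute each intermediate value up to the server handshake keys."""
    v = {}
    v["early"] = hkdf_extract(b"", bytes(HASH_LEN))
    v["derived (handshake)"] = expand_label(v["early"], "derived", EMPTY_HASH, HASH_LEN)
    v["handshake"] = hkdf_extract(v["derived (handshake)"], ecdhe)
    v["c hs traffic"] = expand_label(v["handshake"], "c hs traffic", ch_sh_hash, HASH_LEN)
    v["s hs traffic"] = expand_label(v["handshake"], "s hs traffic", ch_sh_hash, HASH_LEN)
    v["derived (master)"] = expand_label(v["handshake"], "derived", EMPTY_HASH, HASH_LEN)
    v["master"] = hkdf_extract(v["derived (master)"], bytes(HASH_LEN))
    v["server handshake key"] = expand_label(v["s hs traffic"], "key", b"", 16)
    v["server handshake iv"] = expand_label(v["s hs traffic"], "iv", b"", 12)
    return v


def first_mismatch(computed: dict, expected: dict = EXPECTED):
    """Name the earliest step that diverges from the trace, or None if all match."""
    for step, want in expected.items():
        if not hmac.compare_digest(computed[step], bytes.fromhex(want)):
            return step
    return None


if __name__ == "__main__":
    print("trace inputs:", first_mismatch(handshake_key_schedule(ECDHE, CH_SH_HASH)))
    # A corrupted ECDHE input leaves the earlier stages intact and is caught
    # at the first step that consumes it.
    bad = bytes([ECDHE[0] ^ 1]) + ECDHE[1:]
    print("bad ECDHE:   ", first_mismatch(handshake_key_schedule(bad, CH_SH_HASH)))
```

   Checking stage by stage, as the draft intends, localizes a fault to
   the first derivation that consumes the bad input instead of
   surfacing it only as a record decryption failure.
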
   {server} derive secret "tls13 c ap traffic":

      PRK (32 octets): fa 2f 37 bc 3a 87 b5 9c 46 10 26 27 17 59 84 d8
         4e 03 5f a5 64 75 9c 1e ec 3b 96 4c e9 7a 1f 14

      hash (32 octets): 87 c5 9a d5 4c f0 89 e9 40 06 d8 eb b0 80 8f 8e
         32 e5 44 b1 b0 79 18 3b 8b eb 89 8e 80 b6 5a 6c

      info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72
         61 66 66 69 63 20 87 c5 9a d5 4c f0 89 e9 40 06 d8 eb b0 80 8f
         8e 32 e5 44 b1 b0 79 18 3b 8b eb 89 8e 80 b6 5a 6c

      output (32 octets): f7 1a e9 97 5d 12 75 6a 41 53 17 a4 4c 63 01
         6e 98 39 5d 1e cd da 48 9b cc af 4a 3e 86 3f 87 35

   {server} derive secret "tls13 s ap traffic":

      PRK (32 octets): fa 2f 37 bc 3a 87 b5 9c 46 10 26 27 17 59 84 d8
         4e 03 5f a5 64 75 9c 1e ec 3b 96 4c e9 7a 1f 14

      hash (32 octets): 87 c5 9a d5 4c f0 89 e9 40 06 d8 eb b0 80 8f 8e
         32 e5 44 b1 b0 79 18 3b 8b eb 89 8e 80 b6 5a 6c

      info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72
         61 66 66 69 63 20 87 c5 9a d5 4c f0 89 e9 40 06 d8 eb b0 80 8f
         8e 32 e5 44 b1 b0 79 18 3b 8b eb 89 8e 80 b6 5a 6c

      output (32 octets): e4 25 33 b9 1b e3 2a 43 fb 9e 5b 7d 9a 00 2d
         59 d8 c7 47 b0 83 b5 72 76 ed 98 bd 46 89 33 f6 72

   {server} derive secret "tls13 exp master":

      PRK (32 octets): fa 2f 37 bc 3a 87 b5 9c 46 10 26 27 17 59 84 d8
         4e 03 5f a5 64 75 9c 1e ec 3b 96 4c e9 7a 1f 14

      hash (32 octets): 87 c5 9a d5 4c f0 89 e9 40 06 d8 eb b0 80 8f 8e
         32 e5 44 b1 b0 79 18 3b 8b eb 89 8e 80 b6 5a 6c

      info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73
         74 65 72 20 87 c5 9a d5 4c f0 89 e9 40 06 d8 eb b0 80 8f 8e 32
         e5 44 b1 b0 79 18 3b 8b eb 89 8e 80 b6 5a 6c

      output (32 octets): 14 2d 61 52 63 bc e0 27 60 74 9e c8 d3 8e ac
         7a b0 ce 85 0f c1 e3 87 85 a0 33 8b 7e 74 d4 65 b2

   {server} derive write traffic keys for application data:

      PRK (32 octets): e4 25 33 b9 1b e3 2a 43 fb 9e 5b 7d 9a 00 2d 59
         d8 c7 47 b0 83 b5 72 76 ed 98 bd 46 89 33 f6 72

      key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets): 4e 01 d3 e4 ac 71 a2 83 4b b5 71 29 bb 88
         bf d6

      iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets): a4 45 9e a6 d6 d7 fb 65 91 6b b8 fa

   {server} derive read traffic keys for handshake data:

      PRK (32 octets): ed 5d 2e 57 8f 39 41 2a 63 a1 8e 68 d4 52 e4 09
         21 5b 42 a8 63 40 29 f2 4c c9 c7 bb 3c 4d 29 de

      key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets): fd 24 5c 26 ad 85 0f e2 d3 1b f9 6d 87 fe
         f2 56

      iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets): bd 1f de f0 52 bb 30 8c 0a 88 c1 1c

   {client} extract secret "early":

      salt: (absent)

      ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

   {client} derive secret for handshake "tls13 derived":

      PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {client} extract secret "handshake":

      salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      ikm (32 octets): de 19 c3 5f f1 64 46 31 c4 b4 59 9a 22 2c ee eb
         31 aa 4c f3 03 ef 15 48 de 68 ea 83 c9 4b 78 1c

      secret (32 octets): 95 96 d5 36 cf ab b0 51 28 69 b3 c3 66 39 1f
         b2 97 59 36 a8 cd da 1f 8c
         66 b5 f0 26 54 04 5e 6b

   {client} derive secret "tls13 c hs traffic" (same as server)

   {client} derive secret "tls13 s hs traffic" (same as server)

   {client} derive secret for master "tls13 derived" (same as server)

   {client} extract secret "master" (same as server)

   {client} derive read traffic keys for handshake data:

      PRK (32 octets): 76 53 d6 19 95 c3 c7 b9 a7 db 6e f8 80 0d e0 63
         e2 c4 10 1d 52 15 01 1c 8a 28 36 6e 8a 44 9b b3

      key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets): 6b de 0a 34 c4 42 3c f3 5b f4 a7 ec 1a b0
         aa 06

      iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets): 22 07 9a 1b e6 53 89 9a 59 a4 e5 51

   {client} calculate finished "tls13 finished" (same as server)

   {client} derive secret "tls13 c ap traffic" (same as server)

   {client} derive secret "tls13 s ap traffic" (same as server)

   {client} derive secret "tls13 exp master" (same as server)

   {client} derive write traffic keys for handshake data (same as
      server read traffic keys)

   {client} derive read traffic keys for application data (same as
      server write traffic keys)

   {client} calculate finished "tls13 finished":

      PRK (32 octets): ed 5d 2e 57 8f 39 41 2a 63 a1 8e 68 d4 52 e4 09
         21 5b 42 a8 63 40 29 f2 4c c9 c7 bb 3c 4d 29 de

      hash (0 octets): (empty)

      info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets): 3a db dd 16 1f ca 16 ee 0b 3e ee c3 58 09 98
         0a 62 86 14 6f ac 25 d2 7b a9 7b 2a fa 3a 66 f9 b0

   {client} send a Finished handshake message

   {client} send handshake record:

      payload (36 octets): 14 00 00 20 e4 dd f9 c5 4e 5c 65 83 5b e0 e9
         f2 57 03 09 b1 06 f6 72 6e c0 88 2f ca e7 13 8b d7 93 cc c7 1b

      ciphertext (58 octets): 17 03 03 00 35 e8 a7 c0 73 d2 d5 90 fb a2
         33 02 b7 1e 8c 3c ba 0b d4 54 28 97 0c ec de d3 ae 95 24 95 98
         12 7a af 08 ed 15 b8 86 7b 08 67 e2 71 1d 9c e3 97
         38 21 e9 a9
         ca dd

   {client} derive write traffic keys for application data:

      PRK (32 octets): f7 1a e9 97 5d 12 75 6a 41 53 17 a4 4c 63 01 6e
         98 39 5d 1e cd da 48 9b cc af 4a 3e 86 3f 87 35

      key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets): ac 85 66 33 d0 d3 1c 93 c8 53 ba 4a 51 b5
         de f8

      iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets): 0d a9 f7 fe 9e 8d f9 98 05 12 e5 46

   {client} derive secret "tls13 res master":

      PRK (32 octets): fa 2f 37 bc 3a 87 b5 9c 46 10 26 27 17 59 84 d8
         4e 03 5f a5 64 75 9c 1e ec 3b 96 4c e9 7a 1f 14

      hash (32 octets): 80 ec 58 20 f2 d2 75 b0 7a 13 77 80 c4 ad 21 40
         4f 36 36 f0 09 11 33 eb f4 0b 9e 83 4c a4 81 45

      info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73
         74 65 72 20 80 ec 58 20 f2 d2 75 b0 7a 13 77 80 c4 ad 21 40 4f
         36 36 f0 09 11 33 eb f4 0b 9e 83 4c a4 81 45

      output (32 octets): af b3 24 6c 40 8d c0 40 5b a4 c3 2f 40 3b df
         bb 14 8c 27 ad 59 5a 92 0c f7 12 84 e8 60 8b 48 4d

   {server} calculate finished "tls13 finished" (same as client)

   {server} derive read traffic keys for application data (same as
      client write traffic keys)

   {server} derive secret "tls13 res master" (same as client)

   {server} generate resumption secret "tls13 resumption":

      PRK (32 octets): af b3 24 6c 40 8d c0 40 5b a4 c3 2f 40 3b df bb
         14 8c 27 ad 59 5a 92 0c f7 12 84 e8 60 8b 48 4d

      hash (2 octets): 00 00

      info (22 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 75 6d 70 74
         69 6f 6e 02 00 00

      output (32 octets): cd 0b 4e db 66 32 41 4e 03 e9 a1 fb 9c bf 10
         68 c1 3d 7e 0f 94 f7 1d a2 6a 69 51 ba f7 52 9e 76

   {server} send a NewSessionTicket handshake message

   {server} send handshake record:

      payload (205 octets): 04 00 00 c9 00 00 00 1e 83 6a d9 92 02 00
         00 00 b2 20 69 93 e6 82 7e f6 98 84 68 d2 55 00 00 00 00 6a 30
         23 72 43 90 67 fc 81 f4 d3 17 f1 b1 ef 33 00
         70 15 93 bc b0 32
         cc ea 52 8c 5a 07 c3 7b 16 6f 89 7a 83 b7 15 48 18 b7 d1 1a 4e
         90 7c da 4e 3f af 48 95 97 21 44 b3 a7 d9 96 8d 96 28 b6 e5 66
         9c ce f4 26 0e 45 d6 4d 22 d3 b6 1a b5 7b 7f 59 dd f7 e2 cf 7a
         19 6f 9a 32 a3 d9 4f ea 13 eb 25 ab 2d 73 35 78 83 80 dc e7 4d
         47 76 8e cf f4 67 9e 88 af ac a6 18 97 b9 1c 53 ee 85 82 2c 9f
         08 7b e4 05 8f ed 0d 6e b5 e2 68 e6 54 f4 ec 0c 67 5f fb 08 6e
         06 7d 04 39 e3 9d ca f1 fb 60 31 98 db 00 08 00 2a 00 04 00 00
         04 00

      ciphertext (227 octets): 17 03 03 00 de a7 77 b6 77 11 b5 34 f1
         0e 38 1f 45 1f 16 da 00 20 dd 9a af a4 9d b4 62 c2 35 dc cc 6d
         bf c6 39 9c 7e ec 88 ae 2a d6 8b 97 ca 23 b1 72 15 59 e6 6f 67
         7c e6 8c d1 06 7f 41 27 7b ac 40 bb b9 3e 5b 81 0d b4 3c 1c 80
         bd 8b 72 17 17 ba 23 c6 a0 52 ef 78 b6 dc 2b be b4 da e0 06 77
         8b ab 88 a7 a5 d1 7e a3 b6 3f 12 6c 24 67 33 cc 15 b6 28 b5 b7
         43 71 6d 85 f8 f1 f6 77 32 91 c7 37 ae 06 f5 f6 ae 95 6b c3 00
         5d f2 a0 64 94 b0 65 77 68 84 3a e8 fe 95 0e be 81 da 4a c9 9c
         34 e8 e5 73 d5 99 63 75 bb 82 2b 51 67 b4 ae 3f 9c 06 76 f7 e7
         94 a1 61 0f cb 12 e8 f7 9f 08 75 91 3d b9 67 c8 17 90 e9 6f 60
         4e dd 6c 06 c7 70 a2 c0 a8 f6 50 27 8d 22 03 94 8e a6 b2 3c 14
         d3 89 97 4a

   {client} generate resumption secret "tls13 resumption" (same as
      server)

   {client} send application_data record:

      payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e
         0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23
         24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31

      ciphertext (72 octets): 17 03 03 00 43 98 45 d6 12 28 f1 d9 a5 da
         a3 2a 06 64 2c 43 68 1c cf 70 65 24 e2 8d 57 15 2f 6b 8f ac d0
         89 fc 98 26 83 c3 30 a3 e1 1f 16 c5 f7 5d 2d 49 21 5c c0 8a 13
         a1 ec fd 41 a4 1b b1 38 c9 63 48 92 ab 22 63 00

   {server} send application_data record:

      payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e
         0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23
         24
         25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31

      ciphertext (72 octets): 17 03 03 00 43 01 0a 55 e6 e1 14 d0 51 60
         0a b9 5e e7 a3 03 82 3a 23 ae c5 79 be df fa 3f c3 e0 30 18 01
         95 f8 83 6b 58 3b af 9a 14 ae c3 77 be 43 73 a1 a5 ea a1 4e af
         87 9d 3f ca 6f 9b 7e 46 bc 05 46 83 5d 76 71 e8

   {client} send alert record:

      payload (2 octets): 01 00

      ciphertext (24 octets): 17 03 03 00 13 5f 93 e1 bd 82 9d 2b 00 9c
         ad ac 13 3b 7f 0c 1e 8c 94 40

   {server} send alert record:

      payload (2 octets): 01 00

      ciphertext (24 octets): 17 03 03 00 13 09 39 38 d7 0c 6a 9b 1c 9c
         2e 35 6b 60 58 80 70 27 cd 6e

4.  Resumed 0-RTT Handshake

   This handshake resumes from the handshake in Section 3.  Since the
   server provided a session ticket that permitted 0-RTT, and the client
   is configured for 0-RTT, the client is able to send 0-RTT data.

   {client} create an ephemeral x25519 key pair:

      private key (32 octets): 7f cf 6e 8b fb 63 48 3f 0a 1d 23 99 fb
         ce e4 d0 69 39 6c 17 02 62 fb d9 f2 46 81 11 af 24 ab 34

      public key (32 octets): b5 b4 ca 2e 51 9a c8 32 92 3e af 84 f4 13
         3d 53 b2 00 53 63 d5 a7 ad 8e 07 0b d0 fd 15 d6 92 08

   {client} extract secret "early":

      salt: (absent)

      ikm (32 octets): cd 0b 4e db 66 32 41 4e 03 e9 a1 fb 9c bf 10 68
         c1 3d 7e 0f 94 f7 1d a2 6a 69 51 ba f7 52 9e 76

      secret (32 octets): 90 a6 5b c0 8e 4a 66 d4 a9 cf 3c f7 ec 2d 85
         be d7 ae 08 af 83 1d 05 d7 0d 6c c0 a9 39 9c 1e 63

   {client} send a ClientHello handshake message

   {client} calculate finished "tls13 finished":

      PRK (32 octets): 04 5f b4 75 3e d5 65 30 5b 33 d2 04 0b 21 57 2d
         7d 24 b3 ee 18 e7 63 bd 1a 1b 20 cf 2a a6 1a 92

      hash (0 octets): (empty)

      info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets): 89 60 f7 a3 5f 8e e3 52 30 20 1e cf 77 f8 b1
         29 8f 77 73 0f 0d 84 ab 51 31 a4 bb 00 9b 4f 3d 1f

   {client} send handshake record:

      payload (512 octets): 01 00
         01 fc 03 03 0b 27 b6 14 3a d0 49 dd
         d0 4e 5c b7 bb 33 22 d3 60 f6 0a 9b 8e 65 07 bc 79 69 84 19 5b
         d4 e8 cb 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00
         09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12
         00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00
         26 00 24 00 1d 00 20 b5 b4 ca 2e 51 9a c8 32 92 3e af 84 f4 13
         3d 53 b2 00 53 63 d5 a7 ad 8e 07 0b d0 fd 15 d6 92 08 00 2a 00
         00 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02
         03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02
         02 02 00 2d 00 02 01 01 00 15 00 5d 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 29 00 dd 00 b8 00 b2 20 69 93 e6 82 7e f6 98 84 68 d2 55 00
         00 00 00 6a 30 23 72 43 90 67 fc 81 f4 d3 17 f1 b1 ef 33 00 70
         15 93 bc b0 32 cc ea 52 8c 5a 07 c3 7b 16 6f 89 7a 83 b7 15 48
         18 b7 d1 1a 4e 90 7c da 4e 3f af 48 95 97 21 44 b3 a7 d9 96 8d
         96 28 b6 e5 66 9c ce f4 26 0e 45 d6 4d 22 d3 b6 1a b5 7b 7f 59
         dd f7 e2 cf 7a 19 6f 9a 32 a3 d9 4f ea 13 eb 25 ab 2d 73 35 78
         83 80 dc e7 4d 47 76 8e cf f4 67 9e 88 af ac a6 18 97 b9 1c 53
         ee 85 82 2c 9f 08 7b e4 05 8f ed 0d 6e b5 e2 68 e6 54 f4 ec 0c
         67 5f fb 08 6e 06 7d 04 39 e3 9d ca f1 fb 60 31 98 db 83 6a d9
         95 00 21 20 58 34 0e ab 95 8d 02 3c 39 84 b4 82 81 0b 58 ec 53
         7c d3 d1 c6 a9 9d ca 87 1c 73 57 54 1d 45 2f

      ciphertext (517 octets): 16 03 01 02 00 01 00 01 fc 03 03 0b 27
         b6 14 3a d0 49 dd d0 4e 5c b7 bb 33 22 d3 60 f6 0a 9b 8e 65 07
         bc 79 69 84 19 5b d4 e8 cb 00 00 06 13 01 13 03 13 02 01 00 01
         cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00
         00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01
         03 01 04 00 33 00 26 00 24 00 1d
00 20 b5 b4 ca 2e 51 9a c8 32 746 92 3e af 84 f4 13 3d 53 b2 00 53 63 d5 a7 ad 8e 07 0b d0 fd 15 747 d6 92 08 00 2a 00 00 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 748 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 749 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 15 00 5d 00 00 00 750 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 751 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 752 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 753 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 754 00 00 00 00 00 00 00 29 00 dd 00 b8 00 b2 20 69 93 e6 82 7e f6 755 98 84 68 d2 55 00 00 00 00 6a 30 23 72 43 90 67 fc 81 f4 d3 17 756 f1 b1 ef 33 00 70 15 93 bc b0 32 cc ea 52 8c 5a 07 c3 7b 16 6f 757 89 7a 83 b7 15 48 18 b7 d1 1a 4e 90 7c da 4e 3f af 48 95 97 21 758 44 b3 a7 d9 96 8d 96 28 b6 e5 66 9c ce f4 26 0e 45 d6 4d 22 d3 759 b6 1a b5 7b 7f 59 dd f7 e2 cf 7a 19 6f 9a 32 a3 d9 4f ea 13 eb 760 25 ab 2d 73 35 78 83 80 dc e7 4d 47 76 8e cf f4 67 9e 88 af ac 761 a6 18 97 b9 1c 53 ee 85 82 2c 9f 08 7b e4 05 8f ed 0d 6e b5 e2 762 68 e6 54 f4 ec 0c 67 5f fb 08 6e 06 7d 04 39 e3 9d ca f1 fb 60 763 31 98 db 83 6a d9 95 00 21 20 58 34 0e ab 95 8d 02 3c 39 84 b4 764 82 81 0b 58 ec 53 7c d3 d1 c6 a9 9d ca 87 1c 73 57 54 1d 45 2f 766 {client} derive secret "tls13 c e traffic": 768 PRK (32 octets): 90 a6 5b c0 8e 4a 66 d4 a9 cf 3c f7 ec 2d 85 be 769 d7 ae 08 af 83 1d 05 d7 0d 6c c0 a9 39 9c 1e 63 771 hash (32 octets): 02 ce c3 cc b1 be e9 72 06 ff bf 5b 0e db f9 43 772 0a d8 02 05 96 0c 04 ba ff ad b6 dc d3 81 b9 0c 774 info (53 octets): 00 20 11 74 6c 73 31 33 20 63 20 65 20 74 72 61 775 66 66 69 63 20 02 ce c3 cc b1 be e9 72 06 ff bf 5b 0e db f9 43 776 0a d8 02 05 96 0c 04 ba ff ad b6 dc d3 81 b9 0c 778 output (32 octets): b0 ea 52 04 68 97 4f 91 39 58 7d cf f5 6f 77 779 85 69 96 02 fb c8 0c 0c 18 50 82 79 dc bf d0 7b 03 781 {client} derive secret "tls13 e exp master": 783 PRK (32 octets): 90 a6 5b c0 8e 4a 66 
d4 a9 cf 3c f7 ec 2d 85 be 784 d7 ae 08 af 83 1d 05 d7 0d 6c c0 a9 39 9c 1e 63 786 hash (32 octets): 02 ce c3 cc b1 be e9 72 06 ff bf 5b 0e db f9 43 787 0a d8 02 05 96 0c 04 ba ff ad b6 dc d3 81 b9 0c 789 info (54 octets): 00 20 12 74 6c 73 31 33 20 65 20 65 78 70 20 6d 790 61 73 74 65 72 20 02 ce c3 cc b1 be e9 72 06 ff bf 5b 0e db f9 791 43 0a d8 02 05 96 0c 04 ba ff ad b6 dc d3 81 b9 0c 793 output (32 octets): bc 79 ec a3 3d c5 5e 77 f4 a2 b3 1d e3 b2 eb 794 b7 ff 1a 03 16 e6 a2 ea 2e 1e d1 88 1e 65 c0 ee ba 796 {client} derive write traffic keys for early application data: 798 PRK (32 octets): b0 ea 52 04 68 97 4f 91 39 58 7d cf f5 6f 77 85 799 69 96 02 fb c8 0c 0c 18 50 82 79 dc bf d0 7b 03 801 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 803 key output (16 octets): ad 52 61 5a d7 8f ef c8 30 d7 b5 23 c5 6d 804 39 6c 806 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 808 iv output (12 octets): 1a 68 22 06 82 d9 52 2f 6f d9 80 cb 810 {client} send application_data record: 812 payload (6 octets): 41 42 43 44 45 46 813 ciphertext (28 octets): 17 03 03 00 17 f0 a5 2c ad f2 f8 10 e3 ea 814 31 4a 9e 0d 74 94 18 0c 07 e1 b6 dd 23 05 816 {server} extract secret "early" (same as client) 818 {server} calculate finished "tls13 finished" (same as client) 820 {server} create an ephemeral x25519 key pair: 822 private key (32 octets): 73 c0 5e e2 5c db 68 51 18 f0 f7 dd 5f 823 d2 dd 12 9d 17 a7 98 b9 1c c5 fe 62 ed 70 a9 ba af 53 2f 825 public key (32 octets): 47 d1 32 89 df 6f a0 fc 57 3c 74 fa 73 40 826 a2 6f 43 38 28 70 7d e5 72 7e 68 28 cb d0 81 9d a9 76 828 {server} derive secret "tls13 c e traffic" (same as client) 830 {server} derive secret "tls13 e exp master" (same as client) 832 {server} send a ServerHello handshake message 834 {server} derive secret for handshake "tls13 derived": 836 PRK (32 octets): 90 a6 5b c0 8e 4a 66 d4 a9 cf 3c f7 ec 2d 85 be 837 d7 ae 08 af 83 1d 05 d7 0d 6c c0 a9 39 9c 1e 63 839 hash (32 octets): e3 b0 c4 42 98 fc 
1c 14 9a fb f4 c8 99 6f b9 24 840 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 842 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 843 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 844 64 9b 93 4c a4 95 99 1b 78 52 b8 55 846 output (32 octets): 95 c5 f6 ae c8 48 4c ad 65 ee ff f1 0c 48 a8 847 4f 34 d6 53 d6 59 91 bf de 13 69 81 97 b3 b9 b4 5d 849 {server} extract secret "handshake": 851 salt (32 octets): 95 c5 f6 ae c8 48 4c ad 65 ee ff f1 0c 48 a8 4f 852 34 d6 53 d6 59 91 bf de 13 69 81 97 b3 b9 b4 5d 854 ikm (32 octets): 4f 81 91 7a 09 87 67 f2 22 5f cf 33 e8 a5 d5 33 855 d6 88 3b d8 ee 16 00 b2 c5 e4 f0 e8 24 02 06 37 857 secret (32 octets): 96 eb 95 b5 63 62 0c 58 ca d2 c7 37 0f b7 4b 858 8f 55 b2 0e 28 bd bc 2d 70 6e 6f db aa 9e 9e 60 93 860 {server} derive secret "tls13 c hs traffic": 862 PRK (32 octets): 96 eb 95 b5 63 62 0c 58 ca d2 c7 37 0f b7 4b 8f 863 55 b2 0e 28 bd bc 2d 70 6e 6f db aa 9e 9e 60 93 865 hash (32 octets): ab e0 a2 b9 a8 84 3e 92 93 a8 36 91 96 7c fa 4c 866 d0 8d 8e fc 0b 13 63 39 a9 1a 6d 01 45 3d 32 91 868 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 869 61 66 66 69 63 20 ab e0 a2 b9 a8 84 3e 92 93 a8 36 91 96 7c fa 870 4c d0 8d 8e fc 0b 13 63 39 a9 1a 6d 01 45 3d 32 91 872 output (32 octets): 50 26 86 51 18 93 2f ba 00 9f b8 84 c2 6c e1 873 8e 44 96 c8 f3 57 dd f0 d1 a9 0b c2 7b 4c 31 92 9c 875 {server} derive secret "tls13 s hs traffic": 877 PRK (32 octets): 96 eb 95 b5 63 62 0c 58 ca d2 c7 37 0f b7 4b 8f 878 55 b2 0e 28 bd bc 2d 70 6e 6f db aa 9e 9e 60 93 880 hash (32 octets): ab e0 a2 b9 a8 84 3e 92 93 a8 36 91 96 7c fa 4c 881 d0 8d 8e fc 0b 13 63 39 a9 1a 6d 01 45 3d 32 91 883 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 884 61 66 66 69 63 20 ab e0 a2 b9 a8 84 3e 92 93 a8 36 91 96 7c fa 885 4c d0 8d 8e fc 0b 13 63 39 a9 1a 6d 01 45 3d 32 91 887 output (32 octets): c9 23 18 b4 c5 6f ba 46 bf 6e ef 2a 9a 8f 02 888 33 a2 8b ab 9b b9 66 67 4a 19 32 0b b5 3c 
50 10 19 890 {server} derive secret for master "tls13 derived": 892 PRK (32 octets): 96 eb 95 b5 63 62 0c 58 ca d2 c7 37 0f b7 4b 8f 893 55 b2 0e 28 bd bc 2d 70 6e 6f db aa 9e 9e 60 93 895 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 896 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 898 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 899 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 900 64 9b 93 4c a4 95 99 1b 78 52 b8 55 902 output (32 octets): b2 da f2 ee a8 bb d9 2b 5d 84 12 d4 26 7a 3c 903 31 6c 09 cd 45 8e 71 ab dc c6 7b e6 b1 41 6c 0f 31 905 {server} extract secret "master": 907 salt (32 octets): b2 da f2 ee a8 bb d9 2b 5d 84 12 d4 26 7a 3c 31 908 6c 09 cd 45 8e 71 ab dc c6 7b e6 b1 41 6c 0f 31 910 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 911 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 913 secret (32 octets): c5 ee bf b8 6e 50 81 37 24 5d 79 91 9a 3d 43 914 19 61 bc 0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6b 02 916 {server} send handshake record: 918 payload (96 octets): 02 00 00 5c 03 03 3e 47 ec 55 17 e3 8e 7e f5 919 cc bc 69 f9 2f 5b 20 b8 fa 46 a6 54 66 31 bb 99 fa 08 65 f4 af 920 22 8c 00 13 01 00 00 34 00 29 00 02 00 00 00 33 00 24 00 1d 00 921 20 47 d1 32 89 df 6f a0 fc 57 3c 74 fa 73 40 a2 6f 43 38 28 70 922 7d e5 72 7e 68 28 cb d0 81 9d a9 76 00 2b 00 02 7f 1c 924 ciphertext (101 octets): 16 03 03 00 60 02 00 00 5c 03 03 3e 47 925 ec 55 17 e3 8e 7e f5 cc bc 69 f9 2f 5b 20 b8 fa 46 a6 54 66 31 926 bb 99 fa 08 65 f4 af 22 8c 00 13 01 00 00 34 00 29 00 02 00 00 927 00 33 00 24 00 1d 00 20 47 d1 32 89 df 6f a0 fc 57 3c 74 fa 73 928 40 a2 6f 43 38 28 70 7d e5 72 7e 68 28 cb d0 81 9d a9 76 00 2b 929 00 02 7f 1c 931 {server} derive write traffic keys for handshake data: 933 PRK (32 octets): c9 23 18 b4 c5 6f ba 46 bf 6e ef 2a 9a 8f 02 33 934 a2 8b ab 9b b9 66 67 4a 19 32 0b b5 3c 50 10 19 936 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 938 key output (16 
octets): 0d 71 1f 45 1d c2 0e fc 7e f8 08 9b 44 79 939 75 ac 941 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 943 iv output (12 octets): ee 5d 71 8a 24 a8 e5 32 8d bc 58 00 945 {server} send a EncryptedExtensions handshake message 947 {server} calculate finished "tls13 finished": 949 PRK (32 octets): c9 23 18 b4 c5 6f ba 46 bf 6e ef 2a 9a 8f 02 33 950 a2 8b ab 9b b9 66 67 4a 19 32 0b b5 3c 50 10 19 952 hash (0 octets): (empty) 954 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 955 64 00 957 output (32 octets): 89 20 c8 40 6e b4 0e d6 66 66 68 95 ae 3d 8d 958 12 67 0e c0 e4 5f 0b cb 63 cf ef f5 13 38 e8 1a 5b 960 {server} send a Finished handshake message 962 {server} send handshake record: 964 payload (74 octets): 08 00 00 22 00 20 00 0a 00 14 00 12 00 1d 00 965 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 00 2a 966 00 00 14 00 00 20 b5 06 45 62 14 0c b7 fa 10 da 9a 57 ff 61 7b 967 f2 66 d7 14 b7 8b 59 41 a0 af 36 3f ac c1 8d a6 b0 969 ciphertext (96 octets): 17 03 03 00 5b c8 2d 5e 2c 40 f0 77 cc 7d 970 8b c6 f5 0a 61 52 c2 ff e0 d9 30 60 11 a6 c2 7c 1c 2a c3 88 4c 971 a6 1e f2 08 46 fb c3 dd 91 19 4e 26 b6 9a 4a 74 73 a2 51 4d e7 972 76 68 92 9d 4c 77 63 64 51 21 70 9f 8a 64 a2 9d 14 88 0b 6d f1 973 04 08 b5 74 da 7e 2e 5d 0b 6c da 9d 18 4f fe 57 62 b5 5f 975 {server} derive secret "tls13 c ap traffic": 977 PRK (32 octets): c5 ee bf b8 6e 50 81 37 24 5d 79 91 9a 3d 43 19 978 61 bc 0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6b 02 980 hash (32 octets): 11 bf 9b 71 22 aa c5 07 85 59 ef 90 f7 8e e0 78 981 32 a6 79 72 a2 c7 f4 bd 8f 56 15 d0 bc 19 7a 39 983 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 984 61 66 66 69 63 20 11 bf 9b 71 22 aa c5 07 85 59 ef 90 f7 8e e0 985 78 32 a6 79 72 a2 c7 f4 bd 8f 56 15 d0 bc 19 7a 39 987 output (32 octets): bc 39 56 2d 42 a4 e7 62 8d cc 15 1b ba c1 16 988 88 06 9c 1c 56 ca cd 17 d4 cc 53 4a bb 05 e3 c0 3e 990 {server} derive secret "tls13 s ap traffic": 992 PRK (32 octets): 
c5 ee bf b8 6e 50 81 37 24 5d 79 91 9a 3d 43 19 993 61 bc 0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6b 02 995 hash (32 octets): 11 bf 9b 71 22 aa c5 07 85 59 ef 90 f7 8e e0 78 996 32 a6 79 72 a2 c7 f4 bd 8f 56 15 d0 bc 19 7a 39 998 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 999 61 66 66 69 63 20 11 bf 9b 71 22 aa c5 07 85 59 ef 90 f7 8e e0 1000 78 32 a6 79 72 a2 c7 f4 bd 8f 56 15 d0 bc 19 7a 39 1002 output (32 octets): a2 05 9e be 09 34 8a d4 2b 1d 6a 72 01 9e 8f 1003 89 06 0d e5 9f de 34 2d 4a d1 68 f2 08 5c ab c3 60 1005 {server} derive secret "tls13 exp master": 1007 PRK (32 octets): c5 ee bf b8 6e 50 81 37 24 5d 79 91 9a 3d 43 19 1008 61 bc 0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6b 02 1010 hash (32 octets): 11 bf 9b 71 22 aa c5 07 85 59 ef 90 f7 8e e0 78 1011 32 a6 79 72 a2 c7 f4 bd 8f 56 15 d0 bc 19 7a 39 1013 info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 1014 74 65 72 20 11 bf 9b 71 22 aa c5 07 85 59 ef 90 f7 8e e0 78 32 1015 a6 79 72 a2 c7 f4 bd 8f 56 15 d0 bc 19 7a 39 1017 output (32 octets): e2 d4 f1 2f c6 26 c2 91 de 52 8c 4d d2 cb 1f 1018 d2 11 b2 d8 44 d9 53 d4 7a 48 d8 17 87 64 05 88 41 1020 {server} derive write traffic keys for application data: 1022 PRK (32 octets): a2 05 9e be 09 34 8a d4 2b 1d 6a 72 01 9e 8f 89 1023 06 0d e5 9f de 34 2d 4a d1 68 f2 08 5c ab c3 60 1025 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1027 key output (16 octets): 2e c4 83 49 b4 00 e4 9d bb 71 9a 98 91 11 1028 2d 99 1030 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1032 iv output (12 octets): b2 6b 47 20 2b 9a 93 55 45 90 c0 3c 1034 {server} derive read traffic keys for early application data (same 1035 as client write traffic keys) 1037 {client} derive secret for handshake "tls13 derived": 1039 PRK (32 octets): 90 a6 5b c0 8e 4a 66 d4 a9 cf 3c f7 ec 2d 85 be 1040 d7 ae 08 af 83 1d 05 d7 0d 6c c0 a9 39 9c 1e 63 1042 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 1043 27 ae 41 e4 64 9b 93 4c 
         a4 95 99 1b 78 52 b8 55

      info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets): 95 c5 f6 ae c8 48 4c ad 65 ee ff f1 0c 48 a8
         4f 34 d6 53 d6 59 91 bf de 13 69 81 97 b3 b9 b4 5d

   {client} extract secret "handshake":

      salt (32 octets): 95 c5 f6 ae c8 48 4c ad 65 ee ff f1 0c 48 a8 4f
         34 d6 53 d6 59 91 bf de 13 69 81 97 b3 b9 b4 5d

      ikm (32 octets): 4f 81 91 7a 09 87 67 f2 22 5f cf 33 e8 a5 d5 33
         d6 88 3b d8 ee 16 00 b2 c5 e4 f0 e8 24 02 06 37

      secret (32 octets): 96 eb 95 b5 63 62 0c 58 ca d2 c7 37 0f b7 4b
         8f 55 b2 0e 28 bd bc 2d 70 6e 6f db aa 9e 9e 60 93

   {client} derive secret "tls13 c hs traffic" (same as server)

   {client} derive secret "tls13 s hs traffic" (same as server)

   {client} derive secret for master "tls13 derived" (same as server)

   {client} extract secret "master" (same as server)

   {client} derive read traffic keys for handshake data:

      PRK (32 octets): c9 23 18 b4 c5 6f ba 46 bf 6e ef 2a 9a 8f 02 33
         a2 8b ab 9b b9 66 67 4a 19 32 0b b5 3c 50 10 19

      key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets): 0d 71 1f 45 1d c2 0e fc 7e f8 08 9b 44 79
         75 ac

      iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets): ee 5d 71 8a 24 a8 e5 32 8d bc 58 00

   {client} calculate finished "tls13 finished" (same as server)

   {client} derive secret "tls13 c ap traffic" (same as server)

   {client} derive secret "tls13 s ap traffic" (same as server)

   {client} derive secret "tls13 exp master" (same as server)

   {client} send a EndOfEarlyData handshake message

   {client} send handshake record:

      payload (4 octets): 05 00 00 00

      ciphertext (26 octets): 17 03 03 00 15 87 ea 08 9b c5 7f 33 1c 4f
         ad 29 80 d7 5e 3b c1 cc 55 40 e8 75

   {client} derive write traffic keys for handshake data:

      PRK (32 octets): 50 26 86 51 18 93 2f ba 00 9f b8 84 c2 6c e1 8e
         44 96 c8 f3 57 dd f0 d1 a9 0b c2 7b 4c 31 92 9c

      key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets): 4c 0f 31 7d 9a b1 56 f2 7b 71 cb ca 63 3d
         f7 4f

      iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets): e3 19 71 d9 f6 41 4b 45 de 4c 4c e2

   {client} derive read traffic keys for application data (same as
      server write traffic keys)

   {client} calculate finished "tls13 finished":

      PRK (32 octets): 50 26 86 51 18 93 2f ba 00 9f b8 84 c2 6c e1 8e
         44 96 c8 f3 57 dd f0 d1 a9 0b c2 7b 4c 31 92 9c

      hash (0 octets): (empty)

      info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets): 68 9e a0 1d d9 3b e4 b2 38 94 de ab a8 d0 7c
         56 31 29 ad 6b ef dd 7b 3d 8d ef e5 8e 4f 7e 3a 44

   {client} send a Finished handshake message

   {client} send handshake record:

      payload (36 octets): 14 00 00 20 52 90 13 55 ab 06 bb fb ab 3a 81
         cc 67 e3 6f eb 5d 8d a1 63 2a 02 ba 83 0a 8f c8 5f 4c 22 66 cf

      ciphertext (58 octets): 17 03 03 00 35 39 ab 4d 04 21 bb 3e 2b 85
         53 d0 2c ee 16 d3 78 c5 0f a8 76 fd 44 b4 d8 c6 36 26 6e 44 70
         bd 05 f4 77 d4 fb 91 70 f4 42 96 e2 43 3c 78 0e ef c7 50 5f 9b
         e1 68

   {client} derive write traffic keys for application data:

      PRK (32 octets): bc 39 56 2d 42 a4 e7 62 8d cc 15 1b ba c1 16 88
         06 9c 1c 56 ca cd 17 d4 cc 53 4a bb 05 e3 c0 3e

      key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets): 24 56 8c c4 56 c9 16 6a 17 54 e3 f8 4d da
         66 23

      iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets): 92 d2 da ec 04 ce c8 de 21 2a 8e 0c

   {client} derive secret "tls13 res master":

      PRK (32 octets): c5 ee bf b8 6e 50 81 37 24 5d 79 91 9a 3d 43 19
         61 bc 0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6b 02

      hash (32 octets): 74 61 12 2a b1 9d 89 46 41 d8 1c 0b 32 71 a9 35
         90 9f be 21 87 ce 40 18 d1 81 d0 4b 1f 9b 95 8a

      info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73
         74 65 72 20 74 61 12 2a b1 9d 89 46 41 d8 1c 0b 32 71 a9 35 90
         9f be 21 87 ce 40 18 d1 81 d0 4b 1f 9b 95 8a

      output (32 octets): 98 85 4e 70 a8 c2 0f 1b 02 44 b8 d9 f2 e9 94
         37 7d 11 dd 0b 6b 09 42 29 de f0 cd 55 56 9a c1 20

   {server} derive read traffic keys for handshake data:

      PRK (32 octets): 50 26 86 51 18 93 2f ba 00 9f b8 84 c2 6c e1 8e
         44 96 c8 f3 57 dd f0 d1 a9 0b c2 7b 4c 31 92 9c

      key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets): 4c 0f 31 7d 9a b1 56 f2 7b 71 cb ca 63 3d
         f7 4f

      iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets): e3 19 71 d9 f6 41 4b 45 de 4c 4c e2

   {server} calculate finished "tls13 finished" (same as client)

   {server} derive read traffic keys for application data (same as
      client write traffic keys)

   {server} derive secret "tls13 res master" (same as client)

   {client} send application_data record:

      payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e
         0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23
         24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31

      ciphertext (72 octets): 17 03 03 00 43 28 e8 c4 0d 6e 0a 83 0c 62
         58 8a 5a 29 e4 1e 24 48 3d 50 c8 57 f0 1f d2 25 6f a4 51 4e 2d
         4c a3 77 fd ff 96 26 0e a6 46 a6 92 4e 93 3d 96 74 29 3f 26 ab
         a3 a6 da 07 4c 16 c0 27 68 65 ab 02 df 0e 61 01

   {server} send application_data record:

      payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e
         0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23
         24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31

      ciphertext (72 octets): 17 03 03 00 43 54 25 7b ed c2 61 dd 2c f2
         a5 bd f1 3f ed fc 93 7a 46 dd 32 59 9b 6f 16 df 78 2e 92 42 bd
         43 b0 b4 7e 79 b6 b5 fd 5a 98 23 d7 6f a6 fc ad 1c 84 97 c3 8a
         62 20 70 af 9e 2a 72 6c 78 b3 ee bc 92 9b 27 66

   {client} send alert record:

      payload (2 octets): 01 00

      ciphertext (24 octets): 17 03 03 00 13 5a d6 a3 97 6d 9d 6c b8 66
         b4 a3 5c 0f b4 53 90 ae dd 88

   {server} send alert record:

      payload (2 octets): 01 00

      ciphertext (24 octets): 17 03 03 00 13 1d 7f 76 5d 2c d2 65 53 b2
         f3 a8 c4 0a 71 a7 e6 48 c3 87

5. HelloRetryRequest

   In this example, the client initiates a handshake with an X25519
   [RFC7748] share. The server however prefers P-256 [FIPS186] and
   sends a HelloRetryRequest that requires the client to generate a key
   share on the P-256 curve.

   {client} create an ephemeral x25519 key pair:

      private key (32 octets): 2f 74 42 ae 1b ce d7 5e 82 f9 be 34 3c
         af cd fd 6c 14 28 e6 19 f1 f5 1a ae 58 68 01 1b 94 4c ab

      public key (32 octets): 18 77 ec d6 d3 b5 46 fb 68 dd 27 35 0f 25
         24 87 b7 e8 7b 8a 91 2c e1 a6 a8 8c d0 bb 02 cd 15 49

   {client} send a ClientHello handshake message

   {client} send handshake record:

      payload (174 octets): 01 00 00 aa 03 03 b7 c9 bc 82 7e a9 0b 53
         72 b5 ba 58 29 7e 40 ba 82 77 ce bf be eb 8e af 94 e8 85 36 5b
         91 c5 bb 00 00 06 13 01 13 03 13 02 01 00 00 7b 00 00 00 0b 00
         09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06
         00 1d 00 17 00 18 00 33 00 26 00 24 00 1d 00 20 18 77 ec d6 d3
         b5 46 fb 68 dd 27 35 0f 25 24 87 b7 e8 7b 8a 91 2c e1 a6 a8 8c
         d0 bb 02 cd 15 49 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03
         05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04
         02 05 02 06 02 02 02 00 2d 00 02 01 01

      ciphertext (179 octets): 16 03 01 00 ae 01 00 00 aa 03 03 b7 c9
         bc 82 7e a9 0b 53 72 b5 ba 58 29 7e 40 ba 82 77 ce bf be eb 8e
         af 94 e8 85 36 5b 91 c5 bb 00 00 06 13 01 13 03 13 02 01 00 00
         7b 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00
         00 0a
00 08 00 06 00 1d 00 17 00 18 00 33 00 26 00 24 00 1d 00 1263 20 18 77 ec d6 d3 b5 46 fb 68 dd 27 35 0f 25 24 87 b7 e8 7b 8a 1264 91 2c e1 a6 a8 8c d0 bb 02 cd 15 49 00 2b 00 03 02 7f 1c 00 0d 1265 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 1266 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 1268 {server} send a ServerHello handshake message 1270 {server} send handshake record: 1272 payload (176 octets): 02 00 00 ac 03 03 cf 21 ad 74 e5 9a 61 11 1273 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 9e 09 e2 c8 1274 a8 33 9c 00 13 01 00 00 84 00 33 00 02 00 17 00 2c 00 74 00 72 1275 20 1c e9 22 bf 9a 57 cc 0c 63 8a 02 00 00 00 00 b5 89 27 72 3a 1276 7b 57 e1 de 6d 9d 65 d4 9b 4c 1d 00 30 39 bc 6d f6 e6 1b 34 45 1277 a1 12 cf 2c 5d f4 b3 bd 4c db 05 07 08 57 d9 f0 22 e8 6a c7 df 1278 91 a9 4a 1b e9 fd 61 ac b3 22 13 7a d5 63 70 dc fa 29 55 aa c6 1279 d6 ab 28 a2 98 43 62 89 9d 38 b7 b0 9b 3c 4d 86 76 a4 8b b2 c6 1280 bd 05 02 fc c5 61 b5 50 2e 00 2b 00 02 7f 1c 1282 ciphertext (181 octets): 16 03 03 00 b0 02 00 00 ac 03 03 cf 21 1283 ad 74 e5 9a 61 11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 1284 5e 07 9e 09 e2 c8 a8 33 9c 00 13 01 00 00 84 00 33 00 02 00 17 1285 00 2c 00 74 00 72 20 1c e9 22 bf 9a 57 cc 0c 63 8a 02 00 00 00 1286 00 b5 89 27 72 3a 7b 57 e1 de 6d 9d 65 d4 9b 4c 1d 00 30 39 bc 1287 6d f6 e6 1b 34 45 a1 12 cf 2c 5d f4 b3 bd 4c db 05 07 08 57 d9 1288 f0 22 e8 6a c7 df 91 a9 4a 1b e9 fd 61 ac b3 22 13 7a d5 63 70 1289 dc fa 29 55 aa c6 d6 ab 28 a2 98 43 62 89 9d 38 b7 b0 9b 3c 4d 1290 86 76 a4 8b b2 c6 bd 05 02 fc c5 61 b5 50 2e 00 2b 00 02 7f 1c 1292 {client} create an ephemeral P-256 key pair: 1294 private key (32 octets): 12 04 90 37 70 08 12 91 d2 e2 8c 2e 4c 1295 cc ae fd fa be a9 02 d6 24 cc 53 7e 17 7e f4 62 e0 4e 68 1297 public key (65 octets): 04 34 64 59 40 3b b6 5d 0e 0d 11 d1 03 8b 1298 e7 1b 03 a7 56 2b 01 e0 3a a1 b5 80 25 c4 65 88 a4 09 3f 1c 75 1299 98 bd 8c 79 ee 7e fc 5b a7 49 bd 24 3c 10 82 12 3a 37 
f9 3f 9a 1300 00 8c ff 64 5b c4 e5 8f 20 1302 {client} send a ClientHello handshake message 1304 {client} send handshake record: 1306 payload (512 octets): 01 00 01 fc 03 03 b7 c9 bc 82 7e a9 0b 53 1307 72 b5 ba 58 29 7e 40 ba 82 77 ce bf be eb 8e af 94 e8 85 36 5b 1308 91 c5 bb 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00 1309 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06 1310 00 1d 00 17 00 18 00 33 00 47 00 45 00 17 00 41 04 34 64 59 40 1311 3b b6 5d 0e 0d 11 d1 03 8b e7 1b 03 a7 56 2b 01 e0 3a a1 b5 80 1312 25 c4 65 88 a4 09 3f 1c 75 98 bd 8c 79 ee 7e fc 5b a7 49 bd 24 1313 3c 10 82 12 3a 37 f9 3f 9a 00 8c ff 64 5b c4 e5 8f 20 00 2b 00 1314 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 1315 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2c 1316 00 74 00 72 20 1c e9 22 bf 9a 57 cc 0c 63 8a 02 00 00 00 00 b5 1317 89 27 72 3a 7b 57 e1 de 6d 9d 65 d4 9b 4c 1d 00 30 39 bc 6d f6 1318 e6 1b 34 45 a1 12 cf 2c 5d f4 b3 bd 4c db 05 07 08 57 d9 f0 22 1319 e8 6a c7 df 91 a9 4a 1b e9 fd 61 ac b3 22 13 7a d5 63 70 dc fa 1320 29 55 aa c6 d6 ab 28 a2 98 43 62 89 9d 38 b7 b0 9b 3c 4d 86 76 1321 a4 8b b2 c6 bd 05 02 fc c5 61 b5 50 2e 00 2d 00 02 01 01 00 15 1322 00 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1323 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1324 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1325 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1326 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1327 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1328 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1329 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1332 ciphertext (517 octets): 16 03 03 02 00 01 00 01 fc 03 03 b7 c9 1333 bc 82 7e a9 0b 53 72 b5 ba 58 29 7e 40 ba 82 77 ce bf be eb 8e 1334 af 94 e8 85 36 5b 91 c5 bb 00 00 06 13 01 13 
03 13 02 01 00 01 1335 cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 1336 00 0a 00 08 00 06 00 1d 00 17 00 18 00 33 00 47 00 45 00 17 00 1337 41 04 34 64 59 40 3b b6 5d 0e 0d 11 d1 03 8b e7 1b 03 a7 56 2b 1338 01 e0 3a a1 b5 80 25 c4 65 88 a4 09 3f 1c 75 98 bd 8c 79 ee 7e 1339 fc 5b a7 49 bd 24 3c 10 82 12 3a 37 f9 3f 9a 00 8c ff 64 5b c4 1340 e5 8f 20 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 1341 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 1342 06 02 02 02 00 2c 00 74 00 72 20 1c e9 22 bf 9a 57 cc 0c 63 8a 1343 02 00 00 00 00 b5 89 27 72 3a 7b 57 e1 de 6d 9d 65 d4 9b 4c 1d 1344 00 30 39 bc 6d f6 e6 1b 34 45 a1 12 cf 2c 5d f4 b3 bd 4c db 05 1345 07 08 57 d9 f0 22 e8 6a c7 df 91 a9 4a 1b e9 fd 61 ac b3 22 13 1346 7a d5 63 70 dc fa 29 55 aa c6 d6 ab 28 a2 98 43 62 89 9d 38 b7 1347 b0 9b 3c 4d 86 76 a4 8b b2 c6 bd 05 02 fc c5 61 b5 50 2e 00 2d 1348 00 02 01 01 00 15 00 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 1349 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1351 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1352 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1353 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1354 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1355 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1356 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1358 {server} extract secret "early": 1360 salt: (absent) 1362 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1363 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1365 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c 1366 e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 1368 {server} create an ephemeral P-256 key pair: 1370 private key (32 octets): 02 03 21 a8 85 5a 5c ce 43 5e c4 eb 2c 1371 74 54 9d cd 14 b2 50 cc 88 ae b4 e1 a8 27 77 a2 a8 3d 
e2 1373 public key (65 octets): 04 a9 fc 26 e5 99 e4 8d ed 07 36 f4 b1 b2 1374 20 2b f4 9c f3 e5 eb 5a 37 0b aa 88 8b 45 50 27 32 36 85 e5 e8 1375 eb 52 e1 d3 63 73 08 76 d4 4a 1a cf 53 25 8e a6 e1 75 c1 4c 5f 1376 20 2c a0 eb b8 a7 3a f2 34 1378 {server} send a ServerHello handshake message 1380 {server} derive secret for handshake "tls13 derived": 1382 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 1383 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 1385 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 1386 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1388 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 1389 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 1390 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1392 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 1393 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 1395 {server} extract secret "handshake": 1397 salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 1398 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 1400 ikm (32 octets): 67 5e 8f e3 7d f3 8e b4 ae d1 ac 3e a4 a0 a1 63 1401 a7 26 56 83 e4 3d ca 95 40 43 87 73 24 aa cf 70 1403 secret (32 octets): 56 b6 d9 4c b7 89 04 56 07 85 86 b5 d6 5d 69 1404 69 bc 7c 48 51 ff 7f 95 33 75 ed cb e2 60 4c 1f 8e 1406 {server} derive secret "tls13 c hs traffic": 1408 PRK (32 octets): 56 b6 d9 4c b7 89 04 56 07 85 86 b5 d6 5d 69 69 1409 bc 7c 48 51 ff 7f 95 33 75 ed cb e2 60 4c 1f 8e 1411 hash (32 octets): 0b 61 d4 9c 83 fe f7 da 03 04 0f e3 5e 72 33 fe 1412 bd 0f 47 e2 c0 e0 9c 85 a4 a1 2f 89 a0 04 a1 6f 1414 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 1415 61 66 66 69 63 20 0b 61 d4 9c 83 fe f7 da 03 04 0f e3 5e 72 33 1416 fe bd 0f 47 e2 c0 e0 9c 85 a4 a1 2f 89 a0 04 a1 6f 1418 output (32 octets): 96 f0 1d 63 6d 87 b9 36 1c 0b 8b 93 0c de d9 1419 7b 59 06 0b 89 3b e2 4e 5d 64 b5 25 86 c0 39 ac 18 1421 {server} derive secret "tls13 s hs traffic": 1423 PRK 
(32 octets): 56 b6 d9 4c b7 89 04 56 07 85 86 b5 d6 5d 69 69 1424 bc 7c 48 51 ff 7f 95 33 75 ed cb e2 60 4c 1f 8e 1426 hash (32 octets): 0b 61 d4 9c 83 fe f7 da 03 04 0f e3 5e 72 33 fe 1427 bd 0f 47 e2 c0 e0 9c 85 a4 a1 2f 89 a0 04 a1 6f 1429 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 1430 61 66 66 69 63 20 0b 61 d4 9c 83 fe f7 da 03 04 0f e3 5e 72 33 1431 fe bd 0f 47 e2 c0 e0 9c 85 a4 a1 2f 89 a0 04 a1 6f 1433 output (32 octets): 48 c0 79 83 b0 b1 9b 41 75 36 af 49 aa 3c 4f 1434 a1 20 26 fe fa 16 d0 40 12 8b 7f 87 19 6c ab fe 14 1436 {server} derive secret for master "tls13 derived": 1438 PRK (32 octets): 56 b6 d9 4c b7 89 04 56 07 85 86 b5 d6 5d 69 69 1439 bc 7c 48 51 ff 7f 95 33 75 ed cb e2 60 4c 1f 8e 1441 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 1442 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1444 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 1445 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 1446 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1448 output (32 octets): ef ff c0 f0 7a 08 0f cd c7 7e 55 8a 02 f1 77 1449 f7 32 a9 ff 20 12 8b 66 a0 de e7 1c a3 99 74 ba c8 1451 {server} extract secret "master": 1453 salt (32 octets): ef ff c0 f0 7a 08 0f cd c7 7e 55 8a 02 f1 77 f7 1454 32 a9 ff 20 12 8b 66 a0 de e7 1c a3 99 74 ba c8 1456 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1457 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1459 secret (32 octets): 67 f3 ca a1 17 80 44 45 c3 84 1d f0 d6 cf 0c 1460 be 84 eb 2d 1e 29 29 3c de 0e 59 8b c0 79 99 24 00 1462 {server} send handshake record: 1464 payload (123 octets): 02 00 00 77 03 03 a9 8d a5 12 67 95 e8 50 1465 bf d4 69 ae 41 2c 8a d6 c6 a2 43 da b5 ca 68 9b cc 37 7b 7f 45 1466 7e 93 57 00 13 01 00 00 4f 00 33 00 45 00 17 00 41 04 a9 fc 26 1467 e5 99 e4 8d ed 07 36 f4 b1 b2 20 2b f4 9c f3 e5 eb 5a 37 0b aa 1468 88 8b 45 50 27 32 36 85 e5 e8 eb 52 e1 d3 63 73 08 76 d4 4a 1a 1469 cf 53 25 8e a6 e1 75 c1 4c 5f 20 2c 
a0 eb b8 a7 3a f2 34 00 2b 1470 00 02 7f 1c 1472 ciphertext (128 octets): 16 03 03 00 7b 02 00 00 77 03 03 a9 8d 1473 a5 12 67 95 e8 50 bf d4 69 ae 41 2c 8a d6 c6 a2 43 da b5 ca 68 1474 9b cc 37 7b 7f 45 7e 93 57 00 13 01 00 00 4f 00 33 00 45 00 17 1475 00 41 04 a9 fc 26 e5 99 e4 8d ed 07 36 f4 b1 b2 20 2b f4 9c f3 1476 e5 eb 5a 37 0b aa 88 8b 45 50 27 32 36 85 e5 e8 eb 52 e1 d3 63 1477 73 08 76 d4 4a 1a cf 53 25 8e a6 e1 75 c1 4c 5f 20 2c a0 eb b8 1478 a7 3a f2 34 00 2b 00 02 7f 1c 1480 {server} derive write traffic keys for handshake data: 1482 PRK (32 octets): 48 c0 79 83 b0 b1 9b 41 75 36 af 49 aa 3c 4f a1 1483 20 26 fe fa 16 d0 40 12 8b 7f 87 19 6c ab fe 14 1485 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1487 key output (16 octets): c9 66 8b e3 a4 eb 59 74 eb 92 ff 02 bb d7 1488 2e 0b 1490 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1492 iv output (12 octets): a0 3e bc f0 df 01 00 7b 81 7b 21 de 1494 {server} send a EncryptedExtensions handshake message 1496 {server} send a Certificate handshake message 1498 {server} send a CertificateVerify handshake message 1500 {server} calculate finished "tls13 finished": 1502 PRK (32 octets): 48 c0 79 83 b0 b1 9b 41 75 36 af 49 aa 3c 4f a1 1503 20 26 fe fa 16 d0 40 12 8b 7f 87 19 6c ab fe 14 1505 hash (0 octets): (empty) 1507 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 1508 64 00 1510 output (32 octets): c9 32 f8 bb a8 09 0c d8 3c fa ae 73 f8 41 79 1511 6c bb a9 97 73 28 e4 53 d6 a1 da c8 8c a8 0b 2b ec 1513 {server} send a Finished handshake message 1515 {server} send handshake record: 1517 payload (639 octets): 08 00 00 12 00 10 00 0a 00 08 00 06 00 17 1518 00 18 00 1d 00 00 00 00 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82 1519 01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 1520 86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 1521 72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17 1522 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 
0e 31 0c 30 0a 06 1523 03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7 1524 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f 1525 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 1526 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1527 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52 1528 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74 1529 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 1530 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 1531 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 1532 03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 1533 01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 1534 72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea 1535 e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 1536 51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be 1537 c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1538 1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 1539 96 12 29 ac 91 87 b4 2b 4d e1 00 00 0f 00 00 84 08 04 00 80 7d 1540 29 50 6f 66 e0 87 bd b7 c1 5b 15 f5 f9 32 72 41 8a 59 c5 74 59 1541 13 33 9c f3 78 5a 39 86 78 55 66 d7 95 2d 9e a9 ab 9f 77 87 6e 1542 6a 39 8b 5b 88 2c 83 e5 43 d3 c1 80 95 30 ef 30 70 fb e4 eb a9 1543 07 2c 6c 23 95 6b de 0e 61 4c d0 13 aa e7 9c b1 86 76 0a 95 55 1544 aa 7c 62 2a 29 5c ce 9e f4 7b eb 28 06 10 29 4e a0 a4 cc ca 29 1545 92 00 ab f2 25 44 3d 0b 50 d1 f8 b1 fa 9b 98 f3 38 b8 00 65 08 1546 87 14 00 00 20 43 2a 86 e1 4a 5e 66 f5 57 83 3f 39 ea eb 85 71 1547 13 0b cd 59 ba 06 5d 8d 6d b4 26 ac 11 43 da 0e 1549 ciphertext (661 octets): 17 03 03 02 90 2a 10 90 52 02 96 ad d1 1550 82 97 94 74 52 0d 25 ef c8 1d 11 77 14 c5 0d d5 32 d9 df f1 fa 1551 fe 96 c7 3b 66 e4 7d 81 e6 25 2b 66 86 b8 86 37 10 26 0e 15 4b 1552 c4 8d 8a e2 f2 67 45 f5 98 ee 7b 46 70 cb 87 89 3a 73 81 7f cb 1553 09 45 5f e5 8d 49 
5c 07 7a ca a3 b3 ae 9c cc a4 58 5b 12 6d f4 1554 8c 5f a4 f9 d2 b4 b5 0b dc 72 a8 42 eb 09 5f 71 f9 24 77 d4 5d 1555 d8 ee 69 62 81 87 86 0d f3 d6 8b 80 a3 c7 c7 d4 ca 36 61 69 2f 1556 a4 64 23 f5 64 2d 73 6e 27 63 b0 41 07 47 f6 55 eb db 18 37 c1 1557 6f 59 bd c2 db 64 e3 92 fd 92 77 b0 ac e7 1c 1a 15 da e4 13 6c 1558 84 aa 17 7b 69 4d 33 e0 b0 ac 68 0b f0 46 54 d0 03 75 84 c9 b4 1559 06 59 87 ff 49 02 70 07 f9 1b 95 29 ef a3 87 2c 6a df a9 a9 f8 1560 75 4a 57 f2 a1 6c 16 d3 34 06 ac 27 a8 93 ca 13 2c c3 3a 89 d2 1561 2f f1 fa 70 c0 c6 06 10 1d 89 64 ff 42 3d 13 b7 ac 11 b7 e9 47 1562 91 b0 51 45 6a 9b 6f 41 b6 66 00 79 60 8e 87 22 d2 ad 87 36 92 1563 bf db 79 f2 9e 67 e4 16 6d 82 a9 5c be 36 e3 d1 67 88 f5 32 33 1564 7b f9 4c bf 54 31 02 22 4e 45 ee 98 0d 05 d4 68 fa dc 12 91 a2 1565 6f 13 81 01 5c 21 f3 d5 d6 36 9f 29 51 7e a2 f6 1b 9b 7f 20 6a 1566 63 c8 10 d1 3b 74 e4 29 e6 6d 08 1e 41 7f 96 6e 82 88 da a5 52 1567 2d b6 cb 22 35 33 d6 e6 84 2a 70 6c e0 9f 3d 12 19 b6 4f 08 f5 1568 f4 d2 ca 3d 55 6d 88 64 1f 16 25 de 1e cc 65 5f e5 17 c1 f0 a5 1569 a4 9c 79 62 00 02 2d 22 cd cb 70 8c 27 fd d4 16 7a a8 68 fa f7 1570 be b6 ca 42 e2 da d2 b8 a7 7c 3f a8 68 83 35 de 97 f9 06 bf 69 1571 09 20 60 b4 23 dd 9c 1a 7e 9e c2 3c 78 4c 52 a7 a0 44 35 6c e1 1572 27 c3 54 73 ed 92 49 fe 68 1a 70 ca 11 db c1 e5 4f 51 12 ae 74 1573 d1 88 c2 db dc f0 66 13 28 02 10 5e 8b de ae 53 50 b1 b3 55 34 1574 a6 82 91 73 03 fb eb 65 3b bc 4b 0c 5c 77 4b b2 94 dc 50 44 c4 1575 7f 70 5b d6 80 73 af 3a e5 c6 45 29 1e fc 9d 9c 17 6b 19 bd 95 1576 47 55 dc a2 2e 2b 52 13 a5 37 2e d9 6b 9f 89 f6 30 80 89 f3 98 1577 2a 13 f2 41 30 3b 2e 5d c0 d4 3f fa 73 16 d2 79 bd 78 d1 65 e0 1578 33 61 16 66 fd 79 a3 90 95 db f5 5a 43 e0 89 b1 3b db 6a 33 ef 1579 b3 bb 0b 67 9c 58 9d 2a 3e 4f 56 18 46 dd 9b 34 c4 68 a9 ce 4d 1580 bd 63 59 29 f7 b5 1f 21 a9 67 92 97 22 7d 7e a1 db 4c 1582 {server} derive secret "tls13 c ap traffic": 1584 PRK (32 octets): 67 f3 ca a1 17 80 44 45 c3 84 1d f0 d6 cf 0c be 1585 84 
eb 2d 1e 29 29 3c de 0e 59 8b c0 79 99 24 00 1587 hash (32 octets): 91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 54 1588 51 f8 70 7c 4f 14 92 ed 2e 84 7e 08 7e 6a bf 98 1590 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 1591 61 66 66 69 63 20 91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 1592 54 51 f8 70 7c 4f 14 92 ed 2e 84 7e 08 7e 6a bf 98 1594 output (32 octets): 33 60 70 33 79 0d 4d 7d 0f d0 db d9 6f 3c 78 1595 21 75 8f 78 14 79 4f 9b b1 e9 c9 17 de 7b ef d4 b2 1597 {server} derive secret "tls13 s ap traffic": 1599 PRK (32 octets): 67 f3 ca a1 17 80 44 45 c3 84 1d f0 d6 cf 0c be 1600 84 eb 2d 1e 29 29 3c de 0e 59 8b c0 79 99 24 00 1602 hash (32 octets): 91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 54 1603 51 f8 70 7c 4f 14 92 ed 2e 84 7e 08 7e 6a bf 98 1605 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 1606 61 66 66 69 63 20 91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 1607 54 51 f8 70 7c 4f 14 92 ed 2e 84 7e 08 7e 6a bf 98 1609 output (32 octets): 82 4f 40 74 98 f3 55 f7 c4 56 7d 1a c4 9d a3 1610 cc 44 1c fe a5 7c 86 6d 01 28 04 88 63 74 bb 4f a1 1612 {server} derive secret "tls13 exp master": 1614 PRK (32 octets): 67 f3 ca a1 17 80 44 45 c3 84 1d f0 d6 cf 0c be 1615 84 eb 2d 1e 29 29 3c de 0e 59 8b c0 79 99 24 00 1617 hash (32 octets): 91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 54 1618 51 f8 70 7c 4f 14 92 ed 2e 84 7e 08 7e 6a bf 98 1620 info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 1621 74 65 72 20 91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 54 51 1622 f8 70 7c 4f 14 92 ed 2e 84 7e 08 7e 6a bf 98 1624 output (32 octets): aa 09 d0 be d1 a3 70 92 4b bd 25 44 60 e7 71 1625 c4 f1 3c 0a 68 8f 6b b9 f5 b1 e3 35 7b 72 42 c9 17 1627 {server} derive write traffic keys for application data: 1629 PRK (32 octets): 82 4f 40 74 98 f3 55 f7 c4 56 7d 1a c4 9d a3 cc 1630 44 1c fe a5 7c 86 6d 01 28 04 88 63 74 bb 4f a1 1632 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1633 key output (16 octets): 
1d dd e3 13 e4 23 c0 bb b4 6e 21 55 4e 62 1634 bc 02 1636 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1638 iv output (12 octets): 1d 33 01 7e 40 29 4c bc df b2 cd ec 1640 {server} derive read traffic keys for handshake data: 1642 PRK (32 octets): 96 f0 1d 63 6d 87 b9 36 1c 0b 8b 93 0c de d9 7b 1643 59 06 0b 89 3b e2 4e 5d 64 b5 25 86 c0 39 ac 18 1645 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1647 key output (16 octets): dd e8 55 4c 07 08 a0 f7 7c dd da 22 50 43 1648 b4 82 1650 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1652 iv output (12 octets): 10 90 01 0f e7 e8 21 c7 40 6b 82 d0 1654 {client} extract secret "early": 1656 salt: (absent) 1658 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1659 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1661 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c 1662 e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 1664 {client} derive secret for handshake "tls13 derived": 1666 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 1667 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 1669 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 1670 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1672 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 1673 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 1674 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1676 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 1677 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 1679 {client} extract secret "handshake": 1681 salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 1682 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 1684 ikm (32 octets): 67 5e 8f e3 7d f3 8e b4 ae d1 ac 3e a4 a0 a1 63 1685 a7 26 56 83 e4 3d ca 95 40 43 87 73 24 aa cf 70 1687 secret (32 octets): 56 b6 d9 4c b7 89 04 56 07 85 86 b5 d6 5d 69 1688 69 bc 7c 48 51 ff 7f 95 33 75 ed cb e2 60 4c 1f 8e 1690 {client} derive secret 
"tls13 c hs traffic" (same as server) 1692 {client} derive secret "tls13 s hs traffic" (same as server) 1694 {client} derive secret for master "tls13 derived" (same as server) 1696 {client} extract secret "master" (same as server) 1698 {client} derive read traffic keys for handshake data: 1700 PRK (32 octets): 48 c0 79 83 b0 b1 9b 41 75 36 af 49 aa 3c 4f a1 1701 20 26 fe fa 16 d0 40 12 8b 7f 87 19 6c ab fe 14 1703 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1705 key output (16 octets): c9 66 8b e3 a4 eb 59 74 eb 92 ff 02 bb d7 1706 2e 0b 1708 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1710 iv output (12 octets): a0 3e bc f0 df 01 00 7b 81 7b 21 de 1712 {client} calculate finished "tls13 finished" (same as server) 1714 {client} derive secret "tls13 c ap traffic" (same as server) 1716 {client} derive secret "tls13 s ap traffic" (same as server) 1718 {client} derive secret "tls13 exp master" (same as server) 1720 {client} derive write traffic keys for handshake data (same as 1721 server read traffic keys) 1723 {client} derive read traffic keys for application data (same as 1724 server write traffic keys) 1726 {client} calculate finished "tls13 finished": 1728 PRK (32 octets): 96 f0 1d 63 6d 87 b9 36 1c 0b 8b 93 0c de d9 7b 1729 59 06 0b 89 3b e2 4e 5d 64 b5 25 86 c0 39 ac 18 1731 hash (0 octets): (empty) 1733 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 1734 64 00 1736 output (32 octets): a2 e7 bc 56 e4 4c 66 f7 b1 f7 e9 5f 43 4b 03 1737 49 7c 09 11 73 96 b8 6e a1 88 a2 e7 5e 4b 5b 52 bd 1739 {client} send a Finished handshake message 1741 {client} send handshake record: 1743 payload (36 octets): 14 00 00 20 dd 60 b6 e8 68 65 0c d8 8a 16 ae 1744 ea be c9 ef 92 8b d1 4a 55 cc fc 9b 25 36 bb f8 5b ef cb a9 2f 1746 ciphertext (58 octets): 17 03 03 00 35 10 83 df 24 a1 2c 20 11 96 1747 5e 1c 0c d5 82 85 53 dc 17 d9 4f 60 a4 b9 03 58 8c d3 00 63 3b 1748 de 1c 93 48 a5 38 d4 a9 67 66 ce e5 2c 32 46 4c 84 8b cd 12 19 1749 
         9b 2f

   {client} derive write traffic keys for application data:

      PRK (32 octets): 33 60 70 33 79 0d 4d 7d 0f d0 db d9 6f 3c 78 21
         75 8f 78 14 79 4f 9b b1 e9 c9 17 de 7b ef d4 b2

      key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets): 74 df 54 32 03 d8 58 9d c5 27 43 85 9f 6c
         cd da

      iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets): c1 af 57 8c 97 99 e3 a6 48 08 70 35

   {client} derive secret "tls13 res master":

      PRK (32 octets): 67 f3 ca a1 17 80 44 45 c3 84 1d f0 d6 cf 0c be
         84 eb 2d 1e 29 29 3c de 0e 59 8b c0 79 99 24 00

      hash (32 octets): e6 a1 73 98 69 66 1d dc bb dc 11 0a ed ed 74 bc
         13 74 65 fa a9 20 ec 69 ea 9e cc 73 60 b2 9d d2

      info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73
         74 65 72 20 e6 a1 73 98 69 66 1d dc bb dc 11 0a ed ed 74 bc 13
         74 65 fa a9 20 ec 69 ea 9e cc 73 60 b2 9d d2

      output (32 octets): 5f 86 e4 2a b7 ff e8 49 b9 3e ed b3 f6 e3 88
         a8 a4 55 72 b1 cc 03 88 30 44 c6 dd 25 04 57 b9 8b

   {server} calculate finished "tls13 finished" (same as client)

   {server} derive read traffic keys for application data (same as
      client write traffic keys)

   {server} derive secret "tls13 res master" (same as client)

   {client} send alert record:

      payload (2 octets): 01 00

      ciphertext (24 octets): 17 03 03 00 13 a5 48 29 ee 82 c4 6f 8a 11
         08 8a ff d2 51 1e 5c 2d d6 d1

   {server} send alert record:

      payload (2 octets): 01 00

      ciphertext (24 octets): 17 03 03 00 13 54 78 81 09 80 71 83 23 ed
         12 c2 e3 d1 a0 c0 f4 87 72 40

6.  Client Authentication

   In this example, the server requests client authentication.  The
   client uses a certificate with an RSA key, the server uses an ECDSA
   certificate with a P-256 key.  Note that private keys for this
   example are not included in the draft.
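The key-schedule steps that every trace in this document lists (extract "early", derive "tls13 derived", extract "handshake", derive a traffic secret, then its key and iv) can be replayed step by step so that an implementation is checked incrementally. The Python below is an added example and not part of the draft: the function names are this example's own, and the input and expected octets are copied from the Client Authentication trace in this section.

```python
import hashlib
import hmac
import struct

HASH = hashlib.sha256           # hash of TLS_AES_128_GCM_SHA256 (13 01 in the trace)
HASH_LEN = HASH().digest_size   # 32 octets


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract; "salt: (absent)" means HashLen zero octets."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_label(label: str, context: bytes, length: int) -> bytes:
    """Build the "info" octets shown in the trace:
    uint16 length || uint8 len || "tls13 " + label || uint8 len || context."""
    full = b"tls13 " + label.encode("ascii")
    if len(full) > 255 or len(context) > 255 or not 0 < length <= 0xFFFF:
        raise ValueError("field does not fit the HkdfLabel encoding")
    return (struct.pack(">H", length) + bytes([len(full)]) + full
            + bytes([len(context)]) + context)


def expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label. The trace prints labels with the "tls13 " prefix
    already attached; pass the bare label here (e.g. "derived")."""
    return hkdf_expand(secret, hkdf_label(label, context, length), length)


def run_schedule(ecdhe_ikm: bytes, hello_hash: bytes) -> dict:
    """Replay the trace from "early" down to the server handshake key and iv."""
    early = hkdf_extract(b"", bytes(HASH_LEN))
    derived = expand_label(early, "derived", HASH(b"").digest(), HASH_LEN)
    handshake = hkdf_extract(derived, ecdhe_ikm)
    s_hs = expand_label(handshake, "s hs traffic", hello_hash, HASH_LEN)
    return {                                   # insertion order = trace order
        "early": early,
        "derived": derived,
        "handshake": handshake,
        "s hs traffic": s_hs,
        "key": expand_label(s_hs, "key", b"", 16),
        "iv": expand_label(s_hs, "iv", b"", 12),
    }


def first_divergence(computed: dict, expected: dict):
    """Name of the first step whose value differs from the trace, or None."""
    for step, value in computed.items():
        if not hmac.compare_digest(value, expected[step]):
            return step
    return None


# Octets copied from the Client Authentication trace on this page.
ECDHE_IKM = bytes.fromhex(          # ikm of extract secret "handshake"
    "49 a2 14 3a 0c 4b 7c a4 e9 c1 3a 6f 64 93 88 ec"
    "4d 34 87 b5 dc d0 68 37 bd 5c 41 23 a2 e0 1e 5b")
HELLO_HASH = bytes.fromhex(         # hash input of "tls13 s hs traffic"
    "b4 76 d4 d5 07 36 d3 7a 2a ed 25 98 2a 10 6e ec"
    "8c 28 f3 57 ef 19 8c b6 1d e4 a1 3b a2 78 1f 8d")
PAGE = {
    "early": bytes.fromhex(
        "33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2"
        "10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a"),
    "derived": bytes.fromhex(
        "6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97"
        "16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba"),
    "handshake": bytes.fromhex(
        "f4 58 19 79 77 70 fb 25 ec e8 ec 05 ce 3a 97 3e"
        "c3 30 47 00 5c 29 fd f8 b0 3d 35 73 ba 3b 8b 6d"),
    "s hs traffic": bytes.fromhex(
        "bb 5b 26 0b 1a b5 ab eb 1b 23 63 39 ad c3 90 39"
        "1e dc 93 38 80 54 eb 6b d6 87 79 d1 38 40 61 f7"),
    "key": bytes.fromhex("44 f7 bd 7a d2 f2 13 b2 94 7b c7 29 be 6f b7 c4"),
    "iv": bytes.fromhex("38 29 95 dc ff fc c2 32 16 86 39 75"),
}

if __name__ == "__main__":
    step = first_divergence(run_schedule(ECDHE_IKM, HELLO_HASH), PAGE)
    print("all steps match the trace" if step is None
          else "first mismatch at step: " + step)
```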
1808 {client} create an ephemeral x25519 key pair: 1810 private key (32 octets): 6d 8b a2 5f f1 2f 88 11 f2 67 80 03 48 1811 ea da fc c1 c5 74 1c 65 fc 45 8d fd b4 f8 f0 19 8f 01 c9 1813 public key (32 octets): 96 33 5a 91 2f 9a 39 44 4c cc 04 fd 51 51 1814 f0 de 0b da 04 02 75 dd 2f 07 10 5a 1c 7d 93 89 99 13 1816 {client} send a ClientHello handshake message 1818 {client} send handshake record: 1820 payload (186 octets): 01 00 00 b6 03 03 1d fe f2 73 b4 49 8b 2c 1821 68 e0 44 af 2c 39 12 ca 6e 91 4b d8 88 f9 09 41 8b f4 8b a3 b5 1822 75 a4 a1 00 00 06 13 01 13 03 13 02 01 00 00 87 00 00 00 0b 00 1823 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 1824 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00 1825 26 00 24 00 1d 00 20 96 33 5a 91 2f 9a 39 44 4c cc 04 fd 51 51 1826 f0 de 0b da 04 02 75 dd 2f 07 10 5a 1c 7d 93 89 99 13 00 2b 00 1827 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 1828 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 1829 00 02 01 01 1831 ciphertext (191 octets): 16 03 01 00 ba 01 00 00 b6 03 03 1d fe 1832 f2 73 b4 49 8b 2c 68 e0 44 af 2c 39 12 ca 6e 91 4b d8 88 f9 09 1833 41 8b f4 8b a3 b5 75 a4 a1 00 00 06 13 01 13 03 13 02 01 00 00 1834 87 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 1835 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 1836 03 01 04 00 33 00 26 00 24 00 1d 00 20 96 33 5a 91 2f 9a 39 44 1837 4c cc 04 fd 51 51 f0 de 0b da 04 02 75 dd 2f 07 10 5a 1c 7d 93 1838 89 99 13 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 1839 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 1840 06 02 02 02 00 2d 00 02 01 01 1842 {server} extract secret "early": 1844 salt: (absent) 1846 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1847 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1849 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c 1850 e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 1852 {server} 
create an ephemeral x25519 key pair: 1854 private key (32 octets): 4c 22 f1 c1 22 00 9b 54 ae dc 6f 54 2e 1855 98 01 4d a2 91 e6 f5 b8 77 03 67 5e 49 f6 10 06 ae 86 65 1857 public key (32 octets): c5 4d 65 0c e2 52 6e 90 24 f2 a3 68 9e 3b 1858 82 58 87 e5 82 b6 c0 e6 07 75 dd a0 bd 2f 8a 5b 6d 53 1860 {server} send a ServerHello handshake message 1862 {server} derive secret for handshake "tls13 derived": 1864 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 1865 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 1867 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 1868 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1870 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 1871 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 1872 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1874 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 1875 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 1877 {server} extract secret "handshake": 1879 salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 1880 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 1882 ikm (32 octets): 49 a2 14 3a 0c 4b 7c a4 e9 c1 3a 6f 64 93 88 ec 1883 4d 34 87 b5 dc d0 68 37 bd 5c 41 23 a2 e0 1e 5b 1885 secret (32 octets): f4 58 19 79 77 70 fb 25 ec e8 ec 05 ce 3a 97 1886 3e c3 30 47 00 5c 29 fd f8 b0 3d 35 73 ba 3b 8b 6d 1888 {server} derive secret "tls13 c hs traffic": 1890 PRK (32 octets): f4 58 19 79 77 70 fb 25 ec e8 ec 05 ce 3a 97 3e 1891 c3 30 47 00 5c 29 fd f8 b0 3d 35 73 ba 3b 8b 6d 1893 hash (32 octets): b4 76 d4 d5 07 36 d3 7a 2a ed 25 98 2a 10 6e ec 1894 8c 28 f3 57 ef 19 8c b6 1d e4 a1 3b a2 78 1f 8d 1896 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 1897 61 66 66 69 63 20 b4 76 d4 d5 07 36 d3 7a 2a ed 25 98 2a 10 6e 1898 ec 8c 28 f3 57 ef 19 8c b6 1d e4 a1 3b a2 78 1f 8d 1900 output (32 octets): 06 bd cc 2f 05 32 35 23 70 af 13 71 84 d5 66 1901 31 4a cb 81 bb e1 d2 98 02 f5 78 ef 1e 43 72 26 35 1903 
{server} derive secret "tls13 s hs traffic": 1905 PRK (32 octets): f4 58 19 79 77 70 fb 25 ec e8 ec 05 ce 3a 97 3e 1906 c3 30 47 00 5c 29 fd f8 b0 3d 35 73 ba 3b 8b 6d 1908 hash (32 octets): b4 76 d4 d5 07 36 d3 7a 2a ed 25 98 2a 10 6e ec 1909 8c 28 f3 57 ef 19 8c b6 1d e4 a1 3b a2 78 1f 8d 1911 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 1912 61 66 66 69 63 20 b4 76 d4 d5 07 36 d3 7a 2a ed 25 98 2a 10 6e 1913 ec 8c 28 f3 57 ef 19 8c b6 1d e4 a1 3b a2 78 1f 8d 1915 output (32 octets): bb 5b 26 0b 1a b5 ab eb 1b 23 63 39 ad c3 90 1916 39 1e dc 93 38 80 54 eb 6b d6 87 79 d1 38 40 61 f7 1918 {server} derive secret for master "tls13 derived": 1920 PRK (32 octets): f4 58 19 79 77 70 fb 25 ec e8 ec 05 ce 3a 97 3e 1921 c3 30 47 00 5c 29 fd f8 b0 3d 35 73 ba 3b 8b 6d 1923 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 1924 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1926 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 1927 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 1928 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1930 output (32 octets): 30 5e e3 40 d4 47 ef 6d 28 26 2a b4 9f 3a f7 1931 b0 2c e2 ff db c1 25 fb da 8a 36 45 f4 6f 79 04 e6 1933 {server} extract secret "master": 1935 salt (32 octets): 30 5e e3 40 d4 47 ef 6d 28 26 2a b4 9f 3a f7 b0 1936 2c e2 ff db c1 25 fb da 8a 36 45 f4 6f 79 04 e6 1938 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1939 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1941 secret (32 octets): c5 e8 54 45 75 ea 22 fb 0b 25 bc d1 72 1c c7 1942 56 ed 94 9c f7 7c 56 d4 24 b6 d2 eb d3 4b a7 4c ee 1944 {server} send handshake record: 1946 payload (90 octets): 02 00 00 56 03 03 d8 ef 9b d4 2a f5 87 b5 27 1947 30 bd c6 67 4a 66 bf e4 04 1a 57 ef de 4f 63 9c c2 4c 22 f9 e9 1948 77 77 00 13 01 00 00 2e 00 33 00 24 00 1d 00 20 c5 4d 65 0c e2 1949 52 6e 90 24 f2 a3 68 9e 3b 82 58 87 e5 82 b6 c0 e6 07 75 dd a0 1950 bd 2f 8a 5b 6d 53 00 2b 00 02 7f 1c 1952 
ciphertext (95 octets): 16 03 03 00 5a 02 00 00 56 03 03 d8 ef 9b 1953 d4 2a f5 87 b5 27 30 bd c6 67 4a 66 bf e4 04 1a 57 ef de 4f 63 1954 9c c2 4c 22 f9 e9 77 77 00 13 01 00 00 2e 00 33 00 24 00 1d 00 1955 20 c5 4d 65 0c e2 52 6e 90 24 f2 a3 68 9e 3b 82 58 87 e5 82 b6 1956 c0 e6 07 75 dd a0 bd 2f 8a 5b 6d 53 00 2b 00 02 7f 1c 1958 {server} derive write traffic keys for handshake data: 1960 PRK (32 octets): bb 5b 26 0b 1a b5 ab eb 1b 23 63 39 ad c3 90 39 1961 1e dc 93 38 80 54 eb 6b d6 87 79 d1 38 40 61 f7 1963 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1965 key output (16 octets): 44 f7 bd 7a d2 f2 13 b2 94 7b c7 29 be 6f 1966 b7 c4 1968 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1970 iv output (12 octets): 38 29 95 dc ff fc c2 32 16 86 39 75 1972 {server} send a EncryptedExtensions handshake message 1974 {server} send a CertificateRequest handshake message 1976 {server} send a Certificate handshake message 1978 {server} send a CertificateVerify handshake message 1980 {server} calculate finished "tls13 finished": 1982 PRK (32 octets): bb 5b 26 0b 1a b5 ab eb 1b 23 63 39 ad c3 90 39 1983 1e dc 93 38 80 54 eb 6b d6 87 79 d1 38 40 61 f7 1985 hash (0 octets): (empty) 1987 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 1988 64 00 1990 output (32 octets): c7 68 70 3c 8c 1f 97 a6 f7 6c e1 62 ac 22 08 1991 c4 d4 72 f3 eb 2d 72 71 1c 0f 2f b7 36 de 45 3e b9 1993 {server} send a Finished handshake message 1995 {server} send handshake record: 1997 payload (510 octets): 08 00 00 1e 00 1c 00 0a 00 14 00 12 00 1d 1998 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 0d 1999 00 00 27 00 00 24 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 2000 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 2001 0b 00 01 3b 00 00 01 37 00 01 32 30 82 01 2e 30 81 d5 a0 03 02 2002 01 02 02 01 07 30 0a 06 08 2a 86 48 ce 3d 04 03 02 30 13 31 11 2003 30 0f 06 03 55 04 03 13 08 65 63 64 73 61 32 35 36 30 1e 17 0d 2004 31 36 30 
37 33 30 30 31 32 34 30 30 5a 17 0d 32 36 30 37 33 30 2005 30 31 32 34 30 30 5a 30 13 31 11 30 0f 06 03 55 04 03 13 08 65 2006 63 64 73 61 32 35 36 30 59 30 13 06 07 2a 86 48 ce 3d 02 01 06 2007 08 2a 86 48 ce 3d 03 01 07 03 42 00 04 08 d5 30 16 15 75 f4 cf 2008 e7 f1 54 ee 34 48 18 00 86 00 1e 88 43 1a 79 ee 62 ee 6e 2f 83 2009 ef 38 ba 61 e9 fb 37 f3 4e 00 7a 7d f4 d2 f5 b5 6d 1f 04 ec e4 2010 5d 62 1f 46 84 06 f5 c3 a1 51 58 94 8d d0 a3 1a 30 18 30 09 06 2011 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 07 80 2012 30 0a 06 08 2a 86 48 ce 3d 04 03 02 03 48 00 30 45 02 21 00 df 2013 30 fd 45 07 f5 ed d2 2c 1a 6f f8 6d b4 79 ca 69 3f ee ca 3b 71 2014 b3 f9 ef 55 6b 29 37 c0 59 4d 02 20 62 e2 a4 72 50 d3 20 fe a8 2015 3c 7e 2d cb 5b 76 a5 0e 02 00 c0 9a db d1 3f ee 94 6e 51 3e 01 2016 1d 11 00 00 0f 00 00 4a 04 03 00 46 30 44 02 20 30 e4 bf a4 27 2017 2e fb 5c 47 f7 a8 95 68 62 19 07 5d a8 59 00 a1 83 51 88 a7 dc 2018 81 04 7e f8 18 40 02 20 7f af cb e9 ab db 07 6d 0d b8 ed 0e fe 2019 2c 90 17 47 3d a6 99 4f e7 40 21 15 e8 3e d3 99 04 3c 7f 14 00 2020 00 20 ab a1 88 14 12 63 9b 3b 55 a5 c3 9b a4 57 c0 7f 44 92 b7 2021 64 74 0c 52 6d 57 9e 83 98 40 5b ec 1c 2023 ciphertext (532 octets): 17 03 03 02 0f e7 f9 f2 8e 34 e1 1e 5c 2024 23 32 33 8e 43 43 e3 2f e5 17 0e 24 cf d2 64 45 c3 58 79 45 3d 2025 2a 55 40 45 0f 90 73 32 b6 7b 7a 87 36 bd 32 29 39 c9 47 e8 ff 2026 5c 3a bb 07 ac b8 95 91 4e 0e 3e 2e 2e 3d 0e bb 71 b9 31 58 5f 2027 10 6c 5b b7 f9 c7 8d 86 91 76 5c 52 7a bb 61 04 12 97 9a c3 6d 2028 63 22 cd e6 a4 64 38 c5 a9 ac b0 d1 96 15 4d a1 ec fe f3 d8 1c 2029 41 c9 9b 39 6a df 7f 47 b5 29 09 72 b6 e4 c1 73 94 af 05 06 f1 2030 41 37 c1 b1 91 7c a5 f1 e4 da 3a 61 8b ea a8 63 c5 80 4e 1e 28 2031 ce 2d f7 c4 3f 47 c4 6d c4 80 f2 1b 02 9a 62 b8 8a 57 58 8a 6d 2032 67 8e 8d 3f 7f da f4 cf 16 18 b6 4d eb db fc 09 88 eb 40 92 ea 2033 10 bb 0e ec 14 8f 62 46 47 03 f1 15 50 8d 77 05 5d 42 df de 74 2034 42 7e f6 89 c7 a6 5f ff 1c bf a1 2c 5e fa 2c e3 77 3d bf f2 
a1 2035 ea 2f 28 1d 8c be 97 83 41 e8 1d 4c f0 81 01 7b 00 b2 1d 13 36 2036 29 7c 99 19 6a 55 f9 c6 2f 78 04 dc fe 20 ee 03 34 ab 7b 52 5f 2037 6a 67 f6 ed dc cf d3 32 af 0c e6 86 3e eb 0c b8 e3 2b f1 6a 24 2038 84 ad 1d c6 de 4e 3a b3 ad 78 43 04 fc d2 62 65 b4 ef 5f ac d6 2039 6e 21 87 30 b2 b4 98 06 fd 75 e5 e1 a9 e8 9e 70 06 7b 9b fa b4 2040 52 9e 01 7c 04 72 21 d8 99 77 d3 cc 25 b1 be 85 5c ae e1 bc 5d 2041 e8 20 9a 37 75 c9 79 2c 78 00 a7 6f 62 c2 24 b8 90 9c ff bd 94 2042 d7 c8 38 f4 d9 5e 2c a6 d2 6e 8e ae 0f 0c 7b ac f3 85 1c 31 1f 2043 b1 fd 0c 19 72 80 61 8f 43 c5 ed ba b5 d3 6d 50 59 cb 7a e5 04 2044 f4 cc 2d 42 f9 81 83 eb eb a6 e3 70 35 d6 bd 45 fc 64 f3 50 ef 2045 15 6e 7e e0 15 ce 0d d6 c8 9e 23 0b aa 54 33 5b 46 0c fd 04 3b 2046 21 cc a2 66 72 2c c6 4b 92 e8 67 42 a9 51 67 c7 88 4d fb 61 f8 2047 88 90 4f 73 1e f8 3c 52 4d f9 27 18 86 06 89 8b ea e5 2d 87 88 2048 98 d1 88 29 2e 39 fa 15 73 7f f2 85 43 59 b0 2050 {server} derive secret "tls13 c ap traffic": 2052 PRK (32 octets): c5 e8 54 45 75 ea 22 fb 0b 25 bc d1 72 1c c7 56 2053 ed 94 9c f7 7c 56 d4 24 b6 d2 eb d3 4b a7 4c ee 2055 hash (32 octets): eb b3 96 15 37 1e 46 21 1d 85 43 f4 0b c5 05 b8 2056 80 16 8c 02 d3 d8 37 ca 46 58 5a 19 98 b0 34 56 2058 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 2059 61 66 66 69 63 20 eb b3 96 15 37 1e 46 21 1d 85 43 f4 0b c5 05 2060 b8 80 16 8c 02 d3 d8 37 ca 46 58 5a 19 98 b0 34 56 2062 output (32 octets): a7 95 27 3b d4 3f 76 6c 34 b0 dd 5e 57 12 9d 2063 cb 6a 62 53 d4 25 39 69 f8 43 fc 64 db fb 4d e8 d1 2065 {server} derive secret "tls13 s ap traffic": 2067 PRK (32 octets): c5 e8 54 45 75 ea 22 fb 0b 25 bc d1 72 1c c7 56 2068 ed 94 9c f7 7c 56 d4 24 b6 d2 eb d3 4b a7 4c ee 2070 hash (32 octets): eb b3 96 15 37 1e 46 21 1d 85 43 f4 0b c5 05 b8 2071 80 16 8c 02 d3 d8 37 ca 46 58 5a 19 98 b0 34 56 2073 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 2074 61 66 66 69 63 20 eb b3 96 15 37 1e 46 21 1d 85 43 f4 0b c5 05 2075 b8 
80 16 8c 02 d3 d8 37 ca 46 58 5a 19 98 b0 34 56 2077 output (32 octets): 92 e7 e7 04 3b 35 7d 6c a6 ca ba 36 0e f1 4f 2078 b9 c6 f8 0b f2 f4 b4 26 f2 e5 8d 62 96 79 b7 41 aa 2080 {server} derive secret "tls13 exp master": 2082 PRK (32 octets): c5 e8 54 45 75 ea 22 fb 0b 25 bc d1 72 1c c7 56 2083 ed 94 9c f7 7c 56 d4 24 b6 d2 eb d3 4b a7 4c ee 2085 hash (32 octets): eb b3 96 15 37 1e 46 21 1d 85 43 f4 0b c5 05 b8 2086 80 16 8c 02 d3 d8 37 ca 46 58 5a 19 98 b0 34 56 2088 info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 2089 74 65 72 20 eb b3 96 15 37 1e 46 21 1d 85 43 f4 0b c5 05 b8 80 2090 16 8c 02 d3 d8 37 ca 46 58 5a 19 98 b0 34 56 2092 output (32 octets): ae a4 f5 ae fb fd 28 fd 24 34 e1 75 96 b2 98 2093 21 65 bc fd db cb 01 8f 22 81 2f 1d 1e d9 37 08 ac 2095 {server} derive write traffic keys for application data: 2097 PRK (32 octets): 92 e7 e7 04 3b 35 7d 6c a6 ca ba 36 0e f1 4f b9 2098 c6 f8 0b f2 f4 b4 26 f2 e5 8d 62 96 79 b7 41 aa 2100 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 2102 key output (16 octets): b5 02 c5 17 59 fd 20 90 ef 80 f0 b6 d5 3d 2103 1d 06 2105 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 2107 iv output (12 octets): 19 46 48 8e ca 45 0f 53 3b eb 59 3e 2109 {server} derive read traffic keys for handshake data: 2111 PRK (32 octets): 06 bd cc 2f 05 32 35 23 70 af 13 71 84 d5 66 31 2112 4a cb 81 bb e1 d2 98 02 f5 78 ef 1e 43 72 26 35 2114 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 2115 key output (16 octets): 72 ff ef 49 b3 34 ca dc c9 bf ec ee ae 2f 2116 7e d5 2118 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 2120 iv output (12 octets): 6b 89 8b 86 fe 32 91 19 81 ef 9f 03 2122 {client} extract secret "early": 2124 salt: (absent) 2126 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2127 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2129 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c 2130 e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 
f9 2a 2132 {client} derive secret for handshake "tls13 derived": 2134 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 2135 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 2137 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 2138 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 2140 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 2141 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 2142 64 9b 93 4c a4 95 99 1b 78 52 b8 55 2144 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 2145 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 2147 {client} extract secret "handshake": 2149 salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 2150 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 2152 ikm (32 octets): 49 a2 14 3a 0c 4b 7c a4 e9 c1 3a 6f 64 93 88 ec 2153 4d 34 87 b5 dc d0 68 37 bd 5c 41 23 a2 e0 1e 5b 2155 secret (32 octets): f4 58 19 79 77 70 fb 25 ec e8 ec 05 ce 3a 97 2156 3e c3 30 47 00 5c 29 fd f8 b0 3d 35 73 ba 3b 8b 6d 2158 {client} derive secret "tls13 c hs traffic" (same as server) 2160 {client} derive secret "tls13 s hs traffic" (same as server) 2162 {client} derive secret for master "tls13 derived" (same as server) 2163 {client} extract secret "master" (same as server) 2165 {client} derive read traffic keys for handshake data: 2167 PRK (32 octets): bb 5b 26 0b 1a b5 ab eb 1b 23 63 39 ad c3 90 39 2168 1e dc 93 38 80 54 eb 6b d6 87 79 d1 38 40 61 f7 2170 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 2172 key output (16 octets): 44 f7 bd 7a d2 f2 13 b2 94 7b c7 29 be 6f 2173 b7 c4 2175 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 2177 iv output (12 octets): 38 29 95 dc ff fc c2 32 16 86 39 75 2179 {client} calculate finished "tls13 finished" (same as server) 2181 {client} derive secret "tls13 c ap traffic" (same as server) 2183 {client} derive secret "tls13 s ap traffic" (same as server) 2185 {client} derive secret "tls13 exp master" (same 
as server) 2187 {client} derive write traffic keys for handshake data (same as 2188 server read traffic keys) 2190 {client} derive read traffic keys for application data (same as 2191 server write traffic keys) 2193 {client} send a Certificate handshake message 2195 {client} send a CertificateVerify handshake message 2197 {client} calculate finished "tls13 finished": 2199 PRK (32 octets): 06 bd cc 2f 05 32 35 23 70 af 13 71 84 d5 66 31 2200 4a cb 81 bb e1 d2 98 02 f5 78 ef 1e 43 72 26 35 2202 hash (0 octets): (empty) 2204 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 2205 64 00 2207 output (32 octets): 87 1c e8 63 61 9c 37 09 02 b2 fc aa 08 16 68 2208 db 0f c5 32 8b bc 3f 0e df 74 66 01 e3 ad e7 d2 a2 2210 {client} send a Finished handshake message 2211 {client} send handshake record: 2213 payload (623 octets): 0b 00 01 bf 00 00 01 bb 00 01 b6 30 82 01 2214 b2 30 82 01 1b a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86 2215 f7 0d 01 01 0b 05 00 30 11 31 0f 30 0d 06 03 55 04 03 13 06 63 2216 6c 69 65 6e 74 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 2217 5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 11 31 0f 30 2218 0d 06 03 55 04 03 13 06 63 6c 69 65 6e 74 30 81 9f 30 0d 06 09 2219 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 2220 00 c3 81 75 e0 04 a6 8d 09 3f 82 3b 9c 37 9d 20 1f bc 0b b7 a1 2221 c7 91 90 5e 3f bf 76 84 7e 44 e7 51 eb bc d3 60 bd 94 5c 81 e5 2222 22 2b cc 88 46 d3 a8 a0 f9 3e 9b f5 be ba bd 92 ed f1 de 1f f1 2223 90 21 70 3e 7a b6 c0 90 15 13 f9 7e 39 b1 11 f0 9c 93 48 97 1c 2224 7b 21 19 84 a7 54 cd 45 fe 09 5a f0 ea 42 36 82 9b cc f7 a7 fe 2225 9b 28 88 e7 8a b4 77 69 0a 5b 9e 1c cb e9 1c 6a 4a 0f 97 a7 e0 2226 28 42 01 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 2227 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 07 80 30 0d 06 09 2a 86 2228 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 1a 7a 5a 01 85 32 b0 22 2229 af 07 67 d4 86 16 0c ff 2d 16 7a 19 15 d2 38 35 b5 45 94 91 6d 2230 c6 80 be 5d 2e 62 60 
76 c5 d5 27 22 eb cc 77 5d 7d 99 f9 80 be 2231 2f c9 4d 34 ac f6 cc 00 ba 90 cb cf b0 60 8a a1 e7 e3 97 1e f0 2232 c0 7a 41 d4 7a d8 34 5d 1f 81 fe 41 8a 1c f4 10 54 42 9f d2 17 2233 bd 77 7d c1 cf 08 f0 5d f9 07 99 c6 59 36 1e 0f 1a 8e e4 ac 0f 2234 78 97 42 0b db c8 23 da 80 a2 f2 ba 23 08 1c 00 00 0f 00 00 84 2235 08 04 00 80 8c 72 81 c7 26 a8 cb 2e 3e 17 d1 22 7f 3a 56 77 69 2236 f4 31 a0 9c e1 37 f9 18 83 11 6c 53 4c d2 09 89 40 27 9b a9 1d 2237 dc d7 17 7f 71 70 59 43 1b d6 c5 0b 24 77 7f 55 6d 2f bf e4 8d 2238 c4 b9 6c 6b 5f bd cb 4c 57 5a 58 88 98 c6 e1 48 ef 5f af dd 2c 2239 1f ee a5 3f 56 72 f0 aa b4 1f 9a 22 cb fa e4 e0 8b 29 5b 14 99 2240 c4 71 a8 6a 86 65 55 92 f0 f6 a0 43 d3 fd 84 05 0e 7b b4 b7 6f 2241 9f 26 76 c7 12 9a 14 00 00 20 34 ef 9a 48 bb 59 75 19 12 14 15 2242 7f 60 73 9f 40 9a a4 f0 0b 68 b7 9e 1d ee d2 91 e5 09 76 32 df 2244 ciphertext (645 octets): 17 03 03 02 80 bd 53 8f 8a 51 8e 53 29 2245 91 44 38 97 42 f7 be 7c e8 d5 cc bc dc 49 7e 99 7e fb eb 45 60 2246 ae 3f ac ab 2f 07 82 53 1a 3a ed 15 9b 74 88 41 04 dc 95 9b 90 2247 63 7d 8c f5 a6 24 25 d5 f3 b7 16 57 6b b3 c0 13 99 92 62 0b 91 2248 ee 02 fa 02 32 3c 8c 3e c9 e6 a6 d1 cc 3b 4a e1 37 94 38 da c9 2249 17 39 8d c9 5c 33 94 19 f7 b4 c0 a8 4e 04 73 af 06 50 4d dc e9 2250 df 3d 7e b5 a5 3e dd 17 8d 2a 4f 83 c9 2f fa d2 3e 8c 28 a6 17 2251 94 f3 c8 45 96 b1 77 0e c5 b4 ec 1f a4 0a 06 8c e0 40 61 dc 80 2252 1b d0 d3 a7 d0 73 10 0d c6 e7 42 7d aa 0c 9b 8d 2f 4e 16 c4 e4 2253 3c 84 16 22 b4 ae e1 5e c7 e3 3a c1 b6 4f 74 85 7e 89 82 f8 85 2254 3d 9a 5e 36 96 9d ad 26 08 b6 88 1f cc 27 a7 39 aa 29 9a ce c4 2255 73 f7 d9 f5 73 4e 5b 24 d9 57 30 4a a5 6b 06 1c be 70 b5 0f 3f 2256 20 3a d1 64 ca 62 76 7d 9d 2b 7c dc 7c ce 9d 05 df ec 43 dc a6 2257 9a d4 2d f5 7a 09 3d 0a e0 b6 e0 a9 40 dc 0e dc 04 27 8c ae fe 2258 f8 ec 26 8f 29 5c 9c cc 76 3e 38 f2 f1 e1 dd 7f d6 14 17 b6 aa 2259 bc 31 a1 94 0b 96 1e ba 3e 85 cd 58 23 fa e7 28 99 9d ec f1 b0 2260 7c cc a4 72 94 88 f1 c7 d1 ab e2 56 88 17 ad 19 
4f 71 f5 16 cc 2261 30 28 fa 6e 38 a1 8f 40 e3 bf 68 41 88 84 c6 94 5a de 07 51 b0 2262 ab fe 09 d5 1d 4e 3b d9 95 b5 50 b5 da 84 61 79 30 a5 98 89 19 2263 56 3d 2c b2 96 ec d9 1b a6 cd d1 09 1c ff d8 d9 14 b3 78 1a 43 2264 3e e7 67 03 19 ca ed 45 d5 83 de 8b 66 b3 49 3e df 82 bc d9 14 2265 ba ce e3 06 22 2a 3b 34 de 7f 1c a4 85 7b 9c 9d 19 72 b9 7a a8 2266 26 34 01 be db 19 3b 20 1d f8 dc 33 e3 e9 d6 a6 b8 b0 bc be d3 2267 02 36 08 9a 19 7d 18 8f 21 a0 72 ec 42 7e 5a b8 e5 62 3c 4c 2e 2268 84 ad 88 91 ff 9f b1 68 69 a3 69 63 0d a6 5b f5 0d 4a 6c 92 fa 2269 fc 7d 3f b3 00 7e dc b7 7b 55 82 9f 06 ac 49 9f 6a 9b 2a 26 9d 2270 a0 ef 27 67 29 c9 37 84 db 6d 0c 81 e7 d6 2a e6 8a d5 c5 6a db 2271 21 40 a1 1a 6a ed 8c 35 e7 9f ab 13 5d 37 79 d9 9e 9f 8e a4 58 2272 c7 7f 9f 15 f1 53 7c 4c 16 25 fb f3 d7 6c d1 a2 d9 e5 39 a0 34 2273 26 70 9b 69 32 33 2d 66 76 c4 e6 71 0a 73 d8 1e e5 57 c4 39 81 2274 99 7d 89 74 c2 51 b4 d5 4f 4b cd bc 61 a8 fc c4 a0 d3 ba a6 c0 2275 a6 0a 2277 {client} derive write traffic keys for application data: 2279 PRK (32 octets): a7 95 27 3b d4 3f 76 6c 34 b0 dd 5e 57 12 9d cb 2280 6a 62 53 d4 25 39 69 f8 43 fc 64 db fb 4d e8 d1 2282 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 2284 key output (16 octets): 99 a9 9b 02 57 00 7a b1 61 ba cf 9d e9 80 2285 30 5b 2287 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 2289 iv output (12 octets): 4a f0 6c c7 ce be e4 bc ff e2 0d 0d 2291 {client} derive secret "tls13 res master": 2293 PRK (32 octets): c5 e8 54 45 75 ea 22 fb 0b 25 bc d1 72 1c c7 56 2294 ed 94 9c f7 7c 56 d4 24 b6 d2 eb d3 4b a7 4c ee 2296 hash (32 octets): 52 fc a8 f6 61 6c 96 7f 0e 93 42 dd ab 79 03 1d 2297 64 cf 07 e3 56 f4 75 13 33 1c 37 05 61 94 9b ff 2299 info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 2300 74 65 72 20 52 fc a8 f6 61 6c 96 7f 0e 93 42 dd ab 79 03 1d 64 2301 cf 07 e3 56 f4 75 13 33 1c 37 05 61 94 9b ff 2303 output (32 octets): 8b 90 6f 3a d8 2d ba 92 f6 b9 ad 03 7f 71 e3 2304 f4 
         70 eb f4 63 68 7a 2c 92 ec ee ca 3a 22 52 be af

   {server} calculate finished "tls13 finished" (same as client)

   {server} derive read traffic keys for application data (same as
      client write traffic keys)

   {server} derive secret "tls13 res master" (same as client)

   {client} send alert record:

      payload (2 octets): 01 00

      ciphertext (24 octets): 17 03 03 00 13 43 c0 93 e4 62 a8 18 6c fe
         a7 1e 94 46 ff ba bd e7 3b 79

   {server} send alert record:

      payload (2 octets): 01 00

      ciphertext (24 octets): 17 03 03 00 13 8e d0 6a 3a 56 ab b0 fb 05
         04 ed 3b 3f f9 1d 8c 93 77 8e

7.  Compatibility Mode

   This example shows use of the handshake with the client requesting
   that the server use compatibility mode as defined in Appendix D.4 of
   [TLS13].

   {client} create an ephemeral x25519 key pair:

      private key (32 octets): 90 d4 67 c3 48 e3 d2 4d 7e bb 3d d0 4c
         46 16 9a 16 bb 64 ec 6c d3 4d 56 45 ee ac 7c 2f 02 c9 b5

      public key (32 octets): 17 6f 7c 2d 12 36 9d 89 37 4c ae 31 9c 36
         34 ca 43 0f 82 d6 89 60 90 9b ef 1d 87 ad 1e 9d 32 32

   {client} send a ClientHello handshake message

   {client} send handshake record:

      payload (218 octets): 01 00 00 d6 03 03 54 dd 27 fd c8 0f 86 ea
         a7 d3 79 87 46 73 58 44 60 31 0f 38 aa ec 8f e9 3d 6c 32 b8 c0
         0b e1 9c 20 ae 8b b2 af 77 86 0c f6 9d 70 e9 70 b6 29 81 c5 25
         56 65 9d 47 33 c2 ab e8 54 86 3e fe 09 ea 86 00 06 13 01 13 03
         13 02 01 00 00 87 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72
         ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00
         01 01 01 02 01 03 01 04 00 33 00 26 00 24 00 1d 00 20 17 6f 7c
         2d 12 36 9d 89 37 4c ae 31 9c 36 34 ca 43 0f 82 d6 89 60 90 9b
         ef 1d 87 ad 1e 9d 32 32 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e
         04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02
         01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01

      ciphertext (223 octets): 16 03 01 00 da 01 00 00 d6 03
         03 54 dd
         27 fd c8 0f 86 ea a7 d3 79 87 46 73 58 44 60 31 0f 38 aa ec 8f
         e9 3d 6c 32 b8 c0 0b e1 9c 20 ae 8b b2 af 77 86 0c f6 9d 70 e9
         70 b6 29 81 c5 25 56 65 9d 47 33 c2 ab e8 54 86 3e fe 09 ea 86
         00 06 13 01 13 03 13 02 01 00 00 87 00 00 00 0b 00 09 00 00 06
         73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17
         00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00 26 00 24 00
         1d 00 20 17 6f 7c 2d 12 36 9d 89 37 4c ae 31 9c 36 34 ca 43 0f
         82 d6 89 60 90 9b ef 1d 87 ad 1e 9d 32 32 00 2b 00 03 02 7f 1c
         00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04
         01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01

   {server} extract secret "early":

      salt: (absent)

      ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

   {server} create an ephemeral x25519 key pair:

      private key (32 octets): 50 16 8d 5c 6e 6c a8 2d 2a a3 35 ba ae
         c1 bd 59 f5 19 94 ee 4a d9 79 86 5b 3d fa dc 3c 71 aa 22

      public key (32 octets): 37 69 88 a2 1d dd bc 38 a2 e6 fc de 82 33
         7a ff e6 79 a3 9c 3f e3 fb 5a 29 f9 5f 9f e8 e5 a0 42

   {server} send a ServerHello handshake message

   {server} send handshake record:

      payload (122 octets): 02 00 00 76 03 03 21 c5 c5 ee bb d5 fc 32
         cd 26 52 41 8e 6d 51 4b da df d0 51 e5 d4 37 e0 bf 0c 0a 31 8d
         30 a4 b7 20 ae 8b b2 af 77 86 0c f6 9d 70 e9 70 b6 29 81 c5 25
         56 65 9d 47 33 c2 ab e8 54 86 3e fe 09 ea 86 13 01 00 00 2e 00
         33 00 24 00 1d 00 20 37 69 88 a2 1d dd bc 38 a2 e6 fc de 82 33
         7a ff e6 79 a3 9c 3f e3 fb 5a 29 f9 5f 9f e8 e5 a0 42 00 2b 00
         02 7f 1c

      ciphertext (127 octets): 16 03 03 00 7a 02 00 00 76 03 03 21 c5
         c5 ee bb d5 fc 32 cd 26 52 41 8e 6d 51 4b da df d0 51 e5 d4 37
         e0 bf 0c 0a 31 8d 30 a4 b7 20 ae 8b b2
         af 77 86 0c f6 9d 70 e9
         70 b6 29 81 c5 25 56 65 9d 47 33 c2 ab e8 54 86 3e fe 09 ea 86
         13 01 00 00 2e 00 33 00 24 00 1d 00 20 37 69 88 a2 1d dd bc 38
         a2 e6 fc de 82 33 7a ff e6 79 a3 9c 3f e3 fb 5a 29 f9 5f 9f e8
         e5 a0 42 00 2b 00 02 7f 1c

   {server} send change_cipher_spec record:

      payload (1 octets): 01

      ciphertext (6 octets): 14 03 03 00 01 01

   {server} derive secret for handshake "tls13 derived":

      PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {server} extract secret "handshake":

      salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      ikm (32 octets): 18 5a df 44 30 f3 14 a4 a4 04 47 0e 5d d5 45 35
         b3 cb 4f b7 9f 75 da 58 b6 fa f7 e2 cf ff f0 36

      secret (32 octets): 50 9a 53 59 61 77 d3 24 94 53 e7 bf ac fe 6e
         6d 1d be 83 7e d6 bd ab 06 d2 d8 97 59 33 b9 07 d9

   {server} derive secret "tls13 c hs traffic":

      PRK (32 octets): 50 9a 53 59 61 77 d3 24 94 53 e7 bf ac fe 6e 6d
         1d be 83 7e d6 bd ab 06 d2 d8 97 59 33 b9 07 d9

      hash (32 octets): b3 8d da d9 ff b9 64 09 bb de 07 05 47 b4 c6 94
         cc b7 9b 4a ed a1 71 a4 6f 09 2d 79 ae fb e7 4c

      info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72
         61 66 66 69 63 20 b3 8d da d9 ff b9 64 09 bb de 07 05 47 b4 c6
         94 cc b7 9b 4a ed a1 71 a4 6f 09 2d 79 ae fb e7 4c

      output (32 octets): 4b 4c d4 8c 4f 39 9c 05 77 bd 73 11 5b b5 12
         f1 af 4e 3c 65 fa da 60
         d5 24 6b 3e 64 b5 7d c5 ec

   {server} derive secret "tls13 s hs traffic":

      PRK (32 octets): 50 9a 53 59 61 77 d3 24 94 53 e7 bf ac fe 6e 6d
         1d be 83 7e d6 bd ab 06 d2 d8 97 59 33 b9 07 d9

      hash (32 octets): b3 8d da d9 ff b9 64 09 bb de 07 05 47 b4 c6 94
         cc b7 9b 4a ed a1 71 a4 6f 09 2d 79 ae fb e7 4c

      info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
         61 66 66 69 63 20 b3 8d da d9 ff b9 64 09 bb de 07 05 47 b4 c6
         94 cc b7 9b 4a ed a1 71 a4 6f 09 2d 79 ae fb e7 4c

      output (32 octets): 2c e0 bf ee 1c 9c bf 77 3a 21 40 b1 4b 14 a0
         8c 65 de ee 09 4a bc db 0f 01 8a 1d 50 33 1f 30 cd

   {server} derive secret for master "tls13 derived":

      PRK (32 octets): 50 9a 53 59 61 77 d3 24 94 53 e7 bf ac fe 6e 6d
         1d be 83 7e d6 bd ab 06 d2 d8 97 59 33 b9 07 d9

      hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets): 42 60 f4 bc 75 60 30 9b de 27 31 79 f9 2c 94
         f1 13 e3 10 02 fb ba b3 b3 17 98 a3 05 04 10 e2 33

   {server} extract secret "master":

      salt (32 octets): 42 60 f4 bc 75 60 30 9b de 27 31 79 f9 2c 94 f1
         13 e3 10 02 fb ba b3 b3 17 98 a3 05 04 10 e2 33

      ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets): 6a c7 28 bf 27 30 55 d8 24 4f 71 01 07 fe 11
         91 ec 30 47 c0 e9 86 14 aa d5 2f 51 62 27 7f 00 7b

   {server} derive write traffic keys for handshake data:

      PRK (32 octets): 2c e0 bf ee 1c 9c bf 77 3a 21 40 b1 4b 14 a0 8c
         65 de ee 09 4a bc db 0f 01 8a 1d 50 33 1f 30 cd

      key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets): 1e f6 3e cc 95 0c e3 96 b0 11 16 ad 52 35
         3f f1

      iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets): 73 ab 6b 2d c5 8a 11 fd 05 70 4a ce

   {server} send a EncryptedExtensions handshake message

   {server} send a Certificate handshake message

   {server} send a CertificateVerify handshake message

   {server} calculate finished "tls13 finished":

      PRK (32 octets): 2c e0 bf ee 1c 9c bf 77 3a 21 40 b1 4b 14 a0 8c
         65 de ee 09 4a bc db 0f 01 8a 1d 50 33 1f 30 cd

      hash (0 octets): (empty)

      info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets): 37 10 db 07 3f 25 97 e5 f6 0f cb 4b 14 df bb
         ff 45 1e 50 c4 af 44 24 c2 6b 04 55 f1 de 1f 14 41

   {server} send a Finished handshake message

   {server} send handshake record:

      payload (651 octets): 08 00 00 1e 00 1c 00 0a 00 14 00 12 00 1d
         00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 0b
         00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30 82 01 15 a0 03 02
         01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30
         0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 1e 17 0d 31 36
         30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36 30 37 33 30 30 31
         32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61
         30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d
         00 30 81 89 02 81 81 00 b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b
         36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4
         9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed
         43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d
         44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9
         d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28
         a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 01 00 01 a3 1a 30 18 30 09
         06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 05
         a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 85
         aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17 06
         18 a5 4c 5f 8a
         7b 33 7d 2d f7 a5 94 36 54 17 f2 ea e8 f8 a5 8c 8f 81 72 f9 31
         9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 51 56 72 60 96 fd 33 5e 5e
         67 f2 db f1 02 70 2e 60 8c ca e6 be c1 fc 63 a4 2a 99 be 5c 3e
         b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1c 3b 84 e0 a8 b2 f7 59 40
         9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 96 12 29 ac 91 87 b4 2b 4d
         e1 00 00 0f 00 00 84 08 04 00 80 58 c8 c3 2b e7 b4 d2 a7 42 2b
         f3 32 1d 0b dc 63 4c 8e 54 7e 12 0e 57 f8 90 ac 3c 2b 93 b1 c9
         9d 36 4b 9a 59 9e ad f4 cb 17 50 22 2f 65 61 aa b6 b6 89 10 15
         eb 6b 27 4c 21 72 4a df 97 f0 00 ff 03 de 8f 14 24 53 28 5f b4
         4b 7e 65 96 7c ea 58 74 3e a1 cb 7a 28 62 d0 18 12 64 6b ff 50
         04 9e 5b e1 ea 5d c3 50 ed 7e 53 a4 38 5d d3 f0 aa dc e4 bc ec
         9d 64 8f 82 0d e1 3d da e4 2f 9f 96 20 14 00 00 20 ed 0a 13 2e
         5f e8 fb 5b 43 aa aa 7b ab 9e 46 34 63 64 11 0a 1b 25 33 75 ab
         fc 6d ea 46 ef 91 c0

      ciphertext (673 octets): 17 03 03 02 9c 1e 4e 15 9f 57 8e 9d 1d
         73 88 13 e5 1b e1 89 ea 1c 80 1b 85 ab bc 4f 0d 52 92 7f aa 30
         6c 04 e6 7f a8 02 ab 02 38 56 18 aa 0e b3 d1 af a0 84 62 ec f3
         a0 04 a5 f2 dc 51 be 25 10 8f dd d6 38 92 04 88 3a 39 bd f1 0d
         bb de 5f 33 4a c5 bf 11 85 86 de c0 38 2d cf 00 b2 69 13 8a fe
         27 28 37 0c c1 9a 3d 58 12 4c b1 99 be b9 7c a0 a8 a9 ab af 01
         c2 38 f2 9c 45 b5 30 28 f8 d8 d2 2a 49 0b d8 2c f2 53 3a 76 72
         4d 67 d8 a7 2a b0 fb 94 53 63 fb 92 4f 8c a5 e1 32 e6 b3 3c 85
         29 4b 12 1c 69 8d df 37 52 ec f3 bc b9 f9 b9 01 37 bf d3 ad 0d
         fd 04 52 2c 27 1e 63 23 11 37 93 a5 c7 36 ee fa b2 73 a4 79 c3
         d8 b0 07 2d 0c 39 d9 4f 7d 1b ea c3 2f 02 15 be 45 04 14 6e 83
         c8 d3 37 c8 27 e7 f0 05 d4 83 a8 46 ef 6c c8 1a 13 ed 52 88 d1
         69 4e c1 76 a2 7f fb 62 c5 93 ab 1e df dc 8c 6f 0c ec 57 34 7a
         e8 81 ab 17 ab a9 49 b4 f5 1a 0b 61 49 09 00 ff 92 16 bd b2 26
         99 5b 54 9c 8d 5d 19 31 a0 11 de 06 bf 75 0f 8c 1c 54 8b 4b d7
         00 2d 9a 76 7e 7b 66 77 f6 4b d2 3f e7 a5 ce 3c
         55 5e 7b 8b c6
         ed e8 72 f5 d9 6a fa c0 50 e9 a0 2c 80 1a 0f 15 12 4a 46 42 aa
         89 cc d0 e5 fe b6 70 a9 68 dd db 31 7b fc e9 db 82 9f 63 d4 5a
         bf e6 1a f9 56 d1 b3 c6 ea 8d fe 17 3b 13 d3 db 69 38 7b 54 23
         f2 78 d2 d7 49 e1 9e 2e 61 d4 f6 85 b6 e6 57 40 8f 99 3a b5 b4
         5c 3c dc ed fd be 44 b0 5f 6a dd 3a 5d e9 30 46 f2 af bb 30 ea
         03 26 47 eb 7d b7 8a c4 6a 1c 54 52 e3 e9 39 69 82 ef 55 2e 69
         cc a5 a7 9d 57 af 22 10 2f da 06 7d 2d 48 f6 9a 91 5c 41 87 81
         29 10 ec b4 7e 76 41 78 e0 ad cc 92 10 42 bc 9f ac 44 53 54 09
         10 b5 02 9d 79 e4 1f 87 d2 66 01 16 18 45 2b 38 b0 0f 97 a6 32
         20 30 4c d8 56 b8 0c f7 d7 f0 dc 30 7d 2b 9b 57 db 57 ad 29 3a
         58 85 f9 4f c2 65 c1 84 af d9 0b 85 a2 52 12 f5 6c 8c c8 29 c1
         b7 d1 6d ce 0b 8b 48 26 44 2d 79 6f 76 fb 1a 8d ff d3 06 96 cf
         07 c8 c9 58 4a f9 76 ba 4c 86 4b f4 75 12 fb 8c a3 3f 8d 96 1a
         5b 66 68 d1 b5 ad c3 8f 16 aa 8b 87 91 be da 44 5c a4 89 8b 0b
         c8 c8 de 04 22 81 25 21 42 50 cf 49 f4 3d ce d2 28 f5 4c 01 d6
         b2 e1 fa d7 33 50 e9 a3 69 1e ee fc af 8a 4c a3 66 45 92 0e 72
         97 af 36 1e 01 27 0e d1 fe

   {server} derive secret "tls13 c ap traffic":

      PRK (32 octets): 6a c7 28 bf 27 30 55 d8 24 4f 71 01 07 fe 11 91
         ec 30 47 c0 e9 86 14 aa d5 2f 51 62 27 7f 00 7b

      hash (32 octets): 9e 61 88 ec d4 0e c8 d1 45 81 2f 15 70 04 59 47
         bc 41 6a fc cf a8 ca 34 1a 4a 76 01 f6 a7 39 cd

      info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72
         61 66 66 69 63 20 9e 61 88 ec d4 0e c8 d1 45 81 2f 15 70 04 59
         47 bc 41 6a fc cf a8 ca 34 1a 4a 76 01 f6 a7 39 cd

      output (32 octets): 07 04 02 00 14 0c 44 d3 60 5a 53 0b 0d b2 ee
         e6 ad 5b ff 4a 51 64 20 df 10 95 d6 26 15 b5 3b be

   {server} derive secret "tls13 s ap traffic":

      PRK (32 octets): 6a c7 28 bf 27 30 55 d8 24 4f 71 01 07 fe 11 91
         ec 30 47 c0 e9 86 14 aa d5 2f 51 62 27 7f 00 7b

      hash (32 octets): 9e 61 88 ec d4 0e c8 d1 45 81 2f 15 70 04 59 47
         bc 41 6a fc cf a8 ca 34 1a 4a 76 01 f6 a7 39 cd

      info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72
         61 66 66 69 63 20 9e 61 88 ec d4 0e c8 d1 45 81 2f 15 70 04 59
         47 bc 41 6a fc cf a8 ca 34 1a 4a 76 01 f6 a7 39 cd

      output (32 octets): a1 16 af 52 37 f0 00 ca 95 4a 76 f0 bf 59 78
         2d db 81 45 9e b5 f0 36 eb 72 10 ed 9e ab 6c 23 36

   {server} derive secret "tls13 exp master":

      PRK (32 octets): 6a c7 28 bf 27 30 55 d8 24 4f 71 01 07 fe 11 91
         ec 30 47 c0 e9 86 14 aa d5 2f 51 62 27 7f 00 7b

      hash (32 octets): 9e 61 88 ec d4 0e c8 d1 45 81 2f 15 70 04 59 47
         bc 41 6a fc cf a8 ca 34 1a 4a 76 01 f6 a7 39 cd

      info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73
         74 65 72 20 9e 61 88 ec d4 0e c8 d1 45 81 2f 15 70 04 59 47 bc
         41 6a fc cf a8 ca 34 1a 4a 76 01 f6 a7 39 cd

      output (32 octets): a6 e6 ca 68 ff 08 62 3b ca de 3d 27 35 95 eb
         ae 49 93 aa e4 7d c1 d8 cf 2f 1d 12 e9 d8 ee 91 5e

   {server} derive write traffic keys for application data:

      PRK (32 octets): a1 16 af 52 37 f0 00 ca 95 4a 76 f0 bf 59 78 2d
         db 81 45 9e b5 f0 36 eb 72 10 ed 9e ab 6c 23 36

      key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets): b2 1c 13 11 a2 57 45 a0 c1 d8 de 68 c7 ce
         7a dc

      iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets): d1 7b 34 2a f3 32 e9 90 1f 42 44 43

   {server} derive read traffic keys for handshake data:

      PRK (32 octets): 4b 4c d4 8c 4f 39 9c 05 77 bd 73 11 5b b5 12 f1
         af 4e 3c 65 fa da 60 d5 24 6b 3e 64 b5 7d c5 ec

      key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets): cc 08 24 4c 19 61 00 74 6d 6e bd e5 6f ee
         e9 01

      iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets): c0 52 e0 7a ce 1d 8e 0f af aa f1 a9

   {client} extract secret "early":

      salt: (absent)

      ikm (32 octets): 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

   {client} derive secret for handshake "tls13 derived":

      PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {client} extract secret "handshake":

      salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      ikm (32 octets): 18 5a df 44 30 f3 14 a4 a4 04 47 0e 5d d5 45 35
         b3 cb 4f b7 9f 75 da 58 b6 fa f7 e2 cf ff f0 36

      secret (32 octets): 50 9a 53 59 61 77 d3 24 94 53 e7 bf ac fe 6e
         6d 1d be 83 7e d6 bd ab 06 d2 d8 97 59 33 b9 07 d9

   {client} derive secret "tls13 c hs traffic" (same as server)

   {client} derive secret "tls13 s hs traffic" (same as server)

   {client} derive secret for master "tls13 derived" (same as server)

   {client} extract secret "master" (same as server)

   {client} derive read traffic keys for handshake data:

      PRK (32 octets): 2c e0 bf ee 1c 9c bf 77 3a 21 40 b1 4b 14 a0 8c
         65 de ee 09 4a bc db 0f 01 8a 1d 50 33 1f 30 cd

      key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets): 1e f6 3e cc 95 0c e3 96 b0 11 16 ad 52 35
         3f f1

      iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets): 73 ab 6b 2d c5 8a 11 fd 05 70 4a ce

   {client} calculate finished "tls13 finished" (same as server)

   {client} derive secret "tls13 c ap traffic" (same as server)

   {client} derive secret "tls13 s ap traffic" (same as server)

   {client} derive secret "tls13 exp master" (same as server)

   {client} send change_cipher_spec record:

      payload (1 octets): 01

      ciphertext (6 octets): 14 03 03 00 01 01

   {client} derive write traffic keys for handshake data (same as
      server read traffic keys)

   {client} derive read traffic keys for application data (same as
      server write traffic keys)

   {client} calculate finished "tls13 finished":

      PRK (32 octets): 4b 4c d4 8c 4f 39 9c 05 77 bd 73 11 5b b5 12 f1
         af 4e 3c 65 fa da 60 d5 24 6b 3e 64 b5 7d c5 ec

      hash (0 octets): (empty)

      info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets): 00 f1 67 b7 01 24 2f d4 77 08 23 d6 4b a7 f5
         09 0e 8b 93 bd 24 9d bd 4d 1d 2f 6c 75 e3 4d 68 4a

   {client} send a Finished handshake message

   {client} send handshake record:

      payload (36 octets): 14 00 00 20 9c dd a7 08 0e f0 6b ce 6c 90 bb
         d0 03 1e 1b c8 82 1a 64 70 ea 2a 61 d6 d8 42 b1 51 a6 1c 35 2c

      ciphertext (58 octets): 17 03 03 00 35 df 43 9f 06 1c 68 4c 3c 96
         08 9b 15 58 8c 8d bf af 32 67 a3 d0 83 60 ae b1 d1 59 ce 92 85
         f7 4e 91 b7 91 7b 4d 7a 1d 11 d6 7d cf 8b 8c fe 4c af 5d a9 58
         b4 a9

   {client} derive write traffic keys for application data:

      PRK (32 octets): 07 04 02 00 14 0c 44 d3 60 5a 53 0b 0d b2 ee e6
         ad 5b ff 4a 51 64 20 df 10 95 d6 26 15 b5 3b be

      key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets): f0 72 a4 38 13 be 60 17 99 b4 c1 21 2c 45
         28 18

      iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets): 47 c6 45 c2 e5 1c 04 f6 e9 21 f4 99

   {client} derive secret "tls13 res master":

      PRK (32 octets): 6a c7 28 bf 27 30 55 d8 24 4f 71 01 07 fe 11 91
         ec 30 47 c0 e9 86 14 aa d5 2f
         51 62 27 7f 00 7b

      hash (32 octets): 7a 0a 30 81 19 4d bc f1 bd af c6 f4 02 a0 62 a2
         b1 e3 3a c9 6e ea 6f c3 22 62 c5 20 49 bf d7 1a

      info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73
         74 65 72 20 7a 0a 30 81 19 4d bc f1 bd af c6 f4 02 a0 62 a2 b1
         e3 3a c9 6e ea 6f c3 22 62 c5 20 49 bf d7 1a

      output (32 octets): 69 5c b5 3a dd e2 0c 27 6b 9d 87 11 a8 df 03
         6c cc ce be 5c 82 ed ab 0c 3a 6c 5f 39 84 54 1e 77

   {server} calculate finished "tls13 finished" (same as client)

   {server} derive read traffic keys for application data (same as
      client write traffic keys)

   {server} derive secret "tls13 res master" (same as client)

   {client} send alert record:

      payload (2 octets): 01 00

      ciphertext (24 octets): 17 03 03 00 13 85 3c c0 b9 9c 64 e3 78 5c
         c8 53 b5 61 a1 24 0f f6 35 75

   {server} send alert record:

      payload (2 octets): 01 00

      ciphertext (24 octets): 17 03 03 00 13 2b cd 23 33 71 26 6e b4 bc
         ce 2d 27 56 f3 8f 37 15 ea 19

8. Security Considerations

   It probably isn't a good idea to use the private key here. If it
   weren't for the fact that it is too small to provide any meaningful
   security, it is now very well known.

9. References

9.1. Normative References

   [TLS13] Rescorla, E., "The Transport Layer Security (TLS) Protocol
      Version 1.3", draft-ietf-tls-tls13-28 (work in progress),
      March 2018.

9.2. Informative References

   [FIPS186] National Institute of Standards and Technology (NIST),
      "Digital Signature Standard (DSS)", NIST PUB 186-4, July
      2013.

   [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
      for Security", RFC 7748, DOI 10.17487/RFC7748, January
      2016.

9.3. URIs

   [1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS

Appendix A. Acknowledgements

   This draft is generated using tests that were written for NSS [1].
   None of this would have been possible without Franziskus Kiefer, Eric
   Rescorla and Tim Taubert, who did a lot of the work in NSS.

Author's Address

   Martin Thomson
   Mozilla

   Email: martin.thomson@gmail.com
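
Added example (not part of the draft and not NSS code): the Section 7 server-side key schedule recomputed with Python's standard library, so each "info" and "output" row of the trace can be checked step by step. The function and variable names are this example's own; the shared secret and transcript hash are copied from the Section 7 trace.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = 32  # SHA-256, the hash of cipher suite 13 01 chosen in the trace


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869); an absent salt is HASH_LEN zero octets."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) | info | i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_label(length: int, label: str, context: bytes) -> bytes:
    """Build the trace's 'info' rows: uint16 output length, length-prefixed
    label carrying the "tls13 " prefix, then the length-prefixed context."""
    full = b"tls13 " + label.encode("ascii")
    return (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)


def expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    return hkdf_expand(secret, hkdf_label(length, label, context), length)


# Inputs copied from the Section 7 trace.
SHARED_SECRET = bytes.fromhex(  # ikm row of: extract secret "handshake"
    "185adf4430f314a4a404470e5dd54535b3cb4fb79f75da58b6faf7e2cffff036")
HELLO_HASH = bytes.fromhex(     # hash row of: derive secret "tls13 s hs traffic"
    "b38ddad9ffb96409bbde070547b4c694ccb79b4aeda171a46f092d79aefbe74c")


def server_handshake_schedule(shared: bytes, hello_hash: bytes) -> dict:
    """Walk early -> handshake -> master and cut the server handshake keys."""
    empty_hash = HASH(b"").digest()             # hash row of "tls13 derived"
    early = hkdf_extract(b"", bytes(HASH_LEN))  # no PSK: ikm is all zeros
    derived = expand_label(early, "derived", empty_hash, HASH_LEN)
    handshake = hkdf_extract(derived, shared)
    s_hs = expand_label(handshake, "s hs traffic", hello_hash, HASH_LEN)
    master = hkdf_extract(
        expand_label(handshake, "derived", empty_hash, HASH_LEN),
        bytes(HASH_LEN))
    return {
        "early": early, "derived": derived, "handshake": handshake,
        "s_hs_traffic": s_hs, "master": master,
        "key": expand_label(s_hs, "key", b"", 16),  # 16-octet key, as traced
        "iv": expand_label(s_hs, "iv", b"", 12),
        "finished": expand_label(s_hs, "finished", b"", HASH_LEN),
    }


if __name__ == "__main__":
    result = server_handshake_schedule(SHARED_SECRET, HELLO_HASH)
    for name, value in result.items():
        print(f"{name:13} {value.hex()}")
```

A mismatch at one step localises the fault: a wrong "derived" value points at the label encoding, while a wrong "handshake" value with a correct "derived" points at the key exchange output.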