idnits 2.17.00 (12 Aug 2021) /tmp/idnits2246/draft-ietf-tls-tls13-vectors-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (May 30, 2018) is 1451 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '1' on line 2857 == Outdated reference: draft-ietf-tls-tls13 has been published as RFC 8446 Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 TLS M. Thomson 3 Internet-Draft Mozilla 4 Intended status: Informational May 30, 2018 5 Expires: December 1, 2018 7 Example Handshake Traces for TLS 1.3 8 draft-ietf-tls-tls13-vectors-05 10 Abstract 12 Examples of TLS 1.3 handshakes are shown. Private keys and inputs 13 are provided so that these handshakes might be reproduced. 14 Intermediate values, including secrets, traffic keys and ivs are 15 shown so that implementations might be checked incrementally against 16 these values. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at https://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on December 1, 2018. 35 Copyright Notice 37 Copyright (c) 2018 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (https://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 53 2. Private Keys . . . . . . . . . . . . . . . . . . . . . . . . 2 54 3. Simple 1-RTT Handshake . . . . . . . . . . . . . . . . . . . 3 55 4. Resumed 0-RTT Handshake . . . . . . . . . . . . . . . . . . . 15 56 5. HelloRetryRequest . . . . . . . . . . . . . . . . . . . . . . 26 57 6. Client Authentication . . . . . . . . . . . . . . . . . . . . 38 58 7. Compatibility Mode . . . . . . . . . . . . . . . . . . . . . 49 59 8. Security Considerations . . . . . . . . . . . . . . . . . . . 59 60 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 60 61 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 60 62 10.1. Normative References . . . . . . . . . . . . . . . . . . 60 63 10.2. Informative References . . . . . . . . . . . . . . . . . 60 64 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 60 65 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 60 67 1. Introduction 69 TLS 1.3 [TLS13] defines a new key schedule and a number new 70 cryptographic operations. This document includes sample handshakes 71 that show all intermediate values. This allows an implementation to 72 be verified incrementally, examining inputs and outputs of each 73 cryptographic computation independently. 75 A private key is included with the traces so that implementations can 76 be checked by importing these values and verifying that the same 77 outputs are produced. 79 2. Private Keys 81 Ephemeral private keys are shown as they are generated in the traces. 83 The server in most examples uses an RSA certificate with a private 84 key of: 86 modulus (public): b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 87 0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab 88 bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 89 a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f 90 da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 91 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 92 3f 94 public exponent: 01 00 01 96 private exponent: 04 de a7 05 d4 3a 6e a7 20 9d d8 07 21 11 a8 3c 81 97 e3 22 a5 92 78 b3 34 80 64 1e af 7c 0a 69 85 b8 e3 1c 44 f6 de 62 98 e1 b4 c2 30 9f 61 26 e7 7b 7c 41 e9 23 31 4b bf a3 88 13 05 dc 12 99 17 f1 6c 81 9c e5 38 e9 22 f3 69 82 8d 0e 57 19 5d 8c 84 88 46 02 100 07 b2 fa a7 26 bc f7 08 bb d7 db 7f 67 9f 89 34 92 fc 2a 62 2e 08 101 97 0a ac 44 1c e4 e0 c3 08 8d f2 5a e6 79 23 3d f8 a3 bd a2 ff 99 102 41 104 prime1: e4 35 fb 7c c8 37 37 75 6d ac ea 96 ab 7f 59 a2 cc 10 69 db 105 7d eb 19 0e 17 e3 3a 53 2b 27 3f 30 a3 27 aa 0a aa bc 58 cd 67 46 106 6a f9 84 5f ad c6 75 fe 09 4a f9 2c 4b d1 f2 c1 bc 33 dd 2e 05 15 108 prime2: ca bd 3b c0 e0 43 86 64 c8 d4 cc 9f 99 97 7a 94 d9 bb fe ad 109 8e 43 87 0a ba e3 f7 eb 8b 4e 0e ee 8a f1 d9 b4 71 9b a6 19 6c f2 110 cb ba ee eb f8 b3 49 0a fe 9e 9f fa 74 a8 8a a5 1f c6 45 62 93 03 112 exponent1: 3f 57 34 5c 27 fe 1b 68 7e 6e 76 16 27 b7 8b 1b 82 64 33 113 dd 76 0f a0 be a6 a6 ac f3 94 90 aa 1b 47 cd a4 86 9d 68 f5 84 dd 114 5b 50 29 bd 32 09 3b 82 58 66 1f e7 15 02 5e 5d 70 a4 5a 08 d3 d3 115 19 117 exponent2: 18 3d a0 13 63 bd 2f 28 85 ca cb dc 99 64 bf 47 64 f1 51 118 76 36 f8 64 01 28 6f 71 89 3c 52 cc fe 40 a6 c2 3d 0d 08 6b 47 c6 119 fb 10 d8 fd 10 41 e0 4d ef 7e 9a 40 ce 95 7c 41 77 94 e1 04 12 d1 120 39 122 coefficient: 83 9c a9 a0 85 e4 28 6b 2c 90 e4 66 99 7a 2c 68 1f 21 123 33 9a a3 47 78 14 e4 de c1 18 33 05 0e d5 0d d1 3c c0 38 04 8a 43 124 c5 9b 2a cc 41 68 89 c0 37 66 5f e5 af a6 05 96 9f 8c 01 df a5 ca 125 96 9d 127 3. Simple 1-RTT Handshake 129 In this example, the simplest possible handshake is completed. The 130 server is authenticated, but the client remains anonymous. After 131 connecting, a few application data octets are exchanged. The server 132 sends a session ticket that permits the use of 0-RTT in any resumed 133 session. 135 {client} create an ephemeral x25519 key pair: 137 private key (32 octets): 1c ca bb 6e 08 b3 86 c8 d6 9e db 0d 7f 138 7c 36 08 47 23 4f e4 85 bc 1c fc a4 18 b2 7e 40 b8 6c 8b 140 public key (32 octets): 2e 59 6f fe 6d 68 c4 f4 02 cb 0f 49 84 1f 141 11 f1 ff 97 32 1d 32 42 54 d3 18 52 9a 77 cc d9 88 06 143 {client} send a ClientHello handshake message 145 {client} send handshake record: 147 payload (190 octets): 01 00 00 ba 03 03 01 6a 95 72 55 63 a4 a5 148 2c 6a ae 5b 86 f8 ec a3 21 a9 a3 57 48 1e b7 84 7e 9a 9d a4 12 149 20 b6 66 00 00 06 13 01 13 03 13 02 01 00 00 8b 00 00 00 0b 00 150 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 151 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 23 00 152 00 00 33 00 26 00 24 00 1d 00 20 2e 59 6f fe 6d 68 c4 f4 02 cb 153 0f 49 84 1f 11 f1 ff 97 32 1d 32 42 54 d3 18 52 9a 77 cc d9 88 154 06 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 155 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 156 02 02 00 2d 00 02 01 01 158 ciphertext (195 octets): 16 03 01 00 be 01 00 00 ba 03 03 01 6a 159 95 72 55 63 a4 a5 2c 6a ae 5b 86 f8 ec a3 21 a9 a3 57 48 1e b7 160 84 7e 9a 9d a4 12 20 b6 66 00 00 06 13 01 13 03 13 02 01 00 00 161 8b 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 162 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 163 03 01 04 00 23 00 00 00 33 00 26 00 24 00 1d 00 20 2e 59 6f fe 164 6d 68 c4 f4 02 cb 0f 49 84 1f 11 f1 ff 97 32 1d 32 42 54 d3 18 165 52 9a 77 cc d9 88 06 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 166 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 167 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 169 {server} extract secret "early": 171 salt: (absent) 173 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 174 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 176 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c 177 e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 179 {server} create an ephemeral x25519 key pair: 181 private key (32 octets): 13 61 1f 76 71 f7 4e fe 91 3e cb 24 26 182 f8 cf 48 df 50 67 f4 a7 ec b0 d0 27 96 af a5 2c a4 72 4f 184 public key (32 octets): 49 53 6b a3 f5 a9 f9 cf 46 7f e1 bd 67 03 185 52 c3 dd 92 57 e4 d5 63 22 7d a9 0a 07 d2 0c ef 96 6f 187 {server} send a ServerHello handshake message 189 {server} derive secret for handshake "tls13 derived": 191 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 192 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 194 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 195 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 197 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 198 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 199 64 9b 93 4c a4 95 99 1b 78 52 b8 55 201 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 202 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 204 {server} extract secret "handshake": 206 salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 207 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 209 ikm (32 octets): 0b c3 7c 6e 7c 83 66 38 4b ad d8 e9 00 57 b9 c2 210 39 21 3e 19 8e f3 95 aa 2d 69 0a ae 1b 4e 9a 44 212 secret (32 octets): ee ef ce 91 5d c4 8b 22 a7 ae 76 4a d2 82 ba 213 41 6f 97 fe 89 e5 d1 bc 89 5b 2d 91 62 35 aa a2 ae 215 {server} derive secret "tls13 c hs traffic": 217 PRK (32 octets): ee ef ce 91 5d c4 8b 22 a7 ae 76 4a d2 82 ba 41 218 6f 97 fe 89 e5 d1 bc 89 5b 2d 91 62 35 aa a2 ae 220 hash (32 octets): df 94 98 64 2c c0 b3 7f 60 42 53 bf 34 1b b0 44 221 8e 3d b5 f5 c8 ab b2 39 31 9b 1c 7b 7b 2e ac 63 223 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 224 61 66 66 69 63 20 df 94 98 64 2c c0 b3 7f 60 42 53 bf 34 1b b0 225 44 8e 3d b5 f5 c8 ab b2 39 31 9b 1c 7b 7b 2e ac 63 227 output (32 octets): a4 d4 cd ed fb 3c 07 d7 be 78 85 8c 0b 63 38 228 eb 48 02 f1 58 88 ad 14 c1 ef 56 20 74 35 84 06 04 230 {server} derive secret "tls13 s hs traffic": 232 PRK (32 octets): ee ef ce 91 5d c4 8b 22 a7 ae 76 4a d2 82 ba 41 233 6f 97 fe 89 e5 d1 bc 89 5b 2d 91 62 35 aa a2 ae 235 hash (32 octets): df 94 98 64 2c c0 b3 7f 60 42 53 bf 34 1b b0 44 236 8e 3d b5 f5 c8 ab b2 39 31 9b 1c 7b 7b 2e ac 63 238 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 239 61 66 66 69 63 20 df 94 98 64 2c c0 b3 7f 60 42 53 bf 34 1b b0 240 44 8e 3d b5 f5 c8 ab b2 39 31 9b 1c 7b 7b 2e ac 63 242 output (32 octets): ce 69 11 59 11 09 be 95 33 30 63 a9 fe e9 3a 243 3f cc 32 bd 24 9c a0 6f 27 34 ad be 91 7c 02 06 ca 245 {server} derive secret for master "tls13 derived": 247 PRK (32 octets): ee ef ce 91 5d c4 8b 22 a7 ae 76 4a d2 82 ba 41 248 6f 97 fe 89 e5 d1 bc 89 5b 2d 91 62 35 aa a2 ae 250 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 251 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 253 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 254 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 255 64 9b 93 4c a4 95 99 1b 78 52 b8 55 257 output (32 octets): 91 33 1f e1 94 ae 42 89 b8 3d f6 0d db ec 5d 258 38 44 94 fb 5d a8 0c 63 4d c9 21 82 7c 9c a0 50 a6 260 {server} extract secret "master": 262 salt (32 octets): 91 33 1f e1 94 ae 42 89 b8 3d f6 0d db ec 5d 38 263 44 94 fb 5d a8 0c 63 4d c9 21 82 7c 9c a0 50 a6 265 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 266 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 268 secret (32 octets): ef 19 6e 6f 5b 18 09 d4 96 19 c1 5d 61 97 a5 269 0f 4e 23 25 df be fa 72 18 08 17 a9 82 0e b3 1f 37 271 {server} send handshake record: 273 payload (90 octets): 02 00 00 56 03 03 5e d8 d9 fa bb 99 81 14 89 274 1b 1a c3 82 95 42 e5 d6 f8 dc 55 72 70 48 04 13 e4 7f 65 f6 fa 275 af 31 00 13 01 00 00 2e 00 33 00 24 00 1d 00 20 49 53 6b a3 f5 276 a9 f9 cf 46 7f e1 bd 67 03 52 c3 dd 92 57 e4 d5 63 22 7d a9 0a 277 07 d2 0c ef 96 6f 00 2b 00 02 7f 1c 279 ciphertext (95 octets): 16 03 03 00 5a 02 00 00 56 03 03 5e d8 d9 280 fa bb 99 81 14 89 1b 1a c3 82 95 42 e5 d6 f8 dc 55 72 70 48 04 281 13 e4 7f 65 f6 fa af 31 00 13 01 00 00 2e 00 33 00 24 00 1d 00 282 20 49 53 6b a3 f5 a9 f9 cf 46 7f e1 bd 67 03 52 c3 dd 92 57 e4 283 d5 63 22 7d a9 0a 07 d2 0c ef 96 6f 00 2b 00 02 7f 1c 285 {server} derive write traffic keys for handshake data: 287 PRK (32 octets): ce 69 11 59 11 09 be 95 33 30 63 a9 fe e9 3a 3f 288 cc 32 bd 24 9c a0 6f 27 34 ad be 91 7c 02 06 ca 290 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 292 key output (16 octets): 33 0f a2 49 0d 3c a4 eb 83 48 8e 36 f9 e8 293 fd 58 295 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 297 iv output (12 octets): 4a 86 a3 a1 e8 c7 cc 6c 37 7d fe 1a 299 {server} send a EncryptedExtensions handshake message 301 {server} send a Certificate handshake message 303 {server} send a CertificateVerify handshake message 305 {server} calculate finished "tls13 finished": 307 PRK (32 octets): ce 69 11 59 11 09 be 95 33 30 63 a9 fe e9 3a 3f 308 cc 32 bd 24 9c a0 6f 27 34 ad be 91 7c 02 06 ca 310 hash (0 octets): (empty) 312 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 313 64 00 315 output (32 octets): 90 8f 48 22 03 d1 39 ef da cc 57 22 4b db 67 316 6c 45 46 21 c6 b7 1f 0b 22 d0 a7 60 20 0b ca 6e 29 318 {server} send a Finished handshake message 320 {server} send handshake record: 322 payload (651 octets): 08 00 00 1e 00 1c 00 0a 00 14 00 12 00 1d 323 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 0b 324 00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30 82 01 15 a0 03 02 325 01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 326 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 1e 17 0d 31 36 327 30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36 30 37 33 30 30 31 328 32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 329 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 330 00 30 81 89 02 81 81 00 b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 331 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 332 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 333 43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 334 44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 335 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 336 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 01 00 01 a3 1a 30 18 30 09 337 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 05 338 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 85 339 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17 06 18 a5 4c 5f 8a 340 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea e8 f8 a5 8c 8f 81 72 f9 31 341 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 51 56 72 60 96 fd 33 5e 5e 342 67 f2 db f1 02 70 2e 60 8c ca e6 be c1 fc 63 a4 2a 99 be 5c 3e 343 b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1c 3b 84 e0 a8 b2 f7 59 40 344 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 96 12 29 ac 91 87 b4 2b 4d 345 e1 00 00 0f 00 00 84 08 04 00 80 57 bb 8c 7d 37 ba 54 60 f1 10 346 7b 7c d8 98 09 6d 52 90 98 c6 e9 50 19 cb c1 f9 f0 f7 b6 7c e8 347 40 81 32 d6 e5 23 86 44 ba e0 b2 3b 30 90 7c 7b 70 ca 58 b0 bc 348 13 1b 6a 75 3a 42 03 3e b6 4b 14 ec ee de 85 f6 93 17 74 2d f6 349 23 a3 8b 32 80 45 1d 0c 7f 04 2a df fd 6e a2 3a 4f 78 96 ae 3b 350 21 a5 b0 65 bf 85 67 81 bf 03 08 df 04 06 7c 6c 6b 1e 41 9a 6b 351 4c ed cd 4f 12 5f 61 9d 1b 3d 9f 82 5b 14 00 00 20 bf bf 3e b1 352 7c e6 5a af c8 63 19 41 f3 60 92 1b 5e 31 4a db b0 06 34 62 ca 353 f1 e7 8b 3f c5 9b 3e 355 ciphertext (673 octets): 17 03 03 02 9c d1 f3 a3 49 88 3a ac cd 356 f9 7e 4f d1 70 da 97 2e 72 79 28 e5 23 19 37 a9 cf 80 66 7e 15 357 b5 be 72 d5 12 ab ba c8 f3 c2 50 10 eb b2 c7 ba a1 34 e4 09 44 358 2d ee 9d 59 e5 dd 88 3f 47 f9 bb 07 3b 28 c1 59 dc 8f 6b 6f fa 359 73 78 2f 49 b9 1f 00 7e 1d 8c 00 8b 6b f6 78 62 09 e6 f2 dd ef 360 6e e6 22 12 d2 bc 3b b6 ff 23 89 79 12 83 11 8f 16 33 34 71 c1 361 4d 3b 0b 10 d7 07 d5 32 db 92 05 a7 b4 2b c7 ac 42 c6 30 56 79 362 d1 0a 09 66 ff af 0d 0a 71 cb a8 60 0d 30 17 a2 16 98 81 6d 30 363 66 f4 6c 6f a6 d4 be 37 93 09 e7 d1 38 a9 31 29 af 5d 2e fb b1 364 1f 06 aa 85 42 1c a9 28 57 e6 1c e9 28 c9 60 ce 25 1b 67 eb 1f 365 c9 fe c9 c4 db 72 d3 f6 9c 16 e6 d6 fa c5 e8 21 7a e3 d9 f5 ba 366 52 41 00 9a 0b 94 57 65 a6 dd 9c 28 49 77 8a a9 62 ae a6 f9 85 367 70 4b 60 0a 5a a4 03 05 b1 dd 27 f4 a2 e1 6e 24 f9 38 cd 8d ed 368 11 38 cb c4 a5 48 fd b2 08 51 9a 7d d0 6b e9 90 ff 0d 8c aa 5c 369 5f 9a e9 ea 35 6f 5d e7 a5 62 4d 5c a9 64 44 95 32 e1 a7 c7 a0 370 df e1 37 b1 70 11 4c d5 f5 11 98 71 18 d7 ee df cd 75 98 43 05 371 93 0e 12 26 89 26 90 f6 55 5b a1 f0 43 cf fa ff 2f f7 36 37 93 372 97 fd 65 9a 07 4e 4f c1 e0 d9 53 9f 8c c3 07 47 a9 c2 3c fa 09 373 0e 49 f1 17 70 e5 52 6f 8e cb 0c 2d 31 de 53 2d be 22 54 01 7c 374 35 6b b1 fd 9a c8 63 b6 db 9e 36 70 5f 3b 48 d7 dd 88 f2 8b 92 375 a5 08 2a e8 15 73 f6 91 0a 2f 6f a1 d6 ca ac 0e ef 5a 15 23 44 376 5b ce 23 11 52 84 7b 3b bc c8 47 ee 30 78 0d bf 46 6e b3 5a fc 377 d9 e0 31 b0 c1 5e 1c ea 34 13 4e 49 5f a6 cf 36 44 a5 dd 3b db 378 46 18 54 51 f9 8b 94 14 ef c9 f1 0a d5 55 a2 a0 de 25 f3 5f 7d 379 4a 6b 28 c4 a8 02 cd f2 68 f4 ed 62 f2 1e b5 9d d3 a4 99 f4 2d 380 3a 84 fe f1 2d a3 79 4c 61 ae 6a 77 34 71 ee 53 e0 b8 70 69 82 381 66 5c 08 00 7c e5 22 d0 78 e9 01 d3 9b 11 b5 8f 01 94 16 e6 0c 382 f6 e9 93 e9 4c cd 45 0a 6e e1 0f c7 f5 a6 92 46 c7 83 5f b0 92 383 11 82 16 b7 0e dc 83 13 66 8c d1 94 8e ea 29 69 b0 68 ef dd 6c 384 96 70 6e e5 b0 67 3d 38 c3 b2 59 5e 0b 7a 89 46 49 24 67 5c 74 385 4b da a5 85 19 9b 13 61 c4 27 be ad be 5e fa ed 4c ed 75 1c 17 386 e2 1e b8 fa 77 f7 8b 0b 48 4e cd 89 3d 1f 33 56 8b 73 d5 a6 75 387 b4 5b 4a c1 7b ec 31 f2 0e 389 {server} derive secret "tls13 c ap traffic": 391 PRK (32 octets): ef 19 6e 6f 5b 18 09 d4 96 19 c1 5d 61 97 a5 0f 392 4e 23 25 df be fa 72 18 08 17 a9 82 0e b3 1f 37 394 hash (32 octets): b1 a4 df 62 92 b9 0c 0f 03 58 a1 fd e1 39 90 b6 395 fe 1c 0c 6c 62 4d 26 b0 10 06 98 82 9f b5 82 35 397 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 398 61 66 66 69 63 20 b1 a4 df 62 92 b9 0c 0f 03 58 a1 fd e1 39 90 399 b6 fe 1c 0c 6c 62 4d 26 b0 10 06 98 82 9f b5 82 35 401 output (32 octets): 5e 5c 1f fe 68 ac e5 1e 41 18 4f 94 b3 2b ad 402 a9 23 ad 4c c5 97 aa 79 61 98 bb f6 51 5f 81 2d a6 404 {server} derive secret "tls13 s ap traffic": 406 PRK (32 octets): ef 19 6e 6f 5b 18 09 d4 96 19 c1 5d 61 97 a5 0f 407 4e 23 25 df be fa 72 18 08 17 a9 82 0e b3 1f 37 409 hash (32 octets): b1 a4 df 62 92 b9 0c 0f 03 58 a1 fd e1 39 90 b6 410 fe 1c 0c 6c 62 4d 26 b0 10 06 98 82 9f b5 82 35 412 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 413 61 66 66 69 63 20 b1 a4 df 62 92 b9 0c 0f 03 58 a1 fd e1 39 90 414 b6 fe 1c 0c 6c 62 4d 26 b0 10 06 98 82 9f b5 82 35 416 output (32 octets): 60 28 ef a6 f1 a1 60 f6 99 83 cc 71 fc 16 d2 417 58 af 39 bb ec 9f 49 20 b2 cc e9 17 df 46 df ea 84 419 {server} derive secret "tls13 exp master": 421 PRK (32 octets): ef 19 6e 6f 5b 18 09 d4 96 19 c1 5d 61 97 a5 0f 422 4e 23 25 df be fa 72 18 08 17 a9 82 0e b3 1f 37 424 hash (32 octets): b1 a4 df 62 92 b9 0c 0f 03 58 a1 fd e1 39 90 b6 425 fe 1c 0c 6c 62 4d 26 b0 10 06 98 82 9f b5 82 35 427 info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 428 74 65 72 20 b1 a4 df 62 92 b9 0c 0f 03 58 a1 fd e1 39 90 b6 fe 429 1c 0c 6c 62 4d 26 b0 10 06 98 82 9f b5 82 35 431 output (32 octets): ce d4 f0 d7 52 e8 7a 2a b4 12 e6 8b 87 e1 d3 432 a9 55 63 9b 8b 08 9a f1 05 6d 66 88 0a e8 6b 68 92 434 {server} derive write traffic keys for application data: 436 PRK (32 octets): 60 28 ef a6 f1 a1 60 f6 99 83 cc 71 fc 16 d2 58 437 af 39 bb ec 9f 49 20 b2 cc e9 17 df 46 df ea 84 439 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 441 key output (16 octets): 60 22 e5 dd af 3f 2f d9 db 39 92 3d 13 65 442 26 a5 444 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 446 iv output (12 octets): 93 4e 1e c5 0b 75 8e 6c 60 e6 86 aa 448 {server} derive read traffic keys for handshake data: 450 PRK (32 octets): a4 d4 cd ed fb 3c 07 d7 be 78 85 8c 0b 63 38 eb 451 48 02 f1 58 88 ad 14 c1 ef 56 20 74 35 84 06 04 453 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 455 key output (16 octets): d4 d7 6a f0 5a 04 e1 d3 2d 8a 1f 17 84 06 456 10 1f 458 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 460 iv output (12 octets): f1 8b 1f 02 a5 01 0c 4d 45 b1 81 d9 462 {client} extract secret "early": 464 salt: (absent) 466 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 467 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 469 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c 470 e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 472 {client} derive secret for handshake "tls13 derived": 474 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 475 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 477 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 478 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 480 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 481 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 482 64 9b 93 4c a4 95 99 1b 78 52 b8 55 484 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 485 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 487 {client} extract secret "handshake": 489 salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 490 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 492 ikm (32 octets): 0b c3 7c 6e 7c 83 66 38 4b ad d8 e9 00 57 b9 c2 493 39 21 3e 19 8e f3 95 aa 2d 69 0a ae 1b 4e 9a 44 495 secret (32 octets): ee ef ce 91 5d c4 8b 22 a7 ae 76 4a d2 82 ba 496 41 6f 97 fe 89 e5 d1 bc 89 5b 2d 91 62 35 aa a2 ae 498 {client} derive secret "tls13 c hs traffic" (same as server) 500 {client} derive secret "tls13 s hs traffic" (same as server) 502 {client} derive secret for master "tls13 derived" (same as server) 504 {client} extract secret "master" (same as server) 506 {client} derive read traffic keys for handshake data: 508 PRK (32 octets): ce 69 11 59 11 09 be 95 33 30 63 a9 fe e9 3a 3f 509 cc 32 bd 24 9c a0 6f 27 34 ad be 91 7c 02 06 ca 511 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 513 key output (16 octets): 33 0f a2 49 0d 3c a4 eb 83 48 8e 36 f9 e8 514 fd 58 516 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 518 iv output (12 octets): 4a 86 a3 a1 e8 c7 cc 6c 37 7d fe 1a 520 {client} calculate finished "tls13 finished" (same as server) 522 {client} derive secret "tls13 c ap traffic" (same as server) 524 {client} derive secret "tls13 s ap traffic" (same as server) 526 {client} derive secret "tls13 exp master" (same as server) 527 {client} derive write traffic keys for handshake data (same as 528 server read traffic keys) 530 {client} derive read traffic keys for application data (same as 531 server write traffic keys) 533 {client} calculate finished "tls13 finished": 535 PRK (32 octets): a4 d4 cd ed fb 3c 07 d7 be 78 85 8c 0b 63 38 eb 536 48 02 f1 58 88 ad 14 c1 ef 56 20 74 35 84 06 04 538 hash (0 octets): (empty) 540 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 541 64 00 543 output (32 octets): ca 71 d4 6a cd 46 bd 20 90 b3 c6 c4 f2 39 2e 544 e2 13 4c e0 bf 7b 7d ed 78 24 e3 aa b9 4c 5a 7c 4b 546 {client} send a Finished handshake message 548 {client} send handshake record: 550 payload (36 octets): 14 00 00 20 de cc f6 f8 1b 07 0d d0 0e 02 78 551 8e 04 90 94 7a 37 61 89 4c ab 21 c2 9c 4b 16 eb 3d 91 13 e4 e4 553 ciphertext (58 octets): 17 03 03 00 35 72 67 bb b3 57 e3 66 8a fe 554 88 38 71 31 40 7b e5 12 93 53 01 51 df 34 30 e0 32 b4 7a bd 24 555 87 47 42 fa 75 0d a1 84 ed 7b 5f 1c 81 39 fc 2f 14 d2 c8 55 81 556 7c e2 558 {client} derive write traffic keys for application data: 560 PRK (32 octets): 5e 5c 1f fe 68 ac e5 1e 41 18 4f 94 b3 2b ad a9 561 23 ad 4c c5 97 aa 79 61 98 bb f6 51 5f 81 2d a6 563 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 565 key output (16 octets): b3 84 bc a1 b8 df e4 3c 76 37 84 65 0f 70 566 e2 70 568 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 570 iv output (12 octets): 87 b1 c1 a2 d5 f8 4a e7 74 b4 51 34 572 {client} derive secret "tls13 res master": 574 PRK (32 octets): ef 19 6e 6f 5b 18 09 d4 96 19 c1 5d 61 97 a5 0f 575 4e 23 25 df be fa 72 18 08 17 a9 82 0e b3 1f 37 577 hash (32 octets): 94 4b a6 82 91 6b e1 4d 32 da d5 f8 99 79 83 2f 578 6d d5 0e 47 31 15 0e 3e 86 56 39 37 3b ac 83 f7 580 info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 581 74 65 72 20 94 4b a6 82 91 6b e1 4d 32 da d5 f8 99 79 83 2f 6d 582 d5 0e 47 31 15 0e 3e 86 56 39 37 3b ac 83 f7 584 output (32 octets): 49 d5 94 20 40 47 00 a8 e2 ee 7a cf 46 82 87 585 54 4f e6 01 b2 31 97 a0 e1 63 5a 47 4a d6 53 6d 74 587 {server} calculate finished "tls13 finished" (same as client) 589 {server} derive read traffic keys for application data (same as 590 client write traffic keys) 592 {server} derive secret "tls13 res master" (same as client) 594 {server} generate resumption secret "tls13 resumption": 596 PRK (32 octets): 49 d5 94 20 40 47 00 a8 e2 ee 7a cf 46 82 87 54 597 4f e6 01 b2 31 97 a0 e1 63 5a 47 4a d6 53 6d 74 599 hash (2 octets): 00 00 601 info (22 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 75 6d 70 74 602 69 6f 6e 02 00 00 604 output (32 octets): 46 3a 87 db 89 89 ca 34 e2 ab 45 92 9d b5 45 605 89 40 23 a8 3d 13 9b f5 68 34 17 13 19 87 47 ae 86 607 {server} send a NewSessionTicket handshake message 609 {server} send handshake record: 611 payload (205 octets): 04 00 00 c9 00 00 00 1e f4 34 71 a2 02 00 612 00 00 b2 0f 63 7d a7 09 04 33 70 d0 60 00 06 00 00 00 00 2d fe 613 b5 7a a8 7b 9c f1 76 0a 8a b4 91 d4 fb 0f 00 70 3d 7a 42 b6 a9 614 87 ef d2 4a fb bd 2b c6 06 9d c9 03 d4 c2 d3 f0 4f dd 3d 8e 95 615 97 0a 7b 78 aa 2c e8 28 75 72 4f 8a 82 75 d1 65 e7 7b e4 7d 59 616 0e aa ab fa 5f 4c 2d f0 46 71 a0 44 d8 4c f5 cc da c5 88 7d 6b 617 e7 fe 2e 52 80 d7 a5 0f 23 fc 9c d4 a5 43 01 9e 41 94 63 c4 ee 618 29 8f d3 2c 01 93 34 b7 ab bb 78 d4 f2 a1 cf 4e 0f e1 60 aa 72 619 86 19 3f da 28 8c 97 d5 ba 39 75 5f 25 b7 a4 a8 f0 63 01 24 88 620 3d 2c 66 78 78 75 d6 7a 0f 6e b0 ba 71 00 08 00 2a 00 04 00 00 621 04 00 623 ciphertext (227 octets): 17 03 03 00 de 64 1b 9e 9f fc 8e 0b 0c 624 3f fb c6 46 44 34 fb 66 8c a2 63 e3 9f 89 7c 0c 55 06 45 49 40 625 0b 3b 29 3a 1c 03 44 31 e9 f9 85 ab c8 40 0b e5 fd 4f 99 29 0f 626 13 7b eb 4b a2 46 df a7 87 e4 5c 02 3a de b5 5b e2 f9 a8 42 09 627 90 f5 2a ac 47 ef e9 7e dd 85 32 d1 14 0a d0 b1 b5 47 96 13 10 628 3c ed 0e 14 ad b1 16 ae f6 74 fd 86 64 9d ec a8 8f 84 3a 23 ab 629 5f 3d e4 77 6b aa a3 da 74 36 4a 21 03 e3 46 ed 89 58 98 ed a4 630 b7 10 b7 43 c9 1f 1f 53 71 e3 16 00 c1 3c 40 57 7a 2b ab 9c f1 631 33 86 ff 41 4d 2e b8 b6 df 95 d3 a8 48 cc 8f 4f 48 18 3e 05 b8 632 f1 5a 05 0f c5 92 52 6c ab 9a d2 96 80 b5 a3 9d 53 06 26 a9 95 633 ca 0d 62 73 ff 7e 67 44 3d c1 f4 59 dc 47 11 30 d3 20 0a d6 e2 634 5d b4 48 03 636 {client} generate resumption secret "tls13 resumption" (same as 637 server) 639 {client} send application_data record: 641 payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 642 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 643 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 645 ciphertext (72 octets): 17 03 03 00 43 97 fc be 0b 4f 37 48 da 56 646 92 ac fb d1 19 0f a7 b1 8b 10 5a 62 63 f4 79 a3 f2 6b ba 2f 31 647 64 c6 fd 24 d5 6f d8 69 8e 4a d0 27 7f 2b 32 c7 d5 84 41 33 5f 648 35 0b 45 5c d6 8c 28 aa 71 fb 58 cb 86 cf 73 4a 650 {server} send application_data record: 652 payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 653 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 654 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 656 ciphertext (72 octets): 17 03 03 00 43 46 1a 15 62 a3 41 d6 17 9b 657 c8 c6 26 2c 33 2b 18 70 9e 1d c8 10 98 6e 54 6c aa 34 07 a2 c6 658 c9 38 3d 52 40 21 5a a5 88 9f ba ed 1b b8 f0 40 b0 6c 82 74 fb 659 bd 41 0c b1 54 63 2b 86 a3 06 1d f5 5f 7a fa af 661 {client} send alert record: 663 payload (2 octets): 01 00 665 ciphertext (24 octets): 17 03 03 00 13 42 db 77 cb a0 54 50 26 af 666 81 7f 90 9e 65 3d 50 90 3e 65 668 {server} send alert record: 670 payload (2 octets): 01 00 671 ciphertext (24 octets): 17 03 03 00 13 70 bf 8b d2 98 53 2f 13 91 672 ca a6 e6 0f 83 e0 b5 1d 79 4a 674 4. Resumed 0-RTT Handshake 676 This handshake resumes from the handshake in Section 3. Since the 677 server provided a session ticket that permitted 0-RTT, and the client 678 is configured for 0-RTT, the client is able to send 0-RTT data. 680 {client} create an ephemeral x25519 key pair: 682 private key (32 octets): c8 c8 db ad 72 04 fb fe ed 20 ab 24 44 683 6a 9c 07 4d b3 5a 4b 07 ec f1 cc 9d 88 70 e8 fd 2e 1d d6 685 public key (32 octets): a2 e0 04 93 2f 3c d0 b3 c6 a2 9a de 11 8b 686 46 7c 69 55 a6 c3 6a 1d 44 27 38 60 59 b2 26 f5 0c 0f 688 {client} extract secret "early": 690 salt: (absent) 692 ikm (32 octets): 46 3a 87 db 89 89 ca 34 e2 ab 45 92 9d b5 45 89 693 40 23 a8 3d 13 9b f5 68 34 17 13 19 87 47 ae 86 695 secret (32 octets): 2f 7b c4 a7 4b c7 88 49 cc ff cc 43 29 c0 11 696 8e 83 09 71 cd 45 63 6b 0b 4b a4 57 dc e6 a9 6e dd 698 {client} send a ClientHello handshake message 700 {client} calculate finished "tls13 finished": 702 PRK (32 octets): e1 6f 14 f0 eb 94 d9 54 e0 f6 24 5d 7d 0e d0 e8 703 53 9f 66 38 28 10 6f 17 30 1c f5 de b2 06 a5 50 705 hash (0 octets): (empty) 707 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 708 64 00 710 output (32 octets): 68 08 1e cc c0 ef 70 30 ad dc 42 3a f3 95 c4 711 61 5c 83 67 4f 7d 0d 98 08 69 05 c5 2d a5 bf 66 4e 713 {client} send handshake record: 715 payload (512 octets): 01 00 01 fc 03 03 eb ef 0b 92 25 8b ec d1 716 07 3d cf f0 bb a7 da ad c7 b4 e8 14 df dd 1b 77 4b 0d 43 53 95 717 2b c4 2b 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00 718 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 719 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00 720 26 00 24 00 1d 00 20 a2 e0 04 93 2f 3c d0 b3 c6 a2 9a de 11 8b 721 46 7c 69 55 a6 c3 6a 1d 44 27 38 60 59 b2 26 f5 0c 0f 00 2a 00 722 00 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 723 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 724 02 02 00 2d 00 02 01 01 00 15 00 5d 00 00 00 00 00 00 00 00 00 725 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 726 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 727 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 728 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 729 00 29 00 dd 00 b8 00 b2 0f 63 7d a7 09 04 33 70 d0 60 00 06 00 730 00 00 00 2d fe b5 7a a8 7b 9c f1 76 0a 8a b4 91 d4 fb 0f 00 70 731 3d 7a 42 b6 a9 87 ef d2 4a fb bd 2b c6 06 9d c9 03 d4 c2 d3 f0 732 4f dd 3d 8e 95 97 0a 7b 78 aa 2c e8 28 75 72 4f 8a 82 75 d1 65 733 e7 7b e4 7d 59 0e aa ab fa 5f 4c 2d f0 46 71 a0 44 d8 4c f5 cc 734 da c5 88 7d 6b e7 fe 2e 52 80 d7 a5 0f 23 fc 9c d4 a5 43 01 9e 735 41 94 63 c4 ee 29 8f d3 2c 01 93 34 b7 ab bb 78 d4 f2 a1 cf 4e 736 0f e1 60 aa 72 86 19 3f da 28 8c 97 d5 ba 39 75 5f 25 b7 a4 a8 737 f0 63 01 24 88 3d 2c 66 78 78 75 d6 7a 0f 6e b0 ba 71 f4 34 71 738 a5 00 21 20 b1 da ce 1d 97 d7 ff bf 46 1d f9 4d ec 70 f1 30 08 739 f9 13 4b 9c c0 40 88 d9 6d 93 cf 73 18 5b d8 741 ciphertext (517 octets): 16 03 01 02 00 01 00 01 fc 03 03 eb ef 742 0b 92 25 8b ec d1 07 3d cf f0 bb a7 da ad c7 b4 e8 14 df dd 1b 743 77 4b 0d 43 53 95 2b c4 2b 00 00 06 13 01 13 03 13 02 01 00 01 744 cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 745 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 746 03 01 04 00 33 00 26 00 24 00 1d 00 20 a2 e0 04 93 2f 3c d0 b3 747 c6 a2 9a de 11 8b 46 7c 69 55 a6 c3 6a 1d 44 27 38 60 59 b2 26 748 f5 0c 0f 00 2a 00 00 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 749 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 750 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 15 00 5d 00 00 00 751 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 752 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 753 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 754 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 755 00 00 00 00 00 00 00 29 00 dd 00 b8 00 b2 0f 63 7d a7 09 04 33 756 70 d0 60 00 06 00 00 00 00 2d fe b5 7a a8 7b 9c f1 76 0a 8a b4 757 91 d4 fb 0f 00 70 3d 7a 42 b6 a9 87 ef d2 4a fb bd 2b c6 06 9d 758 c9 03 d4 c2 d3 f0 4f dd 3d 8e 95 97 0a 7b 78 aa 2c e8 28 75 72 759 4f 8a 82 75 d1 65 e7 7b e4 7d 59 0e aa ab fa 5f 4c 2d f0 46 71 760 a0 44 d8 4c f5 cc da c5 88 7d 6b e7 fe 2e 52 80 d7 a5 0f 23 fc 761 9c d4 a5 43 01 9e 41 94 63 c4 ee 29 8f d3 2c 01 93 34 b7 ab bb 762 78 d4 f2 a1 cf 4e 0f e1 60 aa 72 86 19 3f da 28 8c 97 d5 ba 39 763 75 5f 25 b7 a4 a8 f0 63 01 24 88 3d 2c 66 78 78 75 d6 7a 0f 6e 764 b0 ba 71 f4 34 71 a5 00 21 20 b1 da ce 1d 97 d7 ff bf 46 1d f9 765 4d ec 70 f1 30 08 f9 13 4b 9c c0 40 88 d9 6d 93 cf 73 18 5b d8 767 {client} derive secret "tls13 c e traffic": 769 PRK (32 octets): 2f 7b c4 a7 4b c7 88 49 cc ff cc 43 29 c0 11 8e 770 83 09 71 cd 45 63 6b 0b 4b a4 57 dc e6 a9 6e dd 772 hash (32 octets): 8a ec fe eb b4 23 6e fd 8b 78 bb 3f f1 c7 af e0 773 87 2b fb b2 60 0f 04 69 ed 58 6f 23 39 7a e0 2d 775 info (53 octets): 00 20 11 74 6c 73 31 33 20 63 20 65 20 74 72 61 776 66 66 69 63 20 8a ec fe eb b4 23 6e fd 8b 78 bb 3f f1 c7 af e0 777 87 2b fb b2 60 0f 04 69 ed 58 6f 23 39 7a e0 2d 779 output (32 octets): 6c 59 9c 07 27 75 ad e3 57 01 58 17 a2 f1 cf 780 4f 3b ed 5e 44 7b a6 1c 75 1a 3a 45 f5 76 a5 bf 75 782 {client} derive secret "tls13 e exp master": 784 PRK (32 octets): 2f 7b c4 a7 4b c7 88 49 cc ff cc 43 29 c0 11 8e 785 83 09 71 cd 45 63 6b 0b 4b a4 57 dc e6 a9 6e dd 787 hash (32 octets): 8a ec fe eb b4 23 6e fd 8b 78 bb 3f f1 c7 af e0 788 87 2b fb b2 60 0f 04 69 ed 58 6f 23 39 7a e0 2d 790 info (54 octets): 00 20 12 74 6c 73 31 33 20 65 20 65 78 70 20 6d 791 61 73 74 65 72 20 8a ec fe eb b4 23 6e fd 8b 78 bb 3f f1 c7 af 792 e0 87 2b fb b2 60 0f 04 69 ed 58 6f 23 39 7a e0 2d 794 output (32 octets): a8 fd 17 f5 b4 63 f3 82 fa 6c 36 e4 72 51 41 795 55 d6 c1 df 3b 20 43 31 4c 9c 15 6c 36 b1 c2 7b d3 797 {client} derive write traffic keys for early application data: 799 PRK (32 octets): 6c 59 9c 07 27 75 ad e3 57 01 58 17 a2 f1 cf 4f 800 3b ed 5e 44 7b a6 1c 75 1a 3a 45 f5 76 a5 bf 75 802 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 804 key output (16 octets): 62 9d 26 ba f5 21 45 c0 4f 7d 23 dc 78 c3 805 55 49 807 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 809 iv output (12 octets): d7 a4 2a a7 a5 00 ef fb e7 dc 61 89 811 {client} send application_data record: 813 payload (6 octets): 41 42 43 44 45 46 814 ciphertext (28 octets): 17 03 03 00 17 cd 4e a6 16 28 3d 3e a5 ad 815 af 68 9b a4 12 e1 a2 31 05 d3 83 0f 11 85 817 {server} extract secret "early" (same as client) 819 {server} calculate finished "tls13 finished" (same as client) 821 {server} create an ephemeral x25519 key pair: 823 private key (32 octets): 00 a9 a0 a6 d0 03 a5 a8 48 b0 ec c7 99 824 93 b6 a7 f4 c7 b2 3d 52 28 7f 34 61 a0 af 7e e0 53 0e c2 826 public key (32 octets): 6f e0 56 e9 fe b7 db 5f 5c fa 38 66 89 ce 827 ef 6a 11 9c e9 8b ae 4f 42 df 95 d4 e0 57 37 46 21 30 829 {server} derive secret "tls13 c e traffic" (same as client) 831 {server} derive secret "tls13 e exp master" (same as client) 833 {server} send a ServerHello handshake message 835 {server} derive secret for handshake "tls13 derived": 837 PRK (32 octets): 2f 7b c4 a7 4b c7 88 49 cc ff cc 43 29 c0 11 8e 838 83 09 71 cd 45 63 6b 0b 4b a4 57 dc e6 a9 6e dd 840 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 841 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 843 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 844 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 845 64 9b 93 4c a4 95 99 1b 78 52 b8 55 847 output (32 octets): d3 ea 7b 5e e5 70 5c 9a 63 2c c2 18 a9 c0 54 848 db 19 26 a5 37 7d f1 a6 2a 60 1f 17 55 5e 27 9b bf 850 {server} extract secret "handshake": 852 salt (32 octets): d3 ea 7b 5e e5 70 5c 9a 63 2c c2 18 a9 c0 54 db 853 19 26 a5 37 7d f1 a6 2a 60 1f 17 55 5e 27 9b bf 855 ikm (32 octets): 40 29 ba 3a 16 b8 7f 62 16 d5 a1 3b d2 72 6b 3e 856 46 ff f7 44 ee b0 9d 4f 2e df fa 22 aa 3b e8 57 858 secret (32 octets): de 91 a0 54 86 16 ed 5a 59 fd 0d ad d5 d1 87 859 fc f6 de e8 67 71 78 28 fa 52 9f 16 34 b2 8c e6 10 861 {server} derive secret "tls13 c hs traffic": 863 PRK (32 octets): de 91 a0 54 86 16 ed 5a 59 fd 0d ad d5 d1 87 fc 864 f6 de e8 67 71 78 28 fa 52 9f 16 34 b2 8c e6 10 866 hash (32 octets): ea a7 3e 93 3e c9 cf a6 f6 78 92 1e e8 3f 23 0c 867 0d 0b 71 94 a0 f6 2b be 66 19 65 a7 1d f3 df 8e 869 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 870 61 66 66 69 63 20 ea a7 3e 93 3e c9 cf a6 f6 78 92 1e e8 3f 23 871 0c 0d 0b 71 94 a0 f6 2b be 66 19 65 a7 1d f3 df 8e 873 output (32 octets): ab 97 16 88 85 72 36 8f 24 6c d9 87 3e 59 4e 874 9e 8c 58 a9 03 9d 4b b0 86 82 ff 61 05 4b 27 48 8b 876 {server} derive secret "tls13 s hs traffic": 878 PRK (32 octets): de 91 a0 54 86 16 ed 5a 59 fd 0d ad d5 d1 87 fc 879 f6 de e8 67 71 78 28 fa 52 9f 16 34 b2 8c e6 10 881 hash (32 octets): ea a7 3e 93 3e c9 cf a6 f6 78 92 1e e8 3f 23 0c 882 0d 0b 71 94 a0 f6 2b be 66 19 65 a7 1d f3 df 8e 884 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 885 61 66 66 69 63 20 ea a7 3e 93 3e c9 cf a6 f6 78 92 1e e8 3f 23 886 0c 0d 0b 71 94 a0 f6 2b be 66 19 65 a7 1d f3 df 8e 888 output (32 octets): d0 48 f1 02 d3 4c 27 a8 e1 19 24 c9 7c ff cb 889 b1 81 4e 38 fa ce 72 98 8f c0 9d ee 5f b3 41 82 c6 891 {server} derive secret for master "tls13 derived": 893 PRK (32 octets): de 91 a0 54 86 16 ed 5a 59 fd 0d ad d5 d1 87 fc 894 f6 de e8 67 71 78 28 fa 52 9f 16 34 b2 8c e6 10 896 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 897 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 899 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 900 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 901 64 9b 93 4c a4 95 99 1b 78 52 b8 55 903 output (32 octets): 57 7e 06 13 10 df 25 c2 6c e4 30 a1 e3 64 79 904 8b e1 0d f9 99 c6 a8 79 46 33 ac 1d de 56 6b c6 5d 906 {server} extract secret "master": 908 salt (32 octets): 57 7e 06 13 10 df 25 c2 6c e4 30 a1 e3 64 79 8b 909 e1 0d f9 99 c6 a8 79 46 33 ac 1d de 56 6b c6 5d 911 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 912 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 914 secret (32 octets): ea 7a 47 05 8d 09 bb 7b e7 92 82 6c ef 8e 22 915 ed 8f 40 94 01 9d c5 ca a9 1f 02 07 80 5f c0 3b 1c 917 {server} send handshake record: 919 payload (96 octets): 02 00 00 5c 03 03 82 21 ab 7c ed 15 82 80 e4 920 e3 35 09 f8 69 4f 69 3b 54 1a 73 00 04 8f df 31 3b 2b f5 cb a1 921 3c 19 00 13 01 00 00 34 00 29 00 02 00 00 00 33 00 24 00 1d 00 922 20 6f e0 56 e9 fe b7 db 5f 5c fa 38 66 89 ce ef 6a 11 9c e9 8b 923 ae 4f 42 df 95 d4 e0 57 37 46 21 30 00 2b 00 02 7f 1c 925 ciphertext (101 octets): 16 03 03 00 60 02 00 00 5c 03 03 82 21 926 ab 7c ed 15 82 80 e4 e3 35 09 f8 69 4f 69 3b 54 1a 73 00 04 8f 927 df 31 3b 2b f5 cb a1 3c 19 00 13 01 00 00 34 00 29 00 02 00 00 928 00 33 00 24 00 1d 00 20 6f e0 56 e9 fe b7 db 5f 5c fa 38 66 89 929 ce ef 6a 11 9c e9 8b ae 4f 42 df 95 d4 e0 57 37 46 21 30 00 2b 930 00 02 7f 1c 932 {server} derive write traffic keys for handshake data: 934 PRK (32 octets): d0 48 f1 02 d3 4c 27 a8 e1 19 24 c9 7c ff cb b1 935 81 4e 38 fa ce 72 98 8f c0 9d ee 5f b3 41 82 c6 937 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 939 key output (16 octets): 5f 3c 74 07 8c 9b 69 ca 92 fb 9e d0 b5 24 940 a0 4e 942 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 944 iv output (12 octets): c1 4a 56 2a c5 4c 08 90 4e 4c cf e1 946 {server} send a EncryptedExtensions handshake message 948 {server} calculate finished "tls13 finished": 950 PRK (32 octets): d0 48 f1 02 d3 4c 27 a8 e1 19 24 c9 7c ff cb b1 951 81 4e 38 fa ce 72 98 8f c0 9d ee 5f b3 41 82 c6 953 hash (0 octets): (empty) 955 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 956 64 00 958 output (32 octets): 33 15 23 2e 79 6a 55 ab ac 23 c5 b2 6e 24 3c 959 f6 b8 3f e5 31 63 b1 ac 10 fb 0b ec 79 9b 39 84 33 961 {server} send a Finished handshake message 963 {server} send handshake record: 965 payload (74 octets): 08 00 00 22 00 20 00 0a 00 14 00 12 00 1d 00 966 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 00 2a 967 00 00 14 00 00 20 bb 25 a6 22 90 1d 44 5c 31 98 e8 ba fd 3a cf 968 b3 bd 16 65 9f e5 6a c0 3c 50 55 5e 27 58 05 ae 7a 970 ciphertext (96 octets): 17 03 03 00 5b 0e 44 3c f1 1f 00 5f 95 22 971 65 d5 20 87 9e 13 f3 f9 b5 bf 91 f0 3d a2 84 c1 9d 8a 7e fb 1e 972 e9 8e f5 ec 1f 5b af 98 3d 8a 94 5f 0c 3b 56 34 c2 39 3c 67 fd 973 18 d4 aa cf 69 c9 16 03 37 4f 8c da c3 a6 e4 9f 18 08 8f 48 38 974 ba 22 f5 30 41 00 31 7b ff be 74 9b 1f c6 b0 27 ed 80 14 976 {server} derive secret "tls13 c ap traffic": 978 PRK (32 octets): ea 7a 47 05 8d 09 bb 7b e7 92 82 6c ef 8e 22 ed 979 8f 40 94 01 9d c5 ca a9 1f 02 07 80 5f c0 3b 1c 981 hash (32 octets): 90 3c e9 7a ed b6 cd 73 55 8c 25 17 44 db c7 bb 982 4c c8 f5 2b 92 d0 0b 44 e8 34 34 ce 7a 81 ec 60 984 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 985 61 66 66 69 63 20 90 3c e9 7a ed b6 cd 73 55 8c 25 17 44 db c7 986 bb 4c c8 f5 2b 92 d0 0b 44 e8 34 34 ce 7a 81 ec 60 988 output (32 octets): 2f d1 64 22 0e 74 ba e8 93 70 20 38 bb 73 c6 989 72 4c 92 64 bb ad 2b 7b 72 37 e3 40 29 e0 c3 69 4b 991 {server} derive secret "tls13 s ap traffic": 993 PRK (32 octets): ea 7a 47 05 8d 09 bb 7b e7 92 82 6c ef 8e 22 ed 994 8f 40 94 01 9d c5 ca a9 1f 02 07 80 5f c0 3b 1c 996 hash (32 octets): 90 3c e9 7a ed b6 cd 73 55 8c 25 17 44 db c7 bb 997 4c c8 f5 2b 92 d0 0b 44 e8 34 34 ce 7a 81 ec 60 999 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 1000 61 66 66 69 63 20 90 3c e9 7a ed b6 cd 73 55 8c 25 17 44 db c7 1001 bb 4c c8 f5 2b 92 d0 0b 44 e8 34 34 ce 7a 81 ec 60 1003 output (32 octets): b7 a6 20 bf bc 35 b7 1e 98 d8 40 14 02 6d e1 1004 13 f2 0e ae 01 8b 56 75 04 8f 88 c2 f8 b1 37 b0 f7 1006 {server} derive secret "tls13 exp master": 1008 PRK (32 octets): ea 7a 47 05 8d 09 bb 7b e7 92 82 6c ef 8e 22 ed 1009 8f 40 94 01 9d c5 ca a9 1f 02 07 80 5f c0 3b 1c 1011 hash (32 octets): 90 3c e9 7a ed b6 cd 73 55 8c 25 17 44 db c7 bb 1012 4c c8 f5 2b 92 d0 0b 44 e8 34 34 ce 7a 81 ec 60 1014 info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 1015 74 65 72 20 90 3c e9 7a ed b6 cd 73 55 8c 25 17 44 db c7 bb 4c 1016 c8 f5 2b 92 d0 0b 44 e8 34 34 ce 7a 81 ec 60 1018 output (32 octets): 1a 13 62 f1 9a 22 1e 14 9a 38 62 de 2a fc 46 1019 42 b5 7c aa 3b 0a 50 90 b3 f6 e3 ea 01 47 09 69 bc 1021 {server} derive write traffic keys for application data: 1023 PRK (32 octets): b7 a6 20 bf bc 35 b7 1e 98 d8 40 14 02 6d e1 13 1024 f2 0e ae 01 8b 56 75 04 8f 88 c2 f8 b1 37 b0 f7 1026 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1028 key output (16 octets): 13 d9 5b 20 9e 16 d7 10 96 cf 53 55 e4 8a 1029 11 7e 1031 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1033 iv output (12 octets): 5b f1 cd 5c f6 f8 78 61 86 21 8a 83 1035 {server} derive read traffic keys for early application data (same 1036 as client write traffic keys) 1038 {client} derive secret for handshake "tls13 derived": 1040 PRK (32 octets): 2f 7b c4 a7 4b c7 88 49 cc ff cc 43 29 c0 11 8e 1041 83 09 71 cd 45 63 6b 0b 4b a4 57 dc e6 a9 6e dd 1043 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 1044 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1046 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 1047 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 1048 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1050 output (32 octets): d3 ea 7b 5e e5 70 5c 9a 63 2c c2 18 a9 c0 54 1051 db 19 26 a5 37 7d f1 a6 2a 60 1f 17 55 5e 27 9b bf 1053 {client} extract secret "handshake": 1055 salt (32 octets): d3 ea 7b 5e e5 70 5c 9a 63 2c c2 18 a9 c0 54 db 1056 19 26 a5 37 7d f1 a6 2a 60 1f 17 55 5e 27 9b bf 1058 ikm (32 octets): 40 29 ba 3a 16 b8 7f 62 16 d5 a1 3b d2 72 6b 3e 1059 46 ff f7 44 ee b0 9d 4f 2e df fa 22 aa 3b e8 57 1061 secret (32 octets): de 91 a0 54 86 16 ed 5a 59 fd 0d ad d5 d1 87 1062 fc f6 de e8 67 71 78 28 fa 52 9f 16 34 b2 8c e6 10 1064 {client} derive secret "tls13 c hs traffic" (same as server) 1066 {client} derive secret "tls13 s hs traffic" (same as server) 1068 {client} derive secret for master "tls13 derived" (same as server) 1070 {client} extract secret "master" (same as server) 1072 {client} derive read traffic keys for handshake data: 1074 PRK (32 octets): d0 48 f1 02 d3 4c 27 a8 e1 19 24 c9 7c ff cb b1 1075 81 4e 38 fa ce 72 98 8f c0 9d ee 5f b3 41 82 c6 1077 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1079 key output (16 octets): 5f 3c 74 07 8c 9b 69 ca 92 fb 9e d0 b5 24 1080 a0 4e 1082 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1084 iv output (12 octets): c1 4a 56 2a c5 4c 08 90 4e 4c cf e1 1086 {client} calculate finished "tls13 finished" (same as server) 1088 {client} derive secret "tls13 c ap traffic" (same as server) 1090 {client} derive secret "tls13 s ap traffic" (same as server) 1092 {client} derive secret "tls13 exp master" (same as server) 1094 {client} send a EndOfEarlyData handshake message 1096 {client} send handshake record: 1098 payload (4 octets): 05 00 00 00 1100 ciphertext (26 octets): 17 03 03 00 15 7e aa 3c de 68 e7 2f f7 65 1101 c1 ee 52 0e 19 94 4f 21 52 dd 19 2f 1103 {client} derive write traffic keys for handshake data: 1105 PRK (32 octets): ab 97 16 88 85 72 36 8f 24 6c d9 87 3e 59 4e 9e 1106 8c 58 a9 03 9d 4b b0 86 82 ff 61 05 4b 27 48 8b 1108 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1110 key output (16 octets): 71 bc 0c 4d c2 b7 d6 8a 2c ac 6e d6 f5 c2 1111 81 50 1113 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1115 iv output (12 octets): 1b b0 fc f0 a3 03 5e e7 87 dc 3e 62 1117 {client} derive read traffic keys for application data (same as 1118 server write traffic keys) 1120 {client} calculate finished "tls13 finished": 1122 PRK (32 octets): ab 97 16 88 85 72 36 8f 24 6c d9 87 3e 59 4e 9e 1123 8c 58 a9 03 9d 4b b0 86 82 ff 61 05 4b 27 48 8b 1125 hash (0 octets): (empty) 1127 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 1128 64 00 1130 output (32 octets): 97 d3 03 31 b4 2e 62 1c 6a 37 2f d5 48 c2 1e 1131 bc 6c f3 c6 09 05 d3 41 9a 60 ac 51 d0 02 73 66 8e 1133 {client} send a Finished handshake message 1135 {client} send handshake record: 1137 payload (36 octets): 14 00 00 20 f4 08 6f f0 ce c8 b2 d0 17 a2 c7 1138 17 8c 5a 67 55 c8 2c 24 81 d6 74 70 7f 39 02 6c 8e e9 de c0 7e 1140 ciphertext (58 octets): 17 03 03 00 35 c8 bc f9 ae e6 c2 2a b9 74 1141 99 f2 91 de f9 31 39 40 8a db d2 01 27 29 9b fc cb 55 c2 5d 7d 1142 f3 c2 25 f9 60 f9 63 49 1a c8 84 0f cb eb 78 2f 06 50 c7 ae 89 1143 76 0b 1145 {client} derive write traffic keys for application data: 1147 PRK (32 octets): 2f d1 64 22 0e 74 ba e8 93 70 20 38 bb 73 c6 72 1148 4c 92 64 bb ad 2b 7b 72 37 e3 40 29 e0 c3 69 4b 1150 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1151 key output (16 octets): 9d 33 13 5f 96 74 2a ef 1e a5 c0 9f a5 9c 1152 6a 0c 1154 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1156 iv output (12 octets): 71 12 64 6d a3 ba a6 31 70 ca 75 26 1158 {client} derive secret "tls13 res master": 1160 PRK (32 octets): ea 7a 47 05 8d 09 bb 7b e7 92 82 6c ef 8e 22 ed 1161 8f 40 94 01 9d c5 ca a9 1f 02 07 80 5f c0 3b 1c 1163 hash (32 octets): 9f d1 b0 84 01 46 d6 24 97 08 30 e0 91 ae 31 7a 1164 d1 0a ae 86 cc 04 70 f8 98 87 86 2f 53 e6 6e e2 1166 info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 1167 74 65 72 20 9f d1 b0 84 01 46 d6 24 97 08 30 e0 91 ae 31 7a d1 1168 0a ae 86 cc 04 70 f8 98 87 86 2f 53 e6 6e e2 1170 output (32 octets): 4e ee b9 39 b9 63 8f a3 5a d7 57 84 97 13 35 1171 9a 47 a3 bc 64 4e 72 26 5c a6 f6 4d 37 52 90 d1 73 1173 {server} derive read traffic keys for handshake data: 1175 PRK (32 octets): ab 97 16 88 85 72 36 8f 24 6c d9 87 3e 59 4e 9e 1176 8c 58 a9 03 9d 4b b0 86 82 ff 61 05 4b 27 48 8b 1178 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1180 key output (16 octets): 71 bc 0c 4d c2 b7 d6 8a 2c ac 6e d6 f5 c2 1181 81 50 1183 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1185 iv output (12 octets): 1b b0 fc f0 a3 03 5e e7 87 dc 3e 62 1187 {server} calculate finished "tls13 finished" (same as client) 1189 {server} derive read traffic keys for application data (same as 1190 client write traffic keys) 1192 {server} derive secret "tls13 res master" (same as client) 1194 {client} send application_data record: 1196 payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 1197 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 1198 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 1200 ciphertext (72 octets): 17 03 03 00 43 2d db e2 e3 33 68 96 b5 df 1201 2c f5 d3 7c f3 50 ba 01 61 52 4f 57 4d 89 44 0c 67 63 9f fc b4 1202 2f a8 1e 0a b1 8f 3c 48 0e 35 d6 36 1c 66 39 58 71 7f 03 52 83 1203 5e 8e 3a a8 40 39 48 a5 d6 e6 20 38 70 e6 a3 c7 1205 {server} send application_data record: 1207 payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 1208 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 1209 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 1211 ciphertext (72 octets): 17 03 03 00 43 09 f1 68 49 32 61 0e 09 17 1212 f6 34 37 02 c6 82 d2 5d 03 ee ac 0c e3 dd 1e 87 32 3c 25 ef e9 1213 b3 68 ad 9f c7 0c 00 49 5c 38 f6 14 d5 01 ae b6 6a 2a 47 c6 c9 1214 06 d8 b0 32 67 32 1b 7d 6b 32 82 01 be 0b c0 6a 1216 {client} send alert record: 1218 payload (2 octets): 01 00 1220 ciphertext (24 octets): 17 03 03 00 13 c5 fa f2 2d f7 ce ea b6 f2 1221 0b 3b da ee 3b d9 69 e8 7b aa 1223 {server} send alert record: 1225 payload (2 octets): 01 00 1227 ciphertext (24 octets): 17 03 03 00 13 b5 3a d6 ce 3d 3a 44 c6 4c 1228 0c 85 67 64 6f ee 6e 7c de aa 1230 5. HelloRetryRequest 1232 In this example, the client initiates a handshake with an X25519 1233 [RFC7748] share. The server however prefers P-256 [FIPS186] and 1234 sends a HelloRetryRequest that requires the client to generate a key 1235 share on the P-256 curve. 1237 {client} create an ephemeral x25519 key pair: 1239 private key (32 octets): 5d be 3b b2 1c d0 ab b9 c2 ab 42 90 1c 1240 bc 23 c8 c2 b8 84 58 ac 6b e9 14 25 dd dd 3a 98 b0 93 b2 1242 public key (32 octets): 77 a1 f8 c2 bf f9 ae ce f0 f3 7c 60 14 f0 1243 5c 82 7f 5f fe 60 5c 3c 32 67 1d 79 8c 1a 29 50 7c 6d 1245 {client} send a ClientHello handshake message 1247 {client} send handshake record: 1249 payload (174 octets): 01 00 00 aa 03 03 fd a5 c0 5a 01 de 6f 64 1250 0f 13 2a 1a a8 b7 a0 5a 9f 17 91 ca 88 fd f1 ac 8e 07 5e 50 cf 1251 69 0c c9 00 00 06 13 01 13 03 13 02 01 00 00 7b 00 00 00 0b 00 1252 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06 1253 00 1d 00 17 00 18 00 33 00 26 00 24 00 1d 00 20 77 a1 f8 c2 bf 1254 f9 ae ce f0 f3 7c 60 14 f0 5c 82 7f 5f fe 60 5c 3c 32 67 1d 79 1255 8c 1a 29 50 7c 6d 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 1256 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 1257 02 05 02 06 02 02 02 00 2d 00 02 01 01 1259 ciphertext (179 octets): 16 03 01 00 ae 01 00 00 aa 03 03 fd a5 1260 c0 5a 01 de 6f 64 0f 13 2a 1a a8 b7 a0 5a 9f 17 91 ca 88 fd f1 1261 ac 8e 07 5e 50 cf 69 0c c9 00 00 06 13 01 13 03 13 02 01 00 00 1262 7b 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 1263 00 0a 00 08 00 06 00 1d 00 17 00 18 00 33 00 26 00 24 00 1d 00 1264 20 77 a1 f8 c2 bf f9 ae ce f0 f3 7c 60 14 f0 5c 82 7f 5f fe 60 1265 5c 3c 32 67 1d 79 8c 1a 29 50 7c 6d 00 2b 00 03 02 7f 1c 00 0d 1266 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 1267 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 1269 {server} send a ServerHello handshake message 1271 {server} send handshake record: 1273 payload (176 octets): 02 00 00 ac 03 03 cf 21 ad 74 e5 9a 61 11 1274 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 9e 09 e2 c8 1275 a8 33 9c 00 13 01 00 00 84 00 33 00 02 00 17 00 2c 00 74 00 72 1276 be 27 61 a6 66 36 1c 81 90 47 cf 51 00 00 00 00 5a 99 8e 4c c3 1277 d8 dd 02 5b bb e1 0d a6 f2 b2 d1 00 30 b0 3a 58 2f 9c c5 81 d1 1278 0f 62 6c f0 e3 b9 3d 14 d4 65 f9 48 83 5a 2a b5 31 3a 23 a1 9a 1279 eb a3 67 1e 7a 0d 41 0e 17 4f d0 04 f6 53 f1 08 25 17 3d 1a 90 1280 37 cd ea b4 86 df 4e 79 c6 87 f9 d9 b1 b9 e2 ae 81 1e 0b 97 4e 1281 8f 82 7b b1 66 a8 2d f7 a1 00 2b 00 02 7f 1c 1283 ciphertext (181 octets): 16 03 03 00 b0 02 00 00 ac 03 03 cf 21 1284 ad 74 e5 9a 61 11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 1285 5e 07 9e 09 e2 c8 a8 33 9c 00 13 01 00 00 84 00 33 00 02 00 17 1286 00 2c 00 74 00 72 be 27 61 a6 66 36 1c 81 90 47 cf 51 00 00 00 1287 00 5a 99 8e 4c c3 d8 dd 02 5b bb e1 0d a6 f2 b2 d1 00 30 b0 3a 1288 58 2f 9c c5 81 d1 0f 62 6c f0 e3 b9 3d 14 d4 65 f9 48 83 5a 2a 1289 b5 31 3a 23 a1 9a eb a3 67 1e 7a 0d 41 0e 17 4f d0 04 f6 53 f1 1290 08 25 17 3d 1a 90 37 cd ea b4 86 df 4e 79 c6 87 f9 d9 b1 b9 e2 1291 ae 81 1e 0b 97 4e 8f 82 7b b1 66 a8 2d f7 a1 00 2b 00 02 7f 1c 1293 {client} create an ephemeral P-256 key pair: 1295 private key (32 octets): d3 b7 74 44 db 98 f0 23 a7 9b 88 d4 18 1296 e3 74 80 27 67 43 24 ae 7e 9d 7f 25 33 46 34 b7 eb 40 f6 1298 public key (65 octets): 04 9c 86 50 ec 41 c5 a8 df da c7 8b 1f 35 1299 65 42 16 cf cf 8c 2d b5 09 31 58 59 3b 33 22 1a 60 4b f7 df f9 1300 a4 7d cf 13 ee cb 29 be 5c 24 73 21 48 2f 44 51 57 b7 33 1e e4 1301 af 71 7b 59 7e 07 6d 56 e9 1303 {client} send a ClientHello handshake message 1305 {client} send handshake record: 1307 payload (512 octets): 01 00 01 fc 03 03 fd a5 c0 5a 01 de 6f 64 1308 0f 13 2a 1a a8 b7 a0 5a 9f 17 91 ca 88 fd f1 ac 8e 07 5e 50 cf 1309 69 0c c9 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00 1310 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06 1311 00 1d 00 17 00 18 00 33 00 47 00 45 00 17 00 41 04 9c 86 50 ec 1312 41 c5 a8 df da c7 8b 1f 35 65 42 16 cf cf 8c 2d b5 09 31 58 59 1313 3b 33 22 1a 60 4b f7 df f9 a4 7d cf 13 ee cb 29 be 5c 24 73 21 1314 48 2f 44 51 57 b7 33 1e e4 af 71 7b 59 7e 07 6d 56 e9 00 2b 00 1315 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 1316 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2c 1317 00 74 00 72 be 27 61 a6 66 36 1c 81 90 47 cf 51 00 00 00 00 5a 1318 99 8e 4c c3 d8 dd 02 5b bb e1 0d a6 f2 b2 d1 00 30 b0 3a 58 2f 1319 9c c5 81 d1 0f 62 6c f0 e3 b9 3d 14 d4 65 f9 48 83 5a 2a b5 31 1320 3a 23 a1 9a eb a3 67 1e 7a 0d 41 0e 17 4f d0 04 f6 53 f1 08 25 1321 17 3d 1a 90 37 cd ea b4 86 df 4e 79 c6 87 f9 d9 b1 b9 e2 ae 81 1322 1e 0b 97 4e 8f 82 7b b1 66 a8 2d f7 a1 00 2d 00 02 01 01 00 15 1323 00 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1324 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1325 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1326 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1327 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1328 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1329 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1331 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1333 ciphertext (517 octets): 16 03 03 02 00 01 00 01 fc 03 03 fd a5 1334 c0 5a 01 de 6f 64 0f 13 2a 1a a8 b7 a0 5a 9f 17 91 ca 88 fd f1 1335 ac 8e 07 5e 50 cf 69 0c c9 00 00 06 13 01 13 03 13 02 01 00 01 1336 cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 1337 00 0a 00 08 00 06 00 1d 00 17 00 18 00 33 00 47 00 45 00 17 00 1338 41 04 9c 86 50 ec 41 c5 a8 df da c7 8b 1f 35 65 42 16 cf cf 8c 1339 2d b5 09 31 58 59 3b 33 22 1a 60 4b f7 df f9 a4 7d cf 13 ee cb 1340 29 be 5c 24 73 21 48 2f 44 51 57 b7 33 1e e4 af 71 7b 59 7e 07 1341 6d 56 e9 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 1342 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 1343 06 02 02 02 00 2c 00 74 00 72 be 27 61 a6 66 36 1c 81 90 47 cf 1344 51 00 00 00 00 5a 99 8e 4c c3 d8 dd 02 5b bb e1 0d a6 f2 b2 d1 1345 00 30 b0 3a 58 2f 9c c5 81 d1 0f 62 6c f0 e3 b9 3d 14 d4 65 f9 1346 48 83 5a 2a b5 31 3a 23 a1 9a eb a3 67 1e 7a 0d 41 0e 17 4f d0 1347 04 f6 53 f1 08 25 17 3d 1a 90 37 cd ea b4 86 df 4e 79 c6 87 f9 1348 d9 b1 b9 e2 ae 81 1e 0b 97 4e 8f 82 7b b1 66 a8 2d f7 a1 00 2d 1349 00 02 01 01 00 15 00 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 1350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1351 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1352 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1353 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1354 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1355 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1356 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1357 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1359 {server} extract secret "early": 1361 salt: (absent) 1363 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1364 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1366 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c 1367 e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 1369 {server} create an ephemeral P-256 key pair: 1371 private key (32 octets): 3b 21 7a 4d b8 ab 31 54 d8 f1 ca 4f fc 1372 a0 c3 3f 04 8f 1a 06 01 e2 9f 8b b7 f7 9b 36 8c 65 ba a6 1374 public key (65 octets): 04 65 7e a5 e0 7c 82 1e 25 fd 9e f2 61 4c 1375 08 9f 9d 21 b4 8c c5 44 26 77 0d f4 ef 95 8a 85 c5 e0 3c e3 8b 1376 5e 7e 7b 6f 63 92 f0 e3 6c f1 11 9a 9b 59 59 76 79 83 93 19 e4 1377 0e d1 f0 9a 06 81 d2 ec 71 1379 {server} send a ServerHello handshake message 1381 {server} derive secret for handshake "tls13 derived": 1383 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 1384 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 1386 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 1387 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1389 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 1390 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 1391 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1393 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 1394 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 1396 {server} extract secret "handshake": 1398 salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 1399 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 1401 ikm (32 octets): fe b0 20 4b f7 6c ce 95 68 ae ef fa 0b 10 ef c7 1402 64 06 5c 03 48 cc f4 f2 f8 97 22 f2 f5 5c df a8 1404 secret (32 octets): 91 35 3f 07 99 0d 6d 5a e0 43 f2 dd 4b 36 45 1405 a8 2d d7 a4 8b 91 73 36 5c af 7e 09 80 ba f4 9d 15 1407 {server} derive secret "tls13 c hs traffic": 1409 PRK (32 octets): 91 35 3f 07 99 0d 6d 5a e0 43 f2 dd 4b 36 45 a8 1410 2d d7 a4 8b 91 73 36 5c af 7e 09 80 ba f4 9d 15 1412 hash (32 octets): 12 5d 04 9c 5f a7 94 33 01 e3 0c 64 53 2d 45 00 1413 66 c7 be b0 cd 26 bd 3f 7a 33 43 ab 7c fc bb 0d 1415 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 1416 61 66 66 69 63 20 12 5d 04 9c 5f a7 94 33 01 e3 0c 64 53 2d 45 1417 00 66 c7 be b0 cd 26 bd 3f 7a 33 43 ab 7c fc bb 0d 1419 output (32 octets): 66 65 be 10 30 f9 05 87 74 35 d5 6b 4a 9b d8 1420 de 7f 4e 37 1c ef 29 5b ac 39 7b 98 d7 35 f5 16 54 1422 {server} derive secret "tls13 s hs traffic": 1424 PRK (32 octets): 91 35 3f 07 99 0d 6d 5a e0 43 f2 dd 4b 36 45 a8 1425 2d d7 a4 8b 91 73 36 5c af 7e 09 80 ba f4 9d 15 1427 hash (32 octets): 12 5d 04 9c 5f a7 94 33 01 e3 0c 64 53 2d 45 00 1428 66 c7 be b0 cd 26 bd 3f 7a 33 43 ab 7c fc bb 0d 1430 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 1431 61 66 66 69 63 20 12 5d 04 9c 5f a7 94 33 01 e3 0c 64 53 2d 45 1432 00 66 c7 be b0 cd 26 bd 3f 7a 33 43 ab 7c fc bb 0d 1434 output (32 octets): d6 d3 a4 da b6 55 19 ef aa d1 8e 18 4a f2 6f 1435 6a 2f 41 08 a3 6c e9 90 ef 5c 36 bb d9 d2 36 d8 d7 1437 {server} derive secret for master "tls13 derived": 1439 PRK (32 octets): 91 35 3f 07 99 0d 6d 5a e0 43 f2 dd 4b 36 45 a8 1440 2d d7 a4 8b 91 73 36 5c af 7e 09 80 ba f4 9d 15 1442 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 1443 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1445 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 1446 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 1447 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1449 output (32 octets): 55 3a 3f 4d 42 b9 da 6e 66 e7 26 49 40 2d 1e 1450 00 25 e3 de 0e 87 51 0d f7 ab 88 0e 85 bc e4 7f ae 1452 {server} extract secret "master": 1454 salt (32 octets): 55 3a 3f 4d 42 b9 da 6e 66 e7 26 49 40 2d 1e 00 1455 25 e3 de 0e 87 51 0d f7 ab 88 0e 85 bc e4 7f ae 1457 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1458 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1460 secret (32 octets): 29 c7 bf 4a b3 ef 65 96 1b 70 85 62 2f cf 5d 1461 d6 c8 6b 01 4e d5 7d 6d 33 92 76 9b 58 d8 cf 3b a4 1463 {server} send handshake record: 1465 payload (123 octets): 02 00 00 77 03 03 b0 4a 61 26 aa 7b 5c f3 1466 0f 4a 09 1c 8f 2f 38 12 85 d7 7c bc db 73 9b 6a 26 f3 73 0e 2c 1467 aa a8 f2 00 13 01 00 00 4f 00 33 00 45 00 17 00 41 04 65 7e a5 1468 e0 7c 82 1e 25 fd 9e f2 61 4c 08 9f 9d 21 b4 8c c5 44 26 77 0d 1469 f4 ef 95 8a 85 c5 e0 3c e3 8b 5e 7e 7b 6f 63 92 f0 e3 6c f1 11 1470 9a 9b 59 59 76 79 83 93 19 e4 0e d1 f0 9a 06 81 d2 ec 71 00 2b 1471 00 02 7f 1c 1473 ciphertext (128 octets): 16 03 03 00 7b 02 00 00 77 03 03 b0 4a 1474 61 26 aa 7b 5c f3 0f 4a 09 1c 8f 2f 38 12 85 d7 7c bc db 73 9b 1475 6a 26 f3 73 0e 2c aa a8 f2 00 13 01 00 00 4f 00 33 00 45 00 17 1476 00 41 04 65 7e a5 e0 7c 82 1e 25 fd 9e f2 61 4c 08 9f 9d 21 b4 1477 8c c5 44 26 77 0d f4 ef 95 8a 85 c5 e0 3c e3 8b 5e 7e 7b 6f 63 1478 92 f0 e3 6c f1 11 9a 9b 59 59 76 79 83 93 19 e4 0e d1 f0 9a 06 1479 81 d2 ec 71 00 2b 00 02 7f 1c 1481 {server} derive write traffic keys for handshake data: 1483 PRK (32 octets): d6 d3 a4 da b6 55 19 ef aa d1 8e 18 4a f2 6f 6a 1484 2f 41 08 a3 6c e9 90 ef 5c 36 bb d9 d2 36 d8 d7 1486 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1488 key output (16 octets): 51 dc bb f8 4c a6 41 9d 5c 5f 52 32 da 05 1489 c0 af 1491 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1493 iv output (12 octets): b1 c3 52 60 1b c5 a8 3d 37 e1 27 fe 1495 {server} send a EncryptedExtensions handshake message 1497 {server} send a Certificate handshake message 1499 {server} send a CertificateVerify handshake message 1501 {server} calculate finished "tls13 finished": 1503 PRK (32 octets): d6 d3 a4 da b6 55 19 ef aa d1 8e 18 4a f2 6f 6a 1504 2f 41 08 a3 6c e9 90 ef 5c 36 bb d9 d2 36 d8 d7 1506 hash (0 octets): (empty) 1508 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 1509 64 00 1511 output (32 octets): 8e 5f be fe 35 d1 12 a8 bd 57 10 e8 b1 00 dd 1512 61 dc 48 a3 d0 29 87 3e fb c3 ab 67 07 01 8e 86 6e 1514 {server} send a Finished handshake message 1516 {server} send handshake record: 1518 payload (639 octets): 08 00 00 12 00 10 00 0a 00 08 00 06 00 17 1519 00 18 00 1d 00 00 00 00 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82 1520 01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 1521 86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 1522 72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17 1523 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06 1524 03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7 1525 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f 1526 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 1527 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1528 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52 1529 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74 1530 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 1531 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 1532 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 1533 03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 1534 01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 1535 72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea 1536 e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 1537 51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be 1538 c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1539 1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 1540 96 12 29 ac 91 87 b4 2b 4d e1 00 00 0f 00 00 84 08 04 00 80 1a 1541 78 c0 86 7a 27 20 39 db d4 e2 95 ae e0 eb ce a5 67 5c 09 f6 c6 1542 2d b9 f3 9d 94 9b c2 2e 1e 23 1c eb dc b8 a6 ec 2e b3 7f 98 bb 1543 bf bb eb f7 64 bb b6 80 45 48 b7 78 52 f4 92 15 60 35 1f 99 8f 1544 42 0d f7 ea ad 47 4b 3a 1a 50 db cb 0e 40 eb 2a 58 5b 64 5e 0b 1545 4c 95 13 6c 02 87 ce 2e 74 ee 5b 99 48 43 77 e3 de ee 00 13 49 1546 9c aa a2 2f 13 65 fb 26 21 05 83 26 d3 6a 92 47 56 d3 ae 8c b9 1547 3b 14 00 00 20 6b a4 58 68 e6 28 c9 7a e3 b0 e1 68 c6 ea ff 9e 1548 58 e5 97 58 28 76 29 c5 93 68 c6 21 27 61 b6 a3 1550 ciphertext (661 octets): 17 03 03 02 90 5b bc c2 f4 05 15 00 8f 1551 44 54 2c 78 a4 87 46 58 09 04 6f 46 b0 e1 74 a9 e8 ad fa 07 60 1552 b7 1b 25 4d a3 19 49 d5 d7 0f 3b 1a 6b 6d c2 1c 5a 68 1a af bf 1553 e5 70 ca cb 35 7b 47 00 cc 74 68 4c c2 99 ba f1 96 02 d5 55 b2 1554 d9 66 4a 35 de 49 37 7e 8c b7 a5 10 b9 c1 ba 4e a6 99 68 3d 39 1555 1b 86 d7 31 e3 2e 1d bc 86 72 24 2d 90 f9 36 27 cd 12 39 65 4c 1556 6b 05 92 5e f0 8b 4f 36 7c e3 4d 5f 08 ce 41 27 63 d1 e3 23 ae 1557 dd 7a 94 c4 db cc 13 85 5a 31 cc 3a 32 68 fa f4 49 ef 17 b2 90 1558 65 77 eb 7e 49 04 bf 9a 9f eb af 80 1c 18 61 dd 18 e7 0f c7 ee 1559 58 38 da 90 38 90 59 95 58 f9 47 d4 70 bf cf 94 29 2a ca 94 83 1560 e4 62 bf 2b c8 a6 16 88 e1 5b 47 7c 88 e4 33 bf 6e ad 2e 97 ac 1561 4a 15 d0 27 60 d1 31 b2 45 25 57 0b 67 e4 d6 27 e0 1f b3 de eb 1562 33 f4 97 7e 43 ea 5d 1c f5 f1 8d 27 14 f1 bd ea 6e 43 9c bb 07 1563 6a 02 76 01 e3 ac 60 39 d7 85 d6 8b 11 ed 5f dd 8b 17 87 27 12 1564 31 c1 cd da 17 a2 70 85 52 cf 1c c2 c9 b9 1d d3 54 77 f7 96 5e 1565 15 87 8c a8 5b b5 a2 03 08 be ed d6 10 af 47 82 76 60 f2 b2 cd 1566 b3 b7 d5 3b b7 9e 19 da 0a 64 39 d5 b9 48 f2 5e f0 fc 9b c4 2f 1567 83 ce 09 40 5f 46 16 4d 06 6f 71 07 9d ff cc 28 cb f3 ba 4f 4b 1568 65 39 1d 49 c9 1d 6a 92 58 67 52 8f e5 a1 09 1c 5c 86 29 cb 0b 1569 7b 91 50 a9 f8 17 e4 18 91 0a f4 0b f9 cd f0 85 c6 d7 a3 be 2c 1570 9c 2e 2e 63 f5 86 68 2d a8 17 c5 c8 ba b8 ee 8c 8d 26 8a 2f f7 1571 50 73 eb c2 76 fb 6c 65 17 33 da 28 50 0d a7 09 df 4f 95 04 d8 1572 23 ca 32 de e7 2a 0b 18 b1 16 28 20 ab a1 c0 1b e8 0b 3f c4 24 1573 d2 8b 66 39 6c c5 45 d3 6d 88 65 1e c7 24 c9 91 18 86 cb 60 52 1574 cc 8f cd 83 7a 26 82 0b 69 41 9d fd a7 c1 79 57 aa 11 26 62 3a 1575 6a 4e de 84 30 a3 e1 ff c5 38 59 a5 95 d6 68 60 e1 07 59 01 11 1576 8d 33 9b a9 bb 04 ff 78 20 2c 6c b9 23 23 ad 66 4b 3a e3 c3 c5 1577 53 a4 b7 34 03 da 89 2e 65 40 60 14 78 81 4b e0 ce 3f da 97 05 1578 0b 72 63 80 d9 d6 d9 a9 55 36 48 c1 05 4f 96 9a 6a 1a 6f d7 f2 1579 88 46 8d 0e 62 69 95 99 4c e5 b4 2a 4f bb 58 16 3e a6 e2 f1 1b 1580 73 8c 07 34 91 1a 2b c2 9d 06 f3 38 f7 a3 83 ae 50 97 71 ea 11 1581 f5 18 38 29 42 5d 89 27 d3 2a 39 18 1d 6a a1 91 8d 25 1583 {server} derive secret "tls13 c ap traffic": 1585 PRK (32 octets): 29 c7 bf 4a b3 ef 65 96 1b 70 85 62 2f cf 5d d6 1586 c8 6b 01 4e d5 7d 6d 33 92 76 9b 58 d8 cf 3b a4 1588 hash (32 octets): 0c cb 7b d0 f0 9f 0e 88 25 77 3f a6 3d 47 60 d0 1589 de b1 ca 2d 33 34 a8 b3 3f 93 2d d4 83 11 b4 1d 1591 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 1592 61 66 66 69 63 20 0c cb 7b d0 f0 9f 0e 88 25 77 3f a6 3d 47 60 1593 d0 de b1 ca 2d 33 34 a8 b3 3f 93 2d d4 83 11 b4 1d 1595 output (32 octets): 62 b9 5d 5d 70 e3 61 a7 ac db 4c 1d 0b 76 ad 1596 8e 52 40 72 d8 65 7b c5 60 45 19 7c 56 95 ae 7d 1f 1598 {server} derive secret "tls13 s ap traffic": 1600 PRK (32 octets): 29 c7 bf 4a b3 ef 65 96 1b 70 85 62 2f cf 5d d6 1601 c8 6b 01 4e d5 7d 6d 33 92 76 9b 58 d8 cf 3b a4 1603 hash (32 octets): 0c cb 7b d0 f0 9f 0e 88 25 77 3f a6 3d 47 60 d0 1604 de b1 ca 2d 33 34 a8 b3 3f 93 2d d4 83 11 b4 1d 1606 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 1607 61 66 66 69 63 20 0c cb 7b d0 f0 9f 0e 88 25 77 3f a6 3d 47 60 1608 d0 de b1 ca 2d 33 34 a8 b3 3f 93 2d d4 83 11 b4 1d 1610 output (32 octets): bb 4b e6 55 75 24 ef c0 ea d5 e4 1f 3a a7 9b 1611 66 2d 54 e7 44 b9 60 bf 4d 74 84 12 98 ea 3c 94 a3 1613 {server} derive secret "tls13 exp master": 1615 PRK (32 octets): 29 c7 bf 4a b3 ef 65 96 1b 70 85 62 2f cf 5d d6 1616 c8 6b 01 4e d5 7d 6d 33 92 76 9b 58 d8 cf 3b a4 1618 hash (32 octets): 0c cb 7b d0 f0 9f 0e 88 25 77 3f a6 3d 47 60 d0 1619 de b1 ca 2d 33 34 a8 b3 3f 93 2d d4 83 11 b4 1d 1621 info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 1622 74 65 72 20 0c cb 7b d0 f0 9f 0e 88 25 77 3f a6 3d 47 60 d0 de 1623 b1 ca 2d 33 34 a8 b3 3f 93 2d d4 83 11 b4 1d 1625 output (32 octets): ac 26 20 81 4f 70 43 09 36 be c0 84 92 b8 5d 1626 36 3f 71 2f c4 f6 7b 82 a7 7b 5e 75 e3 42 ee 11 3c 1628 {server} derive write traffic keys for application data: 1630 PRK (32 octets): bb 4b e6 55 75 24 ef c0 ea d5 e4 1f 3a a7 9b 66 1631 2d 54 e7 44 b9 60 bf 4d 74 84 12 98 ea 3c 94 a3 1633 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1634 key output (16 octets): e3 08 90 8b 31 47 94 f7 9e 88 ee 2a 58 69 1635 b4 8c 1637 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1639 iv output (12 octets): 32 03 04 48 9a 32 bb fe 2f 16 eb 30 1641 {server} derive read traffic keys for handshake data: 1643 PRK (32 octets): 66 65 be 10 30 f9 05 87 74 35 d5 6b 4a 9b d8 de 1644 7f 4e 37 1c ef 29 5b ac 39 7b 98 d7 35 f5 16 54 1646 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1648 key output (16 octets): 23 36 dc fa e3 03 4b 23 54 7b 1c 94 1f bd 1649 99 00 1651 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1653 iv output (12 octets): 7d 1a b0 07 49 38 3b 72 75 4e 90 cb 1655 {client} extract secret "early": 1657 salt: (absent) 1659 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1660 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1662 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c 1663 e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 1665 {client} derive secret for handshake "tls13 derived": 1667 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 1668 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 1670 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 1671 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1673 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 1674 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 1675 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1677 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 1678 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 1680 {client} extract secret "handshake": 1682 salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 1683 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 1685 ikm (32 octets): fe b0 20 4b f7 6c ce 95 68 ae ef fa 0b 10 ef c7 1686 64 06 5c 03 48 cc f4 f2 f8 97 22 f2 f5 5c df a8 1688 secret (32 octets): 91 35 3f 07 99 0d 6d 5a e0 43 f2 dd 4b 36 45 1689 a8 2d d7 a4 8b 91 73 36 5c af 7e 09 80 ba f4 9d 15 1691 {client} derive secret "tls13 c hs traffic" (same as server) 1693 {client} derive secret "tls13 s hs traffic" (same as server) 1695 {client} derive secret for master "tls13 derived" (same as server) 1697 {client} extract secret "master" (same as server) 1699 {client} derive read traffic keys for handshake data: 1701 PRK (32 octets): d6 d3 a4 da b6 55 19 ef aa d1 8e 18 4a f2 6f 6a 1702 2f 41 08 a3 6c e9 90 ef 5c 36 bb d9 d2 36 d8 d7 1704 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1706 key output (16 octets): 51 dc bb f8 4c a6 41 9d 5c 5f 52 32 da 05 1707 c0 af 1709 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1711 iv output (12 octets): b1 c3 52 60 1b c5 a8 3d 37 e1 27 fe 1713 {client} calculate finished "tls13 finished" (same as server) 1715 {client} derive secret "tls13 c ap traffic" (same as server) 1717 {client} derive secret "tls13 s ap traffic" (same as server) 1719 {client} derive secret "tls13 exp master" (same as server) 1721 {client} derive write traffic keys for handshake data (same as 1722 server read traffic keys) 1724 {client} derive read traffic keys for application data (same as 1725 server write traffic keys) 1727 {client} calculate finished "tls13 finished": 1729 PRK (32 octets): 66 65 be 10 30 f9 05 87 74 35 d5 6b 4a 9b d8 de 1730 7f 4e 37 1c ef 29 5b ac 39 7b 98 d7 35 f5 16 54 1732 hash (0 octets): (empty) 1734 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 1735 64 00 1737 output (32 octets): 2e 93 ce 7c 64 a9 11 9d d3 1e c3 f0 4d 01 8b 1738 22 b8 03 9e ce 90 91 a1 3b bc 48 4c bf 3c 11 44 f6 1740 {client} send a Finished handshake message 1742 {client} send handshake record: 1744 payload (36 octets): 14 00 00 20 2d 69 87 f1 81 4d d1 02 06 c9 22 1745 e4 ab c8 26 b3 54 08 6c 19 53 1f 20 46 02 a4 b9 9f c2 07 44 35 1747 ciphertext (58 octets): 17 03 03 00 35 d3 c3 af 19 fd d5 cf 86 1e 1748 1e cd b5 42 30 00 11 23 a8 2c fc b0 f7 32 55 fa c3 52 4c c4 9b 1749 91 08 58 ca 3e d1 8e 22 a3 c3 c8 c2 00 75 9e b2 c6 95 8c 02 6b 1750 c1 c3 1752 {client} derive write traffic keys for application data: 1754 PRK (32 octets): 62 b9 5d 5d 70 e3 61 a7 ac db 4c 1d 0b 76 ad 8e 1755 52 40 72 d8 65 7b c5 60 45 19 7c 56 95 ae 7d 1f 1757 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1759 key output (16 octets): 73 56 0a 54 0e 27 05 3e f9 28 d9 25 23 72 1760 dc 82 1762 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1764 iv output (12 octets): ba 7e bb 92 b1 cb 06 c1 39 c7 df bd 1766 {client} derive secret "tls13 res master": 1768 PRK (32 octets): 29 c7 bf 4a b3 ef 65 96 1b 70 85 62 2f cf 5d d6 1769 c8 6b 01 4e d5 7d 6d 33 92 76 9b 58 d8 cf 3b a4 1771 hash (32 octets): f0 16 61 e7 4c ae b5 8f 27 66 dc 65 c6 67 87 41 1772 bb 07 23 24 a1 13 33 2d 50 8a a9 cd 03 1c 3e ee 1774 info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 1775 74 65 72 20 f0 16 61 e7 4c ae b5 8f 27 66 dc 65 c6 67 87 41 bb 1776 07 23 24 a1 13 33 2d 50 8a a9 cd 03 1c 3e ee 1778 output (32 octets): bd 55 23 17 8e 08 61 b1 c1 8a e3 0c 9f f5 a7 1779 fe 68 f2 66 33 af 70 4a ee 1b 64 3e 3a c5 e4 f7 ef 1781 {server} calculate finished "tls13 finished" (same as client) 1783 {server} derive read traffic keys for application data (same as 1784 client write traffic keys) 1786 {server} derive secret "tls13 res master" (same as client) 1788 {client} send alert record: 1790 payload (2 octets): 01 00 1792 ciphertext (24 octets): 17 03 03 00 13 f8 41 57 a0 1d b2 73 9d a1 1793 86 c3 a8 2f 23 cb 31 83 ad e0 1795 {server} send alert record: 1797 payload (2 octets): 01 00 1799 ciphertext (24 octets): 17 03 03 00 13 a2 06 45 93 d6 f1 8a 0e 7e 1800 1d c6 e8 76 69 b3 c4 54 62 e4 1802 6. Client Authentication 1804 In this example, the server requests client authentication. The 1805 client uses a certificate with an RSA key, the server uses an ECDSA 1806 certificate with a P-256 key. Note that private keys for this 1807 example are not included in the draft. 1809 {client} create an ephemeral x25519 key pair: 1811 private key (32 octets): 81 2f 09 40 11 ad f7 29 ff 7c a2 b2 4d 1812 0d 16 49 c9 e3 d4 af 0d 1e dc 10 a1 ae 7c b8 14 a4 96 22 1814 public key (32 octets): 79 fd 6e fb c1 92 04 40 aa 32 5c dc ea 3f 1815 3c b7 07 8f ea 03 13 fa 76 6a c3 76 1e dc 62 ad 2c 31 1817 {client} send a ClientHello handshake message 1819 {client} send handshake record: 1821 payload (186 octets): 01 00 00 b6 03 03 82 97 3b d3 3b b4 81 f5 1822 37 de c6 5a cd 48 5b d4 bd aa 20 f7 d2 2f 68 0c 89 2f 68 45 06 1823 51 a5 0e 00 00 06 13 01 13 03 13 02 01 00 00 87 00 00 00 0b 00 1824 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 1825 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00 1826 26 00 24 00 1d 00 20 79 fd 6e fb c1 92 04 40 aa 32 5c dc ea 3f 1827 3c b7 07 8f ea 03 13 fa 76 6a c3 76 1e dc 62 ad 2c 31 00 2b 00 1828 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 1829 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 1830 00 02 01 01 1832 ciphertext (191 octets): 16 03 01 00 ba 01 00 00 b6 03 03 82 97 1833 3b d3 3b b4 81 f5 37 de c6 5a cd 48 5b d4 bd aa 20 f7 d2 2f 68 1834 0c 89 2f 68 45 06 51 a5 0e 00 00 06 13 01 13 03 13 02 01 00 00 1835 87 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 1836 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 1837 03 01 04 00 33 00 26 00 24 00 1d 00 20 79 fd 6e fb c1 92 04 40 1838 aa 32 5c dc ea 3f 3c b7 07 8f ea 03 13 fa 76 6a c3 76 1e dc 62 1839 ad 2c 31 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 1840 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 1841 06 02 02 02 00 2d 00 02 01 01 1843 {server} extract secret "early": 1845 salt: (absent) 1847 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1848 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1850 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c 1851 e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 1853 {server} create an ephemeral x25519 key pair: 1855 private key (32 octets): d6 8f 8d b3 5c 04 61 e2 5f 95 f6 23 04 1856 4b 61 bd a3 9d 08 f8 5c 64 43 50 a0 4d 57 d8 9c 66 7a ca 1858 public key (32 octets): c3 ec 4f 42 40 70 ce 83 c7 91 fa 32 8f e9 1859 ae 00 96 ab fc cc 15 b9 aa ec eb f6 0b f4 8f 0b 0f 2e 1861 {server} send a ServerHello handshake message 1863 {server} derive secret for handshake "tls13 derived": 1865 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 1866 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 1868 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 1869 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1871 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 1872 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 1873 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1875 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 1876 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 1878 {server} extract secret "handshake": 1880 salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 1881 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 1883 ikm (32 octets): a1 74 df 38 d7 a4 28 b6 2e 99 80 83 00 c6 8c e5 1884 5a 89 1a 80 74 d9 f0 99 56 78 eb 55 68 fe c5 07 1886 secret (32 octets): 4c ce 76 5f ac c3 15 26 36 dc 39 a9 12 ad 99 1887 35 75 ff f1 bf 21 55 3b 7a bd 5e 49 f3 76 fa 39 d6 1889 {server} derive secret "tls13 c hs traffic": 1891 PRK (32 octets): 4c ce 76 5f ac c3 15 26 36 dc 39 a9 12 ad 99 35 1892 75 ff f1 bf 21 55 3b 7a bd 5e 49 f3 76 fa 39 d6 1894 hash (32 octets): 57 65 19 76 4b f9 ac e3 84 32 c8 6d 9e 0f 72 f2 1895 ef 6b a3 7c 9f 76 30 6e fc bb e7 78 56 ad b3 41 1897 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 1898 61 66 66 69 63 20 57 65 19 76 4b f9 ac e3 84 32 c8 6d 9e 0f 72 1899 f2 ef 6b a3 7c 9f 76 30 6e fc bb e7 78 56 ad b3 41 1901 output (32 octets): 80 e0 c6 f8 6e 1e e2 f6 dd b3 ea 30 a7 fc 72 1902 22 3b 9f ed 27 55 5c 8d 41 f5 8f b2 db bd 4c 0d 09 1904 {server} derive secret "tls13 s hs traffic": 1906 PRK (32 octets): 4c ce 76 5f ac c3 15 26 36 dc 39 a9 12 ad 99 35 1907 75 ff f1 bf 21 55 3b 7a bd 5e 49 f3 76 fa 39 d6 1909 hash (32 octets): 57 65 19 76 4b f9 ac e3 84 32 c8 6d 9e 0f 72 f2 1910 ef 6b a3 7c 9f 76 30 6e fc bb e7 78 56 ad b3 41 1912 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 1913 61 66 66 69 63 20 57 65 19 76 4b f9 ac e3 84 32 c8 6d 9e 0f 72 1914 f2 ef 6b a3 7c 9f 76 30 6e fc bb e7 78 56 ad b3 41 1916 output (32 octets): 28 a9 36 51 09 57 b3 70 7b c7 72 bd be 0a f2 1917 23 d9 71 d8 36 69 d6 f0 b8 b7 4f 34 89 85 d4 f1 35 1919 {server} derive secret for master "tls13 derived": 1921 PRK (32 octets): 4c ce 76 5f ac c3 15 26 36 dc 39 a9 12 ad 99 35 1922 75 ff f1 bf 21 55 3b 7a bd 5e 49 f3 76 fa 39 d6 1924 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 1925 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1927 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 1928 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 1929 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1931 output (32 octets): c2 13 d7 c8 ea f2 1c bc 9d 09 fa 15 85 c4 27 1932 ac 96 c3 18 32 5c d3 3c 95 93 4f 6d e8 f9 28 50 e3 1934 {server} extract secret "master": 1936 salt (32 octets): c2 13 d7 c8 ea f2 1c bc 9d 09 fa 15 85 c4 27 ac 1937 96 c3 18 32 5c d3 3c 95 93 4f 6d e8 f9 28 50 e3 1939 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1940 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1942 secret (32 octets): 64 94 cc e1 de 53 33 83 e4 0f 2b fd 9e 2e bb 1943 7e ba 59 9b f6 5d 22 f1 28 2e 61 14 ca 73 74 76 aa 1945 {server} send handshake record: 1947 payload (90 octets): 02 00 00 56 03 03 e1 6b 86 5e 76 5e 84 ba 47 1948 b4 2d f2 62 e3 8e 2d e6 1e 95 e3 75 3b ad fd 98 76 5c 62 98 4f 1949 28 d3 00 13 01 00 00 2e 00 33 00 24 00 1d 00 20 c3 ec 4f 42 40 1950 70 ce 83 c7 91 fa 32 8f e9 ae 00 96 ab fc cc 15 b9 aa ec eb f6 1951 0b f4 8f 0b 0f 2e 00 2b 00 02 7f 1c 1953 ciphertext (95 octets): 16 03 03 00 5a 02 00 00 56 03 03 e1 6b 86 1954 5e 76 5e 84 ba 47 b4 2d f2 62 e3 8e 2d e6 1e 95 e3 75 3b ad fd 1955 98 76 5c 62 98 4f 28 d3 00 13 01 00 00 2e 00 33 00 24 00 1d 00 1956 20 c3 ec 4f 42 40 70 ce 83 c7 91 fa 32 8f e9 ae 00 96 ab fc cc 1957 15 b9 aa ec eb f6 0b f4 8f 0b 0f 2e 00 2b 00 02 7f 1c 1959 {server} derive write traffic keys for handshake data: 1961 PRK (32 octets): 28 a9 36 51 09 57 b3 70 7b c7 72 bd be 0a f2 23 1962 d9 71 d8 36 69 d6 f0 b8 b7 4f 34 89 85 d4 f1 35 1964 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1966 key output (16 octets): 7b 12 04 e6 6d 4a cf 2d a4 da 5d 45 7e e9 1967 97 34 1969 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1971 iv output (12 octets): 2b 44 e2 11 46 6b 55 23 7a 3a 47 82 1973 {server} send a EncryptedExtensions handshake message 1975 {server} send a CertificateRequest handshake message 1977 {server} send a Certificate handshake message 1979 {server} send a CertificateVerify handshake message 1981 {server} calculate finished "tls13 finished": 1983 PRK (32 octets): 28 a9 36 51 09 57 b3 70 7b c7 72 bd be 0a f2 23 1984 d9 71 d8 36 69 d6 f0 b8 b7 4f 34 89 85 d4 f1 35 1986 hash (0 octets): (empty) 1988 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 1989 64 00 1991 output (32 octets): 05 6f 63 21 21 b2 14 cd 48 f9 33 92 7b 7f 8f 1992 d7 6e f6 09 70 8e 2f dc 19 2c 2b 7b e3 eb 2b ce ed 1994 {server} send a Finished handshake message 1996 {server} send handshake record: 1998 payload (512 octets): 08 00 00 1e 00 1c 00 0a 00 14 00 12 00 1d 1999 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 0d 2000 00 00 27 00 00 24 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 2001 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 2002 0b 00 01 3b 00 00 01 37 00 01 32 30 82 01 2e 30 81 d5 a0 03 02 2003 01 02 02 01 07 30 0a 06 08 2a 86 48 ce 3d 04 03 02 30 13 31 11 2004 30 0f 06 03 55 04 03 13 08 65 63 64 73 61 32 35 36 30 1e 17 0d 2005 31 36 30 37 33 30 30 31 32 34 30 30 5a 17 0d 32 36 30 37 33 30 2006 30 31 32 34 30 30 5a 30 13 31 11 30 0f 06 03 55 04 03 13 08 65 2007 63 64 73 61 32 35 36 30 59 30 13 06 07 2a 86 48 ce 3d 02 01 06 2008 08 2a 86 48 ce 3d 03 01 07 03 42 00 04 08 d5 30 16 15 75 f4 cf 2009 e7 f1 54 ee 34 48 18 00 86 00 1e 88 43 1a 79 ee 62 ee 6e 2f 83 2010 ef 38 ba 61 e9 fb 37 f3 4e 00 7a 7d f4 d2 f5 b5 6d 1f 04 ec e4 2011 5d 62 1f 46 84 06 f5 c3 a1 51 58 94 8d d0 a3 1a 30 18 30 09 06 2012 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 07 80 2013 30 0a 06 08 2a 86 48 ce 3d 04 03 02 03 48 00 30 45 02 21 00 df 2014 30 fd 45 07 f5 ed d2 2c 1a 6f f8 6d b4 79 ca 69 3f ee ca 3b 71 2015 b3 f9 ef 55 6b 29 37 c0 59 4d 02 20 62 e2 a4 72 50 d3 20 fe a8 2016 3c 7e 2d cb 5b 76 a5 0e 02 00 c0 9a db d1 3f ee 94 6e 51 3e 01 2017 1d 11 00 00 0f 00 00 4c 04 03 00 48 30 46 02 21 00 a9 92 34 f1 2018 07 df ae ab bb 5c a8 f1 a1 1e a4 dd e9 4e c4 3c 9f c2 4f 13 9f 2019 d9 85 02 0f ef 5b 37 02 21 00 88 2a c7 01 dc a9 a3 c2 4d dc 5d 2020 83 99 98 9d e2 bd da f1 cf 3f 4c f5 09 85 8b 19 63 b9 0e a0 98 2021 14 00 00 20 b5 66 19 91 b8 78 02 73 5d ea 1f 4a b1 c9 63 c3 39 2022 50 38 fc c7 e3 5e c4 86 2b 18 6e 89 2a 65 6f 2024 ciphertext (534 octets): 17 03 03 02 11 e7 94 8e bf 77 b7 00 e8 2025 65 c8 90 a4 4a c7 f8 13 ed 92 eb 98 bf fc 81 3f 17 f3 b6 1c 18 2026 ff 65 ba 73 71 1f e9 cb 00 bc 6a 52 f9 5a 64 02 3c ac 02 7a 68 2027 0c 2e 09 a6 27 59 dc 2b 29 e9 a3 5a c1 05 6a 5b 80 ae c1 bd c6 2028 56 be a1 93 dc c1 5a 4a e2 65 0f 99 e2 55 94 87 83 78 0d 3e c2 2029 e2 98 22 f8 51 b8 95 bc 3d e9 51 65 2b f2 de 1f f1 11 c5 60 54 2030 7c b5 64 17 74 ce 0a 61 66 c1 fa c0 60 3e 80 48 1b 79 e2 47 77 2031 24 c6 76 da ea 61 2b 73 e6 36 34 0f 35 8d 0b 31 ad 2a a1 41 51 2032 b1 e3 92 b9 39 4b 28 a5 59 d0 ce 23 79 cd 71 ad bd e9 d3 5a b0 2033 3e 7e 8c f1 a2 e1 09 a3 20 c6 77 9c dd 9c 34 4b c8 64 54 b4 db 2034 a2 37 1c 02 33 05 c6 7c ed c6 3a 81 b8 48 84 33 96 87 5c 41 6d 2035 97 52 60 ab 5a 84 d8 c4 da f9 8f 53 b4 c4 db 2c 62 65 f3 93 79 2036 ee 57 4c 75 55 eb c3 7d 15 81 c4 70 7b 93 e1 ef b2 c1 06 cf 73 2037 7d 40 46 e6 7b 9b 22 a2 96 1d d5 50 44 1b 1e 5f d9 0e 59 c6 0d 2038 b1 f8 5d fd 9d cc 29 52 55 42 a3 e9 1b 96 23 6c 8d 80 1c 0c 6f 2039 e7 3e 7f e2 4f 7a 39 42 75 7b 6f 66 1b 76 cb d6 b6 05 5c ed 9e 2040 19 8d d3 39 20 bd 31 3b 46 28 94 58 9d ff f7 6c 2a 90 4c 42 68 2041 ec a6 da c0 8f 2c d1 d8 34 0a a1 d3 29 3c 24 c7 9a 1a 70 63 3e 2042 4e e4 7b c2 48 b5 a6 79 97 09 57 ab fc 54 ab 15 27 d3 19 2d 3f 2043 e8 b8 ef ce 6b 5c e2 03 4e b0 2f 65 ee 8b e1 71 a7 4a 25 07 81 2044 40 74 54 5e af 76 6d 5e ea 0e 26 89 64 54 9a 6e bd f5 57 c1 65 2045 bc 2a e5 7a 65 af 5e 65 e4 4f 68 2c 0a 84 d2 6f 29 74 b5 6e 6e 2046 f2 ee 1c 1b 8d 50 64 d7 dd 08 0a 9b e2 95 6c 14 61 e8 30 20 29 2047 ee 4c 92 d9 99 00 8e 10 72 42 fa 04 51 ed 3e 38 b2 87 c8 88 0e 2048 bb a3 be 63 a3 10 fd de c4 7d 6f 2f ab cb 66 b4 1f 1d 4f c4 88 2049 92 54 e2 8f 3e 54 06 ce 1d 5c 86 31 bc eb c3 17 20 2051 {server} derive secret "tls13 c ap traffic": 2053 PRK (32 octets): 64 94 cc e1 de 53 33 83 e4 0f 2b fd 9e 2e bb 7e 2054 ba 59 9b f6 5d 22 f1 28 2e 61 14 ca 73 74 76 aa 2056 hash (32 octets): cb 60 d5 fb 22 6a d3 0e fc 47 ce 35 e3 3f 9a 66 2057 59 6a e0 62 ee 1f 1a cc 95 8f 40 02 9d 23 0e df 2059 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 2060 61 66 66 69 63 20 cb 60 d5 fb 22 6a d3 0e fc 47 ce 35 e3 3f 9a 2061 66 59 6a e0 62 ee 1f 1a cc 95 8f 40 02 9d 23 0e df 2063 output (32 octets): f3 15 86 72 b5 85 df 78 19 1e 40 82 60 f7 9c 2064 20 42 3f fd 5f a7 20 1d de 0a 28 87 92 ad 57 c7 9d 2066 {server} derive secret "tls13 s ap traffic": 2068 PRK (32 octets): 64 94 cc e1 de 53 33 83 e4 0f 2b fd 9e 2e bb 7e 2069 ba 59 9b f6 5d 22 f1 28 2e 61 14 ca 73 74 76 aa 2071 hash (32 octets): cb 60 d5 fb 22 6a d3 0e fc 47 ce 35 e3 3f 9a 66 2072 59 6a e0 62 ee 1f 1a cc 95 8f 40 02 9d 23 0e df 2074 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 2075 61 66 66 69 63 20 cb 60 d5 fb 22 6a d3 0e fc 47 ce 35 e3 3f 9a 2076 66 59 6a e0 62 ee 1f 1a cc 95 8f 40 02 9d 23 0e df 2078 output (32 octets): ac 6b c7 af 48 49 1d 9d c2 43 96 50 39 5d 90 2079 1e 5b a8 20 5c 2b 83 d4 70 0a d9 a0 ce 68 8e 77 3e 2081 {server} derive secret "tls13 exp master": 2083 PRK (32 octets): 64 94 cc e1 de 53 33 83 e4 0f 2b fd 9e 2e bb 7e 2084 ba 59 9b f6 5d 22 f1 28 2e 61 14 ca 73 74 76 aa 2086 hash (32 octets): cb 60 d5 fb 22 6a d3 0e fc 47 ce 35 e3 3f 9a 66 2087 59 6a e0 62 ee 1f 1a cc 95 8f 40 02 9d 23 0e df 2089 info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 2090 74 65 72 20 cb 60 d5 fb 22 6a d3 0e fc 47 ce 35 e3 3f 9a 66 59 2091 6a e0 62 ee 1f 1a cc 95 8f 40 02 9d 23 0e df 2093 output (32 octets): 49 d1 b4 ea 60 2f 70 7c 8f 42 26 b7 47 53 64 2094 53 9e d2 68 e7 bc 38 a6 b7 41 ed dc 99 82 1e 61 b9 2096 {server} derive write traffic keys for application data: 2098 PRK (32 octets): ac 6b c7 af 48 49 1d 9d c2 43 96 50 39 5d 90 1e 2099 5b a8 20 5c 2b 83 d4 70 0a d9 a0 ce 68 8e 77 3e 2101 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 2103 key output (16 octets): d9 97 d8 a3 91 e7 d4 a3 9e ab 6f 92 58 8a 2104 4b b0 2106 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 2108 iv output (12 octets): 3e 38 3a 26 9e c2 af 30 4e bb 67 55 2110 {server} derive read traffic keys for handshake data: 2112 PRK (32 octets): 80 e0 c6 f8 6e 1e e2 f6 dd b3 ea 30 a7 fc 72 22 2113 3b 9f ed 27 55 5c 8d 41 f5 8f b2 db bd 4c 0d 09 2115 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 2116 key output (16 octets): 0f 26 6c ef 4e a6 b6 37 11 64 5d a5 43 f8 2117 30 41 2119 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 2121 iv output (12 octets): ed 85 15 18 dd 0d 97 5e d7 70 a4 79 2123 {client} extract secret "early": 2125 salt: (absent) 2127 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2128 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2130 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c 2131 e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 2133 {client} derive secret for handshake "tls13 derived": 2135 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 2136 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 2138 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 2139 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 2141 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 2142 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 2143 64 9b 93 4c a4 95 99 1b 78 52 b8 55 2145 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 2146 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 2148 {client} extract secret "handshake": 2150 salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 2151 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 2153 ikm (32 octets): a1 74 df 38 d7 a4 28 b6 2e 99 80 83 00 c6 8c e5 2154 5a 89 1a 80 74 d9 f0 99 56 78 eb 55 68 fe c5 07 2156 secret (32 octets): 4c ce 76 5f ac c3 15 26 36 dc 39 a9 12 ad 99 2157 35 75 ff f1 bf 21 55 3b 7a bd 5e 49 f3 76 fa 39 d6 2159 {client} derive secret "tls13 c hs traffic" (same as server) 2161 {client} derive secret "tls13 s hs traffic" (same as server) 2163 {client} derive secret for master "tls13 derived" (same as server) 2164 {client} extract secret "master" (same as server) 2166 {client} derive read traffic keys for handshake data: 2168 PRK (32 octets): 28 a9 36 51 09 57 b3 70 7b c7 72 bd be 0a f2 23 2169 d9 71 d8 36 69 d6 f0 b8 b7 4f 34 89 85 d4 f1 35 2171 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 2173 key output (16 octets): 7b 12 04 e6 6d 4a cf 2d a4 da 5d 45 7e e9 2174 97 34 2176 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 2178 iv output (12 octets): 2b 44 e2 11 46 6b 55 23 7a 3a 47 82 2180 {client} calculate finished "tls13 finished" (same as server) 2182 {client} derive secret "tls13 c ap traffic" (same as server) 2184 {client} derive secret "tls13 s ap traffic" (same as server) 2186 {client} derive secret "tls13 exp master" (same as server) 2188 {client} derive write traffic keys for handshake data (same as 2189 server read traffic keys) 2191 {client} derive read traffic keys for application data (same as 2192 server write traffic keys) 2194 {client} send a Certificate handshake message 2196 {client} send a CertificateVerify handshake message 2198 {client} calculate finished "tls13 finished": 2200 PRK (32 octets): 80 e0 c6 f8 6e 1e e2 f6 dd b3 ea 30 a7 fc 72 22 2201 3b 9f ed 27 55 5c 8d 41 f5 8f b2 db bd 4c 0d 09 2203 hash (0 octets): (empty) 2205 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 2206 64 00 2208 output (32 octets): b8 55 e7 3a ba 6f 0f 8e 02 45 0a 15 be c7 96 2209 d8 47 8c 75 ae 7e 00 bc 05 b1 45 39 a2 ed 9b 68 a5 2211 {client} send a Finished handshake message 2212 {client} send handshake record: 2214 payload (623 octets): 0b 00 01 bf 00 00 01 bb 00 01 b6 30 82 01 2215 b2 30 82 01 1b a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86 2216 f7 0d 01 01 0b 05 00 30 11 31 0f 30 0d 06 03 55 04 03 13 06 63 2217 6c 69 65 6e 74 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 2218 5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 11 31 0f 30 2219 0d 06 03 55 04 03 13 06 63 6c 69 65 6e 74 30 81 9f 30 0d 06 09 2220 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 2221 00 c3 81 75 e0 04 a6 8d 09 3f 82 3b 9c 37 9d 20 1f bc 0b b7 a1 2222 c7 91 90 5e 3f bf 76 84 7e 44 e7 51 eb bc d3 60 bd 94 5c 81 e5 2223 22 2b cc 88 46 d3 a8 a0 f9 3e 9b f5 be ba bd 92 ed f1 de 1f f1 2224 90 21 70 3e 7a b6 c0 90 15 13 f9 7e 39 b1 11 f0 9c 93 48 97 1c 2225 7b 21 19 84 a7 54 cd 45 fe 09 5a f0 ea 42 36 82 9b cc f7 a7 fe 2226 9b 28 88 e7 8a b4 77 69 0a 5b 9e 1c cb e9 1c 6a 4a 0f 97 a7 e0 2227 28 42 01 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 2228 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 07 80 30 0d 06 09 2a 86 2229 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 1a 7a 5a 01 85 32 b0 22 2230 af 07 67 d4 86 16 0c ff 2d 16 7a 19 15 d2 38 35 b5 45 94 91 6d 2231 c6 80 be 5d 2e 62 60 76 c5 d5 27 22 eb cc 77 5d 7d 99 f9 80 be 2232 2f c9 4d 34 ac f6 cc 00 ba 90 cb cf b0 60 8a a1 e7 e3 97 1e f0 2233 c0 7a 41 d4 7a d8 34 5d 1f 81 fe 41 8a 1c f4 10 54 42 9f d2 17 2234 bd 77 7d c1 cf 08 f0 5d f9 07 99 c6 59 36 1e 0f 1a 8e e4 ac 0f 2235 78 97 42 0b db c8 23 da 80 a2 f2 ba 23 08 1c 00 00 0f 00 00 84 2236 08 04 00 80 0b de ba ae 67 e8 1c 4f 30 0d 83 1b 21 b4 8c f3 cb 2237 bf 81 af be 3e b2 0b dc 44 e8 83 7b ed cf 85 8f 8d 0e c0 56 29 2238 f2 ba 93 26 00 7a a5 f9 bc 24 39 b3 d8 41 60 8e bf df f3 87 d8 2239 60 a9 77 28 53 25 65 2f 61 a4 64 13 d2 e3 8c a3 39 d1 70 a7 5e 2240 fc 2a 83 6e 91 19 ad 14 17 16 13 2d 3c 0e a5 3c ce c3 c2 32 ad 2241 13 b3 fa 67 09 80 14 48 58 aa 84 d2 b5 e0 05 df 25 b6 78 07 73 2242 59 88 91 b6 56 04 14 00 00 20 45 88 6e 7d 4d 30 f1 3d 16 30 a7 2243 cf 54 51 37 be fa db 8e 8e b4 f4 c1 08 c1 69 4b cf 09 45 9f 17 2245 ciphertext (645 octets): 17 03 03 02 80 4f 18 6c 35 49 64 14 72 2246 cd a8 6a 17 ea 94 2e ac dd 1f cb b9 3e 73 49 21 c1 a9 63 5c 86 2247 32 8e 85 9f ff a3 ac 41 92 6a 3a cb 7b c6 3a 66 dc 4f 66 68 65 2248 57 fe 0a d0 f3 94 1f 07 98 45 95 b9 7c 91 d1 fd 43 df 76 23 36 2249 0a da 56 5b 44 fc a1 2d fa a2 99 f6 64 55 cf 1c 86 24 54 70 d9 2250 b7 b4 5b 8a b5 ff 6c 65 d5 6e 8e c8 8c ee 82 e8 ff 6c 8b 2c de 2251 e3 cd 65 a7 a6 5c 58 07 b4 d7 cb c1 ed 85 82 e1 7d 8a 58 75 99 2252 f8 ae ef 84 41 71 95 35 7e d2 6c 86 9d 2c 03 ee ae 50 d6 33 6a 2253 27 fa 29 d4 05 51 c3 ef 6c c3 f7 6a 09 32 dd f2 50 22 a3 2b 64 2254 36 ac 4a 1a a1 59 7f a6 10 83 da 75 d2 47 39 b0 0d 10 d3 45 2e 2255 e3 0d 92 f4 f5 87 fc f0 c3 cf 43 2d 3c 8e 4b 4f 6d 4d df 45 e1 2256 24 04 73 01 87 90 b2 a0 09 91 e0 0a 5c 41 75 99 23 d8 9d c7 6c 2257 cd ba 57 fc a3 84 df 91 d9 b1 67 c1 70 58 b8 ad 7b 4a 92 8d 6f 2258 2a fe 68 f9 7a 82 e3 50 2a 63 48 1b 50 cf 7b 11 e5 ce 21 65 4a 2259 f0 b5 1e 13 aa fe 1f fc 02 f4 0e a0 d1 a4 64 cb bf 4d 99 91 2c 2260 27 f4 d8 0f ca ad aa e7 8c 1d fc 56 5c da 59 e6 74 1a 27 aa 82 2261 c2 4f 04 76 00 65 19 4f 62 a5 7c 2b 79 1e 57 4c 56 70 c5 82 f5 2262 dd 33 3f 36 83 ed d8 97 11 57 94 d0 78 6e 4e 25 8c cc 6c 75 e9 2263 3d 33 ee c4 dd 61 7f 63 35 e0 aa eb d5 08 8c 24 d6 ad 03 15 8a 2264 b9 8e bb 0b 3a b1 cc d4 03 41 2a 56 0a 38 eb b6 69 53 05 9b 93 2265 e0 c1 d3 ad 81 5f 3c 00 3f e4 5a 5f 07 c1 fd 71 7b 29 95 81 56 2266 99 8e 91 95 7f 6c c0 ed 13 84 c9 59 3d 2b 7e 7a 4f 67 2e aa f0 2267 ad db 58 10 a0 0c 27 0c 25 56 55 dd 38 d3 90 18 5f 96 e8 1e ea 2268 fa 16 c7 02 9c 95 9c 4a e9 bb 1e b6 fc b5 22 a1 b6 75 17 2e 4c 2269 02 5c 31 57 a6 75 6e b3 ee e3 9e 6a ef 59 32 97 f1 6b 8f 19 68 2270 59 e3 0a 83 06 6f e3 b5 4f 87 aa 72 b5 52 76 58 e5 ea 6e 11 c1 2271 72 17 02 6a ae 62 b7 f8 91 9a cc 40 d9 1d 50 ae c2 cb b8 3f cf 2272 1b 51 96 3c 08 57 9f 07 b6 e2 04 e4 a2 c0 36 48 64 1c 1d 0d bb 2273 e8 62 8b bc 61 b6 0c 7a 22 4a 88 11 39 f7 0c 58 47 1b 3b 54 4d 2274 0d 3a b7 ef 6d b7 fd 8b 3a 4b 10 24 54 c8 08 c2 cd 95 ed a0 93 2275 62 84 8f e3 0d 63 1f 34 f3 cf 8e 4a 6d 49 aa f6 2c 64 d8 8d 1c 2276 70 d4 2278 {client} derive write traffic keys for application data: 2280 PRK (32 octets): f3 15 86 72 b5 85 df 78 19 1e 40 82 60 f7 9c 20 2281 42 3f fd 5f a7 20 1d de 0a 28 87 92 ad 57 c7 9d 2283 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 2285 key output (16 octets): 5f 75 27 06 1e 34 51 95 77 55 81 e4 ea 5a 2286 1d 62 2288 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 2290 iv output (12 octets): f1 59 e4 60 d3 df 3c 5e 2b d7 bc 9e 2292 {client} derive secret "tls13 res master": 2294 PRK (32 octets): 64 94 cc e1 de 53 33 83 e4 0f 2b fd 9e 2e bb 7e 2295 ba 59 9b f6 5d 22 f1 28 2e 61 14 ca 73 74 76 aa 2297 hash (32 octets): aa 82 ed e5 08 e5 40 e0 d5 ee 0e 67 69 89 c0 8c 2298 66 01 a5 e5 c3 b4 fe 34 31 79 71 ce 9b 69 4b e6 2300 info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 2301 74 65 72 20 aa 82 ed e5 08 e5 40 e0 d5 ee 0e 67 69 89 c0 8c 66 2302 01 a5 e5 c3 b4 fe 34 31 79 71 ce 9b 69 4b e6 2304 output (32 octets): ba 54 7d 20 f6 13 f6 8e f2 11 96 e4 c6 89 f4 2305 36 24 db ac 5c 2c 20 f4 22 f6 a8 39 e2 80 a1 8e 7d 2307 {server} calculate finished "tls13 finished" (same as client) 2308 {server} derive read traffic keys for application data (same as 2309 client write traffic keys) 2311 {server} derive secret "tls13 res master" (same as client) 2313 {client} send alert record: 2315 payload (2 octets): 01 00 2317 ciphertext (24 octets): 17 03 03 00 13 c5 1d 97 36 4e 8d 18 be 9e 2318 79 eb a9 7b 85 3f 3b 34 d6 01 2320 {server} send alert record: 2322 payload (2 octets): 01 00 2324 ciphertext (24 octets): 17 03 03 00 13 79 be 79 28 e0 e0 62 2e 48 2325 e8 bc 9f 09 93 ac 02 98 b9 f6 2327 7. Compatibility Mode 2329 This example shows use of the handshake with the client requesting 2330 that the server use compatibility mode as defined in Appendix D.4 of 2331 [TLS13]. 2333 {client} create an ephemeral x25519 key pair: 2335 private key (32 octets): 9a 71 27 21 33 44 89 32 c6 de c0 d4 39 2336 a6 e2 94 09 22 79 c6 f7 bf d5 89 33 14 b4 a7 70 18 3e 37 2338 public key (32 octets): 55 34 3a 1d 8d 02 64 b0 78 f1 6d 70 39 f6 2339 9b c9 4e a9 f2 ee 26 f3 51 91 6d 37 d9 73 aa 38 79 03 2341 {client} send a ClientHello handshake message 2343 {client} send handshake record: 2345 payload (218 octets): 01 00 00 d6 03 03 93 ee 06 65 40 d4 cf 08 2346 fa e8 b4 86 09 f8 f5 29 d0 64 f2 bc 65 28 ab a7 3a 40 46 0c 82 2347 0d 86 cd 20 ed db e1 46 86 5a 29 31 2b 13 c7 4d 56 4e 43 6c 3c 2348 a0 92 4e b3 db 86 2d 67 a7 ed f9 7b 88 0e db 00 06 13 01 13 03 2349 13 02 01 00 00 87 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 2350 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 2351 01 01 01 02 01 03 01 04 00 33 00 26 00 24 00 1d 00 20 55 34 3a 2352 1d 8d 02 64 b0 78 f1 6d 70 39 f6 9b c9 4e a9 f2 ee 26 f3 51 91 2353 6d 37 d9 73 aa 38 79 03 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 2354 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 2355 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 2357 ciphertext (223 octets): 16 03 01 00 da 01 00 00 d6 03 03 93 ee 2358 06 65 40 d4 cf 08 fa e8 b4 86 09 f8 f5 29 d0 64 f2 bc 65 28 ab 2359 a7 3a 40 46 0c 82 0d 86 cd 20 ed db e1 46 86 5a 29 31 2b 13 c7 2360 4d 56 4e 43 6c 3c a0 92 4e b3 db 86 2d 67 a7 ed f9 7b 88 0e db 2361 00 06 13 01 13 03 13 02 01 00 00 87 00 00 00 0b 00 09 00 00 06 2362 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 2363 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00 26 00 24 00 2364 1d 00 20 55 34 3a 1d 8d 02 64 b0 78 f1 6d 70 39 f6 9b c9 4e a9 2365 f2 ee 26 f3 51 91 6d 37 d9 73 aa 38 79 03 00 2b 00 03 02 7f 1c 2366 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 2367 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 2369 {server} extract secret "early": 2371 salt: (absent) 2373 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2374 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2376 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c 2377 e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 2379 {server} create an ephemeral x25519 key pair: 2381 private key (32 octets): 42 05 eb 84 23 9b 8c e9 4a 18 f3 d6 22 2382 4d 52 23 a5 1a 3d 56 74 18 c2 43 11 96 15 56 56 81 8b 35 2384 public key (32 octets): 3b ae b0 1c aa 0c 5c 3f e5 06 3e 42 b2 6a 2385 f6 f5 ba 95 83 7d 54 29 3f 4d 9a 33 36 b9 9b 35 bd 05 2387 {server} send a ServerHello handshake message 2389 {server} send handshake record: 2391 payload (122 octets): 02 00 00 76 03 03 5a 34 53 70 5a ec 8d 6f 2392 89 e7 1f 60 d2 86 6d 82 3d e9 64 f1 00 1e c1 20 32 f8 00 c0 16 2393 0d e6 a8 20 ed db e1 46 86 5a 29 31 2b 13 c7 4d 56 4e 43 6c 3c 2394 a0 92 4e b3 db 86 2d 67 a7 ed f9 7b 88 0e db 13 01 00 00 2e 00 2395 33 00 24 00 1d 00 20 3b ae b0 1c aa 0c 5c 3f e5 06 3e 42 b2 6a 2396 f6 f5 ba 95 83 7d 54 29 3f 4d 9a 33 36 b9 9b 35 bd 05 00 2b 00 2397 02 7f 1c 2399 ciphertext (127 octets): 16 03 03 00 7a 02 00 00 76 03 03 5a 34 2400 53 70 5a ec 8d 6f 89 e7 1f 60 d2 86 6d 82 3d e9 64 f1 00 1e c1 2401 20 32 f8 00 c0 16 0d e6 a8 20 ed db e1 46 86 5a 29 31 2b 13 c7 2402 4d 56 4e 43 6c 3c a0 92 4e b3 db 86 2d 67 a7 ed f9 7b 88 0e db 2403 13 01 00 00 2e 00 33 00 24 00 1d 00 20 3b ae b0 1c aa 0c 5c 3f 2404 e5 06 3e 42 b2 6a f6 f5 ba 95 83 7d 54 29 3f 4d 9a 33 36 b9 9b 2405 35 bd 05 00 2b 00 02 7f 1c 2407 {server} send change_cipher_spec record: 2409 payload (1 octets): 01 2411 ciphertext (6 octets): 14 03 03 00 01 01 2413 {server} derive secret for handshake "tls13 derived": 2415 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 2416 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 2418 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 2419 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 2421 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 2422 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 2423 64 9b 93 4c a4 95 99 1b 78 52 b8 55 2425 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 2426 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 2428 {server} extract secret "handshake": 2430 salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 2431 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 2433 ikm (32 octets): 9f 52 3e a8 87 a4 46 5a 4f 16 49 f9 fa 1f b1 60 2434 84 f4 ae ff 99 e4 55 ca 1c 41 bb f0 08 3f 5d 0d 2436 secret (32 octets): e4 41 f1 02 2b 79 40 f1 65 d0 b8 d8 a9 5a 6b 2437 e5 48 4d 1b bf 68 93 b4 3d e6 f8 08 56 8f 2c e4 85 2439 {server} derive secret "tls13 c hs traffic": 2441 PRK (32 octets): e4 41 f1 02 2b 79 40 f1 65 d0 b8 d8 a9 5a 6b e5 2442 48 4d 1b bf 68 93 b4 3d e6 f8 08 56 8f 2c e4 85 2444 hash (32 octets): 63 9d 32 6e 5c ad 8c 4d ae 18 bf 2f 4c ce bb 55 2445 4c be ae 3d 4e 88 a8 1e cf 3e 44 db 33 08 81 dd 2447 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 2448 61 66 66 69 63 20 63 9d 32 6e 5c ad 8c 4d ae 18 bf 2f 4c ce bb 2449 55 4c be ae 3d 4e 88 a8 1e cf 3e 44 db 33 08 81 dd 2451 output (32 octets): 00 0f 13 8f 78 2f 68 a0 95 23 56 27 e0 bf 6d 2452 89 ca 95 33 9a 43 83 b5 f0 a1 54 e5 d3 1b ae dd bf 2454 {server} derive secret "tls13 s hs traffic": 2456 PRK (32 octets): e4 41 f1 02 2b 79 40 f1 65 d0 b8 d8 a9 5a 6b e5 2457 48 4d 1b bf 68 93 b4 3d e6 f8 08 56 8f 2c e4 85 2459 hash (32 octets): 63 9d 32 6e 5c ad 8c 4d ae 18 bf 2f 4c ce bb 55 2460 4c be ae 3d 4e 88 a8 1e cf 3e 44 db 33 08 81 dd 2462 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 2463 61 66 66 69 63 20 63 9d 32 6e 5c ad 8c 4d ae 18 bf 2f 4c ce bb 2464 55 4c be ae 3d 4e 88 a8 1e cf 3e 44 db 33 08 81 dd 2466 output (32 octets): 69 c6 07 a1 9b 25 3c 20 09 b8 21 7b bf ac 40 2467 55 99 57 97 b2 26 a1 87 8f 45 c8 92 a1 00 32 60 10 2469 {server} derive secret for master "tls13 derived": 2471 PRK (32 octets): e4 41 f1 02 2b 79 40 f1 65 d0 b8 d8 a9 5a 6b e5 2472 48 4d 1b bf 68 93 b4 3d e6 f8 08 56 8f 2c e4 85 2474 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 2475 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 2477 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 2478 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 2479 64 9b 93 4c a4 95 99 1b 78 52 b8 55 2481 output (32 octets): 58 bc 54 77 72 31 e8 db 87 75 4a 9d bd ed d4 2482 c1 1d b9 4e ea 7e cd 20 f0 16 4e e8 bb 6d 61 40 a7 2484 {server} extract secret "master": 2486 salt (32 octets): 58 bc 54 77 72 31 e8 db 87 75 4a 9d bd ed d4 c1 2487 1d b9 4e ea 7e cd 20 f0 16 4e e8 bb 6d 61 40 a7 2489 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2490 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2492 secret (32 octets): ea 35 3f 3a 81 83 26 4b fe 63 23 b2 97 bb 30 2493 10 09 b2 da d6 a7 f8 25 40 17 1f 37 57 cf 7a d1 a4 2495 {server} derive write traffic keys for handshake data: 2497 PRK (32 octets): 69 c6 07 a1 9b 25 3c 20 09 b8 21 7b bf ac 40 55 2498 99 57 97 b2 26 a1 87 8f 45 c8 92 a1 00 32 60 10 2500 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 2502 key output (16 octets): 87 7d a8 47 c3 41 75 bb 28 cb d2 8d 0d 02 2503 e9 98 2505 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 2507 iv output (12 octets): 9c 82 74 92 f8 a5 87 6a 42 85 42 55 2509 {server} send a EncryptedExtensions handshake message 2511 {server} send a Certificate handshake message 2513 {server} send a CertificateVerify handshake message 2515 {server} calculate finished "tls13 finished": 2517 PRK (32 octets): 69 c6 07 a1 9b 25 3c 20 09 b8 21 7b bf ac 40 55 2518 99 57 97 b2 26 a1 87 8f 45 c8 92 a1 00 32 60 10 2520 hash (0 octets): (empty) 2522 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 2523 64 00 2525 output (32 octets): df b8 1d 7b e3 86 4f f9 93 fd 55 87 e1 27 f7 2526 1d f5 cd 12 19 a0 c7 77 d7 01 ee ba f7 f1 0a 46 98 2528 {server} send a Finished handshake message 2530 {server} send handshake record: 2532 payload (651 octets): 08 00 00 1e 00 1c 00 0a 00 14 00 12 00 1d 2533 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 0b 2534 00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30 82 01 15 a0 03 02 2535 01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 2536 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 1e 17 0d 31 36 2537 30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36 30 37 33 30 30 31 2538 32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 2539 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 2540 00 30 81 89 02 81 81 00 b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 2541 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 2542 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 2543 43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 2544 44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 2545 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 2546 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 01 00 01 a3 1a 30 18 30 09 2547 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 05 2548 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 85 2549 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17 06 18 a5 4c 5f 8a 2550 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea e8 f8 a5 8c 8f 81 72 f9 31 2551 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 51 56 72 60 96 fd 33 5e 5e 2552 67 f2 db f1 02 70 2e 60 8c ca e6 be c1 fc 63 a4 2a 99 be 5c 3e 2553 b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1c 3b 84 e0 a8 b2 f7 59 40 2554 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 96 12 29 ac 91 87 b4 2b 4d 2555 e1 00 00 0f 00 00 84 08 04 00 80 38 58 68 8e 9e 7b 4e e9 95 84 2556 b2 b0 36 c6 01 b0 f4 10 17 ce 41 da 33 a6 40 4a 61 3d 5c 40 b5 2557 64 f1 e6 20 fa c0 f7 d5 4c 26 c9 7f f3 d9 a5 26 b4 a0 50 f1 16 2558 40 d6 e7 1f ec cc 07 e6 06 98 ba 60 5d 58 d2 6a 20 d6 6c 38 06 2559 7d 65 c9 c6 78 41 18 10 c5 28 f4 a6 76 8b aa 0f df ca 98 f4 fb 2560 47 29 0e f5 a6 3e cd a3 70 a3 bc 9c 79 55 17 08 4a 86 e2 93 02 2561 66 32 45 8d f4 ea 7b dc b8 2d f7 d5 9e 14 00 00 20 bc 28 ae 92 2562 94 56 be 73 73 cf b0 58 e3 ba e0 70 f0 52 e2 57 0d 2e 77 dc 07 2563 2b 7e 85 52 23 5f c5 2565 ciphertext (673 octets): 17 03 03 02 9c 2a 03 4f 82 98 74 ce 19 2566 68 38 bd 4a 5a 84 1f 5f ed 01 22 3e d0 a5 6d 12 e5 9c 73 11 60 2567 75 5b a2 6f 31 27 e1 b7 eb bd c8 f7 7c 01 d5 be de 64 92 bc f4 2568 c5 86 a9 85 a3 89 de 5a 7b 4f 8a e3 49 0c f8 95 0e b6 ec d1 a9 2569 02 3a 98 27 1a 5e fc f8 dd e9 cc 52 8e 9a 8e 33 99 7f 51 52 13 2570 14 b5 c5 c1 19 07 67 8f 99 0c 59 b2 01 fe 58 81 e8 5c 75 fa a1 2571 85 97 7c 1e cc b6 1c f9 7f 92 83 bb b9 26 f4 02 06 dc ef 51 e3 2572 2b e3 0f b6 ae c4 9e 1d db c3 af d0 fb 9f 1b aa 73 4a a3 7c a0 2573 94 a3 bf b5 7e d3 dd 61 1c 16 e2 87 8c 0a f2 be fd 65 b3 e4 ff 2574 f8 e7 4c 08 f8 b2 76 4f f7 fd 83 df d6 7d 00 01 52 b8 64 1f 7d 2575 1b 63 bb e5 00 16 5f 05 08 8e 72 43 04 5b 23 e8 91 76 8b 73 14 2576 26 05 2c 12 90 1a 77 2f f5 27 b6 54 b5 bd 38 ae 76 ae a2 11 f2 2577 a8 70 b9 47 5a 6f d3 dd 8f c7 a2 12 b6 10 a5 4e e0 e0 10 58 c5 2578 ce 0b 43 df e0 5a 21 74 17 24 33 ce a4 d0 a1 c6 e5 e5 8b 0f f2 2579 50 ed 5c b0 90 e1 63 33 e6 c7 a7 9c d7 34 3f cf 9c e7 99 dc 32 2580 12 e1 bb 00 d2 a0 3f 34 90 85 0b d0 67 37 0a 1d 10 cb d8 e7 77 2581 0c 3a d0 07 2d aa 9b 8d 76 ec 78 97 47 23 56 bc 68 30 06 13 43 2582 05 6f 6b e6 33 c6 e8 bf 13 00 78 21 ef 17 6b a2 47 4b 3d e1 e8 2583 bd 1e 89 c9 46 75 99 6c 47 38 1e 68 6e 7f 78 c2 e1 e8 4d 71 16 2584 d3 c5 b4 a6 08 d4 d1 fc 58 33 62 bc f6 30 4e ab 91 78 0a ac cb 2585 30 f9 55 3a 1c 01 b4 9c e7 45 3e 08 1a 84 a0 85 94 ad 5e 6b 44 2586 03 c6 ed 93 bf be cd c0 d7 48 e4 40 09 35 4c b4 bb 5c c7 b9 0c 2587 10 07 00 04 a1 d0 d5 98 e1 42 3b e9 cd e7 37 30 cf b4 90 1a db 2588 00 35 ee 1b ac 56 5a ee 7f 18 34 cd 7f da 4d eb 13 14 90 71 e8 2589 34 7d 4c 2a f0 70 fe 4d b8 d9 a2 df 00 35 c3 51 e6 2a ab 84 8e 2590 8c 70 98 e1 36 99 4e 36 71 c5 61 a5 fd b7 79 27 75 59 23 32 35 2591 3b 88 49 64 c3 c3 94 e7 21 32 33 62 88 3d cd 09 a1 46 19 1d 27 2592 bd 2a 56 bd cf 9b 05 cf c4 fc 54 30 1c c2 1c a2 28 27 ef 7b f3 2593 f0 53 98 9b 5a 79 c3 62 7f 58 85 9c 5e 03 1e 9f c4 9b 7f 9b c1 2594 2c 9b 38 8f de 57 1b 10 69 dd a1 b1 d6 d7 e4 94 e4 6c b8 d1 24 2595 93 0c f2 6f 58 f5 42 e2 ef 9c 75 9b 0a 9c c0 e6 0b 74 a0 6e 7e 2596 f6 15 ef f9 19 95 3c bd 76 5e ba 94 14 bc 2a c5 2a 02 64 2d 96 2597 19 d0 ac c6 e3 95 33 62 89 2599 {server} derive secret "tls13 c ap traffic": 2601 PRK (32 octets): ea 35 3f 3a 81 83 26 4b fe 63 23 b2 97 bb 30 10 2602 09 b2 da d6 a7 f8 25 40 17 1f 37 57 cf 7a d1 a4 2604 hash (32 octets): 4d 58 ee 58 f7 6b 48 18 cc 66 89 46 61 91 25 8f 2605 4a 42 e6 75 26 f3 55 e1 4c 3c 2f 54 87 d6 7e b0 2607 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 2608 61 66 66 69 63 20 4d 58 ee 58 f7 6b 48 18 cc 66 89 46 61 91 25 2609 8f 4a 42 e6 75 26 f3 55 e1 4c 3c 2f 54 87 d6 7e b0 2611 output (32 octets): a1 4a a6 67 74 22 a7 8a 73 7c ad 36 29 c5 05 2612 64 7c 87 e4 ed 21 91 65 41 68 bd 66 ea ce ed 6e 69 2614 {server} derive secret "tls13 s ap traffic": 2616 PRK (32 octets): ea 35 3f 3a 81 83 26 4b fe 63 23 b2 97 bb 30 10 2617 09 b2 da d6 a7 f8 25 40 17 1f 37 57 cf 7a d1 a4 2619 hash (32 octets): 4d 58 ee 58 f7 6b 48 18 cc 66 89 46 61 91 25 8f 2620 4a 42 e6 75 26 f3 55 e1 4c 3c 2f 54 87 d6 7e b0 2622 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 2623 61 66 66 69 63 20 4d 58 ee 58 f7 6b 48 18 cc 66 89 46 61 91 25 2624 8f 4a 42 e6 75 26 f3 55 e1 4c 3c 2f 54 87 d6 7e b0 2626 output (32 octets): c1 2e 61 d3 35 07 b5 aa b2 ab be 90 b9 83 9e 2627 1f d7 6e 18 67 1c 7b 7c 37 4a a5 d5 92 ef ce 05 67 2629 {server} derive secret "tls13 exp master": 2631 PRK (32 octets): ea 35 3f 3a 81 83 26 4b fe 63 23 b2 97 bb 30 10 2632 09 b2 da d6 a7 f8 25 40 17 1f 37 57 cf 7a d1 a4 2634 hash (32 octets): 4d 58 ee 58 f7 6b 48 18 cc 66 89 46 61 91 25 8f 2635 4a 42 e6 75 26 f3 55 e1 4c 3c 2f 54 87 d6 7e b0 2637 info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 2638 74 65 72 20 4d 58 ee 58 f7 6b 48 18 cc 66 89 46 61 91 25 8f 4a 2639 42 e6 75 26 f3 55 e1 4c 3c 2f 54 87 d6 7e b0 2641 output (32 octets): 89 a9 80 32 78 0a 83 03 97 d2 5b 01 22 a3 a1 2642 d3 40 9c 17 d4 0e f8 fe 4a 3b 90 91 b5 c2 72 29 c9 2644 {server} derive write traffic keys for application data: 2646 PRK (32 octets): c1 2e 61 d3 35 07 b5 aa b2 ab be 90 b9 83 9e 1f 2647 d7 6e 18 67 1c 7b 7c 37 4a a5 d5 92 ef ce 05 67 2649 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 2651 key output (16 octets): a7 52 9a 38 6b 50 bf 52 04 44 bf 07 bc 6f 2652 2c 5f 2654 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 2656 iv output (12 octets): 38 d0 dc f9 0a d6 63 89 a7 bf 36 31 2658 {server} derive read traffic keys for handshake data: 2660 PRK (32 octets): 00 0f 13 8f 78 2f 68 a0 95 23 56 27 e0 bf 6d 89 2661 ca 95 33 9a 43 83 b5 f0 a1 54 e5 d3 1b ae dd bf 2663 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 2665 key output (16 octets): 4b 0e 0b e7 86 ab 5c 8f a3 7c b4 c4 b7 12 2666 ed 67 2668 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 2670 iv output (12 octets): 0c 9b b3 47 89 4e 14 37 3d 9e 0d b3 2672 {client} extract secret "early": 2674 salt: (absent) 2676 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2677 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2679 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c 2680 e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 2682 {client} derive secret for handshake "tls13 derived": 2684 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 2685 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 2687 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 2688 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 2690 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 2691 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 2692 64 9b 93 4c a4 95 99 1b 78 52 b8 55 2694 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 2695 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 2697 {client} extract secret "handshake": 2699 salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 2700 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 2702 ikm (32 octets): 9f 52 3e a8 87 a4 46 5a 4f 16 49 f9 fa 1f b1 60 2703 84 f4 ae ff 99 e4 55 ca 1c 41 bb f0 08 3f 5d 0d 2705 secret (32 octets): e4 41 f1 02 2b 79 40 f1 65 d0 b8 d8 a9 5a 6b 2706 e5 48 4d 1b bf 68 93 b4 3d e6 f8 08 56 8f 2c e4 85 2708 {client} derive secret "tls13 c hs traffic" (same as server) 2710 {client} derive secret "tls13 s hs traffic" (same as server) 2712 {client} derive secret for master "tls13 derived" (same as server) 2714 {client} extract secret "master" (same as server) 2716 {client} derive read traffic keys for handshake data: 2718 PRK (32 octets): 69 c6 07 a1 9b 25 3c 20 09 b8 21 7b bf ac 40 55 2719 99 57 97 b2 26 a1 87 8f 45 c8 92 a1 00 32 60 10 2721 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 2723 key output (16 octets): 87 7d a8 47 c3 41 75 bb 28 cb d2 8d 0d 02 2724 e9 98 2726 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 2728 iv output (12 octets): 9c 82 74 92 f8 a5 87 6a 42 85 42 55 2730 {client} calculate finished "tls13 finished" (same as server) 2732 {client} derive secret "tls13 c ap traffic" (same as server) 2734 {client} derive secret "tls13 s ap traffic" (same as server) 2736 {client} derive secret "tls13 exp master" (same as server) 2737 {client} send change_cipher_spec record: 2739 payload (1 octets): 01 2741 ciphertext (6 octets): 14 03 03 00 01 01 2743 {client} derive write traffic keys for handshake data (same as 2744 server read traffic keys) 2746 {client} derive read traffic keys for application data (same as 2747 server write traffic keys) 2749 {client} calculate finished "tls13 finished": 2751 PRK (32 octets): 00 0f 13 8f 78 2f 68 a0 95 23 56 27 e0 bf 6d 89 2752 ca 95 33 9a 43 83 b5 f0 a1 54 e5 d3 1b ae dd bf 2754 hash (0 octets): (empty) 2756 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 2757 64 00 2759 output (32 octets): a9 dd b3 5b 53 e6 8e b1 c0 87 d8 b0 a3 4c 68 2760 40 be 0e c8 b9 7a 71 7c 47 09 e7 c3 79 7e 13 9d 8b 2762 {client} send a Finished handshake message 2764 {client} send handshake record: 2766 payload (36 octets): 14 00 00 20 13 a4 3b 47 05 72 8b 46 ef ed 3e 2767 61 c6 66 85 d1 3c b4 44 47 35 28 fb 9f 04 c6 5f 1f ce 68 df 4b 2769 ciphertext (58 octets): 17 03 03 00 35 fe d4 a2 5e db 44 ef ae 4d 2770 9d a9 11 d7 86 65 13 31 c5 a2 80 fd d0 79 09 8a d6 c9 8d aa a5 2771 4f fb 40 22 4f d7 5a 5d 7e 53 dd 1d c8 9c f3 28 2e 97 fb 84 88 2772 be 19 2774 {client} derive write traffic keys for application data: 2776 PRK (32 octets): a1 4a a6 67 74 22 a7 8a 73 7c ad 36 29 c5 05 64 2777 7c 87 e4 ed 21 91 65 41 68 bd 66 ea ce ed 6e 69 2779 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 2781 key output (16 octets): 1f 78 66 90 72 83 c6 18 41 da f0 04 8c 12 2782 9a e6 2784 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 2785 iv output (12 octets): 79 51 ad 9f 92 8f 1c 45 fb 71 83 91 2787 {client} derive secret "tls13 res master": 2789 PRK (32 octets): ea 35 3f 3a 81 83 26 4b fe 63 23 b2 97 bb 30 10 2790 09 b2 da d6 a7 f8 25 40 17 1f 37 57 cf 7a d1 a4 2792 hash (32 octets): 75 dd 85 3e d0 fe 62 6e f3 5f b8 66 98 a2 28 73 2793 26 df 91 48 cd 8e 34 67 f9 ae c4 b6 36 2e b3 68 2795 info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 2796 74 65 72 20 75 dd 85 3e d0 fe 62 6e f3 5f b8 66 98 a2 28 73 26 2797 df 91 48 cd 8e 34 67 f9 ae c4 b6 36 2e b3 68 2799 output (32 octets): 7c 04 ce b7 db f9 f5 5e 8f 56 fa 0b d3 a4 d3 2800 5e e1 c0 00 6f 2b ec cd 87 8e d9 65 c5 79 e5 20 c6 2802 {server} calculate finished "tls13 finished" (same as client) 2804 {server} derive read traffic keys for application data (same as 2805 client write traffic keys) 2807 {server} derive secret "tls13 res master" (same as client) 2809 {client} send alert record: 2811 payload (2 octets): 01 00 2813 ciphertext (24 octets): 17 03 03 00 13 28 16 c6 d8 c7 76 a7 a3 d9 2814 6a b2 01 41 16 05 24 97 f2 b4 2816 {server} send alert record: 2818 payload (2 octets): 01 00 2820 ciphertext (24 octets): 17 03 03 00 13 ce d1 f4 91 1b 36 18 48 49 2821 33 38 c6 79 60 b0 34 4c 0c 54 2823 8. Security Considerations 2825 It probably isn't a good idea to use the private key here. If it 2826 weren't for the fact that it is too small to provide any meaningful 2827 security, it is now very well known. 2829 9. IANA Considerations 2831 This document makes no requests of IANA. 2833 10. References 2835 10.1. Normative References 2837 [TLS13] Rescorla, E., "The Transport Layer Security (TLS) Protocol 2838 Version 1.3", draft-ietf-tls-tls13-28 (work in progress), 2839 March 2018. 2841 10.2. Informative References 2843 [FIPS186] National Institute of Standards and Technology (NIST), 2844 "Digital Signature Standard (DSS)", NIST PUB 186-4 , July 2845 2013. 2847 [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves 2848 for Security", RFC 7748, DOI 10.17487/RFC7748, January 2849 2016, . 2851 10.3. URIs 2853 [1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS 2855 Appendix A. Acknowledgements 2857 This draft is generated using tests that were written for NSS [1]. 2858 None of this would have been possible without Franziskus Kiefer, Eric 2859 Rescorla and Tim Taubert, who did a lot of the work in NSS. 2861 Author's Address 2863 Martin Thomson 2864 Mozilla 2866 Email: martin.thomson@gmail.com