TLS M. Thomson Internet-Draft Mozilla Intended status: Standards TrackDecember 4, 2017May 02, 2018 Expires:June 7,November 3, 2018 Example Handshake Traces for TLS 1.3draft-ietf-tls-tls13-vectors-03draft-ietf-tls-tls13-vectors-04 Abstract Examples of TLS 1.3 handshakes are shown. Private keys and inputs are provided so that these handshakes might be reproduced. Intermediate values, including secrets, traffic keys and ivs are shown so that implementations might be checked incrementally against these values. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire onJune 7,November 3, 2018. Copyright Notice Copyright (c)20172018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Private Keys . . . . . . . . . . . . . . . . . . . . . . . . 2 3. Simple 1-RTT Handshake . . . . . . . . . . . . . . . . . . . 3 4. Resumed 0-RTT Handshake . . . . . . . . . . . . . . . . . . .1315 5. HelloRetryRequest . . . . . . . . . . . . . . . . . . . . . .2226 6. Client Authentication . . . . . . . . . . . . . . . . . . . .3338 7. Compatibility Mode . . . . . . . . . . . . . . . . . . . . . 49 8. Security Considerations . . . . . . . . . . . . . . . . . . .42 8.59 9. References . . . . . . . . . . . . . . . . . . . . . . . . .42 8.1.60 9.1. Normative References . . . . . . . . . . . . . . . . . .42 8.2.60 9.2. Informative References . . . . . . . . . . . . . . . . .4260 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . .4360 Author's Address . . . . . . . . . . . . . . . . . . . . . . . .4360 1. Introduction TLS 1.3[I-D.ietf-tls-tls13][TLS13] defines a new key schedule and a number new cryptographic operations. This document includes sample handshakes that show all intermediate values. This allows an implementation to be verified incrementally, examining inputs and outputs of each cryptographic computation independently.Private keys areA private key is included with the traces so that implementations can be checked by importing these values and verifying that the same outputs are produced. 2. Private Keys Ephemeral private keys are shown as they are generated in the traces. The server in most examples uses an RSA certificate with a private key of: modulus (public): b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f public exponent: 01 00 01 private exponent: 04 de a7 05 d4 3a 6e a7 20 9d d8 07 21 11 a8 3c 81 e3 22 a5 92 78 b3 34 80 64 1e af 7c 0a 69 85 b8 e3 1c 44 f6 de 62 e1 b4 c2 30 9f 61 26 e7 7b 7c 41 e9 23 31 4b bf a3 88 13 05 dc 12 17 f1 6c 81 9c e5 38 e9 22 f3 69 82 8d 0e 57 19 5d 8c 84 88 46 02 07 b2 fa a7 26 bc f7 08 bb d7 db 7f 67 9f 89 34 92 fc 2a 62 2e 08 97 0a ac 44 1c e4 e0 c3 08 8d f2 5a e6 79 23 3d f8 a3 bd a2 ff 99 41 prime1: e4 35 fb 7c c8 37 37 75 6d ac ea 96 ab 7f 59 a2 cc 10 69 db 7d eb 19 0e 17 e3 3a 53 2b 27 3f 30 a3 27 aa 0a aa bc 58 cd 67 46 6a f9 84 5f ad c6 75 fe 09 4a f9 2c 4b d1 f2 c1 bc 33 dd 2e 05 15 prime2: ca bd 3b c0 e0 43 86 64 c8 d4 cc 9f 99 97 7a 94 d9 bb fe ad 8e 43 87 0a ba e3 f7 eb 8b 4e 0e ee 8a f1 d9 b4 71 9b a6 19 6c f2 cb ba ee eb f8 b3 49 0a fe 9e 9f fa 74 a8 8a a5 1f c6 45 62 93 03 exponent1: 3f 57 34 5c 27 fe 1b 68 7e 6e 76 16 27 b7 8b 1b 82 64 33 dd 76 0f a0 be a6 a6 ac f3 94 90 aa 1b 47 cd a4 86 9d 68 f5 84 dd 5b 50 29 bd 32 09 3b 82 58 66 1f e7 15 02 5e 5d 70 a4 5a 08 d3 d3 19 exponent2: 18 3d a0 13 63 bd 2f 28 85 ca cb dc 99 64 bf 47 64 f1 51 76 36 f8 64 01 28 6f 71 89 3c 52 cc fe 40 a6 c2 3d 0d 08 6b 47 c6 fb 10 d8 fd 10 41 e0 4d ef 7e 9a 40 ce 95 7c 41 77 94 e1 04 12 d1 39 coefficient: 83 9c a9 a0 85 e4 28 6b 2c 90 e4 66 99 7a 2c 68 1f 21 33 9a a3 47 78 14 e4 de c1 18 33 05 0e d5 0d d1 3c c0 38 04 8a 43 c5 9b 2a cc 41 68 89 c0 37 66 5f e5 af a6 05 96 9f 8c 01 df a5 ca 96 9d 3. Simple 1-RTT Handshake In this example, the simplest possible handshake is completed. The server is authenticated, but the client remains anonymous. After connecting, a few application data octets are exchanged. The server sends a session ticket that permits the use of 0-RTT in any resumed session. {client} create an ephemeral x25519 key pair: private key (32 octets):b1 6a 3c 97 a7 19 0b ec c4 00 2a 2f be33 21 0a 8040 b5 99 45 df 0b bd 0c e1 ba dbc1 a0 78 c8 52 0d 00 71 0a 06 7b 00 59 68 26 01 05 f4aa 6d 4f 0f a1 9ebf b5 94 a7 13 2b 62 34 33 ab public key (32 octets):78 e5 89 74 13 f1 71 53 c7fa 0cf3 3f a3 4c 84 97 72 4b da b4 f5 7f 9d 01 c9 53 f5 88d2 25 02 a7 23 6a e7 59 9e e0 14 16 e8 05 d7 15 55 93 f030 46 6128 b7 a6 f6 dd f4 9b ad 1a 6f 36 {client} send a ClientHello handshake message {client} send handshake record: payload (190 octets): 01 00 00 ba 03 03c4 e2 ea b7 cc 4b bb 43 7d fa b4 7c a5 6a f8 a03a 02 32 16 f4 df 71 db07 2b 90 e5f2 af d6 09 5f aa cd 8e b9 12 02 36f9 c4 a4 9f ac 89 84 9c 10 b2ca 79 90 c2 0d 40 cb 69 09 57 75 35 00 00 06 13 01 13 03 13 02 01 00 00 8b 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 23 00 00 002833 00 26 00 24 00 1d 00 2078 e5 89 74 13 f1 71 53 c7fa 0cf3 3f a3 4c 84 97 72 4b da b4 f5 7f 9d 01 c9 53 f5 88d2 25 02 a7 23 6a e7 59 9e e0 14 16 e8 05 d7 15 55 93 f030 46 6128 b7 a6 f6 dd f4 9b ad 1a 6f 36 00 2b 00 03 02 7f161c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 ciphertext (195 octets): 16 03 01 00 be 01 00 00 ba 03 03c4 e2 ea b7 cc 4b bb 43 7d fa b4 7c a5 6a f8 a03a 02 32 16 f4 df 71 db07 2b 90 e5f2 af d6 09 5f aa cd 8e b9 12 02 36f9 c4 a4 9f ac 89 84 9c 10 b2ca 79 90 c2 0d 40 cb 69 09 57 75 35 00 00 06 13 01 13 03 13 02 01 00 00 8b 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 23 00 00 002833 00 26 00 24 00 1d 00 2078 e5 89 74 13 f1 71 53 c7fa 0cf3 3f a3 4c 84 97 72 4b da b4 f5 7f 9d 01 c9 53 f5 88d2 25 02 a7 23 6a e7 59 9e e0 14 16 e8 05 d7 15 55 93 f030 46 6128 b7 a6 f6 dd f4 9b ad 1a 6f 36 00 2b 00 03 02 7f161c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 {server} extract secret "early": salt: (absent) ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a {server} create an ephemeral x25519 key pair: private key (32 octets):20 eb 30 48 af fc bf 2b ff 56 df b5 1e 93 4d 78 a0 f5 d2 38 299d ae 7f c7 6c 00 9e 64 32 4170 b1 0e ea 18 31 69688b 65c6 27 99 1a 97 d3 95 9e 32 e7 c8 45 0c 14 f3 b5 30 bf 75 ef 87 public key (32 octets):ee 31 96 ca 63 98 21 a1 7baa 6c be 84 01 8c c1 a7 43 75 b6 d4 ea 18 ad 5168 ab 61 0d 70 57 d2 b271 c1 5084 89 1f 87ae 55 80 a8 4c 62 ef26 cf 0c 26 84 e5 d6 7e05 21 a1 16 8a 25 {server} send a ServerHello handshake message {server} derive secret for handshake "tls13 derived": PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba {server} extract secret "handshake": salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba ikm (32 octets):61 d3 4a ad f2 5ede 19 c3 5f f1 64 46 31 c4 b4 59 9a 223a2ce6 fb 59 f8 a0 f9 d1 d7 5f 18 87 df b0 6c 0f ff f8 47 6d c3 c5 0f 47ee eb 31 aa 4c f3 03 ef 15 48 de 68 ea 83 c9 4b 78 1c secret (32 octets):79 07 c2 82 34 f1 6c95 96 d5 36 cf ab b0 51 28 69 b3 c3 66 39 1f b2 97 59 36 a871 a4 6b eb 25cd da 1f 8c 66 b5 f0 26 547f dc 8a ab 96 d1 4e ef f8 0f 5b 12 f9 ad 8a c9 d604 5e 6b {server} derive secret "tls13 c hs traffic": PRK (32 octets):79 07 c2 82 34 f1 6c95 96 d5 36 cf ab b0 51 28 69 b3 c3 66 39 1f b2 97 59 36 a871 a4 6b eb 25cd da 1f 8c 66 b5 f0 26 547f dc 8a ab 96 d1 4e ef f8 0f 5b 12 f9 ad 8a c9 d604 5e 6b hash (32 octets):2a 63 e9 0b 84 e5 c9 79 80 56 98 41 19 3b 80 94 22 19 36 52 19 ad 23 90 b658 53 8064 c2 ae bb 09 69f8 31 c7 62 08 c5 2c 34 8c 76 be 4a 4b a6 17 fd 16 da 68 b0 a9 50 38 82 fe ea ff 81 dc info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 61 66 66 69 63 202a 63 e9 0b 84 e5 c9 79 80 56 98 41 19 3b 80 94 22 19 36 52 19 ad 23 90 b658 53 8064 c2 ae bb 09 69f8 31 c7 62 08 c5 2c 34 8c 76 be 4a 4b a6 17 fd 16 da 68 b0 a9 50 38 82 fe ea ff 81 dc output (32 octets):40 2b 60 6f 3c b0 c8 5b 6d bf fb fd a9 df 79 14 58 4a 0e b9ed 5d 2e 57 8f 39 41 2a 63 a1 8e 68 d4 52 e4 09 211b b5 e9 0b a4 815b 42 a8 63 40 29 f25c 4b 94 e24c c9 c7 bb 3c 4d 29 de {server} derive secret "tls13 s hs traffic": PRK (32 octets):79 07 c2 82 34 f1 6c95 96 d5 36 cf ab b0 51 28 69 b3 c3 66 39 1f b2 97 59 36 a871 a4 6b eb 25cd da 1f 8c 66 b5 f0 26 547f dc 8a ab 96 d1 4e ef f8 0f 5b 12 f9 ad 8a c9 d604 5e 6b hash (32 octets):2a 63 e9 0b 84 e5 c9 79 80 56 98 41 19 3b 80 94 22 19 36 52 19 ad 23 90 b658 53 8064 c2 ae bb 09 69f8 31 c7 62 08 c5 2c 34 8c 76 be 4a 4b a6 17 fd 16 da 68 b0 a9 50 38 82 fe ea ff 81 dc info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 61 66 66 69 63 202a 63 e9 0b 84 e5 c9 79 80 56 98 41 19 3b 80 94 22 19 36 52 19 ad 23 90 b658 53 8064 c2 ae bb 09 69f8 31 c7 62 08 c5 2c 34 8c 76 be 4a 4b a6 17 fd 16 da 68 b0 a9 50 38 82 fe ea ff 81 dc output (32 octets):a2 c176 535b 55 26 42 8b 49 cb e6 cc 3cd6 1923 7c 37 4e 9495 c3 c7 b9 a7 db25 6c 96 4d 4d 13 76 a9 de 1a c5 126e f8 80 0d e0 63 e2 c4 10 1d 52 15 01 1c 8a 28 36 6e 8a 44 9b b3 {server} derive secret for master "tls13 derived": PRK (32 octets):79 07 c2 82 34 f1 6c95 96 d5 36 cf ab b0 51 28 69 b3 c3 66 39 1f b2 97 59 36 a871 a4 6b eb 25cd da 1f 8c 66 b5 f0 26 547f dc 8a ab 96 d1 4e ef f8 0f 5b 12 f9 ad 8a c9 d604 5e 6b hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets):44 50 97 b3 09 4b 9c e8 35 af 72 02 5d 0f d3 80 ae 2b ae 88 06 08 f6 b2 b9 92 42 92ff e0 3e bf eb04 71 d18e f7 7a b4 95 7f 14 95 2f be d5 5a 1f 3b 9d 1c e9 4e 1e 00 f7 40 7d 99 72 99 1b {server} extract secret "master": salt (32 octets):44 50 97 b3 09 4b 9c e8 35 af 72 02 5d 0f d3 80 ae 2b ae 88 06 08 f6 b2 b9 92 42 92ff e0 3e bf eb04 71 d18e f7 7a b4 95 7f 14 95 2f be d5 5a 1f 3b 9d 1c e9 4e 1e 00 f7 40 7d 99 72 99 1b ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets):23 07fa 2f 3768 ca 09 44 ef de d6 a1 fdbc 3a 87 b5 9c 46 10 26 27 173e59 84 d8 4e 03 5f a5 64 75 9c 1e ec 3b 96 4c e9 7a 1fa7 51 b2 1b 6b f2 07 66 1c b2 94 bc 29 f4 49 c714 {server} send handshake record: payload (90 octets): 02 00 00 56 03 038e 58 c0 e7 0c 99 2d 7f fc 80 98 eb dc 67 ba 85 05 e4 2e 4442 ec 65 e2 f1 86 19 05bf 77 23 95 49 24 7a b2 ba 20 3c8f 0a e6 42 76 a1 0d 47 b3 5d 5f 26 75 0b c5 a9 b7 aa c6 30 9f 19 75 71 00 13 01 00 00 2e 002833 00 24 00 1d 00 20ee 31 96 ca 63 98 21 a1 7baa 6c be 84 01 8c c1 a7 43 75 b6 d4 ea 18 ad 5168 ab 61 0d 70 57 d2 b271 c1 5084 89 1f 87ae 55 80 a8 4c 62 ef26 cf 0c 26 84 e5 d6 7e05 21 a1 16 8a 25 00 2b 00 02 7f161c ciphertext (95 octets): 16 03 03 00 5a 02 00 00 56 03 038e 58 c0 e7 0c 99 2d 7f fc 80 98 eb dc 67 ba 85 05 e4 2e 4442 ec 65 e2 f1 86 19 05bf 77 23 95 49 24 7a b2 ba 20 3c8f 0a e6 42 76 a1 0d 47 b3 5d 5f 26 75 0b c5 a9 b7 aa c6 30 9f 19 75 71 00 13 01 00 00 2e 002833 00 24 00 1d 00 20ee 31 96 ca 63 98 21 a1 7baa 6c be 84 01 8c c1 a7 43 75 b6 d4 ea 18 ad 5168 ab 61 0d 70 57 d2 b271 c1 5084 89 1f 87ae 55 80 a8 4c 62 ef26 cf 0c 26 84 e5 d6 7e05 21 a1 16 8a 25 00 2b 00 02 7f161c {server} derive write traffic keys for handshake data: PRK (32 octets): 76 53 d6 19 95 c3 c7 b9 a7 db 6e f8 80 0d e0 63 e2 c4 10 1d 52 15 01 1c 8a 28 36 6e 8a 44 9b b3 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets): 6b de 0a 34 c4 42 3c f3 5b f4 a7 ec 1a b0 aa 06 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets): 22 07 9a 1b e6 53 89 9a 59 a4 e5 51 {server} send a EncryptedExtensions handshake message {server} send a Certificate handshake message {server} send a CertificateVerify handshake message {server} calculate finished "tls13 finished": PRK (32 octets):a2 c176 535b 55 26 42 8b 49 cb e6 cc 3cd6 1923 7c 37 4e 9495 c3 c7 b9 a7 db25 6c 96 4d 4d 13 76 a9 de 1a c5 126e f8 80 0d e0 63 e2 c4 10 1d 52 15 01 1c 8a 28 36 6e 8a 44 9b b3 hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets):d2 7d 01 ab e21c a5 43 d9d6 68 98 dc 10 f8 5d 92 2f d6 ff f5 1d08 b880 f4 af 64 52 b7ec 1c05 c3 fc 42 67b7 25 55 7f 83 c4 de 03 f1 71 85 07 b9 0a e4 39 ec 84 92 c2 22 5d 6e 75 {server} send a Finished handshake message {server} send handshake record: payload (651 octets): 08 00 00 1e 00 1c 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 96 12 29 ac 91 87 b4 2b 4d e1 00 00 0f 00 00 84 08 04 00 8035 dc 65 98 6e 5d 7a 91 25 7a 91 01 85 5d 87 54 9c 1b 0d 19 6b 6c 19 da a2 67 38 30 ff 73 a4 51 ab60 7948 55 ca c353 73 40e8 48 fd 10 5a82 02 3f d3 8f e9 bd 96ed b4 23 48 99 8c d9 acea f9 dd e4 45 12 7b ef 6f c8 5b 2a 29 82 27 a9 0df6 63 d8 92 7e 88 67 25 57 0a 41 5226 12 28af 19 67 a2 2d 9b 4d 3611 7bb0 90 e4 f0 76 ea 5f a4 7d c593 f7 6c 00 02 56 02 b8 5b e9 6e 6e 75 a2 5b 72 bd d9 38 9d 7cac 77 cb e6 21 7f 3e fa 6f 10 53 12 9e b9 1a cb 05 48 c697 95 f3 14 24 60 17 18 9d 4b dd 30 b8 3816 89 8d 3617 f5 9a 5b c3 66 9a 98 d6 41 64 fd c7 80 77 2d ca 3d 06 63 798d 6a c0 38 8924 1a 21 32 c4 07 1e 21 f9 f3 f0 cd 1d f4 06 ab 1d 37 bd db 13 e1 c2 93 f8 a4 46 8b 8e 5b c927 de df f9 39 d0 58 8c09 e5 78 94 e0 f1 14 00 00 204a 81 42 ca b4 49 41 89 68 94 06 27 07 e6 92 d6 32 a8 6a 1216 cb aa 5b 9c 4d 04 ea 5c 83 b2 0b 4cbe 2a 8188 04 7e 8f 95 d9 60 5b 71 24 d1 1d de b1 91 bb 6b3d ef a1 b3 15 40 db6d 18 ciphertext (673 octets): 17 03 03 02 9c6f 0c 3d 25 89 2d 11 1b 9e 10 b7 bf 9e cb 09 ec 5e 87 75 53 b3 15 3e b9 80 12 4c 44 59 58 b1 71 01 41 8b 00 d8 f0 2f af cc 55 ba 06 25 88 ba 53 0e f0 9a 8f b4c7d6 de 1f 8b 7e b8 d8 b6ad d21e 01 343a 51 68 b1 f3 49 b7 59 e3 6b 17 1d ab c9 0b aa 31 29 a975 74 ae 7183 81 35 a2 2d a4 d2 d5 96 c9 4b 86 f6 af be 4d 7e 6d 6d bd 07 0b 84 f7 0f 33 fa 57 91 7d 7f 44 b1 e0 6d 47 46 64 3b fb 8f 2c dd 0a 2e db 1d 43 b7 32 26 b1 be f9 5cb634 58 41 d1 20 fc 70 8d 49 09 bf a3 42 e4 99 33 c15d 19 b3 47 c7 8a 88 4a 71 ff b8 c2 e7 6000 0222 16 a7 93 8f 10 81 8c03 3f81 16 b4 5a 39 79 d0 9d 72 52 e3 b4 4f 10 ae 68 f5 a6 1bee 1e 82 67 0b 26 50 ba 93 c5 3a 87 f8 6d 5c bf 51 26 ad 05 58 6f 97 b1 31 4f 21 c0 b7 a2 0c 4b 4f 90 c3 66 ec 8e d8 49 be a6 d5 b2 e0b4 15bb 88 4f 9e 98 d7 19 5a 42 8f f809 7d d5 14 f1 bad149 dc bc e5 cb 35 48 55 f6 1d 56 08 c7 b9 d5 85 9a d9 f4 e2 0226 5a 67 58 8445 5d 9d abf3 8a 43 60 68 e3 72 9f 8a 50 99 1b f8 61 37d5 6e 0995 0c 5ebd 88 68 890e b3 ad a236 3f c9 7b 16 62 06 63 7c ca 01 ab 37 7e 9d 3f 3d 06 4f 6a fc 87 22 1a bf e6 d5232759 c2 5a f7 00 31 cb 18 00 8c 2f a6 e7 c8 dd 70 58 f8 ec e9 23 b0 9691 6e d4 a37a c5 ed24c0 39 7b 9d5e 71 04 44 dc 78 64 e4 31 6d a8 01 83 b09a ae cf 3f 0d cc0c 3b 38 0a 0a 87 a8 36 17 13 86 c7 f1 b8 db 0b 15 3059 83 a439 6c 1a d4 53 2a 60 7a 55 31 90 6376 9e 26 0f 15 e6 83f7 bb 9c cc 20 da a8 ec78 74 18 ce 06 75 47af 17 e5 7e d6 fc c5 f0 61 b7 cb 5a 42 6d 96 96 19 3fad f9 fa 75 93 24 7d f7 d5 a1 60 32 7b de 57 f8 eb e4a5 13 56 82 a2 2e 0c 3f a2 2674 55 6b 93 97 9f0a bf c6 31 6a 19 6f e8 7c f8 91 29 b7 7c 43 41ae6c 12 b6 c5 703c d2 fa 90 c3 b5 e7 77 d6fb2f 3b 1b 11 bb 92 08 a6 8d 55 06 24 6f 76 ac ef b5 7d b1 b6 37 b4 60 38 24 1d aa 6a 07 b7 dd 8d 45 c4 7b e1 2f 7e 5a 71 a1 00 95 02 9e ed 7e 27 8d de a9 f4 460f f72c 68 9e 1b c65d a5 80 b1 17 0c 49eb c6 b8 84 da b7 f9 de e7 6f 30 08 73 63 85 05 f9 00 3c de 12 e4bd b5 9b 2d 14 f2 7a 05 35 3e 51 d2 18 a3 60 15 4c bf 08 f2 9c 64 4b288f24 ff 3a 17 64 3d42a1 a7 62 7c 16 6c 89 38 5c de 80 87 4b be 7a 19 ff 5c 5e 1a cd 94 eb 26 1b d4 90 4d 4ee8 ea70 85 24 f3 8d 51 0d 17 2c 6d 61 79 fe e3 dc bbf1 26 fd 6b e480 85 b2b0 f1 97 5f e4 73f4 3f fe 1c 39 b6 4e 49 34 a3df a8 83 78 bd 5b ea4c d0 91 fe fe ceee 5276 1c 74 0e6e 2d c7 40 8e63 d1 e0 4a 838f 34 36 29 c1 a4 a3 ddb0 55 75 15 26 0d 8b 40 b0 86 1b d7 75 91 4b 81 24 d6 ec 42 e6 74 fb e4 8b c6 cf 5a 08 cf fa58 c3 c3 f898 00 15 085a 79 3a f2 49 38 3d e5 51 a8 a9 50 4a ea 31 31 2861 33 27ad d1 0c ed b3 39 e4 a2 32 1185aa 27 6f 76 2b 0a 6b cd 9e f8 f8 2c 0f de6e d7 3f 95 2d b6 fd 9f eb 08 85 56 6d 91 79 3e 50 34 ac da 39 8b 40 3b60 d6 5d 10 94 99 b9 1f6a ce 62 35 47 d5 2f f7 194b 88 4a cd c7 b0 d6 3b 8c98 fe 31 a1 ef d7 f6f0 d8 cb ab f1 3c a9 96 69 42 e1 6afb 85 ea b2 06 94 db f4 d5 00 0f 22 10 bc 3d75 24 ad f3 3e ee e5 de e8 91 6b 5731c3 6e 21 1a 2d fb fb 65 60 07 91 3b 51 c5 a0 97 50 df a9 7024 22 f9 d5 8d e9 d3 60 39 bf 8f ae e9 e8 38e0 a2 0b 5c ee c9 58 4b c7 aa 83 70 94 b9 6e fd 55 b0 7a c3 72 0033 8c bf 36 b2 b4 82 bd b5 2c 1d 52 32 3b a7 4f b2 424c30 64 f9eb3f e7 dc 11 542d 53 b5 6e 71 32 33 83 c1 93 f2 cd f6 22 08 35 48 07 a0 19 3e4f cd23 78 ed dd 72 74 27 fe 9d f9 d0 46 28ac 52 10 b89c 38 0b 3b78 91 a1 7a 14 9b 3c 83b5 e6 95 cf ba 2da8 f5 f4 ed b7 63 53 82 01 f7 77 d6 0a e0 5f 36 a8 2a d6 50 a0 8d2f 30 cea3 64 0e19 17 ee 05 2e 7e c9 4d97 4dda 39 b6 93 e0 1e90 ab a968 ad 95 1d 40 cc 99 66 82 0e 7a 95 ff 17 e0 fd 0b31 c1 4dd0 d2 a8 70 d0 b5 ab d9 10 79 5a 3e d7 2d 66 54 ba e0 a781 c6 ed 19 1f 32 36 28 72 d1 0b f9 a6 b7 3a85 fc dc 9b f8 98c2 a9 e2 89 7b a0 df 61 c6 97 35 37 a1 10 e5 d4 6c 35 62 75 89 65 36 f3 16 18 72 2a 56 ff 7d b2 8a 5382 8c 2c 4e 07 51 be e6 e4 a7 de 11c6 c7 73 3c bb 47 {server} derive secret "tls13 c ap traffic": PRK (32 octets):23 07fa 2f 3768 ca 09 44 ef de d6 a1 fdbc 3a 87 b5 9c 46 10 26 27 173e59 84 d8 4e 03 5f a5 64 75 9c 1e ec 3b 96 4c e9 7a 1fa7 51 b2 1b 6b f2 07 66 1c b2 94 bc 29 f4 49 c714 hash (32 octets):ad 7f 35 b9 42 29 61 a5 31 91 f1 be 86 0e 47 19 77 4f e9 ee c7 0e87 c5 9a d53f 29 fa ec af4c f0 89 e9 40 06 d8 eb b0 80 8f 8e 32 e5 44 b1f2 9c 0bb0 79 18 3b 8b eb 89 8e 80 b6 5a 6c info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 61 66 66 69 63 20ad 7f 35 b9 42 29 61 a5 31 91 f1 be 86 0e 47 19 77 4f e9 ee c7 0e87 c5 9a d53f 29 fa ec af4c f0 89 e9 40 06 d8 eb b0 80 8f 8e 32 e5 44 b1f2 9c 0bb0 79 18 3b 8b eb 89 8e 80 b6 5a 6c output (32 octets):4f c9 93 4a 78f7 1a e9 97 5d 12 75 6a 41 53 17 a4 4c 63 01 6e 98 39 5d 1e cd da 48 9b cc afbf b1 ad4a09 f9 13 90 aa 58 f8 16 40 60 8d 633e 8638 78 c0 b9 9f 6c da aa3f 87 35 {server} derive secret "tls13 s ap traffic": PRK (32 octets):23 07fa 2f 3768 ca 09 44 ef de d6 a1 fdbc 3a 87 b5 9c 46 10 26 27 173e59 84 d8 4e 03 5f a5 64 75 9c 1e ec 3b 96 4c e9 7a 1fa7 51 b2 1b 6b f2 07 66 1c b2 94 bc 29 f4 49 c714 hash (32 octets):ad 7f 35 b9 42 29 61 a5 31 91 f1 be 86 0e 47 19 77 4f e9 ee c7 0e87 c5 9a d53f 29 fa ec af4c f0 89 e9 40 06 d8 eb b0 80 8f 8e 32 e5 44 b1f2 9c 0bb0 79 18 3b 8b eb 89 8e 80 b6 5a 6c info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 61 66 66 69 63 20ad 7f 35 b9 42 29 61 a5 31 91 f1 be 86 0e 47 19 77 4f e9 ee c7 0e87 c5 9a d53f 29 fa ec af4c f0 89 e9 40 06 d8 eb b0 80 8f 8e 32 e5 44 b1f2 9c 0bb0 79 18 3b 8b eb 89 8e 80 b6 5a 6c output (32 octets):71 9b 77 1c 5c 65 41 32 a7e4 251f 09 12 92 f7 68 b6 d8 9f af 36 f3 1f 79 44 0533 b9 1b e3 2a 43 fb 9e 5b 7d 9a 00fc 16 68 b2 b72d 59 d8 c7 47 b0 83 b5 72 76 ed 98 bd 46 89 33 f6 72 {server} derive secret "tls13 exp master": PRK (32 octets):23 07fa 2f 3768 ca 09 44 ef de d6 a1 fdbc 3a 87 b5 9c 46 10 26 27 173e59 84 d8 4e 03 5f a5 64 75 9c 1e ec 3b 96 4c e9 7a 1fa7 51 b2 1b 6b f2 07 66 1c b2 94 bc 29 f4 49 c714 hash (32 octets):ad 7f 35 b9 42 29 61 a5 31 91 f1 be 86 0e 47 19 77 4f e9 ee c7 0e87 c5 9a d53f 29 fa ec af4c f0 89 e9 40 06 d8 eb b0 80 8f 8e 32 e5 44 b1f2 9c 0bb0 79 18 3b 8b eb 89 8e 80 b6 5a 6c info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 74 65 72 20ad 7f 35 b9 42 29 61 a5 31 91 f1 be 86 0e 47 19 77 4f e9 ee c7 0e87 c5 9a d53f 29 fa ec af4c f0 89 e9 40 06 d8 eb b0 80 8f 8e 32 e5 44 b1f2 9c 0bb0 79 18 3b 8b eb 89 8e 80 b6 5a 6c output (32 octets):9d 07 cc 4a ef14 2d 61 52 63 bcc1 f1 75 81 54e0 27 60 74 9e c8 d3 8e ac1a ba 78 8b 0e d5 f3 1b bc 7f a4 ca dd ce 7a 097a3e 25 42 {client} extract secret "early": salt: (absent) ikmb0 ce 85 0f c1 e3 87 85 a0 33 8b 7e 74 d4 65 b2 {server} derive write traffic keys for application data: PRK (32 octets): e4 25 33 b9 1b e3 2a 43 fb 9e 5b 7d 9a 00 2d 59 d8 c7 47 b0 83 b5 72 76 ed 98 bd 46 89 33 f6 72 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets): 4e 01 d3 e4 ac 71 a2 83 4b b5 71 29 bb 88 bf d6 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets): a4 45 9e a6 d6 d7 fb 65 91 6b b8 fa {server} derive read traffic keys for handshake data: PRK (32 octets): ed 5d 2e 57 8f 39 41 2a 63 a1 8e 68 d4 52 e4 09 21 5b 42 a8 63 40 29 f2 4c c9 c7 bb 3c 4d 29 de key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets): fd 24 5c 26 ad 85 0f e2 d3 1b f9 6d 87 fe f2 56 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets): bd 1f de f0 52 bb 30 8c 0a 88 c1 1c {client} extract secret "early": salt: (absent) ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0000secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a {client} derive secret for handshake "tls13 derived": PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba {client} extract secret "handshake": salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba ikm (32 octets):61 d3 4a ad f2 5ede 19 c3 5f f1 64 46 31 c4 b4 59 9a 223a2ce6 fb 59 f8 a0 f9 d1 d7 5f 18 87 df b0 6c 0f ff f8 47 6d c3 c5 0f 47ee eb 31 aa 4c f3 03 ef 15 48 de 68 ea 83 c9 4b 78 1c secret (32 octets):79 07 c2 82 34 f1 6c95 96 d5 36 cf ab b0 51 28 69 b3 c3 66 39 1f b2 97 59 36 a871 a4 6b eb 25cd da 1f 8c 66 b5 f0 26 547f dc 8a ab 96 d1 4e ef f8 0f 5b 12 f9 ad 8a c9 d604 5e 6b {client} derive secret "tls13 c hs traffic" (same as server) {client} derive secret "tls13 s hs traffic" (same as server) {client} derive secret for master "tls13 derived" (same as server) {client} extract secret "master" (same as server) {client} derive read traffic keys for handshake data: PRK (32 octets): 76 53 d6 19 95 c3 c7 b9 a7 db 6e f8 80 0d e0 63 e2 c4 10 1d 52 15 01 1c 8a 28 36 6e 8a 44 9b b3 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets): 6b de 0a 34 c4 42 3c f3 5b f4 a7 ec 1a b0 aa 06 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets): 22 07 9a 1b e6 53 89 9a 59 a4 e5 51 {client} calculate finished "tls13 finished" (same as server) {client} derive secret "tls13 c ap traffic" (same as server) {client} derive secret "tls13 s ap traffic" (same as server) {client} derive secret "tls13 exp master" (same as server) {client} derive write traffic keys for handshake data (same as server read traffic keys) {client} derive read traffic keys for application data (same as server write traffic keys) {client} calculate finished "tls13 finished": PRK (32 octets):40 2b 60 6f 3c b0 c8 5b 6d bf fb fd a9 df 79 14 58 4a 0e b9ed 5d 2e 57 8f 39 41 2a 63 a1 8e 68 d4 52 e4 09 211b b5 e9 0b a4 815b 42 a8 63 40 29 f25c 4b 94 e24c c9 c7 bb 3c 4d 29 de hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets):47 af3a db dd 16 1f ca 16 ee 0b 3e ee c366 da 4c 2d 41 64 19 fe c6 f7 af f1 3c589b 56 a2 6a da e0 b6 f3 7a 8d f5 2e a1 d9 3309 98 0a 62 86 14 6f ac 25 d2 7b a9 7b 2a fa 3a 66 f9 b0 {client} send a Finished handshake message {client} send handshake record: payload (36 octets): 14 00 00 203a d4 3d b6 d0 42 77 0c 3f 79 f7 a9 1ae4 dd f9 c5 4e 5c 65 83 5b e0 e9 f2 57 03 09 b1 06 f6 72 6e c0 88 2f ca e7 13 8b d7 93 cc0a 41 1fc7 1b92 21 f0 3f 9d 2a 6b 92 c4 d1 54 51 19 edciphertext (58 octets): 17 03 03 00 3532 d7 1d 7f 1b 8e f2 da f3 58 4c 6c 09 c7 4ae8 a7 c0 73 d2 d5 90 fb a2 33 02 b7 1e 8c 3c ba 0b d4 54 28 97 0c ec de d3 ae 95 24 95 98 12 7a af 08 ed85 6e 75 59 4e 6f 1415 b8 86 7b 08 67 e2 71 1d 9c e3 97 38 21 e9 a9 ca dd {client} derive write traffic keys for application data: PRK (32 octets): f7 1a e9 97 5d 12 75 6a 41 53 17 a4 4cd963 01 6e 98 39 5d 1e cd da 48f2 69 ab c19b cc0e b7 bbaf 4a 3e 86 3f 87 35 key info (13 octets): 00 1045 51 78 88 83 8f09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets): ac 85 66 33 d0 d3 1c 93 c8 53 ba 4a 5134 75 a2 59 ef 80 9b 0f 94 1fb5 de f8 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets): 0d a9 f7 fe 9e 8d f9 98 05 12 e5 46 {client} derive secret "tls13 res master": PRK (32 octets):23 07fa 2f 3768 ca 09 44 ef de d6 a1 fdbc 3a 87 b5 9c 46 10 26 27 173e59 84 d8 4e 03 5f a5 64 75 9c 1e ec 3b 96 4c e9 7a 1fa7 51 b2 1b 6b f2 07 66 1c b2 94 bc 29 f4 49 c714 hash (32 octets):2d eb 11 8e 31 f3 d3 8b 38 de 1f cc 26 4680 ec 58 20 f2 d221 ac e6 1f 97 fa 797592 23b0 7a65 9c 2b 6b 93 5113 77 80 c4 ad 21 40 4f 36 36 f0 09 11 33 eb f4 0b 9e 83 4c a4 81 45 info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 74 65 72 202d eb 11 8e 31 f3 d3 8b 38 de 1f cc 26 4680 ec 58 20 f2 d221 ac e6 1f 97 fa 797592 23b0 7a65 9c 2b 6b 93 5113 77 80 c4 ad 21 40 4f 36 36 f0 09 11 33 eb f4 0b 9e 83 4c a4 81 45 output (32 octets):ba dd 11af b3 24 6c 40 8d c0 40 5b a4 c3 2f 40 3b df bb 14 8c 27 adf0 7b59f9 d1 90 56 1e 4e 69 d6 5d 2d 0c cc5a 923b 08 4a cd 70 6e 00 cd 54 e6 5b 700c f7 12 84 e8 60 8b 48 4d {server} calculate finished "tls13 finished" (same as client) {server} derive read traffic keys for application data (same as client write traffic keys) {server} derive secret "tls13 res master" (same as client) {server} generate resumption secret "tls13 resumption": PRK (32 octets):ba dd 11af b3 24 6c 40 8d c0 40 5b a4 c3 2f 40 3b df bb 14 8c 27 adf0 7b59f9 d1 90 56 1e 4e 69 d6 5d 2d 0c cc5a 923b 08 4a cd 70 6e 00 cd 54 e6 5b 700c f7 12 84 e8 60 8b 48 4d hash (2 octets): 00 00 info (22 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 75 6d 70 74 69 6f 6e 02 00 00 output (32 octets):20 b3 ed 07 48 14 86 03 09cd47 fb 810b364e db 66 32 41 4e 03 e9 a1 fb 9cf1 86 b7 09 7c b7bf 10 68 c1 3d 7e 0f 94 f7 1d a2 6a 69 51 ba f7 52 9e 76ff 57 f8 a7 ce 12 18 fa fa{server} send a NewSessionTicket handshake message {server} send handshake record: payload (205 octets): 04 00 00 c9 00 00 00 1e1a 46 fe 8d83 6a d9 92 02 00 00 00 b2f7 34 a8 af 18 42 36 ce f0 ae ea b120 69 93 e6 82 7e f6 98 84 68 d2 55 00 00 00 0068 2d 66 eb 29 13 c9 eb 94 c6 9a 57 51 5d df 2f6a 30 23 72 43 90 67 fc 81 f4 d3 17 f1 b1 ef 33 00 70c2 f3 4f 9b 2e d5 a5 30 91 16 c9 d7 4f ca eb 2b f8 87 51 9a a515 93 bc b0 32 cc ea 52 8c 5a7c 83 ff 27 fd07 c372 ba ec 38 7d be 58 8e d6 27 4b 1f f5 13 6c eb 68 ea 4a 39 ce 79 08 7c 6e 75 42 b4 9c7b 16 6f 89 7a 83 b7 15 48 18 b7 d1 1a 4e 90 7c0e 4b 97 fc 2a 29 73 27 71 8b 29 bf 63 6a ddda 4e6b 46 a4 1d f23f45 01 28 80 20 b2 6c e5 75 d4 c9 f1 87 eb e5af 4807 1b 51 19 8c 4b 10 f9 4c f7 ce 94 aa 08 1795 97 21 44 b3 a72a a8 86 64 63d9d7 7f96 8d 96 28 b6 e5 66 9cdb 81 e6 27 82 c1 33 2ece f4 26 0e 45 d6 4d 220c 55 2cd3 b6 1a b5 7b 7f 59 dd f7 e2 cf 7a 19 6f 9a 32 a3 d9 4f ea 13 eb 25 ab 2d 73 35 78 83 80 dc44 48 4be7 4d 47 76 8e cf f4 67 9e 88 af ac a6 18 97 b9 1c 53 eef7 64 3d c3 8d85 82 2c 9f 08 7b e4 05 8f ed 0d 6e b5 e2 68 e6 54 f4 ec 0c 67 5f fb 08 6e 06 7d 04 39 e3 9d ca f1 fb 60 31 98 db 00 08 00 2a 00 04 00 00 04 00 ciphertext (227 octets): 17 03 03 00 dece 84 1b 08 4c ba 5c 21 cd 70 f7 30 28 18 7c c9 a0 e9 e5 b8 88 f8 d0 ca 5a f7 7d df 96 eb cd fd 1e 70 c6 8b a2 44 a9 64 3d c8 c2 b3 9c 93 3da7 77 b6 77 11 b5 34 f1 0ea9 1a 8d 7a 35 df db 3d c338 1f 4557 bb eb e8 0c1f 16 da 00 20 dd 9a af a40b 64 b8 45 cd 04 b2 18 2e 739d b4 62 c2 35 dc cc 6d bf c6 39 9c 7e ec 88 ae 2a d6 8b 97 ca 23 b1 72 15 59f5 53 60 0b 1b 1f 8a c1 29 fd 3c f5 eb 79 91 3a e4e6 6f 67 7c e6 8c d1 06 7f 41 2702 a3 10 a77b ac 40 bb b9 3e 5b 81 0d b4 3c 1c 80 bd 8b 72 175d e117 ba 23 c6 a0 52 ef 78 b6 dc 2b be b4 da e0 06 77 8b ab 88 a7 a5 d1 7e a3 b6 3f 12 6c 24 67 33 cc 15c7 fdb6 28 b5 b7 43 71 6d 85 f8 f1 f6 770032 91 c7 37 ae 0654 2d cf 8a 7a 94 53 8d 96 d9 71 72 02 28 4b ed aff5ff ecf6 ae 95 6b c3 00 5d f2 a023 10 92 12 3e a664 94 b0bc 1265 77 68 84 3a e8 fe 95 0e be 81 da 4a c9 9c 34 e8 e5 73 d5 99 63 75 bb 82 2b 51 67 b4 aec3 a9 8c 44 27 e4 35 7c 38 16 d0 a6 c5 d0 93 aa d53f 9c09 5c 9906 7691 b5 88 cc 3c 10 8e 95 d7 f8 39 f9 ec 2c a5 18 2c 80 53 12f7 e7 94 a1c2 d0 32 88 80 97 c1 4e 38 5a 3c c5 e9 37 0e b6 4961 0f cb 12 e8 f7 9f 0805 4b 52 6475 91 3d b9 67 c8 17 90 e9 6f 60 4e35 09 2a 34 4a 74 77 b8 bb be fb 22dd 6c 06 c7 70 a2 c0 a8ff c3 9e 84 acf6 50 27 8d 22 03 94 8e a6 b2 3c 14 d3 89 97 4a {client} generate resumption secret "tls13 resumption" (same as server) {client} send application_data record: payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 ciphertext (72 octets): 17 03 03 00 4318 8a fa 7b 29 8e98 45 d6 12 28 f1 d9 a5 da a3 2a 06 64 2c 43 68 1c cf 70 65 24 e2 8def c3 eb 5e f857 15 2fdc 60 92 3b b56b 8f ac d0 89 fc 98 26 83 c3 30 a3 e1 1f 16 c5 f7 5d 2d 49 21 5cca 31 a5 64 63 dfc0 8a 13 a1 ec71 7a aa 99 77 9c c6 1f bf ca 90 73 b9 95 51 73 a0 b7 1cfd 41 a4 1bf2 b9 2d b0 60 73 e9 65 5b 64 3e 12 ef 76 d8 c8 86 91 12 aa 35b1 38 c9 63 48 92 ab 22 63 00 {server} send application_data record: payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 ciphertext (72 octets): 17 03 03 00 43d8 2701 0a4b 0b a6 c0 7455 e6 e1 14 d0 51 60 0a b9 5e e7 a3 03 82 3a 23 ae c5 79 be df fa 3f c3 e0 30 18 01 95 f8 830b 156b 58 3b af 9a 14 ae c3 77 be 43 73 a1cb 89 13 e2 21 d7 08 33 ee 02 74 58 e2 46 11 a0 d4 7f 9c d3 bd 66 ce 03 13 db 71 8e e4 d0 ef bca5 ea a1 4e af 87 9d 3f8a 4dca 6f 9b 7e35 04 3c4648 40 d8 7d eb 66 b7 7d 40 df 36 aa 7dbc 05 46 83 5d 76 71 e8 {client} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 13d5 92 9a 67 ba 50 4f 19 3a 59 7d 3a ab 2d c3 f9 04 12 7d5f 93 e1 bd 82 9d 2b 00 9c ad ac 13 3b 7f 0c 1e 8c 94 40 {server} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 1369 ed b3 40 6d 1e 57 51 97 75 4a c909 39 38 d7 0c 6a 9b 1c 9c 2e 35 6b 60 58 80 70 2719 e0 5d 71 18 67cd 6e 4. Resumed 0-RTT Handshake This handshake resumes from the handshake in Section 3. Since the server provided a session ticket that permitted 0-RTT, and the client is configured for 0-RTT, the client is able to send 0-RTT data. {client} create an ephemeral x25519 key pair: private key (32 octets):25 ee7f cf 6e 8b fb 63 48 3f 0a 1d 237a 2099 fb ce e4 d0 69 39 6c 1798 ee e8 7f 37 60 53 e1 28 50 9a be 65 e7 87 34 4f02 62 fb d9 f2b9 ff 9d 04 fd 13 8a fa46 81 11 af 24 ab 34 public key (32 octets):fa 5d e3 00 e6 9f 05 d6 19 a4 28 fc fb 02 88b557 b6 40 6a 26 fcb4 ca 2e 5113 c0 4e 4a 3c 869a44 14c8 32 92 3e af 84 f4 13 3d 53 b2 00 53 63 d5 a7 ad 8e 07 0b d0 fd 15 d6 92 08 {client} extract secret "early": salt: (absent) ikm (32 octets):20 b3 ed 07 48 14 86 03 09cd47 fb 810b364e db 66 32 41 4e 03 e9 a1 fb 9cf1 86 b7 09 7c b7 76 ff 57 f8 a7 ce 12 18 fa fa secret (32 octets): 35bf 10b5 e7 47 ce ef 42 b1 fe ff e7 a7 4f dc68 c1 3d 7e 0f52 a5 ee fc94 f7 1d a2b66a 69 51 ba f7 52 9e 76b0 82 4e 06 17 c8 64 56 16secret (32 octets): 90 a6 5b c0 8e 4a 66 d4 a9 cf 3c f7 ec 2d 85 be d7 ae 08 af 83 1d 05 d7 0d 6c c0 a9 39 9c 1e 63 {client} send a ClientHello handshake message {client} calculate finished "tls13 finished": PRK (32 octets):de 0c 49 be 25 cd 0a b1 79 a9 d1 be e0 5a c0 cc a0 3d 51 10 4f cc ac db 13 12 b6 35 40 5a db 2c04 5f b4 75 3e d5 65 30 5b 33 d2 04 0b 21 57 2d 7d 24 b3 ee 18 e7 63 bd 1a 1b 20 cf 2a a6 1a 92 hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets):e6 12 24 d1 ef b4 01 4b 18 aa e8 db 83 4e 12 5b da e8 e8 bf f1 17 2f a6 a8 8c 35 3989 60 f7 a3 5f 8e e3 52 30 20 1e cf 77c6 5a 68f8 b1 29 8f 77 73 0f 0d 84 ab 51 31 a4 bb 00 9b 4f 3d 1f {client} send handshake record: payload (512 octets): 01 00 01 fc 03 03f4 74 90 c6 31 61 6b 80 01 47 e5 62 01 b1 13 6d b0 04 92 f70b 27 b6 14 3a d0 49 dd d0 4e 5c b7 bb 33 22 d3 60 f6 0a 9b 8e 65 07 bc 79 69 84 19 5b d4 e8d9 56 2a 77 fb f9 77 1d 8a a4 6ccb 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 002833 00 26 00 24 00 1d 00 20fa 5d e3 00 e6 9f 05 d6 19 a4 28 fc fb 02 88b557 b6 40 6a 26 fcb4 ca 2e 5113 c0 4e 4a 3c 869a44 14c8 32 92 3e af 84 f4 13 3d 53 b2 00 53 63 d5 a7 ad 8e 07 0b d0 fd 15 d6 92 08 00 2a 00 00 00 2b 00 03 02 7f161c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 15 00 5d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 29 00 dd 00 b8 00 b2f7 34 a8 af 18 42 36 ce f0 ae ea b120 69 93 e6 82 7e f6 98 84 68 d2 55 00 00 00 0068 2d 66 eb 29 13 c9 eb 94 c6 9a 57 51 5d df 2f6a 30 23 72 43 90 67 fc 81 f4 d3 17 f1 b1 ef 33 00 70c2 f3 4f 9b 2e d5 a5 30 91 16 c9 d7 4f ca eb 2b f8 87 51 9a a515 93 bc b0 32 cc ea 52 8c 5a7c 83 ff 27 fd07 c372 ba ec 38 7d be 58 8e d6 27 4b 1f f5 13 6c eb 68 ea 4a 39 ce 79 08 7c 6e 75 42 b4 9c7b 16 6f 89 7a 83 b7 15 48 18 b7 d1 1a 4e 90 7c0e 4b 97 fc 2a 29 73 27 71 8b 29 bf 63 6a ddda 4e6b 46 a4 1d f23f45 01 28 80 20 b2 6c e5 75 d4 c9 f1 87 eb e5af 4807 1b 51 19 8c 4b 10 f9 4c f7 ce 94 aa 08 1795 97 21 44 b3 a72a a8 86 64 63d9d7 7f96 8d 96 28 b6 e5 66 9cdb 81 e6 27 82 c1 33 2ece f4 26 0e 45 d6 4d 220c 55 2cd3 b6 1a b5 7b 7f 59 dd f7 e2 cf 7a 19 6f 9a 32 a3 d9 4f ea 13 eb 25 ab 2d 73 35 78 83 80 dc44 48 4be7 4d 47 76 8e cf f4 67 9e 88 af ac a6 18 97 b9 1c 53 eef7 64 3d c3 8d 1a 46 fe 9085 82 2c 9f 08 7b e4 05 8f ed 0d 6e b5 e2 68 e6 54 f4 ec 0c 67 5f fb 08 6e 06 7d 04 39 e3 9d ca f1 fb 60 31 98 db 83 6a d9 95 00 21 20 58 3460 d2 6b d5 55 86 97 91 90 dd 6d 8f 25 3d f3 fa d70e ab 95 8d 02 3c 39 84 b4 82 81 0b 58 ec 53 7c d3 d164 61 28 f3 d9 3d 51c6 a9 9d ca 87 1c 73 5721 3b 90 86 b354 1d 45 2f ciphertext (517 octets): 16 03 01 02 00 01 00 01 fc 03 03f4 74 90 c6 31 61 6b 80 01 47 e5 62 01 b1 13 6d b0 04 92 f70b 27 b6 14 3a d0 49 dd d0 4e 5c b7 bb 33 22 d3 60 f6 0a 9b 8e 65 07 bc 79 69 84 19 5b d4 e8d9 56 2a 77 fb f9 77 1d 8a a4 6ccb 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 002833 00 26 00 24 00 1d 00 20fa 5d e3 00 e6 9f 05 d6 19 a4 28 fc fb 02 88b557 b6 40 6a 26 fcb4 ca 2e 5113 c0 4e 4a 3c 869a44 14c8 32 92 3e af 84 f4 13 3d 53 b2 00 53 63 d5 a7 ad 8e 07 0b d0 fd 15 d6 92 08 00 2a 00 00 00 2b 00 03 02 7f161c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 15 00 5d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 29 00 dd 00 b8 00 b2f7 34 a8 af 18 42 36 ce f0 ae ea b120 69 93 e6 82 7e f6 98 84 68 d2 55 00 00 00 0068 2d 66 eb 29 13 c9 eb 94 c6 9a 57 51 5d df 2f6a 30 23 72 43 90 67 fc 81 f4 d3 17 f1 b1 ef 33 00 70c2 f3 4f 9b 2e d5 a5 30 91 16 c9 d7 4f ca eb 2b f8 87 51 9a a515 93 bc b0 32 cc ea 52 8c 5a7c 83 ff 27 fd07 c372 ba ec 38 7d be 58 8e d6 27 4b 1f f5 13 6c eb 68 ea 4a 39 ce 79 08 7c 6e 75 42 b4 9c7b 16 6f 89 7a 83 b7 15 48 18 b7 d1 1a 4e 90 7c0e 4b 97 fc 2a 29 73 27 71 8b 29 bf 63 6a ddda 4e6b 46 a4 1d f23f45 01 28 80 20 b2 6c e5 75 d4 c9 f1 87 eb e5af 4807 1b 51 19 8c 4b 10 f9 4c f7 ce 94 aa 08 1795 97 21 44 b3 a72a a8 86 64 63d9d7 7f96 8d 96 28 b6 e5 66 9cdb 81 e6 27 82 c1 33 2ece f4 26 0e 45 d6 4d 220c 55 2cd3 b6 1a b5 7b 7f 59 dd f7 e2 cf 7a 19 6f 9a 32 a3 d9 4f ea 13 eb 25 ab 2d 73 35 78 83 80 dc44 48 4be7 4d 47 76 8e cf f4 67 9e 88 af ac a6 18 97 b9 1c 53 eef7 64 3d c3 8d 1a 46 fe 9085 82 2c 9f 08 7b e4 05 8f ed 0d 6e b5 e2 68 e6 54 f4 ec 0c 67 5f fb 08 6e 06 7d 04 39 e3 9d ca f1 fb 60 31 98 db 83 6a d9 95 00 21 20 58 3460 d2 6b d5 55 86 97 91 90 dd 6d 8f 25 3d f3 fa d70e ab 95 8d 02 3c 39 84 b4 82 81 0b 58 ec 53 7c d3 d164 61 28 f3 d9 3d 51c6 a9 9d ca 87 1c 73 5721 3b 90 86 b354 1d 45 2f {client} derive secret "tls13 c e traffic": PRK (32 octets):35 10 b5 e7 47 ce ef 42 b1 fe ff e7 a7 4f dc 0f 52 a5 ee fc a2 b6 76 b0 82 4e 06 17 c8 64 56 1690 a6 5b c0 8e 4a 66 d4 a9 cf 3c f7 ec 2d 85 be d7 ae 08 af 83 1d 05 d7 0d 6c c0 a9 39 9c 1e 63 hash (32 octets):89 4e e7 2f 01 a8 67 e902 ce c3 cc87 5a 19 44 22 10 8ab1 be e951 4572 06 ff bf 5b 0e db f9 43b0 89 1f 3c ab 07 4f 12 fa c40a d8 02 05 96 0c 04 ba ff ad b6 dc d3 81 b9 0c info (53 octets): 00 20 11 74 6c 73 31 33 20 63 20 65 20 74 72 61 66 66 69 63 2089 4e e7 2f 01 a8 67 e902 ce c3 cc87 5a 19 44 22 10 8ab1 be e951 4572 06 ff bf 5b 0e db f9 43b0 89 1f 3c ab 07 4f 12 fa c40a d8 02 05 96 0c 04 ba ff ad b6 dc d3 81 b9 0c output (32 octets):7b dd 21 10 35 33 b9 d8 2b ae 6c 26 be 3e 78 e9 bd 37b0 ea 52 04 68 97 4f 914239 58 7d cf f5 6f 77 85 69 9624 db e0 a6 b3 9c e502 fb c8 0c 0c 18 50 82 79 dc bf69 eb 23d0 7b 03 {client} derive secret "tls13 e exp master": PRK (32 octets):35 10 b5 e7 47 ce ef 42 b1 fe ff e7 a7 4f dc 0f 52 a5 ee fc a2 b6 76 b0 82 4e 06 17 c8 64 56 1690 a6 5b c0 8e 4a 66 d4 a9 cf 3c f7 ec 2d 85 be d7 ae 08 af 83 1d 05 d7 0d 6c c0 a9 39 9c 1e 63 hash (32 octets):89 4e e7 2f 01 a8 67 e902 ce c3 cc87 5a 19 44 22 10 8ab1 be e951 4572 06 ff bf 5b 0e db f9 43b0 89 1f 3c ab 07 4f 12 fa c40a d8 02 05 96 0c 04 ba ff ad b6 dc d3 81 b9 0c info (54 octets): 00 20 12 74 6c 73 31 33 20 65 20 65 78 70 20 6d 61 73 74 65 72 2089 4e e7 2f 01 a8 67 e902 ce c3 cc87 5a 19 44 22 10 8ab1 be e951 4572 06 ff bf 5b 0e db f9 43b0 89 1f 3c ab 07 4f 12 fa c40a d8 02 05 96 0c 04 ba ff ad b6 dc d3 81 b9 0c output (32 octets):da 05 9b c4 d7 bd 6e 30 45bc 79 ec a3 3d c5 5e 77 f4 a2 b3df d8 ab c8 68 1b 22 47 6f 44 b4 54 22 75 12 af a9 af1d e3 b2 eb b7 ff 1a 03 16 e6 a2 ea 2e 1e d1 88 1e 65 c060 3f c1ee ba {client}send application_data record: payload (6 octets): 41 42 43 44 45 46 ciphertext (28derive write traffic keys for early application data: PRK (32 octets):17 03b0 ea 52 04 68 97 4f 91 39 58 7d cf f5 6f 77 85 69 96 02 fb c8 0c 0c 18 50 82 79 dc bf d0 7b 03 key info (13 octets): 0017 d8 3a 80 c110 09 74 6c 73 31 33 20 6b 6549 bf 19 49 38 a3 9c c1 54 a1 8b a779 00 key output (16 octets): ad 52 61 5a d7 8f ef c8 30 d7 b5 23 c5 6d 39 6c iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets): 1a 68 22 06 82 d9 52 2f 6f d9 80 cbbb a7 bf 02 e0{client} send application_data record: payload (6 octets): 41 42 43 44 45 46 ciphertext (28 octets): 17 03 03 00 17 f0 a5 2c ad f2 f8 10 e3 ea 31 4a 9e 0d 74 94 18 0c 07 e1 b6 dd 23 05 {server} extract secret "early" (same as client) {server} calculate finished "tls13 finished" (same as client) {server} create an ephemeral x25519 key pair: private key (32 octets):a3 41 34 2b 44 be 43 fa 13 b5 a2 fa 30 6a d7 24 ef 7f73a0 87 ac be 4a 79 10 82 b6 00 cd 08 b5c0 5e e2 5c db 68 51 18 f0 f7 dd 5f d2 dd 12 9d 17 a7 98 b9 1c c5 fe 62 ed 70 a9 ba af 53 2f public key (32 octets):66 62 56 0e 42 6c b1 13 d5 63 b1 69 e947 d1 32 89 df 6f a0 fc 57 3c 74 fa 73 40 a2 6f 43 38 28 70 7d e5 72b5 c47e 68 28 cb d0 81dd b6 cc f2 a5 79 39 ed d2 4b9d a9e9 b6 2f 5f76 {server} derive secret "tls13 c e traffic" (same as client) {server} derive secret "tls13 e exp master" (same as client) {server} send a ServerHello handshake message {server} derive secret for handshake "tls13 derived": PRK (32 octets):35 10 b5 e7 47 ce ef 42 b1 fe ff e7 a7 4f dc 0f 52 a5 ee fc a2 b6 76 b0 82 4e 06 17 c8 64 56 1690 a6 5b c0 8e 4a 66 d4 a9 cf 3c f7 ec 2d 85 be d7 ae 08 af 83 1d 05 d7 0d 6c c0 a9 39 9c 1e 63 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets):3c 5b 59 45 8995 c5 f6 ae c8 48 4c ad 65 ee0f a2ff f118 d3 98 fc 3c 3e 50 f70c 48 a8 4f 34 d6 53 d6 59 91 bf de 1321 65 bc 5e 20 1a69 81 97da df 8e 36 ad 16 bab3 b9 b4 5d {server} extract secret "handshake": salt (32 octets):3c 5b 59 45 8995 c5 f6 ae c8 48 4c ad 65 ee0f a2ff f118 d3 98 fc 3c 3e 50 f70c 48 a8 4f 34 d6 53 d6 59 91 bf de 1321 65 bc 5e 20 1a69 81 97da df 8e 36 ad 16 bab3 b9 b4 5d ikm (32 octets):ca 49 06 0d 44 b4 58 b8 e2 6f b7 2a 18 6e bc 44 6b a8 e4 0e 8f b1 39 5c c7 f7 56 594f 81 91 7a 09 87 67 f2 22 5f cf 33 e8 a5 d5 33 d6 88 3b d8 ee86 f8 5416 00 b2 c5 e4 f0 e8 24 02 06 37 secret (32 octets):6b a5 c1 83 92 4b a3 2c e0 99 85 c9 11 f2 97 bb 0a 7c de 2796 eb 95 b5 631a62 0c 58 ca d2 c7 37 0f b7 4b 8f 55 b2 0e 28 bd bc 2d 70 6e 6f2e e8 88 25 19 88 f3 07 54db aa 9e 9e 60 93 {server} derive secret "tls13 c hs traffic": PRK (32 octets):6b a5 c1 83 92 4b a3 2c e0 99 85 c9 11 f2 97 bb 0a 7c de 2796 eb 95 b5 631a62 0c 58 ca d2 c7 37 0f b7 4b 8f 55 b2 0e 28 bd bc 2d 70 6e 6f2e e8 88 25 19 88 f3 07 54db aa 9e 9e 60 93 hash (32 octets):ef 88 42 5a 0d c1 df 66 77 f6 2d deab e0 a2 b9 a8 84 3e 92 9379 b6a8 36 91 96 7c fa 4c d0 8d 8e fc 0b 13 63 3983 b3 a0 89 66 db aa d7 d4 c9 c6 b1 79 b3 b7a9 1a 6d 01 45 3d 32 91 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 61 66 66 69 63 20ef 88 42 5a 0d c1 df 66 77 f6 2d deab e0 a2 b9 a8 84 3e 92 9379 b6a8 36 91 96 7c fa 4c d0 8d 8e fc 0b 13 63 3983 b3 a0 89 66 db aa d7 d4 c9 c6 b1 79 b3 b7a9 1a 6d 01 45 3d 32 91 output (32 octets):a250 26 86 51 18 93 2f ba5200 9f b8 84b4 0e 7d 65 af af 93 c0 93 06c2 6c e1 8e 44 96 c8 f3 57 dde4 70 98 a4 ee 28 4c f4 6ef0 d1 a9 0b59 09 fe 25 8c a6 4fc2 7b 4c 31 92 9c {server} derive secret "tls13 s hs traffic": PRK (32 octets):6b a5 c1 83 92 4b a3 2c e0 99 85 c9 11 f2 97 bb 0a 7c de 2796 eb 95 b5 631a62 0c 58 ca d2 c7 37 0f b7 4b 8f 55 b2 0e 28 bd bc 2d 70 6e 6f2e e8 88 25 19 88 f3 07 54db aa 9e 9e 60 93 hash (32 octets):ef 88 42 5a 0d c1 df 66 77 f6 2d deab e0 a2 b9 a8 84 3e 92 9379 b6a8 36 91 96 7c fa 4c d0 8d 8e fc 0b 13 63 3983 b3 a0 89 66 db aa d7 d4 c9 c6 b1 79 b3 b7a9 1a 6d 01 45 3d 32 91 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 61 66 66 69 63 20ef 88 42 5a 0d c1 df 66 77 f6 2d deab e0 a2 b9 a8 84 3e 92 9379 b6a8 36 91 96 7c fa 4c d0 8d 8e fc 0b 13 63 3983 b3 a0 89 66 db aa d7 d4 c9 c6 b1 79 b3 b7a9 1a 6d 01 45 3d 32 91 output (32 octets):58c9 23 18 b4 c5 6f1aba 46 bf 6e ef 2a 9a 8f 02 33 a2 8b ab 9b b9cb 2d 93 70661a 1e 0b c9 fc 8c 39 1a 3467b9 9e bd 58 16 c1 8c 46 a5 28 6e 96 774a 19 32 0b b5 3c 50 10 19 {server} derive secret for master "tls13 derived": PRK (32 octets):6b a5 c1 83 92 4b a3 2c e0 99 85 c9 11 f2 97 bb 0a 7c de 2796 eb 95 b5 631a62 0c 58 ca d2 c7 37 0f b7 4b 8f 55 b2 0e 28 bd bc 2d 70 6e 6f2e e8 88 25 19 88 f3 07 54db aa 9e 9e 60 93 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets):78 31 58 10 11 a6 70 a2 ce 59 0b 80 b8 e5 44b2 da f2 ee a8 bb d9 2b 5d 84 1235 49 d6 bd 44d4 26 7a 3cf6 9e 80 e8 0a 7e 38 93 d7 7e31 6c 09 cd 45 8e 71 ab dc c6 7b e6 b1 41 6c 0f 31 {server} extract secret "master": salt (32 octets):78 31 58 10 11 a6 70 a2 ce 59 0b 80 b8 e5 44b2 da f2 ee a8 bb d9 2b 5d 84 1235 49 d6 bd 44d4 26 7a 3cf6 9e 80 e8 0a 7e 38 93 d7 7e31 6c 09 cd 45 8e 71 ab dc c6 7b e6 b1 41 6c 0f 31 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets):6b 06 1b 95 b3c5 ee bf b8 6e 50 811d 3a 8a a837 24 5d 79 91 9a 3da0 1d f0 e6 d5 c3 be43d8 3b 18 b319 61 bcb8 e8 52 78 14 2b 11 9c0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6b 02 {server} send handshake record: payload (96 octets): 02 00 00 5c 03 034b 98 9e 4c3e 47ca 09 2a 18 78 78 ae 45 7f d5 85 6e dc a0 f7 ae cf 00 4e d0 20 3a fe 0d 57ec 55 17 e3868e 7e f5 cc bc 69 f9 2f 5b 20 b8 fa 46 a6 54 66 31 bb 99 fa 08 65 f4 af 22 8c 00 13 01 00 00 34 00 29 00 02 00 00 002833 00 24 00 1d 00 2066 62 56 0e 42 6c b1 13 d5 63 b1 69 e947 d1 32 89 df 6f a0 fc 57 3c 74 fa 73 40 a2 6f 43 38 28 70 7d e5 72b5 c47e 68 28 cb d0 81dd b6 cc f2 a5 79 39 ed d2 4b9d a9e9 b6 2f 5f76 00 2b 00 02 7f161c ciphertext (101 octets): 16 03 03 00 60 02 00 00 5c 03 034b 98 9e 4c3e 47ca 09 2a 18 78 78 ae 45 7f d5 85 6e dc a0 f7 ae cf 00 4e d0 20 3a fe 0d 57ec 55 17 e3868e 7e f5 cc bc 69 f9 2f 5b 20 b8 fa 46 a6 54 66 31 bb 99 fa 08 65 f4 af 22 8c 00 13 01 00 00 34 00 29 00 02 00 00 002833 00 24 00 1d 00 2066 62 56 0e 42 6c b1 13 d5 63 b1 69 e947 d1 32 89 df 6f a0 fc 57 3c 74 fa 73 40 a2 6f 43 38 28 70 7d e5 72b5 c47e 68 28 cb d0 81dd b6 cc f2 a5 79 39 ed d2 4b9d a9e9 b6 2f 5f76 00 2b 00 02 7f161c {server} derive write traffic keys for handshake data: PRK (32 octets): c9 23 18 b4 c5 6f ba 46 bf 6e ef 2a 9a 8f 02 33 a2 8b ab 9b b9 66 67 4a 19 32 0b b5 3c 50 10 19 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets): 0d 71 1f 45 1d c2 0e fc 7e f8 08 9b 44 79 75 ac iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets): ee 5d 71 8a 24 a8 e5 32 8d bc 58 00 {server} send a EncryptedExtensions handshake message {server} calculate finished "tls13 finished": PRK (32 octets):58c9 23 18 b4 c5 6f1aba 46 bf 6e ef 2a 9a 8f 02 33 a2 8b ab 9b b9cb 2d 93 70661a 1e 0b c9 fc 8c 39 1a 3467b9 9e bd 58 16 c1 8c 46 a5 28 6e 96 774a 19 32 0b b5 3c 50 10 19 hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets):98 90 9d e6 86 66 b5 12 80 1c 41 c6 3b89 20f9 fc 1f 7f 8f e1 19 64 75 d2 07 48c8 40 6e b4 0e d6 66e3 a1 5d 14 1566 68 95 ae 3d 8d 12 67 0e c0 e4 5f 0b cb 63 cf ef f5 13 38 e8 1a 5b {server} send a Finished handshake message {server} send handshake record: payload (74 octets): 08 00 00 22 00 20 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 00 2a 00 00 14 00 00 20c9 f5 11 e0 94 08 c2 b3 ffb5ac06 453c 7c 0a 65 c0 8c 28 c9 bc 4f 38 54 46 91 9e b8 fd 84 7c e062 14 0c b7 fa 10 da 9a 57 ff 61 7b f2 66 d7 14 b7 8b 59 41 a0 af 36 3f ac c1 8d a6 b0 ciphertext (96 octets): 17 03 03 00 5b c8 2d 5e 2c 40 f0 77 cc 7d 8b c6 f5 0a 61 52 c2 ff e0 d9 30 60 11 a6 c2 7c 1c 2a c3 88 4c a6201e f2db08 46 fb c3 dd 91 19 4e20 1f 22 8d26 b6 9a 4a 74 73b4 15 d8 5e a9a2 51 4d e7 76e1 55 27 5f 2d 89 a4 9668d7 be 48 9a 8b 85 20 5d 0b 59 30 79 e6 0e 10 6e 15 67 29 c2 11 90 0a de 1f 72 32 67 d8 c8 2b f5 dd 40 bb c592 9d 4c 77 6399 1e bc 01 1e 4964 51 21 70 9f 8a 64 a2 9d 14ea 3a ee 25 37 3e eb 31 00 36 c8 f4 44 be 45 16 4d 3a 5088 0b 6d f1 04 08 b5 74 da 7e 2e 5d 0b 6c da 9d 18 4f fe 57 62 b5 5f {server} derive secret "tls13 c ap traffic": PRK (32 octets):6b 06 1b 95 b3c5 ee bf b8 6e 50 811d 3a 8a a837 24 5d 79 91 9a 3da0 1d f0 e6 d5 c3 be43d8 3b 18 b319 61 bcb8 e8 52 78 14 2b 11 9c0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6b 02 hash (32 octets):bc be 0c 61 2f 39 63 e4 2c 49 6c b3 03 e911 bf 9b 71 22 aa c5 07 85 5989 ba 96 f6 21 00 34ef 90 f7 8e e0 78 32 a6 79 72 a2 c7 f463 05 b9 75 2a 53 d9 a7 ddbd 8f 56 15 d0 bc 19 7a 39 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 61 66 66 69 63 20bc be 0c 61 2f 39 63 e4 2c 49 6c b3 03 e911 bf 9b 71 22 aa c5 07 85 5989 ba 96 f6 21 00 34ef 90 f7 8e e0 78 32 a6 79 72 a2 c7 f463 05 b9 75 2a 53 d9 a7 ddbd 8f 56 15 d0 bc 19 7a 39 output (32 octets):c9 d1 12 6d be c2 7c a1 72 21 37 3f ef 10 4e cf a0 6d c4 a1 c4 5c 1d 55 3f 2b 1a 84bc 39 56 2d 42 a4 e7 62 8d cc 15 1b ba c1 16b4 6e cb88 06 9c 1c 56 ca cd 17 d4 cc 53 4a bb 05 e3 c0 3e {server} derive secret "tls13 s ap traffic": PRK (32 octets):6b 06 1b 95 b3c5 ee bf b8 6e 50 811d 3a 8a a837 24 5d 79 91 9a 3da0 1d f0 e6 d5 c3 be43d8 3b 18 b319 61 bcb8 e8 52 78 14 2b 11 9c0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6b 02 hash (32 octets):bc be 0c 61 2f 39 63 e4 2c 49 6c b3 03 e911 bf 9b 71 22 aa c5 07 85 5989 ba 96 f6 21 00 34ef 90 f7 8e e0 78 32 a6 79 72 a2 c7 f463 05 b9 75 2a 53 d9 a7 ddbd 8f 56 15 d0 bc 19 7a 39 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 61 66 66 69 63 20bc be 0c 61 2f 39 63 e4 2c 49 6c b3 03 e911 bf 9b 71 22 aa c5 07 85 5989 ba 96 f6 21 00 34ef 90 f7 8e e0 78 32 a6 79 72 a2 c7 f463 05 b9 75 2a 53 d9 a7 ddbd 8f 56 15 d0 bc 19 7a 39 output (32 octets):aa 91 af 99 99 34 3a 32 8e cf ad 72 cba2 05 9e bee1 20 71 d7 79 b309 34 8a3d 18 5a 7d c7 c4 e7 f8 33 33 1cd4 2b 1d 6a 72 01 9e 8f 89 06 0d e5 9f de 34 2d 4a d1 68 f2 08 5c ab c3 60 {server} derive secret "tls13 exp master": PRK (32 octets):6b 06 1b 95 b3c5 ee bf b8 6e 50 811d 3a 8a a837 24 5d 79 91 9a 3da0 1d f0 e6 d5 c3 be43d8 3b 18 b319 61 bcb8 e8 52 78 14 2b 11 9c0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6b 02 hash (32 octets):bc be 0c 61 2f 39 63 e4 2c 49 6c b3 03 e911 bf 9b 71 22 aa c5 07 85 5989 ba 96 f6 21 00 34ef 90 f7 8e e0 78 32 a6 79 72 a2 c7 f463 05 b9 75 2a 53 d9 a7 ddbd 8f 56 15 d0 bc 19 7a 39 info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 74 65 72 20bc be 0c 61 2f 39 63 e4 2c 49 6c b3 03 e911 bf 9b 71 22 aa c5 07 85 5989 ba 96 f6 21 00 34ef 90 f7 8e e0 78 32 a6 79 72 a2 c7 f463 05 b9 75 2a 53 d9 a7 ddbd 8f 56 15 d0 bc 19 7a 39 output (32 octets):3d 65 4f f5 ca 07e2 d4 f1 2f c6 26 c2 91 de 52 8c 4d d2 cb 1f d2 11 b2 d8 44 d9 53 d4 7a 48 d8 17 8785 69 3164 05 88 41 {server} derive write traffic keys for application data: PRK (32 octets): a2 05 9e be 09 34 8a d4 2b 1d 6a 72 01cc 71 0f 46 e2 93 5b 5e9e 8f 89 06 0d e5 9f de 34 2d 4a d1 68 f2 08 5c ab c3 60 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets): 2e c461 14 ca83 49 b4 00 e4 9d bb 71 9a 98 91 11 2d 99 iv info (12 octets): 00 0c 0835 41 a0 84 66 d1 8474 6c 73 31 33 20 69 76 00 iv output (12 octets): b2 6b 47 20 2b 9a 93 55 45 90 c0 3c {server} derive read traffic keys for early application data (same as client write traffic keys) {client} derive secret for handshake "tls13 derived": PRK (32 octets):35 10 b5 e7 47 ce ef 42 b1 fe ff e7 a7 4f dc 0f 52 a5 ee fc a2 b6 76 b0 82 4e 06 17 c8 64 56 1690 a6 5b c0 8e 4a 66 d4 a9 cf 3c f7 ec 2d 85 be d7 ae 08 af 83 1d 05 d7 0d 6c c0 a9 39 9c 1e 63 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets):3c 5b 59 45 8995 c5 f6 ae c8 48 4c ad 65 ee0f a2ff f118 d3 98 fc 3c 3e 50 f70c 48 a8 4f 34 d6 53 d6 59 91 bf de 1321 65 bc 5e 20 1a69 81 97da df 8e 36 ad 16 bab3 b9 b4 5d {client} extract secret "handshake": salt (32 octets):3c 5b 59 45 8995 c5 f6 ae c8 48 4c ad 65 ee0f a2ff f118 d3 98 fc 3c 3e 50 f70c 48 a8 4f 34 d6 53 d6 59 91 bf de 1321 65 bc 5e 20 1a69 81 97da df 8e 36 ad 16 bab3 b9 b4 5d ikm (32 octets):ca 49 06 0d 44 b4 58 b8 e2 6f b7 2a 18 6e bc 44 6b a8 e4 0e 8f b1 39 5c c7 f7 56 594f 81 91 7a 09 87 67 f2 22 5f cf 33 e8 a5 d5 33 d6 88 3b d8 ee86 f8 5416 00 b2 c5 e4 f0 e8 24 02 06 37 secret (32 octets):6b a5 c1 83 92 4b a3 2c e0 99 85 c9 11 f2 97 bb 0a 7c de 2796 eb 95 b5 631a62 0c 58 ca d2 c7 37 0f b7 4b 8f 55 b2 0e 28 bd bc 2d 70 6e 6f2e e8 88 25 19 88 f3 07 54db aa 9e 9e 60 93 {client} derive secret "tls13 c hs traffic" (same as server) {client} derive secret "tls13 s hs traffic" (same as server) {client} derive secret for master "tls13 derived" (same as server) {client} extract secret "master" (same as server) {client} derive read traffic keys for handshake data: PRK (32 octets): c9 23 18 b4 c5 6f ba 46 bf 6e ef 2a 9a 8f 02 33 a2 8b ab 9b b9 66 67 4a 19 32 0b b5 3c 50 10 19 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets): 0d 71 1f 45 1d c2 0e fc 7e f8 08 9b 44 79 75 ac iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets): ee 5d 71 8a 24 a8 e5 32 8d bc 58 00 {client} calculate finished "tls13 finished" (same as server) {client} derive secret "tls13 c ap traffic" (same as server) {client} derive secret "tls13 s ap traffic" (same as server) {client} derive secret "tls13 exp master" (same as server) {client} send a EndOfEarlyData handshake message {client} send handshake record: payload (4 octets): 05 00 00 00 ciphertext (26 octets): 17 03 03 00 151d ee d387 ea 08 9b27 ffc5 7f 33 1c 4f3c 92 2f fd ef 73 89 56ad 29 80 d7 5e 3b c1 cc7955 40 e8 75 {client} derive write traffic keys for handshake data: PRK (32 octets): 50 26 86 51 18 93 2f ba 00 9f b8 84 c2 6c e1 8e 44 96 c8 f3 57 dd f0 d113a9 0b c2 7b 4c 31 92 9c key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets): 4c 0f 31 7d 9a b1 56 f2 7b 71 cb ca 63 3d f7 4f iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets): e3 19 71 d9 f6 41 4b 45 de 4c 4c e2 {client} derive read traffic keys for application data (same as server write traffic keys) {client} calculate finished "tls13 finished": PRK (32 octets):a250 26 86 51 18 93 2f ba5200 9f b8 84b4 0e 7d 65 af af 93 c0 93 06c2 6c e1 8e 44 96 c8 f3 57 dde4 70 98 a4 ee 28 4c f4 6ef0 d1 a9 0b59 09 fe 25 8c a6 4fc2 7b 4c 31 92 9c hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets):67 02 97 87 4f 08 e5 10 32 7268 9e a0 1d d9 3b e4 b2 38 94 de ab a8be 0c 6d c3 b4 39 6e 82 28 34 62d0 7c 56 31 29 ad 6b21 e6 be 28 b9 d4 b4 35 05ef dd 7b 3d 8d ef e5 8e 4f 7e 3a 44 {client} send a Finished handshake message {client} send handshake record: payload (36 octets): 14 00 00 2060 c3 2e 99 5e c1 0d d0 1d 73 7952 90 13 55 ab 06 bb fb ab 3a 81 cc 67 e3 6f ebf1 9f 75 ef 74 0b 18 d4 24 06 c9 62 db 37 a4 53 74 9d 765d 8d a1 63 2a 02 ba 83 0a 8f c8 5f 4c 22 66 cf ciphertext (58 octets): 17 03 03 00 35b1 a439 ab 4d 04 21 bb 3e 2b 85 53 d0 2c ee 16 d3 78 c5 0f a8 76 fd 44 b4 d8 c6 36 26 6e 44 70 bd 05 f4 77 d4 fb 91 70 f4 42 96 e2 43 3c 78 0e ef c7 50 5f 9b e1 68 {client} derive write traffic keys for application data: PRK (32 octets): bc 39 56 2dde c8 7d 6a42 a4 e7 62 8d cc 15 1b ba c1 16 88 06 9c 1c 56 ca cd 17a5d4 cc 5319 3b 47 a64a bb 05 e3 c0 3e key info (13 octets): 00 10 09 74 6c32 b4 51 ab73 31 33 20 6b 65 79 00 key output (16 octets): 24 56 8c c4 56 c9 16 6a 17 54 e3 f848 dc df 68 21 3b 44 214d da 66 23 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76a9 e5 9b 8e cf 5e 1a fe d8 94 43 9a 9d f0 c3 a2 4b00 iv output (12 octets): 92 d2 daac 97 fc 34 55ec 04 ce c8 de 21 2a 8e 0c {client} derive secret "tls13 res master": PRK (32 octets):6b 06 1b 95 b3c5 ee bf b8 6e 50 811d 3a 8a a837 24 5d 79 91 9a 3da0 1d f0 e6 d5 c3 be43d8 3b 18 b319 61 bcb8 e8 52 78 14 2b 11 9c0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6b 02 hash (32 octets):04 5f 9f 6c d4 c6 84 65 a7 79 f474 61 12 2a b1 9d 89b7 13 57 7f 42 e9 91 c1 b7 b7 34 db 01 28 a5 7b 88 3546 4127d8 1c 0b 32 71 a9 35 90 9f be 21 87 ce 40 18 d1 81 d0 4b 1f 9b 95 8a info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 74 65 72 2004 5f 9f 6c d4 c6 84 65 a7 79 f474 61 12 2a b1 9d 89b7 13 57 7f 4246 41 d8 1c 0b 32 71 a9 35 90 9f be 21 87 ce 40 18 d1 81 d0 4b 1f 9b 95 8a output (32 octets): 98 85 4e 70 a8 c2 0f 1b 02 44 b8 d9 f2 e99194 37 7d 11 dd 0b 6b 09 42 29 de f0 cd 55 56 9a c1b7 b7 34 db 01 28 a520 {server} derive read traffic keys for handshake data: PRK (32 octets): 50 26 86 51 18 93 2f ba 00 9f b8 84 c2 6c e1 8e 44 96 c8 f3 57 dd f0 d1 a9 0b c2 7b88 35 41 274c 31 92 9c key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output(32(16 octets):404c 0f 31 7d 9a b1 56 f2 7b7c fa 1a 5d cd71 cb ca 63 3d f7 4f iv info (12 octets): 00 0c 08 74 6c 73e2 75 a6 80 13 16 68 24 4e a8 88 6431 33 20 69 76 00 iv output (12 octets): e3 19a6 fe cc 01 f5 7b df d5 5d 15 2a71 d9 f6 41 4b 45 de 4c 4c e2 {server} calculate finished "tls13 finished" (same as client) {server} derive read traffic keys for application data (same as client write traffic keys) {server} derive secret "tls13 res master" (same as client) {client} send application_data record: payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 ciphertext (72 octets): 17 03 03 00 4389 8d 41 41 71 76 9c 87 23 f5 46 43 1e c6 80 4928 e8 c4 0d 6e 0a 83 0c 62 58 8a 5afa29 e4 1e 24 48 3d 50 c8 57 f0 1f d2 25 6f a4 51 4e 2d 4c a3 77 fd ff 96 26 0e a6ac 32 5d 66 2f a5 9d46 a6 92 4e 935a 99 d2 f5 94 63 b8 d9 cd d3 c1 b1 36 79 08 1d d0 98 7c 4d3d 96 74 29 3f 2640 9a bd 40 ca d0 beab a3 a6d5 95 85 01 b1 fcda 07 4c 16 c0 27 68 65 ab 0215 08 6d b9df 0e 61 01 {server} send application_data record: payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 ciphertext (72 octets): 17 03 03 00 438e 95 04 14 52 07 ad 99 f9 26 b4 7c 28 f6 0f54 25 7b ed c2 61 dd 2c f2 a531 b9 7d 35 4f 55 ac fe 46 59 b0 37bd f194 6e 6a 8d c8 da f7 a9 fc 36 27 023fc1 df 0b a1 8c a5 90 11ed fc2f 39 96 ea bc 2f 6d 50 8593d6 0b7a 46 dd 32 59 9b 6f 16 df 78 2e 92 42 bd 43 b0 b4 7e 79 b6 b5 fd 5a 98 2387 d4d7 6f a6 fc ad 1c 84 97 c3 8a 62 20 70 af 9e 2a 72 6c 78 b3 ee bc 92 9b 27 66 {client} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 13e4 f4 3b 1b 15 b0 75 40 6c 2f 32 68 61 99 82 355a d6 a3 97 6d789d 6c b8 66 b4 a3 5c 0f b4 53 90 ae dd 88 {server} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 1306 18 b6 94 51 58 6b 0d b9 6c 39 08 0f 6b d7 d1 f1 0b 411d 7f 76 5d 2c d2 65 53 b2 f3 a8 c4 0a 71 a7 e6 48 c3 87 5. HelloRetryRequest In this example, the client initiates a handshake with an X25519 [RFC7748] share. The server however prefers P-256 [FIPS186] and sends a HelloRetryRequest that requires the client to generate a key share on the P-256 curve. {client} create an ephemeral x25519 key pair: private key (32 octets):52 99 b5 dc 31 26 3d a4 eb 70 79 f32f 74 42 ae 1b ce d7 5e 82 f929be 34 3c af cd fd 6c 14 28 e6 19 f1 f5 1a ae 58 68d5 1e ce c2 0c 3b aa 64 67 f2 d8 d2 c2 49 88 09 1001 1b 94 4c ab public key (32 octets):9e d2 81 f2 d1 e0 f8 c3 99 a4 90 a8 6a cd 71 9d 46 5618 77db dc b4 45 1f 97 39 e1 22 40ec d6 d3 b5 46 fb 68 dd 27 35 0f 25 24 87 b7 e8 7b 8ad4 3291 2c e1 a6 a8 8c d0 bb 02 cd 15 49 {client} send a ClientHello handshake message {client} send handshake record: payload (174 octets): 01 00 00 aa 03 0324 cc 22 ad 4c 8b 8c ed c8 e7 ee ac 95 93 1b 24 9d 3a dd 7d 98b7 c9 bc 82 7e a9 0b 53 72 b5 ba 58 29 7e 40 ba 82 77 ce bf be eb 8e af 94 e8 85 36 5b 91 c5e0 d8 35 f5 d7 81 0d fb b1 80bb 00 00 06 13 01 13 03 13 02 01 00 00 7b 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06 00 1d 00 17 00 18 002833 00 26 00 24 00 1d 00 209e d2 81 f2 d1 e0 f8 c3 99 a4 90 a8 6a cd 71 9d 46 5618 77db dc b4 45 1f 97 39 e1 22 40ec d6 d3 b5 46 fb 68 dd 27 35 0f 25 24 87 b7 e8 7b 8ad4 3291 2c e1 a6 a8 8c d0 bb 02 cd 15 49 00 2b 00 03 02 7f161c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 ciphertext (179 octets): 16 03 01 00 ae 01 00 00 aa 03 0324 cc 22 ad 4c 8b 8c ed c8 e7 ee ac 95 93 1b 24 9d 3a dd 7d 98b7 c9 bc 82 7e a9 0b 53 72 b5 ba 58 29 7e 40 ba 82 77 ce bf be eb 8e af 94 e8 85 36 5b 91 c5e0 d8 35 f5 d7 81 0d fb b1 80bb 00 00 06 13 01 13 03 13 02 01 00 00 7b 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06 00 1d 00 17 00 18 002833 00 26 00 24 00 1d 00 209e d2 81 f2 d1 e0 f8 c3 99 a4 90 a8 6a cd 71 9d 46 5618 77db dc b4 45 1f 97 39 e1 22 40ec d6 d3 b5 46 fb 68 dd 27 35 0f 25 24 87 b7 e8 7b 8ad4 3291 2c e1 a6 a8 8c d0 bb 02 cd 15 49 00 2b 00 03 02 7f161c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 {server} send a ServerHello handshake message {server} send handshake record: payload (176 octets): 02 00 00 ac 03 03 cf 21 ad 74 e5 9a 61 11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 9e 09 e2 c8 a8 33 9c 00 13 01 00 00 84 002833 00 02 00 17 00 2c 00 74 00 723c c7 0f 98 68 ee 6d bc bb 7b 7c 2120 1c e9 22 bf 9a 57 cc 0c 63 8a 02 00 00 00 0073 d2 77 2a 29 c9 93 b4 e0 c3 78b5 89 27 72 3a 7b 57 e1 de45 9e 99 ea6d 9d 65 d4 9b 4c 1d 00 3097 19 7d a5 86 38 74 31 85 03 d3 dd e2 41 7d 5f b7 8c 92 76 13 14 10 ea39 bc 6d f6 e6 1b 34 45 a1 12 cf 2c 5d f4 b3 bd 4c db 05 07 08 57 d9 f0 22 e8 6a c7 df 91 a92e 9e 8a f5 4e a0 92 86 7b 67 7d 64 4f 96 d8 c54a 1b e9 fd48 30 d161 ac b3 22 13 7a d5 63 70dd 1b 3f 8a 85 17 ab ee 19 60 52 d8 e4dc fa 293d55 aa c6 d6 ab 28 a2 98 43 62f0 3b 6d 29 b6 88 4b 7c 00 cc 5e 6c e7 ac 36 47 0e a789 9d 38 b7 b0 9b 3c 4d 86 76 a4 8b b2 c6 bd 05 02 fc c5 61 b5 50 2e 00 2b 00 02 7f161c ciphertext (181 octets): 16 03 03 00 b0 02 00 00 ac 03 03 cf 21 ad 74 e5 9a 61 11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 9e 09 e2 c8 a8 33 9c 00 13 01 00 00 84 002833 00 02 00 17 00 2c 00 74 00 723c c7 0f 98 68 ee 6d bc bb 7b 7c 2120 1c e9 22 bf 9a 57 cc 0c 63 8a 02 00 00 00 0073 d2 77 2a 29 c9 93 b4 e0 c3 78b5 89 27 72 3a 7b 57 e1 de45 9e 99 ea6d 9d 65 d4 9b 4c 1d 00 3097 19 7d a5 86 38 74 31 85 03 d3 dd e2 41 7d 5f b7 8c 92 76 13 14 10 ea39 bc 6d f6 e6 1b 34 45 a1 12 cf 2c 5d f4 b3 bd 4c db 05 07 08 57 d9 f0 22 e8 6a c7 df 91 a92e 9e 8a f5 4e a0 92 86 7b 67 7d 64 4f 96 d8 c54a 1b e9 fd48 30 d161 ac b3 22 13 7a d5 63 70dd 1b 3f 8a 85 17 ab ee 19 60 52 d8 e4dc fa 293d55 aa c6 d6 ab 28 a2 98 43 62f0 3b 6d 29 b6 88 4b 7c 00 cc 5e 6c e7 ac 36 47 0e a789 9d 38 b7 b0 9b 3c 4d 86 76 a4 8b b2 c6 bd 05 02 fc c5 61 b5 50 2e 00 2b 00 02 7f161c {client} create an ephemeral P-256 key pair: private key (32 octets):e5 d7 d7 16 54 b7 0d 85 b7 ef f8 ff 9f b4 10 f812 04 90 37 70 08 12 91 d2 e2 8c 2e 4c cc6d 5c 0d 46 cb 4f 3c 96 28 61 c5 20 88 5dae fd fa be a9 02 d6 24 cc 53 7e 17 7e f4 62 e0 4e 68 public key (65 octets): 0417 35 66 97 92 26 4a 94 82 cf 17 8e 99 0a e8 49 a3 55 2f 71 ec b8 4c 7b 02 2b 84 f0 57 eb b934 64 59 40 3b b6 5d 0e 0d 11 d1 03a28b e7ad 9d 2f 7d 44 e3 59 1a d0 04 33 a6 b2 d8 6d 57 9a af1b6a03 a7 56 2b 0172 df 0e 6ee0 3a a1 b5 80 25 c4 65 88 a4 09 3f 1c 75 98 bd 8c 79 ee 7e fc 5b a7 49 bd 24 3c 10 82 12 3a 37 f9 3f 9a 0008 7a bb8c ff 64 5b c4 e5 8f 20 {client} send a ClientHello handshake message {client} send handshake record: payload (512 octets): 01 00 01 fc 03 0324 cc 22 ad 4c 8b 8c ed c8 e7 ee ac 95 93 1b 24 9d 3a dd 7d 98b7 c9 bc 82 7e a9 0b 53 72 b5 ba 58 29 7e 40 ba 82 77 ce bf be eb 8e af 94 e8 85 36 5b 91 c5e0 d8 35 f5 d7 81 0d fb b1 80bb 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06 00 1d 00 17 00 18 002833 00 47 00 45 00 17 00 41 0417 35 66 97 92 26 4a 94 82 cf 17 8e 99 0a e8 49 a3 55 2f 71 ec b8 4c 7b 02 2b 84 f0 57 eb b934 64 59 40 3b b6 5d 0e 0d 11 d1 03a28b e7ad 9d 2f 7d 44 e3 59 1a d0 04 33 a6 b2 d8 6d 57 9a af1b6a03 a7 56 2b 0172 df 0e 6ee0 3a a1 b5 80 25 c4 65 88 a4 09 3f 1c 75 98 bd 8c 79 ee 7e fc 5b a7 49 bd 24 3c 10 82 12 3a 37 f9 3f 9a 0008 7a bb8c ff 64 5b c4 e5 8f 20 00 2b 00 03 02 7f161c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2c 00 74 00 723c c7 0f 98 68 ee 6d bc bb 7b 7c 2120 1c e9 22 bf 9a 57 cc 0c 63 8a 02 00 00 00 0073 d2 77 2a 29 c9 93 b4 e0 c3 78b5 89 27 72 3a 7b 57 e1 de45 9e 99 ea6d 9d 65 d4 9b 4c 1d 00 3097 19 7d a5 86 38 74 31 85 03 d3 dd e2 41 7d 5f b7 8c 92 76 13 14 10 ea39 bc 6d f6 e6 1b 34 45 a1 12 cf 2c 5d f4 b3 bd 4c db 05 07 08 57 d9 f0 22 e8 6a c7 df 91 a92e 9e 8a f5 4e a0 92 86 7b 67 7d 64 4f 96 d8 c54a 1b e9 fd48 30 d161 ac b3 22 13 7a d5 63 70dd 1b 3f 8a 85 17 ab ee 19 60 52 d8 e4dc fa 293d55 aa c6 d6 ab 28 a2 98 43 62f0 3b 6d 29 b6 88 4b 7c 00 cc 5e 6c e7 ac 36 47 0e a789 9d 38 b7 b0 9b 3c 4d 86 76 a4 8b b2 c6 bd 05 02 fc c5 61 b5 50 2e 00 2d 00 02 01 01 00 15 00 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ciphertext (517 octets): 16 03 03 02 00 01 00 01 fc 03 0324 cc 22 ad 4c 8b 8c ed c8 e7 ee ac 95 93 1b 24 9d 3a dd 7d 98b7 c9 bc 82 7e a9 0b 53 72 b5 ba 58 29 7e 40 ba 82 77 ce bf be eb 8e af 94 e8 85 36 5b 91 c5e0 d8 35 f5 d7 81 0d fb b1 80bb 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06 00 1d 00 17 00 18 002833 00 47 00 45 00 17 00 41 0417 35 66 97 92 26 4a 94 82 cf 17 8e 99 0a e8 49 a3 55 2f 71 ec b8 4c 7b 02 2b 84 f0 57 eb b934 64 59 40 3b b6 5d 0e 0d 11 d1 03a28b e7ad 9d 2f 7d 44 e3 59 1a d0 04 33 a6 b2 d8 6d 57 9a af1b6a03 a7 56 2b 0172 df 0e 6ee0 3a a1 b5 80 25 c4 65 88 a4 09 3f 1c 75 98 bd 8c 79 ee 7e fc 5b a7 49 bd 24 3c 10 82 12 3a 37 f9 3f 9a 0008 7a bb8c ff 64 5b c4 e5 8f 20 00 2b 00 03 02 7f161c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2c 00 74 00 723c c7 0f 98 68 ee 6d bc bb 7b 7c 2120 1c e9 22 bf 9a 57 cc 0c 63 8a 02 00 00 00 0073 d2 77 2a 29 c9 93 b4 e0 c3 78b5 89 27 72 3a 7b 57 e1 de45 9e 99 ea6d 9d 65 d4 9b 4c 1d 00 3097 19 7d a5 86 38 74 31 85 03 d3 dd e2 41 7d 5f b7 8c 92 76 13 14 10 ea39 bc 6d f6 e6 1b 34 45 a1 12 cf 2c 5d f4 b3 bd 4c db 05 07 08 57 d9 f0 22 e8 6a c7 df 91 a92e 9e 8a f5 4e a0 92 86 7b 67 7d 64 4f 96 d8 c54a 1b e9 fd48 30 d161 ac b3 22 13 7a d5 63 70dd 1b 3f 8a 85 17 ab ee 19 60 52 d8 e4dc fa 293d55 aa c6 d6 ab 28 a2 98 43 62f0 3b 6d 29 b6 88 4b 7c 00 cc 5e 6c e7 ac 36 47 0e a789 9d 38 b7 b0 9b 3c 4d 86 76 a4 8b b2 c6 bd 05 02 fc c5 61 b5 50 2e 00 2d 00 02 01 01 00 15 00 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 {server} extract secret "early": salt: (absent) ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a {server} create an ephemeral P-256 key pair: private key (32 octets):b1 6d 06 d1 40 ff d5 a9 3b b1 bf 4d 58 d7 3d 97 06 62 b9 a502 03 21 a8 85 5a 5c ce 43 5e c4 eb 2c 74 54 9d cd 14 b2 5025 ca 63 bc b1cc 88 ae b4f6 75 ac 73 15e1 a8 27 77 a2 a8 3d e2 public key (65 octets): 0489 cf b4 c1 91 61 f7 0ea9 fc 26 e5 99 e4 8d ed 07 36 f4 b1 b2 20 2b f4 9c f3 e5 eb 5a43 81 40 02 13 53 4637bd b4 fe d00b aa 88 8b 45 50 27 32 36 85 e5 e8 eb 52 e1 d3 63 73 08 76 d4 4a 1a cf 53 25 8e a6 e1 75 c1 4c 5f 20a9 2e 59 d9 58 10 ff2c a0 ebe3 a8 dd bd f2 e2 cc 65 71 fe 17 df 28b8 a7 3a37 22 f1 23 f3 32 fc b0 cb 3d 8b bb 9f 0b 65 e0 07 46 aef2 34 {server} send a ServerHello handshake message {server} derive secret for handshake "tls13 derived": PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba {server} extract secret "handshake": salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba ikm (32 octets):ba 1c d6 f8 aa 98 a2 de ff b7 ba bb 8e 52 4d 2f d3 e8 2d 5c ff 5d 7b67 5e 8f e30a 20 80 ef 62 6a 92 b37d f3 8e b4 ae d1 ac 3e a4 a0 a1 63 a7 26 56 83 e4 3d ca 95 40 43 87 73 24 aa cf 70 secret (32 octets):8e f8 e6 41 ab fd56 b6 d9 4c b7 89 04 56 07 85 86 b5 d6 5d 69 69 bc 7c 48 51 ff 7f 95 3302 a2 4a c0 03 d0 98 2a 3e 6e ef cd 99 4675 ed19 82 b8 1b 4dcb e2ab c8 7d e860 4c 1f 8e {server} derive secret "tls13 c hs traffic": PRK (32 octets):8e f8 e6 41 ab fd56 b6 d9 4c b7 89 04 56 07 85 86 b5 d6 5d 69 69 bc 7c 48 51 ff 7f 95 3302 a2 4a c0 03 d0 98 2a 3e 6e ef cd 99 4675 ed19 82 b8 1b 4dcb e2ab c8 7d e860 4c 1f 8e hash (32 octets):87 73 ef 3f d60b 61 d4 9c 83 fe f7 da 0364 ff ab 64 c5 f1 66 f8 30 09 c2 9e c6 70 16 76 e5 cc 60 b5 1a04 0f e3 5e 72 33 fe bd 0f 47 e2 c0 e0 9c 85 a4 a1 2f2a dd 9e 2789 a0 04 a1 6f info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 61 66 66 69 63 2087 73 ef 3f d60b 61 d4 9c 83 fe f7 da 0364 ff ab 64 c5 f1 66 f8 30 09 c2 9e c6 70 16 76 e5 cc 60 b5 1a04 0f e3 5e 72 33 fe bd 0f 47 e2 c0 e0 9c 85 a4 a1 2f2a dd 9e 2789 a0 04 a1 6f output (32 octets):1e af b2 10 3a c596e5 a8 67 3e ae 2c 42f0 1d 63 6d 87 b9 36 1c 0b 8b 93 0cff b2 d9 45 99de d900 08 947b 59 06 0bdb a8 8c a7 71 26 2689 3b e2 4e 5d 64 b5 25 86 c0 39 ac 18 {server} derive secret "tls13 s hs traffic": PRK (32 octets):8e f8 e6 41 ab fd56 b6 d9 4c b7 89 04 56 07 85 86 b5 d6 5d 69 69 bc 7c 48 51 ff 7f 95 3302 a2 4a c0 03 d0 98 2a 3e 6e ef cd 99 4675 ed19 82 b8 1b 4dcb e2ab c8 7d e860 4c 1f 8e hash (32 octets):87 73 ef 3f d60b 61 d4 9c 83 fe f7 da 0364 ff ab 64 c5 f1 66 f8 30 09 c2 9e c6 70 16 76 e5 cc 60 b5 1a04 0f e3 5e 72 33 fe bd 0f 47 e2 c0 e0 9c 85 a4 a1 2f2a dd 9e 2789 a0 04 a1 6f info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 61 66 66 69 63 2087 73 ef 3f d60b 61 d4 9c 83 fe f7 da 0364 ff ab 64 c5 f1 66 f8 30 09 c2 9e c6 70 16 76 e5 cc 60 b5 1a04 0f e3 5e 72 33 fe bd 0f 47 e2 c0 e0 9c 85 a4 a1 2f2a dd 9e 2789 a0 04 a1 6f output (32 octets):82 54 e1 25 3f 75 bf a5 bb 5c 4e f2 b1 bb48 c0 7973 e0 b7 b8 32 51 31 2b ce 86 30 8e83 b0 b1 9b 41 75 36 af 49 aa 3c 4f a127 b5 52 e020 26 fe fa 16 d0 40 12 8b 7f 87 19 6c ab fe 14 {server} derive secret for master "tls13 derived": PRK (32 octets):8e f8 e6 41 ab fd56 b6 d9 4c b7 89 04 56 07 85 86 b5 d6 5d 69 69 bc 7c 48 51 ff 7f 95 3302 a2 4a c0 03 d0 98 2a 3e 6e ef cd 99 4675 ed19 82 b8 1b 4dcb e2ab c8 7d e860 4c 1f 8e hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets):91 74 25 ca 4f 3e 40 22 e2 e6 bb 99 25 f2 f7ef ff c0 f0 7a 08e9 7c 1c 75 560f cde8 63 52 1f 40 b3c7 7e 55 8a 02 f1 77 f7 32 a9 ff 20 12 8b 66 a0 de e7 1c a3 99 74 ba c82f 49 36{server} extract secret "master": salt (32 octets):91 74 25 ca 4f 3e 40 22 e2 e6 bb 99 25 f2 f7ef ff c0 f0 7a 08e9 7c 1c 75 560f cde8 63 52 1f 40 b3c7 7e 55 8a 02 f1 77 f7 32 a9 ff 20 12 8b 66 a0 de e7 1c a3 99 74 ba c82f 49 36ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets):5f 5f 3a b7 4a c0 3b 74 79 0f 0f 40 33 f9 e9 3c 1867 f3 ca a1 17 80 4495 ac 41 03 a9 f245 c3 84 1d f0 d6 cf 0c be 84 eb 2d43 d8 dc 57 86 a2 951e 29 29 3c de 0e 59 8b c0 79 99 24 00 {server} send handshake record: payload (123 octets): 02 00 00 77 03 03eb 62 5e d0 a8 a3 3c 5f a3 c2 77 5a eb a4 c6 2a 4f 31 71 f2 ff ea e4 ea 53 38 27 30a9 8d a5 12 67 95 e8 50 bf d4 69 ae 416f f7 3a2c 8a d6 c6 a2 43 da b5 ca 68 9b cc 37 7b 7f 45 7e 93 57 00 13 01 00 00 4f 002833 00 45 00 17 00 41 0489 cf b4 c1 91 61 f7 0ea9 fc 26 e5 99 e4 8d ed 07 36 f4 b1 b2 20 2b f4 9c f3 e5 eb 5a43 81 40 02 13 53 4637bd b4 fe d00b aa 88 8b 45 50 27 32 36 85 e5 e8 eb 52 e1 d3 63 73 08 76 d4 4a 1a cf 53 25 8e a6 e1 75 c1 4c 5f 20a9 2e 59 d9 58 10 ff2c a0 ebe3 a8 dd bd f2 e2 cc 65 71 fe 17 df 28b8 a7 3a37 22 f1 23 f3 32 fc b0 cb 3d 8b bb 9f 0b 65 e0 07 46 aef2 34 00 2b 00 02 7f161c ciphertext (128 octets): 16 03 03 00 7b 02 00 00 77 03 03eb 62 5e d0 a8 a3 3c 5f a3 c2 77 5a eb a4 c6 2a 4f 31 71 f2 ff ea e4 ea 53 38 27 30a9 8d a5 12 67 95 e8 50 bf d4 69 ae 416f f7 3a2c 8a d6 c6 a2 43 da b5 ca 68 9b cc 37 7b 7f 45 7e 93 57 00 13 01 00 00 4f 002833 00 45 00 17 00 41 0489 cf b4 c1 91 61 f7 0ea9 fc 26 e5 99 e4 8d ed 07 36 f4 b1 b2 20 2b f4 9c f3 e5 eb 5a43 81 40 02 13 53 4637bd b4 fe d00b aa 88 8b 45 50 27 32 36 85 e5 e8 eb 52 e1 d3 63 73 08 76 d4 4a 1a cf 53 25 8e a6 e1 75 c1 4c 5f 20a9 2e 59 d9 58 10 ff2c a0 ebe3 a8 dd bd f2 e2 cc 65 71 fe 17 df 28b8 a7 3a37 22 f1 23 f3 32 fc b0 cb 3d 8b bb 9f 0b 65 e0 07 46 aef2 34 00 2b 00 02 7f 1c {server} derive write traffic keys for handshake data: PRK (32 octets): 48 c0 79 83 b0 b1 9b 41 75 36 af 49 aa 3c 4f a1 20 26 fe fa 16 d0 40 12 8b 7f 87 19 6c ab fe 14 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets): c9 66 8b e3 a4 eb 59 74 eb 92 ff 02 bb d7 2e 0b iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets): a0 3e bc f0 df 01 00 7b 81 7b 21 de {server} send a EncryptedExtensions handshake message {server} send a Certificate handshake message {server} send a CertificateVerify handshake message {server} calculate finished "tls13 finished": PRK (32 octets):82 54 e1 25 3f 75 bf a5 bb 5c 4e f2 b1 bb48 c0 7973 e0 b7 b8 32 51 31 2b ce 86 30 8e83 b0 b1 9b 41 75 36 af 49 aa 3c 4f a127 b5 52 e020 26 fe fa 16 d0 40 12 8b 7f 87 19 6c ab fe 14 hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets):a3 3a 40 a0 16 61 06 92 2f 96 9d 66c9 32 f8 bb a8 09 0c d8 3c fa ae 73 f8 41 79 6c bb a9 97 73 2869 0e ad 71 29 6b 1c 9f 44 14 64 e8 f4 c4 c2 33 14 10 15e4 53 d6 a1 da c8 8c a8 0b 2b ec {server} send a Finished handshake message {server} send handshake record: payload (639 octets): 08 00 00 12 00 10 00 0a 00 08 00 06 00 17 00 18 00 1d 00 00 00 00 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 96 12 29 ac 91 87 b4 2b 4d e1 00 00 0f 00 00 84 08 04 00 8096 ac7d 29 50 6f 66 e0 8745 e8 60 64 a1 18 d3 35 75 88 1c c7 db 99bd b7ad 5c f6 42 04 2f 0c 6a 4c 65 42 d6c1 5b 153e f7 b4 71 2d 9f 9f 7c 16 7af5 f9 32 72 41 8a 59 c5 74 59 13 33 9cfe 1bf3 78 5a 39 86 78 55 66 d7 95 2d 9e a9 ab 9f7a e7 41 4b ff 4c d1 3c dd 81 1d ce77 87 6e 6a 39 8b 5b 88 2c 83 e5 43 d3 c1 80 95 30 ef 30 70 fb e4 eb a9 07 2c 6c 23 95 6b de 0e 61 4c d0 13 aa e7 9c b1 86 76 0a 95 55 aa 7c 62 2a 29 5c ce229e f4 7bf2 ec 74 38 e9 22 6e 7d da 00 0e f8 34 85 60 ed 21 6beb 28a8 bc 6d b606 103c aa 9629 4e a0 a4 cc ca 29 92 00d8 84 7c a6 f0 ea 40 64 da 4f 7d 6d c7 b5ab f2 25 44 3d 0b 50 d1 f8 b1 fa 9b 98ff 54 36 a0 4e 01 7d e3 2c 12 ebf32e 55 3b e2 60 3e 0f 63 20 63 4238 b8 00 65 08 87 14 00 00 20a4 98 49 23 dd 33 35 94 bd 90 4b 9e 80 1b c1 88 73 3143 2a 86 e1 4a 5e 66 f5 57ba 4b 16 c7 6283 3f 39 ea eb 85 71 13 0b cda9 f6 f3 0f e9 a6 8859 ba 06 5d 8d 6d b4 26 ac 11 43 da 0e ciphertext (661 octets): 17 03 03 02 9011 09 c2 d4 04 4a ea 1f e6 a7 d0 e1 52 4a 86 e6 b3 fd 43 3a 4a 86 8a 8c2a 101a 58 ab b3 38 1e 66 c6 9a bc b090 52 02 96 ad d1 82 97 94 74 52 0dc0 ba d7 b4 9c c3 24 55 aa 2825 ef c8e5 13 13 a0 9b 4f 19 fc 3c b9 9b 35 5e 8a 4a fc 74 84 c4 c6 d4 de 321d 11 77 14 c5 0d d575 01 4c 53 71 48 ce 7d df 3132 d93a f5 fbdf f1ac dd b8fa fe 96 c713 32 e7 ce d7 7a 2f 4d e0 16 dd 98 5a 2c ec 063b 66 e4 7d 81 e6 25 2b 66 86 b8 86 37 10 26 0e 15 4b c4 8d 8a e2 f2 67 45 f5 98 ee 7b 46 70 cb 87 89 3a 73 81 7f cb 09 45 5f e5 8d 49fd a9 bc5c 07 7a ca a3 b3 ae 9c cc a4d7 23 19 5a df58 5b 12 6d f4 8c 5f a4 f9 d2 b4 b5 0b dc 72 a8 42 eb 09 5f 71 f9 24 77 d4 5d d8b8 03 95 00 e9 e1ee 69 62 81 87 86 0d f3 d6c6 01 20 6a 6a 85 33 56 1a ab8b 80 a3 c7 c7 d4 ca 36 61 69 2f a4 64 23 f5cc f2 e2 b7 c5 9e 74 75 1a64 2d 73 6e 27 63 b0 41ca 95 15 03 26 a8 f2 25 56 7f bb 9f ad 99 39 b6 d6 ca a207 4790 05 d9 4b b8 95f6 55 eb db 18ca 6337 c1 6f 59 bd c2 db 64 e3 92 fd 92 77 b0 ac e7 1c 1a 15 da e4 13 6c 84cf 66 dd 97 36aa 17 7b 69 4d 33 e0 b0 ac 68 0b f0 46 54 d0 03 75 84 c9 b4 06 59 87 ff 49 02 70 07 f9 1b 95 29 ef a3 87 2c 6a df a9 a9 f8 75 4a 57 f2 a1 6c 16 d3 34 06 ac 27 a8 93 ca 13 2c c3 3a 89 d2 2f8c 40f1 fa 70 c0 c6 06 10 1d 89 64 ff 42 3d 1326 d4b7 ac 11 b7 e9 47 91 b0 51 45 6a 9b 6f 41 b6 66 00 79 60 8e 87 22d5 3f bd 68 1b 14 09d2 ad 87 36 92 bf db 79 f2 9e 67 e4 16ec 146d 82 a9 5c be 36 e3 d1 67 88 f5 32 33 7b f9 4c bf 54 31 02 22 4e 4532 49 04 dd 7f 63 26 96ee 98 0d 05 d4 68 fa dc 12 91 a2 6f 13 81a101 5c 21 f3 d5 d6 36f2 e6 15 f49f 29 51 7ee9 e3 2a a3 25 2e 0c 3b 1d 47 a9 92a2 f6 1b 9b 7f 20 6a 6350 b4 98 5b 96 51 ef c5 14 80 09 61c8 10 d1 3b 74 e4 29 e6 6d75 df dd e908 1e 41 7f 96 6e 82 88 da a5 52 2d b6 cb 22 35 331f e2 ae e5 44 c4 a1 40 10d6 e6 84 2adb c170 6c e0 9f 3d 12d4 4519 b6 4f 08 f5 f4 d2 ca 3d 55 6d 88 64 1f 16 25 de 1e1b 90 46 02 9e 71 b9 36 60 49 c9 ac aa 36 82 79cc 65 5f e5 17 c1 f0dc 27a5 a4 9c 79 62 00bb 15 1d 96 6d02 2d71 a7 55 44 6a 74 9f 3f fb 2b 10 11 0d 2f 9d c2 1e f7 1d b7 2b 53 ae 2b a8 70 70 f2 79 15 b8 a3 4a 4c 92 0322 cd cb 7036 3b f7 75 988c 27 fd d4 16 7a a899 3d 6d 97 45 5368 fa f76a 83 ddbe b6 ca 42 e2a5 5c 30 10 ed bf 86 ec 45 6c 5e 12 f4 fb 28da d2 b8 a7 7c 3fd5 25 e2 2b f8 4e 28 03 41 9a 1f 5c 0da8 68 837c e5 bc b1 8c 36 18 0635c1 d3 28 30 f4 af f6 60 7a 72 81 1e 4e 19 02 b1 c0 88 4e 3cde 97dd 44 3ff9 06 bf 695e e3 fe 76 db 3e cc d4 36 ae 87 0f 7f 1d b1 3e 00 cc 4109 20 60 b4 23 dd 9cc4 5a 44 69 29 921a 7e 9e c2 3c 78 4c 52 a7 a0 44 35 6c e162 41 fb 31 d4 ed e3 95 77 2b 31 fd e3 cc 4d b32764 0f 48 d8 3f 63 5f 95 be f6 7f b3 60c3c9 8e54 73 ed 92 49 fe 68 1a 70 ca 11 dbd6 ae 57c1 e5 4fae d0 dc 59 38 20 b2 48 3e 6f 2d ae 39515d 9c 54 b912 ae 74 d1 88 c2 db dc f0 665a 7c ac13 28 0216 fa 3210 5e 8b de ae 53 50 b1 b3 550a a4 46 a5 e3 7c 9d af 54 ed 38 71 3934 a6 82 91 73 03 fb eb8565 3b bc 4b 0c 5c 77 4b b2 94 dc 50 44 c4 7f 70 5b d6 80 73 af 3a e5 c6 45 29 1e fc 9d 9c 17 6b 19 bd 95 47cc 5355 dc a2 2e 2b 52 137b 02a5 374b 4a 03 4d 38 18 69 57 81 da 2a 23 ec 82 b5 812e d9 6b 9f 89 f6 30 80 89 f3 983d 69 5b 84 37 94 07 cc 87 dc 85 4e 0d 06 3e 6d 622a 13 f2 41 30 3b 2e 5d c0 d4 3f fa 73 16 d23c 97 97 5e 91 7d b6 d5 21 82 83 a2 e8 1579 bd 78 d1 65 e0 33 61 16 66 fd 79 a3 90 95 db f5 5a 4337 5fe0 89 b1 3b db 6a 33 ef b3 bb 0ba1 84 59 91 ed 6f 40 9a67 9c 58 9d 2a 3e 4f 56 18 46 dd 9b 34 c4 6831a9 ce 4d bd 63 59 29 f7 b57a 1c 5d dd 88 fe b6 e9 cc 66 ee1f3c 28 60 f6 1d f0 f8 1e bb 3b 0a 87 2d 0c 2d 00 ae 84 44 5f 47 89 3121 a9 67 92 97 22 7d02 e1 b6 75 a87e a1 dbcc 45 66 34 28 95 ff 20 77 d8 9d 20 2d 86 43 22 be4cc6 b3 f0 bf df{server} derive secret "tls13 c ap traffic": PRK (32 octets):5f 5f 3a b7 4a c0 3b 74 79 0f 0f 40 33 f9 e9 3c 1867 f3 ca a1 17 80 4495 ac 41 03 a9 f245 c3 84 1d f0 d6 cf 0c be 84 eb 2d43 d8 dc 57 86 a2 951e 29 29 3c de 0e 59 8b c0 79 99 24 00 hash (32 octets):62 05 ce91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 54b4 21 f2 e9 c4 2e51 f8 70 7c 4f 14 92 ed68 3d 19 12 89 cd 9b 1f 9a2e 844d 94 c2 3e 95 b8 94 cc 4e 8a 427e 08 7e 6a bf 98 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 61 66 66 69 63 2062 05 ce91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 54b4 21 f2 e9 c4 2e51 f8 70 7c 4f 14 92 ed68 3d 19 12 89 cd 9b 1f 9a2e 844d 94 c2 3e 95 b8 94 cc 4e 8a 427e 08 7e 6a bf 98 output (32 octets):de 2e 40 35 e0 1c 52 ea e4 d5 b8 b3 46 50 c3 32 04 53 6b 07 03 0933 60 70 33 79 0d 4d 7d 0f d0 db d9 6f 3c 78 21e4 31 95 37 b4 a0 90 1e e075 8f 78 14 79 4f 9b b1 e9 c9 17 de 7b ef d4 b2 {server} derive secret "tls13 s ap traffic": PRK (32 octets):5f 5f 3a b7 4a c0 3b 74 79 0f 0f 40 33 f9 e9 3c 1867 f3 ca a1 17 80 4495 ac 41 03 a9 f245 c3 84 1d f0 d6 cf 0c be 84 eb 2d43 d8 dc 57 86 a2 951e 29 29 3c de 0e 59 8b c0 79 99 24 00 hash (32 octets):62 05 ce91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 54b4 21 f2 e9 c4 2e51 f8 70 7c 4f 14 92 ed68 3d 19 12 89 cd 9b 1f 9a2e 844d 94 c2 3e 95 b8 94 cc 4e 8a 427e 08 7e 6a bf 98 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 61 66 66 69 63 2062 05 ce91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 54b4 21 f2 e9 c4 2e51 f8 70 7c 4f 14 92 ed68 3d 19 12 89 cd 9b 1f 9a2e 844d 94 c2 3e 95 b8 94 cc 4e 8a 427e 08 7e 6a bf 98 output (32 octets):14 ff 87 2f 92 e2 e2 5c c2 18 e0 15 bf db82 4f 40 74 98 f3 55 f7b9 1d b3 42 c7 20 00 e2 bd 1d 5c 08 06 d7c4 56ab 4d7d 1a c4 9d a3 cc 44 1c fe a5 7c 86 6d 01 28 04 88 63 74 bb 4f a1 {server} derive secret "tls13 exp master": PRK (32 octets):5f 5f 3a b7 4a c0 3b 74 79 0f 0f 40 33 f9 e9 3c 1867 f3 ca a1 17 80 4495 ac 41 03 a9 f245 c3 84 1d f0 d6 cf 0c be 84 eb 2d43 d8 dc 57 86 a2 951e 29 29 3c de 0e 59 8b c0 79 99 24 00 hash (32 octets):62 05 ce91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 54b4 21 f2 e9 c4 2e51 f8 70 7c 4f 14 92 ed68 3d 19 12 89 cd 9b 1f 9a2e 844d 94 c2 3e 95 b8 94 cc 4e 8a 427e 08 7e 6a bf 98 info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 74 65 72 2062 05 ce91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 54b4 21 f2 e9 c4 2e51 f8 70 7c 4f 14 92 ed68 3d 19 12 89 cd 9b 1f 9a2e 844d 94 c2 3e 95 b8 94 cc 4e 8a 427e 08 7e 6a bf 98 output (32 octets):10 9f baaa 09 d0 be d1 a3 70 92 4b bd 25 44 60 e7 71 c4 f1 3c 0a 68 8f 6b b9 f5 b1 e3 35 7bbc 8d 8672 42 c9 17 {server} derive write traffic keys for application data: PRK (32 octets): 82 4f 40 74 98 f3f855 f7 c4 56bf d67d 1a c4 9d a3 cc 44 1c fe a5 7c 86 6d 01 28 04 88 63 74 bb 4f a10e f3 c2 fb f6 8ckey info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets): 1d dd e3 13 e4 23 c0 bb b4 6e 21 55 4e 62 bc 02 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets): 1d 33 01 7e 40 29 4c bc df b2 cd ec {server} derive read traffic keys for handshake data: PRK (32 octets): 96 f0 1d 63 6d 87 b9 36 1c 0b 8b 93 0c de d9 7b 59 0670 1b ab 970b 89 3b e2 4e 5d 64 b5 25 86 c0 39 ac 18 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6ba865 79 00 key output (16 octets): dd e8 55 4c 07 08 a0 f7 7c dd da 22 50 43 b4 82 iv info (12 octets): 00 0cbf08 74 6c 73 31 33 20 69 76 0012 d5iv output (12 octets): 10 90 01 0f e7 e8 21 c7 40 6b 82 d0 {client} extract secret "early": salt: (absent) ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a {client} derive secret for handshake "tls13 derived": PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba {client} extract secret "handshake": salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba ikm (32 octets):ba 1c d6 f8 aa 98 a2 de ff b7 ba bb 8e 52 4d 2f d3 e8 2d 5c ff 5d 7b67 5e 8f e30a 20 80 ef 62 6a 92 b37d f3 8e b4 ae d1 ac 3e a4 a0 a1 63 a7 26 56 83 e4 3d ca 95 40 43 87 73 24 aa cf 70 secret (32 octets):8e f8 e6 41 ab fd56 b6 d9 4c b7 89 04 56 07 85 86 b5 d6 5d 69 69 bc 7c 48 51 ff 7f 95 3302 a2 4a c0 03 d0 98 2a 3e 6e ef cd 99 4675 ed19 82 b8 1b 4dcb e2ab c8 7d e860 4c 1f 8e {client} derive secret "tls13 c hs traffic" (same as server) {client} derive secret "tls13 s hs traffic" (same as server) {client} derive secret for master "tls13 derived" (same as server) {client} extract secret "master" (same as server) {client} derive read traffic keys for handshake data: PRK (32 octets): 48 c0 79 83 b0 b1 9b 41 75 36 af 49 aa 3c 4f a1 20 26 fe fa 16 d0 40 12 8b 7f 87 19 6c ab fe 14 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets): c9 66 8b e3 a4 eb 59 74 eb 92 ff 02 bb d7 2e 0b iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets): a0 3e bc f0 df 01 00 7b 81 7b 21 de {client} calculate finished "tls13 finished" (same as server) {client} derive secret "tls13 c ap traffic" (same as server) {client} derive secret "tls13 s ap traffic" (same as server) {client} derive secret "tls13 exp master" (same as server) {client} derive write traffic keys for handshake data (same as server read traffic keys) {client} derive read traffic keys for application data (same as server write traffic keys) {client} calculate finished "tls13 finished": PRK (32 octets):1e af b2 10 3a c596e5 a8 67 3e ae 2c 42f0 1d 63 6d 87 b9 36 1c 0b 8b 93 0cff b2 d9 45 99de d900 08 947b 59 06 0bdb a8 8c a7 71 26 2689 3b e2 4e 5d 64 b5 25 86 c0 39 ac 18 hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets):19 3b 17 c6 19 fb 94 85 1f 97 91 db 7b 9a 9ea2 e7 bc 56 e4 4c 66 f7 b1 f7 e9 5f 43 4b 039d 4f 8149 7c 09 11 73 969a 93 71 02 06b8 6e a1 88 a2 e7 5e 4b45 a3 be e9 a3 125b 52 bd {client} send a Finished handshake message {client} send handshake record: payload (36 octets): 14 00 00 203c 9c 63 c4 72 e5 d6 ab 04 4d 14 59 2e 5add 60 b6 e8 68 65 0c d8a28a 16 ae ea be c9 ef4c 1d 70 f7 f7 7a 13 3c 8d92 8b d1 4a 55 cc fc05 a6 df 529b 25 36 bb f8 5b ef cb a9 2f ciphertext (58 octets): 17 03 03 00 35cd db d8 39 c3 4d 8d b210 83 df 24 a1fc 582c 20 11 96 5e55 78 f6 5f ec 70 81 d6 95 00 88 09 02 5c1c 0c9dd5 82 85 53 dc 17 d9 4f87 5a f9 e7 10 d7 52 a2 0a 3d60 a4 b9 03 58 8c d3 00 63 3b de 1c 93 48 a5 38 d4 a9 67 66 ce e5 2c59 86 7e 92 6e b4 39 52 e232 46 4c 84 8b cd 12 19 9b 2f {client} derive write traffic keys for application data: PRK (32 octets): 33 60 70 33 79 0d 4d 7d 0f d0 db d9 6f 3c 78 21 75 8f91 8378 14 79 4f 9b b1 e9 c9 17 de 7b ef d4 b2 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets): 74 df 54 32 03 d8 58 9d c5 27 43 85 9f 6c cd da iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets): c1 af 57 8c 97 99 e3 a6 48 08 70 35 {client} derive secret "tls13 res master": PRK (32 octets):5f 5f 3a b7 4a c0 3b 74 79 0f 0f 40 33 f9 e9 3c 1867 f3 ca a1 17 80 4495 ac 41 03 a9 f245 c3 84 1d f0 d6 cf 0c be 84 eb 2d43 d8 dc 57 86 a2 951e 29 29 3c de 0e 59 8b c0 79 99 24 00 hash (32 octets):cb 0c c7e6 a1 73 98 69 66 1d dc bb dc 11 0a ed ed 74 bc35 ef 49 7c be e7 ea fa 2b ff a2 2f 8d a5 b8 28 5e 83 35 48 0c 3313 74 6581 32 22 2c c2fa a9 20 ec 69 ea 9e cc 73 60 b2 9d d2 info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 74 65 72 20cb 0c c7e6 a1 73 98 69 66 1d dc bb dc 11 0a ed ed 74 bc35 ef 49 7c be e7 ea fa 2b ff a2 2f 8d a5 b8 28 5e 83 35 48 0c 3313 74 6581 32 22 2c c2fa a9 20 ec 69 ea 9e cc 73 60 b2 9d d2 output (32 octets):18 8c 90 bc 6f a9 7a 8d d5 55 1d 80 b1 ae 18 42 4c f3 e25f 86 e4 2a b7 ff e8 49 b9 3e ed b3 f690 bc 70 54e36b 33 3f 1788 a8 a4 55 72 b1 cc 03 88 3017 f344 c6 dd 25 04 57 b9 8b {server} calculate finished "tls13 finished" (same as client) {server} derive read traffic keys for application data (same as client write traffic keys) {server} derive secret "tls13 res master" (same as client) {client} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 1393 21 5e 8c f7 98 69 b6 9a 28 57 8f 90 f4 c6 94 6ea5 48 29 ee 82 c4 6f 8a 11 08 8a ff d2 51 1e 5c9b2d d6 d1 {server} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 134a b554 78 81 09 8073 c0 a8 93 de 17 76 47 6d ec d2 5e 97 8471 83 23 ed 12 c2 e3 d1 a0 c0 f4 87 72 40 6. Client Authentication In this example, the server requests client authentication. The client uses a certificate with an RSA key, the server uses an ECDSA certificate with a P-256 key. Note that private keys for this example are not included in the draft. {client} create an ephemeral x25519 key pair: private key (32 octets):a4 0d6d 8b a2 5f f1 2f 88 11 f2 67 80 03 48 ea da fc c193 0c 00 af 0e 9d 3b c2 6c f9 0f 5e ee 7d ba 97 17 1f 53 2b 71 7f ef bf bf 87 08 38c5 74 1c 65 fc 45 8d fd b4 f8 f0 19 8f 01 c9 public key (32 octets):d5 dd 20 0f ad 0896 33 5a 91 2f 9a 397b 40 f3 e6 14 45 24 0c 75 78 5e b2 e544 4c cc 04 fd 51 51 f0 de 0b72 7c 5ada 0491 64 0d c1 2c 3a 0e02 75 dd 2f 07 10 5a 1c 7d 93 89 99 13 {client} send a ClientHello handshake message {client} send handshake record: payload (186 octets): 01 00 00 b6 03 03a3 ce 03 a9 0c 76 17 79 2d ee d9 6e 55 b1 6a b8 fc 10 911d fe f2 73 b4 49 8b 2c67 f3 3d db d1 50 b3 25 d568 e0 44 af 2c 39 12 cad6 586e 91 4b d8 88 f9 09 41 8b f4 8b a3 b5 75 a4 a1 00 00 06 13 01 13 03 13 02 01 00 00 87 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 002833 00 26 00 24 00 1d 00 20d5 dd 20 0f ad 0896 33 5a 91 2f 9a 397b 40 f3 e6 14 45 24 0c 75 78 5e b2 e544 4c cc 04 fd 51 51 f0 de 0b72 7c 5ada 0491 64 0d c1 2c 3a 0e02 75 dd 2f 07 10 5a 1c 7d 93 89 99 13 00 2b 00 03 02 7f161c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 ciphertext (191 octets): 16 03 01 00 ba 01 00 00 b6 03 03a3 ce 03 a9 0c 76 17 79 2d ee d9 6e 55 b1 6a b8 fc 10 911d fe f2 73 b4 49 8b 2c67 f3 3d db d1 50 b3 25 d568 e0 44 af 2c 39 12 cad6 586e 91 4b d8 88 f9 09 41 8b f4 8b a3 b5 75 a4 a1 00 00 06 13 01 13 03 13 02 01 00 00 87 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 002833 00 26 00 24 00 1d 00 20d5 dd 20 0f ad 0896 33 5a 91 2f 9a 397b 40 f3 e6 14 45 24 0c 75 78 5e b2 e544 4c cc 04 fd 51 51 f0 de 0b72 7c 5ada 0491 64 0d c1 2c 3a 0e02 75 dd 2f 07 10 5a 1c 7d 93 89 99 13 00 2b 00 03 02 7f161c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 {server} extract secret "early": salt: (absent) ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a {server} create an ephemeral x25519 key pair: private key (32 octets): 4c 22 f1 c1 22 00 9b 54 ae dc 6f 54 2e 98 01f2 df a3 5d 2f f7 47 3c b2 b2 85 25 74 2d a0 58 a0 35 c7 f8 21 bc4d a2 91 e6 f5 b8 77 03 67 5e 49 f6 10 06 ae 86bf c2 11 72 16 be cc aa65 public key (32 octets):b5 89 13 10 62 da ed c2 12 1b b7 5c 36 88 0b 71 12 c1 96 7f fe 17 db 5f a7 ef ef 22 90c5 4d 65 0c e2 52 6e 901e 3d24 f2 a3 68 9e 3b 82 58 87 e5 82 b6 c0 e6 07 75 dd a0 bd 2f 8a 5b 6d 53 {server} send a ServerHello handshake message {server} derive secret for handshake "tls13 derived": PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba {server} extract secret "handshake": salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba ikm (32 octets):94 2f 83 fa ee 2f ad ad 24 2e eb fb c7 a6 6d 5e c7 71 04 b1 3c d4 9749 a2 14 3a 0c 4b 7c a4 e9 c1 3a 6f 64 93 88 ec 4d 34 87 b5 dc d0 68 37 bd 5c 41 23 a2 e0b1 0d 9d 70 69 1d e8 6a1e 5b secret (32 octets):53 d7 91 87 9a 6b 33 f3 86 45 35 3bf4 58 19 79 77 70 fb 25 ec e8 ec 05 ce 3a 97 3e03 49 e5 e0 88 e4 0b 6c 37c3 30 47 0012 0c 80 04 25 d3 d5 e9 9f5c 29 fd f8 b0 3d 35 73 ba 3b 8b 6d {server} derive secret "tls13 c hs traffic": PRK (32 octets):53 d7 91 87 9a 6b 33 f3 86 45 35 3bf4 58 19 79 77 70 fb 25 ec e8 ec 05 ce 3a 97 3e03 49 e5 e0 88 e4 0b 6c 37c3 30 47 0012 0c 80 04 25 d3 d5 e9 9f5c 29 fd f8 b0 3d 35 73 ba 3b 8b 6d hash (32 octets): b4 76 d4 d5 07 36 d3 7aa62a ed 25 98 2a 10 6e ec 8c 28 f363 a4 49 35 45 a9 31 9b da 72 05 5957 ef 19 8ce1 5c bc 83 48 40 ce 04 c0 0e 8f 96 0b 27 80 7bb6 1d e4 a1 3b a2 78 1f 8d info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 61 66 66 69 63 20 b4 76 d4 d5 07 36 d3 7aa62a ed 25 98 2a 10 6e ec 8c 28 f363 a4 49 35 45 a9 31 9b da 72 05 5957 ef 19 8ce1 5c bc 83 48 40 ce 04 c0 0e 8f 96 0b 27 80 7bb6 1d e4 a1 3b a2 78 1f 8d output (32 octets):e8 d406 bd cc 2f 05 32 35 23 70 af 13 71 84 d5 66 31 4a cb 81 bb93 8c a3 de 6d 1d 7ce1 d2 98 02 f5 7801 a5 57 20 aa df cd 34 2d c8 a4 47 04 1d 21 7c 83 c8 df f3 94ef 1e 43 72 26 35 {server} derive secret "tls13 s hs traffic": PRK (32 octets):53 d7 91 87 9a 6b 33 f3 86 45 35 3bf4 58 19 79 77 70 fb 25 ec e8 ec 05 ce 3a 97 3e03 49 e5 e0 88 e4 0b 6c 37c3 30 47 0012 0c 80 04 25 d3 d5 e9 9f5c 29 fd f8 b0 3d 35 73 ba 3b 8b 6d hash (32 octets): b4 76 d4 d5 07 36 d3 7aa62a ed 25 98 2a 10 6e ec 8c 28 f363 a4 49 35 45 a9 31 9b da 72 05 5957 ef 19 8ce1 5c bc 83 48 40 ce 04 c0 0e 8f 96 0b 27 80 7bb6 1d e4 a1 3b a2 78 1f 8d info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 61 66 66 69 63 20 b4 76 d4 d5 07 36 d3 7aa62a ed 25 98 2a 10 6e ec 8c 28 f363 a4 49 35 45 a9 31 9b da 72 05 5957 ef 19 8ce1 5c bc 83 48 40 ce 04 c0 0e 8f 96 0b 27 80 7bb6 1d e4 a1 3b a2 78 1f 8d output (32 octets):8b fc e8 b0 11 4e ac cd 83 64 68bb 5b 26 0b 1a b5e4 60 30 fd 32 1c 37 20 7a 41 cd 22 66 4f 56 53 14 f2ab eb 1b 23 63 39 ad c3 90 39 1e05dc 93 38 80 54 eb 6b d6 87 79 d1 38 40 61 f7 {server} derive secret for master "tls13 derived": PRK (32 octets):53 d7 91 87 9a 6b 33 f3 86 45 35 3bf4 58 19 79 77 70 fb 25 ec e8 ec 05 ce 3a 97 3e03 49 e5 e0 88 e4 0b 6c 37c3 30 47 0012 0c 80 04 25 d3 d5 e9 9f5c 29 fd f8 b0 3d 35 73 ba 3b 8b 6d hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets):6f d8 3c 95 03 f0 45 fb a0 08 69 a3 23 2230 5e e3 40 d4 47 ef 6d 280f 38 85 3f cd 95 15 f1 3c e5 09 60 f026 2a b4 9f 3a f7 b0 2c e2 ff db c1 25 fb da 8a 36 45 f4 6f 79 04 e600 24 84{server} extract secret "master": salt (32 octets):6f d8 3c 95 03 f0 45 fb a0 08 69 a3 23 2230 5e e3 40 d4 47 ef 6d 280f 38 85 3f cd 95 15 f1 3c e5 09 60 f026 2a b4 9f 3a f7 b0 2c e2 ff db c1 25 fb da 8a 36 45 f4 6f 79 04 e600 24 84ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets):86 05 00 52 9e e3 a6 0a 26 44 3e 62 2a 4c 00 0a b3 ff 0dc5 e8 54 45 75 ea05 05 5c c322 fb 0b 25 bc d1 72 1c c7 56 edf3 bf 0194 9c f711 db ba7c 56 d4 24 b6 d2 eb d3 4b a7 4c ee {server} send handshake record: payload (90 octets): 02 00 00 56 03 030b 21 fe 7a 05 5c 66 77d8 ef 9b d4 2a f5 87 b5 27 30 bd c6 677b 21 e0 7d fc4a 66 bf e4 04 1a 57 ef de 4f 63 9c c2 4c 22 f965 92 1c 5c 3e 0c c8 85 b1 71 5e 2e 01 a8 91 3de9 77 77 00 13 01 00 00 2e 002833 00 24 00 1d 00 20b5 89 13 10 62 da ed c2 12 1b b7 5c 36 88 0b 71 12 c1 96 7f fe 17 db 5f a7 ef ef 22 90c5 4d 65 0c e2 52 6e 901e 3d24 f2 a3 68 9e 3b 82 58 87 e5 82 b6 c0 e6 07 75 dd a0 bd 2f 8a 5b 6d 53 00 2b 00 02 7f161c ciphertext (95 octets): 16 03 03 00 5a 02 00 00 56 03 030b 21 fe 7a 05 5c 66 77d8 ef 9b d4 2a f5 87 b5 27 30 bd c6 677b 21 e0 7d fc4a 66 bf e4 04 1a 57 ef de 4f 63 9c c2 4c 22 f965 92 1c 5c 3e 0c c8 85 b1 71 5e 2e 01 a8 91 3de9 77 77 00 13 01 00 00 2e 002833 00 24 00 1d 00 20b5 89 13 10 62 da ed c2 12 1b b7 5c 36 88 0b 71 12 c1 96 7f fe 17 db 5f a7 ef ef 22 90c5 4d 65 0c e2 52 6e 901e 3d24 f2 a3 68 9e 3b 82 58 87 e5 82 b6 c0 e6 07 75 dd a0 bd 2f 8a 5b 6d 53 00 2b 00 02 7f 1c {server} derive write traffic keys for handshake data: PRK (32 octets): bb 5b 26 0b 1a b5 ab eb 1b 23 63 39 ad c3 90 39 1e dc 93 38 80 54 eb 6b d6 87 79 d1 38 40 61 f7 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets): 44 f7 bd 7a d2 f2 13 b2 94 7b c7 29 be 6f b7 c4 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets): 38 29 95 dc ff fc c2 32 16 86 39 75 {server} send a EncryptedExtensions handshake message {server} send a CertificateRequest handshake message {server} send a Certificate handshake message {server} send a CertificateVerify handshake message {server} calculate finished "tls13 finished": PRK (32 octets):8b fc e8 b0 11 4e ac cd 83 64 68bb 5b 26 0b 1a b5e4 60 30 fd 32 1c 37 20 7a 41 cd 22 66 4f 56 53 14 f2ab eb 1b 23 63 39 ad c3 90 39 1e05dc 93 38 80 54 eb 6b d6 87 79 d1 38 40 61 f7 hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets):23 48 7f 1e 47 29 a3 ef 3d fbc7 68 70 3c 8c 1f 97 a6 f7 6c e161 bd 0c d1 c0 42 51 86 74 be 62 54 5b f16225 7a d7 d9 4e 9dac 22 08 c4 d4 72 f3 eb 2d 72 71 1c 0f 2f b7 36 de 45 3e b9 {server} send a Finished handshake message {server} send handshake record: payload(512(510 octets): 08 00 00 1e 00 1c 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 0d 00 00 27 00 00 24 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 0b 00 01 3b 00 00 01 37 00 01 32 30 82 01 2e 30 81 d5 a0 03 02 01 02 02 01 07 30 0a 06 08 2a 86 48 ce 3d 04 03 02 30 13 31 11 30 0f 06 03 55 04 03 13 08 65 63 64 73 61 32 35 36 30 1e 17 0d 31 36 30 37 33 30 30 31 32 34 30 30 5a 17 0d 32 36 30 37 33 30 30 31 32 34 30 30 5a 30 13 31 11 30 0f 06 03 55 04 03 13 08 65 63 64 73 61 32 35 36 30 59 30 13 06 07 2a 86 48 ce 3d 02 01 06 08 2a 86 48 ce 3d 03 01 07 03 42 00 04 08 d5 30 16 15 75 f4 cf e7 f1 54 ee 34 48 18 00 86 00 1e 88 43 1a 79 ee 62 ee 6e 2f 83 ef 38 ba 61 e9 fb 37 f3 4e 00 7a 7d f4 d2 f5 b5 6d 1f 04 ec e4 5d 62 1f 46 84 06 f5 c3 a1 51 58 94 8d d0 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 07 80 30 0a 06 08 2a 86 48 ce 3d 04 03 02 03 48 00 30 45 02 21 00 df 30 fd 45 07 f5 ed d2 2c 1a 6f f8 6d b4 79 ca 69 3f ee ca 3b 71 b3 f9 ef 55 6b 29 37 c0 59 4d 02 20 62 e2 a4 72 50 d3 20 fe a8 3c 7e 2d cb 5b 76 a5 0e 02 00 c0 9a db d1 3f ee 94 6e 51 3e 01 1d 11 00 00 0f 00 004c4a 04 03 0048 30 46 02 21 00 f746ae b2 e0 10 2f 37 94 0d d8 90 2b 0a 80 63 33 b7 63 69 06 28 9b ae f0 a9 7d 92 12 ab 1430 44 022120 30 e4 bf a4 27 2e fb 5c 47 f7 a8 95 68 62 19 07 5d a8 59 00 a1 83 51 88 a7 dc 8131 62 2d 82 7b ce 23 d504c77e f81e 2a 78 d7 fb d6 59 fa 09 e118 40 02 20 7f af cb e9 ab db 07 6d 0d b8 ed 0e fe 2c 90 17 47 3d a6 99 4f e74c 5a 74 b9 b0 e5 5f40 21 15 e8 3e d3 99 04 3c 7f 14 00 00 20c6ab a1 88 14 12 63 9b 3b 55 a5 c3 9b a4 57 c0d6 02 f0 3c e57f 44 926cb7 64 74 0c 52 6d 57 9e53 05 04 a0 0a 5f d583 98 4097 5d de c4 6a fd 8a 18 fa 20 85 17 08 d65b ec 1c ciphertext(534(532 octets): 17 03 03 0211 17 bf 02 f60f e7 f9 f2 8e 34 e1 1e 5c 23 32 33 8e 43 43 e3 2f e5be bf f8 97 3f de17 0e 24 cf d2 64 45 c3 58 79 45 3d 2a 55 40 45 0f 90 73 32 b6 7b 7a 87 36 bd 32 29 39 c9 47 e8 ff 5c 3a bb 07 ac b8 95 91 4e 0e 3e 2e 2e 3d 0e bb 71 b9 31 58 5f0c cd 77 d7 5e 02 12 69 d8 47 5d 82 a4 26 74 bf e310 6c 5b b7 f9 c7a2 89 6f 63 42 3a aa 5f e2 b2 f8 96 6a 858d 86 91 76 5c 52 7a bb 61cb 25 f4 c4 e2 8e c2 df 74 64 85 cf 64 fd f4 2804 12 97 9a c3 6d 63 22 cd e6fb c9 02 49 89 3a 62 a8 15a4 64 38 c57a f9 8d 03 73 44 4f 90 85 40a9 ac b0 d1 96 15 4d a1 ec fe f3 d8 1ce2 5f 4b fb 30 e9 99 8541 c9 9b 39 6ab0 eb 87 70 ef b0 1a cb 7e 30 c3 be d5 3d a3 03 32 b7 dc 1b 31 78 89 49 a8df 7f 47 b5 29 09 72 b6 e4 c1 73 94 af 0571 4a0681 75 4bf1 41d4 57 93 c8 b8 28 2937 c1 b19f 6a fa91 7c a5 f1 e4 da 3a 61 8b eab5 bc c1 78 3d 0b 5e 39a8 6303c5 80 4e 1e 28 ce 2d f7 c4 3f 47 c4 6d c4 80 f2 1b 02 9a 62 b8 8a 57 58 8a 6d 677e8e 8d 3f 7f da f4 cf 16 18 b6 4d eb db fc73 26 5a 2c 0c cc 07 02 6f e0 9809 88 eb 40 92 ea 10 bb 0e ec 14 8f 62 463b47 03 f1 15 50 8d 77 05 5d 42 df de 74 42 7ee1 d7f6 89 c7e9 81a6 5f ff7c 89 61 d0 9d e7 fc be 92 77 98 25 98 a5 e9 0f 53 3a 231c bf a1 2c 5e1afa 2c e3 77 3d bf f2 a1 ea 2f 28 1d 8c be 97 83 41 e8 1d 4c f0 81 01fc 87 07 69 3e c3 ff 90 47 757b 00 b2 1d 13 36 29 7c 99 19 6a 55 f9 c6 2f 78 04 dc fe 20 ee 03 34 ab 7b 5287 91 74 655f 6a 67 f6 ed dc cf d3a6 44 12 2c 73 6c 1f e5 98 a2 a9 45 87 c3 d2 4f32 af 0c e6 86 3e eb 0c b8 e3 2b f1 6ad2 18 97 2d 99 38 c0 89 42 ce 28 64 20 db a4 3a 39 84 46 55 5f 3b 12 d024 845b e9 c8 fe 0c 8d 71 f6 99 97 b7 08 b7 51 9c 7b 78 70 98 5dad45 89 40 a5 8f e4 1a 93 be 45 1f 31 08 42 7a d7 fd1d c6 de 4e 3a6f 27 ef e0 9f 35 d4 ad b3 a5 61b341 87ad07 59 9078 43 04 fc d2 62 65 b4 ef 5f aca8 b1 4c ecd6 6e 21cd c3 1b 78 e8 bb b8 e087 30d7 f7 c8 0c 56 dc 7c 2f f8 b5 53 0f 95 8c 0f ab 81 3b c8 3e b3 d7 a9 72 5d 36 0fb2d8 33 7c df c9 3c b3 d7 ed ea ea 75b4 98 06 fd 75cd cc 43 64 a1 a9 f2 19 e4 aee5 e1 a93c c0 6e 2a 31 51 a8 c7 f0 ef 15 16 a2 fd 34 1a bf b5 b3 9f 32e8 9e 70 06 7b 9b fa b4 52 9e 01 7c6b 31 54 33 6e 5c 6e 94 ed 2c c2 ca 95 ff 69 d4 25 48 3c 63 d2 a40460 b0 03 c0 4a b6 f5 bf 0e dc 3c 4e 6672 21 d8 99 77 d3 cc 25 b1 be 85 5c ae e1 bc 5d e8 20 9a 37 75 c9 79 2c 78 00 a7 6f 62 c2 24 b8 90 9c ffff 1a 4dbd 94 d7 c8 38 f4 d9 5e 2c a6 d2 6e 8e ae84 7b 17 b8 e5 ea 2b b5 47 e0 5f e3 8a0fdc 63 780c 7b ac f3 85 1c 31 1f b1 fdcf 45 5c b9 92 170c 19 72 80 61 8fe6 12 9d bd a3 49 a443 c56ced ba b5 d31e6d 50 59 cb 7a e5 04ab bc 4c 5df4 cc 2df542 f9 81 83 eb eb a6 e3 70 35 d6 bd 45 fc 64 f3 50 ef 15 6e 7e e0 15 ce 0d d6 c8 9e 23 0b aa 54 33 5b 46 0c06fd 0475 ec 11 8b 0e 3d 82 f0 79 cb 5e ec 44 1f c1 f1 783b 21 cc a2 66 72 2c c6 4b 92 e8 67 42 a9 51 67 c7 88db f7 9b 04 f4 fa4d fb 61 f8 88 90 4f 73 1e f8 3c 52 4d f9 27 18 86 06 89 8b ea e5 2d 87 88 98 d1 88 29 2e 39ab be 4f 65 c4 b6 26fa 15 73 7f f2 85 435c c8 dc59 b0 {server} derive secret "tls13 c ap traffic": PRK (32 octets):86 05 00 52 9e e3 a6 0a 26 44 3e 62 2a 4c 00 0a b3 ff 0dc5 e8 54 45 75 ea05 05 5c c322 fb 0b 25 bc d1 72 1c c7 56 edf3 bf 0194 9c f711 db ba7c 56 d4 24 b6 d2 eb d3 4b a7 4c ee hash (32 octets):35 56 64 82 3a 07 6c 67 8f 60 11 3d f2 c4 fa 18 3e 44 c0 0b 0a 94 38 c7 93 d2eb b3 96e9 2a 76 e3 0615 37 1e 46 21 1d 85 43 f4 0b c5 05 b8 80 16 8c 02 d3 d8 37 ca 46 58 5a 19 98 b0 34 56 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 61 66 66 69 63 2035 56 64 82 3a 07 6c 67 8f 60 11 3d f2 c4 fa 18 3e 44 c0 0b 0a 94 38 c7 93 d2eb b3 96e9 2a 76 e3 0615 37 1e 46 21 1d 85 43 f4 0b c5 05 b8 80 16 8c 02 d3 d8 37 ca 46 58 5a 19 98 b0 34 56 output (32 octets):49 94 c4 1b d3 5f 90 84 9c da c8 1c ee eb 48 cf 0aa7 95 27 3b d4 3f 76 6c 34 b0 dd 5e 57 12 9d cb 6a 62 53 d4 2508 9c da 15 66 d0 c8 51 ce 42 67 55 0e 4239 69 f8 43 fc 64 db fb 4d e8 d1 {server} derive secret "tls13 s ap traffic": PRK (32 octets):86 05 00 52 9e e3 a6 0a 26 44 3e 62 2a 4c 00 0a b3 ff 0dc5 e8 54 45 75 ea05 05 5c c322 fb 0b 25 bc d1 72 1c c7 56 edf3 bf 0194 9c f711 db ba7c 56 d4 24 b6 d2 eb d3 4b a7 4c ee hash (32 octets):35 56 64 82 3a 07 6c 67 8f 60 11 3d f2 c4 fa 18 3e 44 c0 0b 0a 94 38 c7 93 d2eb b3 96e9 2a 76 e3 0615 37 1e 46 21 1d 85 43 f4 0b c5 05 b8 80 16 8c 02 d3 d8 37 ca 46 58 5a 19 98 b0 34 56 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 61 66 66 69 63 2035 56 64 82 3a 07 6c 67 8f 60 11 3d f2 c4 fa 18 3e 44 c0 0b 0a 94 38 c7 93 d2eb b3 96e9 2a 76 e3 0615 37 1e 46 21 1d 85 43 f4 0b c5 05 b8 80 16 8c 02 d3 d8 37 ca 46 58 5a 19 98 b0 34 56 output (32 octets): 92 e7 e7 0494 45 e63b 35 7d 6c a6 cab5 c5 4c 87 af 8a d9 c9ba 36 0e f1 4fc1 28 14 f5 4c 22 bb c4 6a 08 5e 9e 3f 55 91 1e 77 0cb9 c6 f8 0b f2 f4 b4 26 f2 e5 8d 62 96 79 b7 41 aa {server} derive secret "tls13 exp master": PRK (32 octets):86 05 00 52 9e e3 a6 0a 26 44 3e 62 2a 4c 00 0a b3 ff 0dc5 e8 54 45 75 ea05 05 5c c322 fb 0b 25 bc d1 72 1c c7 56 edf3 bf 0194 9c f711 db ba7c 56 d4 24 b6 d2 eb d3 4b a7 4c ee hash (32 octets):35 56 64 82 3a 07 6c 67 8f 60 11 3d f2 c4 fa 18 3e 44 c0 0b 0a 94 38 c7 93 d2eb b3 96e9 2a 76 e3 0615 37 1e 46 21 1d 85 43 f4 0b c5 05 b8 80 16 8c 02 d3 d8 37 ca 46 58 5a 19 98 b0 34 56 info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 74 65 72 2035eb b3 96 15 37 1e 46 21 1d 85 43 f4 0b c5 05 b8 80 16 8c 02 d3 d8 37 ca 46 58 5a 19 98 b0 34 5664 82 3a 07 6c 67output (32 octets): ae a4 f5 ae fb fd 28 fd 24 34 e1 75 96 b2 98 21 65 bc fd db cb 01 8f60 11 3d f2 c4 fa 18 3e 44 c022 81 2f 1d 1e d9 37 08 ac {server} derive write traffic keys for application data: PRK (32 octets): 92 e7 e7 04 3b 35 7d 6c a6 ca ba 36 0e f1 4f b9 c6 f8 0b0a 94 38 c7 93 d2f2 f4 b4 26 f2 e5 8d 62 96e9 2a 76 e379 b7 41 aa key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets): b5 02 c5 17 59 fd 20 90 ef 80 f0 b6 d5 3d 1d 06 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets): 19 46 48 8e ca 45 0f 53 3b eb 59 3e {server} derive read traffic keys for handshake data: PRK (32 octets): 06 bd cc 2f 05 32 35 23 70 af 13 71 8469 2c 16 37 b0 91 ce 55d5 66 31 4a cb 81 bb e1 d2 98 02 f5 78 ef 1e 43 72 26 35 key info (13 octets): 00 10 09 74 6c 737a bc e2 46 9b31 33 20 6b 65 79 00 key output (16 octets): 72 ff ef 49 b3 34 ca dc c9 bf ec ee ae 2f 7e d5 iv info (12 octets): 00 0c 08 745c f4 77 80 ea d7 68 be 99 35 59 2c 16 0d 0d 576c 73 31 33 20 69 76 00 iv output (12 octets): 6b 89 8b 86 fe 32 91 19 81 ef 9f 03 {client} extract secret "early": salt: (absent) ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a {client} derive secret for handshake "tls13 derived": PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba {client} extract secret "handshake": salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba ikm (32 octets):94 2f 83 fa ee 2f ad ad 24 2e eb fb c7 a6 6d 5e c7 71 04 b1 3c d4 9749 a2 14 3a 0c 4b 7c a4 e9 c1 3a 6f 64 93 88 ec 4d 34 87 b5 dc d0 68 37 bd 5c 41 23 a2 e0b1 0d 9d 70 69 1d e8 6a1e 5b secret (32 octets):53 d7 91 87 9a 6b 33 f3 86 45 35 3bf4 58 19 79 77 70 fb 25 ec e8 ec 05 ce 3a 97 3e03 49 e5 e0 88 e4 0b 6c 37c3 30 47 0012 0c 80 04 25 d3 d5 e9 9f5c 29 fd f8 b0 3d 35 73 ba 3b 8b 6d {client} derive secret "tls13 c hs traffic" (same as server) {client} derive secret "tls13 s hs traffic" (same as server) {client} derive secret for master "tls13 derived" (same as server) {client} extract secret "master" (same as server) {client} derive read traffic keys for handshake data: PRK (32 octets): bb 5b 26 0b 1a b5 ab eb 1b 23 63 39 ad c3 90 39 1e dc 93 38 80 54 eb 6b d6 87 79 d1 38 40 61 f7 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets): 44 f7 bd 7a d2 f2 13 b2 94 7b c7 29 be 6f b7 c4 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets): 38 29 95 dc ff fc c2 32 16 86 39 75 {client} calculate finished "tls13 finished" (same as server) {client} derive secret "tls13 c ap traffic" (same as server) {client} derive secret "tls13 s ap traffic" (same as server) {client} derive secret "tls13 exp master" (same as server) {client} derive write traffic keys for handshake data (same as server read traffic keys) {client} derive read traffic keys for application data (same as server write traffic keys) {client} send a Certificate handshake message {client} send a CertificateVerify handshake message {client} calculate finished "tls13 finished": PRK (32 octets):e8 d406 bd cc 2f 05 32 35 23 70 af 13 71 84 d5 66 31 4a cb 81 bb93 8c a3 de 6d 1d 7ce1 d2 98 02 f5 7801 a5 57 20 aa df cd 34 2d c8 a4 47 04 1d 21 7c 83 c8 df f3 94ef 1e 43 72 26 35 hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets):03 c1 ff eb e1 ec af c187 1c e8 63 61 9c 37 09 02 b2 fc aa 08 1694 42 a3 5f b7 8c 4a f4 3d 55 4e c8 5b 94 ae 3f e9 1868 db 0f c5 32 8b bc 3f54 55 f1 840e df 74 66 01 e3 ad e7 d2 a2 {client} send a Finished handshake message {client} send handshake record: payload (623 octets): 0b 00 01 bf 00 00 01 bb 00 01 b6 30 82 01 b2 30 82 01 1b a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 11 31 0f 30 0d 06 03 55 04 03 13 06 63 6c 69 65 6e 74 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 11 31 0f 30 0d 06 03 55 04 03 13 06 63 6c 69 65 6e 74 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 c3 81 75 e0 04 a6 8d 09 3f 82 3b 9c 37 9d 20 1f bc 0b b7 a1 c7 91 90 5e 3f bf 76 84 7e 44 e7 51 eb bc d3 60 bd 94 5c 81 e5 22 2b cc 88 46 d3 a8 a0 f9 3e 9b f5 be ba bd 92 ed f1 de 1f f1 90 21 70 3e 7a b6 c0 90 15 13 f9 7e 39 b1 11 f0 9c 93 48 97 1c 7b 21 19 84 a7 54 cd 45 fe 09 5a f0 ea 42 36 82 9b cc f7 a7 fe 9b 28 88 e7 8a b4 77 69 0a 5b 9e 1c cb e9 1c 6a 4a 0f 97 a7 e0 28 42 01 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 07 80 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 1a 7a 5a 01 85 32 b0 22 af 07 67 d4 86 16 0c ff 2d 16 7a 19 15 d2 38 35 b5 45 94 91 6d c6 80 be 5d 2e 62 60 76 c5 d5 27 22 eb cc 77 5d 7d 99 f9 80 be 2f c9 4d 34 ac f6 cc 00 ba 90 cb cf b0 60 8a a1 e7 e3 97 1e f0 c0 7a 41 d4 7a d8 34 5d 1f 81 fe 41 8a 1c f4 10 54 42 9f d2 17 bd 77 7d c1 cf 08 f0 5d f9 07 99 c6 59 36 1e 0f 1a 8e e4 ac 0f 78 97 42 0b db c8 23 da 80 a2 f2 ba 23 08 1c 00 00 0f 00 00 84 08 04 00 8084 10 d9 4d 75 9a c5 a1 87 9c 61 71 49 48 04 09 7f 9d 94 6f 41 e0 02 2a 66 ee 8e 0d 3b bc f4 37 c2 6f db8c 72 81 c7 26 a8 cb1d b62e 3e 17 d1 22 7f 3a 56 77 6945 94 f9 01 71 82 e2 80 5c 1a 68 24f4 31 a0 9c e106 d1 86 dd 4237 f9 18 83 11 6c 53604c d2 09 8914 3d 06 12 ec 33 08 50 2c d5 a1 54 3e 82 fb 9d b5 58 7e 54 07 6e 18 7a d6 ad40 27 9b89 35 42 a7 54a9 1df0 47 49dc d7 17 7ffb71 70 59 43 1b d6 c5 0b 24 77 7f 55 6d 2f bf e4 8d c4 b9 6ce2 5d df f8 fd e7 ed 8a 676b 5f bd cb 4c 57 5a 58 88 98f2 b7 dec6 e1 48 ef 5f af dd 2c 1f ee a5 3f 56 72 f0 aa b4 1f 9a 22 cb fa e4 e0 8b 29 5b 14 99 c4 71 a8d9 f9 676a 86 65 55 92 f0 f6 a0 43 d3 fd 84 05 0e 7b b4 b7 6f 9f 26 7615 3a 3d 01 9c 5a cc af 97c7 12 9a 14 00 00 2049 3e e4 87 b7 fc 2b f534 ef 9a 48 bb 59 75 19b7 cd 2b 6b 33 b5 0f 5b e6 d5 23 3712 14 15 7f 60 73 9f 40 9a a496 2e 39 d0 ec 13 92f0 0b 68 b7 9e 1d ee d2 91 e5 09 768032 df ciphertext (645 octets): 17 03 03 02 804d 75 abbd 53 8f1d 72 06 a6 3e 00 ac cd 41 c6 aa d6 3f e1 4d df 208a 51 8e 53 29 91 44 38 97 428f 59 68 d7 fc 60 61 2f d2 5f f6f7 be 7c e8 d5 cc bc dc 49 7e 99 7e fb eb 45 60 ae82 c6 2e 3b 1e 6b 0d 07 d4 26 ae d43fa8 1f c2 76ac ab 2f 07 82 53 1a 3a ed 1543 92 5d 9a9b 74 88 41 04 dc 95 9b 90 63 7d 8c53f5 a6 24 25 d5 f3 b7 16 57b2 0d 5d f1 7d fe 67 7d 8f df 7c6b b35f 07 48c0 13 99 92 62 0b 91 ee 02a0 c5 5a 12 31 de a8 d4 27 1dfa5f 5d 65 21 a4 f4 67 c4 78 5d b0 54 1d f1 fb 84 8f 8b 0102 32 3c 8c 3e c9 e68d cb 9c 63 a3 86 3a 6b d3 e8 8d b5 a3 67 34 53 2d f3 68 b0 f5 7a 12 b5 65 94 b2a6 d1 cc 3b 4a e16b 69 4e 5c e6 c1 e6 f3 ab 6f 1f a0 a9 f5 40 e3 80 2d 6b f2 4f eb e4 2b 72 1f 13 ab 80 90 f1 54 e4 14 54 72 f9 1b 9a fe d6 c5 b4 5137 94 38 da c9 17 397e a0 fd8d c9 5c 33 94 198cf7 b4 c0 a8 4e 0448 af7344 42 91 57 43 11 53af 06 50 4d22 91 07 65 9b 88 00 5c f0 51 db 32 70 83 44 4c 2c 00 14dc e922 a2 bd 94 a2df 3d 7e b5 a5 3e dd 17 8d 2a 4f 83 c9d8 40 70 7b 4c 76 0c 56 ff 09 362f fa d2 3e 8c 28 a6 17 94 f3 c8 45 96 b1b7 ad77 0e c5 b4 ec 1f a4 0a 06 8c76 f7 bf c2e0 40 61 dc8b 75 19 d2 29 ad 7b a5 6d 0a 16 1280 1b d056 f8 78 da 5a b9 91 c9 ce 3dd3 a7 d044 62 8c 5a 0f ab 4d 51 14 af 7f 95 7e f1 f5 27 05 6b 5d73 10 0d c6 e7 42 7d aa 0c 9b 8d 2f 4e 160e 8b b2 ad 6d b0 a9 3b e2c4 e4 3c5f 68 7e 0a 28 ec 76 32 a2 1f 24 4f 9e ac 1d 0484 16 22 b4 ae e1 5e c7 e3 3a c1 b6 4ff9 2d 3c 1f b1 8e74 85 7e 89 82 f81a bb cf 38 08 24 d4 cb 1c e4 51 7a d6 c1 45 f0 56 8b 41 b985 3d 9a 5e 36 96 9d ad 2665 68 ac 23 1e c9 48 eb b3 32 1f 5f b0 14 36 21 af 9b 3c e7 51 7b08 b6 88e0 71 c6 17 4b 7b 051f cc 27 a7bf39 aa 29 9a cea2 d9 e2 50 16 1a f7 0f 93c4 73a9 c2 fc 2d 41 06 85 52 38 bc 54 f0 78 40 6c 75 82 7a 46 1e c2 c3 59 19 f6 75 16 44 fd ce b6 11 31 3ef7 d9 f5 73 4e 5b 24 d9 570930 4a a5 6b 06 1c be 70 b52b 32 69 24 12 32 920f 3f 20 3a d1bd 9d 1d 19 2f 6d 4d d6 bd e8 f3 c8 2c 30 49 f4 f6 dd f7 4d 18 4d 7264 ca 62 7657 9f7d 9d 2b 7c dc 7c ce90 a6 6b bd 6b 50 17 82 6d cd 0d 31 25 bc a5 479d 05 dfb2 f9 ab 53ec 43fd a4 2a bb eb 5b f9 ca 6d 02 45 8e 7e 7b af 21 04 70 e5 e6 93 ee a4 c2 ca 50 2f e8 e6dc a6 9a d478 7b 57 18 6d 85 40 7d df 0d 5e 0c 8a be 1a 73 46 d6 cd 30 86 5a c5 fc 9d f2 d3 8e 84 1e f3 67 91 be e0 dd 3a 1a 95 b9 c32d3e 8e 97 04 c8 7b fe bd 35 eaf5cb db 4a 72 32 46 827a 09 3d 0a e0 b6 e0 a9 40 dc 0e dc 04a5 75 63 2c ed2776 70 6c d5 02 a5 66 d1 30 c1 ab 40 9a 1c e4 ab 08 c58c04ae75 33 94 8b 63 4b fffe f8 ec 26 8f 29 5c 9c cc 76 3e 38 f2 f1 e1 dd 7f d6 145417 b691aa bc 31 a1e994 0b 96 1e ba 3e 85 cd 58 23 fa e7 28 99 9d ec f1 b0 7c cc a4 72 94 88 f1 c7 d1 ab e2 56 88 17 ad 19 4f 71 f5 16 cc 30 28 fa 6e 38 a1 8f 40 e3 bf 68 41 88 84 c6 94 5a de54 85 7e 12 05 65 fc bc 6e 3d 01 ed fa 7a07 51 b0 abc5 f9fe 09 d5 1d 4e 3b d9 95 b5 50 b5 da 84 61 79 30 a5 98 89 19 56 3d 2c b2 96 ec d9 1b a6 cd d1 09 1c ff d8 d9 14 b3 78 1a 43 3e e7 67 03 19 ca ed 45b4d5 83 de 8b 66 b3 49 3e df22 50 c0 {client} derive secret "tls13 res master": PRK (32 octets): 86 05 00 52 9e82 bc d9 14 ba ce e3a6 0a 26 44 3e 6206 22 2a4c 00 0a b33b 34 de 7f 1c a4 85 7b 9c 9d 19 72 b9 7a a8 26 34 01 be db 19 3b 20 1d f8 dc 33 e3 e9 d6 a6 b8 b0 bc be d3 02 36 08 9a 19 7d 18 8f 21 a0 72 ec 42 7e 5a b8 e5 62 3c 4c 2e 84 ad 88 91 ff 9f b1 68 69 a3 69 63 0dea 05 05 5c c3a6 5b f5 0d 4a 6c 92 fa fc 7d 3f b3 00 7e dc b7 7b 55 82 9f 06 ac 49 9f 6a 9b 2a 26 9d a0 ef 27 67 29 c9 37 84 db 6d 0c 81 e7 d6 2a e6 8a d5 c5 6a db 21 40 a1 1a 6a ed 8c 35 e7 9f ab 13 5d 37 79 d9 9e 9f 8e a4 58 c7 7f 9f 15 f1 53 7c 4c 16 25 fb f3bf 01 f7 11d7 6c d1 a2 d9 e5 39 a0 34 26 70 9b 69 32 33 2d 66 76 c4 e6 71 0a 73 d8 1e e5 57 c4 39 81 99 7d 89 74 c2 51 b4 d5 4f 4b cd bc 61 a8 fc c4 a0 d3 ba a6 c0 a6 0a {client} derive write traffic keys for application data: PRK (32 octets): a7 95 27 3b d4 3f 76 6c 34 b0 dd 5e 57 12 9d cb 6a 62 53 d4 25 39 69 f8 43 fc 64 db fb 4d e8 d1 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets): 99 a9 9b 02 57 00 7a b1 61 ba cf 9d e9 80 30 5b iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets): 4a f0 6c c7 ce be e4 bc ff e2 0d 0d {client} derive secret "tls13 res master": PRK (32 octets): c5 e8 54 45 75 ea 22 fb 0b 25 bc d1 72 1c c7 56 ed 94 9c f7 7c 56 d4 24 b6 d2 eb d3 4b a7 4c ee hash (32 octets): 52 fc a8 f6 61 6c 96 7f 0e 93 42 dd ab 79 03 1d 64 cf 07 e3 56 f4 75 13 33 1c 37 05 61 94 9b ff info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 74 65 72 20 52 fc a8 f6 61 6c 96 7f 0e 93 42 dd ab 79 03 1d 64 cf 07 e3 56 f4 75 13 33 1c 37 05 61 94 9b ff output (32 octets): 8b 90 6f 3a d8 2d ba 92 f6 b9 ad 03 7f 71 e3 f4 70 eb f4 63 68 7a 2c 92 ec ee ca 3a 22 52 be af {server} calculate finished "tls13 finished" (same as client) {server} derive read traffic keys for application data (same as client write traffic keys) {server} derive secret "tls13 res master" (same as client) {client} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 13 43 c0 93 e4 62 a8 18 6c fe a7 1e 94 46 ff ba bd e7 3b 79 {server} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 13 8e d0 6a 3a 56 ab b0 fb 05 04 ed 3b 3f f9 1d 8c 93 77 8e 7. Compatibility Mode This example shows use of the handshake with the client requesting that the server use compatibility mode as defined in Appendix D.4 of [TLS13]. {client} create an ephemeral x25519 key pair: private key (32 octets): 90 d4 67 c3 48 e3 d2 4d 7e bb 3d d0 4c 46 16 9a 16 bb 64 ec 6c d3 4d 56 45 ee ac 7c 2f 02 c9 b5 public key (32 octets): 17 6f 7c 2d4e126e36 9d 89 37 4c ae 31 9c 36 34 ca 43 0f 82 d6 89 60 90 9b ef 1d 87 ad 1e 9d 32 32 {client} send a ClientHello handshake message {client} send handshake record: payload (218 octets): 01 00 00 d6 03 03 54 dd 27 fd c8 0f 86 ea a7 d3 79 87 46 736258 44 60 31 0f 38 aa ec 8f e9 3d 6c 32 b8 c0 0b e1 9c 20 ae2f8b b2 af 77 86 0c f6 9d 70 e9 70 b6 29 81 c5 25 56 65 9d 47 33 c2 ab e8 54 86 3e fe 09 ea3c b9 1f86 00 06 13 01 13 03 13 02 01 00 00 87 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00 26 00 24 00 1d 00 20 17 6f 7c 2d 12 36 9d 89 37 4c ae 31 9c 36 34 ca 43 0f 82 d6 89 60 90 9b ef 1d 87 ad 1e 9d 32ec b0 f7 ba32 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 ciphertext (223 octets): 16 03 01 00 da 01 00 00 d6 03 03 54 dd 27 fd c8 0f 86 ea a7 d3 79 87 46 73 58 44 60c4 ee a4 4131 0f8038 aa ec 8f e9 3d 6c 32 b8 c0 0b e1 9c 20 ae 8b b2 af 77 86 0c f6 9d 70 e9 70 b6 29 81 c5 25 56 65 9d 47 33 c2 ab e8 54 86 3e fe 09 ea 86 00 06 13 01 13 03 13 02 01 00 00 87 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00 26 00 24 00 1d 00 20 17 6f 7c 2d 12 36 9d 89 37 4c ae 31 9c 36 34 ca 43 0f 82 d6 89 60 90 9b ef 1d 87 ad 1e 9d 32 32 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 {server} extract secret "early": salt: (absent) ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a {server} create an ephemeral x25519 key pair: private key (32 octets): 50 16 8d 5c 6e 6c a8 2d 2a a3 35 ba ae c1 bd 59 f5 19 94 ee 4a d9 79 86 5b 3d fa dc 3c 71 aa 22 public key (32 octets): 37 69 88 a2 1d dd bc 38 a2 e6 fc de 82 33 7a ff e6 79 a3 9c 3f e3 fb 5a 29 f9 5f 9f e8 e5 a0 42 {server} send a ServerHello handshake message {server} send handshake record: payload (122 octets): 02 00 00 76 03 03 21 c5 c5 ee bb d5 fc 32 cd 26 52 41 8e 6d 51 4b da df d0 51 e5 d4 37 e0 bf 0c 0a 31 8d 30 a4 b7 20 ae 8b b2 af 77 86 0c f6 9d 70 e9 70 b6 29 81 c5 25 56 65 9d 47 33 c2 ab e8 54 86 3e fe 09 ea 86 13 01 00 00 2e 00 33 00 24 00 1d 00 20 37 69 88 a2 1d dd bc 38 a2 e6 fc de 82 33 7a ff e6 79 a3 9c 3f e3 fb 5a 29 f9 5f 9f e8 e5 a0 42 00 2b 00 02 7f 1c ciphertext (127 octets): 16 03 03 00 7a 02 00 00 76 03 03 21 c5 c5 ee bb d5 fc 32 cd 26 52 41 8e 6d 51 4b da df d0 51 e5 d4 37 e0 bf 0c 0a 31 8d 30 a4 b7 20 ae 8b b2 af 77 86 0c f6 9d 70 e9 70 b6 29 81 c5 25 56 65 9d 47 33 c2 ab e8 54 86 3e fe 09 ea 86 13 01 00 00 2e 00 33 00 24 00 1d 00 20 37 69 88 a2 1d dd bc 38 a2 e6 fc de 82 33 7a ff e6 79 a3 9c 3f e3 fb 5a 29 f9 5f 9f e8 e5 a0 42 00 2b 00 02 7f 1c {server} send change_cipher_spec record: payload (1 octets): 01 ciphertext (6 octets): 14 03 03 00 01 01 {server} derive secret for handshake "tls13 derived": PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info(52(49 octets): 00 20100d 74 6c 73 31 33 20 64 65 72 69 76 657364 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba {server} extract secret "handshake": salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba ikm (32 octets): 18 5a df 44 30 f3 14 a4 a4 04 47 0e 5d d5 45 35 b3 cb 4f b7 9f 75 da 58 b6 fa f7 e2 cf ff f0 36 secret (32 octets): 50 9a 53 59 61 77 d3 24 94 53 e7 bf ac fe 6e 6d 1d be 83 7e d6 bd ab 06 d2 d8 97 59 33 b9 07 d9 {server} derive secret "tls13 c hs traffic": PRK (32 octets): 50 9a 53 59 61 77 d3 24 94 53 e7 bf ac fe 6e 6d 1d be 83 7e d6 bd ab 06 d2 d8 97 59 33 b9 07 d9 hash (32 octets): b3 8d da d9 ff b9 64 09 bb de 07 05 47 b4 c6 94 cc b7 9b 4a ed a1 71 a4 6f 09 2d 79 ae fb e7 4c info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 746572 61 66 66 69 63 207fb3 8d da d9 ff b9 64 09 bb de 07 05 47 b4 c6 94 cc b7 9b 4a ed a1 71 a4 6f 09 2d4e79 ae fb e7 4c output (32 octets): 4b 4c d4 8c 4f 39 9c 05 77 bd 73 11 5b b5 12 f1 af 4e 3c 65 fa da 60 d5 24 6b 3e 64 b5 7d c5 ec {server} derive secret "tls13 s hs traffic": PRK (32 octets): 50 9a 53 59 61 77 d3 24 94 53 e7 bf ac fe 6e73 626d 1d be 83 7e d6 bd ab 06 d2 d8 97 59 33 b9 07 d9 hash (32 octets): b3 8d da d9 ff b9 64 09 bb de 07 05 47 b4 c6 94 cc b7 9b 4a ed a1 71 a4 6f 09 2d 79 ae2f ea 3cfb e7 4c info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 61 66 66 69 63 20 b3 8d da d9 ff b9 64 09 bb de 07 05 47 b4 c6 94 cc b7 9b 4a ed a1 71 a4 6f 09 2d 79 ae fb e7 4c output (32 octets): 2c e0 bf ee 1c 9c bf 77 3a 21 40 b1 4b 14 a0 8c 65 de ee 09 4a bc db 0f 01 8a 1d 50 33 1f32 ec30 cd {server} derive secret for master "tls13 derived": PRK (32 octets): 50 9a 53 59 61 77 d3 24 94 53 e7 bf ac fe 6e 6d 1d be 83 7e d6 bd ab 06 d2 d8 97 59 33 b9 07 d9 hash (32 octets): e3 b0f7 ba 7f 60c4ee42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 42 60 f4 bc 75 60 30 9b de 27 31 79 f9 2c 94 f1 13 e3 10 02 fb ba b3 b3 17 98 a3 05 04 10 e2 33 {server} extract secret "master": salt (32 octets): 42 60 f4 bc 75 60 30 9b de 27 31 79 f9 2c 94 f1 13 e3 10 02 fb ba b3 b3 17 98 a3 05 04 10 e2 33 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 6a c7 28 bf 27 30 55 d8 24 4f 71 01 07 fe 11 91 ec 30 47 c0 e9 86 14 aa d5 2f 51 62 27 7f 00 7b {server} derive write traffic keys for handshake data: PRK (32 octets): 2c e0 bf ee 1c 9c bf 77 3a 21 40 b1 4b 14 a0 8c 65 de ee 09 4a bc db 0f80 26 dc01 8a 1d 50 33251f 30 cd key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets): 1e f6 3e cc 95 0c e3 96 b0 11 16 ad 52 35 3f f1 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets): 73 ab 6b 2d c5 8a 11 fd 05 70 4a ce {server} send a EncryptedExtensions handshake message {server} send a Certificate handshake message {server} send a CertificateVerify handshake message {server} calculate finished "tls13 finished": PRK (32 octets): 2c e0 bf ee 1c 9c bf 77883a 21 40 b1 4b 14 a0 8c 65 de ee 09 4a bc db 0f 01 8a 1d 50 33 1f 30 cd hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets):4237 10 db 07 3f 25 97 e5 f6 0f cb 4b 14 df bb ff 45 1e 50 c4 af 44 24 c2 6b 04 55 f1 de 1f 14 41 {server} send a Finished handshake message {server} send handshake record: payload (651 octets): 08 00 00 1e 00 1c 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 0b5400 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0dee 8406 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 96 12 29 ac 91 87 b4 2b 4d e1 00 00 0f 00 00 84 08 04 00 80 58 c8 c3 2b e7 b4 d2 a7 42 2b f3 32 1d 0b dc 63 4c 8e 54 7e 12 0e 57 f8 90 ac 3c 2b 93 b1 c9 9d 36 4b 9a 59 9e ad f4 cb 17 50 22 2f 65 61 aa b6 b6 89 10 15 eb 6b 27 4c 21 72 4a df 97 f0 00 ff 03 de 8f 14 24 53 28 5f b4 4b 7e 65 96 7c ea 58 74 3e a1 cb 7a 28 62 d0 18 12 64 6b ff 50 04 9e 5b e1 ea 5d c3 50 ed 7e 53 a4 38 5d d3 f0 aa dc e4 bc ec 9d 64 8f 82 0d e1 3d da e4 2f 9f 96 20 14 00 00 20 ed 0a 13 2e 5f e8 fb 5b 43 aa aa 7b ab 9e 46 34 63 64 11 0a 1b 25 33 75 ab fc 6d ea 46 ef 91 c0 ciphertext (673 octets): 17 03 03 02 9c 1e 4e 15 9f 57 8e 9d 1d 73 88 13 e5 1b e1 89 ea 1c 80 1b 85 ab bc 4f 0d 52 92 7f aa 30 6c 04 e6 7f a8 02 ab 02 38 56 18 aa 0e b3 d1 af a0 84 62 ec f3 a0 04 a5 f2 dc 51 be 25 10 8f dd d6 38 92 04 88 3a 39 bd f1 0d bb de 5f 33 4a c5 bf 11 85 86 de c0 38 2d cf 00 b2 69 13 8a fe 27 28 37 0c c1 9a 3d 58 12 4c b1 99 be b9 7c a0 a8 a9 ab af 01 c2 38 f2 9c 45 b5 30 28 f8 d8 d2 2a 49 0b d8 2cf7f2 53 3a 76 72 4d 67 d8 a7 2a b0 fb 94 53 63 fb 92 4f 8c a5 e1 32 e6 b3 3c 85 29 4b 12 1c 69 8d df 37 52 ec f3 bc b9 f9 b9 01 37 bf d3 ad 0d fd 04 52 2c 27 1e 63 23 11 37 93 a5 c7 36 ee fa b2 73 a4 79 c3 d8 b0 07 2d 0c 39 d9 4f 7d 1b ea c3 2f 02 15 be 45 04 14 6e 83 c8 d3 37 c8 27 e7 f0 05 d4 83 a8 46 ef 6c c8 1a 13 ed 52 88 d1 69 4e c1 76 a2 7f fb 62 c5 93 ab 1e df dc 8c 6f 0c ec 57 34 7a e8 81 ab 17 ab a9 49 b4 f5 1a 0b 61 49 09 00 ff 92 16 bd b2 26 99 5b 54 9c 8d 5d 19 31 a0 11 de 06 bf 75 0f 8c 1c 54 8b 4b d7 00 2d 9a 76 7e 7b 66 77 f6 4b d2 3f e7 a5 ce 3c 55 5e 7b 8b c6 ed e8 72 f5 d9 6a fa c0 50 e9 a0 2c 80 1a 0f 15 12 4a 46 42 aa 89 cc d0 e5 fe b6 70 a9 68 dd db 31 7b fc e9 db 82 9f 63 d4 5a bf e6 1a f9 56 d1 b3 c6 ea 8d fe 17 3b 13 d3 db 69 38 7b 54 23 f2 78 d2 d7 49 e1 9e 2e 61 d4 f6 85 b6 e6 57 40 8f 99 3a b5 b4 5c 3c dc ed fd be 44 b0 5f 6a dd 3a 5d e9 30 46 f2 af bb 30 ea 03 26 47 eb 7d b7 8a c4 6a 1c 54 52 e3 e9 39 69 82 ef 55 2e 69 cc a5 a7 9d 57 af 22 10 2f da 06 7d 2d 48 f6 9a 91 5c 41 87 81 29 10 ec b4 7e 76 41 78 e0 ad cc 92 10 42 bc 9f ac 44 53 54 09 10 b5 02 9d 79 e4 1f 87 d2 66 01 16 18 45 2b 38 b0 0f 97 a6 32 20 30 4c d8 56 b8 0c f7 d7 f0 dc 30 7d 2b 9b 57 db 57 ad 29 3a 58 85 f9 4f c2 65 c1 84 af d9 0b 85 a2 52 12 f5 6c 8c c8 29 c1 b7 d1 6d ce 0b 8b 48 26 44 2d 79 6f 76 fb 1a 8d ff d3 06 96 cf 07 c8 c9 58 4a f9 76 ba 4c 86 4b f4 75 12 fb 8c a3 3f 8d 96 1a 5b 66 68 d1 b5 ad c3 8f 16 aa 8b 87 91 be da 44 5c a4 89 8b 0b c8 c8 de 04 22 81 25 21 42 50 cf 49 f4 3d ce d2 28 f5 4c 01 d6 b2 e1 fa d7 33 50 e9 a3 69 1e ee fc af 8a 4c a3 66 45 92 0e 72 97 af 36 1e 01 27 0e d1 fe {server} derive secret "tls13 c ap traffic": PRK (32 octets): 6a c7 28 bf 27 30 55 d8 24 4f 71 01 07 fe 11 91 ec 30 47 c0 e9 86 14 aa d5 2f 51 62 27 7f 00 7b hash (32 octets): 9e 61 88 ec d4 0e c8 d1 45 81 2f 15 70 04 59 47 bc 41 6a fc cf a8 ca 34 1a 4a 76 01 f6 a7 39 cd info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 61 66 66 69 63 20 9e 61 88 ec d4 0e c8 d1 45 81 2f 15 70 04 59 47 bc 41 6a fc cf a8 ca 34 1a 4a 76 01 f6 a7 39 cd output (32 octets): 07 04 02 00 14 0c 44 d3 60 5a 53 0b 0d b2 ee e6 ad 5b ff 4a 51 64 20 df 10 95 d6 26 15 b5 3b be {server} derive secret "tls13 s ap traffic": PRK (32 octets): 6a c7 28 bf 27 30 55 d8 24 4f 71 01 07 fe 11 91 ec 30 47 c0 e9 86 14 aa d5 2f 51 62 27 7f 00 7b hash (32 octets): 9e 61 88a3ec d4 0e c8 d1 45 81 2f 15 70 04 59 47 bc 41 6a fc cf a8 ca 34 1a 4a 76 01 f6 a7 39 cd info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 61 66 66 69 63 20 9e 61 88 ec d4 0e c8 d1 45 81 2f 15 70 04 59 47 bc 41 6a fc cf a8 ca 34 1a 4a 76 01 f6 a7 39 cd output (32 octets): a1 16 af 52 37 f0 00 ca 95 4a 76 f0 bf 59 78 2d db 81 45 9e b5 f0 36 eb 72 10 ed 9e ab 6c 23 36 {server} derive secret "tls13 exp master": PRK (32 octets): 6a c7 28 bf 27 30 55 d8 24 4f 71 01 07 fe 11 91 ec 30 47 c0 e9 86 14 aa d5 2f 51 62 27 7f 00 7b hash (32 octets): 9e 61 88 ec d4 0e c8 d1 45 81 2f 15 70 04 59 47 bc 41 6a fc cf a8 ca 34 1a 4a 76 01 f6 a7 39 cd info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 74 65 72 20 9e 61 88 ec d4 0e c8 d1 45 81 2f 15 70 04 59 47 bc 41 6a fc cf a8 ca 34 1a 4a 76 01 f6 a7 39 cd output (32 octets): a6 e6 ca 68 ff 08 62 3b ca de 3d 27 35 95 eb ae 49 93 aa e4 7d c1 d8 cf 2f 1d 12 e9 d8 ee 91 5e {server} derive write traffic keys for application data: PRK (32 octets): a1 16 af 52 37 f0 00 ca 95 4a 76 f0 bf 59 78 2d db 81 45 9e b5 f0 36 eb 72 10 ed 9e ab 6c 23 36 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets): b2 1c 13 11 a2 57 45 a0 c1 d8cb 6fde 68 c7 ce 7a dc iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets): d1 7b 34 2a f3 32 e9 90 1f 42 44 43 {server} derive read traffic keys for handshake data: PRK (32 octets): 4b 4c d4 8c 4f 39 9c 05 77 bd 73 11 5b b5 12 f1 af 4e 3c 65 fa da 60 d5 24 6b 3e 64 b5 7d c5 ec key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets): cc 08 24 4c 19 61 00 74 6d 6e bd e5 6f ee e9 01 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets): c0 52 e0 7a ce 1d 8e 0f af aa f1 a9 {client} extract secret "early": salt: (absent) ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a {client} derive secret for handshake "tls13 derived": PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba {client} extract secret "handshake": salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba ikm (32 octets): 18 5a df 44 30 f3 14 a4 a4 04 47 0e 5d d5 45 35 b3 cb 4f b7 9f 75 da 58 b6 fa f7 e2 cf ff f0 36 secret (32 octets): 50 9a 53 59 61 77 d3 24 94 53 e7 bf ac fe 6e 6d 1d be 83 7e d6 bd ab 06 d2 d8 97 59 33 b9 07 d9 {client} derive secret "tls13 c hs traffic" (same as server) {client} derive secret "tls13 s hs traffic" (same as server) {client} derive secret for master "tls13 derived" (same as server) {client} extract secret "master" (same as server) {client} derive read traffic keys for handshake data: PRK (32 octets): 2c e0 bf ee 1c 9c bf 77 3a 21 40 b1 4b 14 a0 8c 65 de ee 09 4a bc db 0f 01 8a 1d 50 33 1f 30 cd key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets): 1e f6 3e cc 95 0c e3 96 b0 11 16 ad 52 35 3f f1 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets): 73 ab 6b 2d c5 8a 11 fd 05 70 4a ce {client} calculate finished "tls13 finished" (same asclient) {server}server) {client} derive secret "tls13resc ap traffic" (same as server) {client} derive secret "tls13 s ap traffic" (same as server) {client} derive secret "tls13 exp master" (same asclient)server) {client} sendalertchange_cipher_spec record: payload(2(1 octets): 01 ciphertext (6 octets): 14 03 03 00 01 01 {client} derive write traffic keys for handshake data (same as server read traffic keys) {client} derive read traffic keys for application data (same as server write traffic keys) {client} calculate finished "tls13 finished": PRK (32 octets): 4b 4c d4 8c 4f 39 9c 05 77 bd 73 11 5b b5 12 f1 af 4e 3c 65 fa da 60 d5 24 6b 3e 64 b5 7d c5 ec hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets): 00 f1 67 b7 01 24 2f d4 77 08 23 d6 4b a7 f5 09 0e 8b 93 bd 24 9d bd 4d 1d 2f 6c 75 e3 4d 68 4a {client} send a Finished handshake message {client} send handshake record: payload (36 octets): 14 00 00 20 9c dd a7 08 0e f0 6b ce 6c 90 bb d0 03 1e 1b c8 82 1a 64 70 ea 2a 61 d6 d8 42 b1 51 a6 1c 35 2c ciphertext(24(58 octets): 17 03 03 0013 70 16 fa35 df 43 9f 06 1c 68 4c 3c 96 08 9b 15 58 8c 8d bf af 32 67 a3 d0 83 60 ae b1 d1 59 ce 92 85 f7 4e 91 b7 91 7b 4d 7a 1d 11 d6 7d cf 8b 8c fe 4c af 5d a9 58 b4 a9 {client} derive write traffic keys for application data: PRK (32 octets): 07 04 02 00 14 0c 44 d3 60 5a 53 0b 0d b2 ee e6 ad 5b ff 4a 51 64 20 df 10 959ed6 26 15 b5 3b be key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets): f0 72 a4 38 13 be 60 17 99 b4 c1 21 2c 45 28 18 iv info (12 octets): 00 0c 08 74 6c 73 310b cf 5433 20 69 76 00 iv output (12 octets): 47 c6 45 c2 e5 1c 04 f6 e9 21 f4 99 {client} derive secret "tls13 res master": PRK (32 octets): 6a c7 28 bf 27 30 55 d8 24 4f 71 01 07 fe 1109 dd91 ec 30 47 c0 e9 86 14 aa d5 2f 51 62 27 7f 00 7b hash (32 octets): 7a 0a 30 81 19 4d bc f1 bd af c6 f4 02 a0 62 a2 b1 e3 3a c9 6e ea 6f c3 22 62 c5 20 49 bf d7 1a info (52 octets): 00 20 10 74cc 4b6c 73 31 33 20 72 65 73 20 6d 61 73 74 65 72 20 7a 0a 30 81 19 4d bc f1 bd42 95af c6 f4 02 a0 62 a2 b1 e3 3a c9 6e ea 6f c3 22 62 c5 20 49 bf d7 1a output (32 octets): 69 5c b5 3a dd e2 0c 27 6b 9d 87 11 a8 df 03 6c cc ce be 5c 82 ed ab 0c 3a 6c 5f 39 84 54 1e 77 {server} calculate finished "tls13 finished" (same as client) {server} derive read traffic keys for application data (same as client write traffic keys) {server} derive secret "tls13 res master" (same as client) {client} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 139285 3c c0 b9 9c 64 e37d 92 18 1a 14 ec cf 3e78 5c c8 53 b5 61 a1 24 0f f6 35 75 {server} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 13f4 54 63 4f b1 70 d9 7.2b cd 23 33 71 26 6e b4 bc ce 2d 27 56 f3 8f 37 15 ea 19 8. Security Considerations It probably isn't a good idea to use the private key here. If it weren't for the fact that it is too small to provide any meaningful security, it is now very well known.8.9. References8.1.9.1. Normative References[I-D.ietf-tls-tls13][TLS13] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3",draft-ietf-tls-tls13-22draft-ietf-tls-tls13-28 (work in progress),November 2017. 8.2.March 2018. 9.2. Informative References [FIPS186] National Institute of Standards and Technology (NIST), "Digital Signature Standard (DSS)", NIST PUB 186-4 , July 2013. [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves for Security", RFC 7748, DOI 10.17487/RFC7748, January 2016, <https://www.rfc-editor.org/info/rfc7748>.8.3.9.3. URIs [1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS Appendix A. Acknowledgements This draft is generated using tests that were written for NSS [1]. None of this would have been possible without Franziskus Kiefer, Eric Rescorla and Tim Taubert, who did a lot of the work in NSS. Author's Address Martin Thomson Mozilla Email: martin.thomson@gmail.com