TLS M. Thomson Internet-Draft Mozilla Intended status:Standards TrackInformational May02,30, 2018 Expires:November 3,December 1, 2018 Example Handshake Traces for TLS 1.3draft-ietf-tls-tls13-vectors-04draft-ietf-tls-tls13-vectors-05 Abstract Examples of TLS 1.3 handshakes are shown. Private keys and inputs are provided so that these handshakes might be reproduced. Intermediate values, including secrets, traffic keys and ivs are shown so that implementations might be checked incrementally against these values. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire onNovember 3,December 1, 2018. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Private Keys . . . . . . . . . . . . . . . . . . . . . . . . 2 3. Simple 1-RTT Handshake . . . . . . . . . . . . . . . . . . . 3 4. Resumed 0-RTT Handshake . . . . . . . . . . . . . . . . . . . 15 5. HelloRetryRequest . . . . . . . . . . . . . . . . . . . . . . 26 6. Client Authentication . . . . . . . . . . . . . . . . . . . . 38 7. Compatibility Mode . . . . . . . . . . . . . . . . . . . . . 49 8. Security Considerations . . . . . . . . . . . . . . . . . . . 59 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 60 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 609.1.10.1. Normative References . . . . . . . . . . . . . . . . . . 609.2.10.2. Informative References . . . . . . . . . . . . . . . . . 60 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 60 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 60 1. Introduction TLS 1.3 [TLS13] defines a new key schedule and a number new cryptographic operations. This document includes sample handshakes that show all intermediate values. This allows an implementation to be verified incrementally, examining inputs and outputs of each cryptographic computation independently. A private key is included with the traces so that implementations can be checked by importing these values and verifying that the same outputs are produced. 2. Private Keys Ephemeral private keys are shown as they are generated in the traces. The server in most examples uses an RSA certificate with a private key of: modulus (public): b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f public exponent: 01 00 01 private exponent: 04 de a7 05 d4 3a 6e a7 20 9d d8 07 21 11 a8 3c 81 e3 22 a5 92 78 b3 34 80 64 1e af 7c 0a 69 85 b8 e3 1c 44 f6 de 62 e1 b4 c2 30 9f 61 26 e7 7b 7c 41 e9 23 31 4b bf a3 88 13 05 dc 12 17 f1 6c 81 9c e5 38 e9 22 f3 69 82 8d 0e 57 19 5d 8c 84 88 46 02 07 b2 fa a7 26 bc f7 08 bb d7 db 7f 67 9f 89 34 92 fc 2a 62 2e 08 97 0a ac 44 1c e4 e0 c3 08 8d f2 5a e6 79 23 3d f8 a3 bd a2 ff 99 41 prime1: e4 35 fb 7c c8 37 37 75 6d ac ea 96 ab 7f 59 a2 cc 10 69 db 7d eb 19 0e 17 e3 3a 53 2b 27 3f 30 a3 27 aa 0a aa bc 58 cd 67 46 6a f9 84 5f ad c6 75 fe 09 4a f9 2c 4b d1 f2 c1 bc 33 dd 2e 05 15 prime2: ca bd 3b c0 e0 43 86 64 c8 d4 cc 9f 99 97 7a 94 d9 bb fe ad 8e 43 87 0a ba e3 f7 eb 8b 4e 0e ee 8a f1 d9 b4 71 9b a6 19 6c f2 cb ba ee eb f8 b3 49 0a fe 9e 9f fa 74 a8 8a a5 1f c6 45 62 93 03 exponent1: 3f 57 34 5c 27 fe 1b 68 7e 6e 76 16 27 b7 8b 1b 82 64 33 dd 76 0f a0 be a6 a6 ac f3 94 90 aa 1b 47 cd a4 86 9d 68 f5 84 dd 5b 50 29 bd 32 09 3b 82 58 66 1f e7 15 02 5e 5d 70 a4 5a 08 d3 d3 19 exponent2: 18 3d a0 13 63 bd 2f 28 85 ca cb dc 99 64 bf 47 64 f1 51 76 36 f8 64 01 28 6f 71 89 3c 52 cc fe 40 a6 c2 3d 0d 08 6b 47 c6 fb 10 d8 fd 10 41 e0 4d ef 7e 9a 40 ce 95 7c 41 77 94 e1 04 12 d1 39 coefficient: 83 9c a9 a0 85 e4 28 6b 2c 90 e4 66 99 7a 2c 68 1f 21 33 9a a3 47 78 14 e4 de c1 18 33 05 0e d5 0d d1 3c c0 38 04 8a 43 c5 9b 2a cc 41 68 89 c0 37 66 5f e5 af a6 05 96 9f 8c 01 df a5 ca 96 9d 3. Simple 1-RTT Handshake In this example, the simplest possible handshake is completed. The server is authenticated, but the client remains anonymous. After connecting, a few application data octets are exchanged. The server sends a session ticket that permits the use of 0-RTT in any resumed session. {client} create an ephemeral x25519 key pair: private key (32 octets):33 21 0a 80 c1 a0 781c ca bb 6e 08 b3 86 c852d6 9e db 0d00 71 0a 06 7b 00 59 68 26 01 05 f4 bf b5 94 a7 13 2b 62 34 33 ab7f 7c 36 08 47 23 4f e4 85 bc 1c fc a4 18 b2 7e 40 b8 6c 8b public key (32 octets):fa 0c d2 25 02 a7 23 6a e72e 599e e0 14 16 e8 05 d7 15 55 93 f0 28 b7 a6 f6 dd f4 9b ad 1a6f36fe 6d 68 c4 f4 02 cb 0f 49 84 1f 11 f1 ff 97 32 1d 32 42 54 d3 18 52 9a 77 cc d9 88 06 {client} send a ClientHello handshake message {client} send handshake record: payload (190 octets): 01 00 00 ba 03 033a 02 32 16 f4 df 71 db f2 af d6 09 5f aa cd 8e b9 12 02 36 ca 79 90 c2 0d 40 cb 69 0901 6a 95 72 55 63 a4 a5 2c 6a ae 5b 86 f8 ec a3 21 a9 a3 5775 3548 1e b7 84 7e 9a 9d a4 12 20 b6 66 00 00 06 13 01 13 03 13 02 01 00 00 8b 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 23 00 00 00 33 00 26 00 24 00 1d 00 20fa 0c d2 25 02 a7 23 6a e72e 599e e0 14 16 e8 05 d7 15 55 93 f0 28 b7 a6 f6 dd f4 9b ad 1a6f36fe 6d 68 c4 f4 02 cb 0f 49 84 1f 11 f1 ff 97 32 1d 32 42 54 d3 18 52 9a 77 cc d9 88 06 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 ciphertext (195 octets): 16 03 01 00 be 01 00 00 ba 03 033a 02 32 16 f4 df 71 db f2 af d6 09 5f aa cd 8e b9 12 02 36 ca 79 90 c2 0d 40 cb 69 0901 6a 95 72 55 63 a4 a5 2c 6a ae 5b 86 f8 ec a3 21 a9 a3 5775 3548 1e b7 84 7e 9a 9d a4 12 20 b6 66 00 00 06 13 01 13 03 13 02 01 00 00 8b 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 23 00 00 00 33 00 26 00 24 00 1d 00 20fa 0c d2 25 02 a7 23 6a e72e 599e e0 14 16 e8 05 d7 15 55 93 f0 28 b7 a6 f6 dd f4 9b ad 1a6f36fe 6d 68 c4 f4 02 cb 0f 49 84 1f 11 f1 ff 97 32 1d 32 42 54 d3 18 52 9a 77 cc d9 88 06 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 {server} extract secret "early": salt: (absent) ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a {server} create an ephemeral x25519 key pair: private key (32 octets):9d ae 7f c7 6c 00 9e 64 32 41 68 c613 61 1f 76 71 f7 4e fe 91 3e cb 24 26 f8 cf 48 df 50 67 f4 a7 ec b0 d0 2799 1a 97 d3 95 9e 32 e7 c8 45 0c 14 f3 b5 30 bf 75 ef 8796 af a5 2c a4 72 4f public key (32 octets):aa 6c be 84 01 8c c1 a7 43 75 b6 d4 ea 18 ad 51 71 c1 50 ae 55 80 a8 4c 6249 53 6b a3 f5 a9 f9 cf 46 7f e1 bd 67 03 52 c3 dd 92 57 e4 d5 63 22 7d a9 0a 07 d2 0c ef05 21 a1 16 8a 2596 6f {server} send a ServerHello handshake message {server} derive secret for handshake "tls13 derived": PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba {server} extract secret "handshake": salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba ikm (32 octets):de 190b c35f f1 64 46 31 c4 b4 59 9a 22 2c ee eb 31 aa 4c f3 03 ef 15 48 de 68 ea7c 6e 7c 83c966 38 4b78 1cad d8 e9 00 57 b9 c2 39 21 3e 19 8e f3 95 aa 2d 69 0a ae 1b 4e 9a 44 secret (32 octets):95 96 d5 36 cf ab b0 51 28 69 b3 c3 66 39 1f b2ee ef ce 91 5d c4 8b 22 a7 ae 76 4a d2 82 ba 41 6f 9759 36 a8 cd da 1f 8c 66 b5 f0 26 54 04 5e 6bfe 89 e5 d1 bc 89 5b 2d 91 62 35 aa a2 ae {server} derive secret "tls13 c hs traffic": PRK (32 octets):95 96 d5 36 cf ab b0 51 28 69 b3 c3 66 39 1f b2ee ef ce 91 5d c4 8b 22 a7 ae 76 4a d2 82 ba 41 6f 9759 36 a8 cd da 1f 8c 66 b5 f0 26 54 04 5e 6bfe 89 e5 d1 bc 89 5b 2d 91 62 35 aa a2 ae hash (32 octets):58 53 80 f8 31 c7 62 08 c5df 94 98 64 2c c0 b3 7f 60 42 53 bf 348c 76 be 4a 4b a6 17 fd 16 da 681b b0a9 50 38 82 fe ea ff 81 dc44 8e 3d b5 f5 c8 ab b2 39 31 9b 1c 7b 7b 2e ac 63 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 61 66 66 69 63 2058 53 80 f8 31 c7 62 08 c5df 94 98 64 2c c0 b3 7f 60 42 53 bf 348c 76 be 4a 4b a6 17 fd 16 da 681b b0a9 50 38 82 fe ea ff 81 dc44 8e 3d b5 f5 c8 ab b2 39 31 9b 1c 7b 7b 2e ac 63 output (32 octets):ed 5d 2e 57 8f 39 41 2a 63 a1 8e 68a4 d452 e4 09 21 5b 42 a8 63 40 29 f2 4c c9 c7 bbcd ed fb 3c4d 29 de07 d7 be 78 85 8c 0b 63 38 eb 48 02 f1 58 88 ad 14 c1 ef 56 20 74 35 84 06 04 {server} derive secret "tls13 s hs traffic": PRK (32 octets):95 96 d5 36 cf ab b0 51 28 69 b3 c3 66 39 1f b2ee ef ce 91 5d c4 8b 22 a7 ae 76 4a d2 82 ba 41 6f 9759 36 a8 cd da 1f 8c 66 b5 f0 26 54 04 5e 6bfe 89 e5 d1 bc 89 5b 2d 91 62 35 aa a2 ae hash (32 octets):58 53 80 f8 31 c7 62 08 c5df 94 98 64 2c c0 b3 7f 60 42 53 bf 348c 76 be 4a 4b a6 17 fd 16 da 681b b0a9 50 38 82 fe ea ff 81 dc44 8e 3d b5 f5 c8 ab b2 39 31 9b 1c 7b 7b 2e ac 63 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 61 66 66 69 63 2058 53 80 f8 31 c7 62 08 c5df 94 98 64 2c c0 b3 7f 60 42 53 bf 348c 76 be 4a 4b a6 17 fd 16 da 681b b0a9 50 38 82 fe ea ff 81 dc44 8e 3d b5 f5 c8 ab b2 39 31 9b 1c 7b 7b 2e ac 63 output (32 octets):76 53 d6 19ce 69 11 59 11 09 be 95c3 c7 b9 a7 db 6e f8 80 0d e033 30 63e2 c4 10 1d 52 15 01 1c 8a 28 36 6e 8a 44 9b b3a9 fe e9 3a 3f cc 32 bd 24 9c a0 6f 27 34 ad be 91 7c 02 06 ca {server} derive secret for master "tls13 derived": PRK (32 octets):95 96 d5 36 cf ab b0 51 28 69 b3 c3 66 39 1f b2ee ef ce 91 5d c4 8b 22 a7 ae 76 4a d2 82 ba 41 6f 9759 36 a8 cd da 1f 8c 66 b5 f0 26 54 04 5e 6bfe 89 e5 d1 bc 89 5b 2d 91 62 35 aa a2 ae hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets):ff e0 3e bf eb 8e f7 7a b4 95 7f 14 95 2f be d5 5a91 33 1f3b 9d 1c e9 4e 1e 00 f7 40 7d 99 72 99 1be1 94 ae 42 89 b8 3d f6 0d db ec 5d 38 44 94 fb 5d a8 0c 63 4d c9 21 82 7c 9c a0 50 a6 {server} extract secret "master": salt (32 octets):ff e0 3e bf eb 8e f7 7a b4 95 7f 14 95 2f be d5 5a91 33 1f3b 9d 1c e9 4e 1e 00 f7 40 7d 99 72 99 1be1 94 ae 42 89 b8 3d f6 0d db ec 5d 38 44 94 fb 5d a8 0c 63 4d c9 21 82 7c 9c a0 50 a6 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): ef 19 6e 6f 5b 18 09 d4 96 19 c1 5d 61 97 a5 0f 4e 23 25 df be fa2f 37 bc 3a 87 b5 9c 46 10 26 2772 18 08 1759 84 d8 4e 03 5f a5 64 75 9c 1e ec 3b 96 4c e9 7aa9 82 0e b3 1f1437 {server} send handshake record: payload (90 octets): 02 00 00 56 03 03 5e d8 d9 fa bb 99 81 14 89 1b 1a c3 82 95 42ece5 d6 f8 dc 55 72 70 48 04 13 e4 7f 65e2 f1 86 19 05 8f 0a e6 42 76 a1 0d 47 b3 5d 5f 26 75 0b c5 a9 b7 aa c6 30 9f 19 75 71f6 fa af 31 00 13 01 00 00 2e 00 33 00 24 00 1d 00 20aa 6c be 84 01 8c c1 a7 43 75 b6 d4 ea 18 ad 51 71 c1 50 ae 55 80 a8 4c 6249 53 6b a3 f5 a9 f9 cf 46 7f e1 bd 67 03 52 c3 dd 92 57 e4 d5 63 22 7d a9 0a 07 d2 0c ef05 21 a1 16 8a 2596 6f 00 2b 00 02 7f 1c ciphertext (95 octets): 16 03 03 00 5a 02 00 00 56 03 03 5e d8 d9 fa bb 99 81 14 89 1b 1a c3 82 95 42ece5 d6 f8 dc 55 72 70 48 04 13 e4 7f 65e2 f1 86 19 05 8f 0a e6 42 76 a1 0d 47 b3 5d 5f 26 75 0b c5 a9 b7 aa c6 30 9f 19 75 71f6 fa af 31 00 13 01 00 00 2e 00 33 00 24 00 1d 00 20aa 6c be 84 01 8c c1 a7 43 75 b6 d4 ea 18 ad 51 71 c1 50 ae 55 80 a8 4c 6249 53 6b a3 f5 a9 f9 cf 46 7f e1 bd 67 03 52 c3 dd 92 57 e4 d5 63 22 7d a9 0a 07 d2 0c ef05 21 a1 16 8a 2596 6f 00 2b 00 02 7f 1c {server} derive write traffic keys for handshake data: PRK (32 octets):76 53 d6 19ce 69 11 59 11 09 be 95c3 c7 b9 a7 db 6e f8 80 0d e033 30 63e2 c4 10 1d 52 15 01 1c 8a 28 36 6e 8a 44 9b b3a9 fe e9 3a 3f cc 32 bd 24 9c a0 6f 27 34 ad be 91 7c 02 06 ca key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):6b de 0a 34 c4 4233 0f a2 49 0d 3cf3 5b f4 a7 ec 1a b0 aa 06a4 eb 83 48 8e 36 f9 e8 fd 58 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):22 07 9a 1b e6 53 89 9a 59 a4 e5 514a 86 a3 a1 e8 c7 cc 6c 37 7d fe 1a {server} send a EncryptedExtensions handshake message {server} send a Certificate handshake message {server} send a CertificateVerify handshake message {server} calculate finished "tls13 finished": PRK (32 octets):76 53 d6 19ce 69 11 59 11 09 be 95c3 c7 b9 a7 db 6e f8 80 0d e033 30 63e2 c4 10 1d 52 15 01 1c 8a 28 36 6e 8a 44 9b b3a9 fe e9 3a 3f cc 32 bd 24 9c a0 6f 27 34 ad be 91 7c 02 06 ca hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets):1c a5 43 d9 08 b8 ec 1c b7 25 55 7f 83 c4 de90 8f 48 22 03f1 71 85 07 b9 0a e4d1 39ec 84 92 c2ef da cc 57 225d4b db 67 6c 45 46 21 c6 b7 1f 0b 22 d0 a7 60 20 0b ca 6e7529 {server} send a Finished handshake message {server} send handshake record: payload (651 octets): 08 00 00 1e 00 1c 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 96 12 29 ac 91 87 b4 2b 4d e1 00 00 0f 00 00 84 08 04 00 80 57 bb 8c 7d 37 ba 54 6079 53 73 40 82 02 3f d3 8ff1 10 7b 7c d8 98 09 6d 52 90 98 c6 e9bd 96 ea50 19 cb c1 f9dd e4 45 12 7b ef 6f c8 5b 2a 29 82 27 a9 0d 26 12 28 11 7b 93f0 f76c 00 02 56 02 b8 5b e9 6e 6e 75 a2 5b 72 bd d9 38 9db6 7c97 95 f3 14 24 60 17 18 9d 4b dde8 40 81 32 d6 e5 23 86 44 ba e0 b2 3b 30b8 3890 7c 7b 70 ca 58 b0 bc 13 1b 6a 75 3a 42 03 3e b6 4b 14 ec ee de 85 f6 93 17f5 9a 5b c3 66 9a 98 d6 41 64 fd c7 80 7774 2dca 3d 06 63 79 24 1a 21f6 23 a3 8b 32c4 07 1e 21 f9 f3 f0 cd80 45 1df40c 7f 04 2a df fd 6e a2 3a 4f 78 96 ae 3b 21 a5 b0 65 bf 85 67 81 bf 03 08 df 04 06ab 1d 37 bd db 13 e1 c2 93 f8 a4 46 8b 8e7c 6c 6b 1e 41 9a 6b 4c ed cd 4f 12 5f 61 9d 1b 3d 9f 82 5bc9 09 e5 78 94 e0 f114 00 00 2016 cb aa 5b 9c 4d 04 ea 5c 83 b2 0b 4c 88 04 7e 8f 95 d9 60 5b 71 24 d1 1d debf bf 3e b191 bb 6b 6d 187c e6 5a af c8 63 19 41 f3 60 92 1b 5e 31 4a db b0 06 34 62 ca f1 e7 8b 3f c5 9b 3e ciphertext (673 octets): 17 03 03 02 9cc7 ad d2 3a 51 68 b1d1 f3 a3 49b7 59 e3 6b 17 1d ab c9 0b aa 31 29 a9 83 81 35 a2 2d a4 d2 d5 96 c9 4b 86 f6 af be 4d 7e 6d 6d bd 07 0b 84 f7 0f 33 fa 57 91 7d 7f 44 b1 e0 6d 47 46 64 3b fb 8f 2c dd 0a 2e db 1d 43 b7 32 26 b1 be88 3a ac cd f95c 34 58 417e 4f d120 fc708d 49 09 bf a3 42 e4 99 33 c1 00 02 03 3f ee 1e 82 67 0b 26 50 ba 93 c5 3a 87 f8 6d 5c bf 51 26 ad 05 58 6fda 97b1 31 4f 21 c0 b7 a2 0c 4b 4f 90 c32e 72 79 28 e5 23 19 37 a9 cf 80 66ec 8e d8 497e 15 b5 bea672 d5b2 e0 bb 88 4f 9e 98 d7 19 5a 42 8f f8 d1 26 5a 67 58 8412 ab ba c8 f38a 43 60 68 e3 72 9f 8ac2 5099 1b f8 61 37 95 0c 5e 0e b3 ad a2 2310 eb b2 c7 ba a1 34 e4 09 44 2d ee 9d 59c2 5a f7 00 31 cb 18 00 8c 2f a6 e7 c8e5 dd70 58 f8 ec e9 23 b0 96 7a c5 ed c0 39 7b 9d 9a ae cf88 3f0d cc 59 83 a4 76 9e 26 0f 15 e6 83 78 74 18 ce 06 7547adf9fa 75 93 24 7d f7 d5 a1 60 32 7b de 57 f8 eb e4 74 55bb 07 3b 28 c1 59 dc 8f 6b93 97 9f ae 3c d26f fa90 c3 b5 e7 77 d673 78 2f 49 b9 1f 00 7e 1d 8c 00 8b 6b f6 78 62 09 e6 f2 dd ef 6e e6 22 12 d2 bc 3b1bb6 ff 23 89 79 12 83 11bb8f 16 33 34 71 c1 4d 3b 0b 10 d7 07 d5 32 db 9208 a6 8d 55 06 24 6f 76 ac ef b5 7d b1 b6 3705 a7 b4 2b c7 ac 42 c6 30 56 79 d1 0a 09 66 ff af 0d 0a 71 cb a8 60 0d 30 17 a2 16 98 81 6d 30 66 f4 6c 6f a6 d4 be 37 93 09 e7 d1 3824 1da9 31 29 af 5d 2e fb b1 1f 06 aa6a 07 b7 dd 8d 45 c4 7b e1 2f 7e 5a 71 a1 00 95 02 9e ed 7e 27 8d de85 42 1c a9f4 46 2c 68 9e28 57 e6 1c e9 28 c9 60 ce 25 1bc667 ebc6 b8 84 da b71f c9 fe c9 c4 db 72 d3 f6 9c 16 e6 d6 fa c5 e8 21 7a e3 d9 f5 ba 52 41 00 9a 0b 94 57 65 a6 dd 9c 28 49 77 8a a9 62 ae a6 f9de e7 6f 30 08 73 6385 70 4b 60 0a 5a a4 03 05f9 00 3c de 12 e4 28b1 dd 27 f4 a2 e1 6e 24ff 3a 17 64 3d a1 a7 62 7c 16 6c 89f9 385c de 80 87 4b be 7a 19 ff 5c 5e 1acd94 eb 26 1b d4 90 4d 4e 70 85 24 f38d51 0d 17 2c 6d 61 79 fe e3 dc bb 80 85ed 11 38 cb c4 a5 48 fd b2f4 3f fe 1c 39 b6 4e 49 34 a3 4c08 51 9a 7d d091 fe fe ce 76 1c 74 0e 63 d1 e0 4a 83 b0 55 75 15 266b e9 90 ff 0d8b 40 b0 86 1b8c aa 5c 5f 9a e9 ea 35 6f 5d e7 a5 62 4d 5c a9 64 44 95 32 e1 a7 c7 a0 df e1 37 b1 70 11 4c d5 f5 11 98 71 18 d7 ee df cd 7591 4b 81 24 d6 ec 42 e6 74 fb e4 8b c6 cf 5a 0898 43 05 93 0e 12 26 89 26 90 f6 55 5b a1 f0 43 cf fa98 00 15 08 61 33 27 85 6e d7 3f 95 2d b6ff 2f f7 36 37 93 97 fd 65 9a 07 4e 4f c1 e0 d9 53 9feb8c c3 07 47 a9 c2 3c fa 09 0e 49 f1 17 70 e5 52 6f 8e cb 0c 2d 31 de 53 2d be 22 54 01 7c 35 6b b1 fd 9a c8 63 b6 db 9e 36 70 5f 3b 48 d7 dd 88 f2 8b 92 a5 0885 56 6d2a e8 15 73 f6 9179 3e 50 34 ac da 39 8b 40 3b 6a ce 62 35 47 d50a 2ff7 19 98 fe 316f a1 d6 ca ac 0e efd7 f6 fb 85 ea b2 06 94 db f4 d5 00 0f 22 105a 15 23 44 5b ce 23 11 52 84 7b 3b bc3d 31 24 22 f9 d5 8d e9 d3 60 39 bf 8f ae e9 e8 38 33 8cc8 47 ee 30 78 0d bf 46 6e b3 5a fc d9 e0 31 b0 c1 5e 1c ea 34 13 4e 49 5f a6 cf 36b2 b4 82 bd b5 2c 1d 52 3244 a5 dd 3ba7 4f b2 42 30 64 f9 3f e7 dc 11db 46 18 544f cd ac 52 10 b8 78 91 a1 7a51 f9 8b 94 149b 3c 83ef c9 f1 0a d5 55 a2 a0 de 25 f3 5f 7d 4a 6b 28 c4 a8f502 cd f2 68 f4 edb7 6362 f2 1e b5 9d d3 a4 99 f4 2d 3a 84 fe f1 2d a3 79 4c 61 ae 6a 77 34 71 ee 53 e0 b8 70 69 82 66 5c 08 00 7c e5 22 d0 78 e9 01f7 77 d6d3 9b 11 b5 8f 01 94 16 e6 0c f6 e9 93 e9 4c cd 45 0ae06e e1 0f c7 f5 a6 92 46 c7 83 5f36 a8 2a d6 50 a0 8d a3 64b0 92 11 82 16 b7 0e97 4d 90 ab a9 31 c1 4d 81 c6 ed 19 1f 32 36 28 72dc 83 13 66 8c d1 94 8e ea 29 69 b0 68 ef dd 6c 96 70 6e e5 b0 67 3d 38 c3 b2 59 5e 0bf9 a6 b7 3a c2 a9 e27a 897b a0 df46 49 24 67 5c 74 4b da a5 85 19 9b 13 61c6 97 35 37 a1 10 e5 d4 6c 35 62c4 27 be ad be 5e fa ed 4c ed 75 1c 17 e2 1e b8 fa 77 f7 8b 0b 48 4e cd 8965 36 f3 16 18 72 2a3d 1f 33 56ff 7d b2 8a 53 c6 c78b 733c bb 47d5 a6 75 b4 5b 4a c1 7b ec 31 f2 0e {server} derive secret "tls13 c ap traffic": PRK (32 octets): ef 19 6e 6f 5b 18 09 d4 96 19 c1 5d 61 97 a5 0f 4e 23 25 df be fa2f 37 bc 3a 87 b5 9c 46 10 26 2772 18 08 1759 84 d8 4e 03 5f a5 64 75 9c 1e ec 3b 96 4c e9 7aa9 82 0e b3 1f1437 hash (32 octets):87 c5 9a d5 4c f0 89 e9 40 06 d8 eb b0 80 8f 8e 32 e5 44b1b0 79 18 3b 8b eb 89 8e 80a4 df 62 92 b9 0c 0f 03 58 a1 fd e1 39 90 b65afe 1c 0c 6c 62 4d 26 b0 10 06 98 82 9f b5 82 35 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 61 66 66 69 63 2087 c5 9a d5 4c f0 89 e9 40 06 d8 eb b0 80 8f 8e 32 e5 44b1b0 79 18 3b 8b eb 89 8e 80a4 df 62 92 b9 0c 0f 03 58 a1 fd e1 39 90 b65afe 1c 0c 6c 62 4d 26 b0 10 06 98 82 9f b5 82 35 output (32 octets):f7 1a e9 97 5d 12 75 6a5e 5c 1f fe 68 ac e5 1e 4153 17 a418 4f 94 b3 2b ad a9 23 ad 4c63 01 6ec5 97 aa 79 61 9839 5d 1e cd da 48 9b cc af 4a 3e 86 3f 87 35bb f6 51 5f 81 2d a6 {server} derive secret "tls13 s ap traffic": PRK (32 octets): ef 19 6e 6f 5b 18 09 d4 96 19 c1 5d 61 97 a5 0f 4e 23 25 df be fa2f 37 bc 3a 87 b5 9c 46 10 26 2772 18 08 1759 84 d8 4e 03 5f a5 64 75 9c 1e ec 3b 96 4c e9 7aa9 82 0e b3 1f1437 hash (32 octets):87 c5 9a d5 4c f0 89 e9 40 06 d8 eb b0 80 8f 8e 32 e5 44b1b0 79 18 3b 8b eb 89 8e 80a4 df 62 92 b9 0c 0f 03 58 a1 fd e1 39 90 b65afe 1c 0c 6c 62 4d 26 b0 10 06 98 82 9f b5 82 35 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 61 66 66 69 63 2087 c5 9a d5 4c f0 89 e9 40 06 d8 eb b0 80 8f 8e 32 e5 44b1b0 79 18 3b 8b eb 89 8e 80a4 df 62 92 b9 0c 0f 03 58 a1 fd e1 39 90 b65afe 1c 0c 6c 62 4d 26 b0 10 06 98 82 9f b5 82 35 output (32 octets):e4 25 33 b9 1b e3 2a 43 fb 9e 5b 7d 9a 00 2d 59 d8 c7 47 b060 28 ef a6 f1 a1 60 f6 99 83b5 72 76 ed 98 bdcc 71 fc 16 d2 58 af 39 bb ec 9f 49 20 b2 cc e9 17 df 4689 33 f6 72df ea 84 {server} derive secret "tls13 exp master": PRK (32 octets): ef 19 6e 6f 5b 18 09 d4 96 19 c1 5d 61 97 a5 0f 4e 23 25 df be fa2f 37 bc 3a 87 b5 9c 46 10 26 2772 18 08 1759 84 d8 4e 03 5f a5 64 75 9c 1e ec 3b 96 4c e9 7aa9 82 0e b3 1f1437 hash (32 octets):87 c5 9a d5 4c f0 89 e9 40 06 d8 eb b0 80 8f 8e 32 e5 44b1b0 79 18 3b 8b eb 89 8e 80a4 df 62 92 b9 0c 0f 03 58 a1 fd e1 39 90 b65afe 1c 0c 6c 62 4d 26 b0 10 06 98 82 9f b5 82 35 info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 74 65 72 2087 c5 9a d5 4c f0 89 e9 40 06 d8 eb b0 80 8f 8e 32 e5 44b1b0 79 18 3b 8b eb 89 8e 80a4 df 62 92 b9 0c 0f 03 58 a1 fd e1 39 90 b65afe 1c 0c 6c 62 4d 26 b0 10 06 98 82 9f b5 82 35 output (32 octets):14 2d 61ce d4 f0 d7 5263 bc e0 27 60 74 9e c8 d3 8e ace8 7ab0 ce 85 0f c1 e32a b4 12 e6 8b 8785 a0 33e1 d3 a9 55 63 9b 8b7e 74 d4 65 b208 9a f1 05 6d 66 88 0a e8 6b 68 92 {server} derive write traffic keys for application data: PRK (32 octets):e4 25 33 b9 1b e3 2a 43 fb 9e 5b 7d 9a 00 2d 59 d8 c7 47 b060 28 ef a6 f1 a1 60 f6 99 83b5 72 76 ed 98 bdcc 71 fc 16 d2 58 af 39 bb ec 9f 49 20 b2 cc e9 17 df 4689 33 f6 72df ea 84 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):4e 01 d3 e4 ac 71 a2 83 4b b5 71 29 bb 88 bf d6 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 6960 22 e5 dd af 3f 2f d9 db 39 92 3d 13 65 26 a5 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):a4 45 9e a6 d6 d7 fb 65 91 6b b8 fa93 4e 1e c5 0b 75 8e 6c 60 e6 86 aa {server} derive read traffic keys for handshake data: PRK (32 octets):ed 5d 2e 57 8f 39 41 2a 63 a1 8e 68a4 d452 e4 09 21 5b 42 a8 63 40 29 f2 4c c9 c7 bbcd ed fb 3c4d 29 de07 d7 be 78 85 8c 0b 63 38 eb 48 02 f1 58 88 ad 14 c1 ef 56 20 74 35 84 06 04 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):fd 24 5c 26 ad 85 0f e2d4 d7 6a f0 5a 04 e1 d31b f9 6d 87 fe f2 562d 8a 1f 17 84 06 10 1f iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):bdf1 8b 1fde f0 52 bb 30 8c 0a 88 c1 1c02 a5 01 0c 4d 45 b1 81 d9 {client} extract secret "early": salt: (absent) ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a {client} derive secret for handshake "tls13 derived": PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba {client} extract secret "handshake": salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba ikm (32 octets):de 190b c35f f1 64 46 31 c4 b4 59 9a 22 2c ee eb 31 aa 4c f3 03 ef 15 48 de 68 ea7c 6e 7c 83c966 38 4b78 1cad d8 e9 00 57 b9 c2 39 21 3e 19 8e f3 95 aa 2d 69 0a ae 1b 4e 9a 44 secret (32 octets):95 96 d5 36 cf ab b0 51 28 69 b3 c3 66 39 1f b2ee ef ce 91 5d c4 8b 22 a7 ae 76 4a d2 82 ba 41 6f 9759 36 a8 cd da 1f 8c 66 b5 f0 26 54 04 5e 6bfe 89 e5 d1 bc 89 5b 2d 91 62 35 aa a2 ae {client} derive secret "tls13 c hs traffic" (same as server) {client} derive secret "tls13 s hs traffic" (same as server) {client} derive secret for master "tls13 derived" (same as server) {client} extract secret "master" (same as server) {client} derive read traffic keys for handshake data: PRK (32 octets):76 53 d6 19ce 69 11 59 11 09 be 95c3 c7 b9 a7 db 6e f8 80 0d e033 30 63e2 c4 10 1d 52 15 01 1c 8a 28 36 6e 8a 44 9b b3a9 fe e9 3a 3f cc 32 bd 24 9c a0 6f 27 34 ad be 91 7c 02 06 ca key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):6b de 0a 34 c4 4233 0f a2 49 0d 3cf3 5b f4 a7 ec 1a b0 aa 06a4 eb 83 48 8e 36 f9 e8 fd 58 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):22 07 9a 1b e6 53 89 9a 59 a4 e5 514a 86 a3 a1 e8 c7 cc 6c 37 7d fe 1a {client} calculate finished "tls13 finished" (same as server) {client} derive secret "tls13 c ap traffic" (same as server) {client} derive secret "tls13 s ap traffic" (same as server) {client} derive secret "tls13 exp master" (same as server) {client} derive write traffic keys for handshake data (same as server read traffic keys) {client} derive read traffic keys for application data (same as server write traffic keys) {client} calculate finished "tls13 finished": PRK (32 octets):ed 5d 2e 57 8f 39 41 2a 63 a1 8e 68a4 d452 e4 09 21 5b 42 a8 63 40 29 f2 4c c9 c7 bbcd ed fb 3c4d 29 de07 d7 be 78 85 8c 0b 63 38 eb 48 02 f1 58 88 ad 14 c1 ef 56 20 74 35 84 06 04 hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets):3a db dd 16 1fca16 ee 0b 3e ee c3 58 09 98 0a 62 86 14 6f ac 25 d2 7b a971 d4 6a cd 46 bd 20 90 b3 c6 c4 f2 39 2e e2 13 4c e0 bf 7b2a fa 3a 66 f9 b07d ed 78 24 e3 aa b9 4c 5a 7c 4b {client} send a Finished handshake message {client} send handshake record: payload (36 octets): 14 00 00 20e4 dd f9 c5 4e 5c 65 83 5b e0 e9 f2 57 03 09 b1 06 f6 72 6e c0 88 2f ca e7 13 8b d7 93de ccc7f6 f8 1b 07 0d d0 0e 02 78 8e 04 90 94 7a 37 61 89 4c ab 21 c2 9c 4b 16 eb 3d 91 13 e4 e4 ciphertext (58 octets): 17 03 03 00 35e8 a7 c0 73 d2 d5 90 fb a2 33 02 b7 1e 8c 3c ba 0b d4 54 28 97 0c ec de d3 ae 95 24 95 9872 67 bb b3 57 e3 66 8a fe 88 38 71 31 40 7b e5 12 93 53 01 51 df 34 30 e0 32 b4 7aaf 08bd 24 87 47 42 fa 75 0d a1 84 ed15 b8 867b08 675f 1c 81 39 fc 2f 14 d2 c8 55 81 7c e271 1d 9c e3 97 38 21 e9 a9 ca dd{client} derive write traffic keys for application data: PRK (32 octets):f7 1a e9 97 5d 12 75 6a5e 5c 1f fe 68 ac e5 1e 4153 17 a418 4f 94 b3 2b ad a9 23 ad 4c63 01 6ec5 97 aa 79 61 9839 5d 1e cd da 48 9b cc af 4a 3e 86 3f 87 35bb f6 51 5f 81 2d a6 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):ac 85 66 33 d0 d3 1c 93 c8 53 ba 4a 51 b5 de f8b3 84 bc a1 b8 df e4 3c 76 37 84 65 0f 70 e2 70 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):0d a9 f7 fe 9e 8d f9 98 05 12 e5 4687 b1 c1 a2 d5 f8 4a e7 74 b4 51 34 {client} derive secret "tls13 res master": PRK (32 octets): ef 19 6e 6f 5b 18 09 d4 96 19 c1 5d 61 97 a5 0f 4e 23 25 df be fa2f 37 bc 3a 87 b5 9c 46 10 26 2772 18 08 1759 84 d8 4e 03 5f a5 64 75 9c 1e ec 3b 96 4c e9 7aa9 82 0e b3 1f1437 hash (32 octets):80 ec 58 20 f2 d2 75 b0 7a 13 77 80 c4 ad 21 40 4f 36 36 f0 09 11 33 eb f4 0b 9e94 4b a6 82 91 6b e1 4d 32 da d5 f8 99 79 834c a4 81 452f 6d d5 0e 47 31 15 0e 3e 86 56 39 37 3b ac 83 f7 info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 74 65 72 2080 ec 58 20 f2 d2 75 b0 7a 13 77 80 c4 ad 21 40 4f 36 36 f0 09 11 33 eb f4 0b 9e94 4b a6 82 91 6b e1 4d 32 da d5 f8 99 79 834c a4 81 452f 6d d5 0e 47 31 15 0e 3e 86 56 39 37 3b ac 83 f7 output (32 octets):af b3 24 6c 40 8d c0 40 5b a4 c3 2f49 d5 94 20 403b df bb 14 8c 27 ad 5947 00 a8 e2 ee 7a cf 46 82 87 54 4f e6 01 b2 31 97 a0 e1 63 5a92 0c f7 12 84 e8 60 8b 48 4d47 4a d6 53 6d 74 {server} calculate finished "tls13 finished" (same as client) {server} derive read traffic keys for application data (same as client write traffic keys) {server} derive secret "tls13 res master" (same as client) {server} generate resumption secret "tls13 resumption": PRK (32 octets):af b3 24 6c 40 8d c0 40 5b a4 c3 2f49 d5 94 20 403b df bb 14 8c 27 ad 5947 00 a8 e2 ee 7a cf 46 82 87 54 4f e6 01 b2 31 97 a0 e1 63 5a92 0c f7 12 84 e8 60 8b 48 4d47 4a d6 53 6d 74 hash (2 octets): 00 00 info (22 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 75 6d 70 74 69 6f 6e 02 00 00 output (32 octets):cd 0b 4e46 3a 87 db66 32 41 4e 03 e9 a1 fb 9c bf 10 68 c189 89 ca 34 e2 ab 45 92 9d b5 45 89 40 23 a8 3d7e 0f 94 f7 1d a2 6a 69 51 ba f7 52 9e 7613 9b f5 68 34 17 13 19 87 47 ae 86 {server} send a NewSessionTicket handshake message {server} send handshake record: payload (205 octets): 04 00 00 c9 00 00 00 1e83 6a d9 92f4 34 71 a2 02 00 00 00 b220 69 93 e6 82 7e f6 98 84 68 d2 550f 63 7d a7 09 04 33 70 d0 60 00 06 00 00 006a 30 23 72 43 90 67 fc 81 f4 d3 1700 2d fe b5 7a a8 7b 9c f1b1 ef 3376 0a 8a b4 91 d4 fb 0f 00 7015 93 bc b0 32 cc ea 52 8c 5a 07 c3 7b 16 6f 893d 7a83 b7 15 48 18 b7 d1 1a 4e 90 7c da 4e 3f af 4842 b6 a9 87 ef d2 4a fb bd 2b c6 06 9d c9 03 d4 c2 d3 f0 4f dd 3d 8e 95 9721 44 b3 a7 d9 96 8d 960a 7b 78 aa 2c e8 28b6 e5 66 9c ce f4 26 0e 45 d6 4d 22 d3 b6 1a b575 72 4f 8a 82 75 d1 65 e7 7b7fe4 7d 59dd f7 e2 cf 7a 19 6f 9a 32 a3 d9 4f ea 13 eb 250e aa ab fa 5f 4c 2d73 35 78 83 80 dcf0 46 71 a0 44 d8 4c f5 cc da c5 88 7d 6b e74d 47 76 8e cf f4 67fe 2e 52 80 d7 a5 0f 23 fc 9c d4 a5 43 01 9e88 af ac a6 18 97 b9 1c 5341 94 63 c4 ee85 82 2c 9f 08 7b e4 0529 8fed 0d 6e b5 e2 68 e6 54 f4 ec 0c 67d3 2c 01 93 34 b7 ab bb 78 d4 f2 a1 cf 4e 0f e1 60 aa 72 86 19 3f da 28 8c 97 d5 ba 39 75 5ffb 0825 b7 a4 a8 f0 63 01 24 88 3d 2c 66 78 78 75 d6 7a 0f 6e06 7d 04 39 e3 9d ca f1 fb 60 31 98 dbb0 ba 71 00 08 00 2a 00 04 00 00 04 00 ciphertext (227 octets): 17 03 03 00 dea7 77 b6 77 11 b5 34 f1 0e 38 1f 45 1f 16 da 00 20 dd 9a af a4 9d b4 62 c2 35 dc cc 6d bf64 1b 9e 9f fc 8e 0b 0c 3f fb c639 9c 7e ec 88 ae 2a d6 8b 97 ca 23 b1 72 15 59 e6 6f 67 7c e646 44 34 fb 66 8cd1a2 63 e3 9f 89 7c 0c 55 067f 41 27 7b ac45 49 40bb b9 3e 5b 81 0d b4 3c0b 3b 29 3a 1c80 bd 8b 72 17 17 ba 23 c6 a0 52 ef 78 b6 dc 2b be b4 da e0 06 77 8b03 44 31 e9 f9 85 ab88c8 40 0b e5 fd 4f 99 29 0f 13 7b eb 4b a2 46 df a7a5 d1 7e a3 b6 3f 12 6c 24 67 33 cc 15 b6 2887 e4 5c 02 3a de b5b7 43 71 6d5b e2 f9 a8 42 09 90 f5 2a ac 47 ef e9 7e dd 85f8 f1 f6 773291 c7 37d1 14 0a d0 b1 b5 47 96 13 10 3c ed 0e 14 ad b1 16 ae06 f5f6ae 95 6b c3 00 5d f2 a074 fd 86 6494 b0 65 77 689d ec a8 8f 84 3ae8 fe 95 0e be 8123 ab 5f 3d e4 77 6b aa a3 da 74 36 4a 21 03 e3 46 ed 89 58 98 ed a4 b7 10 b7 43 c99c 34 e8 e5 73 d5 99 63 75 bb 821f 1f 53 71 e3 16 00 c1 3c 40 57 7a 2b51 67 b4 ae 3fab 9c06 76 f7 e7 94 a1 61f1 33 86 ff 41 4d 2e b8 b6 df 95 d3 a8 48 cc 8f 4f 48 18 3e 05 b8 f1 5a 05 0fcb 12 e8 f7 9f 08 75 91 3d b9 67 c8 17 90 e9 6f 60 4e ddc5 92 52 6c ab 9a d2 96 80 b5 a3 9d 53 06c7 70 a2 c0 a8 f6 50 27 8d 22 03 94 8e a6 b2 3c 1426 a9 95 ca 0d 62 73 ff 7e 67 44 3d c1 f4 59 dc 47 11 30 d389 97 4a20 0a d6 e2 5d b4 48 03 {client} generate resumption secret "tls13 resumption" (same as server) {client} send application_data record: payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 ciphertext (72 octets): 17 03 03 00 4398 45 d6 12 28 f1 d9 a597 fc be 0b 4f 37 48 da 56 92 ac fb d1 19 0f a7 b1 8b 10 5a 62 63 f4 79 a32a 06f2 6b ba 2f 31 642c 43 68 1c cf 70 65c6 fd 24e2 8d 57 15 2f 6b 8f acd5 6f d8 69 8e 4a d089 fc 98 26 83 c3 30 a3 e1 1f 16 c5 f7 5d 2d 49 21 5c c0 8a 13 a1 ec fd27 7f 2b 32 c7 d5 84 41a4 1b b1 38 c9 63 48 92 ab 22 63 0033 5f 35 0b 45 5c d6 8c 28 aa 71 fb 58 cb 86 cf 73 4a {server} send application_data record: payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 ciphertext (72 octets): 17 03 03 00 4301 0a 55 e6 e1 14 d0 51 60 0a b9 5e e746 1a 15 62 a303 82 3a 23 ae c5 79 be df fa 3f c3 e0 3041 d6 17 9b c8 c6 26 2c 33 2b 1801 95 f8 83 6b 58 3b af 9a 14 ae c3 77 be 43 73 a170 9e 1d c8 10 98 6e 54 6c aa 34 07 a2 c6 c9 38 3d 52 40 21 5a a5ea a1 4e88 9f ba ed 1b b8 f0 40 b0 6c 82 74 fb bd 41 0c b1 54 63 2b 86 a3 06 1d f5 5f 7a fa af87 9d 3f ca 6f 9b 7e 46 bc 05 46 83 5d 76 71 e8{client} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 135f 93 e1 bd 82 9d 2b 00 9c ad ac 13 3b42 db 77 cb a0 54 50 26 af 81 7f0c 1e 8c 94 4090 9e 65 3d 50 90 3e 65 {server} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 1309 39 38 d7 0c 6a 9b 1c 9c 2e 35 6b 60 58 807027 cd 6ebf 8b d2 98 53 2f 13 91 ca a6 e6 0f 83 e0 b5 1d 79 4a 4. Resumed 0-RTT Handshake This handshake resumes from the handshake in Section 3. Since the server provided a session ticket that permitted 0-RTT, and the client is configured for 0-RTT, the client is able to send 0-RTT data. {client} create an ephemeral x25519 key pair: private key (32 octets):7f cf 6e 8b fb 63 48 3f 0a 1d 23 99 fb ce e4 d0 69 39 6c 17 02 62c8 c8 db ad 72 04 fbd9 f2 46 81 11 af 24fe ed 20 ab3424 44 6a 9c 07 4d b3 5a 4b 07 ec f1 cc 9d 88 70 e8 fd 2e 1d d6 public key (32 octets):b5 b4 ca 2e 51a2 e0 04 93 2f 3c d0 b3 c6 a2 9ac8 32 92 3e af 84 f4 13 3d 53de 11 8b 46 7c 69 55 a6 c3 6a 1d 44 27 38 60 59 b200 53 63 d5 a7 ad 8e 07 0b d0 fd 15 d6 92 0826 f5 0c 0f {client} extract secret "early": salt: (absent) ikm (32 octets):cd 0b 4e46 3a 87 db66 32 41 4e 03 e9 a1 fb 9c bf 10 68 c189 89 ca 34 e2 ab 45 92 9d b5 45 89 40 23 a8 3d7e 0f 94 f7 1d a2 6a 69 51 ba f7 52 9e 7613 9b f5 68 34 17 13 19 87 47 ae 86 secret (32 octets):90 a6 5b2f 7b c4 a7 4b c7 88 49 cc ff cc 43 29 c0 11 8e4a 66 d4 a9 cf 3c f7 ec 2d 85 be d7 ae 08 af831d 05 d7 0d 6c c0 a9 39 9c 1e09 71 cd 45 63 6b 0b 4b a4 57 dc e6 a9 6e dd {client} send a ClientHello handshake message {client} calculate finished "tls13 finished": PRK (32 octets):04 5f b4 75 3e d5 65 30 5b 33 d2 04 0b 21 57 2d 7de1 6f 14 f0 eb 94 d9 54 e0 f6 24b3 ee 18 e7 63 bd 1a 1b 20 cf 2a a6 1a 925d 7d 0e d0 e8 53 9f 66 38 28 10 6f 17 30 1c f5 de b2 06 a5 50 hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets):89 60 f7 a3 5f 8e e3 52 30 2068 08 1ecf 77 f8 b1 29 8f 77 73 0f 0d 84 ab 51 31 a4 bb 00 9bcc c0 ef 70 30 ad dc 42 3a f3 95 c4 61 5c 83 67 4f3d 1f7d 0d 98 08 69 05 c5 2d a5 bf 66 4e {client} send handshake record: payload (512 octets): 01 00 01 fc 03 03 eb ef 0b27 b6 14 3a d0 49 dd d0 4e 5c b7 bb 33 22 d3 60 f6 0a 9b 8e 6592 25 8b ec d1 07bc 79 69 84 19 5b d43d cf f0 bb a7 da ad c7 b4 e8cb14 df dd 1b 77 4b 0d 43 53 95 2b c4 2b 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00 26 00 24 00 1d 00 20b5 b4 ca 2e 51a2 e0 04 93 2f 3c d0 b3 c6 a2 9ac8 32 92 3e af 84 f4 13 3d 53de 11 8b 46 7c 69 55 a6 c3 6a 1d 44 27 38 60 59 b200 53 63 d5 a7 ad 8e 07 0b d0 fd 15 d6 92 0826 f5 0c 0f 00 2a 00 00 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 15 00 5d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 29 00 dd 00 b8 00 b220 69 93 e6 82 7e f6 98 84 68 d2 550f 63 7d a7 09 04 33 70 d0 60 00 06 00 00 006a 30 23 72 43 90 67 fc 81 f4 d3 1700 2d fe b5 7a a8 7b 9c f1b1 ef 3376 0a 8a b4 91 d4 fb 0f 00 7015 93 bc b0 32 cc ea 52 8c 5a 07 c3 7b 16 6f 893d 7a83 b7 15 48 18 b7 d1 1a 4e 90 7c da 4e 3f af 4842 b6 a9 87 ef d2 4a fb bd 2b c6 06 9d c9 03 d4 c2 d3 f0 4f dd 3d 8e 95 9721 44 b3 a7 d9 96 8d 960a 7b 78 aa 2c e8 28b6 e5 66 9c ce f4 26 0e 45 d6 4d 22 d3 b6 1a b575 72 4f 8a 82 75 d1 65 e7 7b7fe4 7d 59dd f7 e2 cf 7a 19 6f 9a 32 a3 d9 4f ea 13 eb 250e aa ab fa 5f 4c 2d73 35 78 83 80 dcf0 46 71 a0 44 d8 4c f5 cc da c5 88 7d 6b e74d 47 76 8e cf f4 67fe 2e 52 80 d7 a5 0f 23 fc 9c d4 a5 43 01 9e88 af ac a6 18 97 b9 1c 5341 94 63 c4 ee85 82 2c 9f 08 7b e4 0529 8fed 0d 6e b5 e2 68 e6 54 f4 ec 0c 67d3 2c 01 93 34 b7 ab bb 78 d4 f2 a1 cf 4e 0f e1 60 aa 72 86 19 3f da 28 8c 97 d5 ba 39 75 5ffb 0825 b7 a4 a8 f0 63 01 24 88 3d 2c 66 78 78 75 d6 7a 0f 6e06 7d 04 39 e3 9d ca f1 fb 60 31 98 db 83 6a d9 95b0 ba 71 f4 34 71 a5 00 21 2058 34 0e ab 95 8d 02 3c 39 84 b4 82 81 0b 58b1 da ce 1d 97 d7 ff bf 46 1d f9 4d ec53 7c d3 d1 c6 a9 9d ca 87 1c70 f1 30 08 f9 13 4b 9c c0 40 88 d9 6d 93 cf 7357 54 1d 45 2f18 5b d8 ciphertext (517 octets): 16 03 01 02 00 01 00 01 fc 03 03 eb ef 0b27 b6 14 3a d0 49 dd d0 4e 5c b7 bb 33 22 d3 60 f6 0a 9b 8e 6592 25 8b ec d1 07bc 79 69 84 19 5b d43d cf f0 bb a7 da ad c7 b4 e8cb14 df dd 1b 77 4b 0d 43 53 95 2b c4 2b 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00 26 00 24 00 1d 00 20b5 b4 ca 2e 51a2 e0 04 93 2f 3c d0 b3 c6 a2 9ac8 32 92 3e af 84 f4 13 3d 53de 11 8b 46 7c 69 55 a6 c3 6a 1d 44 27 38 60 59 b200 53 63 d5 a7 ad 8e 07 0b d0 fd 15 d6 92 0826 f5 0c 0f 00 2a 00 00 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 15 00 5d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 29 00 dd 00 b8 00 b220 69 93 e6 82 7e f6 98 84 68 d2 550f 63 7d a7 09 04 33 70 d0 60 00 06 00 00 006a 30 23 72 43 90 67 fc 81 f4 d3 1700 2d fe b5 7a a8 7b 9c f1b1 ef 3376 0a 8a b4 91 d4 fb 0f 00 7015 93 bc b0 32 cc ea 52 8c 5a 07 c3 7b 16 6f 893d 7a83 b7 15 48 18 b7 d1 1a 4e 90 7c da 4e 3f af 4842 b6 a9 87 ef d2 4a fb bd 2b c6 06 9d c9 03 d4 c2 d3 f0 4f dd 3d 8e 95 9721 44 b3 a7 d9 96 8d 960a 7b 78 aa 2c e8 28b6 e5 66 9c ce f4 26 0e 45 d6 4d 22 d3 b6 1a b575 72 4f 8a 82 75 d1 65 e7 7b7fe4 7d 59dd f7 e2 cf 7a 19 6f 9a 32 a3 d9 4f ea 13 eb 250e aa ab fa 5f 4c 2d73 35 78 83 80 dcf0 46 71 a0 44 d8 4c f5 cc da c5 88 7d 6b e74d 47 76 8e cf f4 67fe 2e 52 80 d7 a5 0f 23 fc 9c d4 a5 43 01 9e88 af ac a6 18 97 b9 1c 5341 94 63 c4 ee85 82 2c 9f 08 7b e4 0529 8fed 0d 6e b5 e2 68 e6 54 f4 ec 0c 67d3 2c 01 93 34 b7 ab bb 78 d4 f2 a1 cf 4e 0f e1 60 aa 72 86 19 3f da 28 8c 97 d5 ba 39 75 5ffb 0825 b7 a4 a8 f0 63 01 24 88 3d 2c 66 78 78 75 d6 7a 0f 6e06 7d 04 39 e3 9d ca f1 fb 60 31 98 db 83 6a d9 95b0 ba 71 f4 34 71 a5 00 21 2058 34 0e ab 95 8d 02 3c 39 84 b4 82 81 0b 58b1 da ce 1d 97 d7 ff bf 46 1d f9 4d ec53 7c d3 d1 c6 a9 9d ca 87 1c70 f1 30 08 f9 13 4b 9c c0 40 88 d9 6d 93 cf 7357 54 1d 45 2f18 5b d8 {client} derive secret "tls13 c e traffic": PRK (32 octets):90 a6 5b2f 7b c4 a7 4b c7 88 49 cc ff cc 43 29 c0 11 8e4a 66 d4 a9 cf 3c f7 ec 2d 85 be d7 ae 08 af831d 05 d7 0d 6c c0 a9 39 9c 1e09 71 cd 45 63 6b 0b 4b a4 57 dc e6 a9 6e dd hash (32 octets):02 ce c3 cc b1 be e9 72 06 ff bf 5b 0e db f9 43 0a d8 02 05 96 0c8a ec fe eb b4 23 6e fd 8b 78 bb 3f f1 c7 af e0 87 2b fb b2 60 0f 04ba ff ad b6 dc d3 81 b9 0c69 ed 58 6f 23 39 7a e0 2d info (53 octets): 00 20 11 74 6c 73 31 33 20 63 20 65 20 74 72 61 66 66 69 63 2002 ce c3 cc b1 be e9 72 06 ff bf 5b 0e db f9 43 0a d8 02 05 96 0c8a ec fe eb b4 23 6e fd 8b 78 bb 3f f1 c7 af e0 87 2b fb b2 60 0f 04ba ff ad b6 dc d3 81 b9 0c69 ed 58 6f 23 39 7a e0 2d output (32 octets):b0 ea 52 04 68 97 4f 91 396c 59 9c 07 27 75 ad e3 57 01 587d17 a2 f1 cf 4f 3b ed 5e 44 7b a6 1c 75 1a 3a 45 f56f 77 85 69 96 02 fb c8 0c 0c 18 50 82 79 dc76 a5 bfd0 7b 0375 {client} derive secret "tls13 e exp master": PRK (32 octets):90 a6 5b2f 7b c4 a7 4b c7 88 49 cc ff cc 43 29 c0 11 8e4a 66 d4 a9 cf 3c f7 ec 2d 85 be d7 ae 08 af831d 05 d7 0d 6c c0 a9 39 9c 1e09 71 cd 45 63 6b 0b 4b a4 57 dc e6 a9 6e dd hash (32 octets):02 ce c3 cc b1 be e9 72 06 ff bf 5b 0e db f9 43 0a d8 02 05 96 0c8a ec fe eb b4 23 6e fd 8b 78 bb 3f f1 c7 af e0 87 2b fb b2 60 0f 04ba ff ad b6 dc d3 81 b9 0c69 ed 58 6f 23 39 7a e0 2d info (54 octets): 00 20 12 74 6c 73 31 33 20 65 20 65 78 70 20 6d 61 73 74 65 72 2002 ce c3 cc b1 be e9 72 06 ff bf 5b 0e db f9 43 0a d8 02 05 96 0c8a ec fe eb b4 23 6e fd 8b 78 bb 3f f1 c7 af e0 87 2b fb b2 60 0f 04ba ff ad b6 dc d3 81 b9 0c69 ed 58 6f 23 39 7a e0 2d output (32 octets):bc 79 ec a3 3d c5 5e 77 f4 a2 b3 1d e3 b2 eb b7 ff 1a 03 16 e6 a2 ea 2e 1e d1 88 1e 65 c0 ee baa8 fd 17 f5 b4 63 f3 82 fa 6c 36 e4 72 51 41 55 d6 c1 df 3b 20 43 31 4c 9c 15 6c 36 b1 c2 7b d3 {client} derive write traffic keys for early application data: PRK (32 octets):b0 ea 52 04 68 97 4f 91 396c 59 9c 07 27 75 ad e3 57 01 587d17 a2 f1 cf 4f 3b ed 5e 44 7b a6 1c 75 1a 3a 45 f56f 77 85 69 96 02 fb c8 0c 0c 18 50 82 79 dc76 a5 bfd0 7b 0375 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):ad 52 61 5a d7 8f ef c8 30 d7 b562 9d 26 ba f5 21 45 c0 4f 7d 23c5 6d 39 6cdc 78 c3 55 49 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):1a 68 22 06 82 d9 52 2f 6f d9 80 cbd7 a4 2a a7 a5 00 ef fb e7 dc 61 89 {client} send application_data record: payload (6 octets): 41 42 43 44 45 46 ciphertext (28 octets): 17 03 03 00 17f0cd 4e a6 16 28 3d 3e a52cadf2 f8 10 e3 ea 31 4a 9e 0d 74 94 18 0c 07af 68 9b a4 12 e1b6 dd 23a2 31 05 d3 83 0f 11 85 {server} extract secret "early" (same as client) {server} calculate finished "tls13 finished" (same as client) {server} create an ephemeral x25519 key pair: private key (32 octets):73 c0 5e e2 5c db 68 51 18 f0 f7 dd 5f d2 dd 12 9d 17 a7 98 b9 1c c5 fe 62 ed 7000 a9baa0 a6 d0 03 a5 a8 48 b0 ec c7 99 93 b6 a7 f4 c7 b2 3d 52 28 7f 34 61 a0 af 7e e0 532f0e c2 public key (32 octets):47 d1 32 89 df6fa0 fc 57 3c 74e0 56 e9 fe b7 db 5f 5c fa73 40 a2 6f 433828 70 7d e5 72 7e 68 28 cb d0 81 9d a9 7666 89 ce ef 6a 11 9c e9 8b ae 4f 42 df 95 d4 e0 57 37 46 21 30 {server} derive secret "tls13 c e traffic" (same as client) {server} derive secret "tls13 e exp master" (same as client) {server} send a ServerHello handshake message {server} derive secret for handshake "tls13 derived": PRK (32 octets):90 a6 5b2f 7b c4 a7 4b c7 88 49 cc ff cc 43 29 c0 11 8e4a 66 d4 a9 cf 3c f7 ec 2d 85 be d7 ae 08 af831d 05 d7 0d 6c c0 a9 39 9c 1e09 71 cd 45 63 6b 0b 4b a4 57 dc e6 a9 6e dd hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets):95 c5 f6 ae c8 48 4c ad 65 ee ffd3 ea 7b 5e e5 70 5c 9a 63 2c c2 18 a9 c0 54 db 19 26 a5 37 7d f10c 48 a8 4f 34 d6 53 d6 59 91a6 2a 60 1f 17 55 5e 27 9b bfde 13 69 81 97 b3 b9 b4 5d{server} extract secret "handshake": salt (32 octets):95 c5 f6 ae c8 48 4c ad 65 ee ffd3 ea 7b 5e e5 70 5c 9a 63 2c c2 18 a9 c0 54 db 19 26 a5 37 7d f10c 48 a8 4f 34 d6 53 d6 59 91a6 2a 60 1f 17 55 5e 27 9b bfde 13 69 81 97 b3 b9 b4 5dikm (32 octets):4f 81 91 7a 09 87 67 f2 22 5f cf 33 e8 a540 29 ba 3a 16 b8 7f 62 16 d533 d6 88a1 3bd8d2 72 6b 3e 46 ff f7 44 ee16 00 b2 c5 e4 f0b0 9d 4f 2e df fa 22 aa 3b e824 02 06 3757 secret (32 octets):96 eb 95 b5 63 62 0c 58 ca d2 c7 37 0f b7 4b 8f 55 b2 0ede 91 a0 54 86 16 ed 5a 59 fd 0d ad d5 d1 87 fc f6 de e8 67 71 78 28bd bc 2d 70 6e 6f db aa 9e 9e 60 93fa 52 9f 16 34 b2 8c e6 10 {server} derive secret "tls13 c hs traffic": PRK (32 octets):96 eb 95 b5 63 62 0c 58 ca d2 c7 37 0f b7 4b 8f 55 b2 0ede 91 a0 54 86 16 ed 5a 59 fd 0d ad d5 d1 87 fc f6 de e8 67 71 78 28bd bc 2d 70 6e 6f db aa 9e 9e 60 93fa 52 9f 16 34 b2 8c e6 10 hash (32 octets):ab e0 a2 b9 a8 84ea a7 3e9293a8 36 91 96 7c fa 4c d0 8d 8e fc3e c9 cf a6 f6 78 92 1e e8 3f 23 0c 0d 0b13 63 39 a9 1a 6d 01 45 3d 32 9171 94 a0 f6 2b be 66 19 65 a7 1d f3 df 8e info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 61 66 66 69 63 20ab e0 a2 b9 a8 84ea a7 3e9293a8 36 91 96 7c fa 4c d0 8d 8e fc3e c9 cf a6 f6 78 92 1e e8 3f 23 0c 0d 0b13 63 39 a9 1a 6d 01 45 3d 32 9171 94 a0 f6 2b be 66 19 65 a7 1d f3 df 8e output (32 octets):50 26 86 51 18 93 2f ba 00 9f b8 84 c2ab 97 16 88 85 72 36 8f 24 6ce1 8e 44 96 c8 f3 57 dd f0 d1d9 87 3e 59 4e 9e 8c 58 a90b c2 7b 4c 31 92 9c03 9d 4b b0 86 82 ff 61 05 4b 27 48 8b {server} derive secret "tls13 s hs traffic": PRK (32 octets):96 eb 95 b5 63 62 0c 58 ca d2 c7 37 0f b7 4b 8f 55 b2 0ede 91 a0 54 86 16 ed 5a 59 fd 0d ad d5 d1 87 fc f6 de e8 67 71 78 28bd bc 2d 70 6e 6f db aa 9e 9e 60 93fa 52 9f 16 34 b2 8c e6 10 hash (32 octets):ab e0 a2 b9 a8 84ea a7 3e9293a8 36 91 96 7c fa 4c d0 8d 8e fc3e c9 cf a6 f6 78 92 1e e8 3f 23 0c 0d 0b13 63 39 a9 1a 6d 01 45 3d 32 9171 94 a0 f6 2b be 66 19 65 a7 1d f3 df 8e info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 61 66 66 69 63 20ab e0 a2 b9 a8 84ea a7 3e9293a8 36 91 96 7c fa 4c d0 8d 8e fc3e c9 cf a6 f6 78 92 1e e8 3f 23 0c 0d 0b13 63 39 a9 1a 6d 01 45 3d 32 9171 94 a0 f6 2b be 66 19 65 a7 1d f3 df 8e output (32 octets):c9 23 18 b4 c5 6f ba 46 bf 6e ef 2a 9a 8fd0 48 f1 0233 a2 8b ab 9b b9 66 67 4a 19 32 0b b5 3c 50 10d3 4c 27 a8 e1 19 24 c9 7c ff cb b1 81 4e 38 fa ce 72 98 8f c0 9d ee 5f b3 41 82 c6 {server} derive secret for master "tls13 derived": PRK (32 octets):96 eb 95 b5 63 62 0c 58 ca d2 c7 37 0f b7 4b 8f 55 b2 0ede 91 a0 54 86 16 ed 5a 59 fd 0d ad d5 d1 87 fc f6 de e8 67 71 78 28bd bc 2d 70 6e 6f db aa 9e 9e 60 93fa 52 9f 16 34 b2 8c e6 10 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets):b2 da f2 ee a8 bb d9 2b 5d 84 12 d4 26 7a 3c 3157 7e 06 13 10 df 25 c2 6c09 cd 45 8e 71 ab dce4 30 a1 e3 64 79 8b e1 0d f9 99 c67b e6 b1 41 6c 0f 31a8 79 46 33 ac 1d de 56 6b c6 5d {server} extract secret "master": salt (32 octets):b2 da f2 ee a8 bb d9 2b 5d 84 12 d4 26 7a 3c 3157 7e 06 13 10 df 25 c2 6c09 cd 45 8e 71 ab dce4 30 a1 e3 64 79 8b e1 0d f9 99 c67b e6 b1 41 6c 0f 31a8 79 46 33 ac 1d de 56 6b c6 5d ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): ea 7a 47 05 8d 09 bb 7b e7 92 82 6c ef 8e 22 ed 8f 40 94 01 9d c5ee bf b8 6e 50 81 37 24 5d 79 91 9a 3d 43 19 61 bc 0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6bca a9 1f 02 07 80 5f c0 3b 1c {server} send handshake record: payload (96 octets): 02 00 00 5c 03 033e 47 ec 55 1782 21 ab 7c ed 15 82 80 e4 e38e 7e f5 cc bc35 09 f8 69f9 2f 5b 20 b8 fa 46 a64f 69 3b 54661a 73 00 04 8f df 31bb 99 fa 08 65 f4 af 22 8c3b 2b f5 cb a1 3c 19 00 13 01 00 00 34 00 29 00 02 00 00 00 33 00 24 00 1d 00 2047 d1 32 89 df6fa0 fc 57 3c 74e0 56 e9 fe b7 db 5f 5c fa73 40 a2 6f 433828 70 7d e5 72 7e 68 28 cb d0 81 9d a9 7666 89 ce ef 6a 11 9c e9 8b ae 4f 42 df 95 d4 e0 57 37 46 21 30 00 2b 00 02 7f 1c ciphertext (101 octets): 16 03 03 00 60 02 00 00 5c 03 033e 47 ec 55 1782 21 ab 7c ed 15 82 80 e4 e38e 7e f5 cc bc35 09 f8 69f9 2f 5b 20 b8 fa 46 a64f 69 3b 54661a 73 00 04 8f df 31bb 99 fa 08 65 f4 af 22 8c3b 2b f5 cb a1 3c 19 00 13 01 00 00 34 00 29 00 02 00 00 00 33 00 24 00 1d 00 2047 d1 32 89 df6fa0 fc 57 3c 74e0 56 e9 fe b7 db 5f 5c fa73 40 a2 6f 433828 70 7d e5 72 7e 68 28 cb d0 81 9d a9 7666 89 ce ef 6a 11 9c e9 8b ae 4f 42 df 95 d4 e0 57 37 46 21 30 00 2b 00 02 7f 1c {server} derive write traffic keys for handshake data: PRK (32 octets):c9 23 18 b4 c5 6f ba 46 bf 6e ef 2a 9a 8fd0 48 f1 0233 a2 8b ab 9b b9 66 67 4a 19 32 0b b5 3c 50 10d3 4c 27 a8 e1 19 24 c9 7c ff cb b1 81 4e 38 fa ce 72 98 8f c0 9d ee 5f b3 41 82 c6 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):0d 71 1f 45 1d c2 0e fc 7e f8 085f 3c 74 07 8c 9b44 79 75 ac69 ca 92 fb 9e d0 b5 24 a0 4e iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):ee 5d 71 8a 24 a8 e5 32 8d bc 58 00c1 4a 56 2a c5 4c 08 90 4e 4c cf e1 {server} send a EncryptedExtensions handshake message {server} calculate finished "tls13 finished": PRK (32 octets):c9 23 18 b4 c5 6f ba 46 bf 6e ef 2a 9a 8fd0 48 f1 0233 a2 8b ab 9b b9 66 67 4a 19 32 0b b5 3c 50 10d3 4c 27 a8 e1 19 24 c9 7c ff cb b1 81 4e 38 fa ce 72 98 8f c0 9d ee 5f b3 41 82 c6 hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets):89 20 c8 4033 15 23 2e 79 6a 55 ab ac 23 c5 b2 6eb4 0e d6 66 66 68 95 ae 3d 8d 12 67 0e c0 e4 5f 0b cb24 3c f6 b8 3f e5 31 63cf ef f5 13 38 e8 1a 5bb1 ac 10 fb 0b ec 79 9b 39 84 33 {server} send a Finished handshake message {server} send handshake record: payload (74 octets): 08 00 00 22 00 20 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 00 2a 00 00 14 00 00 20b5 06 45 62 14 0c b7 fa 10 da 9a 57 ff 61 7b f2 66 d7 14 b7 8b 59 41 a0 af 36 3f ac c1 8dbb 25 a6b022 90 1d 44 5c 31 98 e8 ba fd 3a cf b3 bd 16 65 9f e5 6a c0 3c 50 55 5e 27 58 05 ae 7a ciphertext (96 octets): 17 03 03 00 5bc8 2d 5e 2c 400e 44 3c f1 1f 00 5f 95 22 65 d5 20 87 9e 13 f3 f9 b5 bf 91 f077 cc 7d 8b c63d a2 84 c1 9d 8a 7e fb 1e e9 8e f50a 61 52 c2 ff e0 d9 30 60 11 a6ec 1f 5b af 98 3d 8a 94 5f 0c 3b 56 34 c27c 1c 2a39 3c 67 fd 18 d4 aa cf 69 c9 16 03 37 4f 8c da c388 4ca61e f2 08 46 fb c3 dd 91 19 4e 26 b6 9a 4a 74 73 a2 51 4d e7 76 68 92 9d 4c 77 63 64 51 21 70e4 9f8a 64 a2 9d 14 88 0b 6d f1 0418 08b58f 48 38 ba 22 f5 30 41 00 31 7b ff be 74da 7e 2e 5d 0b 6c da 9d 18 4f fe 57 62 b5 5f9b 1f c6 b0 27 ed 80 14 {server} derive secret "tls13 c ap traffic": PRK (32 octets):c5 ee bf b8 6e 50 81 37 24 5d 79 91 9a 3d 43 19 61 bc 0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6bea 7a 47 05 8d 09 bb 7b e7 92 82 6c ef 8e 22 ed 8f 40 94 01 9d c5 ca a9 1f 02 07 80 5f c0 3b 1c hash (32 octets):11 bf 9b 71 22 aa c5 07 85 59 ef90f7 8e e0 78 32 a6 79 72 a23c e9 7a ed b6 cd 73 55 8c 25 17 44 db c7f4 bd 8f 56 15bb 4c c8 f5 2b 92 d0bc 190b 44 e8 34 34 ce 7a3981 ec 60 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 61 66 66 69 63 2011 bf 9b 71 22 aa c5 07 85 59 ef90f7 8e e0 78 32 a6 79 72 a23c e9 7a ed b6 cd 73 55 8c 25 17 44 db c7f4 bd 8f 56 15bb 4c c8 f5 2b 92 d0bc 190b 44 e8 34 34 ce 7a3981 ec 60 output (32 octets):bc 39 56 2d 42 a4 e7 62 8d cc 15 1b2f d1 64 22 0e 74 bac1 16 88 06 9c 1c 56 ca cd 17 d4 cc 53 4ae8 93 70 20 38 bb0573 c6 72 4c 92 64 bb ad 2b 7b 72 37 e3c0 3e40 29 e0 c3 69 4b {server} derive secret "tls13 s ap traffic": PRK (32 octets): ea 7a 47 05 8d 09 bb 7b e7 92 82 6c ef 8e 22 ed 8f 40 94 01 9d c5ee bf b8 6e 50 81 37 24 5d 79 91 9a 3d 43 19 61 bc 0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6bca a9 1f 02 07 80 5f c0 3b 1c hash (32 octets):11 bf 9b 71 22 aa c5 07 85 59 ef90f7 8e e0 78 32 a6 79 72 a23c e9 7a ed b6 cd 73 55 8c 25 17 44 db c7f4 bd 8f 56 15bb 4c c8 f5 2b 92 d0bc 190b 44 e8 34 34 ce 7a3981 ec 60 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 61 66 66 69 63 2011 bf 9b 71 22 aa c5 07 85 59 ef90f7 8e e0 78 32 a6 79 72 a23c e9 7a ed b6 cd 73 55 8c 25 17 44 db c7f4 bd 8f 56 15bb 4c c8 f5 2b 92 d0bc 190b 44 e8 34 34 ce 7a3981 ec 60 output (32 octets):a2 05 9e be 09 34 8a d4 2b 1d 6a 72b7 a6 20 bf bc 35 b7 1e 98 d8 40 14 02 6d e1 13 f2 0e ae 019e8b 56 75 04 8f89 06 0d e5 9f de 34 2d 4a d1 68 f2 08 5c ab c3 6088 c2 f8 b1 37 b0 f7 {server} derive secret "tls13 exp master": PRK (32 octets): ea 7a 47 05 8d 09 bb 7b e7 92 82 6c ef 8e 22 ed 8f 40 94 01 9d c5ee bf b8 6e 50 81 37 24 5d 79 91 9a 3d 43 19 61 bc 0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6bca a9 1f 02 07 80 5f c0 3b 1c hash (32 octets):11 bf 9b 71 22 aa c5 07 85 59 ef90f7 8e e0 78 32 a6 79 72 a23c e9 7a ed b6 cd 73 55 8c 25 17 44 db c7f4 bd 8f 56 15bb 4c c8 f5 2b 92 d0bc 190b 44 e8 34 34 ce 7a3981 ec 60 info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 74 65 72 2011 bf 9b 71 22 aa c5 07 85 59 ef90f7 8e e0 78 32 a6 79 72 a23c e9 7a ed b6 cd 73 55 8c 25 17 44 db c7f4 bd 8f 56 15bb 4c c8 f5 2b 92 d0bc 190b 44 e8 34 34 ce 7a3981 ec 60 output (32 octets):e2 d41a 13 62 f12f c6 26 c2 919a 22 1e 14 9a 38 62 de52 8c 4d d2 cb 1f d2 11 b2 d8 44 d9 53 d4 7a 48 d8 17 87 64 05 88 412a fc 46 42 b5 7c aa 3b 0a 50 90 b3 f6 e3 ea 01 47 09 69 bc {server} derive write traffic keys for application data: PRK (32 octets):a2 05 9e be 09 34 8a d4 2b 1d 6a 72b7 a6 20 bf bc 35 b7 1e 98 d8 40 14 02 6d e1 13 f2 0e ae 019e8b 56 75 04 8f89 06 0d e5 9f de 34 2d 4a d1 68 f2 08 5c ab c3 6088 c2 f8 b1 37 b0 f7 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):2e c4 83 49 b4 0013 d9 5b 20 9e 16 d7 10 96 cf 53 55 e49d bb 71 9a 98 918a 112d 997e iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):b2 6b 47 20 2b 9a 93 55 45 90 c0 3c5b f1 cd 5c f6 f8 78 61 86 21 8a 83 {server} derive read traffic keys for early application data (same as client write traffic keys) {client} derive secret for handshake "tls13 derived": PRK (32 octets):90 a6 5b2f 7b c4 a7 4b c7 88 49 cc ff cc 43 29 c0 11 8e4a 66 d4 a9 cf 3c f7 ec 2d 85 be d7 ae 08 af831d 05 d7 0d 6c c0 a9 39 9c 1e09 71 cd 45 63 6b 0b 4b a4 57 dc e6 a9 6e dd hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets):95 c5 f6 ae c8 48 4c ad 65 ee ffd3 ea 7b 5e e5 70 5c 9a 63 2c c2 18 a9 c0 54 db 19 26 a5 37 7d f10c 48 a8 4f 34 d6 53 d6 59 91a6 2a 60 1f 17 55 5e 27 9b bfde 13 69 81 97 b3 b9 b4 5d{client} extract secret "handshake": salt (32 octets):95 c5 f6 ae c8 48 4c ad 65 ee ffd3 ea 7b 5e e5 70 5c 9a 63 2c c2 18 a9 c0 54 db 19 26 a5 37 7d f10c 48 a8 4f 34 d6 53 d6 59 91a6 2a 60 1f 17 55 5e 27 9b bfde 13 69 81 97 b3 b9 b4 5dikm (32 octets):4f 81 91 7a 09 87 67 f2 22 5f cf 33 e8 a540 29 ba 3a 16 b8 7f 62 16 d533 d6 88a1 3bd8d2 72 6b 3e 46 ff f7 44 ee16 00 b2 c5 e4 f0b0 9d 4f 2e df fa 22 aa 3b e824 02 06 3757 secret (32 octets):96 eb 95 b5 63 62 0c 58 ca d2 c7 37 0f b7 4b 8f 55 b2 0ede 91 a0 54 86 16 ed 5a 59 fd 0d ad d5 d1 87 fc f6 de e8 67 71 78 28bd bc 2d 70 6e 6f db aa 9e 9e 60 93fa 52 9f 16 34 b2 8c e6 10 {client} derive secret "tls13 c hs traffic" (same as server) {client} derive secret "tls13 s hs traffic" (same as server) {client} derive secret for master "tls13 derived" (same as server) {client} extract secret "master" (same as server) {client} derive read traffic keys for handshake data: PRK (32 octets):c9 23 18 b4 c5 6f ba 46 bf 6e ef 2a 9a 8fd0 48 f1 0233 a2 8b ab 9b b9 66 67 4a 19 32 0b b5 3c 50 10d3 4c 27 a8 e1 19 24 c9 7c ff cb b1 81 4e 38 fa ce 72 98 8f c0 9d ee 5f b3 41 82 c6 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):0d 71 1f 45 1d c2 0e fc 7e f8 085f 3c 74 07 8c 9b44 79 75 ac69 ca 92 fb 9e d0 b5 24 a0 4e iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):ee 5d 71 8a 24 a8 e5 32 8d bc 58 00c1 4a 56 2a c5 4c 08 90 4e 4c cf e1 {client} calculate finished "tls13 finished" (same as server) {client} derive secret "tls13 c ap traffic" (same as server) {client} derive secret "tls13 s ap traffic" (same as server) {client} derive secret "tls13 exp master" (same as server) {client} send a EndOfEarlyData handshake message {client} send handshake record: payload (4 octets): 05 00 00 00 ciphertext (26 octets): 17 03 03 00 1587 ea 08 9b c5 7f 33 1c 4f ad 29 80 d7 5e 3b7e aa 3c de 68 e7 2f f7 65 c1cc 55 40 e8 75ee 52 0e 19 94 4f 21 52 dd 19 2f {client} derive write traffic keys for handshake data: PRK (32 octets):50 26 86 51 18 93 2f ba 00 9f b8 84 c2ab 97 16 88 85 72 36 8f 24 6ce1 8e 44 96 c8 f3 57 dd f0 d1d9 87 3e 59 4e 9e 8c 58 a90b c2 7b 4c 31 92 9c03 9d 4b b0 86 82 ff 61 05 4b 27 48 8b key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):4c 0f 31 7d 9a b1 56 f2 7b71cb ca 63 3d f7 4fbc 0c 4d c2 b7 d6 8a 2c ac 6e d6 f5 c2 81 50 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):e3 19 71 d9 f6 41 4b 45 de 4c 4c e21b b0 fc f0 a3 03 5e e7 87 dc 3e 62 {client} derive read traffic keys for application data (same as server write traffic keys) {client} calculate finished "tls13 finished": PRK (32 octets):50 26 86 51 18 93 2f ba 00 9f b8 84 c2ab 97 16 88 85 72 36 8f 24 6ce1 8e 44 96 c8 f3 57 dd f0 d1d9 87 3e 59 4e 9e 8c 58 a90b c2 7b 4c 31 92 9c03 9d 4b b0 86 82 ff 61 05 4b 27 48 8b hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets):68 9e a0 1d d9 3b e4 b2 38 94 de ab a8 d0 7c 5697 d3 03 3129 ad 6b ef dd 7b 3d 8d ef e5b4 2e 62 1c 6a 37 2f d5 48 c2 1e bc 6c f3 c6 09 05 d3 41 9a 60 ac 51 d0 02 73 66 8e4f 7e 3a 44{client} send a Finished handshake message {client} send handshake record: payload (36 octets): 14 00 00 2052 90 13f4 08 6f f0 ce c8 b2 d0 17 a2 c7 17 8c 5a 67 55ab 06 bb fb ab 3ac8 2c 24 81cc 67 e3 6f eb 5d 8d a1 63 2ad6 74 70 7f 39 02ba 83 0a 8f c8 5f 4c 22 66 cf6c 8e e9 de c0 7e ciphertext (58 octets): 17 03 03 00 35 c8 bc f9 ae e6 c2 2a b9 74 99 f2 91 de f9 31 39ab 4d 04 21 bb 3e 2b 85 53 d0 2c ee 16 d3 78 c540 8a db d2 01 27 29 9b fc cb 55 c2 5d 7d f3 c2 25 f9 60 f9 63 49 1a c8 84 0fa8 76 fd 44 b4 d8 c6 36 26 6e 44 70 bd 05 f4 77 d4 fb 91 70 f4 42 96 e2 43 3ccb eb 780e ef c72f 06 505f 9b e1 68c7 ae 89 76 0b {client} derive write traffic keys for application data: PRK (32 octets):bc 39 56 2d 42 a4 e7 62 8d cc 15 1b2f d1 64 22 0e 74 bac1 16 88 06 9c 1c 56 ca cd 17 d4 cc 53 4ae8 93 70 20 38 bb0573 c6 72 4c 92 64 bb ad 2b 7b 72 37 e3c0 3e40 29 e0 c3 69 4b key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):24 56 8c c4 56 c9 169d 33 13 5f 96 74 2a ef 1e a5 c0 9f a5 9c 6a17 54 e3 f8 4d da 66 230c iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):92 d2 da ec 04 ce c8 de 21 2a 8e 0c71 12 64 6d a3 ba a6 31 70 ca 75 26 {client} derive secret "tls13 res master": PRK (32 octets): ea 7a 47 05 8d 09 bb 7b e7 92 82 6c ef 8e 22 ed 8f 40 94 01 9d c5ee bf b8 6e 50 81 37 24 5d 79 91 9a 3d 43 19 61 bc 0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6bca a9 1f 02 07 80 5f c0 3b 1c hash (32 octets):74 61 12 2a b1 9d 89 46 41 d8 1c 0b 32 71 a9 35 909fbe 21 87 ce 40 18d181 d0 4b 1f 9b 95 8ab0 84 01 46 d6 24 97 08 30 e0 91 ae 31 7a d1 0a ae 86 cc 04 70 f8 98 87 86 2f 53 e6 6e e2 info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 74 65 72 2074 61 12 2a b1 9d 89 46 41 d8 1c 0b 32 71 a9 35 909fbe 21 87 ce 40 18d181 d0 4b 1f 9b 95 8ab0 84 01 46 d6 24 97 08 30 e0 91 ae 31 7a d1 0a ae 86 cc 04 70 f8 98 87 86 2f 53 e6 6e e2 output (32 octets):98 854e70 a8 c2 0f 1b 02 44 b8 d9 f2 e9 94 37 7d 11 dd 0b 6b 09 42 29 de f0 cd 55 56ee b9 39 b9 63 8f a3 5a d7 57 84 97 13 35 9ac1 2047 a3 bc 64 4e 72 26 5c a6 f6 4d 37 52 90 d1 73 {server} derive read traffic keys for handshake data: PRK (32 octets):50 26 86 51 18 93 2f ba 00 9f b8 84 c2ab 97 16 88 85 72 36 8f 24 6ce1 8e 44 96 c8 f3 57 dd f0 d1d9 87 3e 59 4e 9e 8c 58 a90b c2 7b 4c 31 92 9c03 9d 4b b0 86 82 ff 61 05 4b 27 48 8b key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):4c 0f 31 7d 9a b1 56 f2 7b71cb ca 63 3d f7 4fbc 0c 4d c2 b7 d6 8a 2c ac 6e d6 f5 c2 81 50 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):e3 19 71 d9 f6 41 4b 45 de 4c 4c e21b b0 fc f0 a3 03 5e e7 87 dc 3e 62 {server} calculate finished "tls13 finished" (same as client) {server} derive read traffic keys for application data (same as client write traffic keys) {server} derive secret "tls13 res master" (same as client) {client} send application_data record: payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 ciphertext (72 octets): 17 03 03 00 4328 e8 c4 0d 6e 0a 832d db e2 e3 33 68 96 b5 df 2c f5 d3 7c f3 50 ba 01 61 52 4f 57 4d 89 44 0c62 58 8a 5a 29 e467 63 9f fc b4 2f a8 1e240a b1 8f 3c 483d 50 c8 57 f0 1f d2 25 6f a4 51 4e 2d 4c a3 77 fd ff 96 260ea6 46 a6 92 4e 93 3d 96 74 29 3f 26 ab35 d6 36 1c 66 39 58 71 7f 03 52 83 5e 8e 3a a8 40 39 48 a5 d6 e6 20 38 70 e6 a3a6 da 07 4c 16 c0 27 68 65 ab 02 df 0e 61 01c7 {server} send application_data record: payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 ciphertext (72 octets): 17 03 03 00 4354 25 7b ed c2 61 dd 2c f2 a5 bd09 f13f ed fc 93 7a 4668 49 32 61 0e 09 17 f6 34 37 02 c6 82 d2 5d 03 ee ac 0c e3 dd 1e 87 3259 9b 6f 16 df 78 2e 92 42 bd 43 b0 b4 7e 79 b6 b5 fd 5a 98 23 d7 6f a6 fc3c 25 ef e9 b3 68 ad1c 84 97 c3 8a 62 20 70 af 9e9f c7 0c 00 49 5c 38 f6 14 d5 01 ae b6 6a 2a72 6c 78 b3 ee bc 92 9b 27 6647 c6 c9 06 d8 b0 32 67 32 1b 7d 6b 32 82 01 be 0b c0 6a {client} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 135a d6 a3 97 6d 9d 6c b8 66 b4 a3 5c 0f b4 53 90 ae dd 88c5 fa f2 2d f7 ce ea b6 f2 0b 3b da ee 3b d9 69 e8 7b aa {server} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 131d 7f 76 5d 2c d2 65 53 b2 f3 a8 c4 0a 71 a7 e6 48 c3 87b5 3a d6 ce 3d 3a 44 c6 4c 0c 85 67 64 6f ee 6e 7c de aa 5. HelloRetryRequest In this example, the client initiates a handshake with an X25519 [RFC7748] share. The server however prefers P-256 [FIPS186] and sends a HelloRetryRequest that requires the client to generate a key share on the P-256 curve. {client} create an ephemeral x25519 key pair: private key (32 octets):2f 74 42 ae 1b ce d7 5e 82 f95d be34 3c af cd fd 6c 14 28 e6 19 f1 f5 1a ae 58 68 01 1b 94 4c3b b2 1c d0 ab b9 c2 ab 42 90 1c bc 23 c8 c2 b8 84 58 ac 6b e9 14 25 dd dd 3a 98 b0 93 b2 public key (32 octets):1877ec d6 d3 b5 46 fb 68 dd 27 35 0f 25 24 87 b7 e8 7b 8a 91 2c e1 a6 a8a1 f8 c2 bf f9 ae ce f0 f3 7c 60 14 f0 5c 82 7f 5f fe 60 5c 3c 32 67 1d 79 8cd0 bb 02 cd 15 491a 29 50 7c 6d {client} send a ClientHello handshake message {client} send handshake record: payload (174 octets): 01 00 00 aa 03 03 fd a5 c0 5a 01 de 6f 64 0f 13 2a 1a a8 b7c9 bc 82 7e a9 0b 53 72 b5 ba 58 29 7e 40 ba 82 77 ce bf be eb 8e af 94 e8 85 36 5ba0 5a 9f 17 91c5 bbca 88 fd f1 ac 8e 07 5e 50 cf 69 0c c9 00 00 06 13 01 13 03 13 02 01 00 00 7b 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06 00 1d 00 17 00 18 00 33 00 26 00 24 00 1d 00 201877ec d6 d3 b5 46 fb 68 dd 27 35 0f 25 24 87 b7 e8 7b 8a 91 2c e1 a6 a8a1 f8 c2 bf f9 ae ce f0 f3 7c 60 14 f0 5c 82 7f 5f fe 60 5c 3c 32 67 1d 79 8cd0 bb 02 cd 15 491a 29 50 7c 6d 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 ciphertext (179 octets): 16 03 01 00 ae 01 00 00 aa 03 03 fd a5 c0 5a 01 de 6f 64 0f 13 2a 1a a8 b7c9 bc 82 7e a9 0b 53 72 b5 ba 58 29 7e 40 ba 82 77 ce bf be eb 8e af 94 e8 85 36 5ba0 5a 9f 17 91c5 bbca 88 fd f1 ac 8e 07 5e 50 cf 69 0c c9 00 00 06 13 01 13 03 13 02 01 00 00 7b 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06 00 1d 00 17 00 18 00 33 00 26 00 24 00 1d 00 201877ec d6 d3 b5 46 fb 68 dd 27 35 0f 25 24 87 b7 e8 7b 8a 91 2c e1 a6 a8a1 f8 c2 bf f9 ae ce f0 f3 7c 60 14 f0 5c 82 7f 5f fe 60 5c 3c 32 67 1d 79 8cd0 bb 02 cd 15 491a 29 50 7c 6d 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 {server} send a ServerHello handshake message {server} send handshake record: payload (176 octets): 02 00 00 ac 03 03 cf 21 ad 74 e5 9a 61 11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 9e 09 e2 c8 a8 33 9c 00 13 01 00 00 84 00 33 00 02 00 17 00 2c 00 74 00 7220be 27 61 a6 66 36 1ce9 22 bf 9a 57 cc 0c 63 8a 0281 90 47 cf 51 00 00 00 00b5 89 27 72 3a 7b 57 e1 de 6d 9d 65 d4 9b5a 99 8e 4c1dc3 d8 dd 02 5b bb e1 0d a6 f2 b2 d1 00 3039 bc 6d f6 e6 1b 34 45 a1 12 cf 2c 5d f4 b3 bd 4c db 05 07 08 57 d9b0 3a 58 2f 9c c5 81 d1 0f 62 6c f022 e8 6a c7 df 91 a9 4a 1b e9 fd 61 ac b3 22 13e3 b9 3d 14 d4 65 f9 48 83 5a 2a b5 31 3a 23 a1 9a eb a3 67 1e 7ad5 63 70 dc fa 29 55 aa c6 d6 ab 28 a2 98 43 62 89 9d 38 b7 b0 9b 3c 4d0d 41 0e 17 4f d0 04 f6 53 f1 08 25 17 3d 1a 90 37 cd ea b4 8676 a4 8b b2df 4e 79 c6bd 05 02 fc c5 61 b5 50 2e87 f9 d9 b1 b9 e2 ae 81 1e 0b 97 4e 8f 82 7b b1 66 a8 2d f7 a1 00 2b 00 02 7f 1c ciphertext (181 octets): 16 03 03 00 b0 02 00 00 ac 03 03 cf 21 ad 74 e5 9a 61 11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 9e 09 e2 c8 a8 33 9c 00 13 01 00 00 84 00 33 00 02 00 17 00 2c 00 74 00 7220be 27 61 a6 66 36 1ce9 22 bf 9a 57 cc 0c 63 8a 0281 90 47 cf 51 00 00 00 00b5 89 27 72 3a 7b 57 e1 de 6d 9d 65 d4 9b5a 99 8e 4c1dc3 d8 dd 02 5b bb e1 0d a6 f2 b2 d1 00 3039 bc 6d f6 e6 1b 34 45 a1 12 cf 2c 5d f4 b3 bd 4c db 05 07 08 57 d9b0 3a 58 2f 9c c5 81 d1 0f 62 6c f022 e8 6a c7 df 91 a9 4a 1b e9 fd 61 ac b3 22 13e3 b9 3d 14 d4 65 f9 48 83 5a 2a b5 31 3a 23 a1 9a eb a3 67 1e 7ad5 63 70 dc fa 29 55 aa c6 d6 ab 28 a2 98 43 62 89 9d 38 b7 b0 9b 3c 4d0d 41 0e 17 4f d0 04 f6 53 f1 08 25 17 3d 1a 90 37 cd ea b4 8676 a4 8b b2df 4e 79 c6bd 05 02 fc c5 61 b5 50 2e87 f9 d9 b1 b9 e2 ae 81 1e 0b 97 4e 8f 82 7b b1 66 a8 2d f7 a1 00 2b 00 02 7f 1c {client} create an ephemeral P-256 key pair: private key (32 octets):12 04 90 37 70 08 12 91 d2 e2 8c 2e 4c cc ae fd fa be a9 02 d6d3 b7 74 44 db 98 f0 23 a7 9b 88 d4 18 e3 74 80 27 67 43 24cc 53 7e 17ae 7ef4 62 e0 4e 689d 7f 25 33 46 34 b7 eb 40 f6 public key (65 octets): 0434 64 59 40 3b b6 5d 0e 0d 11 d1 039c 86 50 ec 41 c5 a8 df da c7 8be7 1b 03 a7 56 2b 01 e0 3a a1 b5 80 25 c41f 35 6588 a4 09 3f 1c 75 98 bd42 16 cf cf 8c792d b5 09 31 58 59 3b 33 22 1a 60 4b f7 df f9 a4 7d cf 13 ee7e fc 5b a7 49 bdcb 29 be 5c 243c 10 82 12 3a 37 f9 3f 9a 00 8c ff 64 5b c4 e5 8f 2073 21 48 2f 44 51 57 b7 33 1e e4 af 71 7b 59 7e 07 6d 56 e9 {client} send a ClientHello handshake message {client} send handshake record: payload (512 octets): 01 00 01 fc 03 03 fd a5 c0 5a 01 de 6f 64 0f 13 2a 1a a8 b7c9 bc 82 7e a9 0b 53 72 b5 ba 58 29 7e 40 ba 82 77 ce bf be eb 8e af 94 e8 85 36 5ba0 5a 9f 17 91c5 bbca 88 fd f1 ac 8e 07 5e 50 cf 69 0c c9 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06 00 1d 00 17 00 18 00 33 00 47 00 45 00 17 00 41 0434 64 59 40 3b b6 5d 0e 0d 11 d1 039c 86 50 ec 41 c5 a8 df da c7 8be7 1b 03 a7 56 2b 01 e0 3a a1 b5 80 25 c41f 35 6588 a4 09 3f 1c 75 98 bd42 16 cf cf 8c792d b5 09 31 58 59 3b 33 22 1a 60 4b f7 df f9 a4 7d cf 13 ee7e fc 5b a7 49 bdcb 29 be 5c 243c 10 82 12 3a 37 f9 3f 9a 00 8c ff 64 5b c4 e5 8f 2073 21 48 2f 44 51 57 b7 33 1e e4 af 71 7b 59 7e 07 6d 56 e9 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2c 00 74 00 7220be 27 61 a6 66 36 1ce9 22 bf 9a 57 cc 0c 63 8a 0281 90 47 cf 51 00 00 00 00b5 89 27 72 3a 7b 57 e1 de 6d 9d 65 d4 9b5a 99 8e 4c1dc3 d8 dd 02 5b bb e1 0d a6 f2 b2 d1 00 3039 bc 6d f6 e6 1b 34 45 a1 12 cf 2c 5d f4 b3 bd 4c db 05 07 08 57 d9b0 3a 58 2f 9c c5 81 d1 0f 62 6c f022 e8 6a c7 df 91 a9 4a 1b e9 fd 61 ac b3 22 13e3 b9 3d 14 d4 65 f9 48 83 5a 2a b5 31 3a 23 a1 9a eb a3 67 1e 7ad5 63 70 dc fa 29 55 aa c6 d6 ab 28 a2 98 43 62 89 9d 38 b7 b0 9b 3c 4d0d 41 0e 17 4f d0 04 f6 53 f1 08 25 17 3d 1a 90 37 cd ea b4 8676 a4 8b b2df 4e 79 c6bd 05 02 fc c5 61 b5 50 2e87 f9 d9 b1 b9 e2 ae 81 1e 0b 97 4e 8f 82 7b b1 66 a8 2d f7 a1 00 2d 00 02 01 01 00 15 00 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ciphertext (517 octets): 16 03 03 02 00 01 00 01 fc 03 03 fd a5 c0 5a 01 de 6f 64 0f 13 2a 1a a8 b7c9 bc 82 7e a9 0b 53 72 b5 ba 58 29 7e 40 ba 82 77 ce bf be eb 8e af 94 e8 85 36 5ba0 5a 9f 17 91c5 bbca 88 fd f1 ac 8e 07 5e 50 cf 69 0c c9 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06 00 1d 00 17 00 18 00 33 00 47 00 45 00 17 00 41 0434 64 59 40 3b b6 5d 0e 0d 11 d1 039c 86 50 ec 41 c5 a8 df da c7 8be7 1b 03 a7 56 2b 01 e0 3a a1 b5 80 25 c41f 35 6588 a4 09 3f 1c 75 98 bd42 16 cf cf 8c792d b5 09 31 58 59 3b 33 22 1a 60 4b f7 df f9 a4 7d cf 13 ee7e fc 5b a7 49 bdcb 29 be 5c 243c 10 82 12 3a 37 f9 3f 9a 00 8c ff 64 5b c4 e5 8f 2073 21 48 2f 44 51 57 b7 33 1e e4 af 71 7b 59 7e 07 6d 56 e9 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2c 00 74 00 7220be 27 61 a6 66 36 1ce9 22 bf 9a 57 cc 0c 63 8a 0281 90 47 cf 51 00 00 00 00b5 89 27 72 3a 7b 57 e1 de 6d 9d 65 d4 9b5a 99 8e 4c1dc3 d8 dd 02 5b bb e1 0d a6 f2 b2 d1 00 3039 bc 6d f6 e6 1b 34 45 a1 12 cf 2c 5d f4 b3 bd 4c db 05 07 08 57 d9b0 3a 58 2f 9c c5 81 d1 0f 62 6c f022 e8 6a c7 df 91 a9 4a 1b e9 fd 61 ac b3 22 13e3 b9 3d 14 d4 65 f9 48 83 5a 2a b5 31 3a 23 a1 9a eb a3 67 1e 7ad5 63 70 dc fa 29 55 aa c6 d6 ab 28 a2 98 43 62 89 9d 38 b7 b0 9b 3c 4d0d 41 0e 17 4f d0 04 f6 53 f1 08 25 17 3d 1a 90 37 cd ea b4 8676 a4 8b b2df 4e 79 c6bd 05 02 fc c5 61 b5 50 2e87 f9 d9 b1 b9 e2 ae 81 1e 0b 97 4e 8f 82 7b b1 66 a8 2d f7 a1 00 2d 00 02 01 01 00 15 00 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 {server} extract secret "early": salt: (absent) ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a {server} create an ephemeral P-256 key pair: private key (32 octets):02 033b 21a8 85 5a 5c ce 43 5e c4 eb 2c 747a 4d b8 ab 31 549d cd 14 b2 50 cc 88 ae b4 e1 a8 27 77 a2 a8 3dd8 f1 ca 4f fc a0 c3 3f 04 8f 1a 06 01 e2 9f 8b b7 f7 9b 36 8c 65 ba a6 public key (65 octets): 04a9 fc65 7e a5 e0 7c 82 1e 25 fd 9e f2 61 4c 08 9f 9d 21 b4 8c c5 44 26e5 99 e4 8d ed 07 36 f4 b1 b2 20 2b77 0d f49c f3 e5 eb 5a 37 0b aa 88 8b 45 50 27 32 36ef 95 8a 85e5 e8 eb 52 e1 d3c5 e0 3c e3 8b 5e 7e 7b 6f 6373 0892 f0 e3 6c f1 11 9a 9b 59 59 76d4 4a 1a cf 53 25 8e a6 e1 75 c1 4c 5f 20 2c a0 eb b8 a7 3a f2 3479 83 93 19 e4 0e d1 f0 9a 06 81 d2 ec 71 {server} send a ServerHello handshake message {server} derive secret for handshake "tls13 derived": PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba {server} extract secret "handshake": salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba ikm (32 octets):67 5e 8f e3 7d f3 8e b4 ae d1 ac 3e a4 a0 a1 63 a7 26 56 83 e4 3d cafe b0 20 4b f7 6c ce 9540 43 87 73 24 aa cf 7068 ae ef fa 0b 10 ef c7 64 06 5c 03 48 cc f4 f2 f8 97 22 f2 f5 5c df a8 secret (32 octets):56 b6 d9 4c b7 89 04 5691 35 3f 0785 86 b5 d6 5d 69 69 bc 7c 48 51 ff 7f 95 33 75 ed cb e2 60 4c 1f 8e99 0d 6d 5a e0 43 f2 dd 4b 36 45 a8 2d d7 a4 8b 91 73 36 5c af 7e 09 80 ba f4 9d 15 {server} derive secret "tls13 c hs traffic": PRK (32 octets):56 b6 d9 4c b7 89 04 5691 35 3f 0785 86 b5 d6 5d 69 69 bc 7c 48 51 ff 7f 95 33 75 ed cb e2 60 4c 1f 8e99 0d 6d 5a e0 43 f2 dd 4b 36 45 a8 2d d7 a4 8b 91 73 36 5c af 7e 09 80 ba f4 9d 15 hash (32 octets):0b 61 d4 9c 83 fe f7 da 0312 5d 040f e3 5e 729c 5f a7 94 33fe01 e3 0c 64 53 2d 45 00 66 c7 be b0 cd 26 bd0f 47 e2 c0 e0 9c 85 a4 a1 2f 89 a0 04 a1 6f3f 7a 33 43 ab 7c fc bb 0d info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 61 66 66 69 63 200b 61 d4 9c 83 fe f7 da 0312 5d 040f e3 5e 729c 5f a7 94 33fe01 e3 0c 64 53 2d 45 00 66 c7 be b0 cd 26 bd0f 47 e2 c0 e0 9c 85 a4 a1 2f 89 a0 04 a1 6f3f 7a 33 43 ab 7c fc bb 0d output (32 octets):96 f0 1d 63 6d66 65 be 10 30 f9 05 87b9 36 1c 0b 8b 93 0c74 35 d5 6b 4a 9b d8 ded9 7b 59 06 0b 89 3b e27f 4e5d 64 b5 25 86 c0 3937 1c ef 29 5b ac1839 7b 98 d7 35 f5 16 54 {server} derive secret "tls13 s hs traffic": PRK (32 octets):56 b6 d9 4c b7 89 04 5691 35 3f 0785 86 b5 d6 5d 69 69 bc 7c 48 51 ff 7f 95 33 75 ed cb e2 60 4c 1f 8e99 0d 6d 5a e0 43 f2 dd 4b 36 45 a8 2d d7 a4 8b 91 73 36 5c af 7e 09 80 ba f4 9d 15 hash (32 octets):0b 61 d4 9c 83 fe f7 da 0312 5d 040f e3 5e 729c 5f a7 94 33fe01 e3 0c 64 53 2d 45 00 66 c7 be b0 cd 26 bd0f 47 e2 c0 e0 9c 85 a4 a1 2f 89 a0 04 a1 6f3f 7a 33 43 ab 7c fc bb 0d info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 61 66 66 69 63 200b 61 d4 9c 83 fe f7 da 0312 5d 040f e3 5e 729c 5f a7 94 33fe01 e3 0c 64 53 2d 45 00 66 c7 be b0 cd 26 bd0f 47 e2 c0 e0 9c 85 a4 a1 2f 89 a0 04 a1 6f3f 7a 33 43 ab 7c fc bb 0d output (32 octets):48 c0 79 83 b0 b1 9b 41 75 36 af 49 aa 3c 4f a1 20 26 fe fa 16 d0 40 12 8b 7f 87d6 d3 a4 da b6 55 19 ef aa d1 8e 18 4a f2 6f 6a 2f 41 08 a3 6cab fe 14e9 90 ef 5c 36 bb d9 d2 36 d8 d7 {server} derive secret for master "tls13 derived": PRK (32 octets):56 b6 d9 4c b7 89 04 5691 35 3f 0785 86 b5 d6 5d 69 69 bc 7c 48 51 ff 7f 95 33 75 ed cb e2 60 4c 1f 8e99 0d 6d 5a e0 43 f2 dd 4b 36 45 a8 2d d7 a4 8b 91 73 36 5c af 7e 09 80 ba f4 9d 15 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets):ef ff c0 f0 7a 08 0f cd c7 7e558a 02 f1 77 f7 32 a9 ff 20 12 8b3a 3f 4d 42 b9 da 6e 66a0 dee71c a3 99 74 ba c826 49 40 2d 1e 00 25 e3 de 0e 87 51 0d f7 ab 88 0e 85 bc e4 7f ae {server} extract secret "master": salt (32 octets):ef ff c0 f0 7a 08 0f cd c7 7e558a 02 f1 77 f7 32 a9 ff 20 12 8b3a 3f 4d 42 b9 da 6e 66a0 dee71c a3 99 74 ba c826 49 40 2d 1e 00 25 e3 de 0e 87 51 0d f7 ab 88 0e 85 bc e4 7f ae ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets):67 f3 ca a1 17 80 44 45 c3 84 1d f029 c7 bf 4a b3 ef 65 96 1b 70 85 62 2f cf 5d d6 c8 6b 01 4e d5 7d 6d 33 92 76 9b 58 d8 cf0c be 84 eb 2d 1e 29 29 3c de 0e 59 8b c0 79 99 24 003b a4 {server} send handshake record: payload (123 octets): 02 00 00 77 03 03a9 8d a5b0 4a 61 26 aa 7b 5c f3 0f 4a 09 1c 8f 2f 38 1267 95 e8 50 bf d4 69 ae 41 2c 8a d6 c6 a2 43 da b5 ca 6885 d7 7c bc db 73 9bcc 37 7b 7f 45 7e 93 576a 26 f3 73 0e 2c aa a8 f2 00 13 01 00 00 4f 00 33 00 45 00 17 00 41 04a9 fc65 7e a5 e0 7c 82 1e 25 fd 9e f2 61 4c 08 9f 9d 21 b4 8c c5 44 26e5 99 e4 8d ed 07 36 f4 b1 b2 20 2b77 0d f49c f3 e5 eb 5a 37 0b aa 88 8b 45 50 27 32 36ef 95 8a 85e5 e8 eb 52 e1 d3c5 e0 3c e3 8b 5e 7e 7b 6f 6373 0892 f0 e3 6c f1 11 9a 9b 59 59 76d4 4a 1a cf 53 25 8e a6 e1 75 c1 4c 5f 20 2c a0 eb b8 a7 3a f2 3479 83 93 19 e4 0e d1 f0 9a 06 81 d2 ec 71 00 2b 00 02 7f 1c ciphertext (128 octets): 16 03 03 00 7b 02 00 00 77 03 03a9 8d a5b0 4a 61 26 aa 7b 5c f3 0f 4a 09 1c 8f 2f 38 1267 95 e8 50 bf d4 69 ae 41 2c 8a d6 c6 a2 43 da b5 ca 6885 d7 7c bc db 73 9bcc 37 7b 7f 45 7e 93 576a 26 f3 73 0e 2c aa a8 f2 00 13 01 00 00 4f 00 33 00 45 00 17 00 41 04a9 fc65 7e a5 e0 7c 82 1e 25 fd 9e f2 61 4c 08 9f 9d 21 b4 8c c5 44 26e5 99 e4 8d ed 07 36 f4 b1 b2 20 2b77 0d f49c f3 e5 eb 5a 37 0b aa 88 8b 45 50 27 32 36ef 95 8a 85e5 e8 eb 52 e1 d3c5 e0 3c e3 8b 5e 7e 7b 6f 6373 0892 f0 e3 6c f1 11 9a 9b 59 59 76d4 4a 1a cf 53 25 8e a6 e1 75 c1 4c 5f 20 2c a0 eb b8 a7 3a f2 3479 83 93 19 e4 0e d1 f0 9a 06 81 d2 ec 71 00 2b 00 02 7f 1c {server} derive write traffic keys for handshake data: PRK (32 octets):48 c0 79 83 b0 b1 9b 41 75 36 af 49 aa 3c 4f a1 20 26 fe fa 16 d0 40 12 8b 7f 87d6 d3 a4 da b6 55 19 ef aa d1 8e 18 4a f2 6f 6a 2f 41 08 a3 6cab fe 14e9 90 ef 5c 36 bb d9 d2 36 d8 d7 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):c9 66 8b e3 a4 eb 59 74 eb 92 ff 0251 dc bbd7 2e 0bf8 4c a6 41 9d 5c 5f 52 32 da 05 c0 af iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):a0 3e bc f0 df 01 00 7b 81 7b 21 deb1 c3 52 60 1b c5 a8 3d 37 e1 27 fe {server} send a EncryptedExtensions handshake message {server} send a Certificate handshake message {server} send a CertificateVerify handshake message {server} calculate finished "tls13 finished": PRK (32 octets):48 c0 79 83 b0 b1 9b 41 75 36 af 49 aa 3c 4f a1 20 26 fe fa 16 d0 40 12 8b 7f 87d6 d3 a4 da b6 55 19 ef aa d1 8e 18 4a f2 6f 6a 2f 41 08 a3 6cab fe 14e9 90 ef 5c 36 bb d9 d2 36 d8 d7 hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets):c9 32 f8 bb a8 09 0c d8 3c fa ae 73 f8 41 79 6c bb a9 97 73 28 e4 53 d6 a1 da c8 8c8e 5f be fe 35 d1 12 a80b 2b ecbd 57 10 e8 b1 00 dd 61 dc 48 a3 d0 29 87 3e fb c3 ab 67 07 01 8e 86 6e {server} send a Finished handshake message {server} send handshake record: payload (639 octets): 08 00 00 12 00 10 00 0a 00 08 00 06 00 17 00 18 00 1d 00 00 00 00 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 96 12 29 ac 91 87 b4 2b 4d e1 00 00 0f 00 00 84 08 04 00 807d 29 50 6f 66 e0 87 bd b7 c1 5b 15 f5 f9 32 72 41 8a 59 c5 74 59 13 33 9c f31a 785a 39c0 8678 55 66 d7 95 2d 9e a9 ab 9f 77 87 6e 6a7a 27 20 398b 5b 88 2c 83 e5 43 d3 c1 80db d4 e2 9530 ef 30 70 fb e4ae e0 eba9 07 2c 6cce a5 67 5c 09 f6 c6 2d b9 f3 9d 94 9b c2 2e 1e 2395 6b de1c eb dc b8 a6 ec 2e b3 7f 98 bb bf bb eb f7 64 bb b6 80 45 48 b7 78 52 f4 92 15 60 35 1f 99 8f 42 0d f7 ea ad 47 4b 3a 1a 50 db cb 0e6140 eb 2a 58 5b 64 5e 0b 4cd0 13 aa e7 9c b1 86 76 0a9555 aa 7c 62 2a 29 5c13 6c 02 87 ce9e f4 7b eb 28 06 10 29 4e a0 a4 cc ca 29 92 00 ab f2 25 44 3d 0b 50 d1 f8 b1 fa 9b 98 f3 38 b82e 74 ee 5b 99 48 43 77 e3 de ee 00 13 49 9c aa a2 2f 13 6508 87fb 26 21 05 83 26 d3 6a 92 47 56 d3 ae 8c b9 3b 14 00 00 2043 2a 866b a4 58 68 e6 28 c9 7a e3 b0 e14a 5e 66 f5 57 83 3f 3968 c6 eaeb 85 71 13 0b cd 59 ba 06 5d 8d 6d b4 26 ac 11 43 da 0eff 9e 58 e5 97 58 28 76 29 c5 93 68 c6 21 27 61 b6 a3 ciphertext (661 octets): 17 03 03 02 902a 10 90 52 02 96 ad d1 82 97 945b bc c2 f4 05 15 00 8f 44 54 2c 78 a4 87 46 58 09 04 6f 46 b0 e1 7452 0da9 e8 ad fa 07 60 b7 1b 25ef c8 1d 11 77 14 c5 0d4d a3 19 49 d532 d9 df f1 fa fe 96 c7d7 0f 3b66 e4 7d 81 e6 25 2b 66 86 b8 86 37 10 26 0e 15 4b c4 8d 8a e2 f2 67 45 f5 98 ee 7b 46 70 cb 87 89 3a 73 81 7f cb 09 45 5f1a 6b 6d c2 1c 5a 68 1a af bf e58d 49 5c 07 7a70 caa3 b3 ae 9ccb 35 7b 47 00 cca4 58 5b 12 6d f474 68 4c c2 99 ba f1 96 02 d5 55 b2 d9 66 4a 35 de 49 37 7e 8c5f a4 f9 d2 b4 b5 0b dcb7 a5 10 b9 c1 ba 4e a6 99 68 3d 39 1b 86 d7 31 e3 2e 1d bc 86 72a8 42 eb 09 5f 71 f92477 d4 5d d8 ee 69 62 81 87 86 0d f3 d62d 90 f9 36 27 cd 12 39 65 4c 6b 05 92 5e f0 8b80 a3 c7 c7 d4 ca4f 3661 69 2f a4 64 23 f5 64 2d 73 6e7c e3 4d 5f 08 ce 41 27 63b0 41 07 47 f6 55 eb db 18 37 c1 6f 59 bd c2 db 64d1 e392 fd 9223 ae dd 7a 94 c4 db cc 13 85 5a 31 cc 3a 32 68 fa f4 49 ef 17 b2 90 65 77b0 ac e7eb 7e 49 04 bf 9a 9f eb af 80 1c1a 1518 61 dd 18 e7 0f c7 ee 58 38 dae4 13 6c 84 aa 17 7b 69 4d 33 e0 b0 ac 68 0b f0 46 54 d0 03 75 84 c9 b4 0690 38 90 5987 ff 49 02 70 07 f9 1b9529 ef a3 87 2c 6a df a9 a9 f8 75 4a 57 f2 a1 6c 16 d3 34 06 ac 27 a8 93 ca 13 2c c3 3a 89 d2 2f f1 fa 70 c0 c6 06 10 1d 89 64 ff 42 3d 13 b7 ac 11 b7 e958 f9 4791 b0 51 45 6a 9b 6f 41 b6 66 00 79 60 8e 87 22 d2 ad 87 36 92d4 70 bfdb 79 f2 9e 67cf 94 29 2a ca 94 83 e4 62 bf 2b c8 a6 166d 82 a9 5c be 36 e3 d1 6788f5 32e1 5b 47 7c 88 e4 337b f9 4cbf546e ad 2e 97 ac 4a 15 d0 27 60 d1 3102 22 4eb2 45ee 98 0d 05 d4 68 fa dc 12 91 a2 6f 13 81 01 5c 21 f3 d525 57 0b 67 e4 d636 9f 29 5127 e0 1f b3 de eb 33 f4 97 7ea2 f6 1b 9b 7f 20 6a 63 c8 10 d1 3b 74 e4 29 e6 6d 08 1e 41 7f 9643 ea 5d 1c f5 f1 8d 27 14 f1 bd ea 6e82 8843 9c bb 07 6a 02 76 01 e3 ac 60 39 d7 85 d6 8b 11 ed 5f dd 8b 17 87 27 12 31 c1 cd daa517 a2 70 85 522d b6 cb 22 35 33cf 1c c2 c9 b9 1d d3 54 77 f7 96 5e 15 87 8c a8 5b b5 a2 03 08 be ed d6e6 84 2a 70 6c e0 9f 3d 1210 af 47 82 76 60 f2 b2 cd b3 b7 d5 3b b7 9e 19b6 4f 08 f5 f4 d2 ca 3d 55 6d 88da 0a 641f39 d5 b9 48 f2 5e f0 fc 9b c4 2f 83 ce 09 40 5f 46 1625 de 1e4d 06 6f 71 07 9d ff cc 28 cb f3 ba 4f 4b 655f39 1d 49 c9 1d 6a 92 58 67 52 8f e5 a1 09 1c 5c 86 29 cb 0b 7b 91 50 a9 f8 17c1e4 18 91 0a f4 0b f9 cd f0a5 a485 c6 d7 a3 be 2c 9c79 62 00 022e 2e 63 f5 86 68 2d22 cd cb 70 8c 27 fd d4 16 7aa868 fa17 c5 c8 ba b8 ee 8c 8d 26 8a 2f f7be b6 ca 42 e250 73 eb c2 76 fb 6c 65 17 33 dad2 b828 50 0d a77c 3f a8 68 83 35 de 97 f9 06 bf 6909 df 4f 95 04 d8 23 ca 32 de e7 2a 0b 18 b1 16 28 20 ab a1 c0 1b e8 0b 3f c4 24 d2 8b 66 39 6c c5 45 d3 6d 88 65 1e c7 24 c9 91 18 86 cb 60b4 23 dd 9c 1a 7e 9e c2 3c 78 4c52 cc 8f cd 83 7a 26 82 0b 69 41 9d fd a7a0 44 35 6cc1 79 57 aa 11 26 62 3a 6a 4e de 84 30 a3 e127 c3 54 73 ed 92 49 feff c5 38 59 a5 95 d6 681a 70 ca60 e1 07 59 01 11db c1 e5 4f 51 12 ae 74 d1 88 c2 db dc f08d 33 9b a9 bb 04 ff 78 20 2c 6c b9 23 23 ad 6613 28 02 10 5e 8b de ae4b 3a e3 c3 c5 5350 b1 b3 55a4 b7 34a6 82 91 7303fb ebda 89 2e 653b bc 4b 0c 5c 7740 60 14 78 81 4bb2 94 dc 50 44 c4 7f 70 5b d6e0 ce 3f da 97 05 0b 72 63 8073 af 3a e5 c6 45 29 1e fc 9d 9c 17 6b 19 bd 95 47 55 dc a2 2e 2b 52 13 a5 37 2ed96b 9f 89 f6 30 80 89 f3 98 2a 13d6 d9 a9 55 36 48 c1 05 4f 96 9a 6a 1a 6f d7 f241 30 3b 2e 5d c0 d4 3f fa 73 16 d2 79 bd 78 d1 65 e0 33 61 16 66 fd 79 a3 9088 46 8d 0e 62 69 95db f5 5a 43 e0 89 b1 3b db 6a 33 ef b399 4c e5 b4 2a 4f bb0b 67 9c589d 2a16 3e4f 56 18 46 dd 9ba6 e2 f1 1b 73 8c 07 34c4 68 a9 ce 4d bd 63 59 2991 1a 2b c2 9d 06 f3 38 f7b5 1f 21 a9 67 92a3 83 ae 50 9722 7d 7e71 ea 11 f5 18 38 29 42 5d 89 27 d3 2a 39 18 1d 6a a1db 4c91 8d 25 {server} derive secret "tls13 c ap traffic": PRK (32 octets):67 f3 ca a1 17 80 44 45 c3 84 1d f029 c7 bf 4a b3 ef 65 96 1b 70 85 62 2f cf 5d d6 c8 6b 01 4e d5 7d 6d 33 92 76 9b 58 d8 cf0c be 84 eb 2d 1e 29 29 3c de 0e 59 8b c0 79 99 24 003b a4 hash (32 octets):91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 54 51 f8 70 7c 4f 14 92 ed 2e 84 7e 08 7e 6a bf 980c cb 7b d0 f0 9f 0e 88 25 77 3f a6 3d 47 60 d0 de b1 ca 2d 33 34 a8 b3 3f 93 2d d4 83 11 b4 1d info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 61 66 66 69 63 2091 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 54 51 f8 70 7c 4f 14 92 ed 2e 84 7e 08 7e 6a bf 980c cb 7b d0 f0 9f 0e 88 25 77 3f a6 3d 47 60 d0 de b1 ca 2d 33 34 a8 b3 3f 93 2d d4 83 11 b4 1d output (32 octets):33 6062 b9 5d 5d 7033 79 0d 4d 7d 0f d0e3 61 a7 ac dbd9 6f 3c 78 21 75 8f 78 14 79 4f 9b b1 e9 c9 17 de4c 1d 0b 76 ad 8e 52 40 72 d8 65 7bef d4 b2c5 60 45 19 7c 56 95 ae 7d 1f {server} derive secret "tls13 s ap traffic": PRK (32 octets):67 f3 ca a1 17 80 44 45 c3 84 1d f029 c7 bf 4a b3 ef 65 96 1b 70 85 62 2f cf 5d d6 c8 6b 01 4e d5 7d 6d 33 92 76 9b 58 d8 cf0c be 84 eb 2d 1e 29 29 3c de 0e 59 8b c0 79 99 24 003b a4 hash (32 octets):91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 54 51 f8 70 7c 4f 14 92 ed 2e 84 7e 08 7e 6a bf 980c cb 7b d0 f0 9f 0e 88 25 77 3f a6 3d 47 60 d0 de b1 ca 2d 33 34 a8 b3 3f 93 2d d4 83 11 b4 1d info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 61 66 66 69 63 2091 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 54 51 f8 70 7c 4f 14 92 ed 2e 84 7e 08 7e 6a bf 980c cb 7b d0 f0 9f 0e 88 25 77 3f a6 3d 47 60 d0 de b1 ca 2d 33 34 a8 b3 3f 93 2d d4 83 11 b4 1d output (32 octets):82 4f 40 74 98 f3bb 4b e6 55f7 c4 56 7d 1a c4 9d a3 cc75 24 ef c0 ea d5 e4 1f 3a a7 9b 66 2d 54 e7 441c fe a5 7c 86 6d 01 28 04 88 63b9 60 bf 4d 74bb 4f a184 12 98 ea 3c 94 a3 {server} derive secret "tls13 exp master": PRK (32 octets):67 f3 ca a1 17 80 44 45 c3 84 1d f029 c7 bf 4a b3 ef 65 96 1b 70 85 62 2f cf 5d d6 c8 6b 01 4e d5 7d 6d 33 92 76 9b 58 d8 cf0c be 84 eb 2d 1e 29 29 3c de 0e 59 8b c0 79 99 24 003b a4 hash (32 octets):91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 54 51 f8 70 7c 4f 14 92 ed 2e 84 7e 08 7e 6a bf 980c cb 7b d0 f0 9f 0e 88 25 77 3f a6 3d 47 60 d0 de b1 ca 2d 33 34 a8 b3 3f 93 2d d4 83 11 b4 1d info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 74 65 72 2091 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 54 51 f8 70 7c 4f 14 92 ed 2e 84 7e 08 7e 6a bf 980c cb 7b d0 f0 9f 0e 88 25 77 3f a6 3d 47 60 d0 de b1 ca 2d 33 34 a8 b3 3f 93 2d d4 83 11 b4 1d output (32 octets):aaac 26 20 81 4f 70 43 09d036 bed1 a3 70c0 84 924b bd 25 44 60 e7b8 5d 36 3f 71 2f c4f1 3c 0a 68 8f 6b b9 f5 b1 e3 35f6 7b7282 a7 7b 5e 75 e3 42c9 17ee 11 3c {server} derive write traffic keys for application data: PRK (32 octets):82 4f 40 74 98 f3bb 4b e6 55f7 c4 56 7d 1a c4 9d a3 cc75 24 ef c0 ea d5 e4 1f 3a a7 9b 66 2d 54 e7 441c fe a5 7c 86 6d 01 28 04 88 63b9 60 bf 4d 74bb 4f a184 12 98 ea 3c 94 a3 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):1d dde313 e4 23 c0 bb08 90 8b 31 47 94 f7 9e 88 ee 2a 58 69 b46e 21 55 4e 62 bc 028c iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):1d 33 01 7e 40 29 4c bc df b2 cd ec32 03 04 48 9a 32 bb fe 2f 16 eb 30 {server} derive read traffic keys for handshake data: PRK (32 octets):96 f0 1d 63 6d66 65 be 10 30 f9 05 87b9 36 1c 0b 8b 93 0c74 35 d5 6b 4a 9b d8 ded9 7b 59 06 0b 89 3b e27f 4e5d 64 b5 25 86 c0 3937 1c ef 29 5b ac1839 7b 98 d7 35 f5 16 54 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):dd e8 55 4c 07 08 a0 f7 7c dd da 22 50 43 b4 8223 36 dc fa e3 03 4b 23 54 7b 1c 94 1f bd 99 00 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):107d 1a b0 07 49 38 3b 72 75 4e 9001 0f e7 e8 21 c7 40 6b 82 d0cb {client} extract secret "early": salt: (absent) ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a {client} derive secret for handshake "tls13 derived": PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba {client} extract secret "handshake": salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba ikm (32 octets):67 5e 8f e3 7d f3 8e b4 ae d1 ac 3e a4 a0 a1 63 a7 26 56 83 e4 3d cafe b0 20 4b f7 6c ce 9540 43 87 73 24 aa cf 70 secret (32 octets): 56 b6 d9 4c b7 89 04 56 07 85 86 b5 d6 5d 69 69 bc 7c68 ae ef fa 0b 10 ef c7 64 06 5c 03 4851 ff 7f 95 33 75 ed cb e2 60 4c 1f 8ecc f4 f2 f8 97 22 f2 f5 5c df a8 secret (32 octets): 91 35 3f 07 99 0d 6d 5a e0 43 f2 dd 4b 36 45 a8 2d d7 a4 8b 91 73 36 5c af 7e 09 80 ba f4 9d 15 {client} derive secret "tls13 c hs traffic" (same as server) {client} derive secret "tls13 s hs traffic" (same as server) {client} derive secret for master "tls13 derived" (same as server) {client} extract secret "master" (same as server) {client} derive read traffic keys for handshake data: PRK (32 octets):48 c0 79 83 b0 b1 9b 41 75 36 af 49 aa 3c 4f a1 20 26 fe fa 16 d0 40 12 8b 7f 87d6 d3 a4 da b6 55 19 ef aa d1 8e 18 4a f2 6f 6a 2f 41 08 a3 6cab fe 14e9 90 ef 5c 36 bb d9 d2 36 d8 d7 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):c9 66 8b e3 a4 eb 59 74 eb 92 ff 0251 dc bbd7 2e 0bf8 4c a6 41 9d 5c 5f 52 32 da 05 c0 af iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):a0 3e bc f0 df 01 00 7b 81 7b 21 deb1 c3 52 60 1b c5 a8 3d 37 e1 27 fe {client} calculate finished "tls13 finished" (same as server) {client} derive secret "tls13 c ap traffic" (same as server) {client} derive secret "tls13 s ap traffic" (same as server) {client} derive secret "tls13 exp master" (same as server) {client} derive write traffic keys for handshake data (same as server read traffic keys) {client} derive read traffic keys for application data (same as server write traffic keys) {client} calculate finished "tls13 finished": PRK (32 octets):96 f0 1d 63 6d66 65 be 10 30 f9 05 87b9 36 1c 0b 8b 93 0c74 35 d5 6b 4a 9b d8 ded9 7b 59 06 0b 89 3b e27f 4e5d 64 b5 25 86 c0 3937 1c ef 29 5b ac1839 7b 98 d7 35 f5 16 54 hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets):a2 e7 bc 56 e4 4c 66 f7 b1 f7 e9 5f 43 4b 03 492e 93 ce 7c0964 a9 1173 969d d3 1e c3 f0 4d 01 8b 22 b86e03 9e ce 90 91 a188 a2 e7 5e 4b 5b 52 bd3b bc 48 4c bf 3c 11 44 f6 {client} send a Finished handshake message {client} send handshake record: payload (36 octets): 14 00 00 20dd 60 b6 e8 68 65 0c d8 8a 16 ae ea be c9 ef 92 8b2d 69 87 f1 81 4d d14a 55 cc fc 9b 25 36 bb f8 5b ef cb a9 2f02 06 c9 22 e4 ab c8 26 b3 54 08 6c 19 53 1f 20 46 02 a4 b9 9f c2 07 44 35 ciphertext (58 octets): 17 03 03 00 3510 83 df 24 a1 2c 20 11 96 5e 1c 0c d5 82 85 53 dc 17 d9 4f 60 a4 b9 03 58 8cd3 c3 af 19 fd d5 cf 86 1e 1e cd b5 42 30 0063 3b de 1c 93 48 a5 38 d4 a9 67 66 ce e511 23 a8 2c fc b0 f7 324655 fa c3 52 4c84 8b cd 12 19c4 9b2f91 08 58 ca 3e d1 8e 22 a3 c3 c8 c2 00 75 9e b2 c6 95 8c 02 6b c1 c3 {client} derive write traffic keys for application data: PRK (32 octets):33 6062 b9 5d 5d 7033 79 0d 4d 7d 0f d0e3 61 a7 ac dbd9 6f 3c 78 21 75 8f 78 14 79 4f 9b b1 e9 c9 17 de4c 1d 0b 76 ad 8e 52 40 72 d8 65 7bef d4 b2c5 60 45 19 7c 56 95 ae 7d 1f key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):74 df73 56 0a 5432 03 d8 58 9d c50e 2743 85 9f 6c cd da05 3e f9 28 d9 25 23 72 dc 82 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets): ba 7e bb 92 b1 cb 06 c1af 57 8c 97 99 e3 a6 48 08 70 3539 c7 df bd {client} derive secret "tls13 res master": PRK (32 octets):67 f3 ca a1 17 80 44 45 c3 84 1d f029 c7 bf 4a b3 ef 65 96 1b 70 85 62 2f cf 5d d6 c8 6b 01 4e d5 7d 6d 33 92 76 9b 58 d8 cf0c be 84 eb 2d 1e 29 29 3c de 0e 59 8b c0 79 99 24 003b a4 hash (32 octets):e6 a1 73 98 69f0 16 61 e7 4c ae b5 8f 27 661ddc 65 c6 67 87 41 bbdc 11 0a ed ed 74 bc07 23 24 a1 1374 65 fa33 2d 50 8a a920 ec 69 ea 9e cc 73 60 b2 9d d2cd 03 1c 3e ee info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 74 65 72 20e6 a1 73 98 69f0 16 61 e7 4c ae b5 8f 27 661ddc 65 c6 67 87 41 bbdc 11 0a ed ed 74 bc07 23 24 a1 1374 65 fa33 2d 50 8a a920 ec 69 ea 9e cc 73 60 b2 9d d2cd 03 1c 3e ee output (32 octets):5f 86 e4 2a b7 ff e8 49 b9 3e ed b3 f6 e3 88 a8 a4bd 557223 17 8e 08 61 b1cc 03 88 30 44 c6 dd 25 04 57 b9 8bc1 8a e3 0c 9f f5 a7 fe 68 f2 66 33 af 70 4a ee 1b 64 3e 3a c5 e4 f7 ef {server} calculate finished "tls13 finished" (same as client) {server} derive read traffic keys for application data (same as client write traffic keys) {server} derive secret "tls13 res master" (same as client) {client} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 13a5 48 29 ee 82 c4 6f 8a 11 08 8a ff d2 51 1e 5c 2d d6 d1f8 41 57 a0 1d b2 73 9d a1 86 c3 a8 2f 23 cb 31 83 ad e0 {server} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 13 a2 06 45 93 d6 f1 8a 0e 7e 1d c6 e8 76 69 b3 c4 5478 81 09 80 71 83 23 ed 12 c2 e3 d1 a0 c0 f4 87 72 4062 e4 6. Client Authentication In this example, the server requests client authentication. The client uses a certificate with an RSA key, the server uses an ECDSA certificate with a P-256 key. Note that private keys for this example are not included in the draft. {client} create an ephemeral x25519 key pair: private key (32 octets):6d 8b a2 5f f181 2f8809 40 11f2 67 80 03 48 ea da fc c1 c5 74 1c 65 fc 45 8d fd b4 f8 f0 19 8f 01ad f7 29 ff 7c a2 b2 4d 0d 16 49 c9 e3 d4 af 0d 1e dc 10 a1 ae 7c b8 14 a4 96 22 public key (32 octets):96 33 5a 91 2f 9a 39 44 4c cc 0479 fd51 51 f0 de 0b da6e fb c1 92 0402 75 dd 2f40 aa 32 5c dc ea 3f 3c b7 0710 5a 1c 7d 93 89 998f ea 03 13 fa 76 6a c3 76 1e dc 62 ad 2c 31 {client} send a ClientHello handshake message {client} send handshake record: payload (186 octets): 01 00 00 b6 03 031d fe f2 7382 97 3b d3 3b b449 8b 2c81 f5 37 de c6 5a cd 48 5b d4 bd aa 20 f7 d2 2f 68e0 44 af 2c 39 12 ca 6e 91 4b d8 88 f9 09 41 8b f4 8b a3 b5 75 a4 a10c 89 2f 68 45 06 51 a5 0e 00 00 06 13 01 13 03 13 02 01 00 00 87 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00 26 00 24 00 1d 00 2096 33 5a 91 2f 9a 39 44 4c cc 0479 fd51 51 f0 de 0b da6e fb c1 92 0402 75 dd 2f40 aa 32 5c dc ea 3f 3c b7 0710 5a 1c 7d 93 89 998f ea 03 13 fa 76 6a c3 76 1e dc 62 ad 2c 31 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 ciphertext (191 octets): 16 03 01 00 ba 01 00 00 b6 03 031d fe f2 7382 97 3b d3 3b b449 8b 2c81 f5 37 de c6 5a cd 48 5b d4 bd aa 20 f7 d2 2f 68e0 44 af 2c 39 12 ca 6e 91 4b d8 88 f9 09 41 8b f4 8b a3 b5 75 a4 a10c 89 2f 68 45 06 51 a5 0e 00 00 06 13 01 13 03 13 02 01 00 00 87 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00 26 00 24 00 1d 00 2096 33 5a 91 2f 9a 39 44 4c cc 0479 fd51 51 f0 de 0b da6e fb c1 92 0402 75 dd 2f40 aa 32 5c dc ea 3f 3c b7 0710 5a 1c 7d 93 89 998f ea 03 13 fa 76 6a c3 76 1e dc 62 ad 2c 31 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 {server} extract secret "early": salt: (absent) ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a {server} create an ephemeral x25519 key pair: private key (32 octets):4c 22 f1 c1 22 00 9b 54 ae dc 6f 54 2e 98 01 4d a2 91 e6 f5 b8 77 03 67 5e 49d6 8f 8d b3 5c 04 61 e2 5f 95 f610 06 ae 86 6523 04 4b 61 bd a3 9d 08 f8 5c 64 43 50 a0 4d 57 d8 9c 66 7a ca public key (32 octets):c5 4d 65 0c e2 52 6e 90 24 f2 a3 68 9e 3b 82 58 87 e5 82 b6 c0 e6 07 75 dd a0 bd 2f 8a 5b 6d 53c3 ec 4f 42 40 70 ce 83 c7 91 fa 32 8f e9 ae 00 96 ab fc cc 15 b9 aa ec eb f6 0b f4 8f 0b 0f 2e {server} send a ServerHello handshake message {server} derive secret for handshake "tls13 derived": PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba {server} extract secret "handshake": salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba ikm (32 octets):49 a2 14 3a 0c 4b 7ca1 74 df 38 d7 a4e9 c1 3a 6f 64 93 88 ec 4d 34 87 b5 dc d028 b6 2e 99 80 83 00 c6 8c e5 5a 89 1a 80 74 d9 f0 99 56 78 eb 55 6837 bd 5c 41 23 a2 e0 1e 5bfe c5 07 secret (32 octets):f4 58 19 79 77 70 fb 25 ec e8 ec 054c ce3a 97 3e76 5f ac c330 47 00 5c 29 fd f8 b0 3d15 26 36 dc 39 a9 12 ad 99 3573 ba75 ff f1 bf 21 55 3b8b 6d7a bd 5e 49 f3 76 fa 39 d6 {server} derive secret "tls13 c hs traffic": PRK (32 octets):f4 58 19 79 77 70 fb 25 ec e8 ec 054c ce3a 97 3e76 5f ac c330 47 00 5c 29 fd f8 b0 3d15 26 36 dc 39 a9 12 ad 99 3573 ba75 ff f1 bf 21 55 3b8b 6d7a bd 5e 49 f3 76 fa 39 d6 hash (32 octets):b4 76 d4 d5 07 36 d3 7a 2a ed 25 98 2a 10 6e ec 8c 28 f357ef65 198c b6 1d e4 a1 3b a276 4b f9 ac e3 84 32 c8 6d 9e 0f 72 f2 ef 6b a3 7c 9f 76 30 6e fc bb e7 781f 8d56 ad b3 41 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 61 66 66 69 63 20b4 76 d4 d5 07 36 d3 7a 2a ed 25 98 2a 10 6e ec 8c 28 f357ef65 198c b6 1d e4 a1 3b a276 4b f9 ac e3 84 32 c8 6d 9e 0f 72 f2 ef 6b a3 7c 9f 76 30 6e fc bb e7 781f 8d56 ad b3 41 output (32 octets):06 bd cc 2f 05 32 35 23 70 af 13 71 84 d5 66 31 4a cb 81 bb e1 d2 98 02 f5 78 ef80 e0 c6 f8 6e 1e43e2 f6 dd b3 ea 30 a7 fc 7226 3522 3b 9f ed 27 55 5c 8d 41 f5 8f b2 db bd 4c 0d 09 {server} derive secret "tls13 s hs traffic": PRK (32 octets):f4 58 19 79 77 70 fb 25 ec e8 ec 054c ce3a 97 3e76 5f ac c330 47 00 5c 29 fd f8 b0 3d15 26 36 dc 39 a9 12 ad 99 3573 ba75 ff f1 bf 21 55 3b8b 6d7a bd 5e 49 f3 76 fa 39 d6 hash (32 octets):b4 76 d4 d5 07 36 d3 7a 2a ed 25 98 2a 10 6e ec 8c 28 f357ef65 198c b6 1d e4 a1 3b a276 4b f9 ac e3 84 32 c8 6d 9e 0f 72 f2 ef 6b a3 7c 9f 76 30 6e fc bb e7 781f 8d56 ad b3 41 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 61 66 66 69 63 20b4 76 d4 d5 07 36 d3 7a 2a ed 25 98 2a 10 6e ec 8c 28 f357ef65 198c b6 1d e4 a1 3b a276 4b f9 ac e3 84 32 c8 6d 9e 0f 72 f2 ef 6b a3 7c 9f 76 30 6e fc bb e7 781f 8d56 ad b3 41 output (32 octets):bb 5b 26 0b 1a b5 ab eb 1b28 a9 36 51 09 57 b3 70 7b c7 72 bd be 0a f2 2363 39 ad c3 90 39 1e dc 93 38 80 54 eb 6bd9 71 d8 36 69 d687 79 d1 38 40 61 f7f0 b8 b7 4f 34 89 85 d4 f1 35 {server} derive secret for master "tls13 derived": PRK (32 octets):f4 58 19 79 77 70 fb 25 ec e8 ec 054c ce3a 97 3e76 5f ac c330 47 00 5c 29 fd f8 b0 3d15 26 36 dc 39 a9 12 ad 99 3573 ba75 ff f1 bf 21 55 3b8b 6d7a bd 5e 49 f3 76 fa 39 d6 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets):30 5e e3 40 d4 47 efc2 13 d7 c8 ea f2 1c bc 9d 09 fa 15 85 c4 27 ac 96 c3 18 32 5c d3 3c 95 93 4f 6d e8 f9 2826 2a b4 9f 3a f7 b0 2c e2 ff db c1 25 fb da 8a 36 45 f4 6f 79 04 e650 e3 {server} extract secret "master": salt (32 octets):30 5e e3 40 d4 47 efc2 13 d7 c8 ea f2 1c bc 9d 09 fa 15 85 c4 27 ac 96 c3 18 32 5c d3 3c 95 93 4f 6d e8 f9 2826 2a b4 9f 3a f7 b0 2c e2 ff db c1 25 fb da 8a 36 45 f4 6f 79 04 e650 e3 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets):c5 e8 54 45 75 ea 22 fb 0b 25 bc d1 72 1c c7 56 ed64 949c f7 7c 56 d4 24 b6 d2 eb d3 4b a7 4c eecc e1 de 53 33 83 e4 0f 2b fd 9e 2e bb 7e ba 59 9b f6 5d 22 f1 28 2e 61 14 ca 73 74 76 aa {server} send handshake record: payload (90 octets): 02 00 00 56 03 03d8 ef 9b d4 2a f5 87 b5 27 30 bd c6 67 4a 66 bf e4 04 1a 57 ef dee1 6b 86 5e 76 5e 84 ba 47 b4 2d f2 62 e3 8e 2d e6 1e 95 e3 75 3b ad fd 98 76 5c 62 98 4f63 9c c2 4c 22 f9 e9 77 7728 d3 00 13 01 00 00 2e 00 33 00 24 00 1d 00 20c5 4d 65 0c e2 52 6e 90 24 f2 a3 68 9e 3b 82 58 87 e5 82 b6 c0 e6 07 75 dd a0 bd 2f 8a 5b 6d 53c3 ec 4f 42 40 70 ce 83 c7 91 fa 32 8f e9 ae 00 96 ab fc cc 15 b9 aa ec eb f6 0b f4 8f 0b 0f 2e 00 2b 00 02 7f 1c ciphertext (95 octets): 16 03 03 00 5a 02 00 00 56 03 03d8 ef 9b d4 2a f5 87 b5 27 30 bd c6 67 4a 66 bf e4 04 1a 57 ef dee1 6b 86 5e 76 5e 84 ba 47 b4 2d f2 62 e3 8e 2d e6 1e 95 e3 75 3b ad fd 98 76 5c 62 98 4f63 9c c2 4c 22 f9 e9 77 7728 d3 00 13 01 00 00 2e 00 33 00 24 00 1d 00 20c5 4d 65 0c e2 52 6e 90 24 f2 a3 68 9e 3b 82 58 87 e5 82 b6 c0 e6 07 75 dd a0 bd 2f 8a 5b 6d 53c3 ec 4f 42 40 70 ce 83 c7 91 fa 32 8f e9 ae 00 96 ab fc cc 15 b9 aa ec eb f6 0b f4 8f 0b 0f 2e 00 2b 00 02 7f 1c {server} derive write traffic keys for handshake data: PRK (32 octets):bb 5b 26 0b 1a b5 ab eb 1b28 a9 36 51 09 57 b3 70 7b c7 72 bd be 0a f2 2363 39 ad c3 90 39 1e dc 93 38 80 54 eb 6bd9 71 d8 36 69 d687 79 d1 38 40 61 f7f0 b8 b7 4f 34 89 85 d4 f1 35 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):44 f7 bd 7a d2 f2 13 b2 947bc7 29 be 6f b7 c412 04 e6 6d 4a cf 2d a4 da 5d 45 7e e9 97 34 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):38 29 95 dc ff fc c2 32 16 86 39 752b 44 e2 11 46 6b 55 23 7a 3a 47 82 {server} send a EncryptedExtensions handshake message {server} send a CertificateRequest handshake message {server} send a Certificate handshake message {server} send a CertificateVerify handshake message {server} calculate finished "tls13 finished": PRK (32 octets):bb 5b 26 0b 1a b5 ab eb 1b28 a9 36 51 09 57 b3 70 7b c7 72 bd be 0a f2 2363 39 ad c3 90 39 1e dc 93 38 80 54 eb 6bd9 71 d8 36 69 d687 79 d1 38 40 61 f7f0 b8 b7 4f 34 89 85 d4 f1 35 hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets):c7 6805 6f 63 21 21 b2 14 cd 48 f9 33 92 7b 7f 8f d7 6e f6 09 703c 8c 1f 97 a6 f7 6c e1 62 ac 22 08 c4 d4 72 f3 eb 2d 72 71 1c 0f8e 2fb7 36 de 45 3e b9dc 19 2c 2b 7b e3 eb 2b ce ed {server} send a Finished handshake message {server} send handshake record: payload(510(512 octets): 08 00 00 1e 00 1c 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 0d 00 00 27 00 00 24 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 0b 00 01 3b 00 00 01 37 00 01 32 30 82 01 2e 30 81 d5 a0 03 02 01 02 02 01 07 30 0a 06 08 2a 86 48 ce 3d 04 03 02 30 13 31 11 30 0f 06 03 55 04 03 13 08 65 63 64 73 61 32 35 36 30 1e 17 0d 31 36 30 37 33 30 30 31 32 34 30 30 5a 17 0d 32 36 30 37 33 30 30 31 32 34 30 30 5a 30 13 31 11 30 0f 06 03 55 04 03 13 08 65 63 64 73 61 32 35 36 30 59 30 13 06 07 2a 86 48 ce 3d 02 01 06 08 2a 86 48 ce 3d 03 01 07 03 42 00 04 08 d5 30 16 15 75 f4 cf e7 f1 54 ee 34 48 18 00 86 00 1e 88 43 1a 79 ee 62 ee 6e 2f 83 ef 38 ba 61 e9 fb 37 f3 4e 00 7a 7d f4 d2 f5 b5 6d 1f 04 ec e4 5d 62 1f 46 84 06 f5 c3 a1 51 58 94 8d d0 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 07 80 30 0a 06 08 2a 86 48 ce 3d 04 03 02 03 48 00 30 45 02 21 00 df 30 fd 45 07 f5 ed d2 2c 1a 6f f8 6d b4 79 ca 69 3f ee ca 3b 71 b3 f9 ef 55 6b 29 37 c0 59 4d 02 20 62 e2 a4 72 50 d3 20 fe a8 3c 7e 2d cb 5b 76 a5 0e 02 00 c0 9a db d1 3f ee 94 6e 51 3e 01 1d 11 00 00 0f 00 004a4c 04 03 004648 304446 0220 30 e4 bf a4 27 2e fb 5c 47 f7 a8 95 68 62 1921 00 a9 92 34 f1 075ddf ae ab bb 5c a859 00f1 a183 51 88 a7 dc 81 04 7e f8 18 40 02 20 7f af cb1e a4 dd e9ab db 07 6d 0d b8 ed 0e fe 2c 90 17 47 3d a6 994e c4 3c 9f c2 4fe7 4013 9f d9 85 02 0f ef 5b 37 02 2115 e8 3e d300 88 2a c7 01 dc a9 a3 c2 4d dc 5d 83 9904 3c 7f98 9d e2 bd da f1 cf 3f 4c f5 09 85 8b 19 63 b9 0e a0 98 14 00 00 20ab a1 88 14 12b5 66 19 91 b8 78 02 73 5d ea 1f 4a b1 c9 639b 3b 55 a5c39b a4 57 c0 7f 44 92 b7 64 74 0c 52 6d 57 9e 83 98 40 5b ec 1c39 50 38 fc c7 e3 5e c4 86 2b 18 6e 89 2a 65 6f ciphertext(532(534 octets): 17 03 03 020f11 e7f9 f2 8e 34 e1 1e 5c 23 32 3394 8e43 43 e3 2f e5 17 0e 24 cf d2 64 45 c3 58 79 45 3d 2a 55 40 45 0fbf 77 b7 00 e8 65 c8 9073 32a4 4a c7 f8 13 ed 92 eb 98 bf fc 81 3f 17 f3 b67b 7a 87 36 bd 32 29 39 c9 47 e81c 18 ff5c 3a bb 07 ac b8 95 91 4e 0e 3e 2e 2e 3d 0e bb65 ba 73 71b9 31 58 5f 10 6c 5b b7 f9 c7 8d 86 91 76 5c1f e9 cb 00 bc 6a 527a bb 61 04 12 97 9a c3 6d 63 22 cd e6 a4f9 5a 6438 c5 a902 3c acb0 d1 96 15 4d a1 ec fe f3 d8 1c 41 c9 9b 39 6a df 7f 47 b5 2902 7a 68 0c 2e 0972 b6 e4a6 27 59 dc 2b 29 e9 a3 5a c173 94 af0506 f1 41 376a 5b 80 ae c1b1 91 7c a5bd c6 56 be a1 93 dc c1 5a 4a e2 65 0f 99 e2 55 94 87 83 78 0d 3e c2 e2 98 22 f8 51 b8 95 bc 3d e9 51 65 2b f2 de 1f f1e4 da 3a 61 8b ea a8 6311 c580 4e 1e 2860 54 7c b5 64 17 74 ce2d f7 c4 3f 47 c4 6d c40a 61 66 c1 fa c0 60 3e 80f248 1b02 9a 62 b8 8a 57 58 8a 6d 67 8e 8d 3f 7f79 e2 47 77 24 c6 76 daf4 cf 16 18 b6 4d eb db fc 09 88 eb 40 92ea10 bb 0e ec 14 8f 62 46 47 03 f1 15 5061 2b 73 e6 36 34 0f 35 8d77 05 5d 42 df de 74 42 7e f6 89 c7 a6 5f ff 1c bf0b 31 ad 2a a12c 5e fa 2c41 51 b1 e377 3d bf f2 a1 ea 2f92 b9 39 4b 281da5 59 d0 ce 23 79 cd 71 ad bd e9 d3 5a b0 3e 7e 8cbe 97 83 41 e8 1d 4c f0 81 01 7b 00 b2 1d 13 36 29 7c 99 19 6a 55 f9 c6 2f 78 04 dc fef1 a2 e1 09 a3 20ee 03c6 77 9c dd 9c 34ab 7b 52 5f 6a 67 f64b c8 64 54 b4 db a2 37 1c 02 33 05 c6 7c eddc cf d3 32 af 0c e6 86 3e eb 0c b8 e3 2b f1 6a 24 84 ad 1dc6de 4e3ab3 ad 78 43 04 fc d2 62 65 b4 ef 5f ac d6 6e 2181 b8 48 84 33 96 8730 b25c 41 6d 97 52 60 ab 5a 84 d8 c4 da f9 8f 53 b498 06 fdc4 db 2c 62 65 f3 93 79 ee 57 4c 75e5 e1 a9 e8 9e55 eb c3 7d 15 81 c4 70 7b 93 e1 ef b2 c1 06 cf 73 7d 40 46 e6 7b 9bfa b4 52 9e 01 7c 04 72 21 d8 99 77 d3 cc 2522 a2 96 1d d5 50 44 1b 1e 5f d9 0e 59 c6 0d b1be 85 5c ae e1 bcf8 5de8 20 9a 37fd 9d cc 29 52 55 42 a3 e9 1b 96 23 6c 8d 80 1c 0c 6f e7 3e 7f e2 4f 7a 39 42 75c9 79 2c 78 00 a77b 6f62 c2 24 b8 90 9c ff66 1b 76 cb d6 b6 05 5c ed 9e 19 8d d3 39 20 bd 31 3b 46 28 94d7 c8 38 f4 d9 5e 2c58 9d ff f7 6c 2a 90 4c 42 68 ec a6d2 6e 8e ae 0f 0c 7b ac f3 85 1c 31 1f b1 fd 0c 19 72 80 61da c0 8f43 c5 ed ba b52c d1 d8 34 0a a1 d36d 50 59 cb 7a e5 04 f4 cc 2d 42 f9 81 83 eb eb a6 e329 3c 24 c7 9a 1a 7035 d6 bd 4563 3e 4e e4 7b c2 48 b5 a6 79 97 09 57 ab fc64 f3 50 ef 15 6e 7e e054 ab 15 27 d3 19 2d 3f e8 b8 ef ce0d d6 c8 9e 23 0b aa6b 5c e2 03 4e b0 2f 65 ee 8b e1 71 a7 4a 25 07 81 40 74 5433 5b 46 0c fd 04 3b 21 cc a2 66 725e af 76 6d 5e ea 0e 26 89 64 54 9a 6e bd f5 57 c1 65 bc 2a e5 7a 65 af 5e 65 e4 4f 68 2cc6 4b 920a 84 d2 6f 29 74 b5 6e 6e f2 ee 1c 1b 8d 50 64 d7 dd 08 0a 9b e2 95 6c 14 61 e86730 20 29 ee 4c 92 d9 99 00 8e 10 72 42a9fa 04 5167 c7 88 4d fb 61 f8 88 90 4f 73 1e f8 3c 52 4d f9 27 18 86 06 89 8b ea e5 2ded 3e 38 b2 87 c8 8898 d10e bb a3 be 63 a3 10 fd de c4 7d 6f 2f ab cb 66 b4 1f 1d 4f c4 8829 2e 39 fa 15 73 7f f2 85 43 59 b092 54 e2 8f 3e 54 06 ce 1d 5c 86 31 bc eb c3 17 20 {server} derive secret "tls13 c ap traffic": PRK (32 octets):c5 e8 54 45 75 ea 22 fb 0b 25 bc d1 72 1c c7 56 ed64 949c f7 7c 56 d4 24 b6 d2 eb d3 4b a7 4c eecc e1 de 53 33 83 e4 0f 2b fd 9e 2e bb 7e ba 59 9b f6 5d 22 f1 28 2e 61 14 ca 73 74 76 aa hash (32 octets):eb b3 96 15 37 1e 46 21 1d 85 43 f4 0b c5 05 b8 80 16 8c 02cb 60 d5 fb 22 6a d3d8 37 ca 46 58 5a 19 98 b0 34 560e fc 47 ce 35 e3 3f 9a 66 59 6a e0 62 ee 1f 1a cc 95 8f 40 02 9d 23 0e df info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 61 66 66 69 63 20eb b3 96 15 37 1e 46 21 1d 85 43 f4 0b c5 05 b8 80 16 8c 02cb 60 d5 fb 22 6a d3d8 37 ca 46 58 5a 19 98 b0 34 560e fc 47 ce 35 e3 3f 9a 66 59 6a e0 62 ee 1f 1a cc 95 8f 40 02 9d 23 0e df output (32 octets):a7 95 27 3b d4f3 15 86 72 b5 85 df 78 19 1e 40 82 60 f7 9c 20 42 3f76 6c 34 b0 dd 5efd 5f a7 20 1d de 0a 28 87 92 ad 5712c7 9dcb 6a 62 53 d4 25 39 69 f8 43 fc 64 db fb 4d e8 d1{server} derive secret "tls13 s ap traffic": PRK (32 octets):c5 e8 54 45 75 ea 22 fb 0b 25 bc d1 72 1c c7 56 ed64 949c f7 7c 56 d4 24 b6 d2 eb d3 4b a7 4c eecc e1 de 53 33 83 e4 0f 2b fd 9e 2e bb 7e ba 59 9b f6 5d 22 f1 28 2e 61 14 ca 73 74 76 aa hash (32 octets):eb b3 96 15 37 1e 46 21 1d 85 43 f4 0b c5 05 b8 80 16 8c 02cb 60 d5 fb 22 6a d3d8 37 ca 46 58 5a 19 98 b0 34 560e fc 47 ce 35 e3 3f 9a 66 59 6a e0 62 ee 1f 1a cc 95 8f 40 02 9d 23 0e df info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 61 66 66 69 63 20eb b3 96 15 37 1e 46 21 1d 85 43 f4 0b c5 05 b8 80 16 8c 02cb 60 d5 fb 22 6a d3d8 37 ca 46 58 5a 19 98 b0 34 560e fc 47 ce 35 e3 3f 9a 66 59 6a e0 62 ee 1f 1a cc 95 8f 40 02 9d 23 0e df output (32 octets):92 e7 e7 04 3b 35 7d 6c a6 ca ba 36 0e f1 4f b9 c6 f8 0b f2 f4 b4 26 f2 e5 8d 62ac 6b c7 af 48 49 1d 9d c2 43 9679 b7 41 aa50 39 5d 90 1e 5b a8 20 5c 2b 83 d4 70 0a d9 a0 ce 68 8e 77 3e {server} derive secret "tls13 exp master": PRK (32 octets):c5 e8 54 45 75 ea 22 fb 0b 25 bc d1 72 1c c7 56 ed64 949c f7 7c 56 d4 24 b6 d2 eb d3 4b a7 4c eecc e1 de 53 33 83 e4 0f 2b fd 9e 2e bb 7e ba 59 9b f6 5d 22 f1 28 2e 61 14 ca 73 74 76 aa hash (32 octets):eb b3 96 15 37 1e 46 21 1d 85 43 f4 0b c5 05 b8 80 16 8c 02cb 60 d5 fb 22 6a d3d8 37 ca 46 58 5a 19 98 b0 34 560e fc 47 ce 35 e3 3f 9a 66 59 6a e0 62 ee 1f 1a cc 95 8f 40 02 9d 23 0e df info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 74 65 72 20eb b3 96 15 37 1e 46 21 1d 85 43 f4 0b c5 05 b8 80 16 8c 02cb 60 d5 fb 22 6a d3d8 37 ca 46 58 5a 19 98 b0 34 560e fc 47 ce 35 e3 3f 9a 66 59 6a e0 62 ee 1f 1a cc 95 8f 40 02 9d 23 0e df output (32 octets):ae a4 f5 ae fb fd 28 fd 24 34 e1 75 96 b2 98 21 65 bc fd db cb 01 8f 22 8149 d1 b4 ea 60 2f1d70 7c 8f 42 26 b7 47 53 64 53 9e d2 68 e7 bc 38 a6 b7 41 ed dc 99 82 1ed9 37 08 ac61 b9 {server} derive write traffic keys for application data: PRK (32 octets):92 e7 e7 04 3b 35 7d 6c a6 ca ba 36 0e f1 4f b9 c6 f8 0b f2 f4 b4 26 f2 e5 8d 62ac 6b c7 af 48 49 1d 9d c2 43 9679 b7 41 aa50 39 5d 90 1e 5b a8 20 5c 2b 83 d4 70 0a d9 a0 ce 68 8e 77 3e key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):b5 02 c5 17 59 fd 20 90 ef 80 f0 b6 d5 3d 1d 06d9 97 d8 a3 91 e7 d4 a3 9e ab 6f 92 58 8a 4b b0 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):19 46 48 8e ca 45 0f 53 3b eb 593e 38 3a 26 9e c2 af 30 4e bb 67 55 {server} derive read traffic keys for handshake data: PRK (32 octets):06 bd cc 2f 05 32 35 23 70 af 13 71 84 d5 66 31 4a cb 81 bb e1 d2 98 02 f5 78 ef80 e0 c6 f8 6e 1e43e2 f6 dd b3 ea 30 a7 fc 7226 3522 3b 9f ed 27 55 5c 8d 41 f5 8f b2 db bd 4c 0d 09 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):72 ff0f 26 6c ef49 b3 34 ca dc c9 bf ec ee ae 2f 7e d54e a6 b6 37 11 64 5d a5 43 f8 30 41 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):6b 89 8b 86 fe 32 91 19 81 ef 9f 03ed 85 15 18 dd 0d 97 5e d7 70 a4 79 {client} extract secret "early": salt: (absent) ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a {client} derive secret for handshake "tls13 derived": PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba {client} extract secret "handshake": salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba ikm (32 octets):49 a2 14 3a 0c 4b 7ca1 74 df 38 d7 a4e9 c1 3a 6f 64 93 88 ec 4d 34 87 b5 dc d028 b6 2e 99 80 83 00 c6 8c e5 5a 89 1a 80 74 d9 f0 99 56 78 eb 55 6837 bd 5c 41 23 a2 e0 1e 5bfe c5 07 secret (32 octets):f4 58 19 79 77 70 fb 25 ec e8 ec 054c ce3a 97 3e76 5f ac c330 47 00 5c 29 fd f8 b0 3d15 26 36 dc 39 a9 12 ad 99 3573 ba75 ff f1 bf 21 55 3b8b 6d7a bd 5e 49 f3 76 fa 39 d6 {client} derive secret "tls13 c hs traffic" (same as server) {client} derive secret "tls13 s hs traffic" (same as server) {client} derive secret for master "tls13 derived" (same as server) {client} extract secret "master" (same as server) {client} derive read traffic keys for handshake data: PRK (32 octets):bb 5b 26 0b 1a b5 ab eb 1b28 a9 36 51 09 57 b3 70 7b c7 72 bd be 0a f2 2363 39 ad c3 90 39 1e dc 93 38 80 54 eb 6bd9 71 d8 36 69 d687 79 d1 38 40 61 f7f0 b8 b7 4f 34 89 85 d4 f1 35 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):44 f7 bd 7a d2 f2 13 b2 947bc7 29 be 6f b7 c412 04 e6 6d 4a cf 2d a4 da 5d 45 7e e9 97 34 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):38 29 95 dc ff fc c2 32 16 86 39 752b 44 e2 11 46 6b 55 23 7a 3a 47 82 {client} calculate finished "tls13 finished" (same as server) {client} derive secret "tls13 c ap traffic" (same as server) {client} derive secret "tls13 s ap traffic" (same as server) {client} derive secret "tls13 exp master" (same as server) {client} derive write traffic keys for handshake data (same as server read traffic keys) {client} derive read traffic keys for application data (same as server write traffic keys) {client} send a Certificate handshake message {client} send a CertificateVerify handshake message {client} calculate finished "tls13 finished": PRK (32 octets):06 bd cc 2f 05 32 35 23 70 af 13 71 84 d5 66 31 4a cb 81 bb e1 d2 98 02 f5 78 ef80 e0 c6 f8 6e 1e43e2 f6 dd b3 ea 30 a7 fc 7226 3522 3b 9f ed 27 55 5c 8d 41 f5 8f b2 db bd 4c 0d 09 hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets):87 1c e8 63 61 9c 37 09 02 b2 fc aa 08 16 68 dbb8 55 e7 3a ba 6f 0fc5 32 8b8e 02 45 0a 15 be c7 96 d8 47 8c 75 ae 7e 00 bc3f 0e df 74 66 01 e3 ad e7 d205 b1 45 39 a2 ed 9b 68 a5 {client} send a Finished handshake message {client} send handshake record: payload (623 octets): 0b 00 01 bf 00 00 01 bb 00 01 b6 30 82 01 b2 30 82 01 1b a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 11 31 0f 30 0d 06 03 55 04 03 13 06 63 6c 69 65 6e 74 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 11 31 0f 30 0d 06 03 55 04 03 13 06 63 6c 69 65 6e 74 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 c3 81 75 e0 04 a6 8d 09 3f 82 3b 9c 37 9d 20 1f bc 0b b7 a1 c7 91 90 5e 3f bf 76 84 7e 44 e7 51 eb bc d3 60 bd 94 5c 81 e5 22 2b cc 88 46 d3 a8 a0 f9 3e 9b f5 be ba bd 92 ed f1 de 1f f1 90 21 70 3e 7a b6 c0 90 15 13 f9 7e 39 b1 11 f0 9c 93 48 97 1c 7b 21 19 84 a7 54 cd 45 fe 09 5a f0 ea 42 36 82 9b cc f7 a7 fe 9b 28 88 e7 8a b4 77 69 0a 5b 9e 1c cb e9 1c 6a 4a 0f 97 a7 e0 28 42 01 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 07 80 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 1a 7a 5a 01 85 32 b0 22 af 07 67 d4 86 16 0c ff 2d 16 7a 19 15 d2 38 35 b5 45 94 91 6d c6 80 be 5d 2e 62 60 76 c5 d5 27 22 eb cc 77 5d 7d 99 f9 80 be 2f c9 4d 34 ac f6 cc 00 ba 90 cb cf b0 60 8a a1 e7 e3 97 1e f0 c0 7a 41 d4 7a d8 34 5d 1f 81 fe 41 8a 1c f4 10 54 42 9f d2 17 bd 77 7d c1 cf 08 f0 5d f9 07 99 c6 59 36 1e 0f 1a 8e e4 ac 0f 78 97 42 0b db c8 23 da 80 a2 f2 ba 23 08 1c 00 00 0f 00 00 84 08 04 00 80 0b de ba ae 67 e8 1c 4f 30 0d 83 1b 21 b4 8c72 81 c7 26 a8f3 cb2ebf 81 af be 3e17 d1 22 7f 3ab2 0b dc 44 e8 83 7b ed cf 85 8f 8d 0e c0 5677 69 f4 31 a0 9c e1 3729 f2 ba 93 26 00 7a a5 f918 83 11 6c 53 4c d2 09 89 40 27 9b a9 1d dc d7 17 7f 71 70 59 43 1b d6 c5 0bbc 24 39 b3 d8 41 60 8e bf df f3 87 d8 60 a9 777f 55 6d28 53 25 65 2fbf e4 8d c4 b9 6c 6b 5f bd cb 4c 57 5a 58 88 98 c6 e1 48 ef 5f af dd 2c 1f ee61 a4 64 13 d2 e3 8c a3 39 d1 70 a7 5e fc 2a 83 6e 91 19 ad 14 17 16 13 2d 3c 0e a53f 56 72 f0 aa b4 1f 9a 22 cb3c ce c3 c2 32 ad 13 b3 fae4 e0 8b 29 5b67 09 80 1499 c4 71 a8 6a 86 65 55 92 f0 f6 a0 43 d3 fd48 58 aa 84 d2 b5 e0 050e 7b b4 b7 6f 9f 26 76 c7 12 9adf 25 b6 78 07 73 59 88 91 b6 56 04 14 00 00 2034 ef 9a 48 bb 59 75 19 12 14 15 7f 60 73 9f 40 9a a4 f0 0b 68 b7 9e 1d ee d2 91 e545 88 6e 7d 4d 30 f1 3d 16 30 a7 cf 54 51 37 be fa db 8e 8e b4 f4 c1 08 c1 69 4b cf 0976 32 df45 9f 17 ciphertext (645 octets): 17 03 03 02 80bd 53 8f 8a 51 8e 53 29 91 44 38 97 42 f7 be 7c e8 d5 cc bc dc4f 18 6c 35 497e 99 7e fb eb 45 60 ae 3f64 14 72 cd a8 6a 17 ea 94 2e ac dd 1f cb b9 3e 73 49 21 c1 a9 63 5c 86 32 8e 85 9f ff a3 acab 2f 07 82 53 1a 3a ed 15 9b 74 88410492 6a 3a cb 7b c6 3a 66 dc95 9b 90 63 7d 8c f5 a6 24 25 d5 f3 b7 164f 66 68 65 576b b3 c0 13 99 92 62 0bfe 0a d0 f3 94 1f 07 98 45 95 b9 7c 91ee 02 fa 02 32 3c 8c 3e c9 e6 a6d1cc 3b 4a e1 37 94 38fd 43 df 76 23 36 0a dac9 17 39 8d c9 5c 33 94 19 f756 5b 44 fc a1 2d fa a2 99 f6 64 55 cf 1c 86 24 54 70 d9 b7 b4c0 a8 4e 04 73 af 06 50 4d dc e9 df 3d 7e5b 8a b5a5 3e dd 17 8d 2a 4f 83 c9 2f fa d2 3e 8c 28 a6 17 94 f3ff 6c 65 d5 6e 8e c845 96 b1 77 0e c5 b4 ec 1f a4 0a 068ce0 40 61 dc 80 1b d0 d3ee 82 e8 ff 6c 8b 2c de e3 cd 65 a7d0 73 10 0d c6 e7 42 7d aa 0c 9b 8d 2f 4e 16 c4 e4 3c 84 16 22a6 5c 58 07 b4ae e1 5e c7 e3 3ad7 cb c1b6 4f 74ed 857e 8982 e1 7d 8a 58 75 99 f885 3d 9a 5e 36 96ae ef 84 41 71 95 35 7e d2 6c 86 9dad 26 08 b6 88 1f cc2c 03 ee ae 50 d6 33 6a 27a7 39 aafa 299a ce c4 73d4 05 51 c3 ef 6c c3 f7d96a 09 32 dd f2 50 22 a3 2b 64 36 ac 4a 1a a1 59 7f a6 10 83 da 75 d2 47 39 b0 0d 10 d3 45 2e e3 0d 92 f4 f573 4e 5b87 fc f0 c3 cf 43 2d 3c 8e 4b 4f 6d 4d df 45 e1 24d904 73 01 87 90 b2 a0 09 91 e0 0a 5c 41 75 99 23 d8 9d c7 6c cd ba 5730 4a a5 6b 06 1c befc a3 84 df 91 d9 b1 67 c1 70 58 b8 ad 7b 4a 92 8d 6f 2a fe 68 f9 7a 82 e3 50 2a 63 48 1b 50 cf 7b 11 e5 ce 21 65 4a f0 b50f 3f 20 3a1e 13 aa fe 1f fc 02 f4 0e a0 d1 a4 64 cb bf 4d 99 91 2c 27 f4 d8 0f ca62ad aa e7 8c 1d fc 56 5c da 59 e6 74 1a 27 aa 82 c2 4f 04 767d 9d 2b 7c dc00 65 19 4f 62 a5 7cce 9d 05 df ec 43 dc a6 9a d4 2d2b 79 1e 57 4c 56 70 c5 82 f57a 09 3d 0a e0 b6 e0 a9 40 dc 0e dc 04 27dd 33 3f 36 83 ed d8 97 11 57 94 d0 78 6e 4e 25 8cae fe f8 ec 26 8f 29 5c 9ccc76 3e 38 f2 f1 e16c 75 e9 3d 33 ee c4 dd 61 7fd6 14 17 b663 35 e0 aabc 31 a1 94eb d5 08 8c 24 d6 ad 03 15 8a b9 8e bb 0b96 1e ba 3e 85 cd 58 23 fa e7 28 99 9d ec f1 b0 7c3a b1 cca4 72 94 88 f1 c7 d1 ab e2d4 03 41 2a 5688 17 ad 19 4f 71 f5 16 cc 30 28 fa 6e0a 38a1 8f 40 e3 bf 68 41 88 84 c6 94eb b6 69 53 05 9b 93 e0 c1 d3 ad 81 5f 3c 00 3f e4 5ade5f 0751 b0 ab fe 09 d5 1d 4e 3b d9c1 fd 71 7b 29 95b5 50 b5 da 84 61 79 30 a5 98 89 1981 56 99 8e 91 95 7f 6c c0 ed 13 84 c9 59 3d2c b22b 7e 7a 4f 67 2e aa f0 ad db 58 10 a0 0c 27 0c 25 56 55 dd 38 d3 90 18 5f 96ec d9 1be8 1e ea fa 16 c7 02 9c 95 9c 4a e9 bb 1e b6 fc b5 22 a1 b6 75 17 2e 4c 02 5c 31 57 a6cd d1 09 1c ff d8 d9 1475 6e b378 1a 43 3e e7 67 03ee e3 9e 6a ef 59 32 97 f1 6b 8f 19ca ed 45 d5 83 de 8b 66 b3 49 3e df 82 bc d9 14 ba ce68 59 e3 0a 83 0622 2a 3b 34 de 7f 1c a4 85 7b 9c 9d 19 72 b9 7a a8 26 34 01 be db 19 3b 20 1d f8 dc 336f e3e9 d6 a6 b8 b0 bc be d3 02 36 08 9a 19 7d 18 8f 21 a0b5 4f 87 aa 72ec 42 7e 5a b8b5 52 76 58 e5 ea 6e 11 c1 72 17 02 6a ae 623c 4c 2e 84 ad 88b7 f8 91ff9a cc 40 d9 1d 50 ae c2 cb b8 3f cf 1b 51 96 3c 08 57 9fb1 68 69 a3 69 63 0d a6 5b f507 b6 e2 04 e4 a2 c0 36 48 64 1c 1d 0d bb e8 62 8b bc 61 b6 0c 7a 22 4a6c 92 fa fc 7d 3f b3 00 7e dc88 11 39 f7 0c 58 47 1b 3b 54 4d 0d 3a b77b 55 82 9f 06 ac 49 9f 6a 9b 2a 26 9d a0ef27 67 29 c9 37 84 db6d0c 81 e7 d6 2a e6 8a d5 c5 6a db 21 40 a1 1a 6ab7 fd 8b 3a 4b 10 24 54 c8 08 c2 cd 95 ed8c 35 e7 9f ab 13 5d 37 79 d9 9e 9f 8e a4 58 c7 7f 9f 15 f1 53 7c 4c 16 25 fb f3 d7 6c d1 a2 d9 e5 39a0 93 62 84 8f e3 0d 63 1f 3426 70 9b 69 32 33 2d 66 76 c4 e6 71 0a 73f3 cf 8e 4a 6d 49 aa f6 2c 64 d81e e5 57 c4 39 81 99 7d 89 74 c2 51 b4 d5 4f 4b cd bc 61 a8 fc c4 a0 d3 ba a6 c0 a6 0a8d 1c 70 d4 {client} derive write traffic keys for application data: PRK (32 octets):a7 95 27 3b d4f3 15 86 72 b5 85 df 78 19 1e 40 82 60 f7 9c 20 42 3f76 6c 34 b0 dd 5efd 5f a7 20 1d de 0a 28 87 92 ad 5712c7 9dcb 6a 62 53 d4 25 39 69 f8 43 fc 64 db fb 4d e8 d1key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):99 a9 9b 02 57 00 7a b1 61 ba cf 9d e9 80 30 5b5f 75 27 06 1e 34 51 95 77 55 81 e4 ea 5a 1d 62 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):4a f0 6c c7 ce bef1 59 e4 60 d3 df 3c 5e 2b d7 bcff e2 0d 0d9e {client} derive secret "tls13 res master": PRK (32 octets):c5 e8 54 45 75 ea 22 fb 0b 25 bc d1 72 1c c7 56 ed64 949c f7 7c 56 d4 24 b6 d2 eb d3 4b a7 4c eecc e1 de 53 33 83 e4 0f 2b fd 9e 2e bb 7e ba 59 9b f6 5d 22 f1 28 2e 61 14 ca 73 74 76 aa hash (32 octets):52 fc a8 f6 61 6c 96 7faa 82 ed e5 08 e5 40 e0 d5 ee 0e93 42 dd ab67 69 89 c0 8c 66 01 a5 e5 c3 b4 fe 34 31 7903 1d 64 cf 07 e3 56 f4 75 13 33 1c 37 05 61 9471 ce 9bff69 4b e6 info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 74 65 72 2052 fc a8 f6 61 6c 96 7faa 82 ed e5 08 e5 40 e0 d5 ee 0e93 42 dd ab67 69 89 c0 8c 66 01 a5 e5 c3 b4 fe 34 31 7903 1d 64 cf 07 e3 56 f4 75 13 33 1c 37 05 61 9471 ce 9bff69 4b e6 output (32 octets):8b 90 6f 3a d8 2dba9254 7d 20 f6b9 ad 03 7f 71 e3 f4 70 eb13 f6 8e f2 11 96 e4 c6 89 f463 68 7a36 24 db ac 5c 2c92 ec ee ca 3a20 f4 2252 be aff6 a8 39 e2 80 a1 8e 7d {server} calculate finished "tls13 finished" (same as client) {server} derive read traffic keys for application data (same as client write traffic keys) {server} derive secret "tls13 res master" (same as client) {client} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 1343 c0 93 e4 62 a8c5 1d 97 36 4e 8d 186c fe a7 1e 94 46 ff ba bd e7 3bbe 9e 79 eb a9 7b 85 3f 3b 34 d6 01 {server} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 138e d0 6a 3a 56 ab b0 fb 05 04 ed 3b 3f f9 1d 8c79 be 79 28 e0 e0 62 2e 48 e8 bc 9f 09 9377 8eac 02 98 b9 f6 7. Compatibility Mode This example shows use of the handshake with the client requesting that the server use compatibility mode as defined in Appendix D.4 of [TLS13]. {client} create an ephemeral x25519 key pair: private key (32 octets):90 d4 67 c3 48 e3 d2 4d 7e bb 3d d0 4c 46 169a16 bb 64 ec 6c d3 4d 56 45 ee ac 7c 2f 02 c9 b571 27 21 33 44 89 32 c6 de c0 d4 39 a6 e2 94 09 22 79 c6 f7 bf d5 89 33 14 b4 a7 70 18 3e 37 public key (32 octets):17 6f 7c 2d 12 36 9d 89 37 4c ae 31 9c 3655 34ca 43 0f 82 d6 89 60 90 9b ef3a 1d87 ad 1e 9d 32 328d 02 64 b0 78 f1 6d 70 39 f6 9b c9 4e a9 f2 ee 26 f3 51 91 6d 37 d9 73 aa 38 79 03 {client} send a ClientHello handshake message {client} send handshake record: payload (218 octets): 01 00 00 d6 03 0354 dd 27 fd c8 0f93 ee 06 65 40 d4 cf 08 fa e8 b4 86ea09 f8 f5 29 d0 64 f2 bc 65 28 ab a7d3 79 873a 40 4673 58 44 60 31 0f 38 aa ec 8f e9 3d 6c 32 b8 c0 0b e1 9c0c 82 0d 86 cd 20ae 8b b2 af 77ed db e1 46 860c f6 9d 70 e9 70 b65a 2981 c5 2531 2b 13 c7 4d 5665 9d 47 33 c2 ab e8 54 86 3e fe 09 ea4e 43 6c 3c a0 92 4e b3 db 86 2d 67 a7 ed f9 7b 88 0e db 00 06 13 01 13 03 13 02 01 00 00 87 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00 26 00 24 00 1d 00 2017 6f 7c 2d 12 36 9d 89 37 4c ae 31 9c 3655 34ca 43 0f 82 d6 89 60 90 9b ef3a 1d87 ad 1e 9d 32 328d 02 64 b0 78 f1 6d 70 39 f6 9b c9 4e a9 f2 ee 26 f3 51 91 6d 37 d9 73 aa 38 79 03 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 ciphertext (223 octets): 16 03 01 00 da 01 00 00 d6 03 0354 dd 27 fd c8 0f93 ee 06 65 40 d4 cf 08 fa e8 b4 86ea09 f8 f5 29 d0 64 f2 bc 65 28 ab a7d3 79 873a 40 4673 58 44 60 31 0f 38 aa ec 8f e9 3d 6c 32 b8 c0 0b e1 9c0c 82 0d 86 cd 20ae 8b b2 af 77ed db e1 46 860c f6 9d 70 e9 70 b65a 2981 c5 2531 2b 13 c7 4d 5665 9d 47 33 c2 ab e8 54 86 3e fe 09 ea4e 43 6c 3c a0 92 4e b3 db 86 2d 67 a7 ed f9 7b 88 0e db 00 06 13 01 13 03 13 02 01 00 00 87 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00 26 00 24 00 1d 00 2017 6f 7c 2d 12 36 9d 89 37 4c ae 31 9c 3655 34ca 43 0f 82 d6 89 60 90 9b ef3a 1d87 ad 1e 9d 32 328d 02 64 b0 78 f1 6d 70 39 f6 9b c9 4e a9 f2 ee 26 f3 51 91 6d 37 d9 73 aa 38 79 03 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 {server} extract secret "early": salt: (absent) ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a {server} create an ephemeral x25519 key pair: private key (32 octets):50 16 8d 5c 6e 6c a8 2d 2a a3 35 ba ae c1 bd 59 f5 19 94 ee42 05 eb 84 23 9b 8c e9 4ad9 79 86 5b 3d fa dc 3c 71 aa18 f3 d6 22 4d 52 23 a5 1a 3d 56 74 18 c2 43 11 96 15 56 56 81 8b 35 public key (32 octets):37 69 88 a2 1d dd bc 38 a2 e6 fc de 82 33 7a ff e6 79 a3 9c3b ae b0 1c aa 0c 5c 3fe3 fb 5a 29 f9 5f 9f e8e5a006 3e 42 b2 6a f6 f5 ba 95 83 7d 54 29 3f 4d 9a 33 36 b9 9b 35 bd 05 {server} send a ServerHello handshake message {server} send handshake record: payload (122 octets): 02 00 00 76 03 0321 c5 c5 ee bb d5 fc 32 cd 26 52 41 8e 6d 51 4b da df d0 51 e5 d4 37 e0 bf 0c 0a 315a 34 53 70 5a ec 8d30 a4 b7 20 ae 8b b2 af 776f 89 e7 1f 60 d2 860c f6 9d 706d 82 3d e970 b664 f1 00 1e c1 20 32 f8 00 c0 16 0d e6 a8 20 ed db e1 46 86 5a 2981 c5 2531 2b 13 c7 4d 5665 9d 47 33 c2 ab e8 54 86 3e fe 09 ea4e 43 6c 3c a0 92 4e b3 db 86 2d 67 a7 ed f9 7b 88 0e db 13 01 00 00 2e 00 33 00 24 00 1d 00 2037 69 88 a2 1d dd bc 38 a2 e6 fc de 82 33 7a ff e6 79 a3 9c3b ae b0 1c aa 0c 5c 3fe3 fb 5a 29 f9 5f 9f e8e5a006 3e 42 b2 6a f6 f5 ba 95 83 7d 54 29 3f 4d 9a 33 36 b9 9b 35 bd 05 00 2b 00 02 7f 1c ciphertext (127 octets): 16 03 03 00 7a 02 00 00 76 03 0321 c5 c5 ee bb d5 fc 32 cd 26 52 41 8e 6d 51 4b da df d0 51 e5 d4 37 e0 bf 0c 0a 315a 34 53 70 5a ec 8d30 a4 b7 20 ae 8b b2 af 776f 89 e7 1f 60 d2 860c f6 9d 706d 82 3d e970 b664 f1 00 1e c1 20 32 f8 00 c0 16 0d e6 a8 20 ed db e1 46 86 5a 2981 c5 2531 2b 13 c7 4d 5665 9d 47 33 c2 ab e8 54 86 3e fe 09 ea4e 43 6c 3c a0 92 4e b3 db 86 2d 67 a7 ed f9 7b 88 0e db 13 01 00 00 2e 00 33 00 24 00 1d 00 2037 69 88 a2 1d dd bc 38 a2 e6 fc de 82 33 7a ff e6 79 a3 9c3b ae b0 1c aa 0c 5c 3fe3 fb 5a 29 f9 5f 9f e8e5a006 3e 42 b2 6a f6 f5 ba 95 83 7d 54 29 3f 4d 9a 33 36 b9 9b 35 bd 05 00 2b 00 02 7f 1c {server} send change_cipher_spec record: payload (1 octets): 01 ciphertext (6 octets): 14 03 03 00 01 01 {server} derive secret for handshake "tls13 derived": PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba {server} extract secret "handshake": salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba ikm (32 octets):18 5a df 44 30 f3 14 a49f 52 3e a8 87 a404 47 0e 5d d5 45 35 b3 cb46 5a 4fb7 9f 75 da 58 b616 49 f9 faf7 e2 cf1f b1 60 84 f4 ae ff 99 e4 55 ca 1c 41 bb f03608 3f 5d 0d secret (32 octets):50 9a 53 59 61 77 d3 24 94 53 e7 bf ac fe 6e 6d 1d be 83 7e d6 bd ab 06 d2e4 41 f1 02 2b 79 40 f1 65 d0 b8 d897 59 33 b9 07 d9a9 5a 6b e5 48 4d 1b bf 68 93 b4 3d e6 f8 08 56 8f 2c e4 85 {server} derive secret "tls13 c hs traffic": PRK (32 octets):50 9a 53 59 61 77 d3 24 94 53 e7 bf ac fe 6e 6d 1d be 83 7e d6 bd ab 06 d2e4 41 f1 02 2b 79 40 f1 65 d0 b8 d897 59 33 b9 07 d9a9 5a 6b e5 48 4d 1b bf 68 93 b4 3d e6 f8 08 56 8f 2c e4 85 hash (32 octets):b3 8d da d9 ff b9 64 09 bb de 07 05 47 b4 c6 94 cc b7 9b 4a ed a1 71 a4 6f 09 2d 7963 9d 32 6e 5c ad 8c 4d aefb e718 bf 2f 4c ce bb 55 4c be ae 3d 4e 88 a8 1e cf 3e 44 db 33 08 81 dd info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 61 66 66 69 63 20b3 8d da d9 ff b9 64 09 bb de 07 05 47 b4 c6 94 cc b7 9b 4a ed a1 71 a4 6f 09 2d 7963 9d 32 6e 5c ad 8c 4d aefb e718 bf 2f 4coutput (32 octets): 4bce bb 55 4cd4 8c 4f 39 9c 05 77 bd 73 11 5b b5 12 f1 afbe ae 3d 4e3c 65 fa da 60 d5 24 6b88 a8 1e cf 3e6444 db 33 08 81 dd output (32 octets): 00 0f 13 8f 78 2f 68 a0 95 23 56 27 e0 bf 6d 89 ca 95 33 9a 43 83 b57d c5 ecf0 a1 54 e5 d3 1b ae dd bf {server} derive secret "tls13 s hs traffic": PRK (32 octets):50 9a 53 59 61 77 d3 24 94 53 e7 bf ac fe 6e 6d 1d be 83 7e d6 bd ab 06 d2e4 41 f1 02 2b 79 40 f1 65 d0 b8 d897 59 33 b9 07 d9a9 5a 6b e5 48 4d 1b bf 68 93 b4 3d e6 f8 08 56 8f 2c e4 85 hash (32 octets):b3 8d da d9 ff b9 64 09 bb de 07 05 47 b4 c6 94 cc b7 9b 4a ed a1 71 a4 6f 09 2d 7963 9d 32 6e 5c ad 8c 4d aefb e718 bf 2f 4c ce bb 55 4c be ae 3d 4e 88 a8 1e cf 3e 44 db 33 08 81 dd info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 61 66 66 69 63 20b3 8d da d9 ff b9 64 09 bb de 07 05 47 b4 c6 94 cc b7 9b 4a ed a1 71 a4 6f 09 2d 7963 9d 32 6e 5c ad 8c 4d aefb e718 bf 2f 4c ce bb 55 4c be ae 3d 4e 88 a8 1e cf 3e 44 db 33 08 81 dd output (32 octets):2c e0 bf ee 1c 9c bf 77 3a69 c6 07 a1 9b 25 3c 20 09 b8 21 7b bf ac 40b1 4b 14 a0 8c 65 de ee 09 4a bc db 0f 01 8a 1d 50 33 1f 30 cd55 99 57 97 b2 26 a1 87 8f 45 c8 92 a1 00 32 60 10 {server} derive secret for master "tls13 derived": PRK (32 octets):50 9a 53 59 61 77 d3 24 94 53 e7 bf ac fe 6e 6d 1d be 83 7e d6 bd ab 06 d2e4 41 f1 02 2b 79 40 f1 65 d0 b8 d897 59 33 b9 07 d9a9 5a 6b e5 48 4d 1b bf 68 93 b4 3d e6 f8 08 56 8f 2c e4 85 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets):42 60 f458 bc75 60 30 9b de 2754 77 72 3179 f9 2c 94 f1 13 e3 10 02 fb ba b3 b3 17 98 a3 05 04 10 e2 33e8 db 87 75 4a 9d bd ed d4 c1 1d b9 4e ea 7e cd 20 f0 16 4e e8 bb 6d 61 40 a7 {server} extract secret "master": salt (32 octets):42 60 f458 bc75 60 30 9b de 2754 77 72 3179 f9 2c 94 f1 13 e3 10 02 fb ba b3 b3 17 98 a3 05 04 10 e2 33e8 db 87 75 4a 9d bd ed d4 c1 1d b9 4e ea 7e cd 20 f0 16 4e e8 bb 6d 61 40 a7 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets):6a c7 28 bf 27 30 55 d8 24 4f 71 01 07ea 35 3f 3a 81 83 26 4b fe11 91 ec63 23 b2 97 bb 3047 c0 e9 86 14 aa d5 2f 51 62 27 7f 00 7b10 09 b2 da d6 a7 f8 25 40 17 1f 37 57 cf 7a d1 a4 {server} derive write traffic keys for handshake data: PRK (32 octets):2c e0 bf ee 1c 9c bf 77 3a69 c6 07 a1 9b 25 3c 20 09 b8 21 7b bf ac 40b1 4b 14 a0 8c 65 de ee 09 4a bc db 0f 01 8a 1d 50 33 1f 30 cd55 99 57 97 b2 26 a1 87 8f 45 c8 92 a1 00 32 60 10 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):1e f6 3e cc 95 0c e3 96 b0 11 16 ad 52 35 3f f187 7d a8 47 c3 41 75 bb 28 cb d2 8d 0d 02 e9 98 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):73 ab 6b 2d c5 8a 11 fd 05 70 4a ce9c 82 74 92 f8 a5 87 6a 42 85 42 55 {server} send a EncryptedExtensions handshake message {server} send a Certificate handshake message {server} send a CertificateVerify handshake message {server} calculate finished "tls13 finished": PRK (32 octets):2c e0 bf ee 1c 9c bf 77 3a69 c6 07 a1 9b 25 3c 20 09 b8 21 7b bf ac 40b1 4b 14 a0 8c 65 de ee 09 4a bc db 0f 01 8a 1d 50 33 1f 30 cd55 99 57 97 b2 26 a1 87 8f 45 c8 92 a1 00 32 60 10 hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets):37 10 db 07 3f 25 97 e5 f6 0f cb 4b 14dfbb ff 45 1e 50 c4 af 44 24 c2 6b 04b8 1d 7b e3 86 4f f9 93 fd 55 87 e1 27 f7 1d f5 cd 12 19 a0 c7 77 d7 01 ee ba f7 f1de 1f 14 410a 46 98 {server} send a Finished handshake message {server} send handshake record: payload (651 octets): 08 00 00 1e 00 1c 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 96 12 29 ac 91 87 b4 2b 4d e1 00 00 0f 00 00 84 08 04 00 80 38 58c8 c3 2b e7 b4 d2 a7 42 2b f3 32 1d 0b dc 63 4c68 8e54 7e 12 0e 57 f8 90 ac 3c 2b 93 b1 c9 9d 36 4b 9a 599ead7b 4e e9 95 84 b2 b0 36 c6 01 b0 f4cb10 1750 22 2f 65ce 41 da 33 a6 40 4a 61aa b6 b6 89 10 15 eb 6b 273d 5c 40 b5 64 f1 e6 20 fa c0 f7 d5 4c21 72 4a df 97 f0 00 ff 03 de 8f 14 24 53 28 5f26 c9 7f f3 d9 a5 26 b44b 7e 65 96 7c ea 58 74 3e a1 cb 7a 28 62 d0 18 12 64 6b ffa0 5004 9e 5b e1 eaf1 16 40 d6 e7 1f ec cc 07 e6 06 98 ba 60 5dc3 50 ed 7e 53 a458 d2 6a 20 d6 6c 385d d3 f006 7d 65 c9 c6 78 41 18 10 c5 28 f4 a6 76 8b aadc e40f df ca 98 f4 fb 47 29 0e f5 a6 3e cd a3 70 a3 bcec 9d 64 8f 82 0d e1 3d da e4 2f 9f 96 209c 79 55 17 08 4a 86 e2 93 02 66 32 45 8d f4 ea 7b dc b8 2d f7 d5 9e 14 00 00 20ed 0a 13bc 28 ae 92 94 56 be 73 73 cf b0 58 e3 ba e0 70 f0 52 e2 57 0d 2e 77 dc 07 2b 7e 85 52 23 5fe8 fb 5b 43 aa aa 7b ab 9e 46 34 63 64 11 0a 1b 25 33 75 ab fc 6d ea 46 ef 91 c0c5 ciphertext (673 octets): 17 03 03 02 9c1e 4e 15 9f 57 8e 9d 1d 73 88 13 e5 1b e1 89 ea 1c 80 1b 85 ab bc2a 03 4f0d 52 92 7f aa 30 6c 04 e6 7f a8 02 ab 0282 98 74 ce 19 68 3856 18 aa 0e b3 d1 af a0bd 4a 5a 8462 ec f3 a0 041f 5f ed 01 22 3e d0 a5f2 dc 51 be 25 10 8f dd d6 38 92 04 88 3a 396d 12 e5 9c 73 11 60 75 5b a2 6f 31 27 e1 b7 eb bdf1 0d bbc8 f7 7c 01 d5 be de5f 33 4a64 92 bc f4 c5bf 11 8586 a9 85 a3 89 dec0 38 2d cf 00 b2 69 135a 7b 4f 8afe 27 28 37e3 49 0cc1f8 95 0e b6 ec d1 a9 02 3a 98 27 1a 5e fc f8 dd e9 cc 52 8e 9a3d 58 12 4c b18e 33 99be b9 7c a0 a8 a9 ab af 01 c2 38 f2 9c 457f 51 52 13 14 b530 28 f8 d8 d2 2a 49 0b d8 2c f2 53 3a 76 72 4dc5 c1 19 07 67d8 a7 2a b0 fb 94 53 63 fb 92 4f 8c a5 e1 32 e6 b3 3c8f 99 0c 59 b2 01 fe 58 81 e8 5c 75 fa a1 8529 4b 1297 7c 1e cc b6 1c69 8d df 37 52 ec f3 bc b9f9 7f 92 83 bb b901 3726 f4 02 06 dc ef 51 e3 2b e3 0f b6 ae c4 9e 1d db c3 af d0 fb 9f 1b aa 73 4a a3 7c a0 94 a3 bf b5 7e d3ad 0ddd 61 1c 16 e2 87 8c 0a f2 be fd04 52 2c 27 1e 63 23 11 37 93 a5 c7 36 ee fa65 b3 e4 ff f8 e7 4c 08 f8 b273 a4 79 c3 d8 b0 07 2d 0c 39 d976 4f f7 fd 83 df d6 7d 00 01 52 b8 64 1f 7d 1bea c3 2f 02 15 be 4563 bb e5 00 16 5f 05 08 8e 72 43 04 5b 23 e8 91 76 8b 73 146e 83 c8 d3 37 c8 27 e7 f026 05d4 83 a8 46 ef 6c c82c 12 90 1a13 ed 52 88 d1 69 4e c177 2f f5 27 b6 54 b5 bd 38 ae 76 ae a27f fb 6211 f2 a8 70 b9 47 5a 6f d3 dd 8f c7 a2 12 b6 10 a5 4e e0 e0 10 58 c593 ab 1ece 0b 43 dfdc 8c 6f 0c ec 57 34 7a e8 81 abe0 5a 21 74 17ab a9 49 b4 f5 1a 0b 61 49 09 00 ff 92 16 bd b2 26 99 5b 54 9c 8d 5d 19 31 a0 11 de 06 bf 75 0f 8c 1c 5424 33 ce a4 d0 a1 c6 e5 e5 8b4b0f f2 50 ed 5c b0 90 e1 63 33 e6 c7 a7 9c d7 34 3f cf 9c e7 99 dc 32 12 e1 bb 002d 9a 76 7e 7b 66 77 f6 4bd2 a0 3f 34 90 85 0b d0 67 37 0a 1d 10 cb d8 e7a5 ce 3c 55 5e 7b 8b c6 ed e8 72 f5 d9 6a fa c0 50 e9 a0 2c 80 1a 0f 15 12 4a 46 42 aa 89 cc77 0c 3a d0e5 fe b6 70 a907 2d aa 9b 8d 76 ec 78 97 47 23 56 bc 68dd db 31 7b fc e9 db 82 9f 63 d4 5a bf30 06 13 43 05 6f 6b e61a f9 56 d1 b333 c6ea 8d fe 17 3be8 bf 13d3 db 6900 78 21 ef 17 6b a2 47 4b 3d e1 e8 bd 1e 89 c9 46 75 99 6c 47 387b 54 23 f21e 68 6e 7f 78d2 d7 49c2 e19e 2e 61e8 4d 71 16 d3 c5 b4 a6 08 d4 d1 fc 58 33 62 bc f685 b6 e6 57 40 8f 9930 4e ab 91 78 0a ac cb 30 f9 55 3ab51c 01 b45c 3c dc ed fd be9c e7 45 3e 08 1a 84 a0 85 94 ad 5e 6b 44b0 5f 6a dd 3a 5d e9 30 46 f2 af bb 30 ea0326 47 eb 7d b7 8a c4 6a 1c 54 52 e3 e9 39 69 82 ef 55 2e 69 cc a5 a7 9d 57 af 22 10 2f da 06 7d 2dc6 ed 93 bf be cd c0 d7 48f6 9a 91 5c 41 87 81 29 10 ece4 40 09 35 4c b47e 76 41 78 e0 ad cc 92bb 5c c7 b9 0c 10 07 00 04 a1 d0 d5 98 e1 42bc 9f3b e9 cd e7 37 30 cf b4 90 1a db 00 35 ee 1b ac44 53 54 09 10 b5 02 9d 79 e4 1f 87 d2 66 01 1656 5a ee 7f 1845 2b 38 b0 0f 97 a6 32 20 3034 cd 7f da 4d eb 13 14 90 71 e8 34 7d 4cd8 56 b8 0c f7 d72a f0dc70 fe 4d b8 d9 a2 df 00 35 c3 51 e6 2a ab 84 8e 8c 70 98 e1 36 99 4e 36 71 c5 61 a5 fd b7 79 27 75 59 23 32 35 3b 88 49 64 c3 c3 94 e7 21 32 33 62 88 3d cd 09 a1 46 19 1d 27 bd 2a 56 bd cf 9b 05 cf c4 fc 54 307d 2b1c c2 1c a2 28 27 ef 7b f3 f0 53 98 9b57 db 57 ad 29 3a5a 79 c3 62 7f 58 85f9 4f c2 659c 5e 03 1e 9f c4 9b 7f 9b c184 af d9 0b 85 a2 52 12 f52c 9b 38 8f de 57 1b 10 69 dd a1 b1 d6 d7 e4 94 e4 6c8c c8 29 c1 b7b8 d16d ce 0b 8b 48 26 44 2d 7924 93 0c f2 6f76 fb 1a 8d ff d3 06 96 cf 07 c8 c9584af5 42 e2 ef 9c 75 9b 0a 9c c0 e6 0b 74 a0 6e 7e f6 15 ef f9 19 95 3c bd 76 5e ba4c 86 4b f4 75 12 fb 8c a3 3f 8d94 14 bc 2a c5 2a 02 64 2d 961a 5b 66 68 d1 b5 ad c3 8f 16 aa 8b 87 91 be da 44 5c a4 89 8b 0b c8 c8 de 04 22 81 25 21 42 50 cf 49 f4 3d ce d2 28 f5 4c 01 d6 b2 e1 fa d719 d0 ac c6 e3 95 3350 e9 a3 69 1e ee fc af 8a 4c a3 66 45 92 0e 72 97 af 36 1e 01 27 0e d1 fe62 89 {server} derive secret "tls13 c ap traffic": PRK (32 octets):6a c7 28 bf 27 30 55 d8 24 4f 71 01 07ea 35 3f 3a 81 83 26 4b fe11 91 ec63 23 b2 97 bb 3047 c0 e9 86 14 aa d5 2f 51 62 27 7f 00 7b10 09 b2 da d6 a7 f8 25 40 17 1f 37 57 cf 7a d1 a4 hash (32 octets):9e4d 58 ee 58 f7 6b 48 18 cc 66 89 46 6188 ec d4 0e c8 d1 45 81 2f 15 70 04 59 47 bc 41 6a fc cf a8 ca 34 1a91 25 8f 4a76 01 f6 a7 39 cd42 e6 75 26 f3 55 e1 4c 3c 2f 54 87 d6 7e b0 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 61 66 66 69 63 209e4d 58 ee 58 f7 6b 48 18 cc 66 89 46 6188 ec d4 0e c8 d1 45 81 2f 15 70 04 59 47 bc 41 6a fc cf a8 ca 34 1a91 25 8f 4a76 01 f6 a7 39 cd42 e6 75 26 f3 55 e1 4c 3c 2f 54 87 d6 7e b0 output (32 octets):07 04 02 00 14 0c 44 d3 60 5a 53 0b 0d b2 ee e6 ad 5b ffa1 4a51a6 67 74 22 a7 8a 73 7c ad 36 29 c5 05 6420 df 10 95 d6 26 15 b5 3b be7c 87 e4 ed 21 91 65 41 68 bd 66 ea ce ed 6e 69 {server} derive secret "tls13 s ap traffic": PRK (32 octets):6a c7 28 bf 27 30 55 d8 24 4f 71 01 07ea 35 3f 3a 81 83 26 4b fe11 91 ec63 23 b2 97 bb 3047 c0 e9 86 14 aa d5 2f 51 62 27 7f 00 7b10 09 b2 da d6 a7 f8 25 40 17 1f 37 57 cf 7a d1 a4 hash (32 octets):9e4d 58 ee 58 f7 6b 48 18 cc 66 89 46 6188 ec d4 0e c8 d1 45 81 2f 15 70 04 59 47 bc 41 6a fc cf a8 ca 34 1a91 25 8f 4a76 01 f6 a7 39 cd42 e6 75 26 f3 55 e1 4c 3c 2f 54 87 d6 7e b0 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 61 66 66 69 63 209e4d 58 ee 58 f7 6b 48 18 cc 66 89 46 6188 ec d4 0e c8 d1 45 81 2f 15 70 04 59 47 bc 41 6a fc cf a8 ca 34 1a91 25 8f 4a76 01 f6 a7 39 cd42 e6 75 26 f3 55 e1 4c 3c 2f 54 87 d6 7e b0 output (32 octets):a1 16 af 52 37 f0 00 ca 95 4a 76 f0 bf 59 78 2d db 81 45 9ec1 2e 61 d3 35 07 b5f0 36 eb 72 10 ed 9eaa b2 ab6c 23 36be 90 b9 83 9e 1f d7 6e 18 67 1c 7b 7c 37 4a a5 d5 92 ef ce 05 67 {server} derive secret "tls13 exp master": PRK (32 octets):6a c7 28 bf 27 30 55 d8 24 4f 71 01 07ea 35 3f 3a 81 83 26 4b fe11 91 ec63 23 b2 97 bb 3047 c0 e9 86 14 aa d5 2f 51 62 27 7f 00 7b10 09 b2 da d6 a7 f8 25 40 17 1f 37 57 cf 7a d1 a4 hash (32 octets):9e4d 58 ee 58 f7 6b 48 18 cc 66 89 46 6188 ec d4 0e c8 d1 45 81 2f 15 70 04 59 47 bc 41 6a fc cf a8 ca 34 1a91 25 8f 4a76 01 f6 a7 39 cd42 e6 75 26 f3 55 e1 4c 3c 2f 54 87 d6 7e b0 info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 74 65 72 209e4d 58 ee 58 f7 6b 48 18 cc 66 89 46 6188 ec d4 0e c8 d1 45 81 2f 15 70 04 59 47 bc 41 6a fc cf a8 ca 34 1a91 25 8f 4a76 01 f6 a7 39 cd42 e6 75 26 f3 55 e1 4c 3c 2f 54 87 d6 7e b0 output (32 octets):a6 e6 ca 68 ff 08 6289 a9 80 32 78 0a 83 03 97 d2 5b 01 22 a3 a1 d3 40 9c 17 d4 0e f8 fe 4a 3bca de 3d 27 35 95 eb ae 49 93 aa e4 7d c1 d8 cf 2f 1d 12 e9 d8 ee90 915eb5 c2 72 29 c9 {server} derive write traffic keys for application data: PRK (32 octets):a1 16 af 52 37 f0 00 ca 95 4a 76 f0 bf 59 78 2d db 81 45 9ec1 2e 61 d3 35 07 b5f0 36 eb 72 10 ed 9eaa b2 ab6c 23 36be 90 b9 83 9e 1f d7 6e 18 67 1c 7b 7c 37 4a a5 d5 92 ef ce 05 67 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):b2 1c 13 11 a2 57 45 a0 c1 d8 de 68 c7 ce 7a dca7 52 9a 38 6b 50 bf 52 04 44 bf 07 bc 6f 2c 5f iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):d1 7b 34 2a f3 32 e9 90 1f 42 44 4338 d0 dc f9 0a d6 63 89 a7 bf 36 31 {server} derive read traffic keys for handshake data: PRK (32 octets):4b 4c d4 8c 4f 39 9c 05 77 bd 73 11 5b b5 12 f1 af 4e 3c 65 fa da 60 d5 24 6b 3e 6400 0f 13 8f 78 2f 68 a0 95 23 56 27 e0 bf 6d 89 ca 95 33 9a 43 83 b57d c5 ecf0 a1 54 e5 d3 1b ae dd bf key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):cc 08 24 4c 19 61 00 74 6d 6e bd e5 6f ee e9 014b 0e 0b e7 86 ab 5c 8f a3 7c b4 c4 b7 12 ed 67 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):c0 52 e0 7a ce 1d 8e 0f af aa f1 a90c 9b b3 47 89 4e 14 37 3d 9e 0d b3 {client} extract secret "early": salt: (absent) ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a {client} derive secret for handshake "tls13 derived": PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba {client} extract secret "handshake": salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba ikm (32 octets):18 5a df 44 30 f3 14 a49f 52 3e a8 87 a404 47 0e 5d d5 45 35 b3 cb46 5a 4fb7 9f 75 da 58 b616 49 f9 faf7 e2 cf1f b1 60 84 f4 ae ff 99 e4 55 ca 1c 41 bb f03608 3f 5d 0d secret (32 octets):50 9a 53 59 61 77 d3 24 94 53 e7 bf ac fe 6e 6d 1d be 83 7e d6 bd ab 06 d2e4 41 f1 02 2b 79 40 f1 65 d0 b8 d897 59 33 b9 07 d9a9 5a 6b e5 48 4d 1b bf 68 93 b4 3d e6 f8 08 56 8f 2c e4 85 {client} derive secret "tls13 c hs traffic" (same as server) {client} derive secret "tls13 s hs traffic" (same as server) {client} derive secret for master "tls13 derived" (same as server) {client} extract secret "master" (same as server) {client} derive read traffic keys for handshake data: PRK (32 octets):2c e0 bf ee 1c 9c bf 77 3a69 c6 07 a1 9b 25 3c 20 09 b8 21 7b bf ac 40b1 4b 14 a0 8c 65 de ee 09 4a bc db 0f 01 8a 1d 50 33 1f 30 cd55 99 57 97 b2 26 a1 87 8f 45 c8 92 a1 00 32 60 10 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):1e f6 3e cc 95 0c e3 96 b0 11 16 ad 52 35 3f f187 7d a8 47 c3 41 75 bb 28 cb d2 8d 0d 02 e9 98 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):73 ab 6b 2d c5 8a 11 fd 05 70 4a ce9c 82 74 92 f8 a5 87 6a 42 85 42 55 {client} calculate finished "tls13 finished" (same as server) {client} derive secret "tls13 c ap traffic" (same as server) {client} derive secret "tls13 s ap traffic" (same as server) {client} derive secret "tls13 exp master" (same as server) {client} send change_cipher_spec record: payload (1 octets): 01 ciphertext (6 octets): 14 03 03 00 01 01 {client} derive write traffic keys for handshake data (same as server read traffic keys) {client} derive read traffic keys for application data (same as server write traffic keys) {client} calculate finished "tls13 finished": PRK (32 octets):4b 4c d4 8c 4f 39 9c 05 77 bd 73 11 5b b5 12 f1 af 4e 3c 65 fa da 60 d5 24 6b 3e 6400 0f 13 8f 78 2f 68 a0 95 23 56 27 e0 bf 6d 89 ca 95 33 9a 43 83 b57d c5 ecf0 a1 54 e5 d3 1b ae dd bf hash (0 octets): (empty) info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 64 00 output (32 octets):00 f1 67 b7 01 24 2f d4 77 08 23 d6 4b a7 f5 09a9 dd b3 5b 53 e6 8e b1 c0 87 d8 b0 a3 4c 68 40 be 0e8b 93 bd 24c8 b9 7a 71 7c 47 09 e7 c3 79 7e 13 9dbd 4d 1d 2f 6c 75 e3 4d 68 4a8b {client} send a Finished handshake message {client} send handshake record: payload (36 octets): 14 00 00 209c dd a7 08 0e f0 6b ce 6c 90 bb d0 03 1e 1b c8 82 1a 64 70 ea 2a13 a4 3b 47 05 72 8b 46 ef ed 3e 61d6 d8 42 b1 51 a6 1cc6 66 85 d1 3c b4 44 47 352c28 fb 9f 04 c6 5f 1f ce 68 df 4b ciphertext (58 octets): 17 03 03 00 35df 43 9f 06 1c 68 4c 3c 96 08 9b 15 58 8c 8d bf af 32 67 a3 d0 83 60fe d4 a2 5e db 44 ef aeb1 d1 59 ce 92 85 f7 4e 91 b7 91 7b4d7a 1d9d a9 11 d7 86 65 13 31 c5 a2 80 fd d0 79 09 8a d67d cf 8b 8c fe 4c afc9 8d aa a5 4f fb 40 22 4f d7 5a 5da9 58 b4 a97e 53 dd 1d c8 9c f3 28 2e 97 fb 84 88 be 19 {client} derive write traffic keys for application data: PRK (32 octets):07 04 02 00 14 0c 44 d3 60 5a 53 0b 0d b2 ee e6 ad 5b ffa1 4a51a6 67 74 22 a7 8a 73 7c ad 36 29 c5 05 6420 df 10 95 d6 26 15 b5 3b be7c 87 e4 ed 21 91 65 41 68 bd 66 ea ce ed 6e 69 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key output (16 octets):f01f 78 66 90 72a4 38 13 be 60 17 99 b4 c1 21 2c 45 2883 c6 18 41 da f0 04 8c 12 9a e6 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv output (12 octets):47 c6 45 c2 e579 51 ad 9f 92 8f 1c04 f6 e9 21 f4 9945 fb 71 83 91 {client} derive secret "tls13 res master": PRK (32 octets):6a c7 28 bf 27 30 55 d8 24 4f 71 01 07ea 35 3f 3a 81 83 26 4b fe11 91 ec63 23 b2 97 bb 3047 c0 e9 86 14 aa d5 2f 51 62 27 7f 00 7b10 09 b2 da d6 a7 f8 25 40 17 1f 37 57 cf 7a d1 a4 hash (32 octets):7a 0a 30 81 19 4d bc f1 bd af c6 f4 02 a075 dd 85 3e d0 fe 62a2 b1 e3 3a c96eea 6f c3 22 62 c5 20 49 bf d7 1af3 5f b8 66 98 a2 28 73 26 df 91 48 cd 8e 34 67 f9 ae c4 b6 36 2e b3 68 info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 74 65 72 207a 0a 30 81 19 4d bc f1 bd af c6 f4 02 a075 dd 85 3e d0 fe 62a2 b1 e3 3a c96eea 6f c3 22 62 c5 20 49 bf d7 1af3 5f b8 66 98 a2 28 73 26 df 91 48 cd 8e 34 67 f9 ae c4 b6 36 2e b3 68 output (32 octets):69 5c b5 3a dd e2 0c 27 6b 9d 87 11 a8 df 03 6c cc7c 04 cebe 5c 82 ed ab 0c 3a 6c 5f 39 84 54 1e 77b7 db f9 f5 5e 8f 56 fa 0b d3 a4 d3 5e e1 c0 00 6f 2b ec cd 87 8e d9 65 c5 79 e5 20 c6 {server} calculate finished "tls13 finished" (same as client) {server} derive read traffic keys for application data (same as client write traffic keys) {server} derive secret "tls13 res master" (same as client) {client} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 1385 3c c0 b9 9c 64 e3 78 5c c8 53 b5 61 a128 16 c6 d8 c7 76 a7 a3 d9 6a b2 01 41 16 05 240f f6 35 7597 f2 b4 {server} send alert record: payload (2 octets): 01 00 ciphertext (24 octets): 17 03 03 00 132b cd 23 33 71 26 6e b4 bcce2d 27 56 f3 8f 37 15 ea 19d1 f4 91 1b 36 18 48 49 33 38 c6 79 60 b0 34 4c 0c 54 8. Security Considerations It probably isn't a good idea to use the private key here. If it weren't for the fact that it is too small to provide any meaningful security, it is now very well known. 9. IANA Considerations This document makes no requests of IANA. 10. References9.1.10.1. Normative References [TLS13] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", draft-ietf-tls-tls13-28 (work in progress), March 2018.9.2.10.2. Informative References [FIPS186] National Institute of Standards and Technology (NIST), "Digital Signature Standard (DSS)", NIST PUB 186-4 , July 2013. [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves for Security", RFC 7748, DOI 10.17487/RFC7748, January 2016, <https://www.rfc-editor.org/info/rfc7748>.9.3.10.3. URIs [1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS Appendix A. Acknowledgements This draft is generated using tests that were written for NSS [1]. None of this would have been possible without Franziskus Kiefer, Eric Rescorla and Tim Taubert, who did a lot of the work in NSS. Author's Address Martin Thomson Mozilla Email: martin.thomson@gmail.com