idnits 2.17.1

draft-ietf-tls-tls13-vectors-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (December 4, 2017) is 2335 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  -- Looks like a reference, but probably isn't: '1' on line 2011

  == Outdated reference: A later version (-28) exists of
     draft-ietf-tls-tls13-22

     Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2   TLS                                                           M. Thomson
3   Internet-Draft                                                   Mozilla
4   Intended status: Standards Track                        December 4, 2017
5   Expires: June 7, 2018

7                     Example Handshake Traces for TLS 1.3
8                       draft-ietf-tls-tls13-vectors-03

10  Abstract

12     Examples of TLS 1.3 handshakes are shown.  Private keys and inputs
13     are provided so that these handshakes might be reproduced.
14     Intermediate values, including secrets, traffic keys and ivs are
15     shown so that implementations might be checked incrementally against
16     these values.

18  Status of This Memo

20     This Internet-Draft is submitted in full conformance with the
21     provisions of BCP 78 and BCP 79.

23     Internet-Drafts are working documents of the Internet Engineering
24     Task Force (IETF).  Note that other groups may also distribute
25     working documents as Internet-Drafts.  The list of current Internet-
26     Drafts is at https://datatracker.ietf.org/drafts/current/.

28     Internet-Drafts are draft documents valid for a maximum of six months
29     and may be updated, replaced, or obsoleted by other documents at any
30     time.  It is inappropriate to use Internet-Drafts as reference
31     material or to cite them other than as "work in progress."

33     This Internet-Draft will expire on June 7, 2018.

35  Copyright Notice

37     Copyright (c) 2017 IETF Trust and the persons identified as the
38     document authors.  All rights reserved.

40     This document is subject to BCP 78 and the IETF Trust's Legal
41     Provisions Relating to IETF Documents
42     (https://trustee.ietf.org/license-info) in effect on the date of
43     publication of this document.  Please review these documents
44     carefully, as they describe your rights and restrictions with respect
45     to this document.  Code Components extracted from this document must
46     include Simplified BSD License text as described in Section 4.e of
47     the Trust Legal Provisions and are provided without warranty as
48     described in the Simplified BSD License.

50  Table of Contents

52     1.  Introduction
53     2.  Private Keys
54     3.  Simple 1-RTT Handshake
55     4.  Resumed 0-RTT Handshake
56     5.  HelloRetryRequest
57     6.  Client Authentication
58     7.  Security Considerations
59     8.  References
60       8.1.  Normative References
61       8.2.  Informative References
62     Appendix A.  Acknowledgements
63     Author's Address

65  1.  Introduction

67     TLS 1.3 [I-D.ietf-tls-tls13] defines a new key schedule and a number
68     of new cryptographic operations.  This document includes sample
69     handshakes that show all intermediate values.  This allows an
70     implementation to be verified incrementally, examining inputs and
71     outputs of each cryptographic computation independently.

73     Private keys are included with the traces so that implementations can
74     be checked by importing these values and verifying that the same
75     outputs are produced.

77  2.  Private Keys

79     Ephemeral private keys are shown as they are generated in the traces.
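Added example, not part of the draft: Python (standard library only) that applies the incremental check described in the Introduction to the first key-schedule steps of the Section 3 trace, feeding every step the inputs printed in the trace so that one wrong computation does not hide the next. It assumes SHA-256 (the trace's secrets are 32 octets) and the label encoding visible in the trace's "info" fields; the function names and the TRACE dictionary are illustrative, and the hex values are copied from the Section 3 trace.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size          # 32 octets, matching the trace's secrets
ZEROS = bytes(HASH_LEN)                # the all-zero ikm shown in the trace
EMPTY_HASH = HASH(b"").digest()        # the e3 b0 c4 42 ... "hash" field


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869); an absent salt means Hash.length zero octets."""
    return hmac.new(salt or ZEROS, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_label(label: str, context: bytes, length: int = HASH_LEN) -> bytes:
    """Encode the structure the trace prints as "info":
    uint16 length, length-prefixed "tls13 " + label, length-prefixed context."""
    full = b"tls13 " + label.encode("ascii")
    return (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)


def hkdf_expand_label(secret: bytes, label: str, context: bytes,
                      length: int = HASH_LEN) -> bytes:
    """The trace's PRK is `secret`, its "hash" field is `context`."""
    return hkdf_expand(secret, hkdf_label(label, context, length), length)


# Values copied from the Section 3 trace (server side).
TRACE = {
    "early": bytes.fromhex("33ad0a1c607ec03b09e6cd9893680ce2"
                           "10adf300aa1f2660e1b22e10f170f92a"),
    "derived_hs": bytes.fromhex("6f2615a108c702c5678f54fc9dbab697"
                                "16c076189c48250cebeac3576c3611ba"),
    "ecdhe_ikm": bytes.fromhex("61d34aadf25e223a2ce6fb59f8a0f9d1"
                               "d75f1887dfb06c0ffff8476dc3c50f47"),
    "handshake": bytes.fromhex("7907c28234f16ca871a46beb25da547f"
                               "dc8aab96d14eeff80f5b12f9ad8ac9d6"),
    "derived_master": bytes.fromhex("445097b3094b9ce835af72025d0fd380"
                                    "ae2bae880608f6b2b9924292eb0471d1"),
    "master": bytes.fromhex("23073768ca0944efded6a1fd173e7a1f"
                            "a751b21b6bf207661cb294bc29f449c7"),
}


def check_section3_trace() -> dict:
    """Recompute each step from the trace's own inputs and report, per step,
    whether the result equals the value printed in the trace."""
    t = TRACE
    return {
        "extract early":
            hkdf_extract(b"", ZEROS) == t["early"],
        "derive derived (handshake)":
            hkdf_expand_label(t["early"], "derived", EMPTY_HASH)
            == t["derived_hs"],
        "extract handshake":
            hkdf_extract(t["derived_hs"], t["ecdhe_ikm"]) == t["handshake"],
        "derive derived (master)":
            hkdf_expand_label(t["handshake"], "derived", EMPTY_HASH)
            == t["derived_master"],
        "extract master":
            hkdf_extract(t["derived_master"], ZEROS) == t["master"],
    }


if __name__ == "__main__":
    for step, ok in check_section3_trace().items():
        print(f"{'match   ' if ok else 'MISMATCH'}  {step}")
```

A step reported as a mismatch points at that single computation, because its inputs come from the trace rather than from the preceding step's output.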
81 The server in most examples uses an RSA certificate with a private 82 key of: 84 modulus (public): b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 85 0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab 86 bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 87 a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f 88 da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 89 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 90 3f 92 public exponent: 01 00 01 94 private exponent: 04 de a7 05 d4 3a 6e a7 20 9d d8 07 21 11 a8 3c 81 95 e3 22 a5 92 78 b3 34 80 64 1e af 7c 0a 69 85 b8 e3 1c 44 f6 de 62 96 e1 b4 c2 30 9f 61 26 e7 7b 7c 41 e9 23 31 4b bf a3 88 13 05 dc 12 97 17 f1 6c 81 9c e5 38 e9 22 f3 69 82 8d 0e 57 19 5d 8c 84 88 46 02 98 07 b2 fa a7 26 bc f7 08 bb d7 db 7f 67 9f 89 34 92 fc 2a 62 2e 08 99 97 0a ac 44 1c e4 e0 c3 08 8d f2 5a e6 79 23 3d f8 a3 bd a2 ff 99 100 41 102 prime1: e4 35 fb 7c c8 37 37 75 6d ac ea 96 ab 7f 59 a2 cc 10 69 db 103 7d eb 19 0e 17 e3 3a 53 2b 27 3f 30 a3 27 aa 0a aa bc 58 cd 67 46 104 6a f9 84 5f ad c6 75 fe 09 4a f9 2c 4b d1 f2 c1 bc 33 dd 2e 05 15 106 prime2: ca bd 3b c0 e0 43 86 64 c8 d4 cc 9f 99 97 7a 94 d9 bb fe ad 107 8e 43 87 0a ba e3 f7 eb 8b 4e 0e ee 8a f1 d9 b4 71 9b a6 19 6c f2 108 cb ba ee eb f8 b3 49 0a fe 9e 9f fa 74 a8 8a a5 1f c6 45 62 93 03 110 exponent1: 3f 57 34 5c 27 fe 1b 68 7e 6e 76 16 27 b7 8b 1b 82 64 33 111 dd 76 0f a0 be a6 a6 ac f3 94 90 aa 1b 47 cd a4 86 9d 68 f5 84 dd 112 5b 50 29 bd 32 09 3b 82 58 66 1f e7 15 02 5e 5d 70 a4 5a 08 d3 d3 113 19 115 exponent2: 18 3d a0 13 63 bd 2f 28 85 ca cb dc 99 64 bf 47 64 f1 51 116 76 36 f8 64 01 28 6f 71 89 3c 52 cc fe 40 a6 c2 3d 0d 08 6b 47 c6 117 fb 10 d8 fd 10 41 e0 4d ef 7e 9a 40 ce 95 7c 41 77 94 e1 04 12 d1 118 39 120 coefficient: 83 9c a9 a0 85 e4 28 6b 2c 90 e4 66 99 7a 2c 68 1f 21 121 33 9a a3 47 78 14 e4 de c1 18 33 05 0e d5 0d d1 3c c0 38 04 8a 43 122 c5 9b 2a cc 41 68 89 c0 37 66 5f e5 
af a6 05 96 9f 8c 01 df a5 ca 123 96 9d 125 3. Simple 1-RTT Handshake 127 In this example, the simplest possible handshake is completed. The 128 server is authenticated, but the client remains anonymous. After 129 connecting, a few application data octets are exchanged. The server 130 sends a session ticket that permits the use of 0-RTT in any resumed 131 session. 133 {client} create an ephemeral x25519 key pair: 135 private key (32 octets): b1 6a 3c 97 a7 19 0b ec c4 00 2a 2f be 136 80 40 b5 99 45 df 0b bd 0c e1 ba db f4 aa 6d 4f 0f a1 9e 138 public key (32 octets): 78 e5 89 74 13 f1 71 53 c7 0c f3 3f a3 4c 139 84 97 72 4b da b4 f5 7f 9d 01 c9 53 f5 88 f0 30 46 61 141 {client} send a ClientHello handshake message 143 {client} send handshake record: 145 payload (190 octets): 01 00 00 ba 03 03 c4 e2 ea b7 cc 4b bb 43 146 7d fa b4 7c a5 6a f8 a0 db 07 2b 90 e5 36 f9 c4 a4 9f ac 89 84 147 9c 10 b2 00 00 06 13 01 13 03 13 02 01 00 00 8b 00 00 00 0b 00 148 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 149 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 23 00 150 00 00 28 00 26 00 24 00 1d 00 20 78 e5 89 74 13 f1 71 53 c7 0c 151 f3 3f a3 4c 84 97 72 4b da b4 f5 7f 9d 01 c9 53 f5 88 f0 30 46 152 61 00 2b 00 03 02 7f 16 00 0d 00 20 00 1e 04 03 05 03 06 03 02 153 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 154 02 02 00 2d 00 02 01 01 156 ciphertext (195 octets): 16 03 01 00 be 01 00 00 ba 03 03 c4 e2 157 ea b7 cc 4b bb 43 7d fa b4 7c a5 6a f8 a0 db 07 2b 90 e5 36 f9 158 c4 a4 9f ac 89 84 9c 10 b2 00 00 06 13 01 13 03 13 02 01 00 00 159 8b 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 160 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 161 03 01 04 00 23 00 00 00 28 00 26 00 24 00 1d 00 20 78 e5 89 74 162 13 f1 71 53 c7 0c f3 3f a3 4c 84 97 72 4b da b4 f5 7f 9d 01 c9 163 53 f5 88 f0 30 46 61 00 2b 00 03 02 7f 16 00 0d 00 20 00 1e 04 164 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 165 
04 02 05 02 06 02 02 02 00 2d 00 02 01 01 167 {server} extract secret "early": 169 salt: (absent) 171 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 172 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 174 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c 175 e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 177 {server} create an ephemeral x25519 key pair: 179 private key (32 octets): 20 eb 30 48 af fc bf 2b ff 56 df b5 1e 180 93 4d 78 a0 f5 d2 38 29 41 70 b1 0e ea 18 31 69 68 8b 65 182 public key (32 octets): ee 31 96 ca 63 98 21 a1 7b 51 68 ab 61 0d 183 70 57 d2 b2 50 84 89 1f 87 ef 26 cf 0c 26 84 e5 d6 7e 185 {server} send a ServerHello handshake message 187 {server} derive secret for handshake "tls13 derived": 189 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 190 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 192 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 193 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 195 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 196 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 197 64 9b 93 4c a4 95 99 1b 78 52 b8 55 199 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 200 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 202 {server} extract secret "handshake": 204 salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 205 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 207 ikm (32 octets): 61 d3 4a ad f2 5e 22 3a 2c e6 fb 59 f8 a0 f9 d1 208 d7 5f 18 87 df b0 6c 0f ff f8 47 6d c3 c5 0f 47 210 secret (32 octets): 79 07 c2 82 34 f1 6c a8 71 a4 6b eb 25 da 54 211 7f dc 8a ab 96 d1 4e ef f8 0f 5b 12 f9 ad 8a c9 d6 213 {server} derive secret "tls13 c hs traffic": 215 PRK (32 octets): 79 07 c2 82 34 f1 6c a8 71 a4 6b eb 25 da 54 7f 216 dc 8a ab 96 d1 4e ef f8 0f 5b 12 f9 ad 8a c9 d6 218 hash (32 octets): 2a 63 e9 0b 84 e5 c9 79 80 56 98 41 19 3b 80 94 219 22 19 36 52 19 ad 23 90 b6 80 64 c2 ae bb 09 
69 221 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 222 61 66 66 69 63 20 2a 63 e9 0b 84 e5 c9 79 80 56 98 41 19 3b 80 223 94 22 19 36 52 19 ad 23 90 b6 80 64 c2 ae bb 09 69 225 output (32 octets): 40 2b 60 6f 3c b0 c8 5b 6d bf fb fd a9 df 79 226 14 58 4a 0e b9 21 1b b5 e9 0b a4 81 f2 5c 4b 94 e2 228 {server} derive secret "tls13 s hs traffic": 230 PRK (32 octets): 79 07 c2 82 34 f1 6c a8 71 a4 6b eb 25 da 54 7f 231 dc 8a ab 96 d1 4e ef f8 0f 5b 12 f9 ad 8a c9 d6 233 hash (32 octets): 2a 63 e9 0b 84 e5 c9 79 80 56 98 41 19 3b 80 94 234 22 19 36 52 19 ad 23 90 b6 80 64 c2 ae bb 09 69 236 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 237 61 66 66 69 63 20 2a 63 e9 0b 84 e5 c9 79 80 56 98 41 19 3b 80 238 94 22 19 36 52 19 ad 23 90 b6 80 64 c2 ae bb 09 69 240 output (32 octets): a2 c1 53 5b 55 26 42 8b 49 cb e6 cc 3c 19 23 241 7c 37 4e 94 db 25 6c 96 4d 4d 13 76 a9 de 1a c5 12 243 {server} derive secret for master "tls13 derived": 245 PRK (32 octets): 79 07 c2 82 34 f1 6c a8 71 a4 6b eb 25 da 54 7f 246 dc 8a ab 96 d1 4e ef f8 0f 5b 12 f9 ad 8a c9 d6 248 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 249 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 251 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 252 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 253 64 9b 93 4c a4 95 99 1b 78 52 b8 55 255 output (32 octets): 44 50 97 b3 09 4b 9c e8 35 af 72 02 5d 0f d3 256 80 ae 2b ae 88 06 08 f6 b2 b9 92 42 92 eb 04 71 d1 258 {server} extract secret "master": 260 salt (32 octets): 44 50 97 b3 09 4b 9c e8 35 af 72 02 5d 0f d3 80 261 ae 2b ae 88 06 08 f6 b2 b9 92 42 92 eb 04 71 d1 263 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 264 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 266 secret (32 octets): 23 07 37 68 ca 09 44 ef de d6 a1 fd 17 3e 7a 267 1f a7 51 b2 1b 6b f2 07 66 1c b2 94 bc 29 f4 49 c7 269 {server} send handshake record: 271 payload (90 octets): 02 00 
00 56 03 03 8e 58 c0 e7 0c 99 2d 7f fc 272 80 98 eb dc 67 ba 85 05 e4 2e 44 05 bf 77 23 95 49 24 7a b2 ba 273 20 3c 00 13 01 00 00 2e 00 28 00 24 00 1d 00 20 ee 31 96 ca 63 274 98 21 a1 7b 51 68 ab 61 0d 70 57 d2 b2 50 84 89 1f 87 ef 26 cf 275 0c 26 84 e5 d6 7e 00 2b 00 02 7f 16 277 ciphertext (95 octets): 16 03 03 00 5a 02 00 00 56 03 03 8e 58 c0 278 e7 0c 99 2d 7f fc 80 98 eb dc 67 ba 85 05 e4 2e 44 05 bf 77 23 279 95 49 24 7a b2 ba 20 3c 00 13 01 00 00 2e 00 28 00 24 00 1d 00 280 20 ee 31 96 ca 63 98 21 a1 7b 51 68 ab 61 0d 70 57 d2 b2 50 84 281 89 1f 87 ef 26 cf 0c 26 84 e5 d6 7e 00 2b 00 02 7f 16 283 {server} send a EncryptedExtensions handshake message 285 {server} send a Certificate handshake message 287 {server} send a CertificateVerify handshake message 288 {server} calculate finished "tls13 finished": 290 PRK (32 octets): a2 c1 53 5b 55 26 42 8b 49 cb e6 cc 3c 19 23 7c 291 37 4e 94 db 25 6c 96 4d 4d 13 76 a9 de 1a c5 12 293 hash (0 octets): (empty) 295 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 296 64 00 298 output (32 octets): d2 7d 01 ab e2 d9 d6 68 98 dc 10 f8 5d 92 2f 299 d6 ff f5 1d b8 80 f4 af 64 52 b7 1c 05 c3 fc 42 67 301 {server} send a Finished handshake message 303 {server} send handshake record: 305 payload (651 octets): 08 00 00 1e 00 1c 00 0a 00 14 00 12 00 1d 306 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 0b 307 00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30 82 01 15 a0 03 02 308 01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 309 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 1e 17 0d 31 36 310 30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36 30 37 33 30 30 31 311 32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 312 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 313 00 30 81 89 02 81 81 00 b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 314 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 315 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 
316 43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 317 44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 318 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 319 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 01 00 01 a3 1a 30 18 30 09 320 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 05 321 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 85 322 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17 06 18 a5 4c 5f 8a 323 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea e8 f8 a5 8c 8f 81 72 f9 31 324 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 51 56 72 60 96 fd 33 5e 5e 325 67 f2 db f1 02 70 2e 60 8c ca e6 be c1 fc 63 a4 2a 99 be 5c 3e 326 b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1c 3b 84 e0 a8 b2 f7 59 40 327 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 96 12 29 ac 91 87 b4 2b 4d 328 e1 00 00 0f 00 00 84 08 04 00 80 35 dc 65 98 6e 5d 7a 91 25 7a 329 91 01 85 5d 87 54 9c 1b 0d 19 6b 6c 19 da a2 67 38 30 ff 73 a4 330 51 ab 79 48 55 ca c3 40 e8 48 fd 10 5a 96 ed b4 23 48 99 8c d9 331 ac 0d f6 63 d8 92 7e 88 67 25 57 0a 41 52 28 af 19 67 a2 2d 9b 332 4d 36 7b b0 90 e4 f0 76 ea 5f a4 7d c5 7c ac 77 cb e6 21 7f 3e 333 fa 6f 10 53 12 9e b9 1a cb 05 48 c6 38 16 89 8d 36 79 8d 6a c0 334 38 89 c4 13 c9 27 de df f9 39 d0 58 8c 14 00 00 20 4a 81 42 ca 335 b4 49 41 89 68 94 06 27 07 e6 92 d6 32 a8 6a 12 4c be 2a 81 6b 336 3d ef a1 b3 15 40 db 338 ciphertext (673 octets): 17 03 03 02 9c 6f 0c 3d 25 89 2d 11 1b 339 9e 10 b7 bf 9e cb 09 ec 5e 87 75 53 b3 15 3e b9 80 12 4c 44 59 340 58 b1 71 01 41 8b 00 d8 f0 2f af cc 55 ba 06 25 88 ba 53 0e f0 341 9a 8f b4 c7 d6 de 1f 8b 7e b8 d8 b6 d2 1e 01 34 a9 75 74 ae 71 342 2d 5c b6 c1 5d 19 b3 47 c7 8a 88 4a 71 ff b8 c2 e7 60 02 22 16 343 a7 93 8f 10 81 8c 3f 81 16 b4 5a 39 79 d0 9d 72 52 e3 b4 4f 10 344 ae 68 f5 a6 1b 31 d8 e0 b4 15 f8 09 7d d5 14 f1 ba d1 49 dc bc 345 e5 cb 35 48 55 f6 1d 56 08 c7 b9 d5 85 9a d9 f4 e2 02 84 45 5d 346 9d ab 37 d5 6e 09 5e bd 88 68 89 a2 36 3f c9 7b 16 62 06 63 7c 347 ca 01 ab 37 7e 9d 3f 3d 06 
4f 6a fc 87 22 1a bf e6 d5 23 27 e9 348 96 91 6e d4 a3 ed 24 9d 5e 71 04 44 dc 78 64 e4 31 6d a8 01 83 349 b0 cc 0c 3b 38 0a 0a 87 a8 36 17 13 86 c7 f1 b8 db 0b 15 30 a4 350 39 6c 1a d4 53 2a 60 7a 55 31 90 63 83 f7 bb 9c cc 20 da a8 ec 351 47 af 17 e5 7e d6 fc c5 f0 61 b7 cb 5a 42 6d 96 96 19 3f e4 a5 352 13 56 82 a2 2e 0c 3f a2 26 9f 0a bf c6 31 6a 19 6f e8 7c f8 91 353 29 b7 7c 43 41 ae 6c 12 b6 c5 70 d6 fb b5 46 0f f7 c6 5d a5 80 354 b1 17 0c 49 12 e4 bd b5 9b 2d 14 f2 7a 05 35 3e 51 d2 18 a3 60 355 15 4c bf 08 f2 9c 64 4b 28 8f 3d 42 4e e8 ea bb f1 26 fd 6b e4 356 b2 b0 f1 97 5f e4 73 a3 df a8 83 78 bd 5b ea ce ee 52 0e 6e 2d 357 c7 40 8e 83 8f 34 36 29 c1 a4 a3 dd fa 58 c3 c3 f8 08 5a 79 3a 358 f2 49 38 3d e5 51 a8 a9 50 4a ea 31 31 28 27 ad d1 0c ed b3 39 359 e4 a2 32 11 85 aa 27 6f 76 2b 0a 6b cd 9e f8 f8 2c 0f de ac 3b 360 60 d6 5d 10 94 99 b9 1f 19 4b 88 4a cd c7 b0 d6 3b 8c f6 f0 d8 361 cb ab f1 3c a9 96 69 42 e1 6a 3d 75 24 ad f3 3e ee e5 de e8 91 362 6b 57 31 c3 6e 21 1a 2d fb fb 65 60 07 91 3b 51 c5 a0 97 50 df 363 a9 70 8d 38 e0 a2 0b 5c ee c9 58 4b c7 aa 83 70 94 b9 6e fd 55 364 b0 7a c3 72 00 42 4c f9 eb 54 2d 53 b5 6e 71 32 33 83 c1 93 f2 365 cd f6 22 08 35 48 07 a0 19 3e cd 23 78 ed dd 72 74 27 fe 9d f9 366 d0 46 28 b8 9c 38 0b 3b 83 b5 e6 95 cf ba 2d 8d 2f 30 ce 0e 19 367 17 ee 05 2e 7e c9 4d 4d da 39 b6 93 e0 1e a9 68 ad 95 1d 40 cc 368 99 66 82 0e 7a 95 ff 17 e0 fd 0b 4d d0 d2 a8 70 d0 b5 ab d9 10 369 79 5a 3e d7 2d 66 54 ba e0 a7 3a 85 fc dc 9b f8 98 53 82 8c 2c 370 4e 07 51 be e6 e4 a7 de 11 372 {server} derive secret "tls13 c ap traffic": 374 PRK (32 octets): 23 07 37 68 ca 09 44 ef de d6 a1 fd 17 3e 7a 1f 375 a7 51 b2 1b 6b f2 07 66 1c b2 94 bc 29 f4 49 c7 377 hash (32 octets): ad 7f 35 b9 42 29 61 a5 31 91 f1 be 86 0e 47 19 378 77 4f e9 ee c7 0e d5 3f 29 fa ec af b1 f2 9c 0b 380 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 381 61 66 66 69 63 20 ad 7f 35 b9 42 29 61 a5 31 91 f1 be 86 0e 47 382 19 77 4f e9 ee c7 0e d5 
3f 29 fa ec af b1 f2 9c 0b 384 output (32 octets): 4f c9 93 4a 78 39 af bf b1 ad 4a 09 f9 13 90 385 aa 58 f8 16 40 60 8d 63 86 38 78 c0 b9 9f 6c da aa 387 {server} derive secret "tls13 s ap traffic": 389 PRK (32 octets): 23 07 37 68 ca 09 44 ef de d6 a1 fd 17 3e 7a 1f 390 a7 51 b2 1b 6b f2 07 66 1c b2 94 bc 29 f4 49 c7 392 hash (32 octets): ad 7f 35 b9 42 29 61 a5 31 91 f1 be 86 0e 47 19 393 77 4f e9 ee c7 0e d5 3f 29 fa ec af b1 f2 9c 0b 395 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 396 61 66 66 69 63 20 ad 7f 35 b9 42 29 61 a5 31 91 f1 be 86 0e 47 397 19 77 4f e9 ee c7 0e d5 3f 29 fa ec af b1 f2 9c 0b 399 output (32 octets): 71 9b 77 1c 5c 65 41 32 a7 25 1f 09 12 92 f7 400 68 b6 d8 9f af 36 f3 1f 79 44 05 00 fc 16 68 b2 b7 402 {server} derive secret "tls13 exp master": 404 PRK (32 octets): 23 07 37 68 ca 09 44 ef de d6 a1 fd 17 3e 7a 1f 405 a7 51 b2 1b 6b f2 07 66 1c b2 94 bc 29 f4 49 c7 407 hash (32 octets): ad 7f 35 b9 42 29 61 a5 31 91 f1 be 86 0e 47 19 408 77 4f e9 ee c7 0e d5 3f 29 fa ec af b1 f2 9c 0b 410 info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 411 74 65 72 20 ad 7f 35 b9 42 29 61 a5 31 91 f1 be 86 0e 47 19 77 412 4f e9 ee c7 0e d5 3f 29 fa ec af b1 f2 9c 0b 414 output (32 octets): 9d 07 cc 4a ef bc c1 f1 75 81 54 ac 1a ba 78 415 8b 0e d5 f3 1b bc 7f a4 ca dd ce 7a 09 7a 3e 25 42 417 {client} extract secret "early": 419 salt: (absent) 421 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 422 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 424 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c 425 e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 427 {client} derive secret for handshake "tls13 derived": 429 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 430 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 432 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 433 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 435 info (49 octets): 00 20 0d 74 6c 
73 31 33 20 64 65 72 69 76 65 64 436 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 437 64 9b 93 4c a4 95 99 1b 78 52 b8 55 439 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 440 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 442 {client} extract secret "handshake": 444 salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 445 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 447 ikm (32 octets): 61 d3 4a ad f2 5e 22 3a 2c e6 fb 59 f8 a0 f9 d1 448 d7 5f 18 87 df b0 6c 0f ff f8 47 6d c3 c5 0f 47 450 secret (32 octets): 79 07 c2 82 34 f1 6c a8 71 a4 6b eb 25 da 54 451 7f dc 8a ab 96 d1 4e ef f8 0f 5b 12 f9 ad 8a c9 d6 453 {client} derive secret "tls13 c hs traffic" (same as server) 455 {client} derive secret "tls13 s hs traffic" (same as server) 457 {client} derive secret for master "tls13 derived" (same as server) 459 {client} extract secret "master" (same as server) 461 {client} calculate finished "tls13 finished" (same as server) 463 {client} derive secret "tls13 c ap traffic" (same as server) 465 {client} derive secret "tls13 s ap traffic" (same as server) 467 {client} derive secret "tls13 exp master" (same as server) 469 {client} calculate finished "tls13 finished": 471 PRK (32 octets): 40 2b 60 6f 3c b0 c8 5b 6d bf fb fd a9 df 79 14 472 58 4a 0e b9 21 1b b5 e9 0b a4 81 f2 5c 4b 94 e2 474 hash (0 octets): (empty) 476 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 477 64 00 479 output (32 octets): 47 af c3 66 da 4c 2d 41 64 19 fe c6 f7 af f1 480 3c 58 9b 56 a2 6a da e0 b6 f3 7a 8d f5 2e a1 d9 33 482 {client} send a Finished handshake message 484 {client} send handshake record: 486 payload (36 octets): 14 00 00 20 3a d4 3d b6 d0 42 77 0c 3f 79 f7 487 a9 1a cc 0a 41 1f 1b 92 21 f0 3f 9d 2a 6b 92 c4 d1 54 51 19 ed 489 ciphertext (58 octets): 17 03 03 00 35 32 d7 1d 7f 1b 8e f2 da f3 490 58 4c 6c 09 c7 4a ed 85 6e 75 59 4e 6f 14 67 4c d9 48 f2 69 ab 491 c1 cc 0e b7 bb 10 45 51 78 88 83 8f 51 34 75 a2 
59 ef 80 9b 0f 492 94 1f 494 {client} derive secret "tls13 res master": 496 PRK (32 octets): 23 07 37 68 ca 09 44 ef de d6 a1 fd 17 3e 7a 1f 497 a7 51 b2 1b 6b f2 07 66 1c b2 94 bc 29 f4 49 c7 499 hash (32 octets): 2d eb 11 8e 31 f3 d3 8b 38 de 1f cc 26 46 d2 21 500 ac e6 1f 97 fa 79 75 92 23 7a 65 9c 2b 6b 93 51 502 info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 503 74 65 72 20 2d eb 11 8e 31 f3 d3 8b 38 de 1f cc 26 46 d2 21 ac 504 e6 1f 97 fa 79 75 92 23 7a 65 9c 2b 6b 93 51 506 output (32 octets): ba dd 11 ad f0 7b 59 f9 d1 90 56 1e 4e 69 d6 507 5d 2d 0c cc 92 3b 08 4a cd 70 6e 00 cd 54 e6 5b 70 509 {server} calculate finished "tls13 finished" (same as client) 511 {server} derive secret "tls13 res master" (same as client) 513 {server} generate resumption secret "tls13 resumption": 515 PRK (32 octets): ba dd 11 ad f0 7b 59 f9 d1 90 56 1e 4e 69 d6 5d 516 2d 0c cc 92 3b 08 4a cd 70 6e 00 cd 54 e6 5b 70 518 hash (2 octets): 00 00 520 info (22 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 75 6d 70 74 521 69 6f 6e 02 00 00 523 output (32 octets): 20 b3 ed 07 48 14 86 03 09 cd 47 fb 81 0b 36 524 9c f1 86 b7 09 7c b7 76 ff 57 f8 a7 ce 12 18 fa fa 526 {server} send a NewSessionTicket handshake message 527 {server} send handshake record: 529 payload (205 octets): 04 00 00 c9 00 00 00 1e 1a 46 fe 8d 02 00 530 00 00 b2 f7 34 a8 af 18 42 36 ce f0 ae ea b1 00 00 00 00 68 2d 531 66 eb 29 13 c9 eb 94 c6 9a 57 51 5d df 2f 00 70 c2 f3 4f 9b 2e 532 d5 a5 30 91 16 c9 d7 4f ca eb 2b f8 87 51 9a a5 5a 7c 83 ff 27 533 fd c3 72 ba ec 38 7d be 58 8e d6 27 4b 1f f5 13 6c eb 68 ea 4a 534 39 ce 79 08 7c 6e 75 42 b4 9c 7c 0e 4b 97 fc 2a 29 73 27 71 8b 535 29 bf 63 6a dd 4e 6b 46 a4 1d f2 3f 45 01 28 80 20 b2 6c e5 75 536 d4 c9 f1 87 eb e5 48 07 1b 51 19 8c 4b 10 f9 4c f7 ce 94 aa 08 537 17 a7 2a a8 86 64 63 d9 d7 7f 9c db 81 e6 27 82 c1 33 2e 22 0c 538 55 2c dc 44 48 4b e7 ee f7 64 3d c3 8d 00 08 00 2a 00 04 00 00 539 04 00 541 ciphertext (227 octets): 17 03 03 00 de ce 84 
1b 08 4c ba 5c 21 542 cd 70 f7 30 28 18 7c c9 a0 e9 e5 b8 88 f8 d0 ca 5a f7 7d df 96 543 eb cd fd 1e 70 c6 8b a2 44 a9 64 3d c8 c2 b3 9c 93 3d 0e a9 1a 544 8d 7a 35 df db 3d c3 45 57 bb eb e8 0c a4 0b 64 b8 45 cd 04 b2 545 18 2e 73 59 f5 53 60 0b 1b 1f 8a c1 29 fd 3c f5 eb 79 91 3a e4 546 27 02 a3 10 a7 17 5d e1 15 c7 fd 77 00 06 54 2d cf 8a 7a 94 53 547 8d 96 d9 71 72 02 28 4b ed af f5 ff ec a0 23 10 92 12 3e a6 b0 548 bc 12 99 ae c3 a9 8c 44 27 e4 35 7c 38 16 d0 a6 c5 d0 93 aa d5 549 9c 09 5c 99 76 91 b5 88 cc 3c 10 8e 95 d7 f8 39 f9 ec 2c a5 18 550 2c 80 53 12 a1 c2 d0 32 88 80 97 c1 4e 38 5a 3c c5 e9 37 0e b6 551 49 08 05 4b 52 64 4e 35 09 2a 34 4a 74 77 b8 bb be fb 22 a8 ff 552 c3 9e 84 ac 554 {client} generate resumption secret "tls13 resumption" (same as 555 server) 557 {client} send application_data record: 559 payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 560 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 561 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 563 ciphertext (72 octets): 17 03 03 00 43 18 8a fa 7b 29 8e 8d ef c3 564 eb 5e f8 2f dc 60 92 3b b5 5c ca 31 a5 64 63 df ec 71 7a aa 99 565 77 9c c6 1f bf ca 90 73 b9 95 51 73 a0 b7 1c 1b f2 b9 2d b0 60 566 73 e9 65 5b 64 3e 12 ef 76 d8 c8 86 91 12 aa 35 568 {server} send application_data record: 570 payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 571 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 572 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 574 ciphertext (72 octets): 17 03 03 00 43 d8 27 0a 4b 0b a6 c0 74 c3 575 83 0b 15 58 a1 cb 89 13 e2 21 d7 08 33 ee 02 74 58 e2 46 11 a0 576 d4 7f 9c d3 bd 66 ce 03 13 db 71 8e e4 d0 ef bc 3f 8a 4d 7e 35 577 04 3c 46 48 40 d8 7d eb 66 b7 7d 40 df 36 aa 7d 579 {client} send alert record: 581 payload (2 octets): 01 00 583 ciphertext (24 octets): 17 03 03 00 13 d5 92 9a 67 ba 50 4f 19 3a 584 59 7d 3a ab 2d c3 f9 04 12 7d 586 {server} send alert record: 588 payload (2 octets): 01 00 590 ciphertext (24 
octets): 17 03 03 00 13 69 ed b3 40 6d 1e 57 51 97 591 75 4a c9 27 19 e0 5d 71 18 67 593 4. Resumed 0-RTT Handshake 595 This handshake resumes from the handshake in Section 3. Since the 596 server provided a session ticket that permitted 0-RTT, and the client 597 is configured for 0-RTT, the client is able to send 0-RTT data. 599 {client} create an ephemeral x25519 key pair: 601 private key (32 octets): 25 ee 23 7a 20 17 98 ee e8 7f 37 60 53 602 e1 28 50 9a be 65 e7 87 34 4f f2 b9 ff 9d 04 fd 13 8a fa 604 public key (32 octets): fa 5d e3 00 e6 9f 05 d6 19 a4 28 fc fb 02 605 88 b5 57 b6 40 6a 26 fc 51 13 c0 4e 4a 3c 86 9a 44 14 607 {client} extract secret "early": 609 salt: (absent) 611 ikm (32 octets): 20 b3 ed 07 48 14 86 03 09 cd 47 fb 81 0b 36 9c 612 f1 86 b7 09 7c b7 76 ff 57 f8 a7 ce 12 18 fa fa 614 secret (32 octets): 35 10 b5 e7 47 ce ef 42 b1 fe ff e7 a7 4f dc 615 0f 52 a5 ee fc a2 b6 76 b0 82 4e 06 17 c8 64 56 16 617 {client} send a ClientHello handshake message 619 {client} calculate finished "tls13 finished": 621 PRK (32 octets): de 0c 49 be 25 cd 0a b1 79 a9 d1 be e0 5a c0 cc 622 a0 3d 51 10 4f cc ac db 13 12 b6 35 40 5a db 2c 624 hash (0 octets): (empty) 626 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 627 64 00 629 output (32 octets): e6 12 24 d1 ef b4 01 4b 18 aa e8 db 83 4e 12 630 5b da e8 e8 bf f1 17 2f a6 a8 8c 35 39 77 c6 5a 68 632 {client} send handshake record: 634 payload (512 octets): 01 00 01 fc 03 03 f4 74 90 c6 31 61 6b 80 635 01 47 e5 62 01 b1 13 6d b0 04 92 f7 e8 d9 56 2a 77 fb f9 77 1d 636 8a a4 6c 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00 637 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 638 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 28 00 639 26 00 24 00 1d 00 20 fa 5d e3 00 e6 9f 05 d6 19 a4 28 fc fb 02 640 88 b5 57 b6 40 6a 26 fc 51 13 c0 4e 4a 3c 86 9a 44 14 00 2a 00 641 00 00 2b 00 03 02 7f 16 00 0d 00 20 00 1e 04 03 05 03 06 03 02 642 03 08 04 08 05 08 06 04 01 05 01 
06 01 02 01 04 02 05 02 06 02 643 02 02 00 2d 00 02 01 01 00 15 00 5d 00 00 00 00 00 00 00 00 00 644 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 645 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 646 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 647 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 648 00 29 00 dd 00 b8 00 b2 f7 34 a8 af 18 42 36 ce f0 ae ea b1 00 649 00 00 00 68 2d 66 eb 29 13 c9 eb 94 c6 9a 57 51 5d df 2f 00 70 650 c2 f3 4f 9b 2e d5 a5 30 91 16 c9 d7 4f ca eb 2b f8 87 51 9a a5 651 5a 7c 83 ff 27 fd c3 72 ba ec 38 7d be 58 8e d6 27 4b 1f f5 13 652 6c eb 68 ea 4a 39 ce 79 08 7c 6e 75 42 b4 9c 7c 0e 4b 97 fc 2a 653 29 73 27 71 8b 29 bf 63 6a dd 4e 6b 46 a4 1d f2 3f 45 01 28 80 654 20 b2 6c e5 75 d4 c9 f1 87 eb e5 48 07 1b 51 19 8c 4b 10 f9 4c 655 f7 ce 94 aa 08 17 a7 2a a8 86 64 63 d9 d7 7f 9c db 81 e6 27 82 656 c1 33 2e 22 0c 55 2c dc 44 48 4b e7 ee f7 64 3d c3 8d 1a 46 fe 657 90 00 21 20 34 60 d2 6b d5 55 86 97 91 90 dd 6d 8f 25 3d f3 fa 658 d7 d1 64 61 28 f3 d9 3d 51 57 21 3b 90 86 b3 660 ciphertext (517 octets): 16 03 01 02 00 01 00 01 fc 03 03 f4 74 661 90 c6 31 61 6b 80 01 47 e5 62 01 b1 13 6d b0 04 92 f7 e8 d9 56 662 2a 77 fb f9 77 1d 8a a4 6c 00 00 06 13 01 13 03 13 02 01 00 01 663 cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 664 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 665 03 01 04 00 28 00 26 00 24 00 1d 00 20 fa 5d e3 00 e6 9f 05 d6 666 19 a4 28 fc fb 02 88 b5 57 b6 40 6a 26 fc 51 13 c0 4e 4a 3c 86 667 9a 44 14 00 2a 00 00 00 2b 00 03 02 7f 16 00 0d 00 20 00 1e 04 668 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 669 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 15 00 5d 00 00 00 670 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 671 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 672 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 673 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 674 00 00 00 00 00 00 00 29 00 dd 00 b8 00 b2 f7 34 a8 af 18 42 36 675 ce f0 ae ea b1 00 00 00 00 68 2d 66 eb 29 13 c9 eb 94 c6 9a 57 676 51 5d df 2f 00 70 c2 f3 4f 9b 2e d5 a5 30 91 16 c9 d7 4f ca eb 677 2b f8 87 51 9a a5 5a 7c 83 ff 27 fd c3 72 ba ec 38 7d be 58 8e 678 d6 27 4b 1f f5 13 6c eb 68 ea 4a 39 ce 79 08 7c 6e 75 42 b4 9c 679 7c 0e 4b 97 fc 2a 29 73 27 71 8b 29 bf 63 6a dd 4e 6b 46 a4 1d 680 f2 3f 45 01 28 80 20 b2 6c e5 75 d4 c9 f1 87 eb e5 48 07 1b 51 681 19 8c 4b 10 f9 4c f7 ce 94 aa 08 17 a7 2a a8 86 64 63 d9 d7 7f 682 9c db 81 e6 27 82 c1 33 2e 22 0c 55 2c dc 44 48 4b e7 ee f7 64 683 3d c3 8d 1a 46 fe 90 00 21 20 34 60 d2 6b d5 55 86 97 91 90 dd 684 6d 8f 25 3d f3 fa d7 d1 64 61 28 f3 d9 3d 51 57 21 3b 90 86 b3 686 {client} derive secret "tls13 c e traffic": 688 PRK (32 octets): 35 10 b5 e7 47 ce ef 42 b1 fe ff e7 a7 4f dc 0f 689 52 a5 ee fc a2 b6 76 b0 82 4e 06 17 c8 64 56 16 691 hash (32 octets): 89 4e e7 2f 01 a8 67 e9 cc 87 5a 19 44 22 10 8a 692 e9 51 45 f9 43 b0 89 1f 3c ab 07 4f 12 fa c4 0a 694 info (53 octets): 00 20 11 74 6c 73 31 33 20 63 20 65 20 74 72 61 695 66 66 69 63 20 89 4e e7 2f 01 a8 67 e9 cc 87 5a 19 44 22 10 8a 696 e9 51 45 f9 43 b0 89 1f 3c ab 07 4f 12 fa c4 0a 698 output (32 octets): 7b dd 21 10 35 33 b9 d8 2b ae 6c 26 be 3e 78 699 e9 bd 37 91 42 96 24 db e0 a6 b3 9c e5 bf 69 eb 23 701 {client} derive secret "tls13 e exp master": 703 PRK (32 octets): 35 10 b5 e7 47 ce ef 42 b1 fe ff e7 a7 4f dc 0f 704 52 a5 ee fc a2 b6 76 b0 82 4e 06 17 c8 64 56 16 706 hash (32 octets): 89 4e e7 2f 01 a8 67 e9 cc 87 5a 19 44 22 10 8a 707 e9 51 45 f9 43 b0 89 1f 3c ab 07 4f 12 fa c4 0a 709 info (54 octets): 00 20 12 74 6c 73 31 33 20 65 20 65 78 70 20 6d 710 61 73 74 65 72 20 89 4e e7 2f 01 a8 67 e9 cc 87 5a 19 44 22 10 711 8a e9 51 45 f9 43 b0 89 1f 3c ab 07 4f 12 fa c4 0a 713 output (32 octets): da 05 9b c4 d7 bd 6e 30 45 b3 df d8 ab c8 68 714 1b 22 47 6f 44 b4 54 22 75 12 af a9 af c0 60 3f c1 716 {client} send 
application_data record: 718 payload (6 octets): 41 42 43 44 45 46 720 ciphertext (28 octets): 17 03 03 00 17 d8 3a 80 c1 65 49 bf 19 49 721 38 a3 9c c1 54 a1 8b a7 cb bb a7 bf 02 e0 723 {server} extract secret "early" (same as client) 725 {server} calculate finished "tls13 finished" (same as client) 727 {server} create an ephemeral x25519 key pair: 729 private key (32 octets): a3 41 34 2b 44 be 43 fa 13 b5 a2 fa 30 730 6a d7 24 ef 7f 73 a0 87 ac be 4a 79 10 82 b6 00 cd 08 b5 732 public key (32 octets): 66 62 56 0e 42 6c b1 13 d5 63 b1 69 e9 72 733 b5 c4 81 dd b6 cc f2 a5 79 39 ed d2 4b a9 e9 b6 2f 5f 735 {server} derive secret "tls13 c e traffic" (same as client) 737 {server} derive secret "tls13 e exp master" (same as client) 739 {server} send a ServerHello handshake message 741 {server} derive secret for handshake "tls13 derived": 743 PRK (32 octets): 35 10 b5 e7 47 ce ef 42 b1 fe ff e7 a7 4f dc 0f 744 52 a5 ee fc a2 b6 76 b0 82 4e 06 17 c8 64 56 16 746 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 747 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 749 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 750 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 751 64 9b 93 4c a4 95 99 1b 78 52 b8 55 753 output (32 octets): 3c 5b 59 45 89 ee 0f a2 f1 18 d3 98 fc 3c 3e 754 50 f7 13 21 65 bc 5e 20 1a 97 da df 8e 36 ad 16 ba 756 {server} extract secret "handshake": 758 salt (32 octets): 3c 5b 59 45 89 ee 0f a2 f1 18 d3 98 fc 3c 3e 50 759 f7 13 21 65 bc 5e 20 1a 97 da df 8e 36 ad 16 ba 761 ikm (32 octets): ca 49 06 0d 44 b4 58 b8 e2 6f b7 2a 18 6e bc 44 762 6b a8 e4 0e 8f b1 39 5c c7 f7 56 59 ee 86 f8 54 764 secret (32 octets): 6b a5 c1 83 92 4b a3 2c e0 99 85 c9 11 f2 97 765 bb 0a 7c de 27 63 1a 6f 2e e8 88 25 19 88 f3 07 54 767 {server} derive secret "tls13 c hs traffic": 769 PRK (32 octets): 6b a5 c1 83 92 4b a3 2c e0 99 85 c9 11 f2 97 bb 770 0a 7c de 27 63 1a 6f 2e e8 88 25 19 88 f3 07 54 772 hash (32 octets): ef 88 42 
5a 0d c1 df 66 77 f6 2d de 3e 93 79 b6 773 39 83 b3 a0 89 66 db aa d7 d4 c9 c6 b1 79 b3 b7 775 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 776 61 66 66 69 63 20 ef 88 42 5a 0d c1 df 66 77 f6 2d de 3e 93 79 777 b6 39 83 b3 a0 89 66 db aa d7 d4 c9 c6 b1 79 b3 b7 779 output (32 octets): a2 ba 52 84 b4 0e 7d 65 af af 93 c0 93 06 dd 780 e4 70 98 a4 ee 28 4c f4 6e 0b 59 09 fe 25 8c a6 4f 782 {server} derive secret "tls13 s hs traffic": 784 PRK (32 octets): 6b a5 c1 83 92 4b a3 2c e0 99 85 c9 11 f2 97 bb 785 0a 7c de 27 63 1a 6f 2e e8 88 25 19 88 f3 07 54 787 hash (32 octets): ef 88 42 5a 0d c1 df 66 77 f6 2d de 3e 93 79 b6 788 39 83 b3 a0 89 66 db aa d7 d4 c9 c6 b1 79 b3 b7 790 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 791 61 66 66 69 63 20 ef 88 42 5a 0d c1 df 66 77 f6 2d de 3e 93 79 792 b6 39 83 b3 a0 89 66 db aa d7 d4 c9 c6 b1 79 b3 b7 794 output (32 octets): 58 6f 1a b9 cb 2d 93 70 66 1a 1e 0b c9 fc 8c 795 39 1a 34 67 b9 9e bd 58 16 c1 8c 46 a5 28 6e 96 77 797 {server} derive secret for master "tls13 derived": 799 PRK (32 octets): 6b a5 c1 83 92 4b a3 2c e0 99 85 c9 11 f2 97 bb 800 0a 7c de 27 63 1a 6f 2e e8 88 25 19 88 f3 07 54 802 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 803 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 805 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 806 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 807 64 9b 93 4c a4 95 99 1b 78 52 b8 55 809 output (32 octets): 78 31 58 10 11 a6 70 a2 ce 59 0b 80 b8 e5 44 810 12 35 49 d6 bd 44 3c f6 9e 80 e8 0a 7e 38 93 d7 7e 812 {server} extract secret "master": 814 salt (32 octets): 78 31 58 10 11 a6 70 a2 ce 59 0b 80 b8 e5 44 12 815 35 49 d6 bd 44 3c f6 9e 80 e8 0a 7e 38 93 d7 7e 817 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 818 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 820 secret (32 octets): 6b 06 1b 95 b3 81 1d 3a 8a a8 3d a0 1d f0 e6 821 d5 c3 be 43 d8 3b 18 b3 bc b8 
e8 52 78 14 2b 11 9c 823 {server} send handshake record: 825 payload (96 octets): 02 00 00 5c 03 03 4b 98 9e 4c 47 ca 09 2a 18 826 78 78 ae 45 7f d5 85 6e dc a0 f7 ae cf 00 4e d0 20 3a fe 0d 57 827 e3 86 00 13 01 00 00 34 00 29 00 02 00 00 00 28 00 24 00 1d 00 828 20 66 62 56 0e 42 6c b1 13 d5 63 b1 69 e9 72 b5 c4 81 dd b6 cc 829 f2 a5 79 39 ed d2 4b a9 e9 b6 2f 5f 00 2b 00 02 7f 16 831 ciphertext (101 octets): 16 03 03 00 60 02 00 00 5c 03 03 4b 98 832 9e 4c 47 ca 09 2a 18 78 78 ae 45 7f d5 85 6e dc a0 f7 ae cf 00 833 4e d0 20 3a fe 0d 57 e3 86 00 13 01 00 00 34 00 29 00 02 00 00 834 00 28 00 24 00 1d 00 20 66 62 56 0e 42 6c b1 13 d5 63 b1 69 e9 835 72 b5 c4 81 dd b6 cc f2 a5 79 39 ed d2 4b a9 e9 b6 2f 5f 00 2b 836 00 02 7f 16 838 {server} send a EncryptedExtensions handshake message 840 {server} calculate finished "tls13 finished": 842 PRK (32 octets): 58 6f 1a b9 cb 2d 93 70 66 1a 1e 0b c9 fc 8c 39 843 1a 34 67 b9 9e bd 58 16 c1 8c 46 a5 28 6e 96 77 845 hash (0 octets): (empty) 847 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 848 64 00 850 output (32 octets): 98 90 9d e6 86 66 b5 12 80 1c 41 c6 3b 20 f9 851 fc 1f 7f 8f e1 19 64 75 d2 07 48 66 e3 a1 5d 14 15 853 {server} send a Finished handshake message 855 {server} send handshake record: 857 payload (74 octets): 08 00 00 22 00 20 00 0a 00 14 00 12 00 1d 00 858 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 00 2a 859 00 00 14 00 00 20 c9 f5 11 e0 94 08 c2 b3 ff b5 ac 45 3c 7c 0a 860 65 c0 8c 28 c9 bc 4f 38 54 46 91 9e b8 fd 84 7c e0 862 ciphertext (96 octets): 17 03 03 00 5b f5 a6 a6 20 f2 db 4e 20 1f 863 22 8d 73 b4 15 d8 5e a9 76 e1 55 27 5f 2d 89 a4 96 68 d7 be 48 864 9a 8b 85 20 5d 0b 59 30 79 e6 0e 10 6e 15 67 29 c2 11 90 0a de 865 1f 72 32 67 d8 c8 2b f5 dd 40 bb c5 63 99 1e bc 01 1e 49 14 ea 866 3a ee 25 37 3e eb 31 00 36 c8 f4 44 be 45 16 4d 3a 50 5d 868 {server} derive secret "tls13 c ap traffic": 870 PRK (32 octets): 6b 06 1b 95 b3 81 1d 3a 8a a8 3d a0 1d f0 e6 d5 871 c3 
be 43 d8 3b 18 b3 bc b8 e8 52 78 14 2b 11 9c 873 hash (32 octets): bc be 0c 61 2f 39 63 e4 2c 49 6c b3 03 e9 59 89 874 ba 96 f6 21 00 34 f4 63 05 b9 75 2a 53 d9 a7 dd 876 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 877 61 66 66 69 63 20 bc be 0c 61 2f 39 63 e4 2c 49 6c b3 03 e9 59 878 89 ba 96 f6 21 00 34 f4 63 05 b9 75 2a 53 d9 a7 dd 880 output (32 octets): c9 d1 12 6d be c2 7c a1 72 21 37 3f ef 10 4e 881 cf a0 6d c4 a1 c4 5c 1d 55 3f 2b 1a 84 16 b4 6e cb 883 {server} derive secret "tls13 s ap traffic": 885 PRK (32 octets): 6b 06 1b 95 b3 81 1d 3a 8a a8 3d a0 1d f0 e6 d5 886 c3 be 43 d8 3b 18 b3 bc b8 e8 52 78 14 2b 11 9c 888 hash (32 octets): bc be 0c 61 2f 39 63 e4 2c 49 6c b3 03 e9 59 89 889 ba 96 f6 21 00 34 f4 63 05 b9 75 2a 53 d9 a7 dd 891 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 892 61 66 66 69 63 20 bc be 0c 61 2f 39 63 e4 2c 49 6c b3 03 e9 59 893 89 ba 96 f6 21 00 34 f4 63 05 b9 75 2a 53 d9 a7 dd 895 output (32 octets): aa 91 af 99 99 34 3a 32 8e cf ad 72 cb be e1 896 20 71 d7 79 b3 8a 3d 18 5a 7d c7 c4 e7 f8 33 33 1c 898 {server} derive secret "tls13 exp master": 900 PRK (32 octets): 6b 06 1b 95 b3 81 1d 3a 8a a8 3d a0 1d f0 e6 d5 901 c3 be 43 d8 3b 18 b3 bc b8 e8 52 78 14 2b 11 9c 903 hash (32 octets): bc be 0c 61 2f 39 63 e4 2c 49 6c b3 03 e9 59 89 904 ba 96 f6 21 00 34 f4 63 05 b9 75 2a 53 d9 a7 dd 906 info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 907 74 65 72 20 bc be 0c 61 2f 39 63 e4 2c 49 6c b3 03 e9 59 89 ba 908 96 f6 21 00 34 f4 63 05 b9 75 2a 53 d9 a7 dd 910 output (32 octets): 3d 65 4f f5 ca 07 87 85 69 31 01 cc 71 0f 46 911 e2 93 5b 5e c4 61 14 ca bb 08 35 41 a0 84 66 d1 84 913 {client} derive secret for handshake "tls13 derived": 915 PRK (32 octets): 35 10 b5 e7 47 ce ef 42 b1 fe ff e7 a7 4f dc 0f 916 52 a5 ee fc a2 b6 76 b0 82 4e 06 17 c8 64 56 16 918 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 919 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 921 
info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 922 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 923 64 9b 93 4c a4 95 99 1b 78 52 b8 55 925 output (32 octets): 3c 5b 59 45 89 ee 0f a2 f1 18 d3 98 fc 3c 3e 926 50 f7 13 21 65 bc 5e 20 1a 97 da df 8e 36 ad 16 ba 928 {client} extract secret "handshake": 930 salt (32 octets): 3c 5b 59 45 89 ee 0f a2 f1 18 d3 98 fc 3c 3e 50 931 f7 13 21 65 bc 5e 20 1a 97 da df 8e 36 ad 16 ba 933 ikm (32 octets): ca 49 06 0d 44 b4 58 b8 e2 6f b7 2a 18 6e bc 44 934 6b a8 e4 0e 8f b1 39 5c c7 f7 56 59 ee 86 f8 54 936 secret (32 octets): 6b a5 c1 83 92 4b a3 2c e0 99 85 c9 11 f2 97 937 bb 0a 7c de 27 63 1a 6f 2e e8 88 25 19 88 f3 07 54 939 {client} derive secret "tls13 c hs traffic" (same as server) 941 {client} derive secret "tls13 s hs traffic" (same as server) 943 {client} derive secret for master "tls13 derived" (same as server) 945 {client} extract secret "master" (same as server) 947 {client} calculate finished "tls13 finished" (same as server) 949 {client} derive secret "tls13 c ap traffic" (same as server) 951 {client} derive secret "tls13 s ap traffic" (same as server) 953 {client} derive secret "tls13 exp master" (same as server) 955 {client} send a EndOfEarlyData handshake message 957 {client} send handshake record: 959 payload (4 octets): 05 00 00 00 961 ciphertext (26 octets): 17 03 03 00 15 1d ee d3 9b 27 ff 4f 3c 92 962 2f fd ef 73 89 56 5e cc 79 d1 13 71 964 {client} calculate finished "tls13 finished": 966 PRK (32 octets): a2 ba 52 84 b4 0e 7d 65 af af 93 c0 93 06 dd e4 967 70 98 a4 ee 28 4c f4 6e 0b 59 09 fe 25 8c a6 4f 969 hash (0 octets): (empty) 971 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 972 64 00 974 output (32 octets): 67 02 97 87 4f 08 e5 10 32 72 a8 be 0c 6d c3 975 b4 39 6e 82 28 34 62 6b 21 e6 be 28 b9 d4 b4 35 05 977 {client} send a Finished handshake message 979 {client} send handshake record: 981 payload (36 octets): 14 00 00 20 60 c3 2e 99 5e c1 0d 
d0 1d 73 79 982 e3 eb f1 9f 75 ef 74 0b 18 d4 24 06 c9 62 db 37 a4 53 74 9d 76 984 ciphertext (58 octets): 17 03 03 00 35 b1 a4 2d de c8 7d 6a 62 17 985 a5 53 19 3b 47 a6 6c 32 b4 51 ab f8 48 dc df 68 21 3b 44 21 76 986 a9 e5 9b 8e cf 5e 1a fe d8 94 43 9a 9d f0 c3 a2 4b da ac 97 fc 987 34 55 989 {client} derive secret "tls13 res master": 991 PRK (32 octets): 6b 06 1b 95 b3 81 1d 3a 8a a8 3d a0 1d f0 e6 d5 992 c3 be 43 d8 3b 18 b3 bc b8 e8 52 78 14 2b 11 9c 994 hash (32 octets): 04 5f 9f 6c d4 c6 84 65 a7 79 f4 89 b7 13 57 7f 995 42 e9 91 c1 b7 b7 34 db 01 28 a5 7b 88 35 41 27 997 info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 998 74 65 72 20 04 5f 9f 6c d4 c6 84 65 a7 79 f4 89 b7 13 57 7f 42 999 e9 91 c1 b7 b7 34 db 01 28 a5 7b 88 35 41 27 1001 output (32 octets): 40 7b 7c fa 1a 5d cd 73 e2 75 a6 80 13 16 68 1002 24 4e a8 88 64 19 a6 fe cc 01 f5 7b df d5 5d 15 2a 1004 {server} calculate finished "tls13 finished" (same as client) 1006 {server} derive secret "tls13 res master" (same as client) 1007 {client} send application_data record: 1009 payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 1010 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 1011 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 1013 ciphertext (72 octets): 17 03 03 00 43 89 8d 41 41 71 76 9c 87 23 1014 f5 46 43 1e c6 80 49 5a fa a6 ac 32 5d 66 2f a5 9d 93 5a 99 d2 1015 f5 94 63 b8 d9 cd d3 c1 b1 36 79 08 1d d0 98 7c 4d 26 40 9a bd 1016 40 ca d0 be a6 d5 95 85 01 b1 fc 02 15 08 6d b9 1018 {server} send application_data record: 1020 payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 1021 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 1022 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 1024 ciphertext (72 octets): 17 03 03 00 43 8e 95 04 14 52 07 ad 99 f9 1025 26 b4 7c 28 f6 0f a5 31 b9 7d 35 4f 55 ac fe 46 59 b0 37 f1 94 1026 6e 6a 8d c8 da f7 a9 fc 36 27 02 3f c1 df 0b a1 8c a5 90 11 fc 1027 2f 39 96 ea bc 2f 6d 50 85 93 d6 0b 23 87 
         d4 bc

   {client}  send alert record:

      payload (2 octets):  01 00

      ciphertext (24 octets):  17 03 03 00 13 e4 f4 3b 1b 15 b0 75 40 6c
         2f 32 68 61 99 82 35 6d 78 53

   {server}  send alert record:

      payload (2 octets):  01 00

      ciphertext (24 octets):  17 03 03 00 13 06 18 b6 94 51 58 6b 0d b9
         6c 39 08 0f 6b d7 d1 f1 0b 41

5.  HelloRetryRequest

   In this example, the client initiates a handshake with an X25519
   [RFC7748] share.  The server however prefers P-256 [FIPS186] and
   sends a HelloRetryRequest that requires the client to generate a key
   share on the P-256 curve.

   {client}  create an ephemeral x25519 key pair:

      private key (32 octets):  52 99 b5 dc 31 26 3d a4 eb 70 79 f3 f9
         29 68 d5 1e ce c2 0c 3b aa 64 67 f2 d8 d2 c2 49 88 09 10

      public key (32 octets):  9e d2 81 f2 d1 e0 f8 c3 99 a4 90 a8 6a cd
         71 9d 46 56 77 db dc b4 45 1f 97 39 e1 22 40 8a d4 32

   {client}  send a ClientHello handshake message

   {client}  send handshake record:

      payload (174 octets):  01 00 00 aa 03 03 24 cc 22 ad 4c 8b 8c ed
         c8 e7 ee ac 95 93 1b 24 9d 3a dd 7d 98 c5 e0 d8 35 f5 d7 81 0d
         fb b1 80 00 00 06 13 01 13 03 13 02 01 00 00 7b 00 00 00 0b 00
         09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06
         00 1d 00 17 00 18 00 28 00 26 00 24 00 1d 00 20 9e d2 81 f2 d1
         e0 f8 c3 99 a4 90 a8 6a cd 71 9d 46 56 77 db dc b4 45 1f 97 39
         e1 22 40 8a d4 32 00 2b 00 03 02 7f 16 00 0d 00 20 00 1e 04 03
         05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04
         02 05 02 06 02 02 02 00 2d 00 02 01 01

      ciphertext (179 octets):  16 03 01 00 ae 01 00 00 aa 03 03 24 cc
         22 ad 4c 8b 8c ed c8 e7 ee ac 95 93 1b 24 9d 3a dd 7d 98 c5 e0
         d8 35 f5 d7 81 0d fb b1 80 00 00 06 13 01 13 03 13 02 01 00 00
         7b 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00
         00 0a 00 08 00 06 00 1d 00 17 00 18 00 28 00 26 00 24 00 1d 00
         20 9e d2 81 f2 d1 e0 f8 c3 99 a4 90 a8 6a cd 71
9d 46 56 77 db 1078 dc b4 45 1f 97 39 e1 22 40 8a d4 32 00 2b 00 03 02 7f 16 00 0d 1079 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 1080 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 1082 {server} send a ServerHello handshake message 1084 {server} send handshake record: 1086 payload (176 octets): 02 00 00 ac 03 03 cf 21 ad 74 e5 9a 61 11 1087 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 9e 09 e2 c8 1088 a8 33 9c 00 13 01 00 00 84 00 28 00 02 00 17 00 2c 00 74 00 72 1089 3c c7 0f 98 68 ee 6d bc bb 7b 7c 21 00 00 00 00 73 d2 77 2a 29 1090 c9 93 b4 e0 c3 78 de 45 9e 99 ea 00 30 97 19 7d a5 86 38 74 31 1091 85 03 d3 dd e2 41 7d 5f b7 8c 92 76 13 14 10 ea a9 2e 9e 8a f5 1092 4e a0 92 86 7b 67 7d 64 4f 96 d8 c5 fd 48 30 d1 70 dd 1b 3f 8a 1093 85 17 ab ee 19 60 52 d8 e4 29 3d 62 f0 3b 6d 29 b6 88 4b 7c 00 1094 cc 5e 6c e7 ac 36 47 0e a7 00 2b 00 02 7f 16 1096 ciphertext (181 octets): 16 03 03 00 b0 02 00 00 ac 03 03 cf 21 1097 ad 74 e5 9a 61 11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 1098 5e 07 9e 09 e2 c8 a8 33 9c 00 13 01 00 00 84 00 28 00 02 00 17 1099 00 2c 00 74 00 72 3c c7 0f 98 68 ee 6d bc bb 7b 7c 21 00 00 00 1100 00 73 d2 77 2a 29 c9 93 b4 e0 c3 78 de 45 9e 99 ea 00 30 97 19 1101 7d a5 86 38 74 31 85 03 d3 dd e2 41 7d 5f b7 8c 92 76 13 14 10 1102 ea a9 2e 9e 8a f5 4e a0 92 86 7b 67 7d 64 4f 96 d8 c5 fd 48 30 1103 d1 70 dd 1b 3f 8a 85 17 ab ee 19 60 52 d8 e4 29 3d 62 f0 3b 6d 1104 29 b6 88 4b 7c 00 cc 5e 6c e7 ac 36 47 0e a7 00 2b 00 02 7f 16 1106 {client} create an ephemeral P-256 key pair: 1108 private key (32 octets): e5 d7 d7 16 54 b7 0d 85 b7 ef f8 ff 9f 1109 b4 10 f8 cc 6d 5c 0d 46 cb 4f 3c 96 28 61 c5 20 88 5d e0 1111 public key (65 octets): 04 17 35 66 97 92 26 4a 94 82 cf 17 8e 99 1112 0a e8 49 a3 55 2f 71 ec b8 4c 7b 02 2b 84 f0 57 eb b9 03 a2 e7 1113 ad 9d 2f 7d 44 e3 59 1a d0 04 33 a6 b2 d8 6d 57 9a af 1b 6a 2b 1114 01 72 df 0e 6e 00 08 7a bb 1116 {client} send a ClientHello handshake message 1118 {client} send 
handshake record: 1120 payload (512 octets): 01 00 01 fc 03 03 24 cc 22 ad 4c 8b 8c ed 1121 c8 e7 ee ac 95 93 1b 24 9d 3a dd 7d 98 c5 e0 d8 35 f5 d7 81 0d 1122 fb b1 80 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00 1123 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06 1124 00 1d 00 17 00 18 00 28 00 47 00 45 00 17 00 41 04 17 35 66 97 1125 92 26 4a 94 82 cf 17 8e 99 0a e8 49 a3 55 2f 71 ec b8 4c 7b 02 1126 2b 84 f0 57 eb b9 03 a2 e7 ad 9d 2f 7d 44 e3 59 1a d0 04 33 a6 1127 b2 d8 6d 57 9a af 1b 6a 2b 01 72 df 0e 6e 00 08 7a bb 00 2b 00 1128 03 02 7f 16 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 1129 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2c 1130 00 74 00 72 3c c7 0f 98 68 ee 6d bc bb 7b 7c 21 00 00 00 00 73 1131 d2 77 2a 29 c9 93 b4 e0 c3 78 de 45 9e 99 ea 00 30 97 19 7d a5 1132 86 38 74 31 85 03 d3 dd e2 41 7d 5f b7 8c 92 76 13 14 10 ea a9 1133 2e 9e 8a f5 4e a0 92 86 7b 67 7d 64 4f 96 d8 c5 fd 48 30 d1 70 1134 dd 1b 3f 8a 85 17 ab ee 19 60 52 d8 e4 29 3d 62 f0 3b 6d 29 b6 1135 88 4b 7c 00 cc 5e 6c e7 ac 36 47 0e a7 00 2d 00 02 01 01 00 15 1136 00 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1137 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1138 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1139 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1141 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1142 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1143 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1144 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1146 ciphertext (517 octets): 16 03 03 02 00 01 00 01 fc 03 03 24 cc 1147 22 ad 4c 8b 8c ed c8 e7 ee ac 95 93 1b 24 9d 3a dd 7d 98 c5 e0 1148 d8 35 f5 d7 81 0d fb b1 80 00 00 06 13 01 13 03 13 02 01 00 01 1149 cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 1150 00 0a 00 08 00 06 00 
1d 00 17 00 18 00 28 00 47 00 45 00 17 00 1151 41 04 17 35 66 97 92 26 4a 94 82 cf 17 8e 99 0a e8 49 a3 55 2f 1152 71 ec b8 4c 7b 02 2b 84 f0 57 eb b9 03 a2 e7 ad 9d 2f 7d 44 e3 1153 59 1a d0 04 33 a6 b2 d8 6d 57 9a af 1b 6a 2b 01 72 df 0e 6e 00 1154 08 7a bb 00 2b 00 03 02 7f 16 00 0d 00 20 00 1e 04 03 05 03 06 1155 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 1156 06 02 02 02 00 2c 00 74 00 72 3c c7 0f 98 68 ee 6d bc bb 7b 7c 1157 21 00 00 00 00 73 d2 77 2a 29 c9 93 b4 e0 c3 78 de 45 9e 99 ea 1158 00 30 97 19 7d a5 86 38 74 31 85 03 d3 dd e2 41 7d 5f b7 8c 92 1159 76 13 14 10 ea a9 2e 9e 8a f5 4e a0 92 86 7b 67 7d 64 4f 96 d8 1160 c5 fd 48 30 d1 70 dd 1b 3f 8a 85 17 ab ee 19 60 52 d8 e4 29 3d 1161 62 f0 3b 6d 29 b6 88 4b 7c 00 cc 5e 6c e7 ac 36 47 0e a7 00 2d 1162 00 02 01 01 00 15 00 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 1163 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1164 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1165 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1166 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1167 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1168 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1169 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1172 {server} extract secret "early": 1174 salt: (absent) 1176 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1177 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1179 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c 1180 e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 1182 {server} create an ephemeral P-256 key pair: 1184 private key (32 octets): b1 6d 06 d1 40 ff d5 a9 3b b1 bf 4d 58 1185 d7 3d 97 06 62 b9 a5 50 25 ca 63 bc b1 b4 f6 75 ac 73 15 1187 public key (65 octets): 04 89 cf b4 c1 91 61 f7 0e b1 5a 43 81 40 1188 02 13 53 46 37 bd b4 fe d0 20 a9 
2e 59 d9 58 10 ff eb e3 a8 dd 1189 bd f2 e2 cc 65 71 fe 17 df 28 3a 37 22 f1 23 f3 32 fc b0 cb 3d 1190 8b bb 9f 0b 65 e0 07 46 ae 1192 {server} send a ServerHello handshake message 1194 {server} derive secret for handshake "tls13 derived": 1196 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 1197 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 1199 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 1200 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1202 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 1203 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 1204 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1206 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 1207 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 1209 {server} extract secret "handshake": 1211 salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 1212 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 1214 ikm (32 octets): ba 1c d6 f8 aa 98 a2 de ff b7 ba bb 8e 52 4d 2f 1215 d3 e8 2d 5c ff 5d 7b e3 0a 20 80 ef 62 6a 92 b3 1217 secret (32 octets): 8e f8 e6 41 ab fd 33 02 a2 4a c0 03 d0 98 2a 1218 3e 6e ef cd 99 46 ed 19 82 b8 1b 4d e2 ab c8 7d e8 1220 {server} derive secret "tls13 c hs traffic": 1222 PRK (32 octets): 8e f8 e6 41 ab fd 33 02 a2 4a c0 03 d0 98 2a 3e 1223 6e ef cd 99 46 ed 19 82 b8 1b 4d e2 ab c8 7d e8 1225 hash (32 octets): 87 73 ef 3f d6 03 64 ff ab 64 c5 f1 66 f8 30 09 1226 c2 9e c6 70 16 76 e5 cc 60 b5 1a 2f 2a dd 9e 27 1228 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 1229 61 66 66 69 63 20 87 73 ef 3f d6 03 64 ff ab 64 c5 f1 66 f8 30 1230 09 c2 9e c6 70 16 76 e5 cc 60 b5 1a 2f 2a dd 9e 27 1232 output (32 octets): 1e af b2 10 3a c5 96 e5 a8 67 3e ae 2c 42 0c 1233 ff b2 d9 45 99 d9 00 08 94 0b db a8 8c a7 71 26 26 1235 {server} derive secret "tls13 s hs traffic": 1237 PRK (32 octets): 8e f8 e6 41 ab fd 33 02 a2 4a c0 03 d0 98 2a 3e 1238 6e ef cd 99 46 ed 19 82 b8 1b 4d e2 ab c8 7d e8 
1240 hash (32 octets): 87 73 ef 3f d6 03 64 ff ab 64 c5 f1 66 f8 30 09 1241 c2 9e c6 70 16 76 e5 cc 60 b5 1a 2f 2a dd 9e 27 1243 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 1244 61 66 66 69 63 20 87 73 ef 3f d6 03 64 ff ab 64 c5 f1 66 f8 30 1245 09 c2 9e c6 70 16 76 e5 cc 60 b5 1a 2f 2a dd 9e 27 1247 output (32 octets): 82 54 e1 25 3f 75 bf a5 bb 5c 4e f2 b1 bb 79 1248 73 e0 b7 b8 32 51 31 2b ce 86 30 8e a1 27 b5 52 e0 1250 {server} derive secret for master "tls13 derived": 1252 PRK (32 octets): 8e f8 e6 41 ab fd 33 02 a2 4a c0 03 d0 98 2a 3e 1253 6e ef cd 99 46 ed 19 82 b8 1b 4d e2 ab c8 7d e8 1255 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 1256 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1258 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 1259 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 1260 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1262 output (32 octets): 91 74 25 ca 4f 3e 40 22 e2 e6 bb 99 25 f2 f7 1263 08 e9 7c 1c 75 56 cd e8 63 52 1f 40 b3 c8 2f 49 36 1265 {server} extract secret "master": 1267 salt (32 octets): 91 74 25 ca 4f 3e 40 22 e2 e6 bb 99 25 f2 f7 08 1268 e9 7c 1c 75 56 cd e8 63 52 1f 40 b3 c8 2f 49 36 1270 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1271 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1273 secret (32 octets): 5f 5f 3a b7 4a c0 3b 74 79 0f 0f 40 33 f9 e9 1274 3c 18 44 95 ac 41 03 a9 f2 2d 43 d8 dc 57 86 a2 95 1276 {server} send handshake record: 1278 payload (123 octets): 02 00 00 77 03 03 eb 62 5e d0 a8 a3 3c 5f 1279 a3 c2 77 5a eb a4 c6 2a 4f 31 71 f2 ff ea e4 ea 53 38 27 30 41 1280 6f f7 3a 00 13 01 00 00 4f 00 28 00 45 00 17 00 41 04 89 cf b4 1281 c1 91 61 f7 0e b1 5a 43 81 40 02 13 53 46 37 bd b4 fe d0 20 a9 1282 2e 59 d9 58 10 ff eb e3 a8 dd bd f2 e2 cc 65 71 fe 17 df 28 3a 1283 37 22 f1 23 f3 32 fc b0 cb 3d 8b bb 9f 0b 65 e0 07 46 ae 00 2b 1284 00 02 7f 16 1286 ciphertext (128 octets): 16 03 03 00 7b 02 00 00 77 03 03 eb 62 
1287 5e d0 a8 a3 3c 5f a3 c2 77 5a eb a4 c6 2a 4f 31 71 f2 ff ea e4 1288 ea 53 38 27 30 41 6f f7 3a 00 13 01 00 00 4f 00 28 00 45 00 17 1289 00 41 04 89 cf b4 c1 91 61 f7 0e b1 5a 43 81 40 02 13 53 46 37 1290 bd b4 fe d0 20 a9 2e 59 d9 58 10 ff eb e3 a8 dd bd f2 e2 cc 65 1291 71 fe 17 df 28 3a 37 22 f1 23 f3 32 fc b0 cb 3d 8b bb 9f 0b 65 1292 e0 07 46 ae 00 2b 00 02 7f 16 1294 {server} send a EncryptedExtensions handshake message 1295 {server} send a Certificate handshake message 1297 {server} send a CertificateVerify handshake message 1299 {server} calculate finished "tls13 finished": 1301 PRK (32 octets): 82 54 e1 25 3f 75 bf a5 bb 5c 4e f2 b1 bb 79 73 1302 e0 b7 b8 32 51 31 2b ce 86 30 8e a1 27 b5 52 e0 1304 hash (0 octets): (empty) 1306 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 1307 64 00 1309 output (32 octets): a3 3a 40 a0 16 61 06 92 2f 96 9d 66 28 69 0e 1310 ad 71 29 6b 1c 9f 44 14 64 e8 f4 c4 c2 33 14 10 15 1312 {server} send a Finished handshake message 1314 {server} send handshake record: 1316 payload (639 octets): 08 00 00 12 00 10 00 0a 00 08 00 06 00 17 1317 00 18 00 1d 00 00 00 00 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82 1318 01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 1319 86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 1320 72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17 1321 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06 1322 03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7 1323 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f 1324 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 1325 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1326 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52 1327 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74 1328 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 1329 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 1330 01 
00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 1331 03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 1332 01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 1333 72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea 1334 e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 1335 51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be 1336 c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1337 1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 1338 96 12 29 ac 91 87 b4 2b 4d e1 00 00 0f 00 00 84 08 04 00 80 96 1339 ac 87 45 e8 60 64 a1 18 d3 35 75 88 1c c7 db 99 b7 ad 5c f6 42 1340 04 2f 0c 6a 4c 65 42 d6 15 3e f7 b4 71 2d 9f 9f 7c 16 7a 9c fe 1341 1b 9f 7a e7 41 4b ff 4c d1 3c dd 81 1d ce 07 ce 22 7b f2 ec 74 1342 38 e9 22 6e 7d da 00 0e f8 34 85 60 ed 21 6b 28 a8 bc 6d b6 10 1343 3c aa 96 00 d8 84 7c a6 f0 ea 40 64 da 4f 7d 6d c7 b5 98 ff 54 1344 36 a0 4e 01 7d e3 2c 12 eb f3 2e 55 3b e2 60 3e 0f 63 20 63 42 1345 b8 14 00 00 20 a4 98 49 23 dd 33 35 94 bd 90 4b 9e 80 1b c1 88 1346 73 31 57 ba 4b 16 c7 62 cd a9 f6 f3 0f e9 a6 88 1348 ciphertext (661 octets): 17 03 03 02 90 11 09 c2 d4 04 4a ea 1f 1349 e6 a7 d0 e1 52 4a 86 e6 b3 fd 43 3a 4a 86 8a 8c 10 1a 58 ab b3 1350 38 1e 66 c6 9a bc b0 0d c0 ba d7 b4 9c c3 24 55 aa 28 c8 e5 13 1351 13 a0 9b 4f 19 fc 3c b9 9b 35 5e 8a 4a fc 74 84 c4 c6 d4 de 32 1352 d5 75 01 4c 53 71 48 ce 7d df 31 d9 3a f5 fb f1 ac dd b8 c7 13 1353 32 e7 ce d7 7a 2f 4d e0 16 dd 98 5a 2c ec 06 8a e2 49 fd a9 bc 1354 a4 d7 23 19 5a df d8 b8 03 95 00 e9 e1 d6 c6 01 20 6a 6a 85 33 1355 56 1a ab ca f5 cc f2 e2 b7 c5 9e 74 75 1a 41 ca 95 15 03 26 a8 1356 f2 25 56 7f bb 9f ad 99 39 b6 d6 ca a2 47 90 05 d9 4b b8 95 18 1357 ca 63 84 cf 66 dd 97 36 2f 8c 40 13 26 d4 22 d5 3f bd 68 1b 14 1358 09 16 ec 14 31 45 32 49 04 dd 7f 63 26 96 81 a1 36 f2 e6 15 f4 1359 7e e9 e3 2a a3 25 2e 0c 3b 1d 47 a9 92 63 50 b4 98 5b 96 51 ef 1360 c5 14 80 09 61 6d 75 df dd e9 33 1f e2 ae e5 
44 c4 a1 40 10 2a 1361 db c1 12 d4 45 1e 1b 90 46 02 9e 71 b9 36 60 49 c9 ac aa 36 82 1362 79 f0 dc 27 00 bb 15 1d 96 6d 2d 71 a7 55 44 6a 74 9f 3f fb 2b 1363 10 11 0d 2f 9d c2 1e f7 1d b7 2b 53 ae 2b a8 70 70 f2 79 15 b8 1364 a3 4a 4c 92 03 70 36 3b f7 75 98 a8 99 3d 6d 97 45 53 f7 6a 83 1365 dd e2 a5 5c 30 10 ed bf 86 ec 45 6c 5e 12 f4 fb 28 3f d5 25 e2 1366 2b f8 4e 28 03 41 9a 1f 5c 0d 83 7c e5 bc b1 8c 36 18 06 35 c1 1367 d3 28 30 f4 af f6 60 7a 72 81 1e 4e 19 02 b1 c0 88 4e 3c 97 dd 1368 44 3f 69 5e e3 fe 76 db 3e cc d4 36 ae 87 0f 7f 1d b1 3e 00 cc 1369 41 9c c4 5a 44 69 29 92 c2 e1 62 41 fb 31 d4 ed e3 95 77 2b 31 1370 fd e3 cc 4d b3 27 64 0f 48 d8 3f 63 5f 95 be f6 7f b3 60 c3 c9 1371 8e db d6 ae 57 4f ae d0 dc 59 38 20 b2 48 3e 6f 2d ae 39 51 5d 1372 9c 54 b9 d1 66 5a 7c ac 02 16 fa 32 55 0a a4 46 a5 e3 7c 9d af 1373 54 ed 38 71 39 eb 85 47 cc 53 13 7b 02 37 4b 4a 03 4d 38 18 69 1374 57 81 da 2a 23 ec 82 b5 81 98 3d 69 5b 84 37 94 07 cc 87 dc 85 1375 4e 0d 06 3e 6d 62 d2 3c 97 97 5e 91 7d b6 d5 21 82 83 a2 e8 15 1376 16 43 37 5f 0b a1 84 59 91 ed 6f 40 9a 68 31 b5 7a 1c 5d dd 88 1377 fe b6 e9 cc 66 ee 1f 3c 28 60 f6 1d f0 f8 1e bb 3b 0a 87 2d 0c 1378 2d 00 ae 84 44 5f 47 89 31 7d 02 e1 b6 75 a8 db cc 45 66 34 28 1379 95 ff 20 77 d8 9d 20 2d 86 43 22 be 4c c6 b3 f0 bf df 1381 {server} derive secret "tls13 c ap traffic": 1383 PRK (32 octets): 5f 5f 3a b7 4a c0 3b 74 79 0f 0f 40 33 f9 e9 3c 1384 18 44 95 ac 41 03 a9 f2 2d 43 d8 dc 57 86 a2 95 1386 hash (32 octets): 62 05 ce 54 b4 21 f2 e9 c4 2e ed 68 3d 19 12 89 1387 cd 9b 1f 9a 84 4d 94 c2 3e 95 b8 94 cc 4e 8a 42 1389 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 1390 61 66 66 69 63 20 62 05 ce 54 b4 21 f2 e9 c4 2e ed 68 3d 19 12 1391 89 cd 9b 1f 9a 84 4d 94 c2 3e 95 b8 94 cc 4e 8a 42 1393 output (32 octets): de 2e 40 35 e0 1c 52 ea e4 d5 b8 b3 46 50 c3 1394 32 04 53 6b 07 03 09 21 e4 31 95 37 b4 a0 90 1e e0 1396 {server} derive secret "tls13 s ap traffic": 1398 PRK (32 octets): 5f 5f 3a 
b7 4a c0 3b 74 79 0f 0f 40 33 f9 e9 3c 1399 18 44 95 ac 41 03 a9 f2 2d 43 d8 dc 57 86 a2 95 1401 hash (32 octets): 62 05 ce 54 b4 21 f2 e9 c4 2e ed 68 3d 19 12 89 1402 cd 9b 1f 9a 84 4d 94 c2 3e 95 b8 94 cc 4e 8a 42 1404 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 1405 61 66 66 69 63 20 62 05 ce 54 b4 21 f2 e9 c4 2e ed 68 3d 19 12 1406 89 cd 9b 1f 9a 84 4d 94 c2 3e 95 b8 94 cc 4e 8a 42 1408 output (32 octets): 14 ff 87 2f 92 e2 e2 5c c2 18 e0 15 bf db f7 1409 b9 1d b3 42 c7 20 00 e2 bd 1d 5c 08 06 d7 56 ab 4d 1411 {server} derive secret "tls13 exp master": 1413 PRK (32 octets): 5f 5f 3a b7 4a c0 3b 74 79 0f 0f 40 33 f9 e9 3c 1414 18 44 95 ac 41 03 a9 f2 2d 43 d8 dc 57 86 a2 95 1416 hash (32 octets): 62 05 ce 54 b4 21 f2 e9 c4 2e ed 68 3d 19 12 89 1417 cd 9b 1f 9a 84 4d 94 c2 3e 95 b8 94 cc 4e 8a 42 1419 info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 1420 74 65 72 20 62 05 ce 54 b4 21 f2 e9 c4 2e ed 68 3d 19 12 89 cd 1421 9b 1f 9a 84 4d 94 c2 3e 95 b8 94 cc 4e 8a 42 1423 output (32 octets): 10 9f ba 7b bc 8d 86 f3 f8 56 bf d6 a1 0e f3 1424 c2 fb f6 8c 6e 06 70 1b ab 97 6b a8 0c bf 00 12 d5 1426 {client} extract secret "early": 1428 salt: (absent) 1430 ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1431 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1433 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c 1434 e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 1436 {client} derive secret for handshake "tls13 derived": 1438 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 1439 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 1441 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 1442 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1444 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 1445 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 1446 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1448 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 
fc 9d ba b6
         97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {client} extract secret "handshake":

      salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      ikm (32 octets): ba 1c d6 f8 aa 98 a2 de ff b7 ba bb 8e 52 4d 2f
         d3 e8 2d 5c ff 5d 7b e3 0a 20 80 ef 62 6a 92 b3

      secret (32 octets): 8e f8 e6 41 ab fd 33 02 a2 4a c0 03 d0 98 2a
         3e 6e ef cd 99 46 ed 19 82 b8 1b 4d e2 ab c8 7d e8

   {client} derive secret "tls13 c hs traffic" (same as server)

   {client} derive secret "tls13 s hs traffic" (same as server)

   {client} derive secret for master "tls13 derived" (same as server)

   {client} extract secret "master" (same as server)

   {client} calculate finished "tls13 finished" (same as server)

   {client} derive secret "tls13 c ap traffic" (same as server)

   {client} derive secret "tls13 s ap traffic" (same as server)

   {client} derive secret "tls13 exp master" (same as server)

   {client} calculate finished "tls13 finished":

      PRK (32 octets): 1e af b2 10 3a c5 96 e5 a8 67 3e ae 2c 42 0c ff
         b2 d9 45 99 d9 00 08 94 0b db a8 8c a7 71 26 26

      hash (0 octets): (empty)

      info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets): 19 3b 17 c6 19 fb 94 85 1f 97 91 db 7b 9a 9e
         03 9d 4f 81 96 9a 93 71 02 06 4b 45 a3 be e9 a3 12

   {client} send a Finished handshake message

   {client} send handshake record:

      payload (36 octets): 14 00 00 20 3c 9c 63 c4 72 e5 d6 ab 04 4d 14
         59 2e 5a d8 a2 ef 4c 1d 70 f7 f7 7a 13 3c 8d cc fc 05 a6 df 52

      ciphertext (58 octets): 17 03 03 00 35 cd db d8 39 c3 4d 8d b2 a1
         fc 58 5e 55 78 f6 5f ec 70 81 d6 95 00 88 09 02 5c 0c 9d 4f 87
         5a f9 e7 10 d7 52 a2 0a 3d 2c 59 86 7e 92 6e b4 39 52 e2 8f 91
         83 da

   {client} derive secret "tls13 res master":

      PRK (32 octets): 5f 5f 3a b7 4a c0 3b 74 79 0f 0f 40 33 f9 e9 3c
         18 44 95 ac 41 03 a9 f2 2d 43 d8 dc 57 86 a2 95

      hash (32 octets): cb 0c c7 bc 35 ef 49 7c be e7 ea fa 2b ff a2 2f
         8d a5 b8 28 5e 83 35 48 0c 33 65 81 32 22 2c c2

      info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73
         74 65 72 20 cb 0c c7 bc 35 ef 49 7c be e7 ea fa 2b ff a2 2f 8d
         a5 b8 28 5e 83 35 48 0c 33 65 81 32 22 2c c2

      output (32 octets): 18 8c 90 bc 6f a9 7a 8d d5 55 1d 80 b1 ae 18
         42 4c f3 e2 f6 90 bc 70 54 e3 6b 33 3f 17 30 17 f3

   {server} calculate finished "tls13 finished" (same as client)

   {server} derive secret "tls13 res master" (same as client)

   {client} send alert record:

      payload (2 octets): 01 00

      ciphertext (24 octets): 17 03 03 00 13 93 21 5e 8c f7 98 69 b6 9a
         28 57 8f 90 f4 c6 94 6e 5c 9b

   {server} send alert record:

      payload (2 octets): 01 00

      ciphertext (24 octets): 17 03 03 00 13 4a b5 80 73 c0 a8 93 de 17
         76 47 6d ec d2 5e 97 84 e3 d1

6. Client Authentication

   In this example, the server requests client authentication. The
   client uses a certificate with an RSA key, the server uses an ECDSA
   certificate with a P-256 key.

   {client} create an ephemeral x25519 key pair:

      private key (32 octets): a4 0d c1 93 0c 00 af 0e 9d 3b c2 6c f9
         0f 5e ee 7d ba 97 17 1f 53 2b 71 7f ef bf bf 87 08 38 c9

      public key (32 octets): d5 dd 20 0f ad 08 39 7b 40 f3 e6 14 45 24
         0c 75 78 5e b2 e5 0b 72 7c 5a 04 91 64 0d c1 2c 3a 0e

   {client} send a ClientHello handshake message

   {client} send handshake record:

      payload (186 octets): 01 00 00 b6 03 03 a3 ce 03 a9 0c 76 17 79
         2d ee d9 6e 55 b1 6a b8 fc 10 91 2c 67 f3 3d db d1 50 b3 25 d5
         ca d6 58 00 00 06 13 01 13 03 13 02 01 00 00 87 00 00 00 0b 00
         09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12
         00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 28 00
         26 00 24 00 1d 00 20 d5 dd 20 0f ad 08 39 7b 40 f3 e6 14 45 24
         0c 75 78 5e b2 e5 0b 72 7c 5a 04 91 64 0d c1 2c 3a 0e 00 2b 00
         03 02 7f 16 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08
         05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d
         00 02 01 01

      ciphertext (191 octets): 16 03 01 00 ba 01 00 00 b6 03 03 a3 ce
         03 a9 0c 76 17 79 2d ee d9 6e 55 b1 6a b8 fc 10 91 2c 67 f3 3d
         db d1 50 b3 25 d5 ca d6 58 00 00 06 13 01 13 03 13 02 01 00 00
         87 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00
         00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01
         03 01 04 00 28 00 26 00 24 00 1d 00 20 d5 dd 20 0f ad 08 39 7b
         40 f3 e6 14 45 24 0c 75 78 5e b2 e5 0b 72 7c 5a 04 91 64 0d c1
         2c 3a 0e 00 2b 00 03 02 7f 16 00 0d 00 20 00 1e 04 03 05 03 06
         03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02
         06 02 02 02 00 2d 00 02 01 01

   {server} extract secret "early":

      salt: (absent)

      ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

   {server} create an ephemeral x25519 key pair:

      private key (32 octets): 01 f2 df a3 5d 2f f7 47 3c b2 b2 85 25
         74 2d a0 58 a0 35 c7 f8 21 bc 86 bf c2 11 72 16 be cc aa

      public key (32 octets): b5 89 13 10 62 da ed c2 12 1b b7 5c 36 88
         0b 71 12 c1 96 7f fe 17 db 5f a7 ef ef 22 90 90 1e 3d

   {server} send a ServerHello handshake message

   {server} derive secret for handshake "tls13 derived":

      PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {server} extract secret "handshake":

      salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      ikm (32 octets): 94 2f 83 fa ee 2f ad ad 24 2e eb fb c7 a6 6d 5e
         c7 71 04 b1 3c d4 97 e0 b1 0d 9d 70 69 1d e8 6a

      secret (32 octets): 53 d7 91 87 9a 6b 33 f3 86 45 35 3b 3e 03 49
         e5 e0 88 e4 0b 6c 37 00 12 0c 80 04 25 d3 d5 e9 9f

   {server} derive secret "tls13 c hs traffic":

      PRK (32 octets): 53 d7 91 87 9a 6b 33 f3 86 45 35 3b 3e 03 49 e5
         e0 88 e4 0b 6c 37 00 12 0c 80 04 25 d3 d5 e9 9f

      hash (32 octets): 7a a6 f3 63 a4 49 35 45 a9 31 9b da 72 05 59 8c
         e1 5c bc 83 48 40 ce 04 c0 0e 8f 96 0b 27 80 7b

      info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72
         61 66 66 69 63 20 7a a6 f3 63 a4 49 35 45 a9 31 9b da 72 05 59
         8c e1 5c bc 83 48 40 ce 04 c0 0e 8f 96 0b 27 80 7b

      output (32 octets): e8 d4 bb 93 8c a3 de 6d 1d 7c 78 01 a5 57 20
         aa df cd 34 2d c8 a4 47 04 1d 21 7c 83 c8 df f3 94

   {server} derive secret "tls13 s hs traffic":

      PRK (32 octets): 53 d7 91 87 9a 6b 33 f3 86 45 35 3b 3e 03 49 e5
         e0 88 e4 0b 6c 37 00 12 0c 80 04 25 d3 d5 e9 9f

      hash (32 octets): 7a a6 f3 63 a4 49 35 45 a9 31 9b da 72 05 59 8c
         e1 5c bc 83 48 40 ce 04 c0 0e 8f 96 0b 27 80 7b

      info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
         61 66 66 69 63 20 7a a6 f3 63 a4 49 35 45 a9 31 9b da 72 05 59
         8c e1 5c bc 83 48 40 ce 04 c0 0e 8f 96 0b 27 80 7b

      output (32 octets): 8b fc e8 b0 11 4e ac cd 83 64 68 b5 e4 60 30
         fd 32 1c 37 20 7a 41 cd 22 66 4f 56 53 14 f2 1e 05

   {server} derive secret for master "tls13 derived":

      PRK (32 octets): 53 d7 91 87 9a 6b 33 f3 86 45 35 3b 3e 03 49 e5
         e0 88 e4 0b 6c 37 00 12 0c 80 04 25 d3 d5 e9 9f

      hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets): 6f d8 3c 95 03 f0 45 fb a0 08 69 a3 23 22 28
         0f 38 85 3f cd 95 15 f1 3c e5 09 60 f0 e6 00 24 84

   {server} extract secret "master":

      salt (32 octets): 6f d8 3c 95 03 f0 45 fb a0 08 69 a3 23 22 28 0f
         38 85 3f cd 95 15 f1 3c e5 09 60 f0 e6 00 24 84

      ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets): 86 05 00 52 9e e3 a6 0a 26 44 3e 62 2a 4c 00
         0a b3 ff 0d ea 05 05 5c c3 ed f3 bf 01 f7 11 db ba

   {server} send handshake record:

      payload (90 octets): 02 00 00 56 03 03 0b 21 fe 7a 05 5c 66 77 67
         7b 21 e0 7d fc 22 f9 65 92 1c 5c 3e 0c c8 85 b1 71 5e 2e 01 a8
         91 3d 00 13 01 00 00 2e 00 28 00 24 00 1d 00 20 b5 89 13 10 62
         da ed c2 12 1b b7 5c 36 88 0b 71 12 c1 96 7f fe 17 db 5f a7 ef
         ef 22 90 90 1e 3d 00 2b 00 02 7f 16

      ciphertext (95 octets): 16 03 03 00 5a 02 00 00 56 03 03 0b 21 fe
         7a 05 5c 66 77 67 7b 21 e0 7d fc 22 f9 65 92 1c 5c 3e 0c c8 85
         b1 71 5e 2e 01 a8 91 3d 00 13 01 00 00 2e 00 28 00 24 00 1d 00
         20 b5 89 13 10 62 da ed c2 12 1b b7 5c 36 88 0b 71 12 c1 96 7f
         fe 17 db 5f a7 ef ef 22 90 90 1e 3d 00 2b 00 02 7f 16

   {server} send a EncryptedExtensions handshake message

   {server} send a CertificateRequest handshake message

   {server} send a Certificate handshake message

   {server} send a CertificateVerify handshake message

   {server} calculate finished "tls13 finished":

      PRK (32 octets): 8b fc e8 b0 11 4e ac cd 83 64 68 b5 e4 60 30 fd
         32 1c 37 20 7a 41 cd 22 66 4f 56 53 14 f2 1e 05

      hash (0 octets): (empty)

      info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets): 23 48 7f 1e 47 29 a3 ef 3d fb e1 61 bd 0c d1
         c0 42 51 86 74 be 62 54 5b f1 62 25 7a d7 d9 4e 9d

   {server} send a Finished handshake message

   {server} send handshake record:

      payload (512 octets): 08 00 00 1e 00 1c 00 0a 00 14 00 12 00 1d
         00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 0d
         00 00 27 00 00 24 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08
         04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02
         0b 00 01 3b 00 00 01 37 00 01 32 30 82 01 2e 30 81 d5 a0 03 02
         01 02 02 01 07 30 0a 06 08 2a 86 48 ce 3d 04 03 02 30 13 31 11
         30 0f 06 03 55 04 03 13 08 65 63 64 73 61 32 35 36 30 1e 17 0d
         31 36 30 37 33 30 30 31 32 34 30 30 5a 17 0d 32 36 30 37 33 30
         30 31 32 34 30 30 5a 30 13 31 11 30 0f 06 03 55 04 03 13 08 65
         63 64 73 61 32 35 36 30 59 30 13 06 07 2a 86 48 ce 3d 02 01 06
         08 2a 86 48 ce 3d 03 01 07 03 42 00 04 08 d5 30 16 15 75 f4 cf
         e7 f1 54 ee 34 48 18 00 86 00 1e 88 43 1a 79 ee 62 ee 6e 2f 83
         ef 38 ba 61 e9 fb 37 f3 4e 00 7a 7d f4 d2 f5 b5 6d 1f 04 ec e4
         5d 62 1f 46 84 06 f5 c3 a1 51 58 94 8d d0 a3 1a 30 18 30 09 06
         03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 07 80
         30 0a 06 08 2a 86 48 ce 3d 04 03 02 03 48 00 30 45 02 21 00 df
         30 fd 45 07 f5 ed d2 2c 1a 6f f8 6d b4 79 ca 69 3f ee ca 3b 71
         b3 f9 ef 55 6b 29 37 c0 59 4d 02 20 62 e2 a4 72 50 d3 20 fe a8
         3c 7e 2d cb 5b 76 a5 0e 02 00 c0 9a db d1 3f ee 94 6e 51 3e 01
         1d 11 00 00 0f 00 00 4c 04 03 00 48 30 46 02 21 00 f7 46 ae b2
         e0 10 2f 37 94 0d d8 90 2b 0a 80 63 33 b7 63 69 06 28 9b ae f0
         a9 7d 92 12 ab 14 30 02 21 00 a7 81 31 62 2d 82 7b ce 23 d5 04
         c7 f8 1e 2a 78 d7 fb d6 59 fa 09 e1 e7 4c 5a 74 b9 b0 e5 5f 3e
         14 00 00 20 c6 c0 d6 02 f0 3c e5 92 6c 9e 53 05 04 a0 0a 5f d5
         40 97 5d de c4 6a fd 8a 18 fa 20 85 17 08 d6

      ciphertext (534 octets): 17 03 03 02 11 17 bf 02 f6 e5 be bf f8
         97 3f de b8 5f 0c cd 77 d7 5e 02 12 69 d8 47 5d 82 a4 26 74 bf
         e3 6c c7 a2 89 6f 63 42 3a aa 5f e2 b2 f8 96 6a 85 61 cb 25 f4
         c4 e2 8e c2 df 74 64 85 cf 64 fd f4 28 e6 fb c9 02 49 89 3a 62
         a8 15 c5 7a f9 8d 03 73 44 4f 90 85 40 1c e2 5f 4b fb 30 e9 99
         85 6a b0 eb 87 70 ef b0 1a cb 7e 30 c3 be d5 3d a3 03 32 b7 dc
         1b 31 78 89 49 a8 05 71 4a 06 81 75 4b 41 d4 57 93 c8 b8 28 29
         b1 9f 6a fa ea b5 bc c1 78 3d 0b 5e 39 63 03 67 7e fc 73 26 5a
         2c 0c cc 07 02 6f e0 98 46 3b 7e e1 d7 c7 e9 81 ff 7c 89 61 d0
         9d e7 fc be 92 77 98 25 98 a5 e9 0f 53 3a 23 5e 1a e3 81 01 fc
         87 07 69 3e c3 ff 90 47 75 52 87 91 74 65 d3 a6 44 12 2c 73 6c
         1f e5 98 a2 a9 45 87 c3 d2 4f b8 6a d2 18 97 2d 99 38 c0 89 42
         ce 28 64 20 db a4 3a 39 84 46 55 5f 3b 12 d0 84 5b e9 c8 fe 0c
         8d 71 f6 99 97 b7 08 b7 51 9c 7b 78 70 98 5d ad 45 89 40 a5 8f
         e4 1a 93 be 45 1f 31 08 42 7a d7 fd 3a 6f 27 ef e0 9f 35 d4 ad
         b3 a5 61 b3 41 87 ad 07 59 90 ac a8 b1 4c ec 21 cd c3 1b 78 e8
         bb b8 e0 30 d7 f7 c8 0c 56 dc 7c 2f f8 b5 53 0f 95 8c 0f ab 81
         3b c8 3e b3 d7 a9 72 5d 36 0f b2 d8 33 7c df c9 3c b3 d7 ed ea
         ea 75 75 cd cc 43 64 a1 a9 f2 19 e4 ae a9 3c c0 6e 2a 31 51 a8
         c7 f0 ef 15 16 a2 fd 34 1a bf b5 b3 9f 32 7c 6b 31 54 33 6e 5c
         6e 94 ed 2c c2 ca 95 ff 69 d4 25 48 3c 63 d2 a4 04 60 b0 03 c0
         4a b6 f5 bf 0e dc 3c 4e 66 21 a7 6f ff ff 1a 4d ae 84 7b 17 b8
         e5 ea 2b b5 47 e0 5f e3 8a 0f dc 63 78 fd cf 45 5c b9 92 17 8f
         e6 12 9d bd a3 49 a4 c5 6c d3 1e 04 ab bc 4c 5d 2d f5 0d 0c 06
         04 75 ec 11 8b 0e 3d 82 f0 79 cb 5e ec 44 1f c1 f1 78 88 db f7
         9b 04 f4 fa 89 39 ab be 4f 65 c4 b6 26 43 5c c8 dc

   {server} derive secret "tls13 c ap traffic":

      PRK (32 octets): 86 05 00 52 9e e3 a6 0a 26 44 3e 62 2a 4c 00 0a
         b3 ff 0d ea 05 05 5c c3 ed f3 bf 01 f7 11 db ba

      hash (32 octets): 35 56 64 82 3a 07 6c 67 8f 60 11 3d f2 c4 fa 18
         3e 44 c0 0b 0a 94 38 c7 93 d2 96 e9 2a 76 e3 06

      info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72
         61 66 66 69 63 20 35 56 64 82 3a 07 6c 67 8f 60 11 3d f2 c4 fa
         18 3e 44 c0 0b 0a 94 38 c7 93 d2 96 e9 2a 76 e3 06

      output (32 octets): 49 94 c4 1b d3 5f 90 84 9c da c8 1c ee eb 48
         cf 0a 25 08 9c da 15 66 d0 c8 51 ce 42 67 55 0e 42

   {server} derive secret "tls13 s ap traffic":

      PRK (32 octets): 86 05 00 52 9e e3 a6 0a 26 44 3e 62 2a 4c 00 0a
         b3 ff 0d ea 05 05 5c c3 ed f3 bf 01 f7 11 db ba

      hash (32 octets): 35 56 64 82 3a 07 6c 67 8f 60 11 3d f2 c4 fa 18
         3e 44 c0 0b 0a 94 38 c7 93 d2 96 e9 2a 76 e3 06

      info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72
         61 66 66 69 63 20 35 56 64 82 3a 07 6c 67 8f 60 11 3d f2 c4 fa
         18 3e 44 c0 0b 0a 94 38 c7 93 d2 96 e9 2a 76 e3 06

      output (32 octets): 04 94 45 e6 ca b5 c5 4c 87 af 8a d9 c9 4f c1
         28 14 f5 4c 22 bb c4 6a 08 5e 9e 3f 55 91 1e 77 0c

   {server} derive secret "tls13 exp master":

      PRK (32 octets): 86 05 00 52 9e e3 a6 0a 26 44 3e 62 2a 4c 00 0a
         b3 ff 0d ea 05 05 5c c3 ed f3 bf 01 f7 11 db ba

      hash (32 octets): 35 56 64 82 3a 07 6c 67 8f 60 11 3d f2 c4 fa 18
         3e 44 c0 0b 0a 94 38 c7 93 d2 96 e9 2a 76 e3 06

      info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73
         74 65 72 20 35 56 64 82 3a 07 6c 67 8f 60 11 3d f2 c4 fa 18 3e
         44 c0 0b 0a 94 38 c7 93 d2 96 e9 2a 76 e3 06

      output (32 octets): 84 69 2c 16 37 b0 91 ce 55 73 7a bc e2 46 9b
         74 5c f4 77 80 ea d7 68 be 99 35 59 2c 16 0d 0d 57

   {client} extract secret "early":

      salt: (absent)

      ikm (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

   {client} derive secret for handshake "tls13 derived":

      PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {client} extract secret "handshake":

      salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      ikm (32 octets): 94 2f 83 fa ee 2f ad ad 24 2e eb fb c7 a6 6d 5e
         c7 71 04 b1 3c d4 97 e0 b1 0d 9d 70 69 1d e8 6a

      secret (32 octets): 53 d7 91 87 9a 6b 33 f3 86 45 35 3b 3e 03 49
         e5 e0 88 e4 0b 6c 37 00 12 0c 80 04 25 d3 d5 e9 9f

   {client} derive secret "tls13 c hs traffic" (same as server)

   {client} derive secret "tls13 s hs traffic" (same as server)

   {client} derive secret for master "tls13 derived" (same as server)

   {client} extract secret "master" (same as server)

   {client} calculate finished "tls13 finished" (same as server)

   {client} derive secret "tls13 c ap traffic" (same as server)

   {client} derive secret "tls13 s ap traffic" (same as server)

   {client} derive secret "tls13 exp master" (same as server)

   {client} send a Certificate handshake message

   {client} send a CertificateVerify handshake message

   {client} calculate finished "tls13 finished":

      PRK (32 octets): e8 d4 bb 93 8c a3 de 6d 1d 7c 78 01 a5 57 20 aa
         df cd 34 2d c8 a4 47 04 1d 21 7c 83 c8 df f3 94

      hash (0 octets): (empty)

      info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets): 03 c1 ff eb e1 ec af c1 16 94 42 a3 5f b7 8c
         4a f4 3d 55 4e c8 5b 94 ae 3f e9 18 3f 54 55 f1 84

   {client} send a Finished handshake message

   {client} send handshake record:

      payload (623 octets): 0b 00 01 bf 00 00 01 bb 00 01 b6 30 82 01
         b2 30 82 01 1b a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86
         f7 0d 01 01 0b 05 00 30 11 31 0f 30 0d 06 03 55 04 03 13 06 63
         6c 69 65 6e 74 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39
         5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 11 31 0f 30
         0d 06 03 55 04 03 13 06 63 6c 69 65 6e 74 30 81 9f 30 0d 06 09
         2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81
         00 c3 81 75 e0 04 a6 8d 09 3f 82 3b 9c 37 9d 20 1f bc 0b b7 a1
         c7 91 90 5e 3f bf 76 84 7e 44 e7 51 eb bc d3 60 bd 94 5c 81 e5
         22 2b cc 88 46 d3 a8 a0 f9 3e 9b f5 be ba bd 92 ed f1 de 1f f1
         90 21 70 3e 7a b6 c0 90 15 13 f9 7e 39 b1 11 f0 9c 93 48 97 1c
         7b 21 19 84 a7 54 cd 45 fe 09 5a f0 ea 42 36 82 9b cc f7 a7 fe
         9b 28 88 e7 8a b4 77 69 0a 5b 9e 1c cb e9 1c 6a 4a 0f 97 a7 e0
         28 42 01 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02
         30 00 30 0b 06 03 55 1d 0f 04 04 03 02 07 80 30 0d 06 09 2a 86
         48 86 f7 0d 01 01 0b 05 00 03 81 81 00 1a 7a 5a 01 85 32 b0 22
         af 07 67 d4 86 16 0c ff 2d 16 7a 19 15 d2 38 35 b5 45 94 91 6d
         c6 80 be 5d 2e 62 60 76 c5 d5 27 22 eb cc 77 5d 7d 99 f9 80 be
         2f c9 4d 34 ac f6 cc 00 ba 90 cb cf b0 60 8a a1 e7 e3 97 1e f0
         c0 7a 41 d4 7a d8 34 5d 1f 81 fe 41 8a 1c f4 10 54 42 9f d2 17
         bd 77 7d c1 cf 08 f0 5d f9 07 99 c6 59 36 1e 0f 1a 8e e4 ac 0f
         78 97 42 0b db c8 23 da 80 a2 f2 ba 23 08 1c 00 00 0f 00 00 84
         08 04 00 80 84 10 d9 4d 75 9a c5 a1 87 9c 61 71 49 48 04 09 7f
         9d 94 6f 41 e0 02 2a 66 ee 8e 0d 3b bc f4 37 c2 6f db cb 1d b6
         69 45 94 f9 01 71 82 e2 80 5c 1a 68 24 e1 06 d1 86 dd 42 37 53
         60 89 14 3d 06 12 ec 33 08 50 2c d5 a1 54 3e 82 fb 9d b5 58 7e
         54 07 6e 18 7a d6 ad 9b 89 35 42 a7 54 1d f0 47 49 7f fb 6c e2
         5d df f8 fd e7 ed 8a 67 98 f2 b7 de 1f a8 d9 f9 67 76 15 3a 3d
         01 9c 5a cc af 97 14 00 00 20 49 3e e4 87 b7 fc 2b f5 19 b7 cd
         2b 6b 33 b5 0f 5b e6 d5 23 37 a4 96 2e 39 d0 ec 13 92 f0 76 80

      ciphertext (645 octets): 17 03 03 02 80 4d 75 ab 8f 1d 72 06 a6
         3e 00 ac cd 41 c6 aa d6 3f e1 4d df 20 42 8f 59 68 d7 fc 60 61
         2f d2 5f f6 49 ae 82 c6 2e 3b 1e 6b 0d 07 d4 26 ae d4 3f a8 1f
         c2 76 15 43 92 5d 9a 8c 53 57 b2 0d 5d f1 7d fe 67 7d 8f df 7c
         b3 5f 07 48 02 a0 c5 5a 12 31 de a8 d4 27 1d fa 5f 5d 65 21 a4
         f4 67 c4 78 5d b0 54 1d f1 fb 84 8f 8b 01 e6 8d cb 9c 63 a3 86
         3a 6b d3 e8 8d b5 a3 67 34 53 2d f3 68 b0 f5 7a 12 b5 65 94 b2
         e1 6b 69 4e 5c e6 c1 e6 f3 ab 6f 1f a0 a9 f5 40 e3 80 2d 6b f2
         4f eb e4 2b 72 1f 13 ab 80 90 f1 54 e4 14 54 72 f9 1b 9a fe d6
         c5 b4 51 39 7e a0 fd 19 8c 04 48 af 73 44 42 91 57 43 11 53 4d
         22 91 07 65 9b 88 00 5c f0 51 db 32 70 83 44 4c 2c 00 14 e9 22
         a2 bd 94 a2 c9 d8 40 70 7b 4c 76 0c 56 ff 09 36 b1 b7 ad 8c 76
         f7 bf c2 dc 8b 75 19 d2 29 ad 7b a5 6d 0a 16 12 d0 56 f8 78 da
         5a b9 91 c9 ce 3d d0 44 62 8c 5a 0f ab 4d 51 14 af 7f 95 7e f1
         f5 27 05 6b 5d 16 0e 8b b2 ad 6d b0 a9 3b e2 3c 5f 68 7e 0a 28
         ec 76 32 a2 1f 24 4f 9e ac 1d 04 4f f9 2d 3c 1f b1 8e f8 1a bb
         cf 38 08 24 d4 cb 1c e4 51 7a d6 c1 45 f0 56 8b 41 b9 36 26 65
         68 ac 23 1e c9 48 eb b3 32 1f 5f b0 14 36 21 af 9b 3c e7 51 7b
         08 88 e0 71 c6 17 4b 7b 05 a7 bf ce a2 d9 e2 50 16 1a f7 0f 93
         73 a9 c2 fc 2d 41 06 85 52 38 bc 54 f0 78 40 6c 75 82 7a 46 1e
         c2 c3 59 19 f6 75 16 44 fd ce b6 11 31 3e f5 57 09 b5 2b 32 69
         24 12 32 92 d1 bd 9d 1d 19 2f 6d 4d d6 bd e8 f3 c8 2c 30 49 f4
         f6 dd f7 4d 18 4d 72 76 57 9f ce 90 a6 6b bd 6b 50 17 82 6d cd
         0d 31 25 bc a5 47 df b2 f9 ab 53 43 fd a4 2a bb eb 5b f9 ca 6d
         02 45 8e 7e 7b af 21 04 70 e5 e6 93 ee a4 c2 ca 50 2f e8 e6 d4
         78 7b 57 18 6d 85 40 7d df 0d 5e 0c 8a be 1a 73 46 d6 cd 30 86
         5a c5 fc 9d f2 d3 8e 84 1e f3 67 91 be e0 dd 3a 1a 95 b9 c3 2d
         3e 8e 97 04 c8 7b fe bd 35 ea f5 cb db 4a 72 32 46 82 04 a5 75
         63 2c ed 27 76 70 6c d5 02 a5 66 d1 30 c1 ab 40 9a 1c e4 ab 08
         c5 8c 04 ae 75 33 94 8b 63 4b ff 14 54 b6 91 a1 e9 88 c6 de 54
         85 7e 12 05 65 fc bc 6e 3d 01 ed fa 7a ab c5 f9 2c 45 b4 df 22
         50 c0

   {client} derive secret "tls13 res master":

      PRK (32 octets): 86 05 00 52 9e e3 a6 0a 26 44 3e 62 2a 4c 00 0a
         b3 ff 0d ea 05 05 5c c3 ed f3 bf 01 f7 11 db ba

      hash (32 octets): 7f 2d 4e 12 6e 73 62 ae 2f ea 3c b9 1f 32 ec b0
         f7 ba 7f 60 c4 ee a4 41 0f 80 26 dc 33 25 77 88

      info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73
         74 65 72 20 7f 2d 4e 12 6e 73 62 ae 2f ea 3c b9 1f 32 ec b0 f7
         ba 7f 60 c4 ee a4 41 0f 80 26 dc 33 25 77 88

      output (32 octets): 42 f1 0b 54 0d ee 84 7b 5b 1c 5b 0d 89 2c f7
         11 7d 9a 13 9b 89 20 64 88 a3 52 eb ee d8 cb 6f 90

   {server} calculate finished "tls13 finished" (same as client)

   {server} derive secret "tls13 res master" (same as client)

   {client} send alert record:

      payload (2 octets): 01 00

      ciphertext (24 octets): 17 03 03 00 13 70 16 fa 95 9e 65 31 0b cf
         54 11 09 dd 74 cc 4b bd 42 95

   {server} send alert record:

      payload (2 octets): 01 00

      ciphertext (24 octets): 17 03 03 00 13 92 e3 7d 92 18 1a 14 ec cf
         3e 35 13 f4 54 63 4f b1 70 d9

7. Security Considerations

   It probably isn't a good idea to use the private key here. If it
   weren't for the fact that it is too small to provide any meaningful
   security, it is now very well known.

8. References

8.1. Normative References

   [I-D.ietf-tls-tls13]
              Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", draft-ietf-tls-tls13-22 (work in progress),
              November 2017.

8.2. Informative References

   [FIPS186]  National Institute of Standards and Technology (NIST),
              "Digital Signature Standard (DSS)", NIST PUB 186-4, July
              2013.

   [RFC7748]  Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
              for Security", RFC 7748, DOI 10.17487/RFC7748, January
              2016.

8.3. URIs

   [1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS

Appendix A. Acknowledgements

   This draft is generated using tests that were written for NSS [1].
   None of this would have been possible without Franziskus Kiefer, Eric
   Rescorla and Tim Taubert, who did a lot of the work in NSS.

Author's Address

   Martin Thomson
   Mozilla

   Email: martin.thomson@gmail.com
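The Section 6 key schedule can be recomputed from the ikm and hash inputs printed in the trace and compared step by step with the listed outputs. The following is an added example, not part of the draft or of NSS; it uses only the Python standard library, and its function and variable names are this example's own.

```python
import hashlib
import hmac

HASH = hashlib.sha256   # the ServerHello selects suite 13 01 (TLS_AES_128_GCM_SHA256)
HLEN = HASH().digest_size
ZEROS = bytes(HLEN)

# Inputs copied from the Section 6 trace.
ECDHE = bytes.fromhex(          # ikm of extract secret "handshake"
    "942f83faee2fadad242eebfbc7a66d5ec77104b13cd497e0b10d9d70691de86a")
HELLO_HASH = bytes.fromhex(     # hash in the "c hs traffic" / "s hs traffic" steps
    "7aa6f363a4493545a9319bda7205598ce15cbc834840ce04c00e8f960b27807b")
FINISHED_HASH = bytes.fromhex(  # hash in the "c ap traffic" ... "exp master" steps
    "355664823a076c678f60113df2c4fa183e44c00b0a9438c793d296e92a76e306")

# Outputs the trace lists for each step.
EXPECTED = {
    "early": "33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a",
    "handshake": "53d791879a6b33f38645353b3e0349e5e088e40b6c3700120c800425d3d5e99f",
    "c hs traffic": "e8d4bb938ca3de6d1d7c7801a55720aadfcd342dc8a447041d217c83c8dff394",
    "s hs traffic": "8bfce8b0114eaccd836468b5e46030fd321c37207a41cd22664f565314f21e05",
    "master": "860500529ee3a60a26443e622a4c000ab3ff0dea05055cc3edf3bf01f711dbba",
    "c ap traffic": "4994c41bd35f90849cdac81ceeeb48cf0a25089cda1566d0c851ce4267550e42",
    "s ap traffic": "049445e6cab5c54c87af8ad9c94fc12814f54c22bbc46a085e9e3f55911e770c",
    "exp master": "84692c1637b091ce55737abce2469b745cf47780ead768be9935592c160d0d57",
    "server finished key": "23487f1e4729a3ef3dfbe161bd0cd1c042518674be62545bf162257ad7d94e9d",
    "client finished key": "03c1ffebe1ecafc1169442a35fb78c4af43d554ec85b94ae3fe9183f5455f184",
}


def hkdf_extract(salt, ikm):
    """HKDF-Extract (RFC 5869); an absent salt means HashLen zero octets."""
    return hmac.new(salt or ZEROS, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm, counter = okm + block, counter + 1
    return okm[:length]


def hkdf_label(label, context, length):
    """The 'info' octets: uint16 length, then length-prefixed label and context."""
    full = b"tls13 " + label.encode("ascii")
    return (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)


def expand_label(secret, label, context, length=HLEN):
    return hkdf_expand(secret, hkdf_label(label, context, length), length)


def key_schedule(ecdhe, hello_hash, finished_hash):
    """Walk early -> handshake -> master in the order the trace does."""
    empty = HASH(b"").digest()
    s = {"early": hkdf_extract(b"", ZEROS)}
    s["handshake"] = hkdf_extract(expand_label(s["early"], "derived", empty), ecdhe)
    for name in ("c hs traffic", "s hs traffic"):
        s[name] = expand_label(s["handshake"], name, hello_hash)
    s["master"] = hkdf_extract(expand_label(s["handshake"], "derived", empty), ZEROS)
    for name in ("c ap traffic", "s ap traffic", "exp master"):
        s[name] = expand_label(s["master"], name, finished_hash)
    s["server finished key"] = expand_label(s["s hs traffic"], "finished", b"")
    s["client finished key"] = expand_label(s["c hs traffic"], "finished", b"")
    return s


def mismatches(computed, expected=EXPECTED):
    """Names of steps whose recomputed value differs from the listed output."""
    return [name for name, want in expected.items()
            if not hmac.compare_digest(computed[name], bytes.fromhex(want))]


if __name__ == "__main__":
    secrets = key_schedule(ECDHE, HELLO_HASH, FINISHED_HASH)
    failed = mismatches(secrets)
    for name, value in secrets.items():
        print(f"{'FAIL' if name in failed else 'ok  '} {name:20} {value.hex()}")
```

An implementation under test can be checked the same way: feed its own intermediate values to `mismatches` and the first name returned is the step where it diverges from the trace.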