idnits 2.17.1 draft-ietf-tls-tls13-vectors-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (July 09, 2018) is 2089 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '1' on line 2873 Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 TLS M. Thomson 3 Internet-Draft Mozilla 4 Intended status: Informational July 09, 2018 5 Expires: January 10, 2019 7 Example Handshake Traces for TLS 1.3 8 draft-ietf-tls-tls13-vectors-06 10 Abstract 12 Examples of TLS 1.3 handshakes are shown. Private keys and inputs 13 are provided so that these handshakes might be reproduced. 14 Intermediate values, including secrets, traffic keys and IVs are 15 shown so that implementations might be checked incrementally against 16 these values. 18 Status of This Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at https://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on January 10, 2019. 35 Copyright Notice 37 Copyright (c) 2018 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (https://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 53 2. Private Keys . . . . . . . . . . . . . . . . . . . . . . . . 2 54 3. Simple 1-RTT Handshake . . . . . . . . . . . . . . . . . . . 3 55 4. Resumed 0-RTT Handshake . . . . . . . . . . . . . . . . . . . 15 56 5. HelloRetryRequest . . . . . . . . . . . . . . . . . . . . . . 26 57 6. Client Authentication . . . . . . . . . . . . . . . . . . . . 38 58 7. Compatibility Mode . . . . . . . . . . . . . . . . . . . . . 49 59 8. Security Considerations . . . . . . . . . . . . . . . . . . . 60 60 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 60 61 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 60 62 10.1. Normative References . . . . . . . . . . . . . . . . . . 60 63 10.2. Informative References . . . . . . . . . . . . . . . . . 60 64 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 61 65 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 61 67 1. Introduction 69 TLS 1.3 [TLS13] defines a new key schedule and a number of new 70 cryptographic operations. This document includes sample handshakes 71 that show all intermediate values. This allows an implementation to 72 be verified incrementally, examining inputs and outputs of each 73 cryptographic computation independently. 75 A private key is included with the traces so that implementations can 76 be checked by importing these values and verifying that the same 77 outputs are produced. 79 Note: Invocations of HMAC-based Extract-and-Expand Key Derivation 80 Function (HKDF) [RFC5869] are not labelled, but can be identified 81 through the use the labels used by HKDF. 83 2. Private Keys 85 Ephemeral private keys are shown as they are generated in the traces. 87 The server in most examples uses an RSA certificate with a private 88 key of: 90 modulus (public): b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 91 0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab 92 bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 93 a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f 94 da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 95 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 96 3f 98 public exponent: 01 00 01 100 private exponent: 04 de a7 05 d4 3a 6e a7 20 9d d8 07 21 11 a8 3c 81 101 e3 22 a5 92 78 b3 34 80 64 1e af 7c 0a 69 85 b8 e3 1c 44 f6 de 62 102 e1 b4 c2 30 9f 61 26 e7 7b 7c 41 e9 23 31 4b bf a3 88 13 05 dc 12 103 17 f1 6c 81 9c e5 38 e9 22 f3 69 82 8d 0e 57 19 5d 8c 84 88 46 02 104 07 b2 fa a7 26 bc f7 08 bb d7 db 7f 67 9f 89 34 92 fc 2a 62 2e 08 105 97 0a ac 44 1c e4 e0 c3 08 8d f2 5a e6 79 23 3d f8 a3 bd a2 ff 99 106 41 108 prime1: e4 35 fb 7c c8 37 37 75 6d ac ea 96 ab 7f 59 a2 cc 10 69 db 109 7d eb 19 0e 17 e3 3a 53 2b 27 3f 30 a3 27 aa 0a aa bc 58 cd 67 46 110 6a f9 84 5f ad c6 75 fe 09 4a f9 2c 4b d1 f2 c1 bc 33 dd 2e 05 15 112 prime2: ca bd 3b c0 e0 43 86 64 c8 d4 cc 9f 99 97 7a 94 d9 bb fe ad 113 8e 43 87 0a ba e3 f7 eb 8b 4e 0e ee 8a f1 d9 b4 71 9b a6 19 6c f2 114 cb ba ee eb f8 b3 49 0a fe 9e 9f fa 74 a8 8a a5 1f c6 45 62 93 03 116 exponent1: 3f 57 34 5c 27 fe 1b 68 7e 6e 76 16 27 b7 8b 1b 82 64 33 117 dd 76 0f a0 be a6 a6 ac f3 94 90 aa 1b 47 cd a4 86 9d 68 f5 84 dd 118 5b 50 29 bd 32 09 3b 82 58 66 1f e7 15 02 5e 5d 70 a4 5a 08 d3 d3 119 19 121 exponent2: 18 3d a0 13 63 bd 2f 28 85 ca cb dc 99 64 bf 47 64 f1 51 122 76 36 f8 64 01 28 6f 71 89 3c 52 cc fe 40 a6 c2 3d 0d 08 6b 47 c6 123 fb 10 d8 fd 10 41 e0 4d ef 7e 9a 40 ce 95 7c 41 77 94 e1 04 12 d1 124 39 126 coefficient: 83 9c a9 a0 85 e4 28 6b 2c 90 e4 66 99 7a 2c 68 1f 21 127 33 9a a3 47 78 14 e4 de c1 18 33 05 0e d5 0d d1 3c c0 38 04 8a 43 128 c5 9b 2a cc 41 68 89 c0 37 66 5f e5 af a6 05 96 9f 8c 01 df a5 ca 129 96 9d 131 3. Simple 1-RTT Handshake 133 In this example, the simplest possible handshake is completed. The 134 server is authenticated, but the client remains anonymous. After 135 connecting, a few application data octets are exchanged. The server 136 sends a session ticket that permits the use of 0-RTT data in any 137 resumed session. 139 {client} create an ephemeral x25519 key pair: 141 private key (32 octets): 01 61 d7 bf 4b a0 6c 35 68 f1 09 54 f0 142 f1 ca 08 74 60 54 9c dc 7b fe b2 77 6b 46 04 d8 2f aa c2 144 public key (32 octets): b0 f5 01 9f b0 f1 e5 37 6b 8b 1d fb 90 5f 145 1d 91 51 61 ba c3 77 07 da d8 90 7b d7 1b 98 07 b3 45 147 {client} send a ClientHello handshake message 149 {client} send handshake record: 151 payload (196 octets): 01 00 00 c0 03 03 d4 b9 50 3c 5e 95 c9 ee 152 cc 99 ce 63 76 cc ad 4d cc 06 d7 c8 f1 fa 44 b0 d9 56 00 e9 a0 153 58 6c 67 00 00 06 13 01 13 03 13 02 01 00 00 91 00 00 00 0b 00 154 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 155 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 23 00 156 00 00 33 00 26 00 24 00 1d 00 20 b0 f5 01 9f b0 f1 e5 37 6b 8b 157 1d fb 90 5f 1d 91 51 61 ba c3 77 07 da d8 90 7b d7 1b 98 07 b3 158 45 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03 02 159 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 160 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01 162 ciphertext (201 octets): 16 03 01 00 c4 01 00 00 c0 03 03 d4 b9 163 50 3c 5e 95 c9 ee cc 99 ce 63 76 cc ad 4d cc 06 d7 c8 f1 fa 44 164 b0 d9 56 00 e9 a0 58 6c 67 00 00 06 13 01 13 03 13 02 01 00 00 165 91 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 166 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 167 03 01 04 00 23 00 00 00 33 00 26 00 24 00 1d 00 20 b0 f5 01 9f 168 b0 f1 e5 37 6b 8b 1d fb 90 5f 1d 91 51 61 ba c3 77 07 da d8 90 169 7b d7 1b 98 07 b3 45 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 170 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 171 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01 173 {server} extract secret "early": 175 salt: (absent) 177 IKM (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 178 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 180 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c 181 e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 183 {server} create an ephemeral x25519 key pair: 185 private key (32 octets): e2 36 b9 50 e1 aa 9b af af ed c6 d1 c9 186 31 18 67 fd 56 91 d2 c1 5e 05 3b 5a b0 85 f7 3f 75 a8 6a 188 public key (32 octets): 9d 3c 94 0d 89 69 0b 84 d0 8a 60 99 3c 14 189 4e ca 68 4d 10 81 28 7c 83 4d 53 11 bc f3 2b b9 da 1a 191 {server} send a ServerHello handshake message 193 {server} derive secret for handshake "tls13 derived": 195 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 196 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 198 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 199 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 201 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 202 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 203 64 9b 93 4c a4 95 99 1b 78 52 b8 55 205 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 206 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 208 {server} extract secret "handshake": 210 salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 211 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 213 IKM (32 octets): 81 51 d1 46 4c 1b 55 53 36 23 b9 c2 24 6a 6a 0e 214 6e 7e 18 50 63 e1 4a fd af f0 b6 e1 c6 1a 86 42 216 secret (32 octets): 5b 4f 96 5d f0 3c 68 2c 46 e6 ee 86 c3 11 63 217 66 15 a1 d2 bb b2 43 45 c2 52 05 95 3c 87 9e 8d 06 219 {server} derive secret "tls13 c hs traffic": 221 PRK (32 octets): 5b 4f 96 5d f0 3c 68 2c 46 e6 ee 86 c3 11 63 66 222 15 a1 d2 bb b2 43 45 c2 52 05 95 3c 87 9e 8d 06 224 hash (32 octets): c6 c9 18 ad 2f 41 99 d5 59 8e af 01 16 cb 7a 5c 225 2c 14 cb 54 78 12 18 88 8d b7 03 0d d5 0d 5e 6d 227 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 228 61 66 66 69 63 20 c6 c9 18 ad 2f 41 99 d5 59 8e af 01 16 cb 7a 229 5c 2c 14 cb 54 78 12 18 88 8d b7 03 0d d5 0d 5e 6d 231 output (32 octets): e2 e2 32 07 bd 93 fb 7f e4 fc 2e 29 7a fe ab 232 16 0e 52 2b 5a b7 5d 64 a8 6e 75 bc ac 3f 3e 51 03 234 {server} derive secret "tls13 s hs traffic": 236 PRK (32 octets): 5b 4f 96 5d f0 3c 68 2c 46 e6 ee 86 c3 11 63 66 237 15 a1 d2 bb b2 43 45 c2 52 05 95 3c 87 9e 8d 06 239 hash (32 octets): c6 c9 18 ad 2f 41 99 d5 59 8e af 01 16 cb 7a 5c 240 2c 14 cb 54 78 12 18 88 8d b7 03 0d d5 0d 5e 6d 242 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 243 61 66 66 69 63 20 c6 c9 18 ad 2f 41 99 d5 59 8e af 01 16 cb 7a 244 5c 2c 14 cb 54 78 12 18 88 8d b7 03 0d d5 0d 5e 6d 246 output (32 octets): 3b 7a 83 9c 23 9e f2 bf 0b 73 05 a0 e0 c4 e5 247 a8 c6 c6 93 30 a7 53 b3 08 f5 e3 a8 3a a2 ef 69 79 249 {server} derive secret for master "tls13 derived": 251 PRK (32 octets): 5b 4f 96 5d f0 3c 68 2c 46 e6 ee 86 c3 11 63 66 252 15 a1 d2 bb b2 43 45 c2 52 05 95 3c 87 9e 8d 06 254 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 255 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 257 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 258 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 259 64 9b 93 4c a4 95 99 1b 78 52 b8 55 261 output (32 octets): c8 61 57 19 e2 40 37 47 b6 10 76 2c 72 b8 f4 262 da 5c 60 99 57 65 d4 04 a9 d0 06 b9 b0 72 7b a5 83 264 {server} extract secret "master": 266 salt (32 octets): c8 61 57 19 e2 40 37 47 b6 10 76 2c 72 b8 f4 da 267 5c 60 99 57 65 d4 04 a9 d0 06 b9 b0 72 7b a5 83 269 IKM (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 272 secret (32 octets): 5c 79 d1 69 42 4e 26 2b 56 32 03 62 7b e4 eb 273 51 03 3f 58 8c 43 c9 ce 03 73 37 2d bc bc 01 85 a7 275 {server} send handshake record: 277 payload (90 octets): 02 00 00 56 03 03 ee fc e7 f7 b3 7b a1 d1 63 278 2e 96 67 78 25 dd f7 39 88 cf c7 98 25 df 56 6d c5 43 0b 9a 04 279 5a 12 00 13 01 00 00 2e 00 33 00 24 00 1d 00 20 9d 3c 94 0d 89 280 69 0b 84 d0 8a 60 99 3c 14 4e ca 68 4d 10 81 28 7c 83 4d 53 11 281 bc f3 2b b9 da 1a 00 2b 00 02 03 04 283 ciphertext (95 octets): 16 03 03 00 5a 02 00 00 56 03 03 ee fc e7 284 f7 b3 7b a1 d1 63 2e 96 67 78 25 dd f7 39 88 cf c7 98 25 df 56 285 6d c5 43 0b 9a 04 5a 12 00 13 01 00 00 2e 00 33 00 24 00 1d 00 286 20 9d 3c 94 0d 89 69 0b 84 d0 8a 60 99 3c 14 4e ca 68 4d 10 81 287 28 7c 83 4d 53 11 bc f3 2b b9 da 1a 00 2b 00 02 03 04 289 {server} derive write traffic keys for handshake data: 291 PRK (32 octets): 3b 7a 83 9c 23 9e f2 bf 0b 73 05 a0 e0 c4 e5 a8 292 c6 c6 93 30 a7 53 b3 08 f5 e3 a8 3a a2 ef 69 79 294 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 296 key output (16 octets): c6 6c b1 ae c5 19 df 44 c9 1e 10 99 55 11 297 ac 8b 299 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 301 iv output (12 octets): f7 f6 88 4c 49 81 71 6c 2d 0d 29 a4 303 {server} send a EncryptedExtensions handshake message 305 {server} send a Certificate handshake message 307 {server} send a CertificateVerify handshake message 309 {server} calculate finished "tls13 finished": 311 PRK (32 octets): 3b 7a 83 9c 23 9e f2 bf 0b 73 05 a0 e0 c4 e5 a8 312 c6 c6 93 30 a7 53 b3 08 f5 e3 a8 3a a2 ef 69 79 314 hash (0 octets): (empty) 316 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 317 64 00 319 output (32 octets): a8 0c b7 d1 5d b3 4a 17 ab b0 c2 37 65 be 68 320 c2 6d 3f 10 da 34 90 5b 09 99 47 e5 5e 37 db 17 b3 322 {server} send a Finished handshake message 324 {server} send handshake record: 326 payload (657 octets): 08 00 00 24 00 22 00 0a 00 14 00 12 00 1d 327 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 00 02 40 328 01 00 00 00 00 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30 329 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 330 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 331 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36 332 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04 333 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 334 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f 82 79 30 335 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a 336 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e 337 aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01 338 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53 339 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab 340 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 01 00 01 341 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 342 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 343 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17 344 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea e8 f8 a5 345 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 51 56 72 346 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be c1 fc 63 347 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1c 3b 84 348 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 96 12 29 349 ac 91 87 b4 2b 4d e1 00 00 0f 00 00 84 08 04 00 80 75 40 40 d0 350 dd ab 8c f0 e2 da 2b c4 99 5b 86 8a d7 45 c8 e1 56 4e 33 cd e1 351 78 80 a4 23 92 cc 62 4a ee f6 b6 7b b3 f0 ae 71 d9 d5 4a 23 09 352 73 1d 87 dc 59 f6 42 d7 33 be 2e b2 74 84 ad 8a 8c 8e b3 51 6a 353 7a c5 7f 26 25 e2 b5 c0 88 8a 85 41 f4 e7 34 f7 3d 05 47 61 df 354 1d d0 2f 0e 3e 9a 33 cf a1 0b 6e 3e b4 eb f7 ac 05 3b 01 fd ab 355 bd df c5 41 33 bc d2 4c 8b bd ce b2 23 b2 aa 03 45 2a 29 14 00 356 00 20 ac 86 ac bc 9c d2 5a 45 b5 7a d5 b6 4d b1 5d 44 05 cf 8c 357 80 e3 14 58 3e bf 32 83 ef 9a 99 31 0c 359 ciphertext (679 octets): 17 03 03 02 a2 f1 0b 26 d8 fc af 67 b5 360 b8 28 f7 12 12 22 16 a1 cd 14 18 74 65 b7 76 37 cb cd 78 53 91 361 28 bb 93 24 6d cc a1 af 56 f1 ea a2 71 66 60 77 45 5b c5 49 65 362 d8 5f 05 f9 bd 36 d6 99 61 71 eb 53 6a ff 61 3e ed dc 42 ba d5 363 a2 d2 22 7c 46 06 f1 21 5f 98 0e 7a fa f5 6b d3 b8 5a 51 be 13 364 00 03 10 1a 75 8d 07 7b 1c 89 1d 8e 7a 22 94 7e 5a 22 98 51 fd 365 42 a9 dd 42 26 08 f8 68 27 2a bf 92 b3 d4 3f b4 6a c4 20 25 93 366 46 06 7f 66 32 2f d7 08 88 56 80 f4 b4 43 3c 29 11 6f 2d fa 52 367 9e 09 bb a5 3c 7c d9 20 12 17 24 80 9e ad dc c8 43 07 ef 46 fc 368 51 a0 b3 3d 99 d3 9d b3 37 fc d7 61 ce 0f 2b 02 dc 73 de db 6f 369 dd b7 7c 4f 80 99 bd e9 3d 5b ee 08 bc f2 13 1f 29 a2 a3 7f f0 370 79 49 e8 f8 bc dd 3e 83 10 b8 bf 8b 34 44 c8 5a af 0d 2a eb 2d 371 4f 36 fd 14 d5 cb 51 fc eb ff 41 8b 38 27 13 6a b9 52 9e 9a 3d 372 3f 35 e4 c0 ae 74 9e a2 db c9 49 82 a1 28 1d 3e 6d aa b7 19 aa 373 44 60 88 93 21 a0 08 bf 10 fa 06 ac 0c 61 cc 12 2c c9 0d 5e 22 374 c0 03 0c 98 6a e8 4a 33 a0 c4 7d f1 74 bc fb d5 0b f7 8f fd f2 375 40 51 ab 42 3d b6 3d 58 15 db 2f 83 00 40 f3 05 21 13 1c 98 c6 376 6f 16 c3 62 ad dc e2 fb a0 60 2c f0 a7 dd df 22 e8 de f7 51 6c 377 df ee 95 b4 05 6c c9 ad 38 c9 53 52 33 54 21 b5 b1 ff ba df 75 378 e5 21 2f da d7 a7 5f 52 a2 80 14 86 a1 ee c3 53 95 80 be e0 e4 379 b3 37 cd a6 08 5a c9 ec cd 1a 0f 1a 46 ce bf bb 5c df a3 25 1a 380 c2 8c 3b c8 26 14 8c 6d 8c 1e b6 a0 6f 77 f6 ff 63 2c 6a 83 e2 381 83 e8 f9 df 7c 6d ba bf 1c 6e a4 06 29 a8 5b 43 ab 0c 73 d3 4f 382 9d 50 72 83 2a 10 4e da 3f 75 f5 d8 3d a6 e1 48 22 a1 8e 14 09 383 9d 74 9e af d8 23 ca 2a c7 54 20 86 50 1e ca 20 6c e7 88 79 20 384 00 85 73 75 7c e2 f2 30 a8 90 78 2b 99 cc 68 23 77 be ee 81 27 385 56 d0 4f 90 25 13 5f b5 99 d7 46 fe fe 73 16 c9 22 ac 26 5c a0 386 d2 90 21 37 5a db 63 c1 50 9c 3e 24 2d fb 92 b8 de e8 91 f7 36 387 8c 40 58 39 9b 8d b9 07 5f 2d cc 82 16 19 4e 50 3b 66 52 d8 7d 388 2c b4 1f 99 ad fd cc 5b e5 ec 7e 1e 63 26 ac 22 d7 0b d3 ba 65 389 28 27 53 2d 66 9a ff 00 51 73 59 7f 80 39 c3 ea 49 22 d3 ec 75 390 76 70 22 2f 6a c2 9b 93 e9 0d 7a d3 f6 dd 96 32 8e 42 9c fc fd 391 5c ca 22 70 7f e2 d8 6a d1 dc b0 be 75 6e 8e 393 {server} derive secret "tls13 c ap traffic": 395 PRK (32 octets): 5c 79 d1 69 42 4e 26 2b 56 32 03 62 7b e4 eb 51 396 03 3f 58 8c 43 c9 ce 03 73 37 2d bc bc 01 85 a7 398 hash (32 octets): f8 c1 9e 8c 77 c0 38 79 bb c8 eb 6d 56 e0 0d d5 399 d8 6e f5 59 27 ee fc 08 e1 b0 02 b6 ec e0 5d bf 401 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 402 61 66 66 69 63 20 f8 c1 9e 8c 77 c0 38 79 bb c8 eb 6d 56 e0 0d 403 d5 d8 6e f5 59 27 ee fc 08 e1 b0 02 b6 ec e0 5d bf 405 output (32 octets): e2 f0 db 6a 82 e8 82 80 fc 26 f7 3c 89 85 4e 406 e8 61 5e 25 df 28 b2 20 79 62 fa 78 22 26 b2 36 26 408 {server} derive secret "tls13 s ap traffic": 410 PRK (32 octets): 5c 79 d1 69 42 4e 26 2b 56 32 03 62 7b e4 eb 51 411 03 3f 58 8c 43 c9 ce 03 73 37 2d bc bc 01 85 a7 413 hash (32 octets): f8 c1 9e 8c 77 c0 38 79 bb c8 eb 6d 56 e0 0d d5 414 d8 6e f5 59 27 ee fc 08 e1 b0 02 b6 ec e0 5d bf 416 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 417 61 66 66 69 63 20 f8 c1 9e 8c 77 c0 38 79 bb c8 eb 6d 56 e0 0d 418 d5 d8 6e f5 59 27 ee fc 08 e1 b0 02 b6 ec e0 5d bf 420 output (32 octets): 5b 73 b1 08 d9 ac 1b 9b 0c 82 48 ca 39 26 ec 421 6e 7b c4 7e 41 17 06 96 39 87 ec 11 43 5d 30 57 19 423 {server} derive secret "tls13 exp master": 425 PRK (32 octets): 5c 79 d1 69 42 4e 26 2b 56 32 03 62 7b e4 eb 51 426 03 3f 58 8c 43 c9 ce 03 73 37 2d bc bc 01 85 a7 428 hash (32 octets): f8 c1 9e 8c 77 c0 38 79 bb c8 eb 6d 56 e0 0d d5 429 d8 6e f5 59 27 ee fc 08 e1 b0 02 b6 ec e0 5d bf 431 info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 432 74 65 72 20 f8 c1 9e 8c 77 c0 38 79 bb c8 eb 6d 56 e0 0d d5 d8 433 6e f5 59 27 ee fc 08 e1 b0 02 b6 ec e0 5d bf 435 output (32 octets): b7 73 34 8a 35 a0 41 f1 19 96 89 f8 df 30 09 436 7b 1d 25 7a bf 5c 0a aa 16 c8 65 10 56 b9 06 d6 c6 438 {server} derive write traffic keys for application data: 440 PRK (32 octets): 5b 73 b1 08 d9 ac 1b 9b 0c 82 48 ca 39 26 ec 6e 441 7b c4 7e 41 17 06 96 39 87 ec 11 43 5d 30 57 19 443 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 445 key output (16 octets): a6 88 eb b5 ac 82 6d 6f 42 d4 5c 0c c4 4b 446 9b 7d 448 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 450 iv output (12 octets): c1 ca d4 42 5a 43 8b 5d e7 14 83 0a 452 {server} derive read traffic keys for handshake data: 454 PRK (32 octets): e2 e2 32 07 bd 93 fb 7f e4 fc 2e 29 7a fe ab 16 455 0e 52 2b 5a b7 5d 64 a8 6e 75 bc ac 3f 3e 51 03 457 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 459 key output (16 octets): 26 79 a4 3e 1d 76 78 40 34 ea 17 97 d5 ad 460 26 49 462 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 464 iv output (12 octets): 54 82 40 52 90 dd 0d 2f 81 c0 d9 42 466 {client} extract secret "early": 468 salt: (absent) 470 IKM (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 471 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 473 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c 474 e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 476 {client} derive secret for handshake "tls13 derived": 478 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 479 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 481 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 482 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 484 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 485 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 486 64 9b 93 4c a4 95 99 1b 78 52 b8 55 488 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 489 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 491 {client} extract secret "handshake": 493 salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 494 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 496 IKM (32 octets): 81 51 d1 46 4c 1b 55 53 36 23 b9 c2 24 6a 6a 0e 497 6e 7e 18 50 63 e1 4a fd af f0 b6 e1 c6 1a 86 42 499 secret (32 octets): 5b 4f 96 5d f0 3c 68 2c 46 e6 ee 86 c3 11 63 500 66 15 a1 d2 bb b2 43 45 c2 52 05 95 3c 87 9e 8d 06 502 {client} derive secret "tls13 c hs traffic" (same as server) 504 {client} derive secret "tls13 s hs traffic" (same as server) 506 {client} derive secret for master "tls13 derived" (same as server) 508 {client} extract secret "master" (same as server) 510 {client} derive read traffic keys for handshake data: 512 PRK (32 octets): 3b 7a 83 9c 23 9e f2 bf 0b 73 05 a0 e0 c4 e5 a8 513 c6 c6 93 30 a7 53 b3 08 f5 e3 a8 3a a2 ef 69 79 515 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 517 key output (16 octets): c6 6c b1 ae c5 19 df 44 c9 1e 10 99 55 11 518 ac 8b 520 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 522 iv output (12 octets): f7 f6 88 4c 49 81 71 6c 2d 0d 29 a4 524 {client} calculate finished "tls13 finished" (same as server) 526 {client} derive secret "tls13 c ap traffic" (same as server) 528 {client} derive secret "tls13 s ap traffic" (same as server) 530 {client} derive secret "tls13 exp master" (same as server) 531 {client} derive write traffic keys for handshake data (same as 532 server read traffic keys) 534 {client} derive read traffic keys for application data (same as 535 server write traffic keys) 537 {client} calculate finished "tls13 finished": 539 PRK (32 octets): e2 e2 32 07 bd 93 fb 7f e4 fc 2e 29 7a fe ab 16 540 0e 52 2b 5a b7 5d 64 a8 6e 75 bc ac 3f 3e 51 03 542 hash (0 octets): (empty) 544 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 545 64 00 547 output (32 octets): 12 1b f5 86 01 b2 ed 13 bf 14 b3 ee ac bd 9d 548 a4 ba ba 1e 14 3e db 66 a1 07 79 59 60 fb d9 e2 1f 550 {client} send a Finished handshake message 552 {client} send handshake record: 554 payload (36 octets): 14 00 00 20 b9 02 7a 02 04 b9 72 b5 2c de fa 555 58 95 0f a1 58 0d 68 c9 cb 12 4d be 69 1a 71 78 f2 5c 55 4b 23 557 ciphertext (58 octets): 17 03 03 00 35 95 39 b4 ae 2f 87 fd 8e 61 558 6b 29 56 28 ea 95 3d 9e 38 58 db 27 49 70 d1 98 13 ec 13 6c ae 559 7d 96 e0 41 77 75 fc ab d3 d8 85 8f dc 60 24 09 12 d2 18 f5 af 560 b2 1c 562 {client} derive write traffic keys for application data: 564 PRK (32 octets): e2 f0 db 6a 82 e8 82 80 fc 26 f7 3c 89 85 4e e8 565 61 5e 25 df 28 b2 20 79 62 fa 78 22 26 b2 36 26 567 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 569 key output (16 octets): 88 b9 6a d6 86 c8 4b e5 5a ce 18 a5 9c ce 570 5c 87 572 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 574 iv output (12 octets): b9 9d c5 8c d5 ff 5a b0 82 fd ad 19 576 {client} derive secret "tls13 res master": 578 PRK (32 octets): 5c 79 d1 69 42 4e 26 2b 56 32 03 62 7b e4 eb 51 579 03 3f 58 8c 43 c9 ce 03 73 37 2d bc bc 01 85 a7 581 hash (32 octets): 50 2f 86 b9 57 9e c0 53 d3 28 24 e2 78 0e f6 5c 582 c4 37 a3 56 43 45 35 6b df 79 13 ec 3b 87 96 14 584 info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 585 74 65 72 20 50 2f 86 b9 57 9e c0 53 d3 28 24 e2 78 0e f6 5c c4 586 37 a3 56 43 45 35 6b df 79 13 ec 3b 87 96 14 588 output (32 octets): f7 84 42 e1 c4 b9 d4 40 ad b6 3b e6 8f 74 a5 589 f3 01 94 6a 2b 2b db 36 c0 45 bb 7c f5 a9 e3 02 f5 591 {server} calculate finished "tls13 finished" (same as client) 593 {server} derive read traffic keys for application data (same as 594 client write traffic keys) 596 {server} derive secret "tls13 res master" (same as client) 598 {server} generate resumption secret "tls13 resumption": 600 PRK (32 octets): f7 84 42 e1 c4 b9 d4 40 ad b6 3b e6 8f 74 a5 f3 601 01 94 6a 2b 2b db 36 c0 45 bb 7c f5 a9 e3 02 f5 603 hash (2 octets): 00 00 605 info (22 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 75 6d 70 74 606 69 6f 6e 02 00 00 608 output (32 octets): e3 4f 01 59 72 7d 1b 8e 4c 9c 17 68 59 45 a2 609 86 1f 70 dc 21 05 cb 22 4b 6d bd b3 83 28 2e f5 cf 611 {server} send a NewSessionTicket handshake message 613 {server} send handshake record: 615 payload (205 octets): 04 00 00 c9 00 00 00 1e 2f d3 99 2f 02 00 616 00 00 b2 ff 09 9f 96 76 cd ff 8b 0b f8 82 5d 00 00 00 00 79 05 617 a9 d2 8e fe ef 4a 47 c6 f9 b0 6a 0c ec db 00 70 d9 20 b8 98 99 618 7c 75 b7 96 36 94 3e d4 20 46 a9 61 42 bd 08 4a 04 ac fa 0c 49 619 0f 45 2d 75 6d ea 02 c0 f9 27 25 9f 1f 32 31 ac 0d 54 1a 76 91 620 29 b7 40 ce 38 09 08 42 b8 28 c2 7f d7 29 f5 97 37 ba 98 aa 7b 621 42 e0 43 c5 da 28 f8 dc a8 59 0b 2d f4 10 d5 13 4f d6 c4 ca ca 622 d8 b3 03 70 60 2a fa 35 d2 65 bf 4d 12 79 76 bb 36 db da 6a 62 623 6f 02 70 e2 0e eb c7 3d 6f ca e2 b1 a0 da 12 2e e9 04 2f 76 be 624 56 eb f4 1a a4 69 c3 d2 c9 da 91 97 d8 00 08 00 2a 00 04 00 00 625 04 00 627 ciphertext (227 octets): 17 03 03 00 de 36 80 c2 b2 10 9d 25 ca 628 a2 6c 3b 06 ee a9 fd c5 cb 31 61 3b a7 02 17 65 96 da 2e 88 6b 629 f6 af 93 50 7b d6 81 61 ad 9c b4 78 06 53 84 2e 10 41 ec bf 00 630 88 a6 5a c4 ef 43 84 19 dd 1d 95 dd d9 bd 2a d4 48 4e 7e 16 7d 631 0e 6c 00 84 48 ae 58 a0 41 87 13 b6 fc 6c 51 e4 bb 23 a5 37 fb 632 75 a7 4f 73 de 31 fe 6a a0 bc 52 25 15 f8 b2 5f 89 55 42 8b 5d 633 e5 ac 06 76 2c ec 22 b0 aa 78 c9 43 85 ef 8e 70 fa 24 94 5b 7c 634 1f 26 85 10 87 16 89 bb bb fa f2 e7 f4 a1 92 77 02 4f 95 f1 14 635 3a b1 2a 31 ec 63 ad b1 28 cb 39 07 11 fd 6d 06 a4 98 df 3e 98 636 61 5d 8e b1 02 e2 33 53 b4 80 ef cc a5 e8 e0 26 7a 6d 0f e2 44 637 1f 14 c8 c9 66 4a ef b2 cf ff 6a e9 e0 44 27 28 b6 a0 94 0c 1e 638 82 4f da 06 640 {client} generate resumption secret "tls13 resumption" (same as 641 server) 643 {client} send application_data record: 645 payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 646 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 647 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 649 ciphertext (72 octets): 17 03 03 00 43 8c 34 97 da 00 ae 02 3e 53 650 c0 1b 43 24 b6 65 40 4c 1b 49 e7 8f e2 bf 4d 17 f6 34 8a e8 34 651 05 51 e3 63 a0 cd 05 f2 17 9c 4f ef 5a d6 89 b5 ca e0 ba e9 4a 652 dc 63 63 2e 57 1f b7 9a a9 15 44 c6 39 4d 28 a1 654 {server} send application_data record: 656 payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 657 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 658 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 660 ciphertext (72 octets): 17 03 03 00 43 f6 5f 49 fd 2d f6 cd 23 47 661 c3 d3 01 66 e3 cf dd b6 30 8a 59 06 c0 76 11 2c 6a 37 ff 1d bd 662 40 6b 58 13 c0 ab d7 34 88 30 17 a6 b2 83 31 86 b1 3c 14 da 5d 663 75 f3 3d 87 60 78 99 94 e2 7d 82 04 3a b8 8d 65 665 {client} send alert record: 667 payload (2 octets): 01 00 669 ciphertext (24 octets): 17 03 03 00 13 2c 21 48 16 3d 79 38 a3 5f 670 6a cf 2a 66 06 f8 cb d1 d9 f2 672 {server} send alert record: 674 payload (2 octets): 01 00 675 ciphertext (24 octets): 17 03 03 00 13 f8 14 1e bd b5 ed a5 11 e0 676 bc e6 39 a5 6f f9 ea 82 5a 21 678 4. Resumed 0-RTT Handshake 680 This handshake resumes from the handshake in Section 3. Since the 681 server provided a session ticket that permitted 0-RTT, and the client 682 is configured for 0-RTT, the client is able to send 0-RTT data. 684 {client} create an ephemeral x25519 key pair: 686 private key (32 octets): 53 9d 7e bf a9 6c 5c eb 7d 86 f0 b9 68 687 2a 1d d7 b7 b6 0d 81 c2 73 50 74 35 cd d1 b7 aa 80 05 1f 689 public key (32 octets): b0 31 99 c3 4d 68 2d 91 db 5f 58 96 10 f6 690 c0 9b ec e9 9c 23 c7 7c c6 0d 1e dd 0d 25 ed 5d be 70 692 {client} extract secret "early": 694 salt: (absent) 696 IKM (32 octets): e3 4f 01 59 72 7d 1b 8e 4c 9c 17 68 59 45 a2 86 697 1f 70 dc 21 05 cb 22 4b 6d bd b3 83 28 2e f5 cf 699 secret (32 octets): 04 8b 40 aa 09 ff d4 c6 76 9c 54 1a 2f 46 e2 700 84 66 06 f7 0d 62 a6 15 97 77 29 c5 b2 81 c7 e7 15 702 {client} send a ClientHello handshake message 704 {client} calculate finished "tls13 finished": 706 PRK (32 octets): 20 63 8e c4 e9 90 45 a8 bb 12 1e 86 fe 65 54 82 707 db b3 74 0d db f6 2d 0c bc c2 04 9c 10 c7 01 34 709 hash (0 octets): (empty) 711 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 712 64 00 714 output (32 octets): a8 19 28 e3 08 5c 3a 85 63 ed 82 2d a9 af 7a 715 b7 1a c5 43 2a 5f 9d 1e 6f 71 32 f1 8b 36 e2 c7 05 717 {client} send handshake record: 719 payload (512 octets): 01 00 01 fc 03 03 88 09 d2 a3 9b f9 ae b3 720 83 1d 2b 32 e4 ff f9 32 15 e4 fc 4f 25 71 79 71 bd 79 e8 19 41 721 e3 dd 9b 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00 722 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 723 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00 724 26 00 24 00 1d 00 20 b0 31 99 c3 4d 68 2d 91 db 5f 58 96 10 f6 725 c0 9b ec e9 9c 23 c7 7c c6 0d 1e dd 0d 25 ed 5d be 70 00 2a 00 726 00 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03 02 727 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 728 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01 00 15 00 57 00 00 00 729 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 730 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 731 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 732 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 733 00 29 00 dd 00 b8 00 b2 ff 09 9f 96 76 cd ff 8b 0b f8 82 5d 00 734 00 00 00 79 05 a9 d2 8e fe ef 4a 47 c6 f9 b0 6a 0c ec db 00 70 735 d9 20 b8 98 99 7c 75 b7 96 36 94 3e d4 20 46 a9 61 42 bd 08 4a 736 04 ac fa 0c 49 0f 45 2d 75 6d ea 02 c0 f9 27 25 9f 1f 32 31 ac 737 0d 54 1a 76 91 29 b7 40 ce 38 09 08 42 b8 28 c2 7f d7 29 f5 97 738 37 ba 98 aa 7b 42 e0 43 c5 da 28 f8 dc a8 59 0b 2d f4 10 d5 13 739 4f d6 c4 ca ca d8 b3 03 70 60 2a fa 35 d2 65 bf 4d 12 79 76 bb 740 36 db da 6a 62 6f 02 70 e2 0e eb c7 3d 6f ca e2 b1 a0 da 12 2e 741 e9 04 2f 76 be 56 eb f4 1a a4 69 c3 d2 c9 da 91 97 d8 2f d3 99 742 32 00 21 20 3c e6 69 de de c4 4e 5e 75 53 8f cc ab 3d b0 45 fb 743 5d 21 01 19 99 e1 45 12 ee 3a b3 5f 2a f4 e9 745 ciphertext (517 octets): 16 03 01 02 00 01 00 01 fc 03 03 88 09 746 d2 a3 9b f9 ae b3 83 1d 2b 32 e4 ff f9 32 15 e4 fc 4f 25 71 79 747 71 bd 79 e8 19 41 e3 dd 9b 00 00 06 13 01 13 03 13 02 01 00 01 748 cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 749 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 750 03 01 04 00 33 00 26 00 24 00 1d 00 20 b0 31 99 c3 4d 68 2d 91 751 db 5f 58 96 10 f6 c0 9b ec e9 9c 23 c7 7c c6 0d 1e dd 0d 25 ed 752 5d be 70 00 2a 00 00 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 753 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 754 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01 00 755 15 00 57 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 756 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 757 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 758 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 759 00 00 00 00 00 00 00 29 00 dd 00 b8 00 b2 ff 09 9f 96 76 cd ff 760 8b 0b f8 82 5d 00 00 00 00 79 05 a9 d2 8e fe ef 4a 47 c6 f9 b0 761 6a 0c ec db 00 70 d9 20 b8 98 99 7c 75 b7 96 36 94 3e d4 20 46 762 a9 61 42 bd 08 4a 04 ac fa 0c 49 0f 45 2d 75 6d ea 02 c0 f9 27 763 25 9f 1f 32 31 ac 0d 54 1a 76 91 29 b7 40 ce 38 09 08 42 b8 28 764 c2 7f d7 29 f5 97 37 ba 98 aa 7b 42 e0 43 c5 da 28 f8 dc a8 59 765 0b 2d f4 10 d5 13 4f d6 c4 ca ca d8 b3 03 70 60 2a fa 35 d2 65 766 bf 4d 12 79 76 bb 36 db da 6a 62 6f 02 70 e2 0e eb c7 3d 6f ca 767 e2 b1 a0 da 12 2e e9 04 2f 76 be 56 eb f4 1a a4 69 c3 d2 c9 da 768 91 97 d8 2f d3 99 32 00 21 20 3c e6 69 de de c4 4e 5e 75 53 8f 769 cc ab 3d b0 45 fb 5d 21 01 19 99 e1 45 12 ee 3a b3 5f 2a f4 e9 771 {client} derive secret "tls13 c e traffic": 773 PRK (32 octets): 04 8b 40 aa 09 ff d4 c6 76 9c 54 1a 2f 46 e2 84 774 66 06 f7 0d 62 a6 15 97 77 29 c5 b2 81 c7 e7 15 776 hash (32 octets): 34 b6 f2 ae b0 97 8e 4d f4 3a a9 0f b0 c2 8c 75 777 c2 f8 0a f8 e6 3a 5b 22 3b c4 a1 83 04 9b 89 b9 779 info (53 octets): 00 20 11 74 6c 73 31 33 20 63 20 65 20 74 72 61 780 66 66 69 63 20 34 b6 f2 ae b0 97 8e 4d f4 3a a9 0f b0 c2 8c 75 781 c2 f8 0a f8 e6 3a 5b 22 3b c4 a1 83 04 9b 89 b9 783 output (32 octets): cb 08 b7 85 96 5c 90 ca 74 0d 54 30 7f 9b bc 784 69 88 fe e7 eb 03 98 08 ed 93 da 96 36 47 d9 1c 87 786 {client} derive secret "tls13 e exp master": 788 PRK (32 octets): 04 8b 40 aa 09 ff d4 c6 76 9c 54 1a 2f 46 e2 84 789 66 06 f7 0d 62 a6 15 97 77 29 c5 b2 81 c7 e7 15 791 hash (32 octets): 34 b6 f2 ae b0 97 8e 4d f4 3a a9 0f b0 c2 8c 75 792 c2 f8 0a f8 e6 3a 5b 22 3b c4 a1 83 04 9b 89 b9 794 info (54 octets): 00 20 12 74 6c 73 31 33 20 65 20 65 78 70 20 6d 795 61 73 74 65 72 20 34 b6 f2 ae b0 97 8e 4d f4 3a a9 0f b0 c2 8c 796 75 c2 f8 0a f8 e6 3a 5b 22 3b c4 a1 83 04 9b 89 b9 798 output (32 octets): d9 dd b0 a3 b4 b9 0c 6a 34 7e fb d3 02 e6 6b 799 f1 e8 f7 34 f0 e2 43 f2 b5 bb b2 a1 66 07 ac 18 b7 801 {client} derive write traffic keys for early application data: 803 PRK (32 octets): cb 08 b7 85 96 5c 90 ca 74 0d 54 30 7f 9b bc 69 804 88 fe e7 eb 03 98 08 ed 93 da 96 36 47 d9 1c 87 806 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 808 key output (16 octets): e8 56 97 a3 12 b9 ba e5 f9 3c 30 9b 2b ad 809 e4 85 811 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 813 iv output (12 octets): 62 12 30 34 1c c0 fb fe db 55 f6 75 815 {client} send application_data record: 817 payload (6 octets): 41 42 43 44 45 46 818 ciphertext (28 octets): 17 03 03 00 17 7c b2 38 bd c6 0b 71 2f b1 819 40 ca 0f 9b 9b 8b ef c9 ff 31 31 45 75 12 821 {server} extract secret "early" (same as client) 823 {server} calculate finished "tls13 finished" (same as client) 825 {server} create an ephemeral x25519 key pair: 827 private key (32 octets): 34 68 86 bf 49 a0 43 10 79 99 c8 5a e2 828 71 48 e2 c1 ac a0 04 38 a6 87 df c9 bb 2c f1 17 cc cc fe 830 public key (32 octets): 27 e0 06 8f 6e fd 82 54 08 eb 88 c7 4e e8 831 8d ba 83 e3 51 ed 5a 37 49 ae 94 50 5c fb d4 e7 89 28 833 {server} derive secret "tls13 c e traffic" (same as client) 835 {server} derive secret "tls13 e exp master" (same as client) 837 {server} send a ServerHello handshake message 839 {server} derive secret for handshake "tls13 derived": 841 PRK (32 octets): 04 8b 40 aa 09 ff d4 c6 76 9c 54 1a 2f 46 e2 84 842 66 06 f7 0d 62 a6 15 97 77 29 c5 b2 81 c7 e7 15 844 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 845 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 847 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 848 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 849 64 9b 93 4c a4 95 99 1b 78 52 b8 55 851 output (32 octets): 9e fc 79 87 0b 08 c4 c6 51 20 52 50 af 9b 83 852 04 79 11 b7 83 d5 d7 67 8d 7c cc e7 18 18 9e a2 ec 854 {server} extract secret "handshake": 856 salt (32 octets): 9e fc 79 87 0b 08 c4 c6 51 20 52 50 af 9b 83 04 857 79 11 b7 83 d5 d7 67 8d 7c cc e7 18 18 9e a2 ec 859 IKM (32 octets): b0 66 a1 5b c1 aa ee f8 79 0e 0b 02 e6 2f 82 dc 860 44 64 46 e3 7d 6d 61 22 b0 d3 b9 94 ef 11 dd 3c 862 secret (32 octets): ea d8 b8 c5 9a 15 df 29 d7 9f a4 ac 31 d5 f7 863 c9 0e 2e 5c 87 d9 ea fe d1 fe 69 16 cf 2f 29 37 34 865 {server} derive secret "tls13 c hs traffic": 867 PRK (32 octets): ea d8 b8 c5 9a 15 df 29 d7 9f a4 ac 31 d5 f7 c9 868 0e 2e 5c 87 d9 ea fe d1 fe 69 16 cf 2f 29 37 34 870 hash (32 octets): 57 f0 ae 2e 58 8f c2 e6 e9 a1 eb d1 a6 1e 58 f9 871 0c 8b 8d a1 fc 38 f0 cc 9e 9f 33 d2 21 bb ca 92 873 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 874 61 66 66 69 63 20 57 f0 ae 2e 58 8f c2 e6 e9 a1 eb d1 a6 1e 58 875 f9 0c 8b 8d a1 fc 38 f0 cc 9e 9f 33 d2 21 bb ca 92 877 output (32 octets): 1f c4 90 4b fb a8 99 0c 23 53 45 e7 a7 6c fc 878 78 81 a2 40 af 54 10 78 44 ce c0 51 b4 06 5b f4 c2 880 {server} derive secret "tls13 s hs traffic": 882 PRK (32 octets): ea d8 b8 c5 9a 15 df 29 d7 9f a4 ac 31 d5 f7 c9 883 0e 2e 5c 87 d9 ea fe d1 fe 69 16 cf 2f 29 37 34 885 hash (32 octets): 57 f0 ae 2e 58 8f c2 e6 e9 a1 eb d1 a6 1e 58 f9 886 0c 8b 8d a1 fc 38 f0 cc 9e 9f 33 d2 21 bb ca 92 888 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 889 61 66 66 69 63 20 57 f0 ae 2e 58 8f c2 e6 e9 a1 eb d1 a6 1e 58 890 f9 0c 8b 8d a1 fc 38 f0 cc 9e 9f 33 d2 21 bb ca 92 892 output (32 octets): 9f a7 18 12 f7 2e 9b cc b4 2b 4b 06 18 95 39 893 88 3d d5 8f 98 38 78 ef 87 29 12 3b 63 ff 18 fb 06 895 {server} derive secret for master "tls13 derived": 897 PRK (32 octets): ea d8 b8 c5 9a 15 df 29 d7 9f a4 ac 31 d5 f7 c9 898 0e 2e 5c 87 d9 ea fe d1 fe 69 16 cf 2f 29 37 34 900 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 901 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 903 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 904 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 905 64 9b 93 4c a4 95 99 1b 78 52 b8 55 907 output (32 octets): d0 83 52 8c fc 36 56 8e 69 05 c2 4b f7 3a df 908 9f ac a9 90 e3 57 0d e0 35 5f f4 35 f9 53 09 b1 26 910 {server} extract secret "master": 912 salt (32 octets): d0 83 52 8c fc 36 56 8e 69 05 c2 4b f7 3a df 9f 913 ac a9 90 e3 57 0d e0 35 5f f4 35 f9 53 09 b1 26 915 IKM (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 916 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 918 secret (32 octets): 8d f1 2b 80 e8 2e f5 9b da 63 dc 17 f1 3b 4f 919 a6 b8 05 5a 97 dd 2a 5a e4 57 5e c9 08 b2 7b be 29 921 {server} send handshake record: 923 payload (96 octets): 02 00 00 5c 03 03 22 ac 26 b0 26 b9 d5 71 70 924 2d ad 44 7e 2d 5a 54 d1 5a e1 e0 6f af 78 35 8a 3e 17 7b e8 3a 925 ce 94 00 13 01 00 00 34 00 29 00 02 00 00 00 33 00 24 00 1d 00 926 20 27 e0 06 8f 6e fd 82 54 08 eb 88 c7 4e e8 8d ba 83 e3 51 ed 927 5a 37 49 ae 94 50 5c fb d4 e7 89 28 00 2b 00 02 03 04 929 ciphertext (101 octets): 16 03 03 00 60 02 00 00 5c 03 03 22 ac 930 26 b0 26 b9 d5 71 70 2d ad 44 7e 2d 5a 54 d1 5a e1 e0 6f af 78 931 35 8a 3e 17 7b e8 3a ce 94 00 13 01 00 00 34 00 29 00 02 00 00 932 00 33 00 24 00 1d 00 20 27 e0 06 8f 6e fd 82 54 08 eb 88 c7 4e 933 e8 8d ba 83 e3 51 ed 5a 37 49 ae 94 50 5c fb d4 e7 89 28 00 2b 934 00 02 03 04 936 {server} derive write traffic keys for handshake data: 938 PRK (32 octets): 9f a7 18 12 f7 2e 9b cc b4 2b 4b 06 18 95 39 88 939 3d d5 8f 98 38 78 ef 87 29 12 3b 63 ff 18 fb 06 941 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 943 key output (16 octets): ae 83 82 f6 52 62 a0 36 0e b6 8f fb 45 15 944 52 6c 946 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 948 iv output (12 octets): 5b 5d 18 b7 ee c7 ed 46 c3 0f c1 3a 950 {server} send a EncryptedExtensions handshake message 952 {server} calculate finished "tls13 finished": 954 PRK (32 octets): 9f a7 18 12 f7 2e 9b cc b4 2b 4b 06 18 95 39 88 955 3d d5 8f 98 38 78 ef 87 29 12 3b 63 ff 18 fb 06 957 hash (0 octets): (empty) 959 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 960 64 00 962 output (32 octets): 4d 48 4e ab 01 74 3f 01 91 fd 0d c5 10 42 26 963 64 f8 67 b6 04 68 8b 5a 2f 47 12 9c 75 a0 c1 a3 63 965 {server} send a Finished handshake message 967 {server} send handshake record: 969 payload (80 octets): 08 00 00 28 00 26 00 0a 00 14 00 12 00 1d 00 970 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 00 02 40 01 971 00 00 00 00 00 2a 00 00 14 00 00 20 ef 49 51 b0 98 8b 89 1a 6b 972 9d 71 3b f2 25 a6 7a 7b 37 c2 8e ab bd 52 30 74 bc 01 aa c3 62 973 f8 e2 975 ciphertext (102 octets): 17 03 03 00 61 44 c1 e3 83 6b a6 a7 ba 976 0d ed 9d 4c f8 17 f3 29 79 d8 5c 8b 41 da 53 b2 09 55 80 3d 9e 977 a2 e3 42 ef 1a ff d6 6a 02 87 85 e2 19 6a d6 a0 db dd 27 44 3d 978 36 87 26 53 c1 96 8b 0f 9c 01 bd cf de 83 cf c1 b8 43 b7 81 90 979 ab ad 0d c3 ea 30 d1 be 40 e3 ce c8 96 19 88 ce f4 95 8f d1 6b 980 7f 1f 9e 47 41 982 {server} derive secret "tls13 c ap traffic": 984 PRK (32 octets): 8d f1 2b 80 e8 2e f5 9b da 63 dc 17 f1 3b 4f a6 985 b8 05 5a 97 dd 2a 5a e4 57 5e c9 08 b2 7b be 29 987 hash (32 octets): d9 66 db 0c cf bd 43 bc 19 68 47 fe 1a 60 3f cd 988 93 78 65 68 9c a8 76 03 6f 28 ea 20 60 a7 77 55 990 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 991 61 66 66 69 63 20 d9 66 db 0c cf bd 43 bc 19 68 47 fe 1a 60 3f 992 cd 93 78 65 68 9c a8 76 03 6f 28 ea 20 60 a7 77 55 994 output (32 octets): a8 ff a2 6f e0 c9 d1 49 3c 3d 3c 3b 32 bc a1 995 80 f5 9b ba be 25 96 df f8 b2 b0 a1 46 74 0f 8b 00 997 {server} derive secret "tls13 s ap traffic": 999 PRK (32 octets): 8d f1 2b 80 e8 2e f5 9b da 63 dc 17 f1 3b 4f a6 1000 b8 05 5a 97 dd 2a 5a e4 57 5e c9 08 b2 7b be 29 1002 hash (32 octets): d9 66 db 0c cf bd 43 bc 19 68 47 fe 1a 60 3f cd 1003 93 78 65 68 9c a8 76 03 6f 28 ea 20 60 a7 77 55 1005 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 1006 61 66 66 69 63 20 d9 66 db 0c cf bd 43 bc 19 68 47 fe 1a 60 3f 1007 cd 93 78 65 68 9c a8 76 03 6f 28 ea 20 60 a7 77 55 1009 output (32 octets): 51 a3 db 37 0b d9 f1 ae 7d e1 88 85 09 6b cb 1010 c6 1f ea 9b ce 6c cb c2 a2 76 76 4f 62 26 5a 70 9f 1012 {server} derive secret "tls13 exp master": 1014 PRK (32 octets): 8d f1 2b 80 e8 2e f5 9b da 63 dc 17 f1 3b 4f a6 1015 b8 05 5a 97 dd 2a 5a e4 57 5e c9 08 b2 7b be 29 1017 hash (32 octets): d9 66 db 0c cf bd 43 bc 19 68 47 fe 1a 60 3f cd 1018 93 78 65 68 9c a8 76 03 6f 28 ea 20 60 a7 77 55 1020 info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 1021 74 65 72 20 d9 66 db 0c cf bd 43 bc 19 68 47 fe 1a 60 3f cd 93 1022 78 65 68 9c a8 76 03 6f 28 ea 20 60 a7 77 55 1024 output (32 octets): a1 13 c3 cd ff b5 f6 5d 28 21 54 d1 09 93 54 1025 90 a0 e3 7d bd c9 e9 ca 30 8d 36 21 e4 15 e9 7a fd 1027 {server} derive write traffic keys for application data: 1029 PRK (32 octets): 51 a3 db 37 0b d9 f1 ae 7d e1 88 85 09 6b cb c6 1030 1f ea 9b ce 6c cb c2 a2 76 76 4f 62 26 5a 70 9f 1032 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1034 key output (16 octets): 27 c1 35 48 44 71 94 18 ec 91 eb 0b 14 f6 1035 75 3a 1037 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1039 iv output (12 octets): ee b3 48 83 53 db a7 3d 3a fa cd 9e 1041 {server} derive read traffic keys for early application data (same 1042 as client write traffic keys) 1044 {client} derive secret for handshake "tls13 derived": 1046 PRK (32 octets): 04 8b 40 aa 09 ff d4 c6 76 9c 54 1a 2f 46 e2 84 1047 66 06 f7 0d 62 a6 15 97 77 29 c5 b2 81 c7 e7 15 1049 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 1050 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1052 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 1053 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 1054 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1056 output (32 octets): 9e fc 79 87 0b 08 c4 c6 51 20 52 50 af 9b 83 1057 04 79 11 b7 83 d5 d7 67 8d 7c cc e7 18 18 9e a2 ec 1059 {client} extract secret "handshake": 1061 salt (32 octets): 9e fc 79 87 0b 08 c4 c6 51 20 52 50 af 9b 83 04 1062 79 11 b7 83 d5 d7 67 8d 7c cc e7 18 18 9e a2 ec 1064 IKM (32 octets): b0 66 a1 5b c1 aa ee f8 79 0e 0b 02 e6 2f 82 dc 1065 44 64 46 e3 7d 6d 61 22 b0 d3 b9 94 ef 11 dd 3c 1067 secret (32 octets): ea d8 b8 c5 9a 15 df 29 d7 9f a4 ac 31 d5 f7 1068 c9 0e 2e 5c 87 d9 ea fe d1 fe 69 16 cf 2f 29 37 34 1070 {client} derive secret "tls13 c hs traffic" (same as server) 1072 {client} derive secret "tls13 s hs traffic" (same as server) 1074 {client} derive secret for master "tls13 derived" (same as server) 1076 {client} extract secret "master" (same as server) 1078 {client} derive read traffic keys for handshake data: 1080 PRK (32 octets): 9f a7 18 12 f7 2e 9b cc b4 2b 4b 06 18 95 39 88 1081 3d d5 8f 98 38 78 ef 87 29 12 3b 63 ff 18 fb 06 1083 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1085 key output (16 octets): ae 83 82 f6 52 62 a0 36 0e b6 8f fb 45 15 1086 52 6c 1088 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1090 iv output (12 octets): 5b 5d 18 b7 ee c7 ed 46 c3 0f c1 3a 1092 {client} calculate finished "tls13 finished" (same as server) 1094 {client} derive secret "tls13 c ap traffic" (same as server) 1096 {client} derive secret "tls13 s ap traffic" (same as server) 1098 {client} derive secret "tls13 exp master" (same as server) 1100 {client} send a EndOfEarlyData handshake message 1102 {client} send handshake record: 1104 payload (4 octets): 05 00 00 00 1106 ciphertext (26 octets): 17 03 03 00 15 77 bf ce 7f c1 91 0c fa e9 1107 65 7a 05 f3 15 9c de f8 68 5a 30 cb 1109 {client} derive write traffic keys for handshake data: 1111 PRK (32 octets): 1f c4 90 4b fb a8 99 0c 23 53 45 e7 a7 6c fc 78 1112 81 a2 40 af 54 10 78 44 ce c0 51 b4 06 5b f4 c2 1114 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1116 key output (16 octets): e7 d4 94 88 a4 5c 1f 1d b4 ab 7d 7f e5 46 1117 c9 fa 1119 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1121 iv output (12 octets): a2 d1 32 5b eb 51 1a 7b 4a 20 c1 0c 1123 {client} derive read traffic keys for application data (same as 1124 server write traffic keys) 1126 {client} calculate finished "tls13 finished": 1128 PRK (32 octets): 1f c4 90 4b fb a8 99 0c 23 53 45 e7 a7 6c fc 78 1129 81 a2 40 af 54 10 78 44 ce c0 51 b4 06 5b f4 c2 1131 hash (0 octets): (empty) 1133 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 1134 64 00 1136 output (32 octets): b5 97 08 27 aa 42 a8 db ab 2b da 4c d7 67 89 1137 5a e6 9a a1 dc f1 b3 d9 78 a0 55 d0 79 80 74 50 11 1139 {client} send a Finished handshake message 1141 {client} send handshake record: 1143 payload (36 octets): 14 00 00 20 e1 75 18 96 9c 9f 46 dc 62 94 55 1144 ae cf e2 36 db a5 48 77 fc 3d a0 7a d5 9d 13 45 77 fd 51 6e 18 1146 ciphertext (58 octets): 17 03 03 00 35 d0 af c0 f5 b5 5b 5c 88 3c 1147 cf 4a 46 1f 7a a1 28 47 17 89 eb 7c e4 1b b6 f0 cd 67 a9 64 16 1148 da 6c 19 ea b0 26 b0 1d f6 89 18 58 81 46 1f 38 2f 7a 7d 63 da 1149 fa 39 1151 {client} derive write traffic keys for application data: 1153 PRK (32 octets): a8 ff a2 6f e0 c9 d1 49 3c 3d 3c 3b 32 bc a1 80 1154 f5 9b ba be 25 96 df f8 b2 b0 a1 46 74 0f 8b 00 1156 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1158 key output (16 octets): 29 ca d2 48 96 e7 df 25 ff e0 6f cd 6c 03 1159 69 09 1161 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1163 iv output (12 octets): dc 81 fc 39 54 43 9c ca e1 63 96 70 1165 {client} derive secret "tls13 res master": 1167 PRK (32 octets): 8d f1 2b 80 e8 2e f5 9b da 63 dc 17 f1 3b 4f a6 1168 b8 05 5a 97 dd 2a 5a e4 57 5e c9 08 b2 7b be 29 1170 hash (32 octets): a7 87 12 0b d8 96 6c d7 5a 05 ce 0b 9c 5b 26 da 1171 b9 6b 91 9d c3 61 a3 9e 5f d1 0a 3e 05 18 48 e4 1173 info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 1174 74 65 72 20 a7 87 12 0b d8 96 6c d7 5a 05 ce 0b 9c 5b 26 da b9 1175 6b 91 9d c3 61 a3 9e 5f d1 0a 3e 05 18 48 e4 1177 output (32 octets): b0 72 82 ae e5 10 c3 e3 83 02 f4 18 a7 fa fa 1178 9e 44 11 34 69 ae ba 27 1a a1 b6 61 ce 41 52 1c ca 1180 {server} derive read traffic keys for handshake data: 1182 PRK (32 octets): 1f c4 90 4b fb a8 99 0c 23 53 45 e7 a7 6c fc 78 1183 81 a2 40 af 54 10 78 44 ce c0 51 b4 06 5b f4 c2 1185 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1187 key output (16 octets): e7 d4 94 88 a4 5c 1f 1d b4 ab 7d 7f e5 46 1188 c9 fa 1190 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1192 iv output (12 octets): a2 d1 32 5b eb 51 1a 7b 4a 20 c1 0c 1194 {server} calculate finished "tls13 finished" (same as client) 1196 {server} derive read traffic keys for application data (same as 1197 client write traffic keys) 1199 {server} derive secret "tls13 res master" (same as client) 1200 {client} send application_data record: 1202 payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 1203 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 1204 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 1206 ciphertext (72 octets): 17 03 03 00 43 c4 83 d1 89 af 82 8c ee 40 1207 4d cb 5a 16 64 93 50 2e d9 d0 c9 18 e7 0f d8 25 0c 5f b2 13 44 1208 79 6d 3a 72 bb 0a 4b 5c 59 03 c2 a7 05 6b 82 fc 17 37 7f 72 e7 1209 b4 6a 26 a6 97 5b 7e e3 b9 0b 2a b8 65 d4 0c 3c 1211 {server} send application_data record: 1213 payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 1214 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 1215 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 1217 ciphertext (72 octets): 17 03 03 00 43 35 da 03 f1 bd 93 ac 09 82 1218 d8 8e 1a 9f 6e 0e 86 81 c1 a3 4c 6e 95 ee cf ba 10 54 c5 a2 11 1219 00 e8 7f 2b 78 ab 1f e5 a4 3f 39 a5 8e e8 40 bf 97 f5 c9 1f 97 1220 3a ce 78 eb 92 f8 27 91 2f 42 31 6d a1 7b 22 b9 1222 {client} send alert record: 1224 payload (2 octets): 01 00 1226 ciphertext (24 octets): 17 03 03 00 13 95 2b 05 3c 66 06 d8 96 08 1227 89 e1 77 51 23 0e d7 8f a0 80 1229 {server} send alert record: 1231 payload (2 octets): 01 00 1233 ciphertext (24 octets): 17 03 03 00 13 46 95 47 73 f0 bf 82 91 68 1234 34 7b 99 0b 68 bf 73 3a f5 75 1236 5. HelloRetryRequest 1238 In this example, the client initiates a handshake with an X25519 1239 [RFC7748] share. The server however prefers P-256 [FIPS186] and 1240 sends a HelloRetryRequest that requires the client to generate a key 1241 share on the P-256 curve. 1243 {client} create an ephemeral x25519 key pair: 1245 private key (32 octets): a8 f7 4c 62 7c 09 56 a7 89 81 aa 60 39 1246 e1 58 56 80 f4 af 93 c6 0b 4a 9c cc 35 1f 3c 1a c9 05 c8 1248 public key (32 octets): 28 90 65 44 eb 46 f9 bc c3 63 92 0e 28 a6 1249 4c 72 a5 ff d1 fb f5 71 06 36 c0 5b 88 ab a0 35 38 0c 1251 {client} send a ClientHello handshake message 1253 {client} send handshake record: 1255 payload (180 octets): 01 00 00 b0 03 03 8f bb 74 7c 54 ca 32 cd 1256 2b a9 d9 26 76 15 ca 2d 28 56 8c 44 0d ce 64 e3 4a 3e f6 bc 7e 1257 98 e9 d3 00 00 06 13 01 13 03 13 02 01 00 00 81 00 00 00 0b 00 1258 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06 1259 00 1d 00 17 00 18 00 33 00 26 00 24 00 1d 00 20 28 90 65 44 eb 1260 46 f9 bc c3 63 92 0e 28 a6 4c 72 a5 ff d1 fb f5 71 06 36 c0 5b 1261 88 ab a0 35 38 0c 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 1262 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 1263 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01 1265 ciphertext (185 octets): 16 03 01 00 b4 01 00 00 b0 03 03 8f bb 1266 74 7c 54 ca 32 cd 2b a9 d9 26 76 15 ca 2d 28 56 8c 44 0d ce 64 1267 e3 4a 3e f6 bc 7e 98 e9 d3 00 00 06 13 01 13 03 13 02 01 00 00 1268 81 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 1269 00 0a 00 08 00 06 00 1d 00 17 00 18 00 33 00 26 00 24 00 1d 00 1270 20 28 90 65 44 eb 46 f9 bc c3 63 92 0e 28 a6 4c 72 a5 ff d1 fb 1271 f5 71 06 36 c0 5b 88 ab a0 35 38 0c 00 2b 00 03 02 03 04 00 0d 1272 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 1273 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 1c 1274 00 02 40 01 1276 {server} send a ServerHello handshake message 1278 {server} send handshake record: 1280 payload (176 octets): 02 00 00 ac 03 03 cf 21 ad 74 e5 9a 61 11 1281 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 9e 09 e2 c8 1282 a8 33 9c 00 13 01 00 00 84 00 33 00 02 00 17 00 2c 00 74 00 72 1283 f7 b8 f7 e4 4a 25 b1 e4 15 e3 a1 d4 00 00 00 00 65 a4 46 6b 5a 1284 a7 aa eb be d0 bc 0b 6d 96 5a 58 00 30 df ac fb a2 00 23 21 e1 1285 2a ec 00 07 b4 da c5 d1 65 20 c4 46 f0 18 49 37 ea 29 a3 07 01 1286 78 a7 fc 5b 0f f8 3d b3 f6 7d 0c 13 a6 a5 df e6 b9 09 87 8b 44 1287 ec 76 80 e7 86 75 60 fe bf ed c9 1f af 1a 87 19 1b a8 c3 c8 cd 1288 96 2f 88 13 ff 3f 47 96 ae 00 2b 00 02 03 04 1290 ciphertext (181 octets): 16 03 03 00 b0 02 00 00 ac 03 03 cf 21 1291 ad 74 e5 9a 61 11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 1292 5e 07 9e 09 e2 c8 a8 33 9c 00 13 01 00 00 84 00 33 00 02 00 17 1293 00 2c 00 74 00 72 f7 b8 f7 e4 4a 25 b1 e4 15 e3 a1 d4 00 00 00 1294 00 65 a4 46 6b 5a a7 aa eb be d0 bc 0b 6d 96 5a 58 00 30 df ac 1295 fb a2 00 23 21 e1 2a ec 00 07 b4 da c5 d1 65 20 c4 46 f0 18 49 1296 37 ea 29 a3 07 01 78 a7 fc 5b 0f f8 3d b3 f6 7d 0c 13 a6 a5 df 1297 e6 b9 09 87 8b 44 ec 76 80 e7 86 75 60 fe bf ed c9 1f af 1a 87 1298 19 1b a8 c3 c8 cd 96 2f 88 13 ff 3f 47 96 ae 00 2b 00 02 03 04 1300 {client} create an ephemeral P-256 key pair: 1302 private key (32 octets): 73 eb 34 d9 e6 f4 90 00 0d 35 bc 12 94 1303 f1 ea 1c 3f 2b f9 95 56 0a 1f 35 a2 b9 cb 21 13 d5 48 b1 1305 public key (65 octets): 04 35 8d 1d 9c a8 f6 79 5d fa fd 0d d3 88 1306 14 65 67 20 14 9b bc 1b 39 8a a1 46 a2 0f 60 d6 17 db 9f 02 68 1307 3d ac 20 ac 2c 06 a3 a5 ef a3 e2 12 49 03 d6 d2 eb a7 65 b4 42 1308 90 1f 15 51 28 f7 e7 0e 06 1310 {client} send a ClientHello handshake message 1312 {client} send handshake record: 1314 payload (512 octets): 01 00 01 fc 03 03 8f bb 74 7c 54 ca 32 cd 1315 2b a9 d9 26 76 15 ca 2d 28 56 8c 44 0d ce 64 e3 4a 3e f6 bc 7e 1316 98 e9 d3 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00 1317 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06 1318 00 1d 00 17 00 18 00 33 00 47 00 45 00 17 00 41 04 35 8d 1d 9c 1319 a8 f6 79 5d fa fd 0d d3 88 14 65 67 20 14 9b bc 1b 39 8a a1 46 1320 a2 0f 60 d6 17 db 9f 02 68 3d ac 20 ac 2c 06 a3 a5 ef a3 e2 12 1321 49 03 d6 d2 eb a7 65 b4 42 90 1f 15 51 28 f7 e7 0e 06 00 2b 00 1322 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 1323 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2c 1324 00 74 00 72 f7 b8 f7 e4 4a 25 b1 e4 15 e3 a1 d4 00 00 00 00 65 1325 a4 46 6b 5a a7 aa eb be d0 bc 0b 6d 96 5a 58 00 30 df ac fb a2 1326 00 23 21 e1 2a ec 00 07 b4 da c5 d1 65 20 c4 46 f0 18 49 37 ea 1327 29 a3 07 01 78 a7 fc 5b 0f f8 3d b3 f6 7d 0c 13 a6 a5 df e6 b9 1328 09 87 8b 44 ec 76 80 e7 86 75 60 fe bf ed c9 1f af 1a 87 19 1b 1329 a8 c3 c8 cd 96 2f 88 13 ff 3f 47 96 ae 00 2d 00 02 01 01 00 1c 1330 00 02 40 01 00 15 00 af 00 00 00 00 00 00 00 00 00 00 00 00 00 1331 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1332 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1333 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1334 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1335 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1336 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1337 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1338 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1340 ciphertext (517 octets): 16 03 03 02 00 01 00 01 fc 03 03 8f bb 1341 74 7c 54 ca 32 cd 2b a9 d9 26 76 15 ca 2d 28 56 8c 44 0d ce 64 1342 e3 4a 3e f6 bc 7e 98 e9 d3 00 00 06 13 01 13 03 13 02 01 00 01 1343 cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 1344 00 0a 00 08 00 06 00 1d 00 17 00 18 00 33 00 47 00 45 00 17 00 1345 41 04 35 8d 1d 9c a8 f6 79 5d fa fd 0d d3 88 14 65 67 20 14 9b 1346 bc 1b 39 8a a1 46 a2 0f 60 d6 17 db 9f 02 68 3d ac 20 ac 2c 06 1347 a3 a5 ef a3 e2 12 49 03 d6 d2 eb a7 65 b4 42 90 1f 15 51 28 f7 1348 e7 0e 06 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 1349 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 1350 06 02 02 02 00 2c 00 74 00 72 f7 b8 f7 e4 4a 25 b1 e4 15 e3 a1 1351 d4 00 00 00 00 65 a4 46 6b 5a a7 aa eb be d0 bc 0b 6d 96 5a 58 1352 00 30 df ac fb a2 00 23 21 e1 2a ec 00 07 b4 da c5 d1 65 20 c4 1353 46 f0 18 49 37 ea 29 a3 07 01 78 a7 fc 5b 0f f8 3d b3 f6 7d 0c 1354 13 a6 a5 df e6 b9 09 87 8b 44 ec 76 80 e7 86 75 60 fe bf ed c9 1355 1f af 1a 87 19 1b a8 c3 c8 cd 96 2f 88 13 ff 3f 47 96 ae 00 2d 1356 00 02 01 01 00 1c 00 02 40 01 00 15 00 af 00 00 00 00 00 00 00 1357 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1358 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1359 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1361 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1362 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1363 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1364 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1366 {server} extract secret "early": 1368 salt: (absent) 1370 IKM (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1371 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1373 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c 1374 e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 1376 {server} create an ephemeral P-256 key pair: 1378 private key (32 octets): 22 da f5 8e bd 87 da df 82 8e 6f 8c 5d 1379 c0 43 df 88 be 8b 63 45 02 44 5c 5c 46 3f 4f f4 2d 37 7b 1381 public key (65 octets): 04 3c ff 48 7b 22 65 d1 42 f8 08 c0 65 ff 1382 32 b1 2c b3 a6 08 58 25 6f 15 cd de 4e 94 6a 3c b6 67 1a a9 65 1383 2c 31 8d 06 ec d6 5c 84 60 04 58 4a d9 79 d5 47 5c 7e 6b 9d 22 1384 7a 14 2c 16 da 45 ac 8b d4 1386 {server} send a ServerHello handshake message 1388 {server} derive secret for handshake "tls13 derived": 1390 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 1391 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 1393 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 1394 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1396 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 1397 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 1398 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1400 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 1401 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 1403 {server} extract secret "handshake": 1405 salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 1406 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 1408 IKM (32 octets): 65 ab 95 4f 48 f4 18 7d bd 5f 83 6f 63 95 86 5b 1409 87 a4 39 98 ef ae 26 ad 24 4c ba d2 aa 2c e4 69 1411 secret (32 octets): 86 69 c5 a3 9b 4a fb fb 02 93 d4 a7 20 0f aa 1412 b7 a4 95 e9 3a 7a c3 3f 8a c5 16 24 20 04 df 28 7a 1414 {server} derive secret "tls13 c hs traffic": 1416 PRK (32 octets): 86 69 c5 a3 9b 4a fb fb 02 93 d4 a7 20 0f aa b7 1417 a4 95 e9 3a 7a c3 3f 8a c5 16 24 20 04 df 28 7a 1419 hash (32 octets): b3 c1 a8 be 98 f4 11 09 a0 ec 84 d6 0a d0 f8 03 1420 cc 0e 3c d8 7a b2 9a 67 fc 17 2e 76 ee 96 69 f5 1422 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 1423 61 66 66 69 63 20 b3 c1 a8 be 98 f4 11 09 a0 ec 84 d6 0a d0 f8 1424 03 cc 0e 3c d8 7a b2 9a 67 fc 17 2e 76 ee 96 69 f5 1426 output (32 octets): 37 7b ec 72 bf e0 e9 93 89 e5 e9 13 e2 b2 95 1427 9b f6 22 13 87 0f fb da 69 25 ae 17 ce de 4b 0c 01 1429 {server} derive secret "tls13 s hs traffic": 1431 PRK (32 octets): 86 69 c5 a3 9b 4a fb fb 02 93 d4 a7 20 0f aa b7 1432 a4 95 e9 3a 7a c3 3f 8a c5 16 24 20 04 df 28 7a 1434 hash (32 octets): b3 c1 a8 be 98 f4 11 09 a0 ec 84 d6 0a d0 f8 03 1435 cc 0e 3c d8 7a b2 9a 67 fc 17 2e 76 ee 96 69 f5 1437 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 1438 61 66 66 69 63 20 b3 c1 a8 be 98 f4 11 09 a0 ec 84 d6 0a d0 f8 1439 03 cc 0e 3c d8 7a b2 9a 67 fc 17 2e 76 ee 96 69 f5 1441 output (32 octets): 19 93 fc e3 6b d1 f0 4e c1 0d 14 b6 9d 3e 12 1442 8e 61 35 d5 1f 62 5e 14 b7 a6 c2 15 4c 63 80 21 a7 1444 {server} derive secret for master "tls13 derived": 1446 PRK (32 octets): 86 69 c5 a3 9b 4a fb fb 02 93 d4 a7 20 0f aa b7 1447 a4 95 e9 3a 7a c3 3f 8a c5 16 24 20 04 df 28 7a 1449 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 1450 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1452 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 1453 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 1454 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1456 output (32 octets): 32 25 e8 e6 82 c8 0f 84 51 c2 69 99 ca 10 99 1457 36 69 68 8d 8c 6f 82 82 e6 94 18 37 5b 7e 10 6d 51 1459 {server} extract secret "master": 1461 salt (32 octets): 32 25 e8 e6 82 c8 0f 84 51 c2 69 99 ca 10 99 36 1462 69 68 8d 8c 6f 82 82 e6 94 18 37 5b 7e 10 6d 51 1464 IKM (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1465 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1467 secret (32 octets): a6 57 77 cf ab f2 b2 7d fc 68 75 6f 4e fd 2d 1468 f9 a3 ff 0d c3 2e c3 0e 62 5f 2e 7e 18 14 a4 d2 b9 1470 {server} send handshake record: 1472 payload (123 octets): 02 00 00 77 03 03 3f 2c 62 94 55 ca 56 6e 1473 8e a2 43 7d f8 73 e2 c4 06 bc a6 1a 51 da 4d b6 cb 7e 95 63 7d 1474 51 42 7e 00 13 01 00 00 4f 00 33 00 45 00 17 00 41 04 3c ff 48 1475 7b 22 65 d1 42 f8 08 c0 65 ff 32 b1 2c b3 a6 08 58 25 6f 15 cd 1476 de 4e 94 6a 3c b6 67 1a a9 65 2c 31 8d 06 ec d6 5c 84 60 04 58 1477 4a d9 79 d5 47 5c 7e 6b 9d 22 7a 14 2c 16 da 45 ac 8b d4 00 2b 1478 00 02 03 04 1480 ciphertext (128 octets): 16 03 03 00 7b 02 00 00 77 03 03 3f 2c 1481 62 94 55 ca 56 6e 8e a2 43 7d f8 73 e2 c4 06 bc a6 1a 51 da 4d 1482 b6 cb 7e 95 63 7d 51 42 7e 00 13 01 00 00 4f 00 33 00 45 00 17 1483 00 41 04 3c ff 48 7b 22 65 d1 42 f8 08 c0 65 ff 32 b1 2c b3 a6 1484 08 58 25 6f 15 cd de 4e 94 6a 3c b6 67 1a a9 65 2c 31 8d 06 ec 1485 d6 5c 84 60 04 58 4a d9 79 d5 47 5c 7e 6b 9d 22 7a 14 2c 16 da 1486 45 ac 8b d4 00 2b 00 02 03 04 1488 {server} derive write traffic keys for handshake data: 1490 PRK (32 octets): 19 93 fc e3 6b d1 f0 4e c1 0d 14 b6 9d 3e 12 8e 1491 61 35 d5 1f 62 5e 14 b7 a6 c2 15 4c 63 80 21 a7 1493 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1495 key output (16 octets): 0d d2 f3 46 9c de 17 30 9f c3 0c 61 64 8d 1496 13 b4 1498 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1500 iv output (12 octets): 9e 33 da a8 b6 e9 71 d3 ad 89 ce 2c 1502 {server} send a EncryptedExtensions handshake message 1504 {server} send a Certificate handshake message 1506 {server} send a CertificateVerify handshake message 1508 {server} calculate finished "tls13 finished": 1510 PRK (32 octets): 19 93 fc e3 6b d1 f0 4e c1 0d 14 b6 9d 3e 12 8e 1511 61 35 d5 1f 62 5e 14 b7 a6 c2 15 4c 63 80 21 a7 1513 hash (0 octets): (empty) 1515 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 1516 64 00 1518 output (32 octets): e2 03 13 64 a4 a5 64 fc 3f f0 da 32 3b 2b 95 1519 c3 9b 9a be 54 8a c7 19 e8 16 3d 7c c6 9f b6 6b 4c 1521 {server} send a Finished handshake message 1523 {server} send handshake record: 1525 payload (645 octets): 08 00 00 18 00 16 00 0a 00 08 00 06 00 17 1526 00 18 00 1d 00 1c 00 02 40 01 00 00 00 00 0b 00 01 b9 00 00 01 1527 b5 00 01 b0 30 82 01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 1528 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 1529 03 55 04 03 13 03 72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 1530 32 33 35 39 5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 1531 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 1532 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 1533 81 00 b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 1534 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 1535 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 1536 a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 1537 5f da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 1538 d1 d0 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 1539 9f 7f 1e 3f 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 1540 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 1541 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 1542 6b 90 8c 65 f7 3a 72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 1543 94 36 54 17 f2 ea e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 1544 5b 80 f2 1a 03 01 51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 1545 2e 60 8c ca e6 be c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 1546 b9 eb 2b d5 20 3b 1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 1547 40 2d cc 0c c8 f8 96 12 29 ac 91 87 b4 2b 4d e1 00 00 0f 00 00 1548 84 08 04 00 80 6b b7 6f a4 24 aa d9 99 c2 72 49 23 c1 6c 5e 44 1549 6d 47 2e d4 2c e2 0b 66 f6 e3 3c c0 9a b6 84 09 24 30 17 45 f4 1550 48 f8 22 e8 cd b1 e7 1e 74 2f 41 91 8e df a3 37 54 42 11 11 6c 1551 33 3a 36 9f a8 97 61 07 6d d6 71 3a 28 e0 7a 22 4f c6 4d 1f dc 1552 8d 6f 23 01 90 05 36 f4 a9 2c 00 8d 09 9a cb 68 d8 15 9c ff f0 1553 ac c3 71 f8 9e 4a f0 19 b2 35 f0 c5 1d 71 a4 21 b8 ca 8d 03 36 1554 87 00 74 ce 7b 05 8a 14 00 00 20 d2 0d 7e 67 8b 35 c0 03 2e 96 1555 37 6f 7a 49 40 bc f3 20 4b 90 3e cf 90 ed af ec eb 95 f3 02 3d 1556 32 1558 ciphertext (667 octets): 17 03 03 02 96 68 9c 22 eb eb c7 1d df 1559 1b 02 14 96 5a 39 a0 61 bf 12 af 84 c2 ee 0e 12 13 ae 3e 1c ab 1560 c0 ce ca c6 06 37 3e 81 eb 3f 61 55 5e e5 a4 58 bf d4 3e db e1 1561 f2 eb 0c b8 28 01 27 9e 02 15 8c 7b 50 3b 86 a1 42 a7 56 c4 1e 1562 d2 40 b8 0f e8 c4 b1 93 66 ec f1 ac 3a b7 64 f0 c5 37 7a ef 35 1563 6f 27 d6 01 3e af 26 ad bc 72 fc 49 4b 6e bc 9d c2 55 75 44 18 1564 38 cf 02 9e 73 05 72 7e f8 0d 7b 7d 51 21 2e d4 d8 8a f5 bc 1a 1565 80 37 8e 1c 6a 28 8e e5 14 75 7b ea b7 8a 48 af fc 89 7c 49 20 1566 2c fd ed 99 a7 81 05 cf 87 69 a4 c3 00 1b 81 82 66 67 03 ce c8 1567 0b 15 a2 c4 61 68 f8 cb 44 23 70 e6 1c 4d cd f5 bc c0 25 53 f7 1568 50 31 10 11 9f 15 0e 05 94 d5 a3 63 b2 7e 27 72 dc 96 79 24 d3 1569 d6 ce b8 6e 7d d0 01 6b 8f 33 92 51 36 e4 69 6c 6d 43 38 4b 31 1570 12 ec 7c 15 8a f6 88 ce 18 83 26 67 b4 ff fe 2a c4 17 4a 98 eb 1571 fd c9 17 45 1c 96 76 a4 f3 21 f1 65 64 ec 23 90 ba 37 c3 00 b1 1572 e7 a9 da 6c ce b2 ac 0c 45 13 5b 66 84 32 2b b2 34 f9 46 70 2a 1573 c2 42 c7 55 7c 71 f0 ee 65 a6 c9 a7 93 24 d6 94 fe 1f 7f b2 67 1574 ce 6e 83 22 5c 9f 10 b5 b8 8d db 25 53 5b f6 cc 73 2f c7 da 79 1575 b8 09 28 90 82 7a 00 97 11 74 a5 f0 90 30 d0 b9 bb 5f 22 8b 08 1576 f7 aa 2f 7c 2c 57 ac 9b 7d 69 c8 1d 56 f0 db 07 98 9e 87 4c 4e 1577 42 0e d8 32 aa 87 4d 72 c3 c9 36 c0 85 00 f5 aa 3a 9a 9c 8f 76 1578 f7 41 b7 dc 20 82 ab 8b 8f f4 e7 4e 8b 47 e6 6b 26 fc c6 ff bc 1579 9a 68 b0 5b 1a db 37 bf 6e da 22 99 23 ee 4b 40 f6 3c 34 90 c6 1580 63 f6 82 f4 12 58 25 5e 94 2a 36 7a cd 0c 7d f9 c8 7e 6a 75 5e 1581 53 7e 7e 1a cb ba b7 b1 a4 30 b9 26 75 e4 5c 97 58 14 ed 91 7e 1582 78 30 7a 5f 99 6b 87 47 f4 41 ca 36 93 2d 45 d5 2a 0b b1 48 6a 1583 6f 53 75 0d 01 23 f0 8a d7 70 ca c6 8c 00 d2 84 e3 ac 09 05 80 1584 68 ca af d4 f9 ae 46 92 04 01 cb 57 9c c4 67 ad f7 67 80 08 c5 1585 95 32 06 51 e5 8c 92 cc 99 a6 62 9d 5f bd 57 34 ac 3f cc 34 21 1586 5d 31 b6 09 d2 c7 86 11 00 f4 70 12 ae 8d dc 40 bd ba b9 fa 72 1587 2a e6 cc 2a bb b8 93 14 fb 06 be 8f 2f 2b cb 65 af 5b 1e ba 49 1588 c5 9e af 94 a1 a0 f9 33 53 f6 e2 fb 84 c9 48 0c cb 35 be 46 cb 1589 cd 3f b4 12 64 87 f0 72 eb d8 e5 62 5d c9 aa e7 b0 7b 93 e8 de 1590 34 21 6f 1592 {server} derive secret "tls13 c ap traffic": 1594 PRK (32 octets): a6 57 77 cf ab f2 b2 7d fc 68 75 6f 4e fd 2d f9 1595 a3 ff 0d c3 2e c3 0e 62 5f 2e 7e 18 14 a4 d2 b9 1597 hash (32 octets): 6c 45 a9 b1 b6 a9 d8 18 94 52 79 25 8e cc 16 fa 1598 33 9c e6 c6 37 17 56 1c 67 ee b2 ca 27 dc d0 0e 1600 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 1601 61 66 66 69 63 20 6c 45 a9 b1 b6 a9 d8 18 94 52 79 25 8e cc 16 1602 fa 33 9c e6 c6 37 17 56 1c 67 ee b2 ca 27 dc d0 0e 1604 output (32 octets): f3 72 b2 bf 29 76 71 90 a8 e0 fd 31 33 47 d8 1605 15 14 2c 37 76 3d c1 00 78 71 91 1f 7b 5c 31 0d 40 1607 {server} derive secret "tls13 s ap traffic": 1609 PRK (32 octets): a6 57 77 cf ab f2 b2 7d fc 68 75 6f 4e fd 2d f9 1610 a3 ff 0d c3 2e c3 0e 62 5f 2e 7e 18 14 a4 d2 b9 1612 hash (32 octets): 6c 45 a9 b1 b6 a9 d8 18 94 52 79 25 8e cc 16 fa 1613 33 9c e6 c6 37 17 56 1c 67 ee b2 ca 27 dc d0 0e 1615 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 1616 61 66 66 69 63 20 6c 45 a9 b1 b6 a9 d8 18 94 52 79 25 8e cc 16 1617 fa 33 9c e6 c6 37 17 56 1c 67 ee b2 ca 27 dc d0 0e 1619 output (32 octets): a8 b8 89 78 fb a9 0f 05 7c 52 c6 77 6a 01 1a 1620 d5 64 bc 4d 38 ee 6c d7 45 4b a2 21 c2 89 10 08 7a 1622 {server} derive secret "tls13 exp master": 1624 PRK (32 octets): a6 57 77 cf ab f2 b2 7d fc 68 75 6f 4e fd 2d f9 1625 a3 ff 0d c3 2e c3 0e 62 5f 2e 7e 18 14 a4 d2 b9 1627 hash (32 octets): 6c 45 a9 b1 b6 a9 d8 18 94 52 79 25 8e cc 16 fa 1628 33 9c e6 c6 37 17 56 1c 67 ee b2 ca 27 dc d0 0e 1630 info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 1631 74 65 72 20 6c 45 a9 b1 b6 a9 d8 18 94 52 79 25 8e cc 16 fa 33 1632 9c e6 c6 37 17 56 1c 67 ee b2 ca 27 dc d0 0e 1634 output (32 octets): de e8 d9 7e ec e8 97 93 e4 5d 63 b4 10 18 88 1635 df 06 a4 d3 63 c9 d8 ff af ef 2e bd 10 64 4d bc 42 1637 {server} derive write traffic keys for application data: 1639 PRK (32 octets): a8 b8 89 78 fb a9 0f 05 7c 52 c6 77 6a 01 1a d5 1640 64 bc 4d 38 ee 6c d7 45 4b a2 21 c2 89 10 08 7a 1642 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1644 key output (16 octets): df 25 5c 0d f2 0f 01 26 2c 77 1c b8 74 67 1645 7b 4a 1647 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1649 iv output (12 octets): 90 89 9d 4b ab a4 31 d1 e3 1b f7 02 1651 {server} derive read traffic keys for handshake data: 1653 PRK (32 octets): 37 7b ec 72 bf e0 e9 93 89 e5 e9 13 e2 b2 95 9b 1654 f6 22 13 87 0f fb da 69 25 ae 17 ce de 4b 0c 01 1656 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1658 key output (16 octets): 67 b6 7b 0d c0 12 44 92 42 dd ad ff c0 b1 1659 7c 7e 1661 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1663 iv output (12 octets): 52 ac 28 15 2f f3 e1 26 02 60 08 cb 1665 {client} extract secret "early": 1667 salt: (absent) 1669 IKM (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1670 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1672 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c 1673 e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 1675 {client} derive secret for handshake "tls13 derived": 1677 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 1678 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 1680 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 1681 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1683 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 1684 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 1685 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1687 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 1688 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 1690 {client} extract secret "handshake": 1692 salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 1693 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 1695 IKM (32 octets): 65 ab 95 4f 48 f4 18 7d bd 5f 83 6f 63 95 86 5b 1696 87 a4 39 98 ef ae 26 ad 24 4c ba d2 aa 2c e4 69 1698 secret (32 octets): 86 69 c5 a3 9b 4a fb fb 02 93 d4 a7 20 0f aa 1699 b7 a4 95 e9 3a 7a c3 3f 8a c5 16 24 20 04 df 28 7a 1701 {client} derive secret "tls13 c hs traffic" (same as server) 1703 {client} derive secret "tls13 s hs traffic" (same as server) 1705 {client} derive secret for master "tls13 derived" (same as server) 1707 {client} extract secret "master" (same as server) 1709 {client} derive read traffic keys for handshake data: 1711 PRK (32 octets): 19 93 fc e3 6b d1 f0 4e c1 0d 14 b6 9d 3e 12 8e 1712 61 35 d5 1f 62 5e 14 b7 a6 c2 15 4c 63 80 21 a7 1714 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1716 key output (16 octets): 0d d2 f3 46 9c de 17 30 9f c3 0c 61 64 8d 1717 13 b4 1719 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1721 iv output (12 octets): 9e 33 da a8 b6 e9 71 d3 ad 89 ce 2c 1723 {client} calculate finished "tls13 finished" (same as server) 1725 {client} derive secret "tls13 c ap traffic" (same as server) 1727 {client} derive secret "tls13 s ap traffic" (same as server) 1729 {client} derive secret "tls13 exp master" (same as server) 1730 {client} derive write traffic keys for handshake data (same as 1731 server read traffic keys) 1733 {client} derive read traffic keys for application data (same as 1734 server write traffic keys) 1736 {client} calculate finished "tls13 finished": 1738 PRK (32 octets): 37 7b ec 72 bf e0 e9 93 89 e5 e9 13 e2 b2 95 9b 1739 f6 22 13 87 0f fb da 69 25 ae 17 ce de 4b 0c 01 1741 hash (0 octets): (empty) 1743 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 1744 64 00 1746 output (32 octets): 19 4b 6b 62 26 c8 11 3f e1 24 2a 2b 08 9d 39 1747 9a 26 83 ee 49 68 d9 ff 9b de c3 dd df 25 83 a0 a6 1749 {client} send a Finished handshake message 1751 {client} send handshake record: 1753 payload (36 octets): 14 00 00 20 a7 da 09 8b 9b 26 83 71 64 64 1f 1754 9d 0d 1b de c6 e8 eb 48 35 6b e7 c0 b1 7b 6d 19 4b 4b 8f a1 fd 1756 ciphertext (58 octets): 17 03 03 00 35 87 b5 65 69 20 5c c2 cc c4 1757 53 67 58 88 e4 d8 79 1c 5d cf f4 26 cf 1a 88 57 84 50 54 bf 28 1758 37 3b 9a 8e d0 99 e1 e8 31 77 fb da 25 b3 78 7a ae 3c e1 f1 a0 1759 a7 af 1761 {client} derive write traffic keys for application data: 1763 PRK (32 octets): f3 72 b2 bf 29 76 71 90 a8 e0 fd 31 33 47 d8 15 1764 14 2c 37 76 3d c1 00 78 71 91 1f 7b 5c 31 0d 40 1766 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1768 key output (16 octets): 06 ea a9 34 99 1d 0b 76 0d 56 9f 8e bb 79 1769 22 8b 1771 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1773 iv output (12 octets): 87 c0 5d f1 e8 a1 87 ba 4f e3 28 b3 1775 {client} derive secret "tls13 res master": 1777 PRK (32 octets): a6 57 77 cf ab f2 b2 7d fc 68 75 6f 4e fd 2d f9 1778 a3 ff 0d c3 2e c3 0e 62 5f 2e 7e 18 14 a4 d2 b9 1780 hash (32 octets): f6 d2 e9 99 c9 ce 6e 62 67 b3 83 3d d9 10 cd 91 1781 92 4a f6 89 00 66 d8 51 bd 9e f2 01 65 6c d6 c8 1783 info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 1784 74 65 72 20 f6 d2 e9 99 c9 ce 6e 62 67 b3 83 3d d9 10 cd 91 92 1785 4a f6 89 00 66 d8 51 bd 9e f2 01 65 6c d6 c8 1787 output (32 octets): 1f 63 61 ef 0f 9d fe 19 ac 0f eb 5d 87 51 5f 1788 ad 41 92 67 6b 79 61 ea 85 fc 2b 31 ba a0 c1 1f fa 1790 {server} calculate finished "tls13 finished" (same as client) 1792 {server} derive read traffic keys for application data (same as 1793 client write traffic keys) 1795 {server} derive secret "tls13 res master" (same as client) 1797 {client} send alert record: 1799 payload (2 octets): 01 00 1801 ciphertext (24 octets): 17 03 03 00 13 a1 93 82 ba 6a cc c4 d0 df 1802 e3 46 c6 5b b3 ff 01 95 6f 26 1804 {server} send alert record: 1806 payload (2 octets): 01 00 1808 ciphertext (24 octets): 17 03 03 00 13 6a c7 95 b6 5c a3 13 33 30 1809 22 5c c3 a8 0b 28 f2 39 d2 e9 1811 6. Client Authentication 1813 In this example, the server requests client authentication. The 1814 client uses a certificate with an RSA key, the server uses an ECDSA 1815 certificate with a P-256 key. Note that private keys for this 1816 example are not included in the draft. 1818 {client} create an ephemeral x25519 key pair: 1820 private key (32 octets): 51 51 41 c1 11 7c f2 f1 81 f0 63 41 08 1821 da 12 41 26 df 69 36 21 2b b4 8c 0a 48 b6 86 4d 14 8a 35 1823 public key (32 octets): 8e 61 95 b8 3b ea 47 57 fc 4f c5 c9 cc 73 1824 2b 87 10 c0 fe 12 1f dc 3b 46 53 85 0e c0 68 bd 6a 03 1826 {client} send a ClientHello handshake message 1828 {client} send handshake record: 1830 payload (192 octets): 01 00 00 bc 03 03 72 be 9e 03 79 d1 64 11 1831 d3 5d a6 b5 56 16 bc 37 5d a6 40 55 2b ca 71 9d ae 41 90 f3 94 1832 39 d8 5a 00 00 06 13 01 13 03 13 02 01 00 00 8d 00 00 00 0b 00 1833 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 1834 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00 1835 26 00 24 00 1d 00 20 8e 61 95 b8 3b ea 47 57 fc 4f c5 c9 cc 73 1836 2b 87 10 c0 fe 12 1f dc 3b 46 53 85 0e c0 68 bd 6a 03 00 2b 00 1837 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 1838 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 1839 00 02 01 01 00 1c 00 02 40 01 1841 ciphertext (197 octets): 16 03 01 00 c0 01 00 00 bc 03 03 72 be 1842 9e 03 79 d1 64 11 d3 5d a6 b5 56 16 bc 37 5d a6 40 55 2b ca 71 1843 9d ae 41 90 f3 94 39 d8 5a 00 00 06 13 01 13 03 13 02 01 00 00 1844 8d 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 1845 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 1846 03 01 04 00 33 00 26 00 24 00 1d 00 20 8e 61 95 b8 3b ea 47 57 1847 fc 4f c5 c9 cc 73 2b 87 10 c0 fe 12 1f dc 3b 46 53 85 0e c0 68 1848 bd 6a 03 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 1849 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 1850 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01 1852 {server} extract secret "early": 1854 salt: (absent) 1856 IKM (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1857 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1859 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c 1860 e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 1862 {server} create an ephemeral x25519 key pair: 1864 private key (32 octets): 82 0f ba 6b 13 3f a3 bb 45 4e a0 fe 61 1865 7e 50 3a 74 c3 09 b3 82 28 07 71 7d e1 ee 3f ee 17 27 57 1867 public key (32 octets): 23 dc 3e 49 2e c4 56 63 c3 ad b5 17 ec 8e 1868 ef a6 5b 76 c0 cf 21 21 f4 af f5 09 50 0c 05 19 7f 0a 1870 {server} send a ServerHello handshake message 1872 {server} derive secret for handshake "tls13 derived": 1874 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 1875 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 1877 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 1878 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1880 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 1881 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 1882 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1884 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 1885 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 1887 {server} extract secret "handshake": 1889 salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 1890 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 1892 IKM (32 octets): b2 0d 9a cb a0 e0 38 1d 9f f5 1e 9d 7c b8 ba 18 1893 a9 ba 63 7e e5 93 08 13 da 7f f8 62 e6 62 44 45 1895 secret (32 octets): ba c8 e6 23 e4 82 31 e5 f0 96 4f fc 3b f3 5a 1896 e4 bc 65 59 1a 9e 1a cf f3 6d 18 3f d6 0a 26 bc e6 1898 {server} derive secret "tls13 c hs traffic": 1900 PRK (32 octets): ba c8 e6 23 e4 82 31 e5 f0 96 4f fc 3b f3 5a e4 1901 bc 65 59 1a 9e 1a cf f3 6d 18 3f d6 0a 26 bc e6 1903 hash (32 octets): 58 7e dd f9 47 f8 d1 4f e6 32 6b 07 c3 11 0c b7 1904 33 89 d7 ba ed de 2f e3 04 7d 77 20 19 90 2e 4c 1906 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 1907 61 66 66 69 63 20 58 7e dd f9 47 f8 d1 4f e6 32 6b 07 c3 11 0c 1908 b7 33 89 d7 ba ed de 2f e3 04 7d 77 20 19 90 2e 4c 1910 output (32 octets): 23 03 a8 1a 55 a9 e2 92 d3 23 cd c8 9a b2 dd 1911 a1 63 40 f8 4f d9 dd 99 5c 72 50 c3 3e d3 82 b2 db 1913 {server} derive secret "tls13 s hs traffic": 1915 PRK (32 octets): ba c8 e6 23 e4 82 31 e5 f0 96 4f fc 3b f3 5a e4 1916 bc 65 59 1a 9e 1a cf f3 6d 18 3f d6 0a 26 bc e6 1918 hash (32 octets): 58 7e dd f9 47 f8 d1 4f e6 32 6b 07 c3 11 0c b7 1919 33 89 d7 ba ed de 2f e3 04 7d 77 20 19 90 2e 4c 1921 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 1922 61 66 66 69 63 20 58 7e dd f9 47 f8 d1 4f e6 32 6b 07 c3 11 0c 1923 b7 33 89 d7 ba ed de 2f e3 04 7d 77 20 19 90 2e 4c 1925 output (32 octets): e9 9c 61 c4 f3 08 86 7b f9 7f 1d 30 56 ff 11 1926 35 ad 33 f5 44 b5 c2 c6 79 9c a2 c7 bd d8 bb 56 d5 1928 {server} derive secret for master "tls13 derived": 1930 PRK (32 octets): ba c8 e6 23 e4 82 31 e5 f0 96 4f fc 3b f3 5a e4 1931 bc 65 59 1a 9e 1a cf f3 6d 18 3f d6 0a 26 bc e6 1933 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 1934 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1936 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 1937 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 1938 64 9b 93 4c a4 95 99 1b 78 52 b8 55 1940 output (32 octets): cc c4 24 b2 2c e3 72 2a 86 5e 45 b8 fc 1c 98 1941 a6 36 9a 61 15 15 15 bb c8 4d f5 f7 3f e1 c5 e7 fe 1943 {server} extract secret "master": 1945 salt (32 octets): cc c4 24 b2 2c e3 72 2a 86 5e 45 b8 fc 1c 98 a6 1946 36 9a 61 15 15 15 bb c8 4d f5 f7 3f e1 c5 e7 fe 1948 IKM (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1949 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1951 secret (32 octets): 7a 50 b7 21 1f a2 3c 29 37 31 72 ad f8 50 39 1952 53 dc 76 53 af 95 0b 6b 61 9b 42 ce 1c a9 38 22 f1 1954 {server} send handshake record: 1956 payload (90 octets): 02 00 00 56 03 03 ed 3b 39 8e d9 27 26 f8 9e 1957 ac 52 ea 27 89 c1 00 9d d6 e2 5f 9f 3e c0 f4 00 3d a5 20 93 e4 1958 c9 34 00 13 01 00 00 2e 00 33 00 24 00 1d 00 20 23 dc 3e 49 2e 1959 c4 56 63 c3 ad b5 17 ec 8e ef a6 5b 76 c0 cf 21 21 f4 af f5 09 1960 50 0c 05 19 7f 0a 00 2b 00 02 03 04 1962 ciphertext (95 octets): 16 03 03 00 5a 02 00 00 56 03 03 ed 3b 39 1963 8e d9 27 26 f8 9e ac 52 ea 27 89 c1 00 9d d6 e2 5f 9f 3e c0 f4 1964 00 3d a5 20 93 e4 c9 34 00 13 01 00 00 2e 00 33 00 24 00 1d 00 1965 20 23 dc 3e 49 2e c4 56 63 c3 ad b5 17 ec 8e ef a6 5b 76 c0 cf 1966 21 21 f4 af f5 09 50 0c 05 19 7f 0a 00 2b 00 02 03 04 1968 {server} derive write traffic keys for handshake data: 1970 PRK (32 octets): e9 9c 61 c4 f3 08 86 7b f9 7f 1d 30 56 ff 11 35 1971 ad 33 f5 44 b5 c2 c6 79 9c a2 c7 bd d8 bb 56 d5 1973 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 1975 key output (16 octets): 61 a2 08 f9 c7 7f 35 96 9e 7f 1e 0e a2 75 1976 4c 92 1978 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 1980 iv output (12 octets): 08 a7 d2 9a d2 4b bf 51 1e a2 dd 45 1982 {server} send a EncryptedExtensions handshake message 1984 {server} send a CertificateRequest handshake message 1986 {server} send a Certificate handshake message 1988 {server} send a CertificateVerify handshake message 1990 {server} calculate finished "tls13 finished": 1992 PRK (32 octets): e9 9c 61 c4 f3 08 86 7b f9 7f 1d 30 56 ff 11 35 1993 ad 33 f5 44 b5 c2 c6 79 9c a2 c7 bd d8 bb 56 d5 1995 hash (0 octets): (empty) 1997 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 1998 64 00 2000 output (32 octets): 9f 46 ac 32 80 c8 66 da b9 27 45 b6 af ec 7c 2001 b3 5a 58 1a 4a 6c 8e 5e 09 a4 9c 96 d0 ad 30 2e 34 2003 {server} send a Finished handshake message 2005 {server} send handshake record: 2007 payload (516 octets): 08 00 00 24 00 22 00 0a 00 14 00 12 00 1d 2008 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 00 02 40 2009 01 00 00 00 00 0d 00 00 27 00 00 24 00 0d 00 20 00 1e 04 03 05 2010 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 2011 05 02 06 02 02 02 0b 00 01 3b 00 00 01 37 00 01 32 30 82 01 2e 2012 30 81 d5 a0 03 02 01 02 02 01 07 30 0a 06 08 2a 86 48 ce 3d 04 2013 03 02 30 13 31 11 30 0f 06 03 55 04 03 13 08 65 63 64 73 61 32 2014 35 36 30 1e 17 0d 31 36 30 37 33 30 30 31 32 34 30 30 5a 17 0d 2015 32 36 30 37 33 30 30 31 32 34 30 30 5a 30 13 31 11 30 0f 06 03 2016 55 04 03 13 08 65 63 64 73 61 32 35 36 30 59 30 13 06 07 2a 86 2017 48 ce 3d 02 01 06 08 2a 86 48 ce 3d 03 01 07 03 42 00 04 08 d5 2018 30 16 15 75 f4 cf e7 f1 54 ee 34 48 18 00 86 00 1e 88 43 1a 79 2019 ee 62 ee 6e 2f 83 ef 38 ba 61 e9 fb 37 f3 4e 00 7a 7d f4 d2 f5 2020 b5 6d 1f 04 ec e4 5d 62 1f 46 84 06 f5 c3 a1 51 58 94 8d d0 a3 2021 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 2022 04 04 03 02 07 80 30 0a 06 08 2a 86 48 ce 3d 04 03 02 03 48 00 2023 30 45 02 21 00 df 30 fd 45 07 f5 ed d2 2c 1a 6f f8 6d b4 79 ca 2024 69 3f ee ca 3b 71 b3 f9 ef 55 6b 29 37 c0 59 4d 02 20 62 e2 a4 2025 72 50 d3 20 fe a8 3c 7e 2d cb 5b 76 a5 0e 02 00 c0 9a db d1 3f 2026 ee 94 6e 51 3e 01 1d 11 00 00 0f 00 00 4a 04 03 00 46 30 44 02 2027 20 4e c5 5a 94 22 b9 26 82 ac f6 01 da 8e ad dc a8 43 17 0c 52 2028 94 cb b0 92 64 60 09 a2 22 8f c6 3d 02 20 33 61 b0 78 aa 93 db 2029 6e 9c 22 ad f1 88 5b 9e 0a 3e d4 ec dd 5c ef dc ce 63 f9 99 84 2030 82 0b 23 ee 14 00 00 20 65 0d bb 4b 5a 6a ce 4e 23 5c 3a 3a 39 2031 06 09 41 fc 25 37 58 6e 9b 56 27 2e 5f d1 31 ca 1f d2 74 2033 ciphertext (538 octets): 17 03 03 02 15 3a cf 25 29 62 4c 10 c3 2034 30 42 26 01 83 6e f0 93 ef ff c9 21 c2 60 9e 77 58 42 c4 65 ea 2035 a3 2c ca 23 34 06 4c 8d d8 53 96 ba 07 a8 6b d0 83 28 bc 07 e1 2036 f8 96 9d 93 09 68 79 a8 ee d4 af 92 e3 e3 ea 74 63 28 d6 40 22 2037 04 a5 9c a9 9c a8 2d 42 18 f0 85 10 60 ab ca 1e d6 c9 24 d6 49 2038 a1 6f 4c 5f 59 37 a6 de dd 36 de aa b7 25 ff 5c ab 8d 05 10 cc 2039 4d a2 c4 b7 57 7a 06 2a f1 5a 89 f7 ca 9f 8e ae 62 cf ea 55 6c 2040 c0 51 be ed c6 db ac 7f b2 1d a9 10 e7 07 5b 39 7c 32 f7 a5 a5 2041 0c e7 e8 22 9a 7c f5 db 31 8e f9 be 2a af 45 04 0d 15 96 aa 72 2042 d7 99 81 3b 79 37 db 78 dc cc df 5c 1a b0 bb ad 95 29 34 f2 a8 2043 e3 0f e2 60 2b 72 d0 11 8e fb 24 02 0c 0f 35 b1 4c bd af 1a b6 2044 9e 3e 6b a9 f5 1c db 02 9a 88 11 0d 97 59 26 af f0 ba 32 b2 15 2045 1b a6 52 db 21 ed eb a4 6e ba 90 f0 d5 51 8c e1 1c 9e 48 61 34 2046 ee 18 6e 98 f2 0c 06 67 93 19 5a 16 7a 38 f9 ae 57 2d 66 4b 84 2047 46 09 36 ca f7 fd 83 58 33 0a 99 a0 41 b5 d6 3d db 52 2a e4 20 2048 bd 46 e0 7a b1 da 63 4f 43 d3 c2 d6 46 cf df 0d 07 cc e4 1e ed 2049 c7 98 a0 ad 3d 98 51 52 40 48 0c 02 13 b1 87 37 2d 8d a1 d3 aa 2050 42 9f f8 20 94 34 b0 a5 a1 44 8c d6 30 1e c6 37 5e 5f f6 d9 26 2051 55 d1 ae 13 49 97 ef 3b 97 34 f3 89 6e 5d 2f b4 ce 0c 90 d8 d9 2052 ea b9 67 da f2 0f 95 05 71 2e e3 6a 33 48 6f 05 72 2a 0b 9f a7 2053 d8 f6 77 bd 9b 2a b2 45 97 ff 68 0b 2d 51 e7 20 f1 99 6a 58 fa 2054 7f 46 0a 1d 60 6d fb 7a e6 b1 22 e7 a0 9d a4 cc 92 55 dc 82 99 2055 15 b4 be db f1 66 2d 0f f4 56 22 a4 cf 75 0e 41 cd c6 32 a1 e0 2056 4c 07 2f e9 2d 32 9a 26 3f 67 62 be ad 32 31 65 92 b5 01 2d 28 2057 07 a2 12 17 ae 83 34 59 00 f1 f4 cb 1c 7a 77 05 27 20 60 fb 35 2058 12 86 16 8a ce d6 be 48 23 6a 6b c6 e6 88 f6 9d 3a 09 3d d4 89 2060 {server} derive secret "tls13 c ap traffic": 2062 PRK (32 octets): 7a 50 b7 21 1f a2 3c 29 37 31 72 ad f8 50 39 53 2063 dc 76 53 af 95 0b 6b 61 9b 42 ce 1c a9 38 22 f1 2065 hash (32 octets): 95 7f 54 ae 99 e3 22 ae 51 0d 51 4d 30 73 1b 0e 2066 7f f1 71 0f 69 0a 0b 0c 28 6a 66 0e c4 86 69 d7 2068 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 2069 61 66 66 69 63 20 95 7f 54 ae 99 e3 22 ae 51 0d 51 4d 30 73 1b 2070 0e 7f f1 71 0f 69 0a 0b 0c 28 6a 66 0e c4 86 69 d7 2072 output (32 octets): e6 47 85 57 d7 f3 3b b2 77 01 be 74 7f 2f bf 2073 00 72 e4 91 4f 96 7a 8a b7 20 c9 36 7f f6 61 49 2a 2075 {server} derive secret "tls13 s ap traffic": 2077 PRK (32 octets): 7a 50 b7 21 1f a2 3c 29 37 31 72 ad f8 50 39 53 2078 dc 76 53 af 95 0b 6b 61 9b 42 ce 1c a9 38 22 f1 2080 hash (32 octets): 95 7f 54 ae 99 e3 22 ae 51 0d 51 4d 30 73 1b 0e 2081 7f f1 71 0f 69 0a 0b 0c 28 6a 66 0e c4 86 69 d7 2083 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 2084 61 66 66 69 63 20 95 7f 54 ae 99 e3 22 ae 51 0d 51 4d 30 73 1b 2085 0e 7f f1 71 0f 69 0a 0b 0c 28 6a 66 0e c4 86 69 d7 2087 output (32 octets): 2e 5d c3 82 75 26 7f 49 ae bd 06 3b 4c 22 70 2088 5d 41 7f 79 b0 4e 63 7c 93 d3 e3 2a 7d 54 6e 2e b3 2090 {server} derive secret "tls13 exp master": 2092 PRK (32 octets): 7a 50 b7 21 1f a2 3c 29 37 31 72 ad f8 50 39 53 2093 dc 76 53 af 95 0b 6b 61 9b 42 ce 1c a9 38 22 f1 2095 hash (32 octets): 95 7f 54 ae 99 e3 22 ae 51 0d 51 4d 30 73 1b 0e 2096 7f f1 71 0f 69 0a 0b 0c 28 6a 66 0e c4 86 69 d7 2098 info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 2099 74 65 72 20 95 7f 54 ae 99 e3 22 ae 51 0d 51 4d 30 73 1b 0e 7f 2100 f1 71 0f 69 0a 0b 0c 28 6a 66 0e c4 86 69 d7 2102 output (32 octets): c5 10 a7 cd 37 4a 95 c4 47 ba 18 53 71 7b a6 2103 02 25 11 6c 89 2f 2b 62 86 26 28 a5 72 df 54 68 92 2105 {server} derive write traffic keys for application data: 2107 PRK (32 octets): 2e 5d c3 82 75 26 7f 49 ae bd 06 3b 4c 22 70 5d 2108 41 7f 79 b0 4e 63 7c 93 d3 e3 2a 7d 54 6e 2e b3 2110 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 2111 key output (16 octets): 3f d4 15 17 e6 ab 77 a2 e8 2d 51 f0 34 fc 2112 8c 21 2114 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 2116 iv output (12 octets): 8f 51 67 7a 4e 55 3e ce e0 2c c3 48 2118 {server} derive read traffic keys for handshake data: 2120 PRK (32 octets): 23 03 a8 1a 55 a9 e2 92 d3 23 cd c8 9a b2 dd a1 2121 63 40 f8 4f d9 dd 99 5c 72 50 c3 3e d3 82 b2 db 2123 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 2125 key output (16 octets): 2f b3 45 4b aa 32 08 04 f1 46 3b 6d 86 9e 2126 5c 6e 2128 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 2130 iv output (12 octets): 8d 74 fa ab ae 3d cf 20 6d 04 dc f8 2132 {client} extract secret "early": 2134 salt: (absent) 2136 IKM (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2137 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2139 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c 2140 e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 2142 {client} derive secret for handshake "tls13 derived": 2144 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 2145 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 2147 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 2148 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 2150 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 2151 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 2152 64 9b 93 4c a4 95 99 1b 78 52 b8 55 2154 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 2155 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 2157 {client} extract secret "handshake": 2159 salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 2160 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 2162 IKM (32 octets): b2 0d 9a cb a0 e0 38 1d 9f f5 1e 9d 7c b8 ba 18 2163 a9 ba 63 7e e5 93 08 13 da 7f f8 62 e6 62 44 45 2165 secret (32 octets): ba c8 e6 23 e4 82 31 e5 f0 96 4f fc 3b f3 5a 2166 e4 bc 65 59 1a 9e 1a cf f3 6d 18 3f d6 0a 26 bc e6 2168 {client} derive secret "tls13 c hs traffic" (same as server) 2170 {client} derive secret "tls13 s hs traffic" (same as server) 2172 {client} derive secret for master "tls13 derived" (same as server) 2174 {client} extract secret "master" (same as server) 2176 {client} derive read traffic keys for handshake data: 2178 PRK (32 octets): e9 9c 61 c4 f3 08 86 7b f9 7f 1d 30 56 ff 11 35 2179 ad 33 f5 44 b5 c2 c6 79 9c a2 c7 bd d8 bb 56 d5 2181 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 2183 key output (16 octets): 61 a2 08 f9 c7 7f 35 96 9e 7f 1e 0e a2 75 2184 4c 92 2186 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 2188 iv output (12 octets): 08 a7 d2 9a d2 4b bf 51 1e a2 dd 45 2190 {client} calculate finished "tls13 finished" (same as server) 2192 {client} derive secret "tls13 c ap traffic" (same as server) 2194 {client} derive secret "tls13 s ap traffic" (same as server) 2196 {client} derive secret "tls13 exp master" (same as server) 2198 {client} derive write traffic keys for handshake data (same as 2199 server read traffic keys) 2201 {client} derive read traffic keys for application data (same as 2202 server write traffic keys) 2204 {client} send a Certificate handshake message 2206 {client} send a CertificateVerify handshake message 2207 {client} calculate finished "tls13 finished": 2209 PRK (32 octets): 23 03 a8 1a 55 a9 e2 92 d3 23 cd c8 9a b2 dd a1 2210 63 40 f8 4f d9 dd 99 5c 72 50 c3 3e d3 82 b2 db 2212 hash (0 octets): (empty) 2214 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 2215 64 00 2217 output (32 octets): 9e 53 42 bd 39 7f ac 99 c3 40 bd 4a 58 0f 63 2218 20 49 8a 4f 63 6a 61 da 92 7a a2 ef 20 75 e9 74 86 2220 {client} send a Finished handshake message 2222 {client} send handshake record: 2224 payload (623 octets): 0b 00 01 bf 00 00 01 bb 00 01 b6 30 82 01 2225 b2 30 82 01 1b a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86 2226 f7 0d 01 01 0b 05 00 30 11 31 0f 30 0d 06 03 55 04 03 13 06 63 2227 6c 69 65 6e 74 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 2228 5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 11 31 0f 30 2229 0d 06 03 55 04 03 13 06 63 6c 69 65 6e 74 30 81 9f 30 0d 06 09 2230 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 2231 00 c3 81 75 e0 04 a6 8d 09 3f 82 3b 9c 37 9d 20 1f bc 0b b7 a1 2232 c7 91 90 5e 3f bf 76 84 7e 44 e7 51 eb bc d3 60 bd 94 5c 81 e5 2233 22 2b cc 88 46 d3 a8 a0 f9 3e 9b f5 be ba bd 92 ed f1 de 1f f1 2234 90 21 70 3e 7a b6 c0 90 15 13 f9 7e 39 b1 11 f0 9c 93 48 97 1c 2235 7b 21 19 84 a7 54 cd 45 fe 09 5a f0 ea 42 36 82 9b cc f7 a7 fe 2236 9b 28 88 e7 8a b4 77 69 0a 5b 9e 1c cb e9 1c 6a 4a 0f 97 a7 e0 2237 28 42 01 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 2238 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 07 80 30 0d 06 09 2a 86 2239 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 1a 7a 5a 01 85 32 b0 22 2240 af 07 67 d4 86 16 0c ff 2d 16 7a 19 15 d2 38 35 b5 45 94 91 6d 2241 c6 80 be 5d 2e 62 60 76 c5 d5 27 22 eb cc 77 5d 7d 99 f9 80 be 2242 2f c9 4d 34 ac f6 cc 00 ba 90 cb cf b0 60 8a a1 e7 e3 97 1e f0 2243 c0 7a 41 d4 7a d8 34 5d 1f 81 fe 41 8a 1c f4 10 54 42 9f d2 17 2244 bd 77 7d c1 cf 08 f0 5d f9 07 99 c6 59 36 1e 0f 1a 8e e4 ac 0f 2245 78 97 42 0b db c8 23 da 80 a2 f2 ba 23 08 1c 00 00 0f 00 00 84 2246 08 04 00 80 bc cd 87 0a 6d 51 75 ab 6a 97 3f 99 0f 44 33 b9 f4 2247 ed ea 6a a9 4c e5 c4 a9 0a 07 0f eb b8 9e 1c f5 24 62 d6 a0 5e 2248 62 1b 81 96 24 eb 9b f7 57 3a 08 bb 75 3d 4a 19 43 34 59 62 19 2249 68 75 04 54 05 6f 3d 7c e1 22 7f c2 9e 12 31 36 3e 4e ed 5f e0 2250 f4 93 83 7e f6 fe 4a 63 19 52 0b 63 9a ff e7 75 ae 41 76 bb bf 2251 69 13 b3 a1 a6 77 a0 35 6f 3c 0f 95 3d 35 77 fb 53 76 13 eb af 2252 84 8e 6a ee b2 1e 14 00 00 20 97 96 f8 14 93 a1 49 f5 37 f9 9b 2253 3c 4c f8 55 a0 88 5c 64 10 ff a1 db 0e 25 f3 43 a5 ff b5 1d 60 2255 ciphertext (645 octets): 17 03 03 02 80 38 0f e4 54 42 85 14 4f 2256 66 58 7c 3f ee 90 97 e2 e5 f4 cf ad 97 31 dc 59 62 36 7e 0f 73 2257 ea a8 c3 16 51 cf fc da 0c 7f 2a 85 d7 46 36 85 7e 61 91 9e 7a 2258 3e 1a dd 24 b1 d0 8f 37 35 04 36 f5 d2 96 78 43 6f 6a df 4e 4e 2259 46 f9 fb 0c 79 da 40 cb 43 dd 82 50 a5 fa bc 61 cd b3 9a 4c 3d 2260 31 59 6c e3 1b 4c a9 4c 77 16 f6 f8 0d 09 26 80 d6 ce bf e5 c5 2261 cc 0e 51 15 ff 10 a6 80 1d 82 07 f4 ec ea a8 82 02 e1 bd 55 ab 2262 b0 ec aa 4f 0e 41 af 70 54 e0 ff df 76 4a 84 cd 01 be a2 0f d7 2263 b4 91 e5 c1 20 d9 93 31 4c bd 43 55 65 25 3f b2 4b 6e 67 85 ea 2264 79 8f 86 2c fe 0d 01 de 13 d5 f0 d8 f3 f8 d2 75 5c 1b 4d 46 d1 2265 d6 a3 b2 43 ea 8b 45 12 51 2e aa 64 27 3a 84 36 3c cc 93 69 a5 2266 3a 0b 60 09 d4 47 23 a8 f5 aa 9d 8b c9 37 1f b0 da dc 45 16 fc 2267 9f 84 2d 2e 3d 89 15 39 3d 2b fa db 11 82 0f 74 2d 94 6a 2a fa 2268 01 4f df d7 da 08 1b 86 26 7c 3c 62 95 7e 91 83 13 3e d8 7f fe 2269 9e 88 3e 7b 69 8e f9 09 30 ad 93 b4 e6 b3 72 bd ca 6d 77 e1 ed 2270 20 71 40 2b eb d8 3f 4b 74 94 a8 02 df f2 ab d1 84 d8 c3 9e 6f 2271 c6 4a 94 85 a3 18 f6 8b cb a3 7d 9a f9 8b 61 e7 b5 4b 2a 48 71 2272 9d 41 41 9e 5b b7 03 98 49 3a e4 a4 7f 45 f1 61 22 53 15 4d da 2273 bd b8 c6 a3 f7 1d d6 93 69 bd fe a1 af 5c b6 35 d1 8b 97 38 24 2274 8b cb 9c fc 61 08 e0 90 2b 86 f6 26 03 19 43 15 ae 51 d3 ac b1 2275 2d 06 b7 d9 86 14 bf 8e 93 f2 d4 d4 a5 6f e8 2d 09 12 e1 57 bc 2276 c5 28 7b 5f 1e f9 a9 db d8 a0 80 19 5f 6b 15 5a f9 16 7c ca 41 2277 45 35 4c 03 19 51 ab e3 73 4a 49 84 01 37 70 64 a0 d0 08 76 4d 2278 75 9f d1 c8 ea 7b d3 6b ec a2 23 e4 86 fc e9 89 9c de fe a6 95 2279 ba 7d da f2 3f 80 6b 09 ff ef 81 47 87 c7 71 ba 60 90 08 13 4d 2280 d4 51 1e 26 5f 78 b6 25 91 74 76 42 7b ed b7 9a 50 c3 b7 58 01 2281 07 5d 13 3f 2e 07 15 e7 1f c0 07 89 eb dc ce f6 b8 cd f2 5d a4 2282 19 bc 00 28 74 4a 75 ba ab 09 25 4a 2b b2 19 81 d1 15 64 64 22 2283 98 4f 79 eb c7 0a f1 39 0a b1 a2 ac 38 5c 6a d1 28 fd 9d e3 bf 2284 7d be e6 0f 7f e6 d0 09 e7 ce d6 8b d3 7a 06 fd db 83 5f 8e 56 2285 fc eb 59 4f 74 8a 1d a1 e7 7b ea 51 fb 3e 40 b7 b4 70 12 89 ef 2286 7b 37 2288 {client} derive write traffic keys for application data: 2290 PRK (32 octets): e6 47 85 57 d7 f3 3b b2 77 01 be 74 7f 2f bf 00 2291 72 e4 91 4f 96 7a 8a b7 20 c9 36 7f f6 61 49 2a 2293 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 2295 key output (16 octets): db 34 ce df e4 fc db 0e d7 00 41 8f dd 96 2296 b2 c7 2298 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 2300 iv output (12 octets): e1 7e 53 1a ba 3c fa 7f 0f ec 8b f5 2302 {client} derive secret "tls13 res master": 2304 PRK (32 octets): 7a 50 b7 21 1f a2 3c 29 37 31 72 ad f8 50 39 53 2305 dc 76 53 af 95 0b 6b 61 9b 42 ce 1c a9 38 22 f1 2307 hash (32 octets): 41 bf 98 c7 24 79 cf cf 1d 49 9d c2 d6 a8 44 c1 2308 7f 49 1e b9 a0 78 21 08 78 b5 5a e5 26 29 94 60 2310 info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 2311 74 65 72 20 41 bf 98 c7 24 79 cf cf 1d 49 9d c2 d6 a8 44 c1 7f 2312 49 1e b9 a0 78 21 08 78 b5 5a e5 26 29 94 60 2314 output (32 octets): c4 11 50 3f ea fa f0 d7 0a 77 c6 81 3d b0 42 2315 4e f5 f4 ce f4 b5 e2 4d b7 65 f8 79 d3 7f c5 b6 af 2317 {server} calculate finished "tls13 finished" (same as client) 2319 {server} derive read traffic keys for application data (same as 2320 client write traffic keys) 2322 {server} derive secret "tls13 res master" (same as client) 2324 {client} send alert record: 2326 payload (2 octets): 01 00 2328 ciphertext (24 octets): 17 03 03 00 13 d1 3c 7f 7d 16 11 b4 09 df 2329 45 77 ca 2b e5 a8 a2 8f 33 30 2331 {server} send alert record: 2333 payload (2 octets): 01 00 2335 ciphertext (24 octets): 17 03 03 00 13 37 bb 98 68 73 81 3c 79 25 2336 aa 29 51 e1 21 b0 58 57 f7 8f 2338 7. Compatibility Mode 2340 This example shows use of the handshake with the client requesting 2341 that the server use compatibility mode as defined in Appendix D.4 of 2342 [TLS13]. 2344 {client} create an ephemeral x25519 key pair: 2346 private key (32 octets): ea e2 7f 11 4d a0 68 f8 b3 47 2e 62 88 2347 00 e8 b9 c2 58 13 58 13 6e bb e7 74 38 cb 4f 4b e2 d1 b4 2349 public key (32 octets): d5 15 42 62 5f 25 a9 2d 44 a3 aa de f5 9c 2350 a8 49 ad 2f 8e fa 9f 04 b8 f5 da b4 02 ac bc 57 1f 16 2352 {client} send a ClientHello handshake message 2354 {client} send handshake record: 2356 payload (224 octets): 01 00 00 dc 03 03 37 b0 76 d2 fa 50 94 39 2357 5e 99 71 d7 53 c3 c4 cf 07 56 b9 40 70 13 cb ca c7 f4 4a c3 28 2358 13 f6 0f 20 91 41 b7 89 83 d3 67 a0 fe 97 08 df 32 f5 b9 88 8f 2359 e5 9e de 4e 61 2c f6 bd b1 fb be e6 f9 ef fe 00 06 13 01 13 03 2360 13 02 01 00 00 8d 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 2361 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 2362 01 01 01 02 01 03 01 04 00 33 00 26 00 24 00 1d 00 20 d5 15 42 2363 62 5f 25 a9 2d 44 a3 aa de f5 9c a8 49 ad 2f 8e fa 9f 04 b8 f5 2364 da b4 02 ac bc 57 1f 16 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 2365 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 2366 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01 2368 ciphertext (229 octets): 16 03 01 00 e0 01 00 00 dc 03 03 37 b0 2369 76 d2 fa 50 94 39 5e 99 71 d7 53 c3 c4 cf 07 56 b9 40 70 13 cb 2370 ca c7 f4 4a c3 28 13 f6 0f 20 91 41 b7 89 83 d3 67 a0 fe 97 08 2371 df 32 f5 b9 88 8f e5 9e de 4e 61 2c f6 bd b1 fb be e6 f9 ef fe 2372 00 06 13 01 13 03 13 02 01 00 00 8d 00 00 00 0b 00 09 00 00 06 2373 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 2374 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00 26 00 24 00 2375 1d 00 20 d5 15 42 62 5f 25 a9 2d 44 a3 aa de f5 9c a8 49 ad 2f 2376 8e fa 9f 04 b8 f5 da b4 02 ac bc 57 1f 16 00 2b 00 03 02 03 04 2377 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 2378 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 2379 00 1c 00 02 40 01 2381 {server} extract secret "early": 2383 salt: (absent) 2385 IKM (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2386 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2388 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c 2389 e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 2391 {server} create an ephemeral x25519 key pair: 2393 private key (32 octets): 6f fc 0f 52 08 bb f6 73 4b 5f 95 23 7d 2394 3d 48 0a 08 fc e9 89 e6 1c 2f 4d 71 6b 5b e4 4d 66 90 7e 2396 public key (32 octets): ab 16 0e 03 51 0f a0 3f d5 bd 6e 7a 94 f4 2397 00 31 16 35 cd 69 87 2e a6 e4 8a 08 71 5e e3 f0 24 2e 2399 {server} send a ServerHello handshake message 2400 {server} send handshake record: 2402 payload (122 octets): 02 00 00 76 03 03 32 a4 2f 56 c8 b8 59 cc 2403 5d 80 f2 7f 48 d0 f2 96 d3 a5 bb 8e 05 28 08 11 14 de 8c e3 84 2404 d7 e0 df 20 91 41 b7 89 83 d3 67 a0 fe 97 08 df 32 f5 b9 88 8f 2405 e5 9e de 4e 61 2c f6 bd b1 fb be e6 f9 ef fe 13 01 00 00 2e 00 2406 33 00 24 00 1d 00 20 ab 16 0e 03 51 0f a0 3f d5 bd 6e 7a 94 f4 2407 00 31 16 35 cd 69 87 2e a6 e4 8a 08 71 5e e3 f0 24 2e 00 2b 00 2408 02 03 04 2410 ciphertext (127 octets): 16 03 03 00 7a 02 00 00 76 03 03 32 a4 2411 2f 56 c8 b8 59 cc 5d 80 f2 7f 48 d0 f2 96 d3 a5 bb 8e 05 28 08 2412 11 14 de 8c e3 84 d7 e0 df 20 91 41 b7 89 83 d3 67 a0 fe 97 08 2413 df 32 f5 b9 88 8f e5 9e de 4e 61 2c f6 bd b1 fb be e6 f9 ef fe 2414 13 01 00 00 2e 00 33 00 24 00 1d 00 20 ab 16 0e 03 51 0f a0 3f 2415 d5 bd 6e 7a 94 f4 00 31 16 35 cd 69 87 2e a6 e4 8a 08 71 5e e3 2416 f0 24 2e 00 2b 00 02 03 04 2418 {server} send change_cipher_spec record: 2420 payload (1 octets): 01 2422 ciphertext (6 octets): 14 03 03 00 01 01 2424 {server} derive secret for handshake "tls13 derived": 2426 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 2427 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 2429 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 2430 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 2432 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 2433 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 2434 64 9b 93 4c a4 95 99 1b 78 52 b8 55 2436 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 2437 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 2439 {server} extract secret "handshake": 2441 salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 2442 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 2444 IKM (32 octets): d6 ee 52 33 ce 08 89 3e a5 eb d5 0f 0d 8a 25 bf 2445 ed 5f fd 57 82 32 31 19 46 91 bd 89 2b 8f 9a 50 2447 secret (32 octets): 2e 91 52 b1 5c ec 8f 81 92 f3 d5 a0 72 08 ad 2448 48 a9 7b 4e 06 f2 b8 22 9d f6 7b 7d 47 3e a8 42 d3 2450 {server} derive secret "tls13 c hs traffic": 2452 PRK (32 octets): 2e 91 52 b1 5c ec 8f 81 92 f3 d5 a0 72 08 ad 48 2453 a9 7b 4e 06 f2 b8 22 9d f6 7b 7d 47 3e a8 42 d3 2455 hash (32 octets): ef ee 6c 01 8a 0f a3 ac 4c 61 ac 11 9c c8 fd da 2456 17 5e b8 c4 bd 4d 11 98 53 59 ca 1a f3 33 87 0b 2458 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72 2459 61 66 66 69 63 20 ef ee 6c 01 8a 0f a3 ac 4c 61 ac 11 9c c8 fd 2460 da 17 5e b8 c4 bd 4d 11 98 53 59 ca 1a f3 33 87 0b 2462 output (32 octets): 1b 92 72 16 81 91 bc c8 5e 46 45 96 e1 0b 79 2463 b8 09 a4 f6 36 02 e4 ad a5 b4 f2 c9 c0 b2 4d 27 37 2465 {server} derive secret "tls13 s hs traffic": 2467 PRK (32 octets): 2e 91 52 b1 5c ec 8f 81 92 f3 d5 a0 72 08 ad 48 2468 a9 7b 4e 06 f2 b8 22 9d f6 7b 7d 47 3e a8 42 d3 2470 hash (32 octets): ef ee 6c 01 8a 0f a3 ac 4c 61 ac 11 9c c8 fd da 2471 17 5e b8 c4 bd 4d 11 98 53 59 ca 1a f3 33 87 0b 2473 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72 2474 61 66 66 69 63 20 ef ee 6c 01 8a 0f a3 ac 4c 61 ac 11 9c c8 fd 2475 da 17 5e b8 c4 bd 4d 11 98 53 59 ca 1a f3 33 87 0b 2477 output (32 octets): 50 56 0b ed 1e 47 38 91 2d 43 d3 15 99 e0 7d 2478 5e ad ea f2 6b 18 9e 7b 75 e9 87 6f 42 07 2f b0 33 2480 {server} derive secret for master "tls13 derived": 2482 PRK (32 octets): 2e 91 52 b1 5c ec 8f 81 92 f3 d5 a0 72 08 ad 48 2483 a9 7b 4e 06 f2 b8 22 9d f6 7b 7d 47 3e a8 42 d3 2485 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 2486 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 2488 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 2489 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 2490 64 9b 93 4c a4 95 99 1b 78 52 b8 55 2492 output (32 octets): ef 79 6e a9 37 7c f8 94 b0 52 52 2b 22 9f cd 2493 70 a1 d7 c3 a3 2d ca 6c f5 1d 62 95 04 ef 1e e1 25 2495 {server} extract secret "master": 2497 salt (32 octets): ef 79 6e a9 37 7c f8 94 b0 52 52 2b 22 9f cd 70 2498 a1 d7 c3 a3 2d ca 6c f5 1d 62 95 04 ef 1e e1 25 2500 IKM (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2501 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2503 secret (32 octets): 63 7d 72 8c c3 81 21 92 85 68 0b 8a bd 98 9c 2504 a3 7a c7 36 68 0c cb 47 8a 0f 28 11 07 2a 89 88 19 2506 {server} derive write traffic keys for handshake data: 2508 PRK (32 octets): 50 56 0b ed 1e 47 38 91 2d 43 d3 15 99 e0 7d 5e 2509 ad ea f2 6b 18 9e 7b 75 e9 87 6f 42 07 2f b0 33 2511 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 2513 key output (16 octets): 7d cd 41 e1 40 51 3f be 6a f5 22 a4 da 7f 2514 57 5b 2516 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 2518 iv output (12 octets): 77 ee 98 da ae 5c 82 24 7d 30 40 7f 2520 {server} send a EncryptedExtensions handshake message 2522 {server} send a Certificate handshake message 2524 {server} send a CertificateVerify handshake message 2526 {server} calculate finished "tls13 finished": 2528 PRK (32 octets): 50 56 0b ed 1e 47 38 91 2d 43 d3 15 99 e0 7d 5e 2529 ad ea f2 6b 18 9e 7b 75 e9 87 6f 42 07 2f b0 33 2531 hash (0 octets): (empty) 2533 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 2534 64 00 2536 output (32 octets): d1 61 e3 34 21 df d7 05 aa 4c c8 bf a6 e4 4d 2537 42 c8 b2 5b f1 c6 e4 e7 b4 dc c6 cb de a9 c2 a3 a1 2539 {server} send a Finished handshake message 2541 {server} send handshake record: 2543 payload (657 octets): 08 00 00 24 00 22 00 0a 00 14 00 12 00 1d 2544 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 00 02 40 2545 01 00 00 00 00 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30 2546 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 2547 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 2548 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36 2549 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04 2550 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 2551 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f 82 79 30 2552 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a 2553 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e 2554 aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01 2555 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53 2556 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab 2557 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 01 00 01 2558 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 2559 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 2560 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17 2561 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea e8 f8 a5 2562 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 51 56 72 2563 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be c1 fc 63 2564 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1c 3b 84 2565 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 96 12 29 2566 ac 91 87 b4 2b 4d e1 00 00 0f 00 00 84 08 04 00 80 84 d9 e6 bb 2567 5f 60 86 63 13 c5 02 3b 34 5b b6 68 4a 63 6c 67 82 34 01 5d c8 2568 3b 80 3d 81 30 68 ba 48 03 e2 cc 26 7f f0 86 70 35 d4 b4 46 28 2569 64 4c 1e fb 90 82 0c 47 ce c2 14 23 98 c3 aa d3 cf 9d a6 2d d4 2570 c5 de 51 ac 82 0c 84 af 40 72 1b dd 67 bc 8b bd db 28 3b 75 14 2571 25 62 0c f5 b2 76 f2 32 c2 a0 5e 53 f1 6b 6a d6 cd cd a6 04 da 2572 f9 95 e6 f8 42 4a 1d fd 37 0c 58 d0 f7 b4 60 5f 1a 21 a9 14 00 2573 00 20 5b 6a d9 10 bc 48 94 47 7b 48 da 86 11 eb c4 de 20 25 72 2574 63 5f 9c 4a ac 81 a4 81 2e 82 bf c2 fd 2576 ciphertext (679 octets): 17 03 03 02 a2 28 cc 1b 2f 47 22 95 79 2577 9f 34 2e 49 90 56 09 07 73 a4 57 20 6f 79 a5 4b b8 ca 78 dc 42 2578 e7 54 e1 95 6d dd 1a 78 6e 4c e9 6f 8d a4 12 57 ce 53 17 b7 37 2579 60 7a c3 b6 f8 6d 6f 6d 1d 71 06 01 af c5 61 0c d8 fb 16 7c 6a 2580 29 99 1e 50 a6 f4 83 7f ff 89 c2 d0 66 58 01 de 54 6e c2 8c bf 2581 f1 d7 d5 c3 30 b0 60 48 4a 44 0c 54 1c b1 1f 58 88 4a 50 31 dd 2582 ae ac ac af ea 6c 34 5a 93 8b 8e ee 6a 57 10 68 05 79 52 a2 60 2583 f9 e4 d6 51 bc e2 d8 57 1c ec aa da 2d 9b 37 15 60 3f f4 77 dd 2584 3c cf bf e6 8f 3c 0c b1 4b 0f c0 60 e6 dc 3b 10 f0 1b 43 8f 22 2585 12 71 3a 4b 87 fb b1 0d fd 9c 5c 29 e7 8d bc 7f a6 03 89 94 0f 2586 4e 3e 17 d9 79 f1 45 73 4d 67 66 12 ee 25 c1 15 fc da 0d f5 2c 2587 d2 35 95 77 fc b1 c2 47 e8 bf 90 0e 7a 59 0c 7e 33 f5 ff 1b 0e 2588 d0 d2 90 35 b5 f7 77 df d2 0f 02 41 40 61 7e e3 2d 6f 5a 7f 1b 2589 09 4e 60 d1 b1 78 2e 73 ca 22 ae c2 5d 1d 5f d7 ac c8 f5 58 17 2590 df 92 fe 17 da 29 13 77 10 e7 aa 2e bb 7c a8 45 6b de 8a dd e7 2591 88 24 19 c1 b1 8d ba d9 a9 70 54 30 bd 94 71 86 53 f3 d2 fb 78 2592 2c 62 f1 7b ef c3 24 73 f4 ec 5c 5d 73 39 e6 32 1c 65 d7 a0 c8 2593 f3 c5 d5 c5 1b bb c3 a5 3d 16 60 c5 89 eb e5 dd 39 bd 1e 53 6f 2594 f3 ed 09 84 41 36 76 4a b8 8d 51 71 db 6f bd 32 81 ec e9 e5 96 2595 07 85 56 0a 6f 51 fc f6 63 e8 fc 82 bb 13 d1 9b 49 c4 56 bc c1 2596 16 32 6a 70 1f 22 3a 19 d4 a4 5d cc f6 87 b3 95 9a a0 36 dd f3 2597 58 30 98 87 4c d6 da 79 6f e1 29 26 c1 2a 2d 49 79 1b 2d 88 1f 2598 13 be c3 ec de b5 fb 69 50 b8 5a 36 14 13 7e ad 5e 26 9e 14 84 2599 ee 26 2b ba d4 b1 c9 cd 35 09 69 85 75 f8 90 19 a9 28 05 81 5a 2600 ef 89 91 f8 63 6e a7 d4 87 c1 1c 9c 4c cb aa 91 1c 6c 57 b5 bb 2601 28 29 95 b7 f9 c9 c7 33 3d 7d 8f b7 40 cd 5f 0b 55 85 cb 87 d8 2602 7c 91 4d 02 c0 f5 6a 93 88 73 03 b2 93 38 6b 8e fb 26 48 b4 e1 2603 10 be 9e bc f5 c0 76 92 41 79 da b2 b1 bc a2 ad 05 21 44 fa 3b 2604 eb 38 5c 5c 28 f1 17 01 cc 78 3e 7c d8 f8 cc 92 b9 26 93 af 71 2605 28 2d ec 09 64 29 66 1d 75 f7 b8 3d 69 b4 39 be 1b f5 4e 74 da 2606 c8 3d e6 62 c5 93 15 15 bf ed 52 e4 cd 3c ce a8 de 9f b2 2a f9 2607 01 a3 40 af a3 3a 7b 06 d5 a5 fd e5 ce 1d 2b 7a 72 c7 e2 ee f5 2608 ff 46 25 d8 5b bb 99 5f 39 25 da d8 66 c6 5e 2610 {server} derive secret "tls13 c ap traffic": 2612 PRK (32 octets): 63 7d 72 8c c3 81 21 92 85 68 0b 8a bd 98 9c a3 2613 7a c7 36 68 0c cb 47 8a 0f 28 11 07 2a 89 88 19 2615 hash (32 octets): e4 72 ce 71 b4 9c c4 44 32 c4 09 f7 66 4b 84 a5 2616 9d 7a 68 3d 3d d2 da 22 7c 9b 98 42 3e a2 a1 45 2618 info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72 2619 61 66 66 69 63 20 e4 72 ce 71 b4 9c c4 44 32 c4 09 f7 66 4b 84 2620 a5 9d 7a 68 3d 3d d2 da 22 7c 9b 98 42 3e a2 a1 45 2622 output (32 octets): b3 59 c9 26 e6 22 56 e6 10 3e 70 fb bc f9 07 2623 cb 5e e7 56 20 f8 95 a8 b0 e8 c0 05 a4 df ff 75 6c 2625 {server} derive secret "tls13 s ap traffic": 2627 PRK (32 octets): 63 7d 72 8c c3 81 21 92 85 68 0b 8a bd 98 9c a3 2628 7a c7 36 68 0c cb 47 8a 0f 28 11 07 2a 89 88 19 2630 hash (32 octets): e4 72 ce 71 b4 9c c4 44 32 c4 09 f7 66 4b 84 a5 2631 9d 7a 68 3d 3d d2 da 22 7c 9b 98 42 3e a2 a1 45 2633 info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72 2634 61 66 66 69 63 20 e4 72 ce 71 b4 9c c4 44 32 c4 09 f7 66 4b 84 2635 a5 9d 7a 68 3d 3d d2 da 22 7c 9b 98 42 3e a2 a1 45 2637 output (32 octets): 7f 64 01 84 e5 99 d2 8e c8 18 84 1c ff 13 92 2638 30 d5 16 9f 16 3b 1f 52 70 12 a3 8e 5d b8 1f 7b 4e 2640 {server} derive secret "tls13 exp master": 2642 PRK (32 octets): 63 7d 72 8c c3 81 21 92 85 68 0b 8a bd 98 9c a3 2643 7a c7 36 68 0c cb 47 8a 0f 28 11 07 2a 89 88 19 2645 hash (32 octets): e4 72 ce 71 b4 9c c4 44 32 c4 09 f7 66 4b 84 a5 2646 9d 7a 68 3d 3d d2 da 22 7c 9b 98 42 3e a2 a1 45 2648 info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73 2649 74 65 72 20 e4 72 ce 71 b4 9c c4 44 32 c4 09 f7 66 4b 84 a5 9d 2650 7a 68 3d 3d d2 da 22 7c 9b 98 42 3e a2 a1 45 2652 output (32 octets): 92 a0 34 07 bc bd c9 8d 26 ae 38 80 8b d6 f1 2653 0c d0 47 14 2e c7 ef ac b8 f3 08 9a 7e 3e 52 87 d6 2655 {server} derive write traffic keys for application data: 2657 PRK (32 octets): 7f 64 01 84 e5 99 d2 8e c8 18 84 1c ff 13 92 30 2658 d5 16 9f 16 3b 1f 52 70 12 a3 8e 5d b8 1f 7b 4e 2660 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 2662 key output (16 octets): 9a 33 b7 ff 19 01 80 b3 05 47 fe 9f e3 12 2663 74 09 2665 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 2667 iv output (12 octets): a1 18 3b 47 0d 16 7f 63 62 8d 8b 32 2669 {server} derive read traffic keys for handshake data: 2671 PRK (32 octets): 1b 92 72 16 81 91 bc c8 5e 46 45 96 e1 0b 79 b8 2672 09 a4 f6 36 02 e4 ad a5 b4 f2 c9 c0 b2 4d 27 37 2674 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 2676 key output (16 octets): e7 37 b9 b1 2f 31 56 81 54 fd 6b f2 53 22 2677 ac 53 2679 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 2681 iv output (12 octets): 4a a7 80 6d 4f 81 d5 93 7b 99 3b 26 2683 {client} extract secret "early": 2685 salt: (absent) 2686 IKM (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2687 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2689 secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c 2690 e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 2692 {client} derive secret for handshake "tls13 derived": 2694 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 2695 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 2697 hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 2698 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 2700 info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64 2701 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4 2702 64 9b 93 4c a4 95 99 1b 78 52 b8 55 2704 output (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 2705 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 2707 {client} extract secret "handshake": 2709 salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 2710 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 2712 IKM (32 octets): d6 ee 52 33 ce 08 89 3e a5 eb d5 0f 0d 8a 25 bf 2713 ed 5f fd 57 82 32 31 19 46 91 bd 89 2b 8f 9a 50 2715 secret (32 octets): 2e 91 52 b1 5c ec 8f 81 92 f3 d5 a0 72 08 ad 2716 48 a9 7b 4e 06 f2 b8 22 9d f6 7b 7d 47 3e a8 42 d3 2718 {client} derive secret "tls13 c hs traffic" (same as server) 2720 {client} derive secret "tls13 s hs traffic" (same as server) 2722 {client} derive secret for master "tls13 derived" (same as server) 2724 {client} extract secret "master" (same as server) 2726 {client} derive read traffic keys for handshake data: 2728 PRK (32 octets): 50 56 0b ed 1e 47 38 91 2d 43 d3 15 99 e0 7d 5e 2729 ad ea f2 6b 18 9e 7b 75 e9 87 6f 42 07 2f b0 33 2731 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 2732 key output (16 octets): 7d cd 41 e1 40 51 3f be 6a f5 22 a4 da 7f 2733 57 5b 2735 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 2737 iv output (12 octets): 77 ee 98 da ae 5c 82 24 7d 30 40 7f 2739 {client} calculate finished "tls13 finished" (same as server) 2741 {client} derive secret "tls13 c ap traffic" (same as server) 2743 {client} derive secret "tls13 s ap traffic" (same as server) 2745 {client} derive secret "tls13 exp master" (same as server) 2747 {client} send change_cipher_spec record: 2749 payload (1 octets): 01 2751 ciphertext (6 octets): 14 03 03 00 01 01 2753 {client} derive write traffic keys for handshake data (same as 2754 server read traffic keys) 2756 {client} derive read traffic keys for application data (same as 2757 server write traffic keys) 2759 {client} calculate finished "tls13 finished": 2761 PRK (32 octets): 1b 92 72 16 81 91 bc c8 5e 46 45 96 e1 0b 79 b8 2762 09 a4 f6 36 02 e4 ad a5 b4 f2 c9 c0 b2 4d 27 37 2764 hash (0 octets): (empty) 2766 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 2767 64 00 2769 output (32 octets): 89 90 6b c2 96 20 2c dc 3c 10 2a 87 ff fe 99 2770 cc cd b9 2c b1 94 d2 7a 8b 2b 21 10 e6 8b 41 0c 78 2772 {client} send a Finished handshake message 2774 {client} send handshake record: 2776 payload (36 octets): 14 00 00 20 ed 87 35 55 93 d3 ef 08 33 0b 32 2777 69 13 0f e9 5f cd e6 3e 60 1d b1 85 88 35 e5 5b 45 c4 08 e5 c5 2779 ciphertext (58 octets): 17 03 03 00 35 9a b0 af 58 6e 95 81 22 3d 2780 c2 bb 71 4d 5b e3 9f c2 eb 04 31 35 84 82 25 23 6d 39 24 71 5e 2781 f9 10 bc 81 4c 59 f6 d8 5a d2 a9 22 d5 c4 18 ba bc 48 fb 6b 3a 2782 bc 5e 2784 {client} derive write traffic keys for application data: 2786 PRK (32 octets): b3 59 c9 26 e6 22 56 e6 10 3e 70 fb bc f9 07 cb 2787 5e e7 56 20 f8 95 a8 b0 e8 c0 05 a4 df ff 75 6c 2789 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 2791 key output (16 octets): de ef 7b 47 f8 c6 cd d2 dc 85 7a cf 80 a4 2792 67 5d 2794 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 2796 iv output (12 octets): af b0 ec 8b 9a d9 04 61 f1 ec 04 b2 2798 {client} derive secret "tls13 res master": 2800 PRK (32 octets): 63 7d 72 8c c3 81 21 92 85 68 0b 8a bd 98 9c a3 2801 7a c7 36 68 0c cb 47 8a 0f 28 11 07 2a 89 88 19 2803 hash (32 octets): e8 2a 79 f7 32 a4 90 44 12 3b 22 ce f3 54 68 fb 2804 db ab 49 f4 b3 a3 ae 5c 5d 34 e0 f1 12 a3 7c 01 2806 info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73 2807 74 65 72 20 e8 2a 79 f7 32 a4 90 44 12 3b 22 ce f3 54 68 fb db 2808 ab 49 f4 b3 a3 ae 5c 5d 34 e0 f1 12 a3 7c 01 2810 output (32 octets): 87 33 e8 d1 4e b4 de f0 0b bb e3 f1 65 92 68 2811 73 44 5f 2b c0 23 3d e0 98 2b 59 35 ec 89 ca 50 78 2813 {server} calculate finished "tls13 finished" (same as client) 2815 {server} derive read traffic keys for application data (same as 2816 client write traffic keys) 2818 {server} derive secret "tls13 res master" (same as client) 2820 {client} send alert record: 2822 payload (2 octets): 01 00 2824 ciphertext (24 octets): 17 03 03 00 13 5e 7e 60 d9 38 04 1b 9a fd 2825 34 c2 ad ef 72 cb 00 a8 63 43 2827 {server} send alert record: 2829 payload (2 octets): 01 00 2831 ciphertext (24 octets): 17 03 03 00 13 f8 11 03 38 e0 0b 60 4c f8 2832 82 5f 93 d6 10 ee af 43 91 f8 2834 8. Security Considerations 2836 It probably isn't a good idea to use the private key here. If it 2837 weren't for the fact that it is too small to provide any meaningful 2838 security, it is now very well known. 2840 9. IANA Considerations 2842 This document makes no requests of IANA. 2844 10. References 2846 10.1. Normative References 2848 [TLS13] Rescorla, E., "The Transport Layer Security (TLS) Protocol 2849 Version 1.3", draft-ietf-tls-tls13-28 (work in progress), 2850 March 2018. 2852 10.2. Informative References 2854 [FIPS186] National Institute of Standards and Technology (NIST), 2855 "Digital Signature Standard (DSS)", NIST PUB 186-4 , July 2856 2013. 2858 [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand 2859 Key Derivation Function (HKDF)", RFC 5869, 2860 DOI 10.17487/RFC5869, May 2010, 2861 . 2863 [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves 2864 for Security", RFC 7748, DOI 10.17487/RFC7748, January 2865 2016, . 2867 10.3. URIs 2869 [1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS 2871 Appendix A. Acknowledgements 2873 This draft is generated using tests that were written for NSS [1]. 2874 None of this would have been possible without Franziskus Kiefer, Eric 2875 Rescorla and Tim Taubert, who did a lot of the work in NSS. 2877 Author's Address 2879 Martin Thomson 2880 Mozilla 2882 Email: martin.thomson@gmail.com