summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc8448.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc8448.txt')
-rw-r--r--doc/rfc/rfc8448.txt3811
1 files changed, 3811 insertions, 0 deletions
diff --git a/doc/rfc/rfc8448.txt b/doc/rfc/rfc8448.txt
new file mode 100644
index 0000000..a68b290
--- /dev/null
+++ b/doc/rfc/rfc8448.txt
@@ -0,0 +1,3811 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) M. Thomson
+Request for Comments: 8448 Mozilla
+Category: Informational January 2019
+ISSN: 2070-1721
+
+
+ Example Handshake Traces for TLS 1.3
+
+Abstract
+
+ This document includes examples of TLS 1.3 handshakes. Private keys
+ and inputs are provided so that these handshakes might be reproduced.
+ Intermediate values, including secrets, traffic keys, and IVs, are
+ shown so that implementations might be checked incrementally against
+ these values.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Not all documents
+ approved by the IESG are candidates for any level of Internet
+ Standard; see Section 2 of RFC 7841.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ https://www.rfc-editor.org/info/rfc8448.
+
+Copyright Notice
+
+ Copyright (c) 2019 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+
+
+
+
+Thomson Informational [Page 1]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 2. Private Keys . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 3. Simple 1-RTT Handshake . . . . . . . . . . . . . . . . . . . 3
+ 4. Resumed 0-RTT Handshake . . . . . . . . . . . . . . . . . . . 16
+ 5. HelloRetryRequest . . . . . . . . . . . . . . . . . . . . . . 29
+ 6. Client Authentication . . . . . . . . . . . . . . . . . . . . 43
+ 7. Compatibility Mode . . . . . . . . . . . . . . . . . . . . . 55
+ 8. Security Considerations . . . . . . . . . . . . . . . . . . . 67
+ 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 67
+ 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 67
+ 10.1. Normative References . . . . . . . . . . . . . . . . . . 67
+ 10.2. Informative References . . . . . . . . . . . . . . . . . 67
+ Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 68
+ Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 68
+
+1. Introduction
+
+ TLS 1.3 [TLS13] defines a new key schedule and a number of new
+ cryptographic operations. This document includes sample handshakes
+ that show all intermediate values. This allows an implementation to
+ be verified incrementally, examining inputs and outputs of each
+ cryptographic computation independently.
+
+ A private key is included with the traces so that implementations can
+ be checked by importing these values and verifying that the same
+ outputs are produced.
+
+ Note: Invocations of HMAC-based Extract-and-Expand Key Derivation
+ Function (HKDF) [RFC5869] are not labeled, but they can be
+ identified through the use of the labels used by HKDF.
+
+2. Private Keys
+
+ Ephemeral private keys are shown as they are generated in the traces.
+
+ The server in most examples uses an RSA certificate with a private
+ key of:
+
+ modulus (public): b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c
+ 0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab
+ bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87
+ a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f
+ da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0
+ 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e
+ 3f
+
+
+
+
+Thomson Informational [Page 2]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ public exponent: 01 00 01
+
+ private exponent: 04 de a7 05 d4 3a 6e a7 20 9d d8 07 21 11 a8 3c 81
+ e3 22 a5 92 78 b3 34 80 64 1e af 7c 0a 69 85 b8 e3 1c 44 f6 de 62
+ e1 b4 c2 30 9f 61 26 e7 7b 7c 41 e9 23 31 4b bf a3 88 13 05 dc 12
+ 17 f1 6c 81 9c e5 38 e9 22 f3 69 82 8d 0e 57 19 5d 8c 84 88 46 02
+ 07 b2 fa a7 26 bc f7 08 bb d7 db 7f 67 9f 89 34 92 fc 2a 62 2e 08
+ 97 0a ac 44 1c e4 e0 c3 08 8d f2 5a e6 79 23 3d f8 a3 bd a2 ff 99
+ 41
+
+ prime1: e4 35 fb 7c c8 37 37 75 6d ac ea 96 ab 7f 59 a2 cc 10 69 db
+ 7d eb 19 0e 17 e3 3a 53 2b 27 3f 30 a3 27 aa 0a aa bc 58 cd 67 46
+ 6a f9 84 5f ad c6 75 fe 09 4a f9 2c 4b d1 f2 c1 bc 33 dd 2e 05 15
+
+ prime2: ca bd 3b c0 e0 43 86 64 c8 d4 cc 9f 99 97 7a 94 d9 bb fe ad
+ 8e 43 87 0a ba e3 f7 eb 8b 4e 0e ee 8a f1 d9 b4 71 9b a6 19 6c f2
+ cb ba ee eb f8 b3 49 0a fe 9e 9f fa 74 a8 8a a5 1f c6 45 62 93 03
+
+ exponent1: 3f 57 34 5c 27 fe 1b 68 7e 6e 76 16 27 b7 8b 1b 82 64 33
+ dd 76 0f a0 be a6 a6 ac f3 94 90 aa 1b 47 cd a4 86 9d 68 f5 84 dd
+ 5b 50 29 bd 32 09 3b 82 58 66 1f e7 15 02 5e 5d 70 a4 5a 08 d3 d3
+ 19
+
+ exponent2: 18 3d a0 13 63 bd 2f 28 85 ca cb dc 99 64 bf 47 64 f1 51
+ 76 36 f8 64 01 28 6f 71 89 3c 52 cc fe 40 a6 c2 3d 0d 08 6b 47 c6
+ fb 10 d8 fd 10 41 e0 4d ef 7e 9a 40 ce 95 7c 41 77 94 e1 04 12 d1
+ 39
+
+ coefficient: 83 9c a9 a0 85 e4 28 6b 2c 90 e4 66 99 7a 2c 68 1f 21
+ 33 9a a3 47 78 14 e4 de c1 18 33 05 0e d5 0d d1 3c c0 38 04 8a 43
+ c5 9b 2a cc 41 68 89 c0 37 66 5f e5 af a6 05 96 9f 8c 01 df a5 ca
+ 96 9d
+
+3. Simple 1-RTT Handshake
+
+ In this example, the simplest possible handshake is completed. The
+ server is authenticated, but the client remains anonymous. After
+ connecting, a few application data octets are exchanged. The server
+ sends a session ticket that permits the use of 0-RTT data in any
+ resumed session.
+
+ {client} create an ephemeral x25519 key pair:
+
+ private key (32 octets): 49 af 42 ba 7f 79 94 85 2d 71 3e f2 78
+ 4b cb ca a7 91 1d e2 6a dc 56 42 cb 63 45 40 e7 ea 50 05
+
+ public key (32 octets): 99 38 1d e5 60 e4 bd 43 d2 3d 8e 43 5a 7d
+ ba fe b3 c0 6e 51 c1 3c ae 4d 54 13 69 1e 52 9a af 2c
+
+
+
+Thomson Informational [Page 3]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ {client} construct a ClientHello handshake message:
+
+ ClientHello (196 octets): 01 00 00 c0 03 03 cb 34 ec b1 e7 81 63
+ ba 1c 38 c6 da cb 19 6a 6d ff a2 1a 8d 99 12 ec 18 a2 ef 62 83
+ 02 4d ec e7 00 00 06 13 01 13 03 13 02 01 00 00 91 00 00 00 0b
+ 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00
+ 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 23
+ 00 00 00 33 00 26 00 24 00 1d 00 20 99 38 1d e5 60 e4 bd 43 d2
+ 3d 8e 43 5a 7d ba fe b3 c0 6e 51 c1 3c ae 4d 54 13 69 1e 52 9a
+ af 2c 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03
+ 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06
+ 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01
+
+ {client} send handshake record:
+
+ payload (196 octets): 01 00 00 c0 03 03 cb 34 ec b1 e7 81 63 ba
+ 1c 38 c6 da cb 19 6a 6d ff a2 1a 8d 99 12 ec 18 a2 ef 62 83 02
+ 4d ec e7 00 00 06 13 01 13 03 13 02 01 00 00 91 00 00 00 0b 00
+ 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12
+ 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 23 00
+ 00 00 33 00 26 00 24 00 1d 00 20 99 38 1d e5 60 e4 bd 43 d2 3d
+ 8e 43 5a 7d ba fe b3 c0 6e 51 c1 3c ae 4d 54 13 69 1e 52 9a af
+ 2c 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03 02
+ 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02
+ 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01
+
+ complete record (201 octets): 16 03 01 00 c4 01 00 00 c0 03 03 cb
+ 34 ec b1 e7 81 63 ba 1c 38 c6 da cb 19 6a 6d ff a2 1a 8d 99 12
+ ec 18 a2 ef 62 83 02 4d ec e7 00 00 06 13 01 13 03 13 02 01 00
+ 00 91 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01
+ 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02
+ 01 03 01 04 00 23 00 00 00 33 00 26 00 24 00 1d 00 20 99 38 1d
+ e5 60 e4 bd 43 d2 3d 8e 43 5a 7d ba fe b3 c0 6e 51 c1 3c ae 4d
+ 54 13 69 1e 52 9a af 2c 00 2b 00 03 02 03 04 00 0d 00 20 00 1e
+ 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02
+ 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01
+
+ {server} extract secret "early":
+
+ salt: 0 (all zero octets)
+
+ IKM (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+ secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
+ e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a
+
+
+
+
+
+Thomson Informational [Page 4]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ {server} create an ephemeral x25519 key pair:
+
+ private key (32 octets): b1 58 0e ea df 6d d5 89 b8 ef 4f 2d 56
+ 52 57 8c c8 10 e9 98 01 91 ec 8d 05 83 08 ce a2 16 a2 1e
+
+ public key (32 octets): c9 82 88 76 11 20 95 fe 66 76 2b db f7 c6
+ 72 e1 56 d6 cc 25 3b 83 3d f1 dd 69 b1 b0 4e 75 1f 0f
+
+ {server} construct a ServerHello handshake message:
+
+ ServerHello (90 octets): 02 00 00 56 03 03 a6 af 06 a4 12 18 60
+ dc 5e 6e 60 24 9c d3 4c 95 93 0c 8a c5 cb 14 34 da c1 55 77 2e
+ d3 e2 69 28 00 13 01 00 00 2e 00 33 00 24 00 1d 00 20 c9 82 88
+ 76 11 20 95 fe 66 76 2b db f7 c6 72 e1 56 d6 cc 25 3b 83 3d f1
+ dd 69 b1 b0 4e 75 1f 0f 00 2b 00 02 03 04
+
+ {server} derive secret for handshake "tls13 derived":
+
+ PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
+ 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a
+
+ hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
+ 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
+ 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
+ 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ expanded (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba
+ b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba
+
+ {server} extract secret "handshake":
+
+ salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
+ 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba
+
+ IKM (32 octets): 8b d4 05 4f b5 5b 9d 63 fd fb ac f9 f0 4b 9f 0d
+ 35 e6 d6 3f 53 75 63 ef d4 62 72 90 0f 89 49 2d
+
+ secret (32 octets): 1d c8 26 e9 36 06 aa 6f dc 0a ad c1 2f 74 1b
+ 01 04 6a a6 b9 9f 69 1e d2 21 a9 f0 ca 04 3f be ac
+
+ {server} derive secret "tls13 c hs traffic":
+
+ PRK (32 octets): 1d c8 26 e9 36 06 aa 6f dc 0a ad c1 2f 74 1b 01
+ 04 6a a6 b9 9f 69 1e d2 21 a9 f0 ca 04 3f be ac
+
+
+
+
+
+Thomson Informational [Page 5]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ hash (32 octets): 86 0c 06 ed c0 78 58 ee 8e 78 f0 e7 42 8c 58 ed
+ d6 b4 3f 2c a3 e6 e9 5f 02 ed 06 3c f0 e1 ca d8
+
+ info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72
+ 61 66 66 69 63 20 86 0c 06 ed c0 78 58 ee 8e 78 f0 e7 42 8c 58
+ ed d6 b4 3f 2c a3 e6 e9 5f 02 ed 06 3c f0 e1 ca d8
+
+ expanded (32 octets): b3 ed db 12 6e 06 7f 35 a7 80 b3 ab f4 5e
+ 2d 8f 3b 1a 95 07 38 f5 2e 96 00 74 6a 0e 27 a5 5a 21
+
+ {server} derive secret "tls13 s hs traffic":
+
+ PRK (32 octets): 1d c8 26 e9 36 06 aa 6f dc 0a ad c1 2f 74 1b 01
+ 04 6a a6 b9 9f 69 1e d2 21 a9 f0 ca 04 3f be ac
+
+ hash (32 octets): 86 0c 06 ed c0 78 58 ee 8e 78 f0 e7 42 8c 58 ed
+ d6 b4 3f 2c a3 e6 e9 5f 02 ed 06 3c f0 e1 ca d8
+
+ info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
+ 61 66 66 69 63 20 86 0c 06 ed c0 78 58 ee 8e 78 f0 e7 42 8c 58
+ ed d6 b4 3f 2c a3 e6 e9 5f 02 ed 06 3c f0 e1 ca d8
+
+ expanded (32 octets): b6 7b 7d 69 0c c1 6c 4e 75 e5 42 13 cb 2d
+ 37 b4 e9 c9 12 bc de d9 10 5d 42 be fd 59 d3 91 ad 38
+
+ {server} derive secret for master "tls13 derived":
+
+ PRK (32 octets): 1d c8 26 e9 36 06 aa 6f dc 0a ad c1 2f 74 1b 01
+ 04 6a a6 b9 9f 69 1e d2 21 a9 f0 ca 04 3f be ac
+
+ hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
+ 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
+ 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
+ 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ expanded (32 octets): 43 de 77 e0 c7 77 13 85 9a 94 4d b9 db 25
+ 90 b5 31 90 a6 5b 3e e2 e4 f1 2d d7 a0 bb 7c e2 54 b4
+
+ {server} extract secret "master":
+
+ salt (32 octets): 43 de 77 e0 c7 77 13 85 9a 94 4d b9 db 25 90 b5
+ 31 90 a6 5b 3e e2 e4 f1 2d d7 a0 bb 7c e2 54 b4
+
+ IKM (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+
+
+
+Thomson Informational [Page 6]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ secret (32 octets): 18 df 06 84 3d 13 a0 8b f2 a4 49 84 4c 5f 8a
+ 47 80 01 bc 4d 4c 62 79 84 d5 a4 1d a8 d0 40 29 19
+
+ {server} send handshake record:
+
+ payload (90 octets): 02 00 00 56 03 03 a6 af 06 a4 12 18 60 dc 5e
+ 6e 60 24 9c d3 4c 95 93 0c 8a c5 cb 14 34 da c1 55 77 2e d3 e2
+ 69 28 00 13 01 00 00 2e 00 33 00 24 00 1d 00 20 c9 82 88 76 11
+ 20 95 fe 66 76 2b db f7 c6 72 e1 56 d6 cc 25 3b 83 3d f1 dd 69
+ b1 b0 4e 75 1f 0f 00 2b 00 02 03 04
+
+ complete record (95 octets): 16 03 03 00 5a 02 00 00 56 03 03 a6
+ af 06 a4 12 18 60 dc 5e 6e 60 24 9c d3 4c 95 93 0c 8a c5 cb 14
+ 34 da c1 55 77 2e d3 e2 69 28 00 13 01 00 00 2e 00 33 00 24 00
+ 1d 00 20 c9 82 88 76 11 20 95 fe 66 76 2b db f7 c6 72 e1 56 d6
+ cc 25 3b 83 3d f1 dd 69 b1 b0 4e 75 1f 0f 00 2b 00 02 03 04
+
+ {server} derive write traffic keys for handshake data:
+
+ PRK (32 octets): b6 7b 7d 69 0c c1 6c 4e 75 e5 42 13 cb 2d 37 b4
+ e9 c9 12 bc de d9 10 5d 42 be fd 59 d3 91 ad 38
+
+ key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
+
+ key expanded (16 octets): 3f ce 51 60 09 c2 17 27 d0 f2 e4 e8 6e
+ e4 03 bc
+
+ iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
+
+ iv expanded (12 octets): 5d 31 3e b2 67 12 76 ee 13 00 0b 30
+
+ {server} construct an EncryptedExtensions handshake message:
+
+ EncryptedExtensions (40 octets): 08 00 00 24 00 22 00 0a 00 14 00
+ 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c
+ 00 02 40 01 00 00 00 00
+
+ {server} construct a Certificate handshake message:
+
+ Certificate (445 octets): 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82
+ 01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48
+ 86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03
+ 72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17
+ 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06
+ 03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7
+ 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f
+ 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26
+ d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c
+
+
+
+Thomson Informational [Page 7]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52
+ 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74
+ 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93
+ ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03
+ 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06
+ 03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01
+ 01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a
+ 72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea
+ e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01
+ 51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be
+ c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b
+ 1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8
+ 96 12 29 ac 91 87 b4 2b 4d e1 00 00
+
+ {server} construct a CertificateVerify handshake message:
+
+ CertificateVerify (136 octets): 0f 00 00 84 08 04 00 80 5a 74 7c
+ 5d 88 fa 9b d2 e5 5a b0 85 a6 10 15 b7 21 1f 82 4c d4 84 14 5a
+ b3 ff 52 f1 fd a8 47 7b 0b 7a bc 90 db 78 e2 d3 3a 5c 14 1a 07
+ 86 53 fa 6b ef 78 0c 5e a2 48 ee aa a7 85 c4 f3 94 ca b6 d3 0b
+ be 8d 48 59 ee 51 1f 60 29 57 b1 54 11 ac 02 76 71 45 9e 46 44
+ 5c 9e a5 8c 18 1e 81 8e 95 b8 c3 fb 0b f3 27 84 09 d3 be 15 2a
+ 3d a5 04 3e 06 3d da 65 cd f5 ae a2 0d 53 df ac d4 2f 74 f3
+
+ {server} calculate finished "tls13 finished":
+
+ PRK (32 octets): b6 7b 7d 69 0c c1 6c 4e 75 e5 42 13 cb 2d 37 b4
+ e9 c9 12 bc de d9 10 5d 42 be fd 59 d3 91 ad 38
+
+ hash (0 octets): (empty)
+
+ info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
+ 64 00
+
+ expanded (32 octets): 00 8d 3b 66 f8 16 ea 55 9f 96 b5 37 e8 85
+ c3 1f c0 68 bf 49 2c 65 2f 01 f2 88 a1 d8 cd c1 9f c8
+
+ finished (32 octets): 9b 9b 14 1d 90 63 37 fb d2 cb dc e7 1d f4
+ de da 4a b4 2c 30 95 72 cb 7f ff ee 54 54 b7 8f 07 18
+
+ {server} construct a Finished handshake message:
+
+ Finished (36 octets): 14 00 00 20 9b 9b 14 1d 90 63 37 fb d2 cb
+ dc e7 1d f4 de da 4a b4 2c 30 95 72 cb 7f ff ee 54 54 b7 8f 07
+ 18
+
+
+
+
+
+
+Thomson Informational [Page 8]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ {server} send handshake record:
+
+ payload (657 octets): 08 00 00 24 00 22 00 0a 00 14 00 12 00 1d
+ 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 00 02 40
+ 01 00 00 00 00 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30
+ 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d
+ 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61
+ 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36
+ 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04
+ 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01
+ 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f 82 79 30
+ 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a
+ 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e
+ aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01
+ 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53
+ 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab
+ 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 01 00 01
+ a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d
+ 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05
+ 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17
+ 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea e8 f8 a5
+ 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 51 56 72
+ 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be c1 fc 63
+ a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1c 3b 84
+ e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 96 12 29
+ ac 91 87 b4 2b 4d e1 00 00 0f 00 00 84 08 04 00 80 5a 74 7c 5d
+ 88 fa 9b d2 e5 5a b0 85 a6 10 15 b7 21 1f 82 4c d4 84 14 5a b3
+ ff 52 f1 fd a8 47 7b 0b 7a bc 90 db 78 e2 d3 3a 5c 14 1a 07 86
+ 53 fa 6b ef 78 0c 5e a2 48 ee aa a7 85 c4 f3 94 ca b6 d3 0b be
+ 8d 48 59 ee 51 1f 60 29 57 b1 54 11 ac 02 76 71 45 9e 46 44 5c
+ 9e a5 8c 18 1e 81 8e 95 b8 c3 fb 0b f3 27 84 09 d3 be 15 2a 3d
+ a5 04 3e 06 3d da 65 cd f5 ae a2 0d 53 df ac d4 2f 74 f3 14 00
+ 00 20 9b 9b 14 1d 90 63 37 fb d2 cb dc e7 1d f4 de da 4a b4 2c
+ 30 95 72 cb 7f ff ee 54 54 b7 8f 07 18
+
+ complete record (679 octets): 17 03 03 02 a2 d1 ff 33 4a 56 f5 bf
+ f6 59 4a 07 cc 87 b5 80 23 3f 50 0f 45 e4 89 e7 f3 3a f3 5e df
+ 78 69 fc f4 0a a4 0a a2 b8 ea 73 f8 48 a7 ca 07 61 2e f9 f9 45
+ cb 96 0b 40 68 90 51 23 ea 78 b1 11 b4 29 ba 91 91 cd 05 d2 a3
+ 89 28 0f 52 61 34 aa dc 7f c7 8c 4b 72 9d f8 28 b5 ec f7 b1 3b
+ d9 ae fb 0e 57 f2 71 58 5b 8e a9 bb 35 5c 7c 79 02 07 16 cf b9
+ b1 18 3e f3 ab 20 e3 7d 57 a6 b9 d7 47 76 09 ae e6 e1 22 a4 cf
+ 51 42 73 25 25 0c 7d 0e 50 92 89 44 4c 9b 3a 64 8f 1d 71 03 5d
+ 2e d6 5b 0e 3c dd 0c ba e8 bf 2d 0b 22 78 12 cb b3 60 98 72 55
+ cc 74 41 10 c4 53 ba a4 fc d6 10 92 8d 80 98 10 e4 b7 ed 1a 8f
+ d9 91 f0 6a a6 24 82 04 79 7e 36 a6 a7 3b 70 a2 55 9c 09 ea d6
+ 86 94 5b a2 46 ab 66 e5 ed d8 04 4b 4c 6d e3 fc f2 a8 94 41 ac
+ 66 27 2f d8 fb 33 0e f8 19 05 79 b3 68 45 96 c9 60 bd 59 6e ea
+
+
+
+Thomson Informational [Page 9]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ 52 0a 56 a8 d6 50 f5 63 aa d2 74 09 96 0d ca 63 d3 e6 88 61 1e
+ a5 e2 2f 44 15 cf 95 38 d5 1a 20 0c 27 03 42 72 96 8a 26 4e d6
+ 54 0c 84 83 8d 89 f7 2c 24 46 1a ad 6d 26 f5 9e ca ba 9a cb bb
+ 31 7b 66 d9 02 f4 f2 92 a3 6a c1 b6 39 c6 37 ce 34 31 17 b6 59
+ 62 22 45 31 7b 49 ee da 0c 62 58 f1 00 d7 d9 61 ff b1 38 64 7e
+ 92 ea 33 0f ae ea 6d fa 31 c7 a8 4d c3 bd 7e 1b 7a 6c 71 78 af
+ 36 87 90 18 e3 f2 52 10 7f 24 3d 24 3d c7 33 9d 56 84 c8 b0 37
+ 8b f3 02 44 da 8c 87 c8 43 f5 e5 6e b4 c5 e8 28 0a 2b 48 05 2c
+ f9 3b 16 49 9a 66 db 7c ca 71 e4 59 94 26 f7 d4 61 e6 6f 99 88
+ 2b d8 9f c5 08 00 be cc a6 2d 6c 74 11 6d bd 29 72 fd a1 fa 80
+ f8 5d f8 81 ed be 5a 37 66 89 36 b3 35 58 3b 59 91 86 dc 5c 69
+ 18 a3 96 fa 48 a1 81 d6 b6 fa 4f 9d 62 d5 13 af bb 99 2f 2b 99
+ 2f 67 f8 af e6 7f 76 91 3f a3 88 cb 56 30 c8 ca 01 e0 c6 5d 11
+ c6 6a 1e 2a c4 c8 59 77 b7 c7 a6 99 9b bf 10 dc 35 ae 69 f5 51
+ 56 14 63 6c 0b 9b 68 c1 9e d2 e3 1c 0b 3b 66 76 30 38 eb ba 42
+ f3 b3 8e dc 03 99 f3 a9 f2 3f aa 63 97 8c 31 7f c9 fa 66 a7 3f
+ 60 f0 50 4d e9 3b 5b 84 5e 27 55 92 c1 23 35 ee 34 0b bc 4f dd
+ d5 02 78 40 16 e4 b3 be 7e f0 4d da 49 f4 b4 40 a3 0c b5 d2 af
+ 93 98 28 fd 4a e3 79 4e 44 f9 4d f5 a6 31 ed e4 2c 17 19 bf da
+ bf 02 53 fe 51 75 be 89 8e 75 0e dc 53 37 0d 2b
+
+ {server} derive secret "tls13 c ap traffic":
+
+ PRK (32 octets): 18 df 06 84 3d 13 a0 8b f2 a4 49 84 4c 5f 8a 47
+ 80 01 bc 4d 4c 62 79 84 d5 a4 1d a8 d0 40 29 19
+
+ hash (32 octets): 96 08 10 2a 0f 1c cc 6d b6 25 0b 7b 7e 41 7b 1a
+ 00 0e aa da 3d aa e4 77 7a 76 86 c9 ff 83 df 13
+
+ info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72
+ 61 66 66 69 63 20 96 08 10 2a 0f 1c cc 6d b6 25 0b 7b 7e 41 7b
+ 1a 00 0e aa da 3d aa e4 77 7a 76 86 c9 ff 83 df 13
+
+ expanded (32 octets): 9e 40 64 6c e7 9a 7f 9d c0 5a f8 88 9b ce
+ 65 52 87 5a fa 0b 06 df 00 87 f7 92 eb b7 c1 75 04 a5
+
+ {server} derive secret "tls13 s ap traffic":
+
+ PRK (32 octets): 18 df 06 84 3d 13 a0 8b f2 a4 49 84 4c 5f 8a 47
+ 80 01 bc 4d 4c 62 79 84 d5 a4 1d a8 d0 40 29 19
+
+ hash (32 octets): 96 08 10 2a 0f 1c cc 6d b6 25 0b 7b 7e 41 7b 1a
+ 00 0e aa da 3d aa e4 77 7a 76 86 c9 ff 83 df 13
+
+ info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72
+ 61 66 66 69 63 20 96 08 10 2a 0f 1c cc 6d b6 25 0b 7b 7e 41 7b
+ 1a 00 0e aa da 3d aa e4 77 7a 76 86 c9 ff 83 df 13
+
+
+
+
+Thomson Informational [Page 10]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ expanded (32 octets): a1 1a f9 f0 55 31 f8 56 ad 47 11 6b 45 a9
+ 50 32 82 04 b4 f4 4b fb 6b 3a 4b 4f 1f 3f cb 63 16 43
+
+ {server} derive secret "tls13 exp master":
+
+ PRK (32 octets): 18 df 06 84 3d 13 a0 8b f2 a4 49 84 4c 5f 8a 47
+ 80 01 bc 4d 4c 62 79 84 d5 a4 1d a8 d0 40 29 19
+
+ hash (32 octets): 96 08 10 2a 0f 1c cc 6d b6 25 0b 7b 7e 41 7b 1a
+ 00 0e aa da 3d aa e4 77 7a 76 86 c9 ff 83 df 13
+
+ info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73
+ 74 65 72 20 96 08 10 2a 0f 1c cc 6d b6 25 0b 7b 7e 41 7b 1a 00
+ 0e aa da 3d aa e4 77 7a 76 86 c9 ff 83 df 13
+
+ expanded (32 octets): fe 22 f8 81 17 6e da 18 eb 8f 44 52 9e 67
+ 92 c5 0c 9a 3f 89 45 2f 68 d8 ae 31 1b 43 09 d3 cf 50
+
+ {server} derive write traffic keys for application data:
+
+ PRK (32 octets): a1 1a f9 f0 55 31 f8 56 ad 47 11 6b 45 a9 50 32
+ 82 04 b4 f4 4b fb 6b 3a 4b 4f 1f 3f cb 63 16 43
+
+ key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
+
+ key expanded (16 octets): 9f 02 28 3b 6c 9c 07 ef c2 6b b9 f2 ac
+ 92 e3 56
+
+ iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
+
+ iv expanded (12 octets): cf 78 2b 88 dd 83 54 9a ad f1 e9 84
+
+ {server} derive read traffic keys for handshake data:
+
+ PRK (32 octets): b3 ed db 12 6e 06 7f 35 a7 80 b3 ab f4 5e 2d 8f
+ 3b 1a 95 07 38 f5 2e 96 00 74 6a 0e 27 a5 5a 21
+
+ key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
+
+ key expanded (16 octets): db fa a6 93 d1 76 2c 5b 66 6a f5 d9 50
+ 25 8d 01
+
+ iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
+
+ iv expanded (12 octets): 5b d3 c7 1b 83 6e 0b 76 bb 73 26 5f
+
+ {client} extract secret "early" (same as server early secret)
+
+
+
+
+Thomson Informational [Page 11]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ {client} derive secret for handshake "tls13 derived":
+
+ PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
+ 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a
+
+ hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
+ 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
+ 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
+ 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ expanded (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba
+ b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba
+
+ {client} extract secret "handshake" (same as server handshake
+ secret)
+
+ {client} derive secret "tls13 c hs traffic" (same as server)
+
+ {client} derive secret "tls13 s hs traffic" (same as server)
+
+ {client} derive secret for master "tls13 derived" (same as server)
+
+ {client} extract secret "master" (same as server master secret)
+
+ {client} derive read traffic keys for handshake data (same as server
+ handshake data write traffic keys)
+
+ {client} calculate finished "tls13 finished" (same as server)
+
+ {client} derive secret "tls13 c ap traffic" (same as server)
+
+ {client} derive secret "tls13 s ap traffic" (same as server)
+
+ {client} derive secret "tls13 exp master" (same as server)
+
+ {client} derive write traffic keys for handshake data (same as
+ server handshake data read traffic keys)
+
+ {client} derive read traffic keys for application data (same as
+ server application data write traffic keys)
+
+ {client} calculate finished "tls13 finished":
+
+ PRK (32 octets): b3 ed db 12 6e 06 7f 35 a7 80 b3 ab f4 5e 2d 8f
+ 3b 1a 95 07 38 f5 2e 96 00 74 6a 0e 27 a5 5a 21
+
+
+
+
+Thomson Informational [Page 12]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ hash (0 octets): (empty)
+
+ info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
+ 64 00
+
+ expanded (32 octets): b8 0a d0 10 15 fb 2f 0b d6 5f f7 d4 da 5d
+ 6b f8 3f 84 82 1d 1f 87 fd c7 d3 c7 5b 5a 7b 42 d9 c4
+
+ finished (32 octets): a8 ec 43 6d 67 76 34 ae 52 5a c1 fc eb e1
+ 1a 03 9e c1 76 94 fa c6 e9 85 27 b6 42 f2 ed d5 ce 61
+
+ {client} construct a Finished handshake message:
+
+ Finished (36 octets): 14 00 00 20 a8 ec 43 6d 67 76 34 ae 52 5a
+ c1 fc eb e1 1a 03 9e c1 76 94 fa c6 e9 85 27 b6 42 f2 ed d5 ce
+ 61
+
+ {client} send handshake record:
+
+ payload (36 octets): 14 00 00 20 a8 ec 43 6d 67 76 34 ae 52 5a c1
+ fc eb e1 1a 03 9e c1 76 94 fa c6 e9 85 27 b6 42 f2 ed d5 ce 61
+
+ complete record (58 octets): 17 03 03 00 35 75 ec 4d c2 38 cc e6
+ 0b 29 80 44 a7 1e 21 9c 56 cc 77 b0 51 7f e9 b9 3c 7a 4b fc 44
+ d8 7f 38 f8 03 38 ac 98 fc 46 de b3 84 bd 1c ae ac ab 68 67 d7
+ 26 c4 05 46
+
+ {client} derive write traffic keys for application data:
+
+ PRK (32 octets): 9e 40 64 6c e7 9a 7f 9d c0 5a f8 88 9b ce 65 52
+ 87 5a fa 0b 06 df 00 87 f7 92 eb b7 c1 75 04 a5
+
+ key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
+
+ key expanded (16 octets): 17 42 2d da 59 6e d5 d9 ac d8 90 e3 c6
+ 3f 50 51
+
+ iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
+
+ iv expanded (12 octets): 5b 78 92 3d ee 08 57 90 33 e5 23 d9
+
+ {client} derive secret "tls13 res master":
+
+ PRK (32 octets): 18 df 06 84 3d 13 a0 8b f2 a4 49 84 4c 5f 8a 47
+ 80 01 bc 4d 4c 62 79 84 d5 a4 1d a8 d0 40 29 19
+
+ hash (32 octets): 20 91 45 a9 6e e8 e2 a1 22 ff 81 00 47 cc 95 26
+ 84 65 8d 60 49 e8 64 29 42 6d b8 7c 54 ad 14 3d
+
+
+
+Thomson Informational [Page 13]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73
+ 74 65 72 20 20 91 45 a9 6e e8 e2 a1 22 ff 81 00 47 cc 95 26 84
+ 65 8d 60 49 e8 64 29 42 6d b8 7c 54 ad 14 3d
+
+ expanded (32 octets): 7d f2 35 f2 03 1d 2a 05 12 87 d0 2b 02 41
+ b0 bf da f8 6c c8 56 23 1f 2d 5a ba 46 c4 34 ec 19 6c
+
+ {server} calculate finished "tls13 finished" (same as client)
+
+ {server} derive read traffic keys for application data (same as
+ client application data write traffic keys)
+
+ {server} derive secret "tls13 res master" (same as client)
+
+ {server} generate resumption secret "tls13 resumption":
+
+ PRK (32 octets): 7d f2 35 f2 03 1d 2a 05 12 87 d0 2b 02 41 b0 bf
+ da f8 6c c8 56 23 1f 2d 5a ba 46 c4 34 ec 19 6c
+
+ hash (2 octets): 00 00
+
+ info (22 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 75 6d 70 74
+ 69 6f 6e 02 00 00
+
+ expanded (32 octets): 4e cd 0e b6 ec 3b 4d 87 f5 d6 02 8f 92 2c
+ a4 c5 85 1a 27 7f d4 13 11 c9 e6 2d 2c 94 92 e1 c4 f3
+
+ {server} construct a NewSessionTicket handshake message:
+
+ NewSessionTicket (205 octets): 04 00 00 c9 00 00 00 1e fa d6 aa
+ c5 02 00 00 00 b2 2c 03 5d 82 93 59 ee 5f f7 af 4e c9 00 00 00
+ 00 26 2a 64 94 dc 48 6d 2c 8a 34 cb 33 fa 90 bf 1b 00 70 ad 3c
+ 49 88 83 c9 36 7c 09 a2 be 78 5a bc 55 cd 22 60 97 a3 a9 82 11
+ 72 83 f8 2a 03 a1 43 ef d3 ff 5d d3 6d 64 e8 61 be 7f d6 1d 28
+ 27 db 27 9c ce 14 50 77 d4 54 a3 66 4d 4e 6d a4 d2 9e e0 37 25
+ a6 a4 da fc d0 fc 67 d2 ae a7 05 29 51 3e 3d a2 67 7f a5 90 6c
+ 5b 3f 7d 8f 92 f2 28 bd a4 0d da 72 14 70 f9 fb f2 97 b5 ae a6
+ 17 64 6f ac 5c 03 27 2e 97 07 27 c6 21 a7 91 41 ef 5f 7d e6 50
+ 5e 5b fb c3 88 e9 33 43 69 40 93 93 4a e4 d3 57 00 08 00 2a 00
+ 04 00 00 04 00
+
+ {server} send handshake record:
+
+ payload (205 octets): 04 00 00 c9 00 00 00 1e fa d6 aa c5 02 00
+ 00 00 b2 2c 03 5d 82 93 59 ee 5f f7 af 4e c9 00 00 00 00 26 2a
+ 64 94 dc 48 6d 2c 8a 34 cb 33 fa 90 bf 1b 00 70 ad 3c 49 88 83
+ c9 36 7c 09 a2 be 78 5a bc 55 cd 22 60 97 a3 a9 82 11 72 83 f8
+ 2a 03 a1 43 ef d3 ff 5d d3 6d 64 e8 61 be 7f d6 1d 28 27 db 27
+
+
+
+Thomson Informational [Page 14]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ 9c ce 14 50 77 d4 54 a3 66 4d 4e 6d a4 d2 9e e0 37 25 a6 a4 da
+ fc d0 fc 67 d2 ae a7 05 29 51 3e 3d a2 67 7f a5 90 6c 5b 3f 7d
+ 8f 92 f2 28 bd a4 0d da 72 14 70 f9 fb f2 97 b5 ae a6 17 64 6f
+ ac 5c 03 27 2e 97 07 27 c6 21 a7 91 41 ef 5f 7d e6 50 5e 5b fb
+ c3 88 e9 33 43 69 40 93 93 4a e4 d3 57 00 08 00 2a 00 04 00 00
+ 04 00
+
+ complete record (227 octets): 17 03 03 00 de 3a 6b 8f 90 41 4a 97
+ d6 95 9c 34 87 68 0d e5 13 4a 2b 24 0e 6c ff ac 11 6e 95 d4 1d
+ 6a f8 f6 b5 80 dc f3 d1 1d 63 c7 58 db 28 9a 01 59 40 25 2f 55
+ 71 3e 06 1d c1 3e 07 88 91 a3 8e fb cf 57 53 ad 8e f1 70 ad 3c
+ 73 53 d1 6d 9d a7 73 b9 ca 7f 2b 9f a1 b6 c0 d4 a3 d0 3f 75 e0
+ 9c 30 ba 1e 62 97 2a c4 6f 75 f7 b9 81 be 63 43 9b 29 99 ce 13
+ 06 46 15 13 98 91 d5 e4 c5 b4 06 f1 6e 3f c1 81 a7 7c a4 75 84
+ 00 25 db 2f 0a 77 f8 1b 5a b0 5b 94 c0 13 46 75 5f 69 23 2c 86
+ 51 9d 86 cb ee ac 87 aa c3 47 d1 43 f9 60 5d 64 f6 50 db 4d 02
+ 3e 70 e9 52 ca 49 fe 51 37 12 1c 74 bc 26 97 68 7e 24 87 46 d6
+ df 35 30 05 f3 bc e1 86 96 12 9c 81 53 55 6b 3b 6c 67 79 b3 7b
+ f1 59 85 68 4f
+
+ {client} generate resumption secret "tls13 resumption" (same as
+ server)
+
+ {client} send application_data record:
+
+ payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e
+ 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23
+ 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31
+
+ complete record (72 octets): 17 03 03 00 43 a2 3f 70 54 b6 2c 94
+ d0 af fa fe 82 28 ba 55 cb ef ac ea 42 f9 14 aa 66 bc ab 3f 2b
+ 98 19 a8 a5 b4 6b 39 5b d5 4a 9a 20 44 1e 2b 62 97 4e 1f 5a 62
+ 92 a2 97 70 14 bd 1e 3d ea e6 3a ee bb 21 69 49 15 e4
+
+ {server} send application_data record:
+
+ payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e
+ 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23
+ 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31
+
+ complete record (72 octets): 17 03 03 00 43 2e 93 7e 11 ef 4a c7
+ 40 e5 38 ad 36 00 5f c4 a4 69 32 fc 32 25 d0 5f 82 aa 1b 36 e3
+ 0e fa f9 7d 90 e6 df fc 60 2d cb 50 1a 59 a8 fc c4 9c 4b f2 e5
+ f0 a2 1c 00 47 c2 ab f3 32 54 0d d0 32 e1 67 c2 95 5d
+
+ {client} send alert record:
+
+ payload (2 octets): 01 00
+
+
+
+Thomson Informational [Page 15]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ complete record (24 octets): 17 03 03 00 13 c9 87 27 60 65 56 66
+ b7 4d 7f f1 15 3e fd 6d b6 d0 b0 e3
+
+ {server} send alert record:
+
+ payload (2 octets): 01 00
+
+ complete record (24 octets): 17 03 03 00 13 b5 8f d6 71 66 eb f5
+ 99 d2 47 20 cf be 7e fa 7a 88 64 a9
+
+4. Resumed 0-RTT Handshake
+
+ This handshake resumes from the handshake in Section 3. Since the
+ server provided a session ticket that permitted 0-RTT, and the client
+ is configured for 0-RTT, the client is able to send 0-RTT data.
+
+ Note: The PSK binder uses the same construction as Finished and so is
+ labeled as finished here.
+
+ {client} create an ephemeral x25519 key pair:
+
+ private key (32 octets): bf f9 11 88 28 38 46 dd 6a 21 34 ef 71
+ 80 ca 2b 0b 14 fb 10 dc e7 07 b5 09 8c 0d dd c8 13 b2 df
+
+ public key (32 octets): e4 ff b6 8a c0 5f 8d 96 c9 9d a2 66 98 34
+ 6c 6b e1 64 82 ba dd da fe 05 1a 66 b4 f1 8d 66 8f 0b
+
+ {client} extract secret "early":
+
+ salt: 0 (all zero octets)
+
+ IKM (32 octets): 4e cd 0e b6 ec 3b 4d 87 f5 d6 02 8f 92 2c a4 c5
+ 85 1a 27 7f d4 13 11 c9 e6 2d 2c 94 92 e1 c4 f3
+
+ secret (32 octets): 9b 21 88 e9 b2 fc 6d 64 d7 1d c3 29 90 0e 20
+ bb 41 91 50 00 f6 78 aa 83 9c bb 79 7c b7 d8 33 2c
+
+ {client} construct a ClientHello handshake message:
+
+ ClientHello (477 octets): 01 00 01 fc 03 03 1b c3 ce b6 bb e3 9c
+ ff 93 83 55 b5 a5 0a db 6d b2 1b 7a 6a f6 49 d7 b4 bc 41 9d 78
+ 76 48 7d 95 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b
+ 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00
+ 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33
+ 00 26 00 24 00 1d 00 20 e4 ff b6 8a c0 5f 8d 96 c9 9d a2 66 98
+ 34 6c 6b e1 64 82 ba dd da fe 05 1a 66 b4 f1 8d 66 8f 0b 00 2a
+ 00 00 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03
+ 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06
+
+
+
+Thomson Informational [Page 16]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01 00 15 00 57 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 29 00 dd 00 b8 00 b2 2c 03 5d 82 93 59 ee 5f f7 af 4e c9
+ 00 00 00 00 26 2a 64 94 dc 48 6d 2c 8a 34 cb 33 fa 90 bf 1b 00
+ 70 ad 3c 49 88 83 c9 36 7c 09 a2 be 78 5a bc 55 cd 22 60 97 a3
+ a9 82 11 72 83 f8 2a 03 a1 43 ef d3 ff 5d d3 6d 64 e8 61 be 7f
+ d6 1d 28 27 db 27 9c ce 14 50 77 d4 54 a3 66 4d 4e 6d a4 d2 9e
+ e0 37 25 a6 a4 da fc d0 fc 67 d2 ae a7 05 29 51 3e 3d a2 67 7f
+ a5 90 6c 5b 3f 7d 8f 92 f2 28 bd a4 0d da 72 14 70 f9 fb f2 97
+ b5 ae a6 17 64 6f ac 5c 03 27 2e 97 07 27 c6 21 a7 91 41 ef 5f
+ 7d e6 50 5e 5b fb c3 88 e9 33 43 69 40 93 93 4a e4 d3 57 fa d6
+ aa cb
+
+ {client} calculate PSK binder:
+
+ ClientHello prefix (477 octets): 01 00 01 fc 03 03 1b c3 ce b6 bb
+ e3 9c ff 93 83 55 b5 a5 0a db 6d b2 1b 7a 6a f6 49 d7 b4 bc 41
+ 9d 78 76 48 7d 95 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00
+ 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00
+ 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04
+ 00 33 00 26 00 24 00 1d 00 20 e4 ff b6 8a c0 5f 8d 96 c9 9d a2
+ 66 98 34 6c 6b e1 64 82 ba dd da fe 05 1a 66 b4 f1 8d 66 8f 0b
+ 00 2a 00 00 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03
+ 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05
+ 02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01 00 15 00 57
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 29 00 dd 00 b8 00 b2 2c 03 5d 82 93 59 ee 5f f7 af
+ 4e c9 00 00 00 00 26 2a 64 94 dc 48 6d 2c 8a 34 cb 33 fa 90 bf
+ 1b 00 70 ad 3c 49 88 83 c9 36 7c 09 a2 be 78 5a bc 55 cd 22 60
+ 97 a3 a9 82 11 72 83 f8 2a 03 a1 43 ef d3 ff 5d d3 6d 64 e8 61
+ be 7f d6 1d 28 27 db 27 9c ce 14 50 77 d4 54 a3 66 4d 4e 6d a4
+ d2 9e e0 37 25 a6 a4 da fc d0 fc 67 d2 ae a7 05 29 51 3e 3d a2
+ 67 7f a5 90 6c 5b 3f 7d 8f 92 f2 28 bd a4 0d da 72 14 70 f9 fb
+ f2 97 b5 ae a6 17 64 6f ac 5c 03 27 2e 97 07 27 c6 21 a7 91 41
+ ef 5f 7d e6 50 5e 5b fb c3 88 e9 33 43 69 40 93 93 4a e4 d3 57
+ fa d6 aa cb
+
+ binder hash (32 octets): 63 22 4b 2e 45 73 f2 d3 45 4c a8 4b 9d
+ 00 9a 04 f6 be 9e 05 71 1a 83 96 47 3a ef a0 1e 92 4a 14
+
+ PRK (32 octets): 69 fe 13 1a 3b ba d5 d6 3c 64 ee bc c3 0e 39 5b
+ 9d 81 07 72 6a 13 d0 74 e3 89 db c8 a4 e4 72 56
+
+
+
+Thomson Informational [Page 17]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ hash (0 octets): (empty)
+
+ info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
+ 64 00
+
+ expanded (32 octets): 55 88 67 3e 72 cb 59 c8 7d 22 0c af fe 94
+ f2 de a9 a3 b1 60 9f 7d 50 e9 0a 48 22 7d b9 ed 7e aa
+
+ finished (32 octets): 3a dd 4f b2 d8 fd f8 22 a0 ca 3c f7 67 8e
+ f5 e8 8d ae 99 01 41 c5 92 4d 57 bb 6f a3 1b 9e 5f 9d
+
+ {client} send handshake record:
+
+ payload (512 octets): 01 00 01 fc 03 03 1b c3 ce b6 bb e3 9c ff
+ 93 83 55 b5 a5 0a db 6d b2 1b 7a 6a f6 49 d7 b4 bc 41 9d 78 76
+ 48 7d 95 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00
+ 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12
+ 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00
+ 26 00 24 00 1d 00 20 e4 ff b6 8a c0 5f 8d 96 c9 9d a2 66 98 34
+ 6c 6b e1 64 82 ba dd da fe 05 1a 66 b4 f1 8d 66 8f 0b 00 2a 00
+ 00 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03 02
+ 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02
+ 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01 00 15 00 57 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 29 00 dd 00 b8 00 b2 2c 03 5d 82 93 59 ee 5f f7 af 4e c9 00
+ 00 00 00 26 2a 64 94 dc 48 6d 2c 8a 34 cb 33 fa 90 bf 1b 00 70
+ ad 3c 49 88 83 c9 36 7c 09 a2 be 78 5a bc 55 cd 22 60 97 a3 a9
+ 82 11 72 83 f8 2a 03 a1 43 ef d3 ff 5d d3 6d 64 e8 61 be 7f d6
+ 1d 28 27 db 27 9c ce 14 50 77 d4 54 a3 66 4d 4e 6d a4 d2 9e e0
+ 37 25 a6 a4 da fc d0 fc 67 d2 ae a7 05 29 51 3e 3d a2 67 7f a5
+ 90 6c 5b 3f 7d 8f 92 f2 28 bd a4 0d da 72 14 70 f9 fb f2 97 b5
+ ae a6 17 64 6f ac 5c 03 27 2e 97 07 27 c6 21 a7 91 41 ef 5f 7d
+ e6 50 5e 5b fb c3 88 e9 33 43 69 40 93 93 4a e4 d3 57 fa d6 aa
+ cb 00 21 20 3a dd 4f b2 d8 fd f8 22 a0 ca 3c f7 67 8e f5 e8 8d
+ ae 99 01 41 c5 92 4d 57 bb 6f a3 1b 9e 5f 9d
+
+ complete record (517 octets): 16 03 01 02 00 01 00 01 fc 03 03 1b
+ c3 ce b6 bb e3 9c ff 93 83 55 b5 a5 0a db 6d b2 1b 7a 6a f6 49
+ d7 b4 bc 41 9d 78 76 48 7d 95 00 00 06 13 01 13 03 13 02 01 00
+ 01 cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01
+ 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02
+ 01 03 01 04 00 33 00 26 00 24 00 1d 00 20 e4 ff b6 8a c0 5f 8d
+ 96 c9 9d a2 66 98 34 6c 6b e1 64 82 ba dd da fe 05 1a 66 b4 f1
+ 8d 66 8f 0b 00 2a 00 00 00 2b 00 03 02 03 04 00 0d 00 20 00 1e
+ 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02
+
+
+
+Thomson Informational [Page 18]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01
+ 00 15 00 57 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 29 00 dd 00 b8 00 b2 2c 03 5d 82 93 59
+ ee 5f f7 af 4e c9 00 00 00 00 26 2a 64 94 dc 48 6d 2c 8a 34 cb
+ 33 fa 90 bf 1b 00 70 ad 3c 49 88 83 c9 36 7c 09 a2 be 78 5a bc
+ 55 cd 22 60 97 a3 a9 82 11 72 83 f8 2a 03 a1 43 ef d3 ff 5d d3
+ 6d 64 e8 61 be 7f d6 1d 28 27 db 27 9c ce 14 50 77 d4 54 a3 66
+ 4d 4e 6d a4 d2 9e e0 37 25 a6 a4 da fc d0 fc 67 d2 ae a7 05 29
+ 51 3e 3d a2 67 7f a5 90 6c 5b 3f 7d 8f 92 f2 28 bd a4 0d da 72
+ 14 70 f9 fb f2 97 b5 ae a6 17 64 6f ac 5c 03 27 2e 97 07 27 c6
+ 21 a7 91 41 ef 5f 7d e6 50 5e 5b fb c3 88 e9 33 43 69 40 93 93
+ 4a e4 d3 57 fa d6 aa cb 00 21 20 3a dd 4f b2 d8 fd f8 22 a0 ca
+ 3c f7 67 8e f5 e8 8d ae 99 01 41 c5 92 4d 57 bb 6f a3 1b 9e 5f
+ 9d
+
+ {client} derive secret "tls13 c e traffic":
+
+ PRK (32 octets): 9b 21 88 e9 b2 fc 6d 64 d7 1d c3 29 90 0e 20 bb
+ 41 91 50 00 f6 78 aa 83 9c bb 79 7c b7 d8 33 2c
+
+ hash (32 octets): 08 ad 0f a0 5d 7c 72 33 b1 77 5b a2 ff 9f 4c 5b
+ 8b 59 27 6b 7f 22 7f 13 a9 76 24 5f 5d 96 09 13
+
+ info (53 octets): 00 20 11 74 6c 73 31 33 20 63 20 65 20 74 72 61
+ 66 66 69 63 20 08 ad 0f a0 5d 7c 72 33 b1 77 5b a2 ff 9f 4c 5b
+ 8b 59 27 6b 7f 22 7f 13 a9 76 24 5f 5d 96 09 13
+
+ expanded (32 octets): 3f bb e6 a6 0d eb 66 c3 0a 32 79 5a ba 0e
+ ff 7e aa 10 10 55 86 e7 be 5c 09 67 8d 63 b6 ca ab 62
+
+ {client} derive secret "tls13 e exp master":
+
+ PRK (32 octets): 9b 21 88 e9 b2 fc 6d 64 d7 1d c3 29 90 0e 20 bb
+ 41 91 50 00 f6 78 aa 83 9c bb 79 7c b7 d8 33 2c
+
+ hash (32 octets): 08 ad 0f a0 5d 7c 72 33 b1 77 5b a2 ff 9f 4c 5b
+ 8b 59 27 6b 7f 22 7f 13 a9 76 24 5f 5d 96 09 13
+
+ info (54 octets): 00 20 12 74 6c 73 31 33 20 65 20 65 78 70 20 6d
+ 61 73 74 65 72 20 08 ad 0f a0 5d 7c 72 33 b1 77 5b a2 ff 9f 4c
+ 5b 8b 59 27 6b 7f 22 7f 13 a9 76 24 5f 5d 96 09 13
+
+ expanded (32 octets): b2 02 68 66 61 09 37 d7 42 3e 5b e9 08 62
+ cc f2 4c 0e 60 91 18 6d 34 f8 12 08 9f f5 be 2e f7 df
+
+
+
+
+Thomson Informational [Page 19]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ {client} derive write traffic keys for early application data:
+
+ PRK (32 octets): 3f bb e6 a6 0d eb 66 c3 0a 32 79 5a ba 0e ff 7e
+ aa 10 10 55 86 e7 be 5c 09 67 8d 63 b6 ca ab 62
+
+ key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
+
+ key expanded (16 octets): 92 02 05 a5 b7 bf 21 15 e6 fc 5c 29 42
+ 83 4f 54
+
+ iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
+
+ iv expanded (12 octets): 6d 47 5f 09 93 c8 e5 64 61 0d b2 b9
+
+ {client} send application_data record:
+
+ payload (6 octets): 41 42 43 44 45 46
+
+ complete record (28 octets): 17 03 03 00 17 ab 1d f4 20 e7 5c 45
+ 7a 7c c5 d2 84 4f 76 d5 ae e4 b4 ed bf 04 9b e0
+
+ {server} extract secret "early" (same as client early secret)
+
+ {server} calculate PSK binder (same as client):
+
+ {server} create an ephemeral x25519 key pair:
+
+ private key (32 octets): de 5b 44 76 e7 b4 90 b2 65 2d 33 8a cb
+ f2 94 80 66 f2 55 f9 44 0e 23 b9 8f c6 98 35 29 8d c1 07
+
+ public key (32 octets): 12 17 61 ee 42 c3 33 e1 b9 e7 7b 60 dd 57
+ c2 05 3c d9 45 12 ab 47 f1 15 e8 6e ff 50 94 2c ea 31
+
+ {server} derive secret "tls13 c e traffic" (same as client)
+
+ {server} derive secret "tls13 e exp master" (same as client)
+
+ {server} construct a ServerHello handshake message:
+
+ ServerHello (96 octets): 02 00 00 5c 03 03 3c cf d2 de c8 90 22
+ 27 63 47 2a e8 13 67 77 c9 d7 35 87 77 bb 66 e9 1e a5 12 24 95
+ f5 59 ea 2d 00 13 01 00 00 34 00 29 00 02 00 00 00 33 00 24 00
+ 1d 00 20 12 17 61 ee 42 c3 33 e1 b9 e7 7b 60 dd 57 c2 05 3c d9
+ 45 12 ab 47 f1 15 e8 6e ff 50 94 2c ea 31 00 2b 00 02 03 04
+
+
+
+
+
+
+
+Thomson Informational [Page 20]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ {server} derive secret for handshake "tls13 derived":
+
+ PRK (32 octets): 9b 21 88 e9 b2 fc 6d 64 d7 1d c3 29 90 0e 20 bb
+ 41 91 50 00 f6 78 aa 83 9c bb 79 7c b7 d8 33 2c
+
+ hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
+ 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
+ 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
+ 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ expanded (32 octets): 5f 17 90 bb d8 2c 5e 7d 37 6e d2 e1 e5 2f
+ 8e 60 38 c9 34 6d b6 1b 43 be 9a 52 f7 7e f3 99 8e 80
+
+ {server} extract secret "handshake":
+
+ salt (32 octets): 5f 17 90 bb d8 2c 5e 7d 37 6e d2 e1 e5 2f 8e 60
+ 38 c9 34 6d b6 1b 43 be 9a 52 f7 7e f3 99 8e 80
+
+ IKM (32 octets): f4 41 94 75 6f f9 ec 9d 25 18 06 35 d6 6e a6 82
+ 4c 6a b3 bf 17 99 77 be 37 f7 23 57 0e 7c cb 2e
+
+ secret (32 octets): 00 5c b1 12 fd 8e b4 cc c6 23 bb 88 a0 7c 64
+ b3 ed e1 60 53 63 fc 7d 0d f8 c7 ce 4f f0 fb 4a e6
+
+ {server} derive secret "tls13 c hs traffic":
+
+ PRK (32 octets): 00 5c b1 12 fd 8e b4 cc c6 23 bb 88 a0 7c 64 b3
+ ed e1 60 53 63 fc 7d 0d f8 c7 ce 4f f0 fb 4a e6
+
+ hash (32 octets): f7 36 cb 34 fe 25 e7 01 55 1b ee 6f d2 4c 1c c7
+ 10 2a 7d af 94 05 cb 15 d9 7a af e1 6f 75 7d 03
+
+ info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72
+ 61 66 66 69 63 20 f7 36 cb 34 fe 25 e7 01 55 1b ee 6f d2 4c 1c
+ c7 10 2a 7d af 94 05 cb 15 d9 7a af e1 6f 75 7d 03
+
+ expanded (32 octets): 2f aa c0 8f 85 1d 35 fe a3 60 4f cb 4d e8
+ 2d c6 2c 9b 16 4a 70 97 4d 04 62 e2 7f 1a b2 78 70 0f
+
+ {server} derive secret "tls13 s hs traffic":
+
+ PRK (32 octets): 00 5c b1 12 fd 8e b4 cc c6 23 bb 88 a0 7c 64 b3
+ ed e1 60 53 63 fc 7d 0d f8 c7 ce 4f f0 fb 4a e6
+
+ hash (32 octets): f7 36 cb 34 fe 25 e7 01 55 1b ee 6f d2 4c 1c c7
+ 10 2a 7d af 94 05 cb 15 d9 7a af e1 6f 75 7d 03
+
+
+
+Thomson Informational [Page 21]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
+ 61 66 66 69 63 20 f7 36 cb 34 fe 25 e7 01 55 1b ee 6f d2 4c 1c
+ c7 10 2a 7d af 94 05 cb 15 d9 7a af e1 6f 75 7d 03
+
+ expanded (32 octets): fe 92 7a e2 71 31 2e 8b f0 27 5b 58 1c 54
+ ee f0 20 45 0d c4 ec ff aa 05 a1 a3 5d 27 51 8e 78 03
+
+ {server} derive secret for master "tls13 derived":
+
+ PRK (32 octets): 00 5c b1 12 fd 8e b4 cc c6 23 bb 88 a0 7c 64 b3
+ ed e1 60 53 63 fc 7d 0d f8 c7 ce 4f f0 fb 4a e6
+
+ hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
+ 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
+ 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
+ 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ expanded (32 octets): e2 f1 60 30 25 1d f0 87 4b a1 9b 9a ba 25
+ 76 10 bc 6d 53 1c 1d d2 06 df 0c a6 e8 4a e2 a2 67 42
+
+ {server} extract secret "master":
+
+ salt (32 octets): e2 f1 60 30 25 1d f0 87 4b a1 9b 9a ba 25 76 10
+ bc 6d 53 1c 1d d2 06 df 0c a6 e8 4a e2 a2 67 42
+
+ IKM (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+ secret (32 octets): e2 d3 2d 4e d6 6d d3 78 97 a0 e8 0c 84 10 75
+ 03 ce 58 bf 8a ad 4c b5 5a 50 02 d7 7e cb 89 0e ce
+
+ {server} send handshake record:
+
+ payload (96 octets): 02 00 00 5c 03 03 3c cf d2 de c8 90 22 27 63
+ 47 2a e8 13 67 77 c9 d7 35 87 77 bb 66 e9 1e a5 12 24 95 f5 59
+ ea 2d 00 13 01 00 00 34 00 29 00 02 00 00 00 33 00 24 00 1d 00
+ 20 12 17 61 ee 42 c3 33 e1 b9 e7 7b 60 dd 57 c2 05 3c d9 45 12
+ ab 47 f1 15 e8 6e ff 50 94 2c ea 31 00 2b 00 02 03 04
+
+ complete record (101 octets): 16 03 03 00 60 02 00 00 5c 03 03 3c
+ cf d2 de c8 90 22 27 63 47 2a e8 13 67 77 c9 d7 35 87 77 bb 66
+ e9 1e a5 12 24 95 f5 59 ea 2d 00 13 01 00 00 34 00 29 00 02 00
+ 00 00 33 00 24 00 1d 00 20 12 17 61 ee 42 c3 33 e1 b9 e7 7b 60
+ dd 57 c2 05 3c d9 45 12 ab 47 f1 15 e8 6e ff 50 94 2c ea 31 00
+ 2b 00 02 03 04
+
+
+
+
+Thomson Informational [Page 22]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ {server} derive write traffic keys for handshake data:
+
+ PRK (32 octets): fe 92 7a e2 71 31 2e 8b f0 27 5b 58 1c 54 ee f0
+ 20 45 0d c4 ec ff aa 05 a1 a3 5d 27 51 8e 78 03
+
+ key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
+
+ key expanded (16 octets): 27 c6 bd c0 a3 dc ea 39 a4 73 26 d7 9b
+ c9 e4 ee
+
+ iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
+
+ iv expanded (12 octets): 95 69 ec dd 4d 05 36 70 5e 9e f7 25
+
+ {server} construct an EncryptedExtensions handshake message:
+
+ EncryptedExtensions (44 octets): 08 00 00 28 00 26 00 0a 00 14 00
+ 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c
+ 00 02 40 01 00 00 00 00 00 2a 00 00
+
+ {server} calculate finished "tls13 finished":
+
+ PRK (32 octets): fe 92 7a e2 71 31 2e 8b f0 27 5b 58 1c 54 ee f0
+ 20 45 0d c4 ec ff aa 05 a1 a3 5d 27 51 8e 78 03
+
+ hash (0 octets): (empty)
+
+ info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
+ 64 00
+
+ expanded (32 octets): 4b b7 4c ae 7a 5d c8 91 46 04 c0 bf be 2f
+ 0c 06 23 96 88 39 22 be c8 a1 5e 2a 9b 53 2a 5d 39 2c
+
+ finished (32 octets): 48 d3 e0 e1 b3 d9 07 c6 ac ff 14 5e 16 09
+ 03 88 c7 7b 05 c0 50 b6 34 ab 1a 88 bb d0 dd 1a 34 b2
+
+ {server} construct a Finished handshake message:
+
+ Finished (36 octets): 14 00 00 20 48 d3 e0 e1 b3 d9 07 c6 ac ff
+ 14 5e 16 09 03 88 c7 7b 05 c0 50 b6 34 ab 1a 88 bb d0 dd 1a 34
+ b2
+
+
+
+
+
+
+
+
+
+
+Thomson Informational [Page 23]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ {server} send handshake record:
+
+ payload (80 octets): 08 00 00 28 00 26 00 0a 00 14 00 12 00 1d 00
+ 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 00 02 40 01
+ 00 00 00 00 00 2a 00 00 14 00 00 20 48 d3 e0 e1 b3 d9 07 c6 ac
+ ff 14 5e 16 09 03 88 c7 7b 05 c0 50 b6 34 ab 1a 88 bb d0 dd 1a
+ 34 b2
+
+ complete record (102 octets): 17 03 03 00 61 dc 48 23 7b 4b 87 9f
+ 50 d0 d4 d2 62 ea 8b 47 16 eb 40 dd c1 eb 95 7e 11 12 6e 8a 71
+ 49 c2 d0 12 d3 7a 71 15 95 7e 64 ce 30 00 8b 9e 03 23 f2 c0 5a
+ 9c 1c 77 b4 f3 78 49 a6 95 ab 25 50 60 a3 3f ee 77 0c a9 5c b8
+ 48 6b fd 08 43 b8 70 24 86 5c a3 5c c4 1c 4e 51 5c 64 dc b1 36
+ 9f 98 63 5b c7 a5
+
+ {server} derive secret "tls13 c ap traffic":
+
+ PRK (32 octets): e2 d3 2d 4e d6 6d d3 78 97 a0 e8 0c 84 10 75 03
+ ce 58 bf 8a ad 4c b5 5a 50 02 d7 7e cb 89 0e ce
+
+ hash (32 octets): b0 ae ff c4 6a 2c fe 33 11 4e 6f d7 d5 1f 9f 04
+ b1 ca 3c 49 7d ab 08 93 4a 77 4a 9d 9a d7 db f3
+
+ info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72
+ 61 66 66 69 63 20 b0 ae ff c4 6a 2c fe 33 11 4e 6f d7 d5 1f 9f
+ 04 b1 ca 3c 49 7d ab 08 93 4a 77 4a 9d 9a d7 db f3
+
+ expanded (32 octets): 2a bb f2 b8 e3 81 d2 3d be be 1d d2 a7 d1
+ 6a 8b f4 84 cb 49 50 d2 3f b7 fb 7f a8 54 70 62 d9 a1
+
+ {server} derive secret "tls13 s ap traffic":
+
+ PRK (32 octets): e2 d3 2d 4e d6 6d d3 78 97 a0 e8 0c 84 10 75 03
+ ce 58 bf 8a ad 4c b5 5a 50 02 d7 7e cb 89 0e ce
+
+ hash (32 octets): b0 ae ff c4 6a 2c fe 33 11 4e 6f d7 d5 1f 9f 04
+ b1 ca 3c 49 7d ab 08 93 4a 77 4a 9d 9a d7 db f3
+
+ info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72
+ 61 66 66 69 63 20 b0 ae ff c4 6a 2c fe 33 11 4e 6f d7 d5 1f 9f
+ 04 b1 ca 3c 49 7d ab 08 93 4a 77 4a 9d 9a d7 db f3
+
+ expanded (32 octets): cc 21 f1 bf 8f eb 7d d5 fa 50 5b d9 c4 b4
+ 68 a9 98 4d 55 4a 99 3d c4 9e 6d 28 55 98 fb 67 26 91
+
+
+
+
+
+
+
+Thomson Informational [Page 24]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ {server} derive secret "tls13 exp master":
+
+ PRK (32 octets): e2 d3 2d 4e d6 6d d3 78 97 a0 e8 0c 84 10 75 03
+ ce 58 bf 8a ad 4c b5 5a 50 02 d7 7e cb 89 0e ce
+
+ hash (32 octets): b0 ae ff c4 6a 2c fe 33 11 4e 6f d7 d5 1f 9f 04
+ b1 ca 3c 49 7d ab 08 93 4a 77 4a 9d 9a d7 db f3
+
+ info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73
+ 74 65 72 20 b0 ae ff c4 6a 2c fe 33 11 4e 6f d7 d5 1f 9f 04 b1
+ ca 3c 49 7d ab 08 93 4a 77 4a 9d 9a d7 db f3
+
+ expanded (32 octets): 3f d9 3d 4f fd dc 98 e6 4b 14 dd 10 7a ed
+ f8 ee 4a dd 23 f4 51 0f 58 a4 59 2d 0b 20 1b ee 56 b4
+
+ {server} derive write traffic keys for application data:
+
+ PRK (32 octets): cc 21 f1 bf 8f eb 7d d5 fa 50 5b d9 c4 b4 68 a9
+ 98 4d 55 4a 99 3d c4 9e 6d 28 55 98 fb 67 26 91
+
+ key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
+
+ key expanded (16 octets): e8 57 c6 90 a3 4c 5a 91 29 d8 33 61 96
+ 84 f9 5e
+
+ iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
+
+ iv expanded (12 octets): 06 85 d6 b5 61 aa b9 ef 10 13 fa f9
+
+ {server} derive read traffic keys for early application data (same
+ as client early application data write traffic keys)
+
+ {client} derive secret for handshake "tls13 derived":
+
+ PRK (32 octets): 9b 21 88 e9 b2 fc 6d 64 d7 1d c3 29 90 0e 20 bb
+ 41 91 50 00 f6 78 aa 83 9c bb 79 7c b7 d8 33 2c
+
+ hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
+ 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
+ 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
+ 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ expanded (32 octets): 5f 17 90 bb d8 2c 5e 7d 37 6e d2 e1 e5 2f
+ 8e 60 38 c9 34 6d b6 1b 43 be 9a 52 f7 7e f3 99 8e 80
+
+
+
+
+
+Thomson Informational [Page 25]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ {client} extract secret "handshake" (same as server handshake
+ secret)
+
+ {client} derive secret "tls13 c hs traffic" (same as server)
+
+ {client} derive secret "tls13 s hs traffic" (same as server)
+
+ {client} derive secret for master "tls13 derived" (same as server)
+
+ {client} extract secret "master" (same as server master secret)
+
+ {client} derive read traffic keys for handshake data (same as server
+ handshake data write traffic keys)
+
+ {client} calculate finished "tls13 finished" (same as server)
+
+ {client} derive secret "tls13 c ap traffic" (same as server)
+
+ {client} derive secret "tls13 s ap traffic" (same as server)
+
+ {client} derive secret "tls13 exp master" (same as server)
+
+ {client} construct an EndOfEarlyData handshake message:
+
+ EndOfEarlyData (4 octets): 05 00 00 00
+
+ {client} send handshake record:
+
+ payload (4 octets): 05 00 00 00
+
+ complete record (26 octets): 17 03 03 00 15 ac a6 fc 94 48 41 29
+ 8d f9 95 93 72 5f 9b f9 75 44 29 b1 2f 09
+
+ {client} derive write traffic keys for handshake data:
+
+ PRK (32 octets): 2f aa c0 8f 85 1d 35 fe a3 60 4f cb 4d e8 2d c6
+ 2c 9b 16 4a 70 97 4d 04 62 e2 7f 1a b2 78 70 0f
+
+ key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
+
+ key expanded (16 octets): b1 53 08 06 f4 ad fe ac 83 f1 41 30 32
+ bb fa 82
+
+ iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
+
+ iv expanded (12 octets): eb 50 c1 6b e7 65 4a bf 99 dd 06 d9
+
+
+
+
+
+Thomson Informational [Page 26]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ {client} derive read traffic keys for application data (same as
+ server application data write traffic keys)
+
+ {client} calculate finished "tls13 finished":
+
+ PRK (32 octets): 2f aa c0 8f 85 1d 35 fe a3 60 4f cb 4d e8 2d c6
+ 2c 9b 16 4a 70 97 4d 04 62 e2 7f 1a b2 78 70 0f
+
+ hash (0 octets): (empty)
+
+ info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
+ 64 00
+
+ expanded (32 octets): 5a ce 39 4c 26 98 0d 58 12 43 f6 27 d1 15
+ 0a e2 7e 37 fa 52 36 4e 0a 7f 20 ac 68 6d 09 cd 0e 8e
+
+ finished (32 octets): 72 30 a9 c9 52 c2 5c d6 13 8f c5 e6 62 83
+ 08 c4 1c 53 35 dd 81 b9 f9 6b ce a5 0f d3 2b da 41 6d
+
+ {client} construct a Finished handshake message:
+
+ Finished (36 octets): 14 00 00 20 72 30 a9 c9 52 c2 5c d6 13 8f
+ c5 e6 62 83 08 c4 1c 53 35 dd 81 b9 f9 6b ce a5 0f d3 2b da 41
+ 6d
+
+ {client} send handshake record:
+
+ payload (36 octets): 14 00 00 20 72 30 a9 c9 52 c2 5c d6 13 8f c5
+ e6 62 83 08 c4 1c 53 35 dd 81 b9 f9 6b ce a5 0f d3 2b da 41 6d
+
+ complete record (58 octets): 17 03 03 00 35 00 f8 b4 67 d1 4c f2
+ 2a 4b 3f 0b 6a e0 d8 e6 cc 8d 08 e0 db 35 15 ef 5c 2b df 19 22
+ ea fb b7 00 09 96 47 16 d8 34 fb 70 c3 d2 a5 6c 5b 1f 5f 6b db
+ a6 c3 33 cf
+
+ {client} derive write traffic keys for application data:
+
+ PRK (32 octets): 2a bb f2 b8 e3 81 d2 3d be be 1d d2 a7 d1 6a 8b
+ f4 84 cb 49 50 d2 3f b7 fb 7f a8 54 70 62 d9 a1
+
+ key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
+
+ key expanded (16 octets): 3c f1 22 f3 01 c6 35 8c a7 98 95 53 25
+ 0e fd 72
+
+ iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
+
+ iv expanded (12 octets): ab 1a ec 26 aa 78 b8 fc 11 76 b9 ac
+
+
+
+Thomson Informational [Page 27]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ {client} derive secret "tls13 res master":
+
+ PRK (32 octets): e2 d3 2d 4e d6 6d d3 78 97 a0 e8 0c 84 10 75 03
+ ce 58 bf 8a ad 4c b5 5a 50 02 d7 7e cb 89 0e ce
+
+ hash (32 octets): c3 c1 22 e0 bd 90 7a 4a 3f f6 11 2d 8f d5 3d bf
+ 89 c7 73 d9 55 2e 8b 6b 9d 56 d3 61 b3 a9 7b f6
+
+ info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73
+ 74 65 72 20 c3 c1 22 e0 bd 90 7a 4a 3f f6 11 2d 8f d5 3d bf 89
+ c7 73 d9 55 2e 8b 6b 9d 56 d3 61 b3 a9 7b f6
+
+ expanded (32 octets): 5e 95 bd f1 f8 90 05 ea 2e 9a a0 ba 85 e7
+ 28 e3 c1 9c 5f e0 c6 99 e3 f5 be e5 9f ae bd 0b 54 06
+
+ {server} derive read traffic keys for handshake data (same as client
+ handshake data write traffic keys)
+
+ {server} calculate finished "tls13 finished" (same as client)
+
+ {server} derive read traffic keys for application data (same as
+ client application data write traffic keys)
+
+ {server} derive secret "tls13 res master" (same as client)
+
+ {client} send application_data record:
+
+ payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e
+ 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23
+ 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31
+
+ complete record (72 octets): 17 03 03 00 43 b1 ce bc e2 42 aa 20
+ 1b e9 ae 5e 1c b2 a9 aa 4b 33 d4 e8 66 af 1e db 06 89 19 23 77
+ 41 aa 03 1d 7a 74 d4 91 c9 9b 9d 4e 23 2b 74 20 6b c6 fb aa 04
+ fe 78 be 44 a9 b4 f5 43 20 a1 7e b7 69 92 af ac 31 03
+
+ {server} send application_data record:
+
+ payload (50 octets): 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e
+ 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23
+ 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31
+
+ complete record (72 octets): 17 03 03 00 43 27 5e 9f 20 ac ff 57
+ bc 00 06 57 d3 86 7d f0 39 cc cf 79 04 78 84 cf 75 77 17 46 f7
+ 40 b5 a8 3f 46 2a 09 54 c3 58 13 93 a2 03 a2 5a 7d d1 41 41 ef
+ 1a 37 90 0c db 62 ff 62 de e1 ba 39 ab 25 90 cb f1 94
+
+
+
+
+
+Thomson Informational [Page 28]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ {client} send alert record:
+
+ payload (2 octets): 01 00
+
+ complete record (24 octets): 17 03 03 00 13 0f ac ce 32 46 bd fc
+ 63 69 83 8d 6a 82 ae 6d e5 d4 22 dc
+
+ {server} send alert record:
+
+ payload (2 octets): 01 00
+
+ complete record (24 octets): 17 03 03 00 13 5b 18 af 44 4e 8e 1e
+ ec 71 58 fb 62 d8 f2 57 7d 37 ba 5d
+
+5. HelloRetryRequest
+
+ In this example, the client initiates a handshake with an X25519
+ [RFC7748] share. The server, however, prefers P-256
+ [FIPS.186-4.2013] and sends a HelloRetryRequest that requires the
+ client to generate a key share on the P-256 curve.
+
+ Note: The HelloRetryRequest uses the same handshake message type as
+ a ServerHello and so is labeled as ServerHello here.
+
+ {client} create an ephemeral x25519 key pair:
+
+ private key (32 octets): 0e d0 2f 8e 81 17 ef c7 5c a7 ac 32 aa
+ 7e 34 ed a6 4c dc 0d da d1 54 a5 e8 52 89 f9 59 f6 32 04
+
+ public key (32 octets): e8 e8 e3 f3 b9 3a 25 ed 97 a1 4a 7d ca cb
+ 8a 27 2c 62 88 e5 85 c6 48 4d 05 26 2f ca d0 62 ad 1f
+
+ {client} construct a ClientHello handshake message:
+
+ ClientHello (180 octets): 01 00 00 b0 03 03 b0 b1 c5 a5 aa 37 c5
+ 91 9f 2e d1 d5 c6 ff f7 fc b7 84 97 16 94 5a 2b 8c ee 92 58 a3
+ 46 67 7b 6f 00 00 06 13 01 13 03 13 02 01 00 00 81 00 00 00 0b
+ 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00
+ 06 00 1d 00 17 00 18 00 33 00 26 00 24 00 1d 00 20 e8 e8 e3 f3
+ b9 3a 25 ed 97 a1 4a 7d ca cb 8a 27 2c 62 88 e5 85 c6 48 4d 05
+ 26 2f ca d0 62 ad 1f 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04
+ 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01
+ 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01
+
+
+
+
+
+
+
+
+Thomson Informational [Page 29]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ {client} send handshake record:
+
+ payload (180 octets): 01 00 00 b0 03 03 b0 b1 c5 a5 aa 37 c5 91
+ 9f 2e d1 d5 c6 ff f7 fc b7 84 97 16 94 5a 2b 8c ee 92 58 a3 46
+ 67 7b 6f 00 00 06 13 01 13 03 13 02 01 00 00 81 00 00 00 0b 00
+ 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06
+ 00 1d 00 17 00 18 00 33 00 26 00 24 00 1d 00 20 e8 e8 e3 f3 b9
+ 3a 25 ed 97 a1 4a 7d ca cb 8a 27 2c 62 88 e5 85 c6 48 4d 05 26
+ 2f ca d0 62 ad 1f 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03
+ 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04
+ 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01
+
+ complete record (185 octets): 16 03 01 00 b4 01 00 00 b0 03 03 b0
+ b1 c5 a5 aa 37 c5 91 9f 2e d1 d5 c6 ff f7 fc b7 84 97 16 94 5a
+ 2b 8c ee 92 58 a3 46 67 7b 6f 00 00 06 13 01 13 03 13 02 01 00
+ 00 81 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01
+ 00 00 0a 00 08 00 06 00 1d 00 17 00 18 00 33 00 26 00 24 00 1d
+ 00 20 e8 e8 e3 f3 b9 3a 25 ed 97 a1 4a 7d ca cb 8a 27 2c 62 88
+ e5 85 c6 48 4d 05 26 2f ca d0 62 ad 1f 00 2b 00 03 02 03 04 00
+ 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01
+ 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00
+ 1c 00 02 40 01
+
+ {server} construct a ServerHello handshake message:
+
+ ServerHello (176 octets): 02 00 00 ac 03 03 cf 21 ad 74 e5 9a 61
+ 11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 9e 09 e2
+ c8 a8 33 9c 00 13 01 00 00 84 00 33 00 02 00 17 00 2c 00 74 00
+ 72 71 dc d0 4b b8 8b c3 18 91 19 39 8a 00 00 00 00 ee fa fc 76
+ c1 46 b8 23 b0 96 f8 aa ca d3 65 dd 00 30 95 3f 4e df 62 56 36
+ e5 f2 1b b2 e2 3f cc 65 4b 1b 5b 40 31 8d 10 d1 37 ab cb b8 75
+ 74 e3 6e 8a 1f 02 5f 7d fa 5d 6e 50 78 1b 5e da 4a a1 5b 0c 8b
+ e7 78 25 7d 16 aa 30 30 e9 e7 84 1d d9 e4 c0 34 22 67 e8 ca 0c
+ af 57 1f b2 b7 cf f0 f9 34 b0 00 2b 00 02 03 04
+
+ {server} send handshake record:
+
+ payload (176 octets): 02 00 00 ac 03 03 cf 21 ad 74 e5 9a 61 11
+ be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 9e 09 e2 c8
+ a8 33 9c 00 13 01 00 00 84 00 33 00 02 00 17 00 2c 00 74 00 72
+ 71 dc d0 4b b8 8b c3 18 91 19 39 8a 00 00 00 00 ee fa fc 76 c1
+ 46 b8 23 b0 96 f8 aa ca d3 65 dd 00 30 95 3f 4e df 62 56 36 e5
+ f2 1b b2 e2 3f cc 65 4b 1b 5b 40 31 8d 10 d1 37 ab cb b8 75 74
+ e3 6e 8a 1f 02 5f 7d fa 5d 6e 50 78 1b 5e da 4a a1 5b 0c 8b e7
+ 78 25 7d 16 aa 30 30 e9 e7 84 1d d9 e4 c0 34 22 67 e8 ca 0c af
+ 57 1f b2 b7 cf f0 f9 34 b0 00 2b 00 02 03 04
+
+
+
+
+
+Thomson Informational [Page 30]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ complete record (181 octets): 16 03 03 00 b0 02 00 00 ac 03 03 cf
+ 21 ad 74 e5 9a 61 11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb
+ 8c 5e 07 9e 09 e2 c8 a8 33 9c 00 13 01 00 00 84 00 33 00 02 00
+ 17 00 2c 00 74 00 72 71 dc d0 4b b8 8b c3 18 91 19 39 8a 00 00
+ 00 00 ee fa fc 76 c1 46 b8 23 b0 96 f8 aa ca d3 65 dd 00 30 95
+ 3f 4e df 62 56 36 e5 f2 1b b2 e2 3f cc 65 4b 1b 5b 40 31 8d 10
+ d1 37 ab cb b8 75 74 e3 6e 8a 1f 02 5f 7d fa 5d 6e 50 78 1b 5e
+ da 4a a1 5b 0c 8b e7 78 25 7d 16 aa 30 30 e9 e7 84 1d d9 e4 c0
+ 34 22 67 e8 ca 0c af 57 1f b2 b7 cf f0 f9 34 b0 00 2b 00 02 03
+ 04
+
+ {client} create an ephemeral P-256 key pair:
+
+ private key (32 octets): ab 54 73 46 7e 19 34 6c eb 0a 04 14 e4
+ 1d a2 1d 4d 24 45 bc 30 25 af e9 7c 4e 8d c8 d5 13 da 39
+
+ public key (65 octets): 04 a6 da 73 92 ec 59 1e 17 ab fd 53 59 64
+ b9 98 94 d1 3b ef b2 21 b3 de f2 eb e3 83 0e ac 8f 01 51 81 26
+ 77 c4 d6 d2 23 7e 85 cf 01 d6 91 0c fb 83 95 4e 76 ba 73 52 83
+ 05 34 15 98 97 e8 06 57 80
+
+ {client} construct a ClientHello handshake message:
+
+ ClientHello (512 octets): 01 00 01 fc 03 03 b0 b1 c5 a5 aa 37 c5
+ 91 9f 2e d1 d5 c6 ff f7 fc b7 84 97 16 94 5a 2b 8c ee 92 58 a3
+ 46 67 7b 6f 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b
+ 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00
+ 06 00 1d 00 17 00 18 00 33 00 47 00 45 00 17 00 41 04 a6 da 73
+ 92 ec 59 1e 17 ab fd 53 59 64 b9 98 94 d1 3b ef b2 21 b3 de f2
+ eb e3 83 0e ac 8f 01 51 81 26 77 c4 d6 d2 23 7e 85 cf 01 d6 91
+ 0c fb 83 95 4e 76 ba 73 52 83 05 34 15 98 97 e8 06 57 80 00 2b
+ 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04
+ 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00
+ 2c 00 74 00 72 71 dc d0 4b b8 8b c3 18 91 19 39 8a 00 00 00 00
+ ee fa fc 76 c1 46 b8 23 b0 96 f8 aa ca d3 65 dd 00 30 95 3f 4e
+ df 62 56 36 e5 f2 1b b2 e2 3f cc 65 4b 1b 5b 40 31 8d 10 d1 37
+ ab cb b8 75 74 e3 6e 8a 1f 02 5f 7d fa 5d 6e 50 78 1b 5e da 4a
+ a1 5b 0c 8b e7 78 25 7d 16 aa 30 30 e9 e7 84 1d d9 e4 c0 34 22
+ 67 e8 ca 0c af 57 1f b2 b7 cf f0 f9 34 b0 00 2d 00 02 01 01 00
+ 1c 00 02 40 01 00 15 00 af 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+
+
+Thomson Informational [Page 31]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ {client} send handshake record:
+
+ payload (512 octets): 01 00 01 fc 03 03 b0 b1 c5 a5 aa 37 c5 91
+ 9f 2e d1 d5 c6 ff f7 fc b7 84 97 16 94 5a 2b 8c ee 92 58 a3 46
+ 67 7b 6f 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00
+ 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06
+ 00 1d 00 17 00 18 00 33 00 47 00 45 00 17 00 41 04 a6 da 73 92
+ ec 59 1e 17 ab fd 53 59 64 b9 98 94 d1 3b ef b2 21 b3 de f2 eb
+ e3 83 0e ac 8f 01 51 81 26 77 c4 d6 d2 23 7e 85 cf 01 d6 91 0c
+ fb 83 95 4e 76 ba 73 52 83 05 34 15 98 97 e8 06 57 80 00 2b 00
+ 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08
+ 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2c
+ 00 74 00 72 71 dc d0 4b b8 8b c3 18 91 19 39 8a 00 00 00 00 ee
+ fa fc 76 c1 46 b8 23 b0 96 f8 aa ca d3 65 dd 00 30 95 3f 4e df
+ 62 56 36 e5 f2 1b b2 e2 3f cc 65 4b 1b 5b 40 31 8d 10 d1 37 ab
+ cb b8 75 74 e3 6e 8a 1f 02 5f 7d fa 5d 6e 50 78 1b 5e da 4a a1
+ 5b 0c 8b e7 78 25 7d 16 aa 30 30 e9 e7 84 1d d9 e4 c0 34 22 67
+ e8 ca 0c af 57 1f b2 b7 cf f0 f9 34 b0 00 2d 00 02 01 01 00 1c
+ 00 02 40 01 00 15 00 af 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+ complete record (517 octets): 16 03 03 02 00 01 00 01 fc 03 03 b0
+ b1 c5 a5 aa 37 c5 91 9f 2e d1 d5 c6 ff f7 fc b7 84 97 16 94 5a
+ 2b 8c ee 92 58 a3 46 67 7b 6f 00 00 06 13 01 13 03 13 02 01 00
+ 01 cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01
+ 00 00 0a 00 08 00 06 00 1d 00 17 00 18 00 33 00 47 00 45 00 17
+ 00 41 04 a6 da 73 92 ec 59 1e 17 ab fd 53 59 64 b9 98 94 d1 3b
+ ef b2 21 b3 de f2 eb e3 83 0e ac 8f 01 51 81 26 77 c4 d6 d2 23
+ 7e 85 cf 01 d6 91 0c fb 83 95 4e 76 ba 73 52 83 05 34 15 98 97
+ e8 06 57 80 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03
+ 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05
+ 02 06 02 02 02 00 2c 00 74 00 72 71 dc d0 4b b8 8b c3 18 91 19
+ 39 8a 00 00 00 00 ee fa fc 76 c1 46 b8 23 b0 96 f8 aa ca d3 65
+ dd 00 30 95 3f 4e df 62 56 36 e5 f2 1b b2 e2 3f cc 65 4b 1b 5b
+ 40 31 8d 10 d1 37 ab cb b8 75 74 e3 6e 8a 1f 02 5f 7d fa 5d 6e
+ 50 78 1b 5e da 4a a1 5b 0c 8b e7 78 25 7d 16 aa 30 30 e9 e7 84
+ 1d d9 e4 c0 34 22 67 e8 ca 0c af 57 1f b2 b7 cf f0 f9 34 b0 00
+ 2d 00 02 01 01 00 1c 00 02 40 01 00 15 00 af 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+
+
+Thomson Informational [Page 32]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00
+
+ {server} extract secret "early":
+
+ salt: 0 (all zero octets)
+
+ IKM (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+ secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
+ e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a
+
+ {server} create an ephemeral P-256 key pair:
+
+ private key (32 octets): 8c 51 06 01 f9 76 5b fb 8e d6 93 44 9a
+ 48 98 98 59 b5 cf a8 79 cb 9f 54 43 c4 1c 5f f1 06 34 ed
+
+ public key (65 octets): 04 58 3e 05 4b 7a 66 67 2a e0 20 ad 9d 26
+ 86 fc c8 5b 5a d4 1a 13 4a 0f 03 ee 72 b8 93 05 2b d8 5b 4c 8d
+ e6 77 6f 5b 04 ac 07 d8 35 40 ea b3 e3 d9 c5 47 bc 65 28 c4 31
+ 7d 29 46 86 09 3a 6c ad 7d
+
+ {server} construct a ServerHello handshake message:
+
+ ServerHello (123 octets): 02 00 00 77 03 03 bb 34 1d 84 7f d7 89
+ c4 7c 38 71 72 dc 0c 9b f1 47 fc ca cb 50 43 d8 6c a4 c5 98 d3
+ ff 57 1b 98 00 13 01 00 00 4f 00 33 00 45 00 17 00 41 04 58 3e
+ 05 4b 7a 66 67 2a e0 20 ad 9d 26 86 fc c8 5b 5a d4 1a 13 4a 0f
+ 03 ee 72 b8 93 05 2b d8 5b 4c 8d e6 77 6f 5b 04 ac 07 d8 35 40
+ ea b3 e3 d9 c5 47 bc 65 28 c4 31 7d 29 46 86 09 3a 6c ad 7d 00
+ 2b 00 02 03 04
+
+ {server} derive secret for handshake "tls13 derived":
+
+ PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
+ 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a
+
+ hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
+ 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
+ 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
+ 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+
+
+Thomson Informational [Page 33]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ expanded (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba
+ b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba
+
+ {server} extract secret "handshake":
+
+ salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
+ 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba
+
+ IKM (32 octets): c1 42 ce 13 ca 11 b5 c2 23 36 52 e6 3a d3 d9 78
+ 44 f1 62 1f bf b9 de 69 d5 47 dc 8f ed ea be b4
+
+ secret (32 octets): ce 02 2e 5e 6e 81 e5 07 36 d7 73 f2 d3 ad fc
+ e8 22 0d 04 9b f5 10 f0 db fa c9 27 ef 42 43 b1 48
+
+ {server} derive secret "tls13 c hs traffic":
+
+ PRK (32 octets): ce 02 2e 5e 6e 81 e5 07 36 d7 73 f2 d3 ad fc e8
+ 22 0d 04 9b f5 10 f0 db fa c9 27 ef 42 43 b1 48
+
+ hash (32 octets): 8a a8 e8 28 ec 2f 8a 88 4f ec 95 a3 13 9d e0 1c
+ 15 a3 da a7 ff 5b fc 3f 4b fc c2 1b 43 8d 7b f8
+
+ info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72
+ 61 66 66 69 63 20 8a a8 e8 28 ec 2f 8a 88 4f ec 95 a3 13 9d e0
+ 1c 15 a3 da a7 ff 5b fc 3f 4b fc c2 1b 43 8d 7b f8
+
+ expanded (32 octets): 15 8a a7 ab 88 55 07 35 82 b4 1d 67 4b 40
+ 55 ca bc c5 34 72 8f 65 93 14 86 1b 4e 08 e2 01 15 66
+
+ {server} derive secret "tls13 s hs traffic":
+
+ PRK (32 octets): ce 02 2e 5e 6e 81 e5 07 36 d7 73 f2 d3 ad fc e8
+ 22 0d 04 9b f5 10 f0 db fa c9 27 ef 42 43 b1 48
+
+ hash (32 octets): 8a a8 e8 28 ec 2f 8a 88 4f ec 95 a3 13 9d e0 1c
+ 15 a3 da a7 ff 5b fc 3f 4b fc c2 1b 43 8d 7b f8
+
+ info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
+ 61 66 66 69 63 20 8a a8 e8 28 ec 2f 8a 88 4f ec 95 a3 13 9d e0
+ 1c 15 a3 da a7 ff 5b fc 3f 4b fc c2 1b 43 8d 7b f8
+
+ expanded (32 octets): 34 03 e7 81 e2 af 7b 65 08 da 28 57 4f 6e
+ 95 a1 ab f1 62 de 83 a9 79 27 c3 76 72 a4 a0 ce f8 a1
+
+ {server} derive secret for master "tls13 derived":
+
+ PRK (32 octets): ce 02 2e 5e 6e 81 e5 07 36 d7 73 f2 d3 ad fc e8
+ 22 0d 04 9b f5 10 f0 db fa c9 27 ef 42 43 b1 48
+
+
+
+Thomson Informational [Page 34]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
+ 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
+ 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
+ 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ expanded (32 octets): ad 1c bc d3 a0 dc 70 53 ee b3 ed 3a 47 90
+ 1d 16 a9 fc 63 a7 3c 64 be b5 67 48 1a 7d fb 3a 2c b3
+
+ {server} extract secret "master":
+
+ salt (32 octets): ad 1c bc d3 a0 dc 70 53 ee b3 ed 3a 47 90 1d 16
+ a9 fc 63 a7 3c 64 be b5 67 48 1a 7d fb 3a 2c b3
+
+ IKM (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+ secret (32 octets): 11 31 54 5d 0b af 79 dd ce 9b 87 f0 69 45 78
+ 1a 57 dd 18 ef 37 8d cd 20 60 f8 f9 a5 69 02 7e d8
+
+ {server} send handshake record:
+
+ payload (123 octets): 02 00 00 77 03 03 bb 34 1d 84 7f d7 89 c4
+ 7c 38 71 72 dc 0c 9b f1 47 fc ca cb 50 43 d8 6c a4 c5 98 d3 ff
+ 57 1b 98 00 13 01 00 00 4f 00 33 00 45 00 17 00 41 04 58 3e 05
+ 4b 7a 66 67 2a e0 20 ad 9d 26 86 fc c8 5b 5a d4 1a 13 4a 0f 03
+ ee 72 b8 93 05 2b d8 5b 4c 8d e6 77 6f 5b 04 ac 07 d8 35 40 ea
+ b3 e3 d9 c5 47 bc 65 28 c4 31 7d 29 46 86 09 3a 6c ad 7d 00 2b
+ 00 02 03 04
+
+ complete record (128 octets): 16 03 03 00 7b 02 00 00 77 03 03 bb
+ 34 1d 84 7f d7 89 c4 7c 38 71 72 dc 0c 9b f1 47 fc ca cb 50 43
+ d8 6c a4 c5 98 d3 ff 57 1b 98 00 13 01 00 00 4f 00 33 00 45 00
+ 17 00 41 04 58 3e 05 4b 7a 66 67 2a e0 20 ad 9d 26 86 fc c8 5b
+ 5a d4 1a 13 4a 0f 03 ee 72 b8 93 05 2b d8 5b 4c 8d e6 77 6f 5b
+ 04 ac 07 d8 35 40 ea b3 e3 d9 c5 47 bc 65 28 c4 31 7d 29 46 86
+ 09 3a 6c ad 7d 00 2b 00 02 03 04
+
+ {server} derive write traffic keys for handshake data:
+
+ PRK (32 octets): 34 03 e7 81 e2 af 7b 65 08 da 28 57 4f 6e 95 a1
+ ab f1 62 de 83 a9 79 27 c3 76 72 a4 a0 ce f8 a1
+
+ key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
+
+ key expanded (16 octets): 46 46 bf ac 17 12 c4 26 cd 78 d8 a2 4a
+ 8a 6f 6b
+
+
+
+Thomson Informational [Page 35]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
+
+ iv expanded (12 octets): c7 d3 95 c0 8d 62 f2 97 d1 37 68 ea
+
+ {server} construct an EncryptedExtensions handshake message:
+
+ EncryptedExtensions (28 octets): 08 00 00 18 00 16 00 0a 00 08 00
+ 06 00 17 00 18 00 1d 00 1c 00 02 40 01 00 00 00 00
+
+ {server} construct a Certificate handshake message:
+
+ Certificate (445 octets): 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82
+ 01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48
+ 86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03
+ 72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17
+ 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06
+ 03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7
+ 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f
+ 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26
+ d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c
+ 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52
+ 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74
+ 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93
+ ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03
+ 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06
+ 03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01
+ 01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a
+ 72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea
+ e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01
+ 51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be
+ c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b
+ 1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8
+ 96 12 29 ac 91 87 b4 2b 4d e1 00 00
+
+ {server} construct a CertificateVerify handshake message:
+
+ CertificateVerify (136 octets): 0f 00 00 84 08 04 00 80 33 ab 13
+ d4 46 27 07 23 1b 5d ca e6 c8 19 0b 63 d1 da bc 74 f2 8c 39 53
+ 70 da 0b 07 e5 b8 30 66 d0 24 6a 31 ac d9 5d f4 75 bf d7 99 a4
+ a7 0d 33 ad 93 d3 a3 17 a9 b2 c0 d2 37 a5 68 5b 21 9e 77 41 12
+ e3 91 a2 47 60 7d 1a ef f1 bb d0 a3 9f 38 2e e1 a5 fe 88 ae 99
+ ec 59 22 8e 64 97 e4 5d 48 ce 27 5a 6d 5e f4 0d 16 9f b6 f9 d3
+ 3b 05 2e d3 dc dd 6b 5a 48 ba af ff bc b2 90 12 84 15 bd 38
+
+ {server} calculate finished "tls13 finished":
+
+ PRK (32 octets): 34 03 e7 81 e2 af 7b 65 08 da 28 57 4f 6e 95 a1
+ ab f1 62 de 83 a9 79 27 c3 76 72 a4 a0 ce f8 a1
+
+
+
+Thomson Informational [Page 36]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ hash (0 octets): (empty)
+
+ info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
+ 64 00
+
+ expanded (32 octets): e7 f8 bb 3e a4 b6 c3 0c 47 10 b3 d0 9c 33
+ 13 65 81 17 e7 0b 09 7e 85 03 68 e2 51 0c a5 63 1f 74
+
+ finished (32 octets): 88 63 e6 bf b0 42 0a 92 7f a2 7f 34 33 6a
+ 70 ae 42 6e 96 8e 3e b8 84 94 5b 96 85 6d ba 39 76 d1
+
+ {server} construct a Finished handshake message:
+
+ Finished (36 octets): 14 00 00 20 88 63 e6 bf b0 42 0a 92 7f a2
+ 7f 34 33 6a 70 ae 42 6e 96 8e 3e b8 84 94 5b 96 85 6d ba 39 76
+ d1
+
+ {server} send handshake record:
+
+ payload (645 octets): 08 00 00 18 00 16 00 0a 00 08 00 06 00 17
+ 00 18 00 1d 00 1c 00 02 40 01 00 00 00 00 0b 00 01 b9 00 00 01
+ b5 00 01 b0 30 82 01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30
+ 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06
+ 03 55 04 03 13 03 72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31
+ 32 33 35 39 5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30
+ 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06
+ 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81
+ 81 00 b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68
+ de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc
+ 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87
+ a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a
+ 5f da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6
+ d1 d0 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7
+ 9f 7f 1e 3f 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04
+ 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a
+ 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27
+ 6b 90 8c 65 f7 3a 72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5
+ 94 36 54 17 f2 ea e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5
+ 5b 80 f2 1a 03 01 51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70
+ 2e 60 8c ca e6 be c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9
+ b9 eb 2b d5 20 3b 1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d
+ 40 2d cc 0c c8 f8 96 12 29 ac 91 87 b4 2b 4d e1 00 00 0f 00 00
+ 84 08 04 00 80 33 ab 13 d4 46 27 07 23 1b 5d ca e6 c8 19 0b 63
+ d1 da bc 74 f2 8c 39 53 70 da 0b 07 e5 b8 30 66 d0 24 6a 31 ac
+ d9 5d f4 75 bf d7 99 a4 a7 0d 33 ad 93 d3 a3 17 a9 b2 c0 d2 37
+ a5 68 5b 21 9e 77 41 12 e3 91 a2 47 60 7d 1a ef f1 bb d0 a3 9f
+ 38 2e e1 a5 fe 88 ae 99 ec 59 22 8e 64 97 e4 5d 48 ce 27 5a 6d
+ 5e f4 0d 16 9f b6 f9 d3 3b 05 2e d3 dc dd 6b 5a 48 ba af ff bc
+
+
+
+Thomson Informational [Page 37]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ b2 90 12 84 15 bd 38 14 00 00 20 88 63 e6 bf b0 42 0a 92 7f a2
+ 7f 34 33 6a 70 ae 42 6e 96 8e 3e b8 84 94 5b 96 85 6d ba 39 76
+ d1
+
+ complete record (667 octets): 17 03 03 02 96 99 be e2 0b af 5b 7f
+ c7 27 bf ab 62 23 92 8a 38 1e 6d 0c f9 c4 da 65 3f 9d 2a 7b 23
+ f7 de 11 cc e8 42 d5 cf 75 63 17 63 45 0f fb 8b 0c c1 d2 38 e6
+ 58 af 7a 12 ad c8 62 43 11 4a b1 4a 1d a2 fa e4 26 21 ce 48 3f
+ b6 24 2e ab fa ad 52 56 6b 02 b3 1d 2e dd ed ef eb 80 e6 6a 99
+ 00 d5 f9 73 b4 0c 4f df 74 71 9e cf 1b 68 d7 f9 c3 b6 ce b9 03
+ ca 13 dd 1b b8 f8 18 7a e3 34 17 e1 d1 52 52 2c 58 22 a1 a0 3a
+ d5 2c 83 8c 55 95 3d 61 02 22 87 4c ce 8e 17 90 b2 29 a2 aa 0b
+ 53 c8 d3 77 ee 72 01 82 95 1d c6 18 1d c5 d9 0b d1 f0 10 5e d1
+ e8 4a a5 f7 59 57 c6 66 18 97 07 9e 5e a5 00 74 49 e3 19 7b dc
+ 7c 9b ee ed dd ea fd d8 44 af a5 c3 15 ec fe 65 e5 76 af e9 09
+ 81 28 80 62 0e c7 04 8b 42 d7 f5 c7 8d 76 f2 99 d6 d8 25 34 bd
+ d8 f5 12 fe bc 0e d3 81 4a ca 47 0c d8 00 0d 3e 1c b9 96 2b 05
+ 2f bb 95 0d f6 83 a5 2c 2b a7 7e d3 71 3b 12 29 37 a6 e5 17 09
+ 64 e2 ab 79 69 dc d9 80 b3 db 9b 45 8d a7 60 31 24 d6 dc 00 5e
+ 4d 6e 04 b4 d0 c4 ba f3 27 5d b8 27 db ba 0a 6d b0 96 72 17 1f
+ c0 57 b3 85 1d 7e 02 68 41 e2 97 8f bd 23 46 bb ef dd 03 76 bb
+ 11 08 fe 9a cc 92 18 9f 56 50 aa 5e 85 d8 e8 c7 b6 7a c5 10 db
+ a0 03 d3 d7 e1 63 50 bb 66 d4 50 13 ef d4 4c 9b 60 7c 0d 31 8c
+ 4c 7d 1a 1f 5c bc 57 e2 06 11 80 4e 37 87 d7 b4 a4 b5 f0 8e d8
+ fd 70 bd ae ad e0 22 60 b1 2a b8 42 ef 69 0b 4a 3e e7 91 1e 84
+ 1b 37 4e cd 5e bb bc 2a 54 d0 47 b6 00 33 6d d7 d0 c8 8b 4b c1
+ 0e 58 ee 6c b6 56 de 72 47 fa 20 d8 e9 1d eb 84 62 86 08 cf 80
+ 61 5b 62 e9 6c 14 91 c7 ac 37 55 eb 69 01 40 5d 34 74 fe 1a c7
+ 9d 10 6a 0c ee 56 c2 57 7f c8 84 80 f9 6c b6 b8 c6 81 b7 b6 8b
+ 53 c1 46 09 39 08 f3 50 88 81 75 bd fb 0b 1e 31 ad 61 e3 0b a0
+ ad fe 6d 22 3a a0 3c 07 83 b5 00 1a 57 58 7c 32 8a 9a fc fc fb
+ 97 8d 1c d4 32 8f 7d 9d 60 53 0e 63 0b ef d9 6c 0c 81 6e e2 0b
+ 01 00 76 8a e2 a6 df 51 fc 68 f1 72 74 0a 79 af 11 39 8e e3 be
+ 12 52 49 1f a9 c6 93 47 9e 87 7f 94 ab 7c 5f 8c ad 48 02 03 e6
+ ab 7b 87 dd 71 e8 a0 72 91 13 df 17 f5 ee e8 6c e1 08 d1 d7 20
+ 07 ec 1c d1 3c 85 a6 c1 49 62 1e 77 b7 d7 8d 80 5a 30 f0 be 03
+ 0c 31 5e 54
+
+ {server} derive secret "tls13 c ap traffic":
+
+ PRK (32 octets): 11 31 54 5d 0b af 79 dd ce 9b 87 f0 69 45 78 1a
+ 57 dd 18 ef 37 8d cd 20 60 f8 f9 a5 69 02 7e d8
+
+ hash (32 octets): 50 f6 3c bf 36 b0 dd 04 9e 7a 0b a2 7d 64 55 74
+ 5e a2 aa ac 54 bb 16 7f 99 50 b2 b7 ce 95 09 da
+
+
+
+
+
+
+Thomson Informational [Page 38]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72
+ 61 66 66 69 63 20 50 f6 3c bf 36 b0 dd 04 9e 7a 0b a2 7d 64 55
+ 74 5e a2 aa ac 54 bb 16 7f 99 50 b2 b7 ce 95 09 da
+
+ expanded (32 octets): 75 ec f4 b9 72 52 5a a0 dc d0 57 c9 94 4d
+ 4c d5 d8 26 71 d8 84 31 41 d7 dc 2a 4f f1 5a 21 dc 51
+
+ {server} derive secret "tls13 s ap traffic":
+
+ PRK (32 octets): 11 31 54 5d 0b af 79 dd ce 9b 87 f0 69 45 78 1a
+ 57 dd 18 ef 37 8d cd 20 60 f8 f9 a5 69 02 7e d8
+
+ hash (32 octets): 50 f6 3c bf 36 b0 dd 04 9e 7a 0b a2 7d 64 55 74
+ 5e a2 aa ac 54 bb 16 7f 99 50 b2 b7 ce 95 09 da
+
+ info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72
+ 61 66 66 69 63 20 50 f6 3c bf 36 b0 dd 04 9e 7a 0b a2 7d 64 55
+ 74 5e a2 aa ac 54 bb 16 7f 99 50 b2 b7 ce 95 09 da
+
+ expanded (32 octets): 5c 74 f8 7d f0 42 25 db 0f 82 09 c9 de 64
+ 29 e4 94 35 fd ef a7 ca d6 18 64 87 4d 12 f3 1c fc 8d
+
+ {server} derive secret "tls13 exp master":
+
+ PRK (32 octets): 11 31 54 5d 0b af 79 dd ce 9b 87 f0 69 45 78 1a
+ 57 dd 18 ef 37 8d cd 20 60 f8 f9 a5 69 02 7e d8
+
+ hash (32 octets): 50 f6 3c bf 36 b0 dd 04 9e 7a 0b a2 7d 64 55 74
+ 5e a2 aa ac 54 bb 16 7f 99 50 b2 b7 ce 95 09 da
+
+ info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73
+ 74 65 72 20 50 f6 3c bf 36 b0 dd 04 9e 7a 0b a2 7d 64 55 74 5e
+ a2 aa ac 54 bb 16 7f 99 50 b2 b7 ce 95 09 da
+
+ expanded (32 octets): 7c 06 d3 ae 10 6a 3a 37 4a ce 48 37 b3 98
+ 5c ac 67 78 0a 6e 2c 5c 04 b5 83 19 d5 84 df 09 d2 23
+
+ {server} derive write traffic keys for application data:
+
+ PRK (32 octets): 5c 74 f8 7d f0 42 25 db 0f 82 09 c9 de 64 29 e4
+ 94 35 fd ef a7 ca d6 18 64 87 4d 12 f3 1c fc 8d
+
+ key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
+
+ key expanded (16 octets): f2 7a 5d 97 bd 25 55 0c 48 23 b0 f3 e5
+ d2 93 88
+
+ iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
+
+
+
+Thomson Informational [Page 39]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ iv expanded (12 octets): 0d d6 31 f7 b7 1c bb c7 97 c3 5f e7
+
+ {server} derive read traffic keys for handshake data:
+
+ PRK (32 octets): 15 8a a7 ab 88 55 07 35 82 b4 1d 67 4b 40 55 ca
+ bc c5 34 72 8f 65 93 14 86 1b 4e 08 e2 01 15 66
+
+ key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
+
+ key expanded (16 octets): 2f 1f 91 86 63 d5 90 e7 42 11 49 a2 9d
+ 94 b0 b6
+
+ iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
+
+ iv expanded (12 octets): 41 4d 54 85 23 5e 1a 68 87 93 bd 74
+
+ {client} extract secret "early" (same as server early secret)
+
+ {client} derive secret for handshake "tls13 derived":
+
+ PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
+ 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a
+
+ hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
+ 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
+ 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
+ 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ expanded (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba
+ b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba
+
+ {client} extract secret "handshake" (same as server handshake
+ secret)
+
+ {client} derive secret "tls13 c hs traffic" (same as server)
+
+ {client} derive secret "tls13 s hs traffic" (same as server)
+
+ {client} derive secret for master "tls13 derived" (same as server)
+
+ {client} extract secret "master" (same as server master secret)
+
+ {client} derive read traffic keys for handshake data (same as server
+ handshake data write traffic keys)
+
+ {client} calculate finished "tls13 finished" (same as server)
+
+
+
+Thomson Informational [Page 40]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ {client} derive secret "tls13 c ap traffic" (same as server)
+
+ {client} derive secret "tls13 s ap traffic" (same as server)
+
+ {client} derive secret "tls13 exp master" (same as server)
+
+ {client} derive write traffic keys for handshake data (same as
+ server handshake data read traffic keys)
+
+ {client} derive read traffic keys for application data (same as
+ server application data write traffic keys)
+
+ {client} calculate finished "tls13 finished":
+
+ PRK (32 octets): 15 8a a7 ab 88 55 07 35 82 b4 1d 67 4b 40 55 ca
+ bc c5 34 72 8f 65 93 14 86 1b 4e 08 e2 01 15 66
+
+ hash (0 octets): (empty)
+
+ info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
+ 64 00
+
+ expanded (32 octets): 81 be 41 31 fb b9 b6 f4 47 14 50 84 6f 74
+ fd 1e 68 c5 22 4b a7 c2 a8 67 7f 5c 53 ad 22 6f dc 13
+
+ finished (32 octets): 23 f5 2f db 07 09 a5 5b d7 f7 9b 99 1f 25
+ 48 40 87 bc fd 4d 43 80 b1 23 26 a5 2a 28 b2 e3 68 e1
+
+ {client} construct a Finished handshake message:
+
+ Finished (36 octets): 14 00 00 20 23 f5 2f db 07 09 a5 5b d7 f7
+ 9b 99 1f 25 48 40 87 bc fd 4d 43 80 b1 23 26 a5 2a 28 b2 e3 68
+ e1
+
+ {client} send handshake record:
+
+ payload (36 octets): 14 00 00 20 23 f5 2f db 07 09 a5 5b d7 f7 9b
+ 99 1f 25 48 40 87 bc fd 4d 43 80 b1 23 26 a5 2a 28 b2 e3 68 e1
+
+ complete record (58 octets): 17 03 03 00 35 d7 4f 19 23 c6 62 fd
+ 34 13 7c 6f 50 2f 3d d2 b9 3d 95 1d 1b 3b c9 7e 42 af e2 3c 31
+ ab ea 92 fe 91 b4 74 99 9e 85 e3 b7 91 ce 25 2f e8 c3 e9 f9 39
+ a4 12 0c b2
+
+ {client} derive write traffic keys for application data:
+
+ PRK (32 octets): 75 ec f4 b9 72 52 5a a0 dc d0 57 c9 94 4d 4c d5
+ d8 26 71 d8 84 31 41 d7 dc 2a 4f f1 5a 21 dc 51
+
+
+
+Thomson Informational [Page 41]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
+
+ key expanded (16 octets): a7 eb 2a 05 25 eb 43 31 d5 8f cb f9 f7
+ ca 2e 9c
+
+ iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
+
+ iv expanded (12 octets): 86 e8 be 22 7c 1b d2 b3 e3 9c b4 44
+
+ {client} derive secret "tls13 res master":
+
+ PRK (32 octets): 11 31 54 5d 0b af 79 dd ce 9b 87 f0 69 45 78 1a
+ 57 dd 18 ef 37 8d cd 20 60 f8 f9 a5 69 02 7e d8
+
+ hash (32 octets): 0e 8b 34 91 58 b8 55 fd cd 0c 11 db bc 4e 83 e4
+ 3c aa 6e 48 3c 6c 65 df 53 15 18 88 e5 01 65 f4
+
+ info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73
+ 74 65 72 20 0e 8b 34 91 58 b8 55 fd cd 0c 11 db bc 4e 83 e4 3c
+ aa 6e 48 3c 6c 65 df 53 15 18 88 e5 01 65 f4
+
+ expanded (32 octets): 09 17 0c 6d 47 27 21 56 6f 9c f9 9b 08 69
+ 9d af f5 61 ec 8f b2 2d 5a 32 c3 f9 4c e0 09 b6 99 75
+
+ {server} calculate finished "tls13 finished" (same as client)
+
+ {server} derive read traffic keys for application data (same as
+ client application data write traffic keys)
+
+ {server} derive secret "tls13 res master" (same as client)
+
+ {client} send alert record:
+
+ payload (2 octets): 01 00
+
+ complete record (24 octets): 17 03 03 00 13 2e a6 cd f7 49 19 60
+ 23 e2 b3 a4 94 91 69 55 36 42 60 47
+
+ {server} send alert record:
+
+ payload (2 octets): 01 00
+
+ complete record (24 octets): 17 03 03 00 13 51 9f c5 07 5c b0 88
+ 43 49 75 9f f9 ef 6f 01 1b b4 c6 f2
+
+
+
+
+
+
+
+Thomson Informational [Page 42]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+6. Client Authentication
+
+ In this example, the server requests client authentication. The
+ client uses a certificate with an RSA key, the server uses an
+ Elliptic Curve Digital Signature Algorithm (ECDSA) certificate with a
+ P-256 key. Note that private keys for the certificates used in this
+ example are not shown.
+
+ {client} create an ephemeral x25519 key pair:
+
+ private key (32 octets): c0 40 b2 bb 8f 3a dd d2 0f d4 05 8c 54
+ 70 03 a3 c6 f9 c1 cd 91 5d 5e 53 5c 87 d8 d1 91 aa f0 71
+
+ public key (32 octets): 08 9c c2 67 1f 73 8d 9a 67 1e 5b 2e 46 49
+ 81 d0 5b 76 e3 61 aa 22 ae a9 1f 1d 49 ca 10 a7 a3 62
+
+ {client} construct a ClientHello handshake message:
+
+ ClientHello (192 octets): 01 00 00 bc 03 03 6a 47 22 36 32 8b 83
+ af 40 38 6d 3a 3e 1f 1c e6 24 fa 4e d8 9a b8 65 a4 ff 0f 41 44
+ ce 3a e2 33 00 00 06 13 01 13 03 13 02 01 00 00 8d 00 00 00 0b
+ 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00
+ 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33
+ 00 26 00 24 00 1d 00 20 08 9c c2 67 1f 73 8d 9a 67 1e 5b 2e 46
+ 49 81 d0 5b 76 e3 61 aa 22 ae a9 1f 1d 49 ca 10 a7 a3 62 00 2b
+ 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04
+ 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00
+ 2d 00 02 01 01 00 1c 00 02 40 01
+
+ {client} send handshake record:
+
+ payload (192 octets): 01 00 00 bc 03 03 6a 47 22 36 32 8b 83 af
+ 40 38 6d 3a 3e 1f 1c e6 24 fa 4e d8 9a b8 65 a4 ff 0f 41 44 ce
+ 3a e2 33 00 00 06 13 01 13 03 13 02 01 00 00 8d 00 00 00 0b 00
+ 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12
+ 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00
+ 26 00 24 00 1d 00 20 08 9c c2 67 1f 73 8d 9a 67 1e 5b 2e 46 49
+ 81 d0 5b 76 e3 61 aa 22 ae a9 1f 1d 49 ca 10 a7 a3 62 00 2b 00
+ 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08
+ 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d
+ 00 02 01 01 00 1c 00 02 40 01
+
+ complete record (197 octets): 16 03 01 00 c0 01 00 00 bc 03 03 6a
+ 47 22 36 32 8b 83 af 40 38 6d 3a 3e 1f 1c e6 24 fa 4e d8 9a b8
+ 65 a4 ff 0f 41 44 ce 3a e2 33 00 00 06 13 01 13 03 13 02 01 00
+ 00 8d 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01
+ 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02
+ 01 03 01 04 00 33 00 26 00 24 00 1d 00 20 08 9c c2 67 1f 73 8d
+
+
+
+Thomson Informational [Page 43]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ 9a 67 1e 5b 2e 46 49 81 d0 5b 76 e3 61 aa 22 ae a9 1f 1d 49 ca
+ 10 a7 a3 62 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03
+ 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05
+ 02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01
+
+ {server} extract secret "early":
+
+ salt: 0 (all zero octets)
+
+ IKM (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+ secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
+ e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a
+
+ {server} create an ephemeral x25519 key pair:
+
+ private key (32 octets): 73 82 a5 ad 1c dd 20 56 ae 18 cc 70 8b
+ d0 07 d9 81 30 db e2 cd 4d 9e ad 9b 96 95 2b ec bb 08 88
+
+ public key (32 octets): 6c 2e 50 e8 65 91 9a 6b 5a 12 df af 91 8f
+ 92 b4 42 56 7b 0f 89 bc 54 47 8c 69 21 36 66 58 f0 62
+
+ {server} construct a ServerHello handshake message:
+
+ ServerHello (90 octets): 02 00 00 56 03 03 3b 50 fd f1 c3 d5 72
+ e4 0e 68 95 3e 7f ff 4e 27 58 45 9c 59 af a0 58 2c 0e a0 32 87
+ 42 55 fe 6e 00 13 01 00 00 2e 00 33 00 24 00 1d 00 20 6c 2e 50
+ e8 65 91 9a 6b 5a 12 df af 91 8f 92 b4 42 56 7b 0f 89 bc 54 47
+ 8c 69 21 36 66 58 f0 62 00 2b 00 02 03 04
+
+ {server} derive secret for handshake "tls13 derived":
+
+ PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
+ 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a
+
+ hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
+ 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
+ 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
+ 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ expanded (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba
+ b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba
+
+
+
+
+
+
+Thomson Informational [Page 44]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ {server} extract secret "handshake":
+
+ salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
+ 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba
+
+ IKM (32 octets): 7d c1 14 f6 47 5d fa 79 77 be 73 6e f7 cb eb c4
+ 8c 70 32 9e 8e 9a 74 b4 d7 03 3c 43 f9 59 7d 4f
+
+ secret (32 octets): d9 95 24 36 74 fb 64 00 d7 d3 7b c0 e9 86 1b
+ db d9 ed 09 56 01 dc f2 99 48 74 f2 80 3d e2 2e 39
+
+ {server} derive secret "tls13 c hs traffic":
+
+ PRK (32 octets): d9 95 24 36 74 fb 64 00 d7 d3 7b c0 e9 86 1b db
+ d9 ed 09 56 01 dc f2 99 48 74 f2 80 3d e2 2e 39
+
+ hash (32 octets): 88 eb c0 42 bd 0d 5a 64 3b 22 fc a7 a4 7d ef d4
+ 00 7d fe 18 49 49 a6 26 1c 59 6c 4e 00 2a 74 a2
+
+ info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72
+ 61 66 66 69 63 20 88 eb c0 42 bd 0d 5a 64 3b 22 fc a7 a4 7d ef
+ d4 00 7d fe 18 49 49 a6 26 1c 59 6c 4e 00 2a 74 a2
+
+ expanded (32 octets): ce c7 a3 0c 68 72 07 0f 22 a7 ee b0 65 76
+ 8d b6 7c 45 e2 95 33 db 87 99 08 ce 6d c6 6f 59 11 de
+
+ {server} derive secret "tls13 s hs traffic":
+
+ PRK (32 octets): d9 95 24 36 74 fb 64 00 d7 d3 7b c0 e9 86 1b db
+ d9 ed 09 56 01 dc f2 99 48 74 f2 80 3d e2 2e 39
+
+ hash (32 octets): 88 eb c0 42 bd 0d 5a 64 3b 22 fc a7 a4 7d ef d4
+ 00 7d fe 18 49 49 a6 26 1c 59 6c 4e 00 2a 74 a2
+
+ info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
+ 61 66 66 69 63 20 88 eb c0 42 bd 0d 5a 64 3b 22 fc a7 a4 7d ef
+ d4 00 7d fe 18 49 49 a6 26 1c 59 6c 4e 00 2a 74 a2
+
+ expanded (32 octets): 8b 02 d3 c0 04 42 a2 72 2c 40 98 eb e8 67
+ 5b 23 e8 01 51 0f 0d 7e d7 78 d8 eb 0b 8f 42 a1 9a 5e
+
+ {server} derive secret for master "tls13 derived":
+
+ PRK (32 octets): d9 95 24 36 74 fb 64 00 d7 d3 7b c0 e9 86 1b db
+ d9 ed 09 56 01 dc f2 99 48 74 f2 80 3d e2 2e 39
+
+ hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
+ 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+
+
+Thomson Informational [Page 45]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
+ 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
+ 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ expanded (32 octets): 74 57 55 26 b0 7c 81 a9 c1 b1 7e 6b 34 e0
+ e6 d0 84 74 7a 61 f3 96 f5 97 eb b9 2c 07 36 ec 60 e8
+
+ {server} extract secret "master":
+
+ salt (32 octets): 74 57 55 26 b0 7c 81 a9 c1 b1 7e 6b 34 e0 e6 d0
+ 84 74 7a 61 f3 96 f5 97 eb b9 2c 07 36 ec 60 e8
+
+ IKM (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+ secret (32 octets): 57 c1 5d 7b 9d 44 1b 3d 40 a9 c6 ea 8a 3d 73
+ 0e 07 b3 a1 ea 7a 33 39 ed 70 70 b9 a7 4a 3f 4f 28
+
+ {server} send handshake record:
+
+ payload (90 octets): 02 00 00 56 03 03 3b 50 fd f1 c3 d5 72 e4 0e
+ 68 95 3e 7f ff 4e 27 58 45 9c 59 af a0 58 2c 0e a0 32 87 42 55
+ fe 6e 00 13 01 00 00 2e 00 33 00 24 00 1d 00 20 6c 2e 50 e8 65
+ 91 9a 6b 5a 12 df af 91 8f 92 b4 42 56 7b 0f 89 bc 54 47 8c 69
+ 21 36 66 58 f0 62 00 2b 00 02 03 04
+
+ complete record (95 octets): 16 03 03 00 5a 02 00 00 56 03 03 3b
+ 50 fd f1 c3 d5 72 e4 0e 68 95 3e 7f ff 4e 27 58 45 9c 59 af a0
+ 58 2c 0e a0 32 87 42 55 fe 6e 00 13 01 00 00 2e 00 33 00 24 00
+ 1d 00 20 6c 2e 50 e8 65 91 9a 6b 5a 12 df af 91 8f 92 b4 42 56
+ 7b 0f 89 bc 54 47 8c 69 21 36 66 58 f0 62 00 2b 00 02 03 04
+
+ {server} derive write traffic keys for handshake data:
+
+ PRK (32 octets): 8b 02 d3 c0 04 42 a2 72 2c 40 98 eb e8 67 5b 23
+ e8 01 51 0f 0d 7e d7 78 d8 eb 0b 8f 42 a1 9a 5e
+
+ key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
+
+ key expanded (16 octets): 6c b6 e6 06 19 d8 c7 35 5c 5d 4c 4b c2
+ be 90 d5
+
+ iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
+
+ iv expanded (12 octets): 64 f2 39 53 0c 3b 88 8f de 85 e0 be
+
+
+
+
+
+
+Thomson Informational [Page 46]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ {server} construct an EncryptedExtensions handshake message:
+
+ EncryptedExtensions (40 octets): 08 00 00 24 00 22 00 0a 00 14 00
+ 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c
+ 00 02 40 01 00 00 00 00
+
+ {server} construct a CertificateRequest handshake message:
+
+ CertificateRequest (43 octets): 0d 00 00 27 00 00 24 00 0d 00 20
+ 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06
+ 01 02 01 04 02 05 02 06 02 02 02
+
+ {server} construct a Certificate handshake message:
+
+ Certificate (319 octets): 0b 00 01 3b 00 00 01 37 00 01 32 30 82
+ 01 2e 30 81 d5 a0 03 02 01 02 02 01 07 30 0a 06 08 2a 86 48 ce
+ 3d 04 03 02 30 13 31 11 30 0f 06 03 55 04 03 13 08 65 63 64 73
+ 61 32 35 36 30 1e 17 0d 31 36 30 37 33 30 30 31 32 34 30 30 5a
+ 17 0d 32 36 30 37 33 30 30 31 32 34 30 30 5a 30 13 31 11 30 0f
+ 06 03 55 04 03 13 08 65 63 64 73 61 32 35 36 30 59 30 13 06 07
+ 2a 86 48 ce 3d 02 01 06 08 2a 86 48 ce 3d 03 01 07 03 42 00 04
+ 08 d5 30 16 15 75 f4 cf e7 f1 54 ee 34 48 18 00 86 00 1e 88 43
+ 1a 79 ee 62 ee 6e 2f 83 ef 38 ba 61 e9 fb 37 f3 4e 00 7a 7d f4
+ d2 f5 b5 6d 1f 04 ec e4 5d 62 1f 46 84 06 f5 c3 a1 51 58 94 8d
+ d0 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55
+ 1d 0f 04 04 03 02 07 80 30 0a 06 08 2a 86 48 ce 3d 04 03 02 03
+ 48 00 30 45 02 21 00 df 30 fd 45 07 f5 ed d2 2c 1a 6f f8 6d b4
+ 79 ca 69 3f ee ca 3b 71 b3 f9 ef 55 6b 29 37 c0 59 4d 02 20 62
+ e2 a4 72 50 d3 20 fe a8 3c 7e 2d cb 5b 76 a5 0e 02 00 c0 9a db
+ d1 3f ee 94 6e 51 3e 01 1d 11 00 00
+
+ {server} construct a CertificateVerify handshake message:
+
+ CertificateVerify (79 octets): 0f 00 00 4b 04 03 00 47 30 45 02
+ 21 00 d7 a4 d3 4b d5 4f 55 fe e1 a8 96 25 67 8c 3d d5 e5 f6 0d
+ ac 73 ec 94 0c 5c 7b 93 04 a0 20 84 a9 02 20 28 9f 59 5e d4 88
+ b9 ac 68 9a 3d 19 2b 1a 8b b3 8f 34 af 78 74 c0 59 c9 80 6a 1f
+ 38 26 93 53 e8
+
+ {server} calculate finished "tls13 finished":
+
+ PRK (32 octets): 8b 02 d3 c0 04 42 a2 72 2c 40 98 eb e8 67 5b 23
+ e8 01 51 0f 0d 7e d7 78 d8 eb 0b 8f 42 a1 9a 5e
+
+ hash (0 octets): (empty)
+
+ info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
+ 64 00
+
+
+
+Thomson Informational [Page 47]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ expanded (32 octets): 4e 79 5c de 23 9d 5e 19 0e ae 44 1b 9e 71
+ 6e eb 13 85 49 05 8c db 76 fa 9a ee af 54 8a ef 56 3e
+
+ finished (32 octets): 93 b7 0c df 47 81 98 5b 96 34 5c aa c7 01
+ b4 e7 50 d3 04 2d f1 a6 89 d8 fa ca 81 22 51 11 3c 11
+
+ {server} construct a Finished handshake message:
+
+ Finished (36 octets): 14 00 00 20 93 b7 0c df 47 81 98 5b 96 34
+ 5c aa c7 01 b4 e7 50 d3 04 2d f1 a6 89 d8 fa ca 81 22 51 11 3c
+ 11
+
+ {server} send handshake record:
+
+ payload (517 octets): 08 00 00 24 00 22 00 0a 00 14 00 12 00 1d
+ 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 00 02 40
+ 01 00 00 00 00 0d 00 00 27 00 00 24 00 0d 00 20 00 1e 04 03 05
+ 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02
+ 05 02 06 02 02 02 0b 00 01 3b 00 00 01 37 00 01 32 30 82 01 2e
+ 30 81 d5 a0 03 02 01 02 02 01 07 30 0a 06 08 2a 86 48 ce 3d 04
+ 03 02 30 13 31 11 30 0f 06 03 55 04 03 13 08 65 63 64 73 61 32
+ 35 36 30 1e 17 0d 31 36 30 37 33 30 30 31 32 34 30 30 5a 17 0d
+ 32 36 30 37 33 30 30 31 32 34 30 30 5a 30 13 31 11 30 0f 06 03
+ 55 04 03 13 08 65 63 64 73 61 32 35 36 30 59 30 13 06 07 2a 86
+ 48 ce 3d 02 01 06 08 2a 86 48 ce 3d 03 01 07 03 42 00 04 08 d5
+ 30 16 15 75 f4 cf e7 f1 54 ee 34 48 18 00 86 00 1e 88 43 1a 79
+ ee 62 ee 6e 2f 83 ef 38 ba 61 e9 fb 37 f3 4e 00 7a 7d f4 d2 f5
+ b5 6d 1f 04 ec e4 5d 62 1f 46 84 06 f5 c3 a1 51 58 94 8d d0 a3
+ 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f
+ 04 04 03 02 07 80 30 0a 06 08 2a 86 48 ce 3d 04 03 02 03 48 00
+ 30 45 02 21 00 df 30 fd 45 07 f5 ed d2 2c 1a 6f f8 6d b4 79 ca
+ 69 3f ee ca 3b 71 b3 f9 ef 55 6b 29 37 c0 59 4d 02 20 62 e2 a4
+ 72 50 d3 20 fe a8 3c 7e 2d cb 5b 76 a5 0e 02 00 c0 9a db d1 3f
+ ee 94 6e 51 3e 01 1d 11 00 00 0f 00 00 4b 04 03 00 47 30 45 02
+ 21 00 d7 a4 d3 4b d5 4f 55 fe e1 a8 96 25 67 8c 3d d5 e5 f6 0d
+ ac 73 ec 94 0c 5c 7b 93 04 a0 20 84 a9 02 20 28 9f 59 5e d4 88
+ b9 ac 68 9a 3d 19 2b 1a 8b b3 8f 34 af 78 74 c0 59 c9 80 6a 1f
+ 38 26 93 53 e8 14 00 00 20 93 b7 0c df 47 81 98 5b 96 34 5c aa
+ c7 01 b4 e7 50 d3 04 2d f1 a6 89 d8 fa ca 81 22 51 11 3c 11
+
+ complete record (539 octets): 17 03 03 02 16 6d 0a 7a c0 79 b3 2a
+ 94 aa 68 c4 e2 89 3e 8b d0 d3 c1 85 f5 49 c2 36 fb bc e3 d6 47
+ f0 8f 3c 94 a2 bf 42 4d 87 08 88 36 05 ad 89 55 f9 77 18 b0 21
+ 3d ea d1 3d fb 23 eb b8 38 1d a5 82 75 66 12 bc b5 a5 d4 08 47
+ 71 9f be 9f 17 9b fa e6 56 f3 ec fd 59 a4 c0 d3 51 32 ce 41 8a
+ 7e 46 f6 b6 a6 06 22 f8 a6 c0 6b 28 d8 33 60 16 35 63 be 9c 37
+ f9 7e b9 02 32 69 24 a7 2b 3e d8 c8 38 12 77 d1 58 1c ab 9c 37
+ 15 ac 24 01 39 84 67 ad 7e bf ab 3d 0c 34 19 e7 50 10 4f 7d 62
+
+
+
+Thomson Informational [Page 48]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ c5 02 79 01 f2 e4 cd 4c a5 b8 07 1e b0 3d 3c 73 2d 83 21 50 66
+ df c4 d2 91 d4 c1 ff 3b 8d 7e 42 98 f6 77 d4 d5 1d ea 11 68 d8
+ f1 6c b2 7b a4 02 66 31 3a 1f ed f9 e2 3c c7 7f 76 54 50 f9 e9
+ 6f 05 d0 8f 3d a2 45 b1 4d 49 46 f0 7e c8 1e ed 6d 56 f2 6b d5
+ 74 f0 b7 f7 c7 04 70 37 c1 6f ce 3b 23 75 4e 66 2f ad 73 e2 b7
+ 21 3f 6a f2 96 76 9c 99 a1 d3 8e 62 32 e0 ec 8d c4 f8 4d 6a a6
+ f7 de 38 87 be 00 57 86 2f 90 18 e0 ab 39 67 05 aa 40 90 ab 5f
+ 2d ff 63 25 a5 57 e7 32 0d 4e ff d4 6b b4 f9 97 d1 63 20 7c ce
+ 66 65 29 4a a4 46 55 41 e3 fe 37 ee 73 50 65 9e a5 50 d6 dc b6
+ af 3c 51 88 52 c7 a1 4c 3c c1 5b c3 2b 32 73 bd f1 75 1d a1 84
+ 20 31 35 b1 17 d3 00 20 4f b1 2d 58 ca 9a c3 4b 68 ec a2 70 30
+ 83 2f 7a 4b 46 d2 a5 57 57 f6 3f e8 f6 e8 5a c4 74 69 e6 19 8d
+ a8 8a 64 58 6b f2 3c 69 59 0d e8 22 26 3b e7 5f d8 36 84 72 40
+ c4 8f 8c 14 5c d6 bd 69 89 62 e7 ed c2 34 eb e5 92 31 35 1e ef
+ 8d 76 52 cf 3b 08 ab 3a f6 e5 ec 74 c5 8a 8d a3 4b 39 f9 b0 d6
+ c4 27 9a 9a 1f 82 07 17 29 e7 05 9d d7 f7 b9 5b 94 33 c4 68 4c
+ e1 89 1a 6d 33 43 2d 52 ed db 0b 8c ee 91 81 d4 03 ec cc 12 99
+ 1f 1a d4 aa 62 c3 60 49 71 3a 7b b1 35 fd da 66 61 a0 5a 93 f8
+ c1 6f
+
+ {server} derive secret "tls13 c ap traffic":
+
+ PRK (32 octets): 57 c1 5d 7b 9d 44 1b 3d 40 a9 c6 ea 8a 3d 73 0e
+ 07 b3 a1 ea 7a 33 39 ed 70 70 b9 a7 4a 3f 4f 28
+
+ hash (32 octets): 51 77 a2 9a f5 a1 7f 9b 49 33 e4 31 85 1d 12 83
+ 45 36 6c 17 20 d3 8f 8f 04 65 ee ea e6 74 03 72
+
+ info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72
+ 61 66 66 69 63 20 51 77 a2 9a f5 a1 7f 9b 49 33 e4 31 85 1d 12
+ 83 45 36 6c 17 20 d3 8f 8f 04 65 ee ea e6 74 03 72
+
+ expanded (32 octets): 73 c2 e8 90 fa 8d 06 72 58 d6 d5 0f a9 2f
+ e4 56 b0 98 cf 00 d9 72 7e ed 91 e8 89 2e f4 e6 f8 60
+
+ {server} derive secret "tls13 s ap traffic":
+
+ PRK (32 octets): 57 c1 5d 7b 9d 44 1b 3d 40 a9 c6 ea 8a 3d 73 0e
+ 07 b3 a1 ea 7a 33 39 ed 70 70 b9 a7 4a 3f 4f 28
+
+ hash (32 octets): 51 77 a2 9a f5 a1 7f 9b 49 33 e4 31 85 1d 12 83
+ 45 36 6c 17 20 d3 8f 8f 04 65 ee ea e6 74 03 72
+
+ info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72
+ 61 66 66 69 63 20 51 77 a2 9a f5 a1 7f 9b 49 33 e4 31 85 1d 12
+ 83 45 36 6c 17 20 d3 8f 8f 04 65 ee ea e6 74 03 72
+
+
+
+
+
+Thomson Informational [Page 49]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ expanded (32 octets): c4 9a 91 fa f5 7f 8c 54 5d 50 48 a0 15 bf
+ 84 9f f6 39 42 e4 a7 ed cd 31 9f 8b 43 8a 97 c5 2e 21
+
+ {server} derive secret "tls13 exp master":
+
+ PRK (32 octets): 57 c1 5d 7b 9d 44 1b 3d 40 a9 c6 ea 8a 3d 73 0e
+ 07 b3 a1 ea 7a 33 39 ed 70 70 b9 a7 4a 3f 4f 28
+
+ hash (32 octets): 51 77 a2 9a f5 a1 7f 9b 49 33 e4 31 85 1d 12 83
+ 45 36 6c 17 20 d3 8f 8f 04 65 ee ea e6 74 03 72
+
+ info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73
+ 74 65 72 20 51 77 a2 9a f5 a1 7f 9b 49 33 e4 31 85 1d 12 83 45
+ 36 6c 17 20 d3 8f 8f 04 65 ee ea e6 74 03 72
+
+ expanded (32 octets): 05 2e 39 79 5e 5f 2b e6 e4 e0 97 4c fd d8
+ 6c 6a 7a fe 3e 57 e5 58 98 10 a3 cc cf 64 29 58 be b2
+
+ {server} derive write traffic keys for application data:
+
+ PRK (32 octets): c4 9a 91 fa f5 7f 8c 54 5d 50 48 a0 15 bf 84 9f
+ f6 39 42 e4 a7 ed cd 31 9f 8b 43 8a 97 c5 2e 21
+
+ key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
+
+ key expanded (16 octets): 88 b3 12 3d de ca df 8c 1b a2 98 e2 c1
+ 81 76 b0
+
+ iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
+
+ iv expanded (12 octets): 4e 09 78 51 3f 9d e8 32 7c 08 e4 f3
+
+ {server} derive read traffic keys for handshake data:
+
+ PRK (32 octets): ce c7 a3 0c 68 72 07 0f 22 a7 ee b0 65 76 8d b6
+ 7c 45 e2 95 33 db 87 99 08 ce 6d c6 6f 59 11 de
+
+ key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
+
+ key expanded (16 octets): 91 69 48 f7 28 d9 82 3f a4 1a 00 4d 08
+ 3f 21 7f
+
+ iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
+
+ iv expanded (12 octets): 64 15 3d 79 ba c9 ea 10 ca 5a 0a 88
+
+ {client} extract secret "early" (same as server early secret)
+
+
+
+
+Thomson Informational [Page 50]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ {client} derive secret for handshake "tls13 derived":
+
+ PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
+ 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a
+
+ hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
+ 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
+ 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
+ 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ expanded (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba
+ b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba
+
+ {client} extract secret "handshake" (same as server handshake
+ secret)
+
+ {client} derive secret "tls13 c hs traffic" (same as server)
+
+ {client} derive secret "tls13 s hs traffic" (same as server)
+
+ {client} derive secret for master "tls13 derived" (same as server)
+
+ {client} extract secret "master" (same as server master secret)
+
+ {client} derive read traffic keys for handshake data (same as server
+ handshake data write traffic keys)
+
+ {client} calculate finished "tls13 finished" (same as server)
+
+ {client} derive secret "tls13 c ap traffic" (same as server)
+
+ {client} derive secret "tls13 s ap traffic" (same as server)
+
+ {client} derive secret "tls13 exp master" (same as server)
+
+ {client} derive write traffic keys for handshake data (same as
+ server handshake data read traffic keys)
+
+ {client} derive read traffic keys for application data (same as
+ server application data write traffic keys)
+
+ {client} construct a Certificate handshake message:
+
+ Certificate (451 octets): 0b 00 01 bf 00 00 01 bb 00 01 b6 30 82
+ 01 b2 30 82 01 1b a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48
+ 86 f7 0d 01 01 0b 05 00 30 11 31 0f 30 0d 06 03 55 04 03 13 06
+
+
+
+Thomson Informational [Page 51]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ 63 6c 69 65 6e 74 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35
+ 39 5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 11 31 0f
+ 30 0d 06 03 55 04 03 13 06 63 6c 69 65 6e 74 30 81 9f 30 0d 06
+ 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81
+ 81 00 c3 81 75 e0 04 a6 8d 09 3f 82 3b 9c 37 9d 20 1f bc 0b b7
+ a1 c7 91 90 5e 3f bf 76 84 7e 44 e7 51 eb bc d3 60 bd 94 5c 81
+ e5 22 2b cc 88 46 d3 a8 a0 f9 3e 9b f5 be ba bd 92 ed f1 de 1f
+ f1 90 21 70 3e 7a b6 c0 90 15 13 f9 7e 39 b1 11 f0 9c 93 48 97
+ 1c 7b 21 19 84 a7 54 cd 45 fe 09 5a f0 ea 42 36 82 9b cc f7 a7
+ fe 9b 28 88 e7 8a b4 77 69 0a 5b 9e 1c cb e9 1c 6a 4a 0f 97 a7
+ e0 28 42 01 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04
+ 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 07 80 30 0d 06 09 2a
+ 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 1a 7a 5a 01 85 32 b0
+ 22 af 07 67 d4 86 16 0c ff 2d 16 7a 19 15 d2 38 35 b5 45 94 91
+ 6d c6 80 be 5d 2e 62 60 76 c5 d5 27 22 eb cc 77 5d 7d 99 f9 80
+ be 2f c9 4d 34 ac f6 cc 00 ba 90 cb cf b0 60 8a a1 e7 e3 97 1e
+ f0 c0 7a 41 d4 7a d8 34 5d 1f 81 fe 41 8a 1c f4 10 54 42 9f d2
+ 17 bd 77 7d c1 cf 08 f0 5d f9 07 99 c6 59 36 1e 0f 1a 8e e4 ac
+ 0f 78 97 42 0b db c8 23 da 80 a2 f2 ba 23 08 1c 00 00
+
+ {client} construct a CertificateVerify handshake message:
+
+ CertificateVerify (136 octets): 0f 00 00 84 08 04 00 80 18 6b 22
+ 23 b5 03 a7 59 c3 5d ba 0e 97 21 b4 b5 79 13 8d 5f 0f 5e 6e c7
+ fe aa f2 7f 3a d7 f3 86 c2 c7 bd 7c b2 be 52 fb f5 ed 83 93 f4
+ 06 ee 79 36 96 92 ec 7a c6 95 65 1d 85 82 19 e6 72 a8 eb 7b 2a
+ 67 7b 64 0b 46 ab 63 0e dc 5f 3f 2f 82 72 b9 c0 d9 06 f8 1f 84
+ dd c5 b8 c7 bc f9 55 c7 8a 3c f9 9e 50 16 f7 3e 04 eb 7d fc b2
+ 88 33 f1 3e 8f 75 ec 2f f3 58 1e 2f 09 8a d4 15 7f d6 d6 ad
+
+ {client} calculate finished "tls13 finished":
+
+ PRK (32 octets): ce c7 a3 0c 68 72 07 0f 22 a7 ee b0 65 76 8d b6
+ 7c 45 e2 95 33 db 87 99 08 ce 6d c6 6f 59 11 de
+
+ hash (0 octets): (empty)
+
+ info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
+ 64 00
+
+ expanded (32 octets): 4f dd d7 6b bc b8 e3 0c 72 61 b1 db 40 1b
+ b1 36 ed 39 bc e6 a4 81 5a 21 24 47 6e 27 e6 cb cb f6
+
+ finished (32 octets): 9a fe 2b a2 f6 3a 09 d2 29 d8 a4 29 e5 b3
+ 7f fd 9f cc 73 bd b5 91 1b 82 42 59 72 aa 28 92 44 0f
+
+
+
+
+
+
+Thomson Informational [Page 52]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ {client} construct a Finished handshake message:
+
+ Finished (36 octets): 14 00 00 20 9a fe 2b a2 f6 3a 09 d2 29 d8
+ a4 29 e5 b3 7f fd 9f cc 73 bd b5 91 1b 82 42 59 72 aa 28 92 44
+ 0f
+
+ {client} send handshake record:
+
+ payload (623 octets): 0b 00 01 bf 00 00 01 bb 00 01 b6 30 82 01
+ b2 30 82 01 1b a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86
+ f7 0d 01 01 0b 05 00 30 11 31 0f 30 0d 06 03 55 04 03 13 06 63
+ 6c 69 65 6e 74 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39
+ 5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 11 31 0f 30
+ 0d 06 03 55 04 03 13 06 63 6c 69 65 6e 74 30 81 9f 30 0d 06 09
+ 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81
+ 00 c3 81 75 e0 04 a6 8d 09 3f 82 3b 9c 37 9d 20 1f bc 0b b7 a1
+ c7 91 90 5e 3f bf 76 84 7e 44 e7 51 eb bc d3 60 bd 94 5c 81 e5
+ 22 2b cc 88 46 d3 a8 a0 f9 3e 9b f5 be ba bd 92 ed f1 de 1f f1
+ 90 21 70 3e 7a b6 c0 90 15 13 f9 7e 39 b1 11 f0 9c 93 48 97 1c
+ 7b 21 19 84 a7 54 cd 45 fe 09 5a f0 ea 42 36 82 9b cc f7 a7 fe
+ 9b 28 88 e7 8a b4 77 69 0a 5b 9e 1c cb e9 1c 6a 4a 0f 97 a7 e0
+ 28 42 01 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02
+ 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 07 80 30 0d 06 09 2a 86
+ 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 1a 7a 5a 01 85 32 b0 22
+ af 07 67 d4 86 16 0c ff 2d 16 7a 19 15 d2 38 35 b5 45 94 91 6d
+ c6 80 be 5d 2e 62 60 76 c5 d5 27 22 eb cc 77 5d 7d 99 f9 80 be
+ 2f c9 4d 34 ac f6 cc 00 ba 90 cb cf b0 60 8a a1 e7 e3 97 1e f0
+ c0 7a 41 d4 7a d8 34 5d 1f 81 fe 41 8a 1c f4 10 54 42 9f d2 17
+ bd 77 7d c1 cf 08 f0 5d f9 07 99 c6 59 36 1e 0f 1a 8e e4 ac 0f
+ 78 97 42 0b db c8 23 da 80 a2 f2 ba 23 08 1c 00 00 0f 00 00 84
+ 08 04 00 80 18 6b 22 23 b5 03 a7 59 c3 5d ba 0e 97 21 b4 b5 79
+ 13 8d 5f 0f 5e 6e c7 fe aa f2 7f 3a d7 f3 86 c2 c7 bd 7c b2 be
+ 52 fb f5 ed 83 93 f4 06 ee 79 36 96 92 ec 7a c6 95 65 1d 85 82
+ 19 e6 72 a8 eb 7b 2a 67 7b 64 0b 46 ab 63 0e dc 5f 3f 2f 82 72
+ b9 c0 d9 06 f8 1f 84 dd c5 b8 c7 bc f9 55 c7 8a 3c f9 9e 50 16
+ f7 3e 04 eb 7d fc b2 88 33 f1 3e 8f 75 ec 2f f3 58 1e 2f 09 8a
+ d4 15 7f d6 d6 ad 14 00 00 20 9a fe 2b a2 f6 3a 09 d2 29 d8 a4
+ 29 e5 b3 7f fd 9f cc 73 bd b5 91 1b 82 42 59 72 aa 28 92 44 0f
+
+ complete record (645 octets): 17 03 03 02 80 b4 6a 63 93 4e 67 38
+ 41 ab af 26 74 03 bc 67 7f 6b 6d 2a 1e 2f 12 bb 5f 62 68 3b fe
+ 36 a8 26 73 f0 6d 62 87 dd d6 09 bc f2 f5 fd 32 25 92 3d 24 af
+ 3c 76 68 2c 18 0e e5 71 a1 7c a4 bf be 2f 51 0d c9 a0 e1 fc a5
+ cf f2 ce e8 7d 11 cb 53 1a 6e f9 0b f5 30 9a 6b 63 bb bc 0b 88
+ ea 45 10 3a 43 04 09 15 43 85 9f a1 1e c0 32 ed 87 34 44 cd 51
+ 85 ea d5 f6 a7 64 20 f0 f0 28 6a ce f8 02 c8 e4 78 8c 23 27 5f
+ 1b 06 da 60 0f 4a 7d ec d0 bc 59 d7 be f1 0e 64 9a e3 26 90 39
+ 7f c3 d4 ed 6f 30 f8 01 d8 cd 56 9b 71 ad 4f a0 5e a7 cf 2a c2
+
+
+
+Thomson Informational [Page 53]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ df a1 50 d2 20 50 5d 40 11 b3 4d 09 d5 38 53 eb a6 1a 10 1e 4f
+ 8d ca 47 d8 17 1a 88 4b 19 25 9a 3d d4 8c 5a c1 41 98 3e dc 77
+ 81 4d 25 e7 f6 6b bb db 90 96 83 92 66 e0 65 61 82 8e cf b2 7e
+ af d4 e9 e8 1a 0b 96 e3 bf a4 2d ae 5a d8 03 59 b9 a6 66 14 02
+ c3 a2 10 41 77 03 01 06 db d8 f6 5b b6 a0 15 9d 51 2e b1 3a f2
+ 2a 25 9f 31 3b d5 8c 2e 21 fe 05 3d 57 f2 a9 62 b0 a4 ea 68 2c
+ 96 f7 0b 79 b5 60 13 61 92 82 3b 27 be 6a 2f b7 b1 c7 51 cc c0
+ e3 30 36 15 54 14 85 b7 b3 07 b4 23 33 2c 11 ef a8 0b 72 f9 b8
+ 0a 53 e5 3f 7b b3 8a 3a f4 c5 9f 80 08 ba d0 54 4e 56 14 e6 88
+ ff 57 bc cd 69 35 f8 1f 44 7f 42 0c 1c 1b f4 05 88 18 e9 0b f5
+ dc 71 6c ca e4 25 24 85 6d f8 25 0b cd bd 7a f6 5f 82 dd 53 06
+ 1d 02 4f 6d 2f f5 c1 1e 37 92 a9 a7 0e 0e e2 a3 c2 0a 1b 96 8a
+ c3 91 f8 f9 28 31 13 5d 25 24 2a da 2f e2 41 c2 65 3e c9 96 33
+ 9d fa 12 df ae 7a 33 73 df 88 b0 7c a2 7a ef 6d c2 66 a2 5f 13
+ f7 5c 76 03 9c 1f 46 fd 7a 53 ae 63 99 c9 99 f4 b2 ae e1 8e 48
+ 0d 6d 12 bf ae 22 6b bd c9 2a 6a d5 0b 4d 3b ac 7a bc 3b 36 51
+ eb 5b e5 6f 33 bf 41 12 7b 3c a8 86 dc 71 4a 50 d1 49 03 57 bd
+ 40 d9 fd 6b e4 22 09 a4 dd b9 eb b2 98 7e 29 f1 20 f0 58 14 61
+ 4d 2c 79 32 00 15 b4 61 fe 73 24 44 76 70 a1 af 5f 65 ca ed 15
+ b4 74 ab 7f aa 49 50 16 ad f8 08 e5 3b 94 ef 54 af bb 0e 0a 3a
+ 27 32 ab 59 7f 7d 59 23 c7 73 86 aa 51 24 73 1f 8c c7 3e 70 3b
+ 34 1c 17 5a 45 49 39 a7 7a b6 43 13 c1 5c f3 fe 03 c4 f3 38 42
+ 56 49 76
+
+ {client} derive write traffic keys for application data:
+
+ PRK (32 octets): 73 c2 e8 90 fa 8d 06 72 58 d6 d5 0f a9 2f e4 56
+ b0 98 cf 00 d9 72 7e ed 91 e8 89 2e f4 e6 f8 60
+
+ key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
+
+ key expanded (16 octets): cd c0 9c 80 6a a8 f8 6d fc d5 1e fc 44
+ a0 c0 39
+
+ iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
+
+ iv expanded (12 octets): 6e f8 52 e7 8b 46 d9 13 66 8e 53 e7
+
+ {client} derive secret "tls13 res master":
+
+ PRK (32 octets): 57 c1 5d 7b 9d 44 1b 3d 40 a9 c6 ea 8a 3d 73 0e
+ 07 b3 a1 ea 7a 33 39 ed 70 70 b9 a7 4a 3f 4f 28
+
+ hash (32 octets): 39 1d 00 4b d8 4c 83 1b 15 82 44 44 14 b4 dc 80
+ 64 01 0e cc 76 f3 7f 88 bf eb 1e 88 fe 13 5c 25
+
+
+
+
+
+
+Thomson Informational [Page 54]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73
+ 74 65 72 20 39 1d 00 4b d8 4c 83 1b 15 82 44 44 14 b4 dc 80 64
+ 01 0e cc 76 f3 7f 88 bf eb 1e 88 fe 13 5c 25
+
+ expanded (32 octets): 10 06 dc cb f4 0e b4 eb 97 8b ff 03 92 a9
+ e4 52 a4 fb ad 58 aa 14 78 4d 5a 24 1c 6b 49 da cc fb
+
+ {server} calculate finished "tls13 finished" (same as client)
+
+ {server} derive read traffic keys for application data (same as
+ client application data write traffic keys)
+
+ {server} derive secret "tls13 res master" (same as client)
+
+ {client} send alert record:
+
+ payload (2 octets): 01 00
+
+ complete record (24 octets): 17 03 03 00 13 e4 ad 7d 44 c2 92 45
+ 33 9d 35 59 62 c7 79 b8 9e f4 4c 58
+
+ {server} send alert record:
+
+ payload (2 octets): 01 00
+
+ complete record (24 octets): 17 03 03 00 13 1d ec c5 d6 e6 4b ba
+ 8a 6f 21 b4 fd 07 74 97 da 2a 90 cb
+
+7. Compatibility Mode
+
+ This example shows use of the handshake with the client requesting
+ that the server use compatibility mode as defined in Appendix D.4 of
+ [TLS13].
+
+ {client} create an ephemeral x25519 key pair:
+
+ private key (32 octets): de a0 0b 45 69 5d c7 81 f1 9d 34 a6 2c
+ 1a fd 31 ab 43 69 af 1e 85 5a 3b bb 25 8d 84 42 cd e6 d7
+
+ public key (32 octets): 8e 72 92 cf 30 56 db b0 d2 5f cb e5 5c 10
+ 7d c9 bb f8 3d d9 70 8f 39 20 3b a3 41 24 9a 7d 9b 63
+
+ {client} construct a ClientHello handshake message:
+
+ ClientHello (224 octets): 01 00 00 dc 03 03 4e 64 0a 3f 2c 27 38
+ f0 9c 94 18 bd 78 ed cc d7 55 9d 05 31 19 92 76 d4 d9 2a 0e 9e
+ e9 d7 7d 09 20 a8 0c 16 55 81 a8 e0 d0 6c 00 18 d5 4d 3a 06 dd
+ 32 cf d4 05 1e b0 26 fa d3 fd 0b a9 92 69 e6 ef 00 06 13 01 13
+
+
+
+Thomson Informational [Page 55]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ 03 13 02 01 00 00 8d 00 00 00 0b 00 09 00 00 06 73 65 72 76 65
+ 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01
+ 00 01 01 01 02 01 03 01 04 00 33 00 26 00 24 00 1d 00 20 8e 72
+ 92 cf 30 56 db b0 d2 5f cb e5 5c 10 7d c9 bb f8 3d d9 70 8f 39
+ 20 3b a3 41 24 9a 7d 9b 63 00 2b 00 03 02 03 04 00 0d 00 20 00
+ 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01
+ 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40
+ 01
+
+ {client} send handshake record:
+
+ payload (224 octets): 01 00 00 dc 03 03 4e 64 0a 3f 2c 27 38 f0
+ 9c 94 18 bd 78 ed cc d7 55 9d 05 31 19 92 76 d4 d9 2a 0e 9e e9
+ d7 7d 09 20 a8 0c 16 55 81 a8 e0 d0 6c 00 18 d5 4d 3a 06 dd 32
+ cf d4 05 1e b0 26 fa d3 fd 0b a9 92 69 e6 ef 00 06 13 01 13 03
+ 13 02 01 00 00 8d 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72
+ ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00
+ 01 01 01 02 01 03 01 04 00 33 00 26 00 24 00 1d 00 20 8e 72 92
+ cf 30 56 db b0 d2 5f cb e5 5c 10 7d c9 bb f8 3d d9 70 8f 39 20
+ 3b a3 41 24 9a 7d 9b 63 00 2b 00 03 02 03 04 00 0d 00 20 00 1e
+ 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02
+ 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01
+
+ complete record (229 octets): 16 03 01 00 e0 01 00 00 dc 03 03 4e
+ 64 0a 3f 2c 27 38 f0 9c 94 18 bd 78 ed cc d7 55 9d 05 31 19 92
+ 76 d4 d9 2a 0e 9e e9 d7 7d 09 20 a8 0c 16 55 81 a8 e0 d0 6c 00
+ 18 d5 4d 3a 06 dd 32 cf d4 05 1e b0 26 fa d3 fd 0b a9 92 69 e6
+ ef 00 06 13 01 13 03 13 02 01 00 00 8d 00 00 00 0b 00 09 00 00
+ 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00
+ 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00 26 00 24
+ 00 1d 00 20 8e 72 92 cf 30 56 db b0 d2 5f cb e5 5c 10 7d c9 bb
+ f8 3d d9 70 8f 39 20 3b a3 41 24 9a 7d 9b 63 00 2b 00 03 02 03
+ 04 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06
+ 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01
+ 01 00 1c 00 02 40 01
+
+ {server} extract secret "early":
+
+ salt: 0 (all zero octets)
+
+ IKM (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+ secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
+ e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a
+
+
+
+
+
+
+Thomson Informational [Page 56]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ {server} create an ephemeral x25519 key pair:
+
+ private key (32 octets): 01 7c 38 a3 64 79 21 ca 2d 9e d6 bd 7a
+ e7 13 2b 94 21 1b 13 31 bb 20 8c 8c cd d5 15 56 40 99 95
+
+ public key (32 octets): 3e 30 f0 f4 ba 55 1a fd 62 76 83 41 17 5f
+ 52 65 e4 da f0 c8 84 16 17 aa 4f af dd 21 42 32 0c 22
+
+ {server} construct a ServerHello handshake message:
+
+ ServerHello (122 octets): 02 00 00 76 03 03 e5 dd 59 48 c4 35 f7
+ a3 8f 0f 01 30 70 8d c3 22 d9 df 09 ab d4 83 81 17 c1 83 a7 bb
+ 6d 99 4f 2c 20 a8 0c 16 55 81 a8 e0 d0 6c 00 18 d5 4d 3a 06 dd
+ 32 cf d4 05 1e b0 26 fa d3 fd 0b a9 92 69 e6 ef 13 01 00 00 2e
+ 00 33 00 24 00 1d 00 20 3e 30 f0 f4 ba 55 1a fd 62 76 83 41 17
+ 5f 52 65 e4 da f0 c8 84 16 17 aa 4f af dd 21 42 32 0c 22 00 2b
+ 00 02 03 04
+
+ {server} send handshake record:
+
+ payload (122 octets): 02 00 00 76 03 03 e5 dd 59 48 c4 35 f7 a3
+ 8f 0f 01 30 70 8d c3 22 d9 df 09 ab d4 83 81 17 c1 83 a7 bb 6d
+ 99 4f 2c 20 a8 0c 16 55 81 a8 e0 d0 6c 00 18 d5 4d 3a 06 dd 32
+ cf d4 05 1e b0 26 fa d3 fd 0b a9 92 69 e6 ef 13 01 00 00 2e 00
+ 33 00 24 00 1d 00 20 3e 30 f0 f4 ba 55 1a fd 62 76 83 41 17 5f
+ 52 65 e4 da f0 c8 84 16 17 aa 4f af dd 21 42 32 0c 22 00 2b 00
+ 02 03 04
+
+ complete record (127 octets): 16 03 03 00 7a 02 00 00 76 03 03 e5
+ dd 59 48 c4 35 f7 a3 8f 0f 01 30 70 8d c3 22 d9 df 09 ab d4 83
+ 81 17 c1 83 a7 bb 6d 99 4f 2c 20 a8 0c 16 55 81 a8 e0 d0 6c 00
+ 18 d5 4d 3a 06 dd 32 cf d4 05 1e b0 26 fa d3 fd 0b a9 92 69 e6
+ ef 13 01 00 00 2e 00 33 00 24 00 1d 00 20 3e 30 f0 f4 ba 55 1a
+ fd 62 76 83 41 17 5f 52 65 e4 da f0 c8 84 16 17 aa 4f af dd 21
+ 42 32 0c 22 00 2b 00 02 03 04
+
+ {server} send change_cipher_spec record:
+
+ payload (1 octets): 01
+
+ complete record (6 octets): 14 03 03 00 01 01
+
+ {server} derive secret for handshake "tls13 derived":
+
+ PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
+ 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a
+
+
+
+
+
+Thomson Informational [Page 57]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
+ 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
+ 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
+ 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ expanded (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba
+ b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba
+
+ {server} extract secret "handshake":
+
+ salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
+ 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba
+
+ IKM (32 octets): ee f7 90 55 90 77 db 5b b6 3b 66 84 e4 16 9f 05
+ 1e 8f b3 4c e5 9b af ce 2f 9c 8e e6 8c c4 eb 79
+
+ secret (32 octets): f9 17 61 35 4a 67 e9 b0 7c 6d cc 3a 55 70 7e
+ fa 69 c4 51 9d 80 40 e5 f2 15 12 1e 0d f6 9a fa 4a
+
+ {server} derive secret "tls13 c hs traffic":
+
+ PRK (32 octets): f9 17 61 35 4a 67 e9 b0 7c 6d cc 3a 55 70 7e fa
+ 69 c4 51 9d 80 40 e5 f2 15 12 1e 0d f6 9a fa 4a
+
+ hash (32 octets): 74 5c 55 ba c3 99 31 0b 7b 5a 7c 81 a2 c1 30 b4
+ d5 6d ff 6f 68 c3 ab 47 78 57 60 1e 01 f1 f8 d1
+
+ info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72
+ 61 66 66 69 63 20 74 5c 55 ba c3 99 31 0b 7b 5a 7c 81 a2 c1 30
+ b4 d5 6d ff 6f 68 c3 ab 47 78 57 60 1e 01 f1 f8 d1
+
+ expanded (32 octets): 2c 3c b2 4a 10 81 ed b5 95 18 ee 68 61 e8
+ 9a 6b 72 b3 80 1a fe 77 13 e4 cb bc 21 c0 79 5b f8 31
+
+ {server} derive secret "tls13 s hs traffic":
+
+ PRK (32 octets): f9 17 61 35 4a 67 e9 b0 7c 6d cc 3a 55 70 7e fa
+ 69 c4 51 9d 80 40 e5 f2 15 12 1e 0d f6 9a fa 4a
+
+ hash (32 octets): 74 5c 55 ba c3 99 31 0b 7b 5a 7c 81 a2 c1 30 b4
+ d5 6d ff 6f 68 c3 ab 47 78 57 60 1e 01 f1 f8 d1
+
+ info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
+ 61 66 66 69 63 20 74 5c 55 ba c3 99 31 0b 7b 5a 7c 81 a2 c1 30
+ b4 d5 6d ff 6f 68 c3 ab 47 78 57 60 1e 01 f1 f8 d1
+
+
+
+
+Thomson Informational [Page 58]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ expanded (32 octets): ca ce 3d 55 5c c1 c5 77 cf 97 0c ff 28 cf
+ 97 8d 6a 98 00 08 54 42 e1 8d 69 5b 50 f3 15 1d 18 c8
+
+ {server} derive secret for master "tls13 derived":
+
+ PRK (32 octets): f9 17 61 35 4a 67 e9 b0 7c 6d cc 3a 55 70 7e fa
+ 69 c4 51 9d 80 40 e5 f2 15 12 1e 0d f6 9a fa 4a
+
+ hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
+ 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
+ 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
+ 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ expanded (32 octets): 5d a1 2d c4 78 35 ba 73 fd d9 94 b1 4a b7
+ e6 3c c6 3f 0d 79 16 2f 67 56 e9 a4 67 56 c8 b2 b6 42
+
+ {server} extract secret "master":
+
+ salt (32 octets): 5d a1 2d c4 78 35 ba 73 fd d9 94 b1 4a b7 e6 3c
+ c6 3f 0d 79 16 2f 67 56 e9 a4 67 56 c8 b2 b6 42
+
+ IKM (32 octets): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+
+ secret (32 octets): 62 81 12 da e2 f7 02 48 80 63 e4 2d e6 c8 50
+ a5 c0 82 0b 90 90 3e 00 ab c3 18 75 da 03 d4 bc 5b
+
+ {server} derive write traffic keys for handshake data:
+
+ PRK (32 octets): ca ce 3d 55 5c c1 c5 77 cf 97 0c ff 28 cf 97 8d
+ 6a 98 00 08 54 42 e1 8d 69 5b 50 f3 15 1d 18 c8
+
+ key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
+
+ key expanded (16 octets): 04 10 91 fd ab 29 f2 c8 ab fb 15 6d c5
+ fc 8d 54
+
+ iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
+
+ iv expanded (12 octets): 74 64 d7 91 68 5d e0 59 98 fc ba db
+
+ {server} construct an EncryptedExtensions handshake message:
+
+ EncryptedExtensions (40 octets): 08 00 00 24 00 22 00 0a 00 14 00
+ 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c
+ 00 02 40 01 00 00 00 00
+
+
+
+Thomson Informational [Page 59]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ {server} construct a Certificate handshake message:
+
+ Certificate (445 octets): 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82
+ 01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48
+ 86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03
+ 72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17
+ 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06
+ 03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7
+ 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f
+ 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26
+ d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c
+ 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52
+ 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74
+ 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93
+ ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03
+ 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06
+ 03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01
+ 01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a
+ 72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea
+ e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01
+ 51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be
+ c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b
+ 1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8
+ 96 12 29 ac 91 87 b4 2b 4d e1 00 00
+
+ {server} construct a CertificateVerify handshake message:
+
+ CertificateVerify (136 octets): 0f 00 00 84 08 04 00 80 a2 30 1a
+ 68 dd 1c ee e6 93 8f e9 d4 0c 46 b9 20 1b 34 d5 99 52 a3 7e 06
+ 52 3a 39 cf 8b a6 c9 c8 b6 8a e9 44 92 af 78 05 16 ed 7b 73 c8
+ 28 12 e9 9d d3 fa be a4 5e 09 d9 c6 84 87 21 c2 80 8c 61 50 1b
+ 0c 75 e7 fc ab a5 f7 8b ef 68 a2 c2 b6 9b 19 55 8b 3e 40 38 7e
+ ea 93 d2 5c 77 81 c1 cc 00 e9 f5 19 f7 e2 e4 ad b7 3e 76 d6 60
+ 89 00 0a 2d c8 66 c2 ed 30 bb a5 0a 0d 45 7f 19 dc 6e b9 f3
+
+ {server} calculate finished "tls13 finished":
+
+ PRK (32 octets): ca ce 3d 55 5c c1 c5 77 cf 97 0c ff 28 cf 97 8d
+ 6a 98 00 08 54 42 e1 8d 69 5b 50 f3 15 1d 18 c8
+
+ hash (0 octets): (empty)
+
+ info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
+ 64 00
+
+ expanded (32 octets): 2c 9f 72 f2 7b 81 e7 df 66 8c ac cd 49 37
+ 1f 12 86 d4 11 e1 6c 8c cc 1c 0d 9a ed 72 cb bd c0 80
+
+
+
+
+Thomson Informational [Page 60]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ finished (32 octets): c8 c3 a8 f1 bf f5 27 40 61 f4 bc 3a 7c af
+ fb dc 96 16 09 4c a6 25 ca a6 5f 8e 76 ed 46 db 74 d3
+
+ {server} construct a Finished handshake message:
+
+ Finished (36 octets): 14 00 00 20 c8 c3 a8 f1 bf f5 27 40 61 f4
+ bc 3a 7c af fb dc 96 16 09 4c a6 25 ca a6 5f 8e 76 ed 46 db 74
+ d3
+
+ {server} send handshake record:
+
+ payload (657 octets): 08 00 00 24 00 22 00 0a 00 14 00 12 00 1d
+ 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 00 02 40
+ 01 00 00 00 00 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30
+ 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d
+ 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61
+ 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36
+ 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04
+ 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01
+ 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f 82 79 30
+ 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a
+ 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e
+ aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01
+ 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53
+ 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab
+ 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 01 00 01
+ a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d
+ 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05
+ 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17
+ 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea e8 f8 a5
+ 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 51 56 72
+ 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be c1 fc 63
+ a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1c 3b 84
+ e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 96 12 29
+ ac 91 87 b4 2b 4d e1 00 00 0f 00 00 84 08 04 00 80 a2 30 1a 68
+ dd 1c ee e6 93 8f e9 d4 0c 46 b9 20 1b 34 d5 99 52 a3 7e 06 52
+ 3a 39 cf 8b a6 c9 c8 b6 8a e9 44 92 af 78 05 16 ed 7b 73 c8 28
+ 12 e9 9d d3 fa be a4 5e 09 d9 c6 84 87 21 c2 80 8c 61 50 1b 0c
+ 75 e7 fc ab a5 f7 8b ef 68 a2 c2 b6 9b 19 55 8b 3e 40 38 7e ea
+ 93 d2 5c 77 81 c1 cc 00 e9 f5 19 f7 e2 e4 ad b7 3e 76 d6 60 89
+ 00 0a 2d c8 66 c2 ed 30 bb a5 0a 0d 45 7f 19 dc 6e b9 f3 14 00
+ 00 20 c8 c3 a8 f1 bf f5 27 40 61 f4 bc 3a 7c af fb dc 96 16 09
+ 4c a6 25 ca a6 5f 8e 76 ed 46 db 74 d3
+
+ complete record (679 octets): 17 03 03 02 a2 48 de 89 1d 9c 36 24
+ a6 7a 6c 6f 06 01 ab 7a c2 0c 1f 6a 9e 14 d2 e6 00 7e 99 9e 13
+ 03 67 a8 af 1b cf ea 94 98 fb ce 19 df 45 05 ee ce 3a 25 da 52
+ 3c be 55 ea 1b 3b da 4e 91 99 5e 45 5d 50 0a 4f aa 62 27 b7 11
+
+
+
+Thomson Informational [Page 61]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ 1e 1c 85 47 e2 d7 c1 79 db 21 53 03 d2 58 27 f3 cd 18 f4 8f 64
+ 91 32 8c f5 c0 f8 14 d3 88 15 0b d9 e9 26 4a ae 49 1d b6 99 50
+ 69 be a1 76 65 d5 e0 c8 17 28 4d 4a c2 18 80 05 4c 36 57 33 1e
+ 23 a9 30 4d c8 8a 15 c0 4e c8 0b d3 85 2b f7 f9 d3 c6 61 5b 15
+ fa c8 3b bc a0 31 c6 d2 31 0d 9f 5d 7a 4b 02 0a 4f 7c 19 06 2b
+ 65 c0 5a 1d 32 64 b5 57 ec 9d 8e 0f 7c ee 27 e3 6f 79 30 39 de
+ 8d d9 6e df ca 90 09 e0 65 10 34 bf f3 1d 7f 34 9e ec e0 1d 99
+ fc b5 fc ab 84 0d 77 07 c7 22 99 c3 b5 d0 45 64 e8 80 a3 3c 5e
+ 84 6c 76 2e 3d 92 2b b5 53 03 d1 d8 7c c0 f0 65 73 f1 7d cb 9b
+ 8f fd 35 bb d8 83 c1 cb 3a a2 4f cc 32 50 05 f7 68 ce 2f b6 24
+ ca 97 b6 c4 d9 8e 17 f3 5b c2 c7 94 0a 06 10 0c 2d 44 8d b7 18
+ 0b 2d 86 21 64 43 5c 9c 21 0e 98 60 39 4e 05 aa b2 3f f1 b0 20
+ 3f 66 2c 58 8d a5 bc 44 11 47 7a 30 b4 11 36 c4 88 a0 a6 3f ca
+ b5 c1 5a c6 13 22 6d ae 82 7a 1d 1f e9 5e ce 6b 30 bc ee 15 60
+ a8 d4 08 d2 64 55 5e 76 0f 9b fc 62 4c 2c 87 fd 04 56 c9 bf b4
+ 1b cd 1a 7b 21 27 86 d2 b6 7f d5 78 04 fa cf a1 ee f7 cf 29 19
+ d8 b9 98 c9 78 9f 76 3b 4d 9c aa 09 3a 9d ed 43 17 5d 46 a7 6b
+ 4d 54 f0 ce 0c 5d 22 59 b6 07 e3 0a 9d 24 12 63 87 4f a5 9d 6f
+ 57 0d c4 0d 83 a2 d8 3b f9 e9 85 0d 45 4c 57 80 65 35 a8 99 8a
+ e0 35 7d f9 2f 00 b9 66 73 44 c2 41 14 cc c9 ef 53 91 24 b2 04
+ e7 e6 e7 48 c3 0a 28 a3 d1 d1 83 99 72 43 ea cc bb d3 3b 0c 11
+ 15 a0 32 71 06 a1 e6 a7 52 71 d4 98 30 86 f6 32 ff 0e b8 b4 c6
+ 31 02 cb ce f5 bb 72 da e1 27 9d 5d e8 eb 19 09 6d 8c db 07 fa
+ 8e a9 89 78 8f ac 23 e6 6e 04 88 c1 93 f3 f3 fe a8 c8 83 88 96
+ bf 3a e4 b6 84 8d 42 ce d4 bd f4 1a be 6f c3 31 b4 42 25 e7 a1
+ f7 d3 56 41 47 d5 45 8e 71 aa 90 9c b0 2b e9 58 bb c4 2e 3a a5
+ a2 7c c6 ea f4 b6 fe 51 ae 44 95 69 4d 8a b6 32 0a ab 92 01 83
+ fd 5b 31 a3 59 04 2f bd 67 39 1e c5 e4 d1 89 2a 2e 52 10 14 1a
+ 49 4e 93 01 b2 4a 11 3c 47 4c 7f 2a 73 45 78 47
+
+ {server} derive secret "tls13 c ap traffic":
+
+ PRK (32 octets): 62 81 12 da e2 f7 02 48 80 63 e4 2d e6 c8 50 a5
+ c0 82 0b 90 90 3e 00 ab c3 18 75 da 03 d4 bc 5b
+
+ hash (32 octets): 07 07 dc ac 7b 2f a4 28 cc 7f 69 16 94 a2 59 0c
+ 80 6a aa 5c 0c f5 08 7e d5 38 50 12 e7 f9 6c d4
+
+ info (54 octets): 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72
+ 61 66 66 69 63 20 07 07 dc ac 7b 2f a4 28 cc 7f 69 16 94 a2 59
+ 0c 80 6a aa 5c 0c f5 08 7e d5 38 50 12 e7 f9 6c d4
+
+ expanded (32 octets): 74 3e 4c 6b 56 cf 39 09 d1 b0 6d 01 95 6c
+ cd 2c 4b 37 75 84 49 ae c4 1d 98 da e4 49 24 ea a2 99
+
+
+
+
+
+
+
+Thomson Informational [Page 62]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ {server} derive secret "tls13 s ap traffic":
+
+ PRK (32 octets): 62 81 12 da e2 f7 02 48 80 63 e4 2d e6 c8 50 a5
+ c0 82 0b 90 90 3e 00 ab c3 18 75 da 03 d4 bc 5b
+
+ hash (32 octets): 07 07 dc ac 7b 2f a4 28 cc 7f 69 16 94 a2 59 0c
+ 80 6a aa 5c 0c f5 08 7e d5 38 50 12 e7 f9 6c d4
+
+ info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72
+ 61 66 66 69 63 20 07 07 dc ac 7b 2f a4 28 cc 7f 69 16 94 a2 59
+ 0c 80 6a aa 5c 0c f5 08 7e d5 38 50 12 e7 f9 6c d4
+
+ expanded (32 octets): b6 b8 14 4a a3 35 ed 30 59 c0 c9 c8 f0 ec
+ ab f7 af c9 4a f6 64 3b de cd fd 92 10 18 8f ab 74 51
+
+ {server} derive secret "tls13 exp master":
+
+ PRK (32 octets): 62 81 12 da e2 f7 02 48 80 63 e4 2d e6 c8 50 a5
+ c0 82 0b 90 90 3e 00 ab c3 18 75 da 03 d4 bc 5b
+
+ hash (32 octets): 07 07 dc ac 7b 2f a4 28 cc 7f 69 16 94 a2 59 0c
+ 80 6a aa 5c 0c f5 08 7e d5 38 50 12 e7 f9 6c d4
+
+ info (52 octets): 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73
+ 74 65 72 20 07 07 dc ac 7b 2f a4 28 cc 7f 69 16 94 a2 59 0c 80
+ 6a aa 5c 0c f5 08 7e d5 38 50 12 e7 f9 6c d4
+
+ expanded (32 octets): fb 69 12 1c ea 33 4d b4 59 e1 22 72 d1 79
+ ba ca 23 69 b6 43 d1 1a 6a c7 2b 8b 27 a5 c9 64 fe b1
+
+ {server} derive write traffic keys for application data:
+
+ PRK (32 octets): b6 b8 14 4a a3 35 ed 30 59 c0 c9 c8 f0 ec ab f7
+ af c9 4a f6 64 3b de cd fd 92 10 18 8f ab 74 51
+
+ key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
+
+ key expanded (16 octets): ed c4 cb d0 04 1c 28 cc 71 67 44 1d 7c
+ a5 3e 6a
+
+ iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
+
+ iv expanded (12 octets): bf 6c 7d 8e 0a 95 45 b4 27 dc f1 39
+
+ {server} derive read traffic keys for handshake data:
+
+ PRK (32 octets): 2c 3c b2 4a 10 81 ed b5 95 18 ee 68 61 e8 9a 6b
+ 72 b3 80 1a fe 77 13 e4 cb bc 21 c0 79 5b f8 31
+
+
+
+Thomson Informational [Page 63]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
+
+ key expanded (16 octets): 62 d1 3c 13 ff d7 40 2f c1 c0 9e 3d 16
+ 36 65 cb
+
+ iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
+
+ iv expanded (12 octets): 71 66 f2 00 28 bf 14 6d cf bd 5a 40
+
+ {client} extract secret "early" (same as server early secret)
+
+ {client} derive secret for handshake "tls13 derived":
+
+ PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
+ 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a
+
+ hash (32 octets): e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
+ 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ info (49 octets): 00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
+ 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
+ 64 9b 93 4c a4 95 99 1b 78 52 b8 55
+
+ expanded (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba
+ b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba
+
+ {client} extract secret "handshake" (same as server handshake
+ secret)
+
+ {client} derive secret "tls13 c hs traffic" (same as server)
+
+ {client} derive secret "tls13 s hs traffic" (same as server)
+
+ {client} derive secret for master "tls13 derived" (same as server)
+
+ {client} extract secret "master" (same as server master secret)
+
+ {client} derive read traffic keys for handshake data (same as server
+ handshake data write traffic keys)
+
+ {client} calculate finished "tls13 finished" (same as server)
+
+ {client} derive secret "tls13 c ap traffic" (same as server)
+
+ {client} derive secret "tls13 s ap traffic" (same as server)
+
+ {client} derive secret "tls13 exp master" (same as server)
+
+
+
+
+Thomson Informational [Page 64]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ {client} send change_cipher_spec record:
+
+ payload (1 octets): 01
+
+ complete record (6 octets): 14 03 03 00 01 01
+
+ {client} derive write traffic keys for handshake data (same as
+ server handshake data read traffic keys)
+
+ {client} derive read traffic keys for application data (same as
+ server application data write traffic keys)
+
+ {client} calculate finished "tls13 finished":
+
+ PRK (32 octets): 2c 3c b2 4a 10 81 ed b5 95 18 ee 68 61 e8 9a 6b
+ 72 b3 80 1a fe 77 13 e4 cb bc 21 c0 79 5b f8 31
+
+ hash (0 octets): (empty)
+
+ info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
+ 64 00
+
+ expanded (32 octets): 77 34 1a bc 8c 0f fa b5 18 07 36 71 3e 41
+ d2 f6 65 c4 10 a4 04 c8 c2 1e dc d9 48 a4 44 0f d8 0c
+
+ finished (32 octets): 69 2c ab 15 5c c6 c1 00 ea d6 07 33 d0 61
+ 7f 6f b0 9b 71 aa 1e 8c 9a cc bb bc 9e 8e d3 36 c1 dd
+
+ {client} construct a Finished handshake message:
+
+ Finished (36 octets): 14 00 00 20 69 2c ab 15 5c c6 c1 00 ea d6
+ 07 33 d0 61 7f 6f b0 9b 71 aa 1e 8c 9a cc bb bc 9e 8e d3 36 c1
+ dd
+
+ {client} send handshake record:
+
+ payload (36 octets): 14 00 00 20 69 2c ab 15 5c c6 c1 00 ea d6 07
+ 33 d0 61 7f 6f b0 9b 71 aa 1e 8c 9a cc bb bc 9e 8e d3 36 c1 dd
+
+ complete record (58 octets): 17 03 03 00 35 32 d0 30 e2 73 77 3a
+ 86 96 c7 99 98 1a f6 ce d0 7f 87 48 2e 81 56 5e 39 4e 87 c8 67
+ f3 3d f3 d6 5b 75 06 f1 a6 26 af 91 d4 82 1d 5f 7a 1f 21 0e f8
+ dd 3c 6d 16
+
+ {client} derive write traffic keys for application data:
+
+ PRK (32 octets): 74 3e 4c 6b 56 cf 39 09 d1 b0 6d 01 95 6c cd 2c
+ 4b 37 75 84 49 ae c4 1d 98 da e4 49 24 ea a2 99
+
+
+
+Thomson Informational [Page 65]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+ key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
+
+ key expanded (16 octets): 33 d7 f9 70 97 56 c9 66 48 8a d4 43 84
+ 37 e6 73
+
+ iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
+
+ iv expanded (12 octets): c5 f3 0d 34 b0 e9 1b 7d 6c 8e ea 65
+
+ {client} derive secret "tls13 res master":
+
+ PRK (32 octets): 62 81 12 da e2 f7 02 48 80 63 e4 2d e6 c8 50 a5
+ c0 82 0b 90 90 3e 00 ab c3 18 75 da 03 d4 bc 5b
+
+ hash (32 octets): a0 21 d3 a0 5b d4 18 a7 72 81 38 75 ef 79 b0 af
+ 68 c5 12 32 15 42 7a b7 33 3f 8c 27 72 2a 9f d5
+
+ info (52 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73
+ 74 65 72 20 a0 21 d3 a0 5b d4 18 a7 72 81 38 75 ef 79 b0 af 68
+ c5 12 32 15 42 7a b7 33 3f 8c 27 72 2a 9f d5
+
+ expanded (32 octets): 0b 5d 44 07 ce a0 a4 2a 3a 81 dd 47 76 47
+ b7 fe 91 80 db 29 7e 51 14 f1 ad 87 96 b4 dc 47 50 04
+
+ {server} calculate finished "tls13 finished" (same as client)
+
+ {server} derive read traffic keys for application data (same as
+ client application data write traffic keys)
+
+ {server} derive secret "tls13 res master" (same as client)
+
+ {client} send alert record:
+
+ payload (2 octets): 01 00
+
+ complete record (24 octets): 17 03 03 00 13 0f 62 91 55 38 2d ba
+ 23 c4 e2 c5 f7 f8 4e 6f 2e d3 08 3d
+
+ {server} send alert record:
+
+ payload (2 octets): 01 00
+
+ complete record (24 octets): 17 03 03 00 13 b7 25 7b 0f ec af 69
+ d4 f0 9e 3f 89 1e 2a 25 d1 e2 88 45
+
+
+
+
+
+
+
+Thomson Informational [Page 66]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+8. Security Considerations
+
+ It probably isn't a good idea to use the private key included in this
+ document. In addition to the fact that it is too small to provide
+ any meaningful security, it is now very well known.
+
+9. IANA Considerations
+
+ This document has no IANA actions.
+
+10. References
+
+10.1. Normative References
+
+ [TLS13] Rescorla, E., "The Transport Layer Security (TLS) Protocol
+ Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
+ <https://www.rfc-editor.org/info/rfc8446>.
+
+10.2. Informative References
+
+ [FIPS.186-4.2013]
+ National Institute of Standards and Technology, "Digital
+ Signature Standard (DSS)", FIPS 186-4,
+ DOI 10.6028/NIST.FIPS.186-4, July 2013,
+ <https://nvlpubs.nist.gov/nistpubs/fips/
+ nist.fips.186-4.pdf>.
+
+ [NSS] Mozilla, "Network Security Services", November 2018,
+ <https://developer.mozilla.org/en-US/docs/Mozilla/
+ Projects/NSS>.
+
+ [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
+ Key Derivation Function (HKDF)", RFC 5869,
+ DOI 10.17487/RFC5869, May 2010,
+ <https://www.rfc-editor.org/info/rfc5869>.
+
+ [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
+ for Security", RFC 7748, DOI 10.17487/RFC7748, January
+ 2016, <https://www.rfc-editor.org/info/rfc7748>.
+
+
+
+
+
+
+
+
+
+
+
+
+Thomson Informational [Page 67]
+
+RFC 8448 TLS 1.3 Traces January 2019
+
+
+Acknowledgements
+
+ This document was generated using tests that were written for Network
+ Security Services [NSS]. None of this would have been possible
+ without Franziskus Kiefer, Eric Rescorla, and Tim Taubert, all of
+ whom did a lot of the work in NSS.
+
+Author's Address
+
+ Martin Thomson
+ Mozilla
+
+ Email: martin.thomson@gmail.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Thomson Informational [Page 68]
+