HTTP M. Thomson
Internet-Draft Mozilla
Intended status: Standards Track November 29, 2016
Expires: June 2, 2017

Example Handshake Traces for TLS 1.3
draft-thomson-tls-tls13-vectors-latest

Abstract

Examples of TLS 1.3 handshakes are shown. Private keys and inputs are provided so that these handshakes might be reproduced. Intermediate values, including secrets, traffic keys and ivs are shown so that implementations might be checked incrementally against these values.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on June 2, 2017.

Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1. Introduction

TLS 1.3 [I-D.ietf-tls-tls13] defines a new key schedule and a number new cryptographic operations. This document includes sample handshakes that show all intermediate values. This allows an implementation to be verified incrementally, examining inputs and outputs of each cryptographic computation independently.

Private keys are included with the traces so that implementations can be checked by importing these values and verifying that the same outputs are produced.

2. Private Keys

Ephemeral private keys are shown as they are generated in the traces.

The server in most examples uses an RSA certificate with a private key of:

modulus (public):
b4bb498f8279303d 980836399b36c698 8c0c68de55e1bdb8 26d3901a2461eafd 2de49a91d015abbc 9a95137ace6c1af1 9eaa6af98c7ced43 120998e187a80ee0 ccb0524b1b018c3e 0b63264d449a6d38 e22a5fda43084674 8030530ef0461c8c a9d9efbfae8ea6d1 d03e2bd193eff0ab 9a8002c47428a6d3 5a8d88d79f7f1e3f
public exponent:
010001
private exponent:
04dea705d43a6ea7 209dd8072111a83c 81e322a59278b334 80641eaf7c0a6985 b8e31c44f6de62e1 b4c2309f6126e77b 7c41e923314bbfa3 881305dc1217f16c 819ce538e922f369 828d0e57195d8c84 88460207b2faa726 bcf708bbd7db7f67 9f893492fc2a622e 08970aac441ce4e0 c3088df25ae67923 3df8a3bda2ff9941
prime1:
e435fb7cc8373775 6dacea96ab7f59a2 cc1069db7deb190e 17e33a532b273f30 a327aa0aaabc58cd 67466af9845fadc6 75fe094af92c4bd1 f2c1bc33dd2e0515
prime2:
cabd3bc0e0438664 c8d4cc9f99977a94 d9bbfead8e43870a bae3f7eb8b4e0eee 8af1d9b4719ba619 6cf2cbbaeeebf8b3 490afe9e9ffa74a8 8aa51fc645629303
exponent1:
3f57345c27fe1b68 7e6e761627b78b1b 826433dd760fa0be a6a6acf39490aa1b 47cda4869d68f584 dd5b5029bd32093b 8258661fe715025e 5d70a45a08d3d319
exponent2:
183da01363bd2f28 85cacbdc9964bf47 64f1517636f86401 286f71893c52ccfe 40a6c23d0d086b47 c6fb10d8fd1041e0 4def7e9a40ce957c 417794e10412d139
coefficient:
839ca9a085e4286b 2c90e466997a2c68 1f21339aa3477814 e4dec11833050ed5 0dd13cc038048a43 c59b2acc416889c0 37665fe5afa60596 9f8c01dfa5ca969d

3. Simple 1-RTT Handshake

In this example, the simplest possible handshake is completed. The server is authenticated, but the client remains anonymous. After connecting, a few application data octets are exchanged. The server sends a session ticket that permits the use of 0-RTT in any resumed session.

Note:
This example doesn’t include the calculation of the exporter secret. Support for that will be added to NSS soon.
{client}
create an ephemeral x25519 key pair:
private key (32 octets):
0ccc250620aa1728 219e9ac69e36f02b a957689fc0e33b6f ca0d67596ef720e1
public key (32 octets):
f7ef3d755b65b8e7 00fcfabc32b7d4d1 8a5ab359ec875384 920fb778f84e4c2d

{client}
send a ClientHello handshake message
{client}
send record:
cleartext (512 octets):
010001fc03034084 15733a42bd758a6c 23e6225f655fe6a1 38cc5028ecfce145 744871a207bb0000 3e130113031302c0 2bc02fcca9cca8c0 0ac009c013c023c0 27c014009eccaa00 3300320067003900 38006b0016001300 9c002f003c003500 3d000a0005000401 000195001500fc00 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000b00 0900000673657276 6572ff0100010000 0a00140012001d00 1700180019010001 0101020103010400 0b00020100002300 0000280026002400 1d0020f7ef3d755b 65b8e700fcfabc32 b7d4d18a5ab359ec 875384920fb778f8 4e4c2d002b000706 7f1203030302000d 0020001e04030503 0603020308040805 0806040105010601 0201040205020602 0202002d00020101
ciphertext (517 octets):
1603010200010001 fc0303408415733a 42bd758a6c23e622 5f655fe6a138cc50 28ecfce145744871 a207bb00003e1301 13031302c02bc02f cca9cca8c00ac009 c013c023c027c014 009eccaa00330032 006700390038006b 00160013009c002f 003c0035003d000a 0005000401000195 001500fc00000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000b00090000 06736572766572ff 01000100000a0014 0012001d00170018 0019010001010102 01030104000b0002 0100002300000028 00260024001d0020 f7ef3d755b65b8e7 00fcfabc32b7d4d1 8a5ab359ec875384 920fb778f84e4c2d 002b0007067f1203 030302000d002000 1e04030503060302 0308040805080604 0105010601020104 0205020602020200 2d00020101

{server}
extract secret “early”:
salt:
(absent)
ikm (32 octets):
0000000000000000 0000000000000000 0000000000000000 0000000000000000
secret (32 octets):
33ad0a1c607ec03b 09e6cd9893680ce2 10adf300aa1f2660 e1b22e10f170f92a

{server}
create an ephemeral x25519 key pair:
private key (32 octets):
08f39728895d9919 2e469dccff9e3947 dc0330ccd911e29f 063e3d972120a21f
public key (32 octets):
8db235a330ee184b 953a981ecfb23b05 380768ed12050ec2 f0ec62b74ef8f835

{server}
send a ServerHello handshake message
{server}
extract secret “handshake”:
salt (32 octets):
33ad0a1c607ec03b 09e6cd9893680ce2 10adf300aa1f2660 e1b22e10f170f92a
ikm (32 octets):
934714922b09096f 2684f29d4061c4c5 649431299c7d7962 3b0f814bb549c432
secret (32 octets):
8735476699f7c3d2 b7fa04d32a57b0f4 a876ff7dbcbdd3e1 091cb56c4b4500ac

{server}
derive secret “client handshake traffic secret”:
PRK (32 octets):
8735476699f7c3d2 b7fa04d32a57b0f4 a876ff7dbcbdd3e1 091cb56c4b4500ac
handshake hash (32 octets):
a0be23e02c2e6d06 b8815f9c849f0e99 f8544202d290f055 e1732430725e2085
info (76 octets):
002028544c532031 2e332c20636c6965 6e742068616e6473 68616b6520747261 6666696320736563 72657420a0be23e0 2c2e6d06b8815f9c 849f0e99f8544202 d290f055e1732430 725e2085
output (32 octets):
939292c427396860 e3045a477db10123 5862473bd5616f7d 2ea18a0140259e2d

{server}
derive secret “server handshake traffic secret”:
PRK (32 octets):
8735476699f7c3d2 b7fa04d32a57b0f4 a876ff7dbcbdd3e1 091cb56c4b4500ac
handshake hash (32 octets):
a0be23e02c2e6d06 b8815f9c849f0e99 f8544202d290f055 e1732430725e2085
info (76 octets):
002028544c532031 2e332c2073657276 65722068616e6473 68616b6520747261 6666696320736563 72657420a0be23e0 2c2e6d06b8815f9c 849f0e99f8544202 d290f055e1732430 725e2085
output (32 octets):
c84d41b43a712676 a68e89a1760e9592 998c60e596d6cec4 200960ea830fa65b

{server}
extract secret “master”:
salt (32 octets):
8735476699f7c3d2 b7fa04d32a57b0f4 a876ff7dbcbdd3e1 091cb56c4b4500ac
ikm (32 octets):
0000000000000000 0000000000000000 0000000000000000 0000000000000000
secret (32 octets):
5fd7e72cc33d7e0a e2fd707c70ea3577 957d36dcdf45ed5f b2bf22ace9c66e42

{server}
send record:
cleartext (82 octets):
0200004e7f129f2b fbe752cb49bc8230 3dd32a80cf60483a 38e44bfb695ebd02 80bcc1c70c5b1301 002800280024001d 00208db235a330ee 184b953a981ecfb2 3b05380768ed1205 0ec2f0ec62b74ef8 f835
ciphertext (87 octets):
1603010052020000 4e7f129f2bfbe752 cb49bc82303dd32a 80cf60483a38e44b fb695ebd0280bcc1 c70c5b1301002800 280024001d00208d b235a330ee184b95 3a981ecfb23b0538 0768ed12050ec2f0 ec62b74ef8f835

{server}
derive write traffic keys using label “handshake data”:
PRK (32 octets):
c84d41b43a712676 a68e89a1760e9592 998c60e596d6cec4 200960ea830fa65b
key info (16 octets):
00100c544c532031 2e332c206b657900
key output (16 octets):
3d11ecdc4bd31e1f 0cac0b46a7647536
iv info (15 octets):
000c0b544c532031 2e332c20697600
iv output (12 octets):
a72751a54357b9a6 cb7a5ea6

{server}
send a EncryptedExtensions handshake message
{server}
send a Certificate handshake message
{server}
send a CertificateVerify handshake message
{server}
calculate finished:
PRK (32 octets):
c84d41b43a712676 a68e89a1760e9592 998c60e596d6cec4 200960ea830fa65b
handshake hash (0 octets):
(empty)
info (21 octets):
002011544c532031 2e332c2066696e69 7368656400
output (32 octets):
b172294c64d14131 133ef746e041d3c4 75055641d13d1da0 3187904ee6c14d9a

{server}
send a Finished handshake message
{server}
send record:
cleartext (651 octets):
0800001e001c000a 00140012001d0017 0018001901000101 0102010301040000 00000b0001b90000 01b50001b0308201 ac30820115a00302 0102020102300d06 092a864886f70d01 010b0500300e310c 300a060355040313 03727361301e170d 3136303733303031 323335395a170d32 3630373330303132 3335395a300e310c 300a060355040313 0372736130819f30 0d06092a864886f7 0d01010105000381 8d00308189028181 00b4bb498f827930 3d980836399b36c6 988c0c68de55e1bd b826d3901a2461ea fd2de49a91d015ab bc9a95137ace6c1a f19eaa6af98c7ced 43120998e187a80e e0ccb0524b1b018c 3e0b63264d449a6d 38e22a5fda430846 748030530ef0461c 8ca9d9efbfae8ea6 d1d03e2bd193eff0 ab9a8002c47428a6 d35a8d88d79f7f1e 3f0203010001a31a 301830090603551d 1304023000300b06 03551d0f04040302 05a0300d06092a86 4886f70d01010b05 000381810085aad2 a0e5b9276b908c65 f73a7267170618a5 4c5f8a7b337d2df7 a594365417f2eae8 f8a58c8f8172f931 9cf36b7fd6c55b80 f21a030151567260 96fd335e5e67f2db f102702e608ccae6 bec1fc63a42a99be 5c3eb7107c3c54e9 b9eb2bd5203b1c3b 84e0a8b2f759409b a3eac9d91d402dcc 0cc8f8961229ac91 87b42b4de100000f 000084080400805d b9706f9bd41ab01b e55f75b136cb89dd a63dc6e4510e40c7 203cb87f4eba2b12 2644018640641bde 97e03d4caa1d6703 71b8bf81374d5126 f88df68b87ef6c70 6cf9c0ee04063d8e 65cb403433fb006c 800e307b79b3a51f bae6089c2f3988dd fe04a760902e0a21 41046054bdf807cf 48cd3ce83f58a149 ba35b7ff6c2f2a14 00002076e296c598 a785e3afe87eb1ac 7fff2daefc0dda3c 8c860c67d9c8bdac 4c0383
ciphertext (673 octets):
170301029c25e00f a4731b1fa650830d fd5708e26ab6d2fa 6ed889cb9f6e908b de669f7a12787196 a191a94b277d1a58 9f79a909a4bb749d b661d436f30e023d 4dc35f9d4e1edf1a 1954fd7140ee0ecd 43dfa9b7ba264210 8bc207320d7ea6bf 14b3cb0bbc64c4cf 57d2d865af68d96f cc827696af3c1886 ec9a4116ef6825d1 b226fb032892bd2d 4f1d24c701dd5167 021fe212522a5063 4d17ca18eff1d5af 662af102f727b21f f8d23bb62990e4bb 31524d525c637832 83bd6e8509dbc8f7 8572d32168667ffe 8a222d1c23bba7cb 75691d90c559cba3 772e0f2d5339e7c8 b63fe9004d90122b a1e9b07c3b78ddf7 56156a71e95471c9 3f6d32ee52fb1959 5dbf9d2ff8895b93 f0a687f2e40621f2 e4ef70a64c39aa7c 027e5f03544c05e5 d8ae39f55a3f7a52 57cd0a75a84b05e2 56cb0aeaf5c7ad6c f0a3a99ef4a8f363 54ea0ba5baab2cc2 3564d08da56408c5 d924577b319be0e9 6914ff1ffb51ce06 1772e4e8ef7d6ce0 88929971df6a4e75 24ee48a643d0661d 3033d3ed41373c99 bac5ceffe05e20e4 0abfef6348da2453 b109fc9c7d932fbf 9374762bab7bcb6d fc1dbd4174575de5 b53830c6d6fb7649 d1dd6e57b06681d8 19c7f0623fccb8b9 782d642b23fa038f 4d9801c680bd2634 1d237caa0d170912 2587feaaad60b3a8 d3b55a7e86bdd784 04232d1ffc04dc25 e3ce8daa4b9348d4 09795b8aba712f3c e45020b887527c37 324209bb2ecd46e8 7439aec5fa65e518 a1f4e32e2e86220f ea2bd90aa1b71d7c 5ee968b71816ca1e 4c95a697b046d756 a9ce0b492c3a4f45 daeb255915402502 c6d4116369a101a1 f5527c4f916fe502 0c5fd5f64477d78c 18d2ae47fd85c459 da92b3a422f95cc2 4aab9ecb8ea40545 e3471fb435ba6c86 e60de01d67db3dca cd31b0cba3aac379 29c94924289f20bd 1de3f04dfc19a8f5 c0

{server}
derive secret “client application traffic secret”:
PRK (32 octets):
5fd7e72cc33d7e0a e2fd707c70ea3577 957d36dcdf45ed5f b2bf22ace9c66e42
handshake hash (32 octets):
77986442bddbbcc9 11882c0bf7b6c8a1 bf4d5d80e74e3447 20e709951b095c57
info (78 octets):
00202a544c532031 2e332c20636c6965 6e74206170706c69 636174696f6e2074 7261666669632073 6563726574207798 6442bddbbcc91188 2c0bf7b6c8a1bf4d 5d80e74e344720e7 09951b095c57
output (32 octets):
3104c081f7ac7a47 42279bb34a24dc1c 48a179b0560ff79f 610c264c083f6fe2

{server}
derive secret “server application traffic secret”:
PRK (32 octets):
5fd7e72cc33d7e0a e2fd707c70ea3577 957d36dcdf45ed5f b2bf22ace9c66e42
handshake hash (32 octets):
77986442bddbbcc9 11882c0bf7b6c8a1 bf4d5d80e74e3447 20e709951b095c57
info (78 octets):
00202a544c532031 2e332c2073657276 6572206170706c69 636174696f6e2074 7261666669632073 6563726574207798 6442bddbbcc91188 2c0bf7b6c8a1bf4d 5d80e74e344720e7 09951b095c57
output (32 octets):
e2bcfa8959ed6330 e9a9edc9f1db4c22 7109b50d8bfcc6af ccc143973dd11d03

{server}
derive secret “exporter master secret”:
PRK (32 octets):
5fd7e72cc33d7e0a e2fd707c70ea3577 957d36dcdf45ed5f b2bf22ace9c66e42
handshake hash (32 octets):
77986442bddbbcc9 11882c0bf7b6c8a1 bf4d5d80e74e3447 20e709951b095c57
info (67 octets):
00201f544c532031 2e332c206578706f 72746572206d6173 7465722073656372 65742077986442bd dbbcc911882c0bf7 b6c8a1bf4d5d80e7 4e344720e709951b 095c57
output (32 octets):
8528cfa5b1ca3800 35e3fd9b81760157 b68e215c1f44a982 c323385abf4894c7

{server}
derive write traffic keys using label “application data”:
PRK (32 octets):
e2bcfa8959ed6330 e9a9edc9f1db4c22 7109b50d8bfcc6af ccc143973dd11d03
key info (16 octets):
00100c544c532031 2e332c206b657900
key output (16 octets):
c341943d31e87ea8 262031856f218521
iv info (15 octets):
000c0b544c532031 2e332c20697600
iv output (12 octets):
49c037c559236c0b 0b6dfa7f

{server}
derive read traffic keys using label “handshake data”:
PRK (32 octets):
939292c427396860 e3045a477db10123 5862473bd5616f7d 2ea18a0140259e2d
key info (16 octets):
00100c544c532031 2e332c206b657900
key output (16 octets):
f312c613602abab5 4fbe3175fbfc7ecc
iv info (15 octets):
000c0b544c532031 2e332c20697600
iv output (12 octets):
309d33f52461f47e 5caa0b94

{client}
extract secret “early”:
salt:
(absent)
ikm (32 octets):
0000000000000000 0000000000000000 0000000000000000 0000000000000000
secret (32 octets):
33ad0a1c607ec03b 09e6cd9893680ce2 10adf300aa1f2660 e1b22e10f170f92a

{client}
extract secret “handshake”:
salt (32 octets):
33ad0a1c607ec03b 09e6cd9893680ce2 10adf300aa1f2660 e1b22e10f170f92a
ikm (32 octets):
934714922b09096f 2684f29d4061c4c5 649431299c7d7962 3b0f814bb549c432
secret (32 octets):
8735476699f7c3d2 b7fa04d32a57b0f4 a876ff7dbcbdd3e1 091cb56c4b4500ac

{client}
derive secret “client handshake traffic secret”:
PRK (32 octets):
8735476699f7c3d2 b7fa04d32a57b0f4 a876ff7dbcbdd3e1 091cb56c4b4500ac
handshake hash (32 octets):
a0be23e02c2e6d06 b8815f9c849f0e99 f8544202d290f055 e1732430725e2085
info (76 octets):
002028544c532031 2e332c20636c6965 6e742068616e6473 68616b6520747261 6666696320736563 72657420a0be23e0 2c2e6d06b8815f9c 849f0e99f8544202 d290f055e1732430 725e2085
output (32 octets):
939292c427396860 e3045a477db10123 5862473bd5616f7d 2ea18a0140259e2d

{client}
derive secret “server handshake traffic secret”:
PRK (32 octets):
8735476699f7c3d2 b7fa04d32a57b0f4 a876ff7dbcbdd3e1 091cb56c4b4500ac
handshake hash (32 octets):
a0be23e02c2e6d06 b8815f9c849f0e99 f8544202d290f055 e1732430725e2085
info (76 octets):
002028544c532031 2e332c2073657276 65722068616e6473 68616b6520747261 6666696320736563 72657420a0be23e0 2c2e6d06b8815f9c 849f0e99f8544202 d290f055e1732430 725e2085
output (32 octets):
c84d41b43a712676 a68e89a1760e9592 998c60e596d6cec4 200960ea830fa65b

{client}
extract secret “master” (same as server)
{client}
derive read traffic keys using label “handshake data”:
PRK (32 octets):
c84d41b43a712676 a68e89a1760e9592 998c60e596d6cec4 200960ea830fa65b
key info (16 octets):
00100c544c532031 2e332c206b657900
key output (16 octets):
3d11ecdc4bd31e1f 0cac0b46a7647536
iv info (15 octets):
000c0b544c532031 2e332c20697600
iv output (12 octets):
a72751a54357b9a6 cb7a5ea6

{client}
calculate finished:
PRK (32 octets):
c84d41b43a712676 a68e89a1760e9592 998c60e596d6cec4 200960ea830fa65b
handshake hash (0 octets):
(empty)
info (21 octets):
002011544c532031 2e332c2066696e69 7368656400
output (32 octets):
b172294c64d14131 133ef746e041d3c4 75055641d13d1da0 3187904ee6c14d9a

{client}
derive write traffic keys using label “handshake data” (same as server read traffic keys)
{client}
derive secret “client application traffic secret”:
PRK (32 octets):
5fd7e72cc33d7e0a e2fd707c70ea3577 957d36dcdf45ed5f b2bf22ace9c66e42
handshake hash (32 octets):
77986442bddbbcc9 11882c0bf7b6c8a1 bf4d5d80e74e3447 20e709951b095c57
info (78 octets):
00202a544c532031 2e332c20636c6965 6e74206170706c69 636174696f6e2074 7261666669632073 6563726574207798 6442bddbbcc91188 2c0bf7b6c8a1bf4d 5d80e74e344720e7 09951b095c57
output (32 octets):
3104c081f7ac7a47 42279bb34a24dc1c 48a179b0560ff79f 610c264c083f6fe2

{client}
derive secret “server application traffic secret”:
PRK (32 octets):
5fd7e72cc33d7e0a e2fd707c70ea3577 957d36dcdf45ed5f b2bf22ace9c66e42
handshake hash (32 octets):
77986442bddbbcc9 11882c0bf7b6c8a1 bf4d5d80e74e3447 20e709951b095c57
info (78 octets):
00202a544c532031 2e332c2073657276 6572206170706c69 636174696f6e2074 7261666669632073 6563726574207798 6442bddbbcc91188 2c0bf7b6c8a1bf4d 5d80e74e344720e7 09951b095c57
output (32 octets):
e2bcfa8959ed6330 e9a9edc9f1db4c22 7109b50d8bfcc6af ccc143973dd11d03

{client}
derive secret “exporter master secret” (same as server)
{client}
derive read traffic keys using label “application data” (same as server write traffic keys)
{client}
calculate finished:
PRK (32 octets):
939292c427396860 e3045a477db10123 5862473bd5616f7d 2ea18a0140259e2d
handshake hash (0 octets):
(empty)
info (21 octets):
002011544c532031 2e332c2066696e69 7368656400
output (32 octets):
1a2f90ab6aef7a11 3a2b66ce1a0b5199 30cfb0d269f26a9e 1cf9e086cdbfe36f

{client}
send a Finished handshake message
{client}
send record:
cleartext (36 octets):
14000020acebc8cd 5962e7315eabfd78 d732755eb84fb348 04fc11697b956a36 18c27301
ciphertext (58 octets):
1703010035faac9d ca8dc6a581351ee0 49eecd54d964a4e3 ea27a036e7aa09b9 7bc95521bcdc6bbc 3467cc9622d855ad 8a61a56ff53fa3c3 8628

{client}
derive write traffic keys using label “application data”:
PRK (32 octets):
3104c081f7ac7a47 42279bb34a24dc1c 48a179b0560ff79f 610c264c083f6fe2
key info (16 octets):
00100c544c532031 2e332c206b657900
key output (16 octets):
704dcb72897a5747 5fa4abf43bdc902a
iv info (15 octets):
000c0b544c532031 2e332c20697600
iv output (12 octets):
56775473d5c239c9 0226beea

{client}
derive secret “resumption master secret”:
PRK (32 octets):
5fd7e72cc33d7e0a e2fd707c70ea3577 957d36dcdf45ed5f b2bf22ace9c66e42
handshake hash (32 octets):
4a9b54c127f9e44f 4c51971d9c454fed 21391402e4933069 b8c45a6911bc5923
info (69 octets):
002021544c532031 2e332c2072657375 6d7074696f6e206d 6173746572207365 63726574204a9b54 c127f9e44f4c5197 1d9c454fed213914 02e4933069b8c45a 6911bc5923
output (32 octets):
33ff5389375d4acb faca4e079d5bfc7c 1a0e9eafdb68b047 12cc8e1f09619474

{server}
calculate finished:
PRK (32 octets):
939292c427396860 e3045a477db10123 5862473bd5616f7d 2ea18a0140259e2d
handshake hash (0 octets):
(empty)
info (21 octets):
002011544c532031 2e332c2066696e69 7368656400
output (32 octets):
1a2f90ab6aef7a11 3a2b66ce1a0b5199 30cfb0d269f26a9e 1cf9e086cdbfe36f

{server}
derive read traffic keys using label “application data” (same as client write traffic keys)
{server}
derive secret “resumption master secret” (same as client)
{server}
send a SessionTicket handshake message
{server}
send record:
cleartext (170 octets):
040000a60002a300 d0a8dc2900924e53 5321db0251332a66 d4efd3b0285509fd 8a26b801211c72f5 f9012b8a6f350050 69950156fc02abe5 6744e7c7d2798675 e8372cbba2a93e24 36bcd3dbac7662e6 4e187379bec08105 1957c0da819d44fa fb13d833752c7340 a32df5e133e37175 66ac66b4cc417a4d 0afaa64493997dba 0cd6e601bc11a4ce 5506236c2c4094d1 ea2329d1756ac327 83ef158e91a92c44 0008002e00040002 0000
ciphertext (192 octets):
17030100bb01f8b3 83e7756fc83ae2b6 0ed0232af33314da 2a131b6fa70ee663 dd7be45e15ac20ca 30e978452ec51b9a d1d7cfa9ea9e4a9e d38ba5ebfabf28d7 3a372a1b9f3deb65 71c72f57c30b043b 7576ba145f3d177f 4fd6c86aafe68d3f cac5e9a2a017e707 2f71ec9248162a4e 43ba14a0d8f4e401 e9c4260b65a0aa80 1079474e45cb16e6 959da84d1497cb8b 6ba7c61cd2f42549 8688721cee4bfe83 c14648ca3ff76533 51f4c6e026bee241 f96bfff480097357 f44ac52d871893e6

{client}
send record:
cleartext (50 octets):
0001020304050607 08090a0b0c0d0e0f 1011121314151617 18191a1b1c1d1e1f 2021222324252627 28292a2b2c2d2e2f 3031
ciphertext (72 octets):
1703010043b87a7d 75fbbe1a31e88faa b3e0754f9b4420a4 a080b293e961a43a 5228962ff1c9b5cb e966f8e87df41281 e0e04702dd9f22a6 26c4a704efcfd966 a1dfdd37fdba2444

{server}
send record:
cleartext (50 octets):
0001020304050607 08090a0b0c0d0e0f 1011121314151617 18191a1b1c1d1e1f 2021222324252627 28292a2b2c2d2e2f 3031
ciphertext (72 octets):
1703010043be0d53 e56ade23f624f91a a4906407c5acb5d0 a30b14ad8182f2fd b3c36749df20f212 ed08893a3053d2c6 58d508d7eba3545c e6bb4ca156685acb 5e0ec35975df9158

{client}
send record:
cleartext (2 octets):
0100
ciphertext (24 octets):
170301001359d15a 7220d07277dfec04 8b6eb00d49365b00

{server}
send record:
cleartext (2 octets):
0100
ciphertext (24 octets):
170301001348a004 067af5c8ea025f72 40ff73ee1008f30f

4. Resumed 0-RTT Handshake

This handshake resumes from the handshake in Section 3. Since the server provided a session ticket that permitted 0-RTT, and the client is configured for 0-RTT, the client is able to send 0-RTT data.

{client}
create an ephemeral x25519 key pair:
private key (32 octets):
0e96f15628a05c70 0f836c01f6bab557 49614f74b5368b35 279b40591ae64d69
public key (32 octets):
621bb90eca697f96 d7ddc2966218ae0e 7961268d8def400f 8d7805172501932f

{client}
extract secret “early”:
salt:
(absent)
ikm (32 octets):
33ff5389375d4acb faca4e079d5bfc7c 1a0e9eafdb68b047 12cc8e1f09619474
secret (32 octets):
35297fd2d3ccbdf6 5c21894edfe2655a 16ac2d2270a76f98 21b2398028377a3c

{client}
derive secret “resumption psk binder key”:
PRK (32 octets):
35297fd2d3ccbdf6 5c21894edfe2655a 16ac2d2270a76f98 21b2398028377a3c
handshake hash (32 octets):
e3b0c44298fc1c14 9afbf4c8996fb924 27ae41e4649b934c a495991b7852b855
info (70 octets):
002022544c532031 2e332c2072657375 6d7074696f6e2070 736b2062696e6465 72206b657920e3b0 c44298fc1c149afb f4c8996fb92427ae 41e4649b934ca495 991b7852b855
output (32 octets):
f1186e7a08f5f83c 7f326b97d7b447e2 5fe74a72d85dbf8f 6089cee390192737

{client}
derive secret “early exporter master secret”:
PRK (32 octets):
35297fd2d3ccbdf6 5c21894edfe2655a 16ac2d2270a76f98 21b2398028377a3c
handshake hash (32 octets):
e3b0c44298fc1c14 9afbf4c8996fb924 27ae41e4649b934c a495991b7852b855
info (73 octets):
002025544c532031 2e332c206561726c 79206578706f7274 6572206d61737465 7220736563726574 20e3b0c44298fc1c 149afbf4c8996fb9 2427ae41e4649b93 4ca495991b7852b8 55
output (32 octets):
b536f67b0559d62d 2c9c822c23d9e209 b5167d3547c190f7 314574ccd697bf86

{client}
send a ClientHello handshake message
{client}
calculate finished:
PRK (32 octets):
f1186e7a08f5f83c 7f326b97d7b447e2 5fe74a72d85dbf8f 6089cee390192737
handshake hash (0 octets):
(empty)
info (21 octets):
002011544c532031 2e332c2066696e69 7368656400
output (32 octets):
046f81836dd9eccb 189b07c7c7331aab 51d3e18233fad493 f3f100f5f7066015

{client}
send record:
cleartext (512 octets):
010001fc03034e2d 3805200a9433ebdb 4f1bf85d0a773c65 a7430aa904c13966 e49ab96efe250000 3e130113031302c0 2bc02fcca9cca8c0 0ac009c013c023c0 27c014009eccaa00 3300320067003900 38006b0016001300 9c002f003c003500 3d000a0005000401 0001950015003b00 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 00000000000b0009 0000067365727665 72ff01000100000a 00140012001d0017 0018001901000101 010201030104000b 0002010000280026 0024001d0020621b b90eca697f96d7dd c2966218ae0e7961 268d8def400f8d78 05172501932f002a 0000002b0007067f 1203030302000d00 20001e0403050306 0302030804080508 0604010501060102 0104020502060202 02002d0002010100 2900bd009800924e 535321db0251332a 66d4efd3b0285509 fd8a26b801211c72 f5f9012b8a6f3500 5069950156fc02ab e56744e7c7d27986 75e8372cbba2a93e 2436bcd3dbac7662 e64e187379bec081 051957c0da819d44 fafb13d833752c73 40a32df5e133e371 7566ac66b4cc417a 4d0afaa64493997d ba0cd6e601bc11a4 ce5506236c2c4094 d1ea2329d1756ac3 2783ef158e91a92c 44d0a8dc29002120 2deccf4db1a231fa 7359797967c09aa4 ea69c29ecd781b41 cbae9b1d7e4c0ff9
ciphertext (517 octets):
1603010200010001 fc03034e2d380520 0a9433ebdb4f1bf8 5d0a773c65a7430a a904c13966e49ab9 6efe2500003e1301 13031302c02bc02f cca9cca8c00ac009 c013c023c027c014 009eccaa00330032 006700390038006b 00160013009c002f 003c0035003d000a 0005000401000195 0015003b00000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 00000b0009000006 736572766572ff01 000100000a001400 12001d0017001800 1901000101010201 030104000b000201 0000280026002400 1d0020621bb90eca 697f96d7ddc29662 18ae0e7961268d8d ef400f8d78051725 01932f002a000000 2b0007067f120303 0302000d0020001e 0403050306030203 0804080508060401 0501060102010402 050206020202002d 00020101002900bd 009800924e535321 db0251332a66d4ef d3b0285509fd8a26 b801211c72f5f901 2b8a6f3500506995 0156fc02abe56744 e7c7d2798675e837 2cbba2a93e2436bc d3dbac7662e64e18 7379bec081051957 c0da819d44fafb13 d833752c7340a32d f5e133e3717566ac 66b4cc417a4d0afa a64493997dba0cd6 e601bc11a4ce5506 236c2c4094d1ea23 29d1756ac32783ef 158e91a92c44d0a8 dc290021202deccf 4db1a231fa735979 7967c09aa4ea69c2 9ecd781b41cbae9b 1d7e4c0ff9

{client}
derive secret “client early traffic secret”:
PRK (32 octets):
35297fd2d3ccbdf6 5c21894edfe2655a 16ac2d2270a76f98 21b2398028377a3c
handshake hash (32 octets):
061a462f843a884f 36e00be781ee7d35 8ba1ba3fe93b79aa b58f1234b2d18f8a
info (72 octets):
002024544c532031 2e332c20636c6965 6e74206561726c79 2074726166666963 2073656372657420 061a462f843a884f 36e00be781ee7d35 8ba1ba3fe93b79aa b58f1234b2d18f8a
output (32 octets):
e503eb6f1bbae4d8 bd50be03069fa14b 29da5e131880e5b9 ac4117f2faa80a28

{client}
derive write traffic keys using label “early application data”:
PRK (32 octets):
e503eb6f1bbae4d8 bd50be03069fa14b 29da5e131880e5b9 ac4117f2faa80a28
key info (16 octets):
00100c544c532031 2e332c206b657900
key output (16 octets):
6c628986c864a351 79be5a3cd02c0d31
iv info (15 octets):
000c0b544c532031 2e332c20697600
iv output (12 octets):
07441dd5f3c36a3b cb46cf90

{client}
send record:
cleartext (6 octets):
414243444546
ciphertext (28 octets):
17030100175d4fda 95cc37641878e101 1a7c50d2fdba0eec 181887f6

{server}
extract secret “early” (same as client)
{server}
derive secret “resumption psk binder key”:
PRK (32 octets):
35297fd2d3ccbdf6 5c21894edfe2655a 16ac2d2270a76f98 21b2398028377a3c
handshake hash (32 octets):
e3b0c44298fc1c14 9afbf4c8996fb924 27ae41e4649b934c a495991b7852b855
info (70 octets):
002022544c532031 2e332c2072657375 6d7074696f6e2070 736b2062696e6465 72206b657920e3b0 c44298fc1c149afb f4c8996fb92427ae 41e4649b934ca495 991b7852b855
output (32 octets):
f1186e7a08f5f83c 7f326b97d7b447e2 5fe74a72d85dbf8f 6089cee390192737

{server}
derive secret “early exporter master secret”:
PRK (32 octets):
35297fd2d3ccbdf6 5c21894edfe2655a 16ac2d2270a76f98 21b2398028377a3c
handshake hash (32 octets):
e3b0c44298fc1c14 9afbf4c8996fb924 27ae41e4649b934c a495991b7852b855
info (73 octets):
002025544c532031 2e332c206561726c 79206578706f7274 6572206d61737465 7220736563726574 20e3b0c44298fc1c 149afbf4c8996fb9 2427ae41e4649b93 4ca495991b7852b8 55
output (32 octets):
b536f67b0559d62d 2c9c822c23d9e209 b5167d3547c190f7 314574ccd697bf86

{server}
calculate finished:
PRK (32 octets):
f1186e7a08f5f83c 7f326b97d7b447e2 5fe74a72d85dbf8f 6089cee390192737
handshake hash (0 octets):
(empty)
info (21 octets):
002011544c532031 2e332c2066696e69 7368656400
output (32 octets):
046f81836dd9eccb 189b07c7c7331aab 51d3e18233fad493 f3f100f5f7066015

{server}
create an ephemeral x25519 key pair:
private key (32 octets):
02a7fc4a32309fe9 ad7a1db7faa769d4 643c252de955fd68 fa4e9a30ae3db02e
public key (32 octets):
1bcd91fa7f30e671 45cd8d01e8fa9d3c 3498e59f31484f91 914539a1976a6759

{server}
derive secret “client early traffic secret” (same as client)
{server}
send a ServerHello handshake message
{server}
extract secret “handshake”:
salt (32 octets):
35297fd2d3ccbdf6 5c21894edfe2655a 16ac2d2270a76f98 21b2398028377a3c
ikm (32 octets):
b2b9973f3a8996c3 b7a6e14a63107311 714898ce3ba2fcac e806a02fcb8f8121
secret (32 octets):
d96ca8672c34308f af9d2686f10b5cd0 b8530c19c6e0b941 7be51361c52ffd9c

{server}
derive secret “client handshake traffic secret”:
PRK (32 octets):
d96ca8672c34308f af9d2686f10b5cd0 b8530c19c6e0b941 7be51361c52ffd9c
handshake hash (32 octets):
e51346d376227cc6 da94709ee39b813d 95777e7e2d1a6dec 921829530f84c4b8
info (76 octets):
002028544c532031 2e332c20636c6965 6e742068616e6473 68616b6520747261 6666696320736563 72657420e51346d3 76227cc6da94709e e39b813d95777e7e 2d1a6dec92182953 0f84c4b8
output (32 octets):
5bf4684c713a5c30 dda2d92c12d7846e 76990e2c1b2bbd32 bf97d608b94ed0dc

{server}
derive secret “server handshake traffic secret”:
PRK (32 octets):
d96ca8672c34308f af9d2686f10b5cd0 b8530c19c6e0b941 7be51361c52ffd9c
handshake hash (32 octets):
e51346d376227cc6 da94709ee39b813d 95777e7e2d1a6dec 921829530f84c4b8
info (76 octets):
002028544c532031 2e332c2073657276 65722068616e6473 68616b6520747261 6666696320736563 72657420e51346d3 76227cc6da94709e e39b813d95777e7e 2d1a6dec92182953 0f84c4b8
output (32 octets):
bd56625dd9464966 60bc5dda31a10fdd a83d213aef50ad88 2499cc22719cfd4e

{server}
extract secret “master”:
salt (32 octets):
d96ca8672c34308f af9d2686f10b5cd0 b8530c19c6e0b941 7be51361c52ffd9c
ikm (32 octets):
0000000000000000 0000000000000000 0000000000000000 0000000000000000
secret (32 octets):
c965ba3518c038d3 c7d51acd786b8f13 dbc1aa618cfb3320 fa377d0016641816

{server}
send record:
cleartext (88 octets):
020000547f12fdfc d93b480433ea1203 328040a32871339e 25bde2a395839092 dd76afdc3c7e1301 002e002900020000 00280024001d0020 1bcd91fa7f30e671 45cd8d01e8fa9d3c 3498e59f31484f91 914539a1976a6759
ciphertext (93 octets):
1603010058020000 547f12fdfcd93b48 0433ea1203328040 a32871339e25bde2 a395839092dd76af dc3c7e1301002e00 2900020000002800 24001d00201bcd91 fa7f30e67145cd8d 01e8fa9d3c3498e5 9f31484f91914539 a1976a6759

{server}
derive write traffic keys using label “handshake data”:
PRK (32 octets):
bd56625dd9464966 60bc5dda31a10fdd a83d213aef50ad88 2499cc22719cfd4e
key info (16 octets):
00100c544c532031 2e332c206b657900
key output (16 octets):
364b560005e7c8aa 0a742b64a76012a4
iv info (15 octets):
000c0b544c532031 2e332c20697600
iv output (12 octets):
149baf3f367407ea f252dd35

{server}
send a EncryptedExtensions handshake message
{server}
calculate finished:
PRK (32 octets):
bd56625dd9464966 60bc5dda31a10fdd a83d213aef50ad88 2499cc22719cfd4e
handshake hash (0 octets):
(empty)
info (21 octets):
002011544c532031 2e332c2066696e69 7368656400
output (32 octets):
33e063f342a2c926 500361abf503cfe3 c3faceefa3bea9cf 96fe435c0f443a5c

{server}
send a Finished handshake message
{server}
send record:
cleartext (74 octets):
080000220020000a 00140012001d0017 0018001901000101 0102010301040000 0000002a00001400 00200d763631169d c5fb00c4e42a68a0 e50aa09119e12a3b bf7f06a960a35347 a673
ciphertext (96 octets):
170301005bc9e45c cbda0ac2d54868ab 6e4fb62063997bca 18fc6b24704d1f2d 0804a7eeaddab1c1 4244587b099b7ce2 32ede2575c03413e db5c4bcf79aa01dc 1701d906e89ec30b 968529cdfca1ecff 225e43e3ae3baa6b ec107469c32cd1f6

{server}
derive secret “client application traffic secret”:
PRK (32 octets):
c965ba3518c038d3 c7d51acd786b8f13 dbc1aa618cfb3320 fa377d0016641816
handshake hash (32 octets):
f428054b8769752e d0e739135a2a9185 3b1a97973a4b045f d01740c387abf7b1
info (78 octets):
00202a544c532031 2e332c20636c6965 6e74206170706c69 636174696f6e2074 7261666669632073 656372657420f428 054b8769752ed0e7 39135a2a91853b1a 97973a4b045fd017 40c387abf7b1
output (32 octets):
a7783e7ea7525bfb bbbc3e597a22b579 80fdd6085aea4fda 3a4232ac6273e073

{server}
derive secret “server application traffic secret”:
PRK (32 octets):
c965ba3518c038d3 c7d51acd786b8f13 dbc1aa618cfb3320 fa377d0016641816
handshake hash (32 octets):
f428054b8769752e d0e739135a2a9185 3b1a97973a4b045f d01740c387abf7b1
info (78 octets):
00202a544c532031 2e332c2073657276 6572206170706c69 636174696f6e2074 7261666669632073 656372657420f428 054b8769752ed0e7 39135a2a91853b1a 97973a4b045fd017 40c387abf7b1
output (32 octets):
363421e5f4143fe4 fce4fd8b851e3c94 ee55e91de2e6c82a 54d26108fef16cef

{server}
derive secret “exporter master secret”:
PRK (32 octets):
c965ba3518c038d3 c7d51acd786b8f13 dbc1aa618cfb3320 fa377d0016641816
handshake hash (32 octets):
f428054b8769752e d0e739135a2a9185 3b1a97973a4b045f d01740c387abf7b1
info (67 octets):
00201f544c532031 2e332c206578706f 72746572206d6173 7465722073656372 657420f428054b87 69752ed0e739135a 2a91853b1a97973a 4b045fd01740c387 abf7b1
output (32 octets):
06c5543c296076b0 185b97793e0b6340 536f0c924f74476f 4c812135f8f5a1a6

{server}
derive write traffic keys using label “application data”:
PRK (32 octets):
363421e5f4143fe4 fce4fd8b851e3c94 ee55e91de2e6c82a 54d26108fef16cef
key info (16 octets):
00100c544c532031 2e332c206b657900
key output (16 octets):
bc2580465da7bd8e c20b354f28cc6a1b
iv info (15 octets):
000c0b544c532031 2e332c20697600
iv output (12 octets):
8b4d45cc01fd2714 be184987

{server}
derive read traffic keys using label “early application data” (same as client write traffic keys)
{client}
extract secret “handshake”:
salt (32 octets):
35297fd2d3ccbdf6 5c21894edfe2655a 16ac2d2270a76f98 21b2398028377a3c
ikm (32 octets):
b2b9973f3a8996c3 b7a6e14a63107311 714898ce3ba2fcac e806a02fcb8f8121
secret (32 octets):
d96ca8672c34308f af9d2686f10b5cd0 b8530c19c6e0b941 7be51361c52ffd9c

{client}
derive secret “client handshake traffic secret”:
PRK (32 octets):
d96ca8672c34308f af9d2686f10b5cd0 b8530c19c6e0b941 7be51361c52ffd9c
handshake hash (32 octets):
e51346d376227cc6 da94709ee39b813d 95777e7e2d1a6dec 921829530f84c4b8
info (76 octets):
002028544c532031 2e332c20636c6965 6e742068616e6473 68616b6520747261 6666696320736563 72657420e51346d3 76227cc6da94709e e39b813d95777e7e 2d1a6dec92182953 0f84c4b8
output (32 octets):
5bf4684c713a5c30 dda2d92c12d7846e 76990e2c1b2bbd32 bf97d608b94ed0dc

{client}
derive secret “server handshake traffic secret”:
PRK (32 octets):
d96ca8672c34308f af9d2686f10b5cd0 b8530c19c6e0b941 7be51361c52ffd9c
handshake hash (32 octets):
e51346d376227cc6 da94709ee39b813d 95777e7e2d1a6dec 921829530f84c4b8
info (76 octets):
002028544c532031 2e332c2073657276 65722068616e6473 68616b6520747261 6666696320736563 72657420e51346d3 76227cc6da94709e e39b813d95777e7e 2d1a6dec92182953 0f84c4b8
output (32 octets):
bd56625dd9464966 60bc5dda31a10fdd a83d213aef50ad88 2499cc22719cfd4e

{client}
extract secret “master” (same as server)
{client}
derive read traffic keys using label “handshake data”:
PRK (32 octets):
bd56625dd9464966 60bc5dda31a10fdd a83d213aef50ad88 2499cc22719cfd4e
key info (16 octets):
00100c544c532031 2e332c206b657900
key output (16 octets):
364b560005e7c8aa 0a742b64a76012a4
iv info (15 octets):
000c0b544c532031 2e332c20697600
iv output (12 octets):
149baf3f367407ea f252dd35

{client}
calculate finished:
PRK (32 octets):
bd56625dd9464966 60bc5dda31a10fdd a83d213aef50ad88 2499cc22719cfd4e
handshake hash (0 octets):
(empty)
info (21 octets):
002011544c532031 2e332c2066696e69 7368656400
output (32 octets):
33e063f342a2c926 500361abf503cfe3 c3faceefa3bea9cf 96fe435c0f443a5c

{client}
send record:
cleartext (2 octets):
0101
ciphertext (24 octets):
17030100137406f9 ea667034fc0122d5 0387f153d2365e91

{client}
derive write traffic keys using label “handshake data”:
PRK (32 octets):
5bf4684c713a5c30 dda2d92c12d7846e 76990e2c1b2bbd32 bf97d608b94ed0dc
key info (16 octets):
00100c544c532031 2e332c206b657900
key output (16 octets):
b53b9a8999d9ae81 1a3faa15e141e05c
iv info (15 octets):
000c0b544c532031 2e332c20697600
iv output (12 octets):
e53200044cb74dfd 1933343a

{client}
derive secret “client application traffic secret”:
PRK (32 octets):
c965ba3518c038d3 c7d51acd786b8f13 dbc1aa618cfb3320 fa377d0016641816
handshake hash (32 octets):
f428054b8769752e d0e739135a2a9185 3b1a97973a4b045f d01740c387abf7b1
info (78 octets):
00202a544c532031 2e332c20636c6965 6e74206170706c69 636174696f6e2074 7261666669632073 656372657420f428 054b8769752ed0e7 39135a2a91853b1a 97973a4b045fd017 40c387abf7b1
output (32 octets):
a7783e7ea7525bfb bbbc3e597a22b579 80fdd6085aea4fda 3a4232ac6273e073

{client}
derive secret “server application traffic secret”:
PRK (32 octets):
c965ba3518c038d3 c7d51acd786b8f13 dbc1aa618cfb3320 fa377d0016641816
handshake hash (32 octets):
f428054b8769752e d0e739135a2a9185 3b1a97973a4b045f d01740c387abf7b1
info (78 octets):
00202a544c532031 2e332c2073657276 6572206170706c69 636174696f6e2074 7261666669632073 656372657420f428 054b8769752ed0e7 39135a2a91853b1a 97973a4b045fd017 40c387abf7b1
output (32 octets):
363421e5f4143fe4 fce4fd8b851e3c94 ee55e91de2e6c82a 54d26108fef16cef

{client}
derive secret “exporter master secret” (same as server)
{client}
derive read traffic keys using label “application data” (same as server write traffic keys)
{client}
calculate finished:
PRK (32 octets):
5bf4684c713a5c30 dda2d92c12d7846e 76990e2c1b2bbd32 bf97d608b94ed0dc
handshake hash (0 octets):
(empty)
info (21 octets):
002011544c532031 2e332c2066696e69 7368656400
output (32 octets):
62a08f67bb663439 59fab0f7775865c7 6c8bb08720678454 6e68213c6a1cc9cf

{client}
send a Finished handshake message
{client}
send record:
cleartext (36 octets):
14000020775ed4a3 524ec6c5354e7e33 1e4d84508b678135 62f8841d926a148a 2c1b8771
ciphertext (58 octets):
1703010035d7540d a2eba075379f9509 3d8a1dbc6c4fc93c d3779999f53c7a67 4be5a9a8d8610560 27a5e131ef90f04d dd62c47ec18c8135 abc4

{client}
derive write traffic keys using label “application data”:
PRK (32 octets):
a7783e7ea7525bfb bbbc3e597a22b579 80fdd6085aea4fda 3a4232ac6273e073
key info (16 octets):
00100c544c532031 2e332c206b657900
key output (16 octets):
aaba570775559455 fdb1930701a18102
iv info (15 octets):
000c0b544c532031 2e332c20697600
iv output (12 octets):
e8261ef6f79b679c a812484f

{client}
derive secret “resumption master secret”:
PRK (32 octets):
c965ba3518c038d3 c7d51acd786b8f13 dbc1aa618cfb3320 fa377d0016641816
handshake hash (32 octets):
81731632f7a7cafd 67d0163215040755 5124634fda9569be 7d99e27958148f43
info (69 octets):
002021544c532031 2e332c2072657375 6d7074696f6e206d 6173746572207365 6372657420817316 32f7a7cafd67d016 3215040755512463 4fda9569be7d99e2 7958148f43
output (32 octets):
063481028495f3dd be80fc0a78ec8a2d 648176df0c592676 75133122cb9e221a

{server}
derive read traffic keys using label “handshake data”:
PRK (32 octets):
5bf4684c713a5c30 dda2d92c12d7846e 76990e2c1b2bbd32 bf97d608b94ed0dc
key info (16 octets):
00100c544c532031 2e332c206b657900
key output (16 octets):
b53b9a8999d9ae81 1a3faa15e141e05c
iv info (15 octets):
000c0b544c532031 2e332c20697600
iv output (12 octets):
e53200044cb74dfd 1933343a

{server}
calculate finished:
PRK (32 octets):
5bf4684c713a5c30 dda2d92c12d7846e 76990e2c1b2bbd32 bf97d608b94ed0dc
handshake hash (0 octets):
(empty)
info (21 octets):
002011544c532031 2e332c2066696e69 7368656400
output (32 octets):
62a08f67bb663439 59fab0f7775865c7 6c8bb08720678454 6e68213c6a1cc9cf

{server}
derive read traffic keys using label “application data” (same as client write traffic keys)
{server}
derive secret “resumption master secret” (same as client)
{client}
send record:
cleartext (50 octets):
0001020304050607 08090a0b0c0d0e0f 1011121314151617 18191a1b1c1d1e1f 2021222324252627 28292a2b2c2d2e2f 3031
ciphertext (72 octets):
17030100434e1321 c6ff34f8692a694e 65cabdfd04f31e43 8400e85860ebdaf9 2dba118e6810831e f1bb92c3c514bf2e a05c9ca13821b853 65f79a30edc423e3 4cbb57f57c874fc8

{server}
send record:
cleartext (50 octets):
0001020304050607 08090a0b0c0d0e0f 1011121314151617 18191a1b1c1d1e1f 2021222324252627 28292a2b2c2d2e2f 3031
ciphertext (72 octets):
170301004330de93 1b03d0d49f912181 80ff26eba943b4fb e988418ecb554594 84c5506e0f8c1f2c 14a2acd0447fda44 b3096fcf13069ba7 8cf0bff87471d4bc cf2f413b66f2d63b

{client}
send record:
cleartext (2 octets):
0100
ciphertext (24 octets):
17030100135c364c 700d1b3bade28d17 9392009c56b69868

{server}
send record:
cleartext (2 octets):
0100
ciphertext (24 octets):
1703010013cfde00 66705e1f074b0f84 cef13c2abb44517d

5. HelloRetryRequest

In this example, the client initiates a handshake with an X25519 [RFC7748] share. The server however prefers P-256 [FIPS186] and sends a HelloRetryRequest that requires the client to generate a key share on the P-256 curve.

{client}
create an ephemeral x25519 key pair:
private key (32 octets):
011e2b0b8ee9937b b8ab7b9356d8e20e beb189b1119c85f2 0ce1d191401ff123
public key (32 octets):
60913f97deebe865 6a0e4649ab2e9e9e d6395c9889f51a6e 36677dab3ea28226

{client}
send a ClientHello handshake message
{client}
send record:
cleartext (174 octets):
010000aa0303bffb 6e68d4151b0d2198 1a73e6742347b19f 7f594f5b12cf50a5 d3d97442e3300000 0613011303130201 00007b0000000b00 0900000673657276 6572ff0100010000 0a00080006001d00 1700180028002600 24001d002060913f 97deebe8656a0e46 49ab2e9e9ed6395c 9889f51a6e36677d ab3ea28226002b00 03027f12000d0020 001e040305030603 0203080408050806 0401050106010201 0402050206020202 002d00020101
ciphertext (179 octets):
16030100ae010000 aa0303bffb6e68d4 151b0d21981a73e6 742347b19f7f594f 5b12cf50a5d3d974 42e3300000061301 130313020100007b 0000000b00090000 06736572766572ff 01000100000a0008 0006001d00170018 002800260024001d 002060913f97deeb e8656a0e4649ab2e 9e9ed6395c9889f5 1a6e36677dab3ea2 8226002b0003027f 12000d0020001e04 0305030603020308 0408050806040105 0106010201040205 0206020202002d00 020101

{server}
send a HelloRetryRequest handshake message
{server}
send record:
cleartext (14 octets):
0600000a7f120006 002800020017
ciphertext (19 octets):
160301000e060000 0a7f120006002800 020017

{client}
create an ephemeral P-256 key pair:
private key (32 octets):
ec3f6719addc8d89 a703084a20d3f1b9 6bd676fe47f1195b 8e6e07742ea5cb36
public key (65 octets):
04d58cfd87eca0eb 3da5ba5cf42ad0cb 57ab6803a07cfb88 ba5f8652af73c2a4 691d9b03890b0554 9fe6181f936bde45 c6558ef466b9d066 d448bdae975c67a4 6b

{client}
send a ClientHello handshake message
{client}
send record:
cleartext (207 octets):
010000cb0303bffb 6e68d4151b0d2198 1a73e6742347b19f 7f594f5b12cf50a5 d3d97442e3300000 0613011303130201 00009c0000000b00 0900000673657276 6572ff0100010000 0a00080006001d00 1700180028004700 450017004104d58c fd87eca0eb3da5ba 5cf42ad0cb57ab68 03a07cfb88ba5f86 52af73c2a4691d9b 03890b05549fe618 1f936bde45c6558e f466b9d066d448bd ae975c67a46b002b 0003027f12000d00 20001e0403050306 0302030804080508 0604010501060102 0104020502060202 02002d00020101
ciphertext (212 octets):
16030100cf010000 cb0303bffb6e68d4 151b0d21981a73e6 742347b19f7f594f 5b12cf50a5d3d974 42e3300000061301 130313020100009c 0000000b00090000 06736572766572ff 01000100000a0008 0006001d00170018 0028004700450017 004104d58cfd87ec a0eb3da5ba5cf42a d0cb57ab6803a07c fb88ba5f8652af73 c2a4691d9b03890b 05549fe6181f936b de45c6558ef466b9 d066d448bdae975c 67a46b002b000302 7f12000d0020001e 0403050306030203 0804080508060401 0501060102010402 050206020202002d 00020101

{server}
extract secret “early”:
salt:
(absent)
ikm (32 octets):
0000000000000000 0000000000000000 0000000000000000 0000000000000000
secret (32 octets):
33ad0a1c607ec03b 09e6cd9893680ce2 10adf300aa1f2660 e1b22e10f170f92a

{server}
create an ephemeral P-256 key pair:
private key (32 octets):
24bebcc6cf06cd1c 9cfa3633c467090c e9664330e56c74f1 931c2abd94654c82
public key (65 octets):
0460c7c2a87342e3 5d9992cd366398d0 1d3f6e07f66b2db2 d3336efdd90fa2b5 904c5b8040570954 34be84f9cd5e8a9a a3262b1c7282b99b bcc3fa7c8eae4f7d 47

{server}
send a ServerHello handshake message
{server}
extract secret “handshake”:
salt (32 octets):
33ad0a1c607ec03b 09e6cd9893680ce2 10adf300aa1f2660 e1b22e10f170f92a
ikm (32 octets):
2f4e7a0c28947500 9ab7dcce15ea5ce8 01560dc359f7a1fc fd206ca1dc75533f
secret (32 octets):
e03366f9b148df82 acf75840cdd0233c af8dffeb1b8c58c1 a7d4da19cc72f36d

{server}
derive secret “client handshake traffic secret”:
PRK (32 octets):
e03366f9b148df82 acf75840cdd0233c af8dffeb1b8c58c1 a7d4da19cc72f36d
handshake hash (32 octets):
3abf4a9b315a32ae 9534851ed1c6cad5 3fae6feac4de4006 81d31341a92e608d
info (76 octets):
002028544c532031 2e332c20636c6965 6e742068616e6473 68616b6520747261 6666696320736563 726574203abf4a9b 315a32ae9534851e d1c6cad53fae6fea c4de400681d31341 a92e608d
output (32 octets):
514fbcc257fddf53 b1fd8bfda5a33e4f c1ba1b11c9b5026b 75866a512c63e055

{server}
derive secret “server handshake traffic secret”:
PRK (32 octets):
e03366f9b148df82 acf75840cdd0233c af8dffeb1b8c58c1 a7d4da19cc72f36d
handshake hash (32 octets):
3abf4a9b315a32ae 9534851ed1c6cad5 3fae6feac4de4006 81d31341a92e608d
info (76 octets):
002028544c532031 2e332c2073657276 65722068616e6473 68616b6520747261 6666696320736563 726574203abf4a9b 315a32ae9534851e d1c6cad53fae6fea c4de400681d31341 a92e608d
output (32 octets):
bad55c1cb0dd3381 a878c3089e06e9b5 36f6ac9a2b93b1f2 94a0e6860c59fe9d

{server}
extract secret “master”:
salt (32 octets):
e03366f9b148df82 acf75840cdd0233c af8dffeb1b8c58c1 a7d4da19cc72f36d
ikm (32 octets):
0000000000000000 0000000000000000 0000000000000000 0000000000000000
secret (32 octets):
c8ddbe8c1c50ef0b 56f753eed0aa6ba6 9a229ea8df5597a0 d0421e0ee8866875

{server}
send record:
cleartext (115 octets):
0200006f7f12ed74 90992fa812e55e64 5de61ec6019ef8be 0f213876f81637af 8738dbc607661301 0049002800450017 00410460c7c2a873 42e35d9992cd3663 98d01d3f6e07f66b 2db2d3336efdd90f a2b5904c5b804057 095434be84f9cd5e 8a9aa3262b1c7282 b99bbcc3fa7c8eae 4f7d47
ciphertext (120 octets):
1603010073020000 6f7f12ed7490992f a812e55e645de61e c6019ef8be0f2138 76f81637af8738db c607661301004900 2800450017004104 60c7c2a87342e35d 9992cd366398d01d 3f6e07f66b2db2d3 336efdd90fa2b590 4c5b804057095434 be84f9cd5e8a9aa3 262b1c7282b99bbc c3fa7c8eae4f7d47

{server}
derive write traffic keys using label “handshake data”:
PRK (32 octets):
bad55c1cb0dd3381 a878c3089e06e9b5 36f6ac9a2b93b1f2 94a0e6860c59fe9d
key info (16 octets):
00100c544c532031 2e332c206b657900
key output (16 octets):
ec09f6974e4a072c f05ea9862f119ce3
iv info (15 octets):
000c0b544c532031 2e332c20697600
iv output (12 octets):
b1ee3ad7f4c678fb 0ba06768

{server}
send a EncryptedExtensions handshake message
{server}
send a Certificate handshake message
{server}
send a CertificateVerify handshake message
{server}
calculate finished:
PRK (32 octets):
bad55c1cb0dd3381 a878c3089e06e9b5 36f6ac9a2b93b1f2 94a0e6860c59fe9d
handshake hash (0 octets):
(empty)
info (21 octets):
002011544c532031 2e332c2066696e69 7368656400
output (32 octets):
718d291e7ad26b84 c688e2fa0d287246 6a09b3b3cbade4fb 5710bcb1c10e20d2

{server}
send a Finished handshake message
{server}
send record:
cleartext (639 octets):
080000120010000a 0008000600170018 001d000000000b00 01b9000001b50001 b0308201ac308201 15a0030201020201 02300d06092a8648 86f70d01010b0500 300e310c300a0603 5504031303727361 301e170d31363037 3330303132333539 5a170d3236303733 303031323335395a 300e310c300a0603 5504031303727361 30819f300d06092a 864886f70d010101 050003818d003081 8902818100b4bb49 8f8279303d980836 399b36c6988c0c68 de55e1bdb826d390 1a2461eafd2de49a 91d015abbc9a9513 7ace6c1af19eaa6a f98c7ced43120998 e187a80ee0ccb052 4b1b018c3e0b6326 4d449a6d38e22a5f da43084674803053 0ef0461c8ca9d9ef bfae8ea6d1d03e2b d193eff0ab9a8002 c47428a6d35a8d88 d79f7f1e3f020301 0001a31a30183009 0603551d13040230 00300b0603551d0f 0404030205a0300d 06092a864886f70d 01010b0500038181 0085aad2a0e5b927 6b908c65f73a7267 170618a54c5f8a7b 337d2df7a5943654 17f2eae8f8a58c8f 8172f9319cf36b7f d6c55b80f21a0301 5156726096fd335e 5e67f2dbf102702e 608ccae6bec1fc63 a42a99be5c3eb710 7c3c54e9b9eb2bd5 203b1c3b84e0a8b2 f759409ba3eac9d9 1d402dcc0cc8f896 1229ac9187b42b4d e100000f00008408 040080605ed0406d 8c7c8f2e366ec3e2 4d85df3f40312662 bd78028d494594a0 1db41a3b72e14dc6 deb8e1ce564ef87d a55ee0c493245c00 32f5f53b53fc48a9 cdb0ffb79c395669 27bb28e54302966c 84a957efa5703d65 8717eb2c4abbe7fb 354512ea61a2f35b acd6c5f50b62cf3b a68c0eefc519e879 0b8eeaaf23f6ae03 854a401400002005 b401e46b05876f58 2b3c4775dfa580d8 0627f7e10fe066e5 43bf161f35d2e9
ciphertext (661 octets):
1703010290c56923 958884db0c2f6c45 458bddccf01e414c 41516d9495520b26 7be60c4fcb7f2cbf 828066de2e8453f8 38a38654cf607e90 e7be26b8c89138e7 24d2b6c11a3c29ca a73ecf427e8aa95e ebc4adc44aab1369 4d5bfe055d476224 42b12f36f11e067d 9ba2e3b6a6356631 6a753826e268f80b e89721119cf6744a 044370f71797e9f9 ca69dfe6141c1533 37d66b3814919959 8b045f9afca318ba 468cef63e49f31ab 34435b1cb92d10fb b18b94fb7b8bbbe2 fad6b5b4d1b9bafc fddeb7dc5e230011 774f3de29e29e4b2 2c0c7a3e8d9ea104 0b5e2e7481d0729a 4dc31745090f3bc8 e63ae4666ba57d8d a6e4618ecdf82b0f 9066cbaf7607b641 b14cbdd3b69600dc eb66bf8c9eba0afb 9c8fd124330c25ef ac24f0d72fff7e45 0312367786c2b3d2 e9ca96991adb3396 7c02a660055435f2 9f07ceeb5688a3c6 1966e59e41d52ee1 57ada845e63661b9 81ca7f79848958b6 596bee994e34c6c6 f4138aebc5d20457 8f236786175e2e87 28164a2356282a11 c633b1756b319c67 24f23f4763cd5745 6a0246679b9b6043 89e65bcd40e3d855 deb536f60fd75734 0598bd9ca276407f 8026cdd37f35a1e2 28976dd7e19cee72 011e1ac99663004d fb6251e0799f8384 951717843417b62b 2a96ff4a8b3ad4e7 220fad1b57cd3fec 4fa6de41264995a8 2d0a79166f28a053 dd94029dc696ef13 7d6f99bf8044e19c 87c73c726d3c08e5 28e7de5d8bfa219b 5cf4cc2c2e886d51 eadc618f627d317d f4107d4aa84b387e a23531f374679fb2 12513dcf9e68ff2b 491c397a1934965e fa4c2aac6871f33e 4cfbdc3f8250bc8b 0c1b4ed55e3cd293 be608930bdc63083 39ab9933a7eb4baf c589c3c6db806f0a d313dcfc13b86036 63d2b2a4ba2365c8 143c9e7349ff3d3f c28891a134f0f1e5 8ce1ebfd91

{server}
derive secret “client application traffic secret”:
PRK (32 octets):
c8ddbe8c1c50ef0b 56f753eed0aa6ba6 9a229ea8df5597a0 d0421e0ee8866875
handshake hash (32 octets):
6bf254b53dda73f9 851d2423db2d2236 d3914c46d364825d 384bc13cfd34bdef
info (78 octets):
00202a544c532031 2e332c20636c6965 6e74206170706c69 636174696f6e2074 7261666669632073 6563726574206bf2 54b53dda73f9851d 2423db2d2236d391 4c46d364825d384b c13cfd34bdef
output (32 octets):
e0823a427f17191c eda7c91dbfbd444d 6471e9d3fc93a119 f55a727689d689a2

{server}
derive secret “server application traffic secret”:
PRK (32 octets):
c8ddbe8c1c50ef0b 56f753eed0aa6ba6 9a229ea8df5597a0 d0421e0ee8866875
handshake hash (32 octets):
6bf254b53dda73f9 851d2423db2d2236 d3914c46d364825d 384bc13cfd34bdef
info (78 octets):
00202a544c532031 2e332c2073657276 6572206170706c69 636174696f6e2074 7261666669632073 6563726574206bf2 54b53dda73f9851d 2423db2d2236d391 4c46d364825d384b c13cfd34bdef
output (32 octets):
cbfde4e175f242bc 036592fdcbb8eb05 e8954294019d81f8 c6f80a7a111e3703

{server}
derive secret “exporter master secret”:
PRK (32 octets):
c8ddbe8c1c50ef0b 56f753eed0aa6ba6 9a229ea8df5597a0 d0421e0ee8866875
handshake hash (32 octets):
6bf254b53dda73f9 851d2423db2d2236 d3914c46d364825d 384bc13cfd34bdef
info (67 octets):
00201f544c532031 2e332c206578706f 72746572206d6173 7465722073656372 6574206bf254b53d da73f9851d2423db 2d2236d3914c46d3 64825d384bc13cfd 34bdef
output (32 octets):
7867e459e0281bdc d69dbe21d558920d 34bddee82ce43fcb d4e1a1c78ab1d855

{server}
derive write traffic keys using label “application data”:
PRK (32 octets):
cbfde4e175f242bc 036592fdcbb8eb05 e8954294019d81f8 c6f80a7a111e3703
key info (16 octets):
00100c544c532031 2e332c206b657900
key output (16 octets):
5d4514cfc8a17ab3 7ba2ce1ca5713dbb
iv info (15 octets):
000c0b544c532031 2e332c20697600
iv output (12 octets):
176a295c9e8e6f83 ca5568cb

{server}
derive read traffic keys using label “handshake data”:
PRK (32 octets):
514fbcc257fddf53 b1fd8bfda5a33e4f c1ba1b11c9b5026b 75866a512c63e055
key info (16 octets):
00100c544c532031 2e332c206b657900
key output (16 octets):
a47f60a96ba8e984 557f800464ff6519
iv info (15 octets):
000c0b544c532031 2e332c20697600
iv output (12 octets):
0ead0c4aebc52ab7 30f80263

{client}
extract secret “early”:
salt:
(absent)
ikm (32 octets):
0000000000000000 0000000000000000 0000000000000000 0000000000000000
secret (32 octets):
33ad0a1c607ec03b 09e6cd9893680ce2 10adf300aa1f2660 e1b22e10f170f92a

{client}
extract secret “handshake”:
salt (32 octets):
33ad0a1c607ec03b 09e6cd9893680ce2 10adf300aa1f2660 e1b22e10f170f92a
ikm (32 octets):
2f4e7a0c28947500 9ab7dcce15ea5ce8 01560dc359f7a1fc fd206ca1dc75533f
secret (32 octets):
e03366f9b148df82 acf75840cdd0233c af8dffeb1b8c58c1 a7d4da19cc72f36d

{client}
derive secret “client handshake traffic secret”:
PRK (32 octets):
e03366f9b148df82 acf75840cdd0233c af8dffeb1b8c58c1 a7d4da19cc72f36d
handshake hash (32 octets):
3abf4a9b315a32ae 9534851ed1c6cad5 3fae6feac4de4006 81d31341a92e608d
info (76 octets):
002028544c532031 2e332c20636c6965 6e742068616e6473 68616b6520747261 6666696320736563 726574203abf4a9b 315a32ae9534851e d1c6cad53fae6fea c4de400681d31341 a92e608d
output (32 octets):
514fbcc257fddf53 b1fd8bfda5a33e4f c1ba1b11c9b5026b 75866a512c63e055

{client}
derive secret “server handshake traffic secret”:
PRK (32 octets):
e03366f9b148df82 acf75840cdd0233c af8dffeb1b8c58c1 a7d4da19cc72f36d
handshake hash (32 octets):
3abf4a9b315a32ae 9534851ed1c6cad5 3fae6feac4de4006 81d31341a92e608d
info (76 octets):
002028544c532031 2e332c2073657276 65722068616e6473 68616b6520747261 6666696320736563 726574203abf4a9b 315a32ae9534851e d1c6cad53fae6fea c4de400681d31341 a92e608d
output (32 octets):
bad55c1cb0dd3381 a878c3089e06e9b5 36f6ac9a2b93b1f2 94a0e6860c59fe9d

{client}
extract secret “master” (same as server)
{client}
derive read traffic keys using label “handshake data”:
PRK (32 octets):
bad55c1cb0dd3381 a878c3089e06e9b5 36f6ac9a2b93b1f2 94a0e6860c59fe9d
key info (16 octets):
00100c544c532031 2e332c206b657900
key output (16 octets):
ec09f6974e4a072c f05ea9862f119ce3
iv info (15 octets):
000c0b544c532031 2e332c20697600
iv output (12 octets):
b1ee3ad7f4c678fb 0ba06768

{client}
calculate finished:
PRK (32 octets):
bad55c1cb0dd3381 a878c3089e06e9b5 36f6ac9a2b93b1f2 94a0e6860c59fe9d
handshake hash (0 octets):
(empty)
info (21 octets):
002011544c532031 2e332c2066696e69 7368656400
output (32 octets):
718d291e7ad26b84 c688e2fa0d287246 6a09b3b3cbade4fb 5710bcb1c10e20d2

{client}
derive write traffic keys using label “handshake data” (same as server read traffic keys)
{client}
derive secret “client application traffic secret”:
PRK (32 octets):
c8ddbe8c1c50ef0b 56f753eed0aa6ba6 9a229ea8df5597a0 d0421e0ee8866875
handshake hash (32 octets):
6bf254b53dda73f9 851d2423db2d2236 d3914c46d364825d 384bc13cfd34bdef
info (78 octets):
00202a544c532031 2e332c20636c6965 6e74206170706c69 636174696f6e2074 7261666669632073 6563726574206bf2 54b53dda73f9851d 2423db2d2236d391 4c46d364825d384b c13cfd34bdef
output (32 octets):
e0823a427f17191c eda7c91dbfbd444d 6471e9d3fc93a119 f55a727689d689a2

{client}
derive secret “server application traffic secret”:
PRK (32 octets):
c8ddbe8c1c50ef0b 56f753eed0aa6ba6 9a229ea8df5597a0 d0421e0ee8866875
handshake hash (32 octets):
6bf254b53dda73f9 851d2423db2d2236 d3914c46d364825d 384bc13cfd34bdef
info (78 octets):
00202a544c532031 2e332c2073657276 6572206170706c69 636174696f6e2074 7261666669632073 6563726574206bf2 54b53dda73f9851d 2423db2d2236d391 4c46d364825d384b c13cfd34bdef
output (32 octets):
cbfde4e175f242bc 036592fdcbb8eb05 e8954294019d81f8 c6f80a7a111e3703

{client}
derive secret “exporter master secret” (same as server)
{client}
derive read traffic keys using label “application data” (same as server write traffic keys)
{client}
calculate finished:
PRK (32 octets):
514fbcc257fddf53 b1fd8bfda5a33e4f c1ba1b11c9b5026b 75866a512c63e055
handshake hash (0 octets):
(empty)
info (21 octets):
002011544c532031 2e332c2066696e69 7368656400
output (32 octets):
764e58fab463dd2c e6e1277e747e7d78 cf47631d282f9ae0 b75d589c0f6cbdd5

{client}
send a Finished handshake message
{client}
send record:
cleartext (36 octets):
14000020096bd69a 68a032b92ca9de00 89fc7f936b33d2a2 7cc8f6ce05c9147c 75c38202
ciphertext (58 octets):
17030100357e8199 60cd15f35bfc2103 43bba44f5b16109f cde46a06f54474d6 377f48a3bc030657 a49b0f864c21f0e0 01e29d873c46644a e563

{client}
derive write traffic keys using label “application data”:
PRK (32 octets):
e0823a427f17191c eda7c91dbfbd444d 6471e9d3fc93a119 f55a727689d689a2
key info (16 octets):
00100c544c532031 2e332c206b657900
key output (16 octets):
3c99d096985ca35d 4e7b10bd36772fb6
iv info (15 octets):
000c0b544c532031 2e332c20697600
iv output (12 octets):
f1f7a260881b4fbe 20e40941

{client}
derive secret “resumption master secret”:
PRK (32 octets):
c8ddbe8c1c50ef0b 56f753eed0aa6ba6 9a229ea8df5597a0 d0421e0ee8866875
handshake hash (32 octets):
b441cf12a1c1c18d 9c970282dea28394 df6272d4e15a4848 f19a1721d3337616
info (69 octets):
002021544c532031 2e332c2072657375 6d7074696f6e206d 6173746572207365 6372657420b441cf 12a1c1c18d9c9702 82dea28394df6272 d4e15a4848f19a17 21d3337616
output (32 octets):
9d09aedcce0c5866 10cbc46812474d1c 4d2b256c90dc027a e05ffacc3b73d315

{server}
calculate finished:
PRK (32 octets):
514fbcc257fddf53 b1fd8bfda5a33e4f c1ba1b11c9b5026b 75866a512c63e055
handshake hash (0 octets):
(empty)
info (21 octets):
002011544c532031 2e332c2066696e69 7368656400
output (32 octets):
764e58fab463dd2c e6e1277e747e7d78 cf47631d282f9ae0 b75d589c0f6cbdd5

{server}
derive read traffic keys using label “application data” (same as client write traffic keys)
{server}
derive secret “resumption master secret” (same as client)
{client}
send record:
cleartext (2 octets):
0100
ciphertext (24 octets):
1703010013029b49 f09900a4b23667df 7ed165fdb1b7eb8f

{server}
send record:
cleartext (2 octets):
0100
ciphertext (24 octets):
1703010013c2bc84 7f0273ee1adb166a 264e07d1b0f63c18

6. Security Considerations

It probably isn’t a good idea to use the private key here. If it weren’t for the fact that it is too small to provide any meaningful security, it is now very well known.

7. References

7.1. Normative References

[I-D.ietf-tls-tls13] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", Internet-Draft draft-ietf-tls-tls13-18, October 2016.

7.2. Informative References

[FIPS186] National Institute of Standards and Technology (NIST), "Digital Signature Standard (DSS)", NIST PUB 186-4 , July 2013.
[RFC7748] Langley, A., Hamburg, M. and S. Turner, "Elliptic Curves for Security", RFC 7748, DOI 10.17487/RFC7748, January 2016.

Appendix A. Acknowledgements

None of this would have been possible without Franziskus Kiefer, Eric Rescorla and Tim Taubert, who did a lot of the work in NSS.

Author's Address

Martin Thomson Mozilla EMail: martin.thomson@gmail.com
Fork me on GitHub