TLS                                                           M. Thomson
Internet-Draft                                                   Mozilla
Intended status: Standards Track                        December 4, 2017                            May 02, 2018
Expires: June 7, November 3, 2018

                  Example Handshake Traces for TLS 1.3
                    draft-ietf-tls-tls13-vectors-03
                    draft-ietf-tls-tls13-vectors-04

Abstract

   Examples of TLS 1.3 handshakes are shown.  Private keys and inputs
   are provided so that these handshakes might be reproduced.
   Intermediate values, including secrets, traffic keys and ivs are
   shown so that implementations might be checked incrementally against
   these values.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 7, November 3, 2018.

Copyright Notice

   Copyright (c) 2017 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Private Keys  . . . . . . . . . . . . . . . . . . . . . . . .   2
   3.  Simple 1-RTT Handshake  . . . . . . . . . . . . . . . . . . .   3
   4.  Resumed 0-RTT Handshake . . . . . . . . . . . . . . . . . . .  13  15
   5.  HelloRetryRequest . . . . . . . . . . . . . . . . . . . . . .  22  26
   6.  Client Authentication . . . . . . . . . . . . . . . . . . . .  33  38
   7.  Compatibility Mode  . . . . . . . . . . . . . . . . . . . . .  49
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  42
   8.  59
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  42
     8.1.  60
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  42
     8.2.  60
     9.2.  Informative References  . . . . . . . . . . . . . . . . .  42  60
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . .  43  60
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  43  60

1.  Introduction

   TLS 1.3 [I-D.ietf-tls-tls13] [TLS13] defines a new key schedule and a number new
   cryptographic operations.  This document includes sample handshakes
   that show all intermediate values.  This allows an implementation to
   be verified incrementally, examining inputs and outputs of each
   cryptographic computation independently.

   Private keys are

   A private key is included with the traces so that implementations can
   be checked by importing these values and verifying that the same
   outputs are produced.

2.  Private Keys

   Ephemeral private keys are shown as they are generated in the traces.

   The server in most examples uses an RSA certificate with a private
   key of:

   modulus (public):  b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c
      0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab
      bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87
      a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f
      da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0
      3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e
      3f

   public exponent:  01 00 01

   private exponent:  04 de a7 05 d4 3a 6e a7 20 9d d8 07 21 11 a8 3c 81
      e3 22 a5 92 78 b3 34 80 64 1e af 7c 0a 69 85 b8 e3 1c 44 f6 de 62
      e1 b4 c2 30 9f 61 26 e7 7b 7c 41 e9 23 31 4b bf a3 88 13 05 dc 12
      17 f1 6c 81 9c e5 38 e9 22 f3 69 82 8d 0e 57 19 5d 8c 84 88 46 02
      07 b2 fa a7 26 bc f7 08 bb d7 db 7f 67 9f 89 34 92 fc 2a 62 2e 08
      97 0a ac 44 1c e4 e0 c3 08 8d f2 5a e6 79 23 3d f8 a3 bd a2 ff 99
      41

   prime1:  e4 35 fb 7c c8 37 37 75 6d ac ea 96 ab 7f 59 a2 cc 10 69 db
      7d eb 19 0e 17 e3 3a 53 2b 27 3f 30 a3 27 aa 0a aa bc 58 cd 67 46
      6a f9 84 5f ad c6 75 fe 09 4a f9 2c 4b d1 f2 c1 bc 33 dd 2e 05 15

   prime2:  ca bd 3b c0 e0 43 86 64 c8 d4 cc 9f 99 97 7a 94 d9 bb fe ad
      8e 43 87 0a ba e3 f7 eb 8b 4e 0e ee 8a f1 d9 b4 71 9b a6 19 6c f2
      cb ba ee eb f8 b3 49 0a fe 9e 9f fa 74 a8 8a a5 1f c6 45 62 93 03

   exponent1:  3f 57 34 5c 27 fe 1b 68 7e 6e 76 16 27 b7 8b 1b 82 64 33
      dd 76 0f a0 be a6 a6 ac f3 94 90 aa 1b 47 cd a4 86 9d 68 f5 84 dd
      5b 50 29 bd 32 09 3b 82 58 66 1f e7 15 02 5e 5d 70 a4 5a 08 d3 d3
      19

   exponent2:  18 3d a0 13 63 bd 2f 28 85 ca cb dc 99 64 bf 47 64 f1 51
      76 36 f8 64 01 28 6f 71 89 3c 52 cc fe 40 a6 c2 3d 0d 08 6b 47 c6
      fb 10 d8 fd 10 41 e0 4d ef 7e 9a 40 ce 95 7c 41 77 94 e1 04 12 d1
      39

   coefficient:  83 9c a9 a0 85 e4 28 6b 2c 90 e4 66 99 7a 2c 68 1f 21
      33 9a a3 47 78 14 e4 de c1 18 33 05 0e d5 0d d1 3c c0 38 04 8a 43
      c5 9b 2a cc 41 68 89 c0 37 66 5f e5 af a6 05 96 9f 8c 01 df a5 ca
      96 9d

3.  Simple 1-RTT Handshake

   In this example, the simplest possible handshake is completed.  The
   server is authenticated, but the client remains anonymous.  After
   connecting, a few application data octets are exchanged.  The server
   sends a session ticket that permits the use of 0-RTT in any resumed
   session.

   {client}  create an ephemeral x25519 key pair:

      private key (32 octets):  b1 6a 3c 97 a7 19 0b ec c4 00 2a 2f be  33 21 0a 80 40 b5 99 45 df 0b bd 0c e1 ba db c1 a0 78 c8 52 0d 00 71 0a
         06 7b 00 59 68 26 01 05 f4 aa 6d 4f 0f a1 9e bf b5 94 a7 13 2b 62 34 33 ab

      public key (32 octets):  78 e5 89 74 13 f1 71 53 c7  fa 0c f3 3f a3 4c
         84 97 72 4b da b4 f5 7f 9d 01 c9 53 f5 88 d2 25 02 a7 23 6a e7 59 9e e0 14 16
         e8 05 d7 15 55 93 f0 30 46 61 28 b7 a6 f6 dd f4 9b ad 1a 6f 36

   {client}  send a ClientHello handshake message

   {client}  send handshake record:

      payload (190 octets):  01 00 00 ba 03 03 c4 e2 ea b7 cc 4b bb 43
         7d fa b4 7c a5 6a f8 a0 3a 02 32 16 f4 df 71 db 07 2b 90 e5
         f2 af d6 09 5f aa cd 8e b9 12 02 36 f9 c4 a4 9f ac 89 84
         9c 10 b2 ca 79 90 c2 0d 40 cb 69 09
         57 75 35 00 00 06 13 01 13 03 13 02 01 00 00 8b 00 00 00 0b 00
         09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12
         00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 23 00
         00 00 28 33 00 26 00 24 00 1d 00 20 78 e5 89 74 13 f1 71 53 c7 fa 0c
         f3 3f a3 4c 84 97 72 4b da b4 f5 7f 9d 01 c9 53 f5 88 d2 25 02 a7 23 6a e7 59
         9e e0 14 16 e8 05 d7 15 55 93 f0 30 46
         61 28 b7 a6 f6 dd f4 9b ad 1a 6f
         36 00 2b 00 03 02 7f 16 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02
         03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02
         02 02 00 2d 00 02 01 01

      ciphertext (195 octets):  16 03 01 00 be 01 00 00 ba 03 03 c4 e2
         ea b7 cc 4b bb 43 7d fa b4 7c a5 6a f8 a0 3a 02
         32 16 f4 df 71 db 07 2b 90 e5 f2 af d6 09 5f aa cd 8e b9 12 02 36 f9
         c4 a4 9f ac 89 84 9c 10 b2 ca 79 90
         c2 0d 40 cb 69 09 57 75 35 00 00 06 13 01 13 03 13 02 01 00 00
         8b 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00
         00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01
         03 01 04 00 23 00 00 00 28 33 00 26 00 24 00 1d 00 20 78 e5 89 74
         13 f1 71 53 c7 fa 0c f3 3f a3 4c 84 97 72 4b da b4 f5 7f 9d 01 c9
         53 f5 88 d2 25
         02 a7 23 6a e7 59 9e e0 14 16 e8 05 d7 15 55 93 f0 30 46 61 28 b7 a6 f6
         dd f4 9b ad 1a 6f 36 00 2b 00 03 02 7f 16 1c 00 0d 00 20 00 1e 04
         03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01
         04 02 05 02 06 02 02 02 00 2d 00 02 01 01

   {server}  extract secret "early":

      salt:  (absent)

      ikm (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

   {server}  create an ephemeral x25519 key pair:

      private key (32 octets):  20 eb 30 48 af fc bf 2b ff 56 df b5 1e
         93 4d 78 a0 f5 d2 38 29  9d ae 7f c7 6c 00 9e 64 32 41 70 b1 0e ea 18 31 69 68 8b 65 c6 27
         99 1a 97 d3 95 9e 32 e7 c8 45 0c 14 f3 b5 30 bf 75 ef 87

      public key (32 octets):  ee 31 96 ca 63 98 21 a1 7b 51 68 ab 61 0d
         70 57 d2 b2 50 84 89 1f 87 ef 26 cf 0c 26  aa 6c be 84 e5 d6 7e 01 8c c1 a7 43 75 b6 d4 ea 18
         ad 51 71 c1 50 ae 55 80 a8 4c 62 ef 05 21 a1 16 8a 25

   {server}  send a ServerHello handshake message

   {server}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {server}  extract secret "handshake":

      salt (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      ikm (32 octets):  61 d3 4a ad f2 5e  de 19 c3 5f f1 64 46 31 c4 b4 59 9a 22 3a 2c e6 fb 59 f8 a0 f9 d1
         d7 5f 18 87 df b0 6c 0f ff f8 47 6d c3 c5 0f 47 ee eb
         31 aa 4c f3 03 ef 15 48 de 68 ea 83 c9 4b 78 1c

      secret (32 octets):  79 07 c2 82 34 f1 6c  95 96 d5 36 cf ab b0 51 28 69 b3 c3 66 39 1f
         b2 97 59 36 a8 71 a4 6b eb 25 cd da 1f 8c 66 b5 f0 26 54
         7f dc 8a ab 96 d1 4e ef f8 0f 5b 12 f9 ad 8a c9 d6 04 5e 6b

   {server}  derive secret "tls13 c hs traffic":

      PRK (32 octets):  79 07 c2 82 34 f1 6c  95 96 d5 36 cf ab b0 51 28 69 b3 c3 66 39 1f b2
         97 59 36 a8 71 a4 6b eb 25 cd da 1f 8c 66 b5 f0 26 54 7f
         dc 8a ab 96 d1 4e ef f8 0f 5b 12 f9 ad 8a c9 d6 04 5e 6b

      hash (32 octets):  2a 63 e9 0b 84 e5 c9 79 80 56 98 41 19 3b 80 94
         22 19 36 52 19 ad 23 90 b6  58 53 80 64 c2 ae bb 09 69

      info (54 octets):  00 20 12 74 6c 73 f8 31 33 20 63 20 68 73 20 74 72
         61 66 66 69 63 20 2a 63 e9 0b 84 e5 c9 79 80 56 98 41 19 3b 80
         94 22 19 36 52 19 ad 23 90 b6 80 64 c2 ae bb 09 69

      output (32 octets):  40 2b 60 6f 3c b0 c8 5b 6d bf fb fd a9 df 79
         14 58 c7 62 08 c5 2c 34 8c 76 be 4a 0e b9 21 1b b5 e9 0b a4 81 f2 5c 4b 94 e2

   {server}  derive secret "tls13 s hs traffic":

      PRK (32 octets):  79 07 c2 82 34 f1 6c a8 71 a4 6b eb 25
         a6 17 fd 16 da 54 7f 68 b0 a9 50 38 82 fe ea ff 81 dc 8a ab 96 d1 4e ef f8 0f 5b 12 f9 ad 8a c9 d6

      hash (32 octets):  2a 63 e9 0b 84 e5 c9 79 80 56 98 41 19 3b 80 94
         22 19 36 52 19 ad 23 90 b6 80 64 c2 ae bb 09 69

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 63 20 68 73 20 74 72
         61 66 66 69 63 20 2a 63 e9 0b 84 e5 c9 79 80 56 98 41 19 3b 80
         94 22 19 36 52 19 ad 23 90 b6 58 53 80 64 c2 ae bb 09 69 f8 31 c7 62 08 c5 2c 34 8c 76 be 4a
         4b a6 17 fd 16 da 68 b0 a9 50 38 82 fe ea ff 81 dc

      output (32 octets):  a2 c1 53  ed 5d 2e 57 8f 39 41 2a 63 a1 8e 68 d4 52 e4
         09 21 5b 55 26 42 8b 49 cb e6 cc a8 63 40 29 f2 4c c9 c7 bb 3c 19 23
         7c 37 4e 94 db 25 6c 96 4d 4d 13 76 a9 29 de 1a

   {server}  derive secret "tls13 s hs traffic":

      PRK (32 octets):  95 96 d5 36 cf ab b0 51 28 69 b3 c3 66 39 1f b2
         97 59 36 a8 cd da 1f 8c 66 b5 f0 26 54 04 5e 6b

      hash (32 octets):  58 53 80 f8 31 c7 62 08 c5 2c 34 8c 76 be 4a 4b
         a6 17 fd 16 da 68 b0 a9 50 38 82 fe ea ff 81 dc

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
         61 66 66 69 63 20 58 53 80 f8 31 c7 62 08 c5 2c 34 8c 76 be 4a
         4b a6 17 fd 16 da 68 b0 a9 50 38 82 fe ea ff 81 dc

      output (32 octets):  76 53 d6 19 95 c3 c7 b9 a7 db 6e f8 80 0d e0
         63 e2 c4 10 1d 52 15 01 1c 8a 28 36 6e 8a 44 9b b3

   {server}  derive secret for master "tls13 derived":

      PRK (32 octets):  79 07 c2 82 34 f1 6c  95 96 d5 36 cf ab b0 51 28 69 b3 c3 66 39 1f b2
         97 59 36 a8 71 a4 6b eb 25 cd da 1f 8c 66 b5 f0 26 54 7f
         dc 8a ab 96 d1 4e ef f8 0f 5b 12 f9 ad 8a c9 d6 04 5e 6b

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  44 50 97 b3 09 4b 9c e8 35 af 72 02 5d 0f d3
         80 ae 2b ae 88 06 08 f6 b2 b9 92 42 92  ff e0 3e bf eb 04 71 d1 8e f7 7a b4 95 7f 14 95 2f be
         d5 5a 1f 3b 9d 1c e9 4e 1e 00 f7 40 7d 99 72 99 1b

   {server}  extract secret "master":

      salt (32 octets):  44 50 97 b3 09 4b 9c e8 35 af 72 02 5d 0f d3 80
         ae 2b ae 88 06 08 f6 b2 b9 92 42 92  ff e0 3e bf eb 04 71 d1 8e f7 7a b4 95 7f 14 95 2f be d5
         5a 1f 3b 9d 1c e9 4e 1e 00 f7 40 7d 99 72 99 1b

      ikm (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  23 07  fa 2f 37 68 ca 09 44 ef de d6 a1 fd bc 3a 87 b5 9c 46 10 26 27 17 3e 59 84
         d8 4e 03 5f a5 64 75 9c 1e ec 3b 96 4c e9 7a 1f a7 51 b2 1b 6b f2 07 66 1c b2 94 bc 29 f4 49 c7 14

   {server}  send handshake record:

      payload (90 octets):  02 00 00 56 03 03 8e 58 c0 e7 0c 99 2d 7f fc
         80 98 eb dc 67 ba 85 05 e4 2e 44 42 ec 65 e2 f1 86 19 05 bf 77 23 95 49 24 7a b2 ba
         20 3c 8f
         0a e6 42 76 a1 0d 47 b3 5d 5f 26 75 0b c5 a9 b7 aa c6 30 9f 19
         75 71 00 13 01 00 00 2e 00 28 33 00 24 00 1d 00 20 ee 31 96 ca 63
         98 21 a1 7b 51 68 ab 61 0d 70 57 d2 b2 50 aa 6c be 84 89 1f 87 01
         8c c1 a7 43 75 b6 d4 ea 18 ad 51 71 c1 50 ae 55 80 a8 4c 62 ef 26 cf
         0c 26 84 e5 d6 7e
         05 21 a1 16 8a 25 00 2b 00 02 7f 16 1c

      ciphertext (95 octets):  16 03 03 00 5a 02 00 00 56 03 03 8e 58 c0
         e7 0c 99 2d 7f fc 80 98 eb dc 67 ba 85 05 e4 2e 44 42 ec 65
         e2 f1 86 19 05 bf 77 23
         95 49 24 7a b2 ba 20 3c 8f 0a e6 42 76 a1 0d 47 b3 5d 5f 26 75 0b c5 a9
         b7 aa c6 30 9f 19 75 71 00 13 01 00 00 2e 00 28 33 00 24 00 1d 00
         20 ee 31 96 ca 63 98 21 a1 7b aa 6c be 84 01 8c c1 a7 43 75 b6 d4 ea 18 ad 51 68 ab 61 0d 70 57 d2 b2 71 c1 50 84
         89 1f 87 ae
         55 80 a8 4c 62 ef 26 cf 0c 26 84 e5 d6 7e 05 21 a1 16 8a 25 00 2b 00 02 7f 16

   {server}  send a EncryptedExtensions handshake message

   {server}  send a Certificate handshake message 1c

   {server}  send a CertificateVerify  derive write traffic keys for handshake message
   {server}  calculate finished "tls13 finished": data:

      PRK (32 octets):  a2 c1  76 53 5b 55 26 42 8b 49 cb e6 cc 3c d6 19 23 7c
         37 4e 94 95 c3 c7 b9 a7 db 25 6c 96 4d 4d 13 76 a9 de 1a c5 12

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 f8 80 0d e0 63
         e2 c4 10 1d 52 15 01 1c 8a 28 36 6e 8a 44 9b b3

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65
         64 79 00

      key output (16 octets):  6b de 0a 34 c4 42 3c f3 5b f4 a7 ec 1a b0
         aa 06

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  22 07 9a 1b e6 53 89 9a 59 a4 e5 51

   {server}  send a EncryptedExtensions handshake message

   {server}  send a Certificate handshake message

   {server}  send a CertificateVerify handshake message

   {server}  calculate finished "tls13 finished":

      PRK (32 octets):  d2 7d 01 ab e2 d9  76 53 d6 68 98 dc 10 19 95 c3 c7 b9 a7 db 6e f8 5d 92 2f
         d6 ff f5 1d b8 80 f4 af 64 0d e0 63
         e2 c4 10 1d 52 b7 15 01 1c 05 c3 fc 42 67 8a 28 36 6e 8a 44 9b b3

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets):  1c a5 43 d9 08 b8 ec 1c b7 25 55 7f 83 c4 de
         03 f1 71 85 07 b9 0a e4 39 ec 84 92 c2 22 5d 6e 75

   {server}  send a Finished handshake message

   {server}  send handshake record:

      payload (651 octets):  08 00 00 1e 00 1c 00 0a 00 14 00 12 00 1d
         00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 0b
         00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30 82 01 15 a0 03 02
         01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30
         0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 1e 17 0d 31 36
         30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36 30 37 33 30 30 31
         32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61
         30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d
         00 30 81 89 02 81 81 00 b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b
         36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4
         9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed
         43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d
         44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9
         d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28
         a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 01 00 01 a3 1a 30 18 30 09
         06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 05
         a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 85
         aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17 06 18 a5 4c 5f 8a
         7b 33 7d 2d f7 a5 94 36 54 17 f2 ea e8 f8 a5 8c 8f 81 72 f9 31
         9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 51 56 72 60 96 fd 33 5e 5e
         67 f2 db f1 02 70 2e 60 8c ca e6 be c1 fc 63 a4 2a 99 be 5c 3e
         b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1c 3b 84 e0 a8 b2 f7 59 40
         9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 96 12 29 ac 91 87 b4 2b 4d
         e1 00 00 0f 00 00 84 08 04 00 80 35 dc 65 98 6e 5d 7a 91 25 7a
         91 01 85 5d 87 54 9c 1b 0d 19 6b 6c 19 da a2 67 38 30 ff 73 a4
         51 ab 60 79 48 55 ca c3 53 73 40 e8 48 fd 10 5a 82 02 3f d3 8f
         e9 bd 96 ed b4 23 48 99 8c d9
         ac ea f9 dd e4 45 12 7b ef 6f c8 5b 2a 29 82 27 a9 0d f6 63 d8 92 7e 88 67 25 57 0a 41 52 26
         12 28 af 19 67 a2 2d 9b
         4d 36 11 7b b0 90 e4 f0 76 ea 5f a4 7d c5 93 f7 6c 00 02 56 02 b8 5b e9 6e 6e 75 a2 5b 72 bd
         d9 38 9d 7c ac 77 cb e6 21 7f 3e
         fa 6f 10 53 12 9e b9 1a cb 05 48 c6 97 95 f3 14 24 60 17 18 9d 4b dd 30 b8 38 16 89 8d 36 17 f5 9a
         5b c3 66 9a 98 d6 41 64 fd c7 80 77 2d ca 3d 06 63 79 8d 6a c0
         38 89 24 1a 21
         32 c4 07 1e 21 f9 f3 f0 cd 1d f4 06 ab 1d 37 bd db 13 e1 c2 93
         f8 a4 46 8b 8e 5b c9 27 de df f9 39 d0 58 8c 09 e5 78 94 e0 f1 14 00 00 20 4a 81 42 ca
         b4 49 41 89 68 94 06 27 07 e6 92 d6 32 a8 6a 12 16 cb aa 5b
         9c 4d 04 ea 5c 83 b2 0b 4c be 2a 81 88 04 7e 8f 95 d9 60 5b 71 24 d1 1d
         de b1 91 bb 6b
         3d ef a1 b3 15 40 db 6d 18

      ciphertext (673 octets):  17 03 03 02 9c 6f 0c 3d 25 89 2d 11 1b
         9e 10 b7 bf 9e cb 09 ec 5e 87 75 53 b3 15 3e b9 80 12 4c 44 59
         58 b1 71 01 41 8b 00 d8 f0 2f af cc 55 ba 06 25 88 ba 53 0e f0
         9a 8f b4 c7 d6 de 1f 8b 7e b8 d8 b6 ad d2 1e 01 34 a9 75 74 ae 71
         2d 5c b6 c1 5d 19 b3 47 c7 8a 88 4a 71 ff b8 c2 e7 60 02 22 16
         a7 93 8f 10 81 8c 3f 81 16 b4 5a 39 79 d0 9d 72 52 e3 b4 4f 10
         ae 3a 51 68 f5 a6 1b 31 d8 e0 b4 15 f8 09 7d d5 14 f1 ba d1 b1 f3
         49 dc bc
         e5 cb 35 48 55 f6 b7 59 e3 6b 17 1d 56 08 c7 b9 d5 85 9a d9 f4 e2 02 84 45 5d
         9d ab 37 d5 6e 09 5e bd 88 68 89 a2 36 3f c9 7b 16 62 06 63 7c
         ca 01 ab 37 7e 9d 3f 3d 06 4f 6a fc 87 22 1a bf e6 0b aa 31 29 a9 83 81 35 a2 2d a4 d2
         d5 23 27 e9 96 c9 4b 86 f6 af be 4d 7e 6d 6d bd 07 0b 84 f7 0f 33 fa 57
         91 6e d4 a3 ed 24 9d 5e 71 04 7d 7f 44 dc 78 64 e4 31 b1 e0 6d a8 01 83
         b0 cc 0c 3b 38 0a 47 46 64 3b fb 8f 2c dd 0a 87 a8 36 17 13 86 c7 f1 b8 2e db 0b 15 30 a4
         39 6c 1a d4 53 2a 60 7a 55 31 90 63 83 f7 bb 9c cc 1d 43 b7
         32 26 b1 be f9 5c 34 58 41 d1 20 da a8 ec
         47 af 17 e5 7e d6 fc c5 f0 61 b7 cb 5a 70 8d 49 09 bf a3 42 6d 96 96 19 3f e4 a5
         13 56 82 a2 2e 0c 99
         33 c1 00 02 03 3f a2 ee 1e 82 67 0b 26 9f 0a 50 ba 93 c5 3a 87 f8 6d 5c
         bf c6 31 6a 19 51 26 ad 05 58 6f e8 7c f8 91
         29 b7 7c 43 41 ae 6c 12 b6 c5 70 d6 fb b5 46 0f f7 c6 5d a5 80 97 b1 17 31 4f 21 c0 b7 a2 0c 49 12 e4 bd b5 9b 2d 14 f2 7a 05 35 3e 51 d2 18 a3 60
         15 4c bf 08 f2 9c 64 4b 28 8f 3d 42 4e e8 ea bb f1 26 fd 6b e4
         b2 b0 f1 97 5f e4 73 a3 df a8 83 78 bd 5b ea ce ee 52 0e 6e 2d
         c7 40 4f 90 c3 66
         ec 8e 83 d8 49 be a6 d5 b2 e0 bb 88 4f 9e 98 d7 19 5a 42 8f 34 36 29 c1 a4 a3 dd fa 58 c3 c3 f8 08 d1
         26 5a 79 3a
         f2 49 38 3d e5 51 a8 a9 67 58 84 f3 8a 43 60 68 e3 72 9f 8a 50 4a ea 31 31 28 27 ad d1 99 1b f8 61 37 95
         0c ed 5e 0e b3 39
         e4 ad a2 32 11 85 aa 27 6f 76 2b 0a 6b cd 9e f8 23 59 c2 5a f7 00 31 cb 18 00 8c 2f a6 e7 c8
         dd 70 58 f8 2c 0f de ac 3b
         60 d6 5d 10 94 99 b9 1f 19 4b 88 4a cd c7 ec e9 23 b0 d6 3b 8c f6 f0 d8
         cb ab f1 3c a9 96 69 42 e1 6a 3d 7a c5 ed c0 39 7b 9d 9a ae cf 3f 0d
         cc 59 83 a4 76 9e 26 0f 15 e6 83 78 74 18 ce 06 75 24 47 ad f3 3e ee e5 f9 fa
         75 93 24 7d f7 d5 a1 60 32 7b de e8 91
         6b 57 31 f8 eb e4 74 55 6b 93 97 9f
         ae 3c d2 fa 90 c3 6e 21 1a 2d fb fb 65 60 07 91 b5 e7 77 d6 2f 3b 51 c5 a0 97 50 df
         a9 70 1b 11 bb 92 08 a6 8d 38 e0 a2 0b 5c ee c9 58 4b c7 aa 83 70 94 b9 6e fd 55
         b0 7a c3 72 00 42 4c f9 eb 54 2d 53 06
         24 6f 76 ac ef b5 6e 71 32 33 83 c1 93 f2
         cd f6 22 08 35 48 7d b1 b6 37 b4 60 38 24 1d aa 6a 07 a0 19 3e cd 23 78 ed b7 dd 72 74 27 fe 9d f9
         d0 46 28 b8 9c 38 0b 3b 83 b5 e6 95 cf ba 2d 8d
         45 c4 7b e1 2f 30 ce 0e 19
         17 ee 05 2e 7e c9 4d 4d da 39 b6 93 e0 1e 5a 71 a1 00 95 02 9e ed 7e 27 8d de a9 f4 46
         2c 68 ad 95 1d 40 cc
         99 66 82 0e 7a 95 9e 1b c6 eb c6 b8 84 da b7 f9 de e7 6f 30 08 73 63 85 05
         f9 00 3c de 12 e4 28 24 ff 3a 17 e0 fd 0b 64 3d a1 a7 62 7c 16 6c 89 38
         5c de 80 87 4b be 7a 19 ff 5c 5e 1a cd 94 eb 26 1b d4 90 4d d0 d2 a8 4e
         70 d0 b5 ab d9 10
         79 5a 3e d7 2d 66 54 ba e0 a7 3a 85 fc dc 9b f8 98 53 82 8c 2c
         4e 07 24 f3 8d 51 be e6 e4 a7 de 11

   {server}  derive secret "tls13 c ap traffic":

      PRK (32 octets):  23 07 37 68 ca 09 44 ef de d6 a1 fd 0d 17 3e 7a 1f
         a7 51 b2 1b 6b f2 07 66 1c 2c 6d 61 79 fe e3 dc bb 80 85 b2 94 bc 29 f4 3f
         fe 1c 39 b6 4e 49 c7

      hash (32 octets):  ad 7f 35 b9 42 29 61 a5 31 34 a3 4c d0 91 f1 be 86 fe fe ce 76 1c 74 0e 47 19
         77 4f e9 ee c7 0e d5 3f 29 fa ec af b1 f2 9c 0b

      info (54 octets):  00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72
         61 66 66 69 63 20 ad 7f 35 b9 42 29 61 a5 31 91 f1 be 86 0e 47
         19 77 4f e9 ee c7 0e d5 3f 29 fa ec af b1 f2 9c 0b

      output (32 octets):  4f c9 93 4a 78 39 af bf b1 ad d1 e0
         4a 09 f9 13 90
         aa 58 f8 16 83 b0 55 75 15 26 0d 8b 40 60 8d 63 b0 86 38 78 c0 b9 9f 6c da aa

   {server}  derive secret "tls13 s ap traffic":

      PRK (32 octets):  23 07 37 68 ca 09 44 ef de 1b d7 75 91 4b 81 24 d6 a1 ec
         42 e6 74 fb e4 8b c6 cf 5a 08 cf fa 98 00 15 08 61 33 27 85 6e
         d7 3f 95 2d b6 fd 17 9f eb 08 85 56 6d 91 79 3e 7a 1f
         a7 51 b2 1b 6b f2 07 66 1c 50 34 ac da 39 8b
         40 3b 6a ce 62 35 47 d5 2f f7 19 98 fe 31 a1 ef d7 f6 fb 85 ea
         b2 06 94 bc 29 db f4 49 c7

      hash (32 octets):  ad 7f 35 b9 42 29 61 a5 d5 00 0f 22 10 bc 3d 31 91 f1 be 86 0e 47 19
         77 4f 24 22 f9 d5 8d e9 ee c7 0e d5 d3 60
         39 bf 8f ae e9 e8 38 33 8c bf 36 b2 b4 82 bd b5 2c 1d 52 32 3b
         a7 4f b2 42 30 64 f9 3f 29 e7 dc 11 54 4f cd ac 52 10 b8 78 91 a1
         7a 14 9b 3c 83 a8 f5 f4 ed b7 63 53 82 01 f7 77 d6 0a e0 5f 36
         a8 2a d6 50 a0 8d a3 64 0e 97 4d 90 ab a9 31 c1 4d 81 c6 ed 19
         1f 32 36 28 72 d1 0b f9 a6 b7 3a c2 a9 e2 89 7b a0 df 61 c6 97
         35 37 a1 10 e5 d4 6c 35 62 75 89 65 36 f3 16 18 72 2a 56 ff 7d
         b2 8a 53 c6 c7 73 3c bb 47

   {server}  derive secret "tls13 c ap traffic":

      PRK (32 octets):  fa 2f 37 bc 3a 87 b5 9c 46 10 26 27 17 59 84 d8
         4e 03 5f a5 64 75 9c 1e ec af 3b 96 4c e9 7a 1f 14

      hash (32 octets):  87 c5 9a d5 4c f0 89 e9 40 06 d8 eb b0 80 8f 8e
         32 e5 44 b1 f2 9c 0b b0 79 18 3b 8b eb 89 8e 80 b6 5a 6c

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 63 20 61 70 20 74 72
         61 66 66 69 63 20 ad 7f 35 b9 42 29 61 a5 31 91 f1 be 86 0e 47
         19 77 4f e9 ee c7 0e 87 c5 9a d5 3f 29 fa ec af b1 f2 9c 0b

      output 4c f0 89 e9 40 06 d8 eb b0 80 8f
         8e 32 e5 44 b1 b0 79 18 3b 8b eb 89 8e 80 b6 5a 6c

      output (32 octets):  71 9b 77 1c 5c 65 41 32 a7 25 1f 09 12 92  f7
         68 b6 d8 9f 1a e9 97 5d 12 75 6a 41 53 17 a4 4c 63 01
         6e 98 39 5d 1e cd da 48 9b cc af 36 f3 1f 79 44 05 00 fc 16 68 b2 b7 4a 3e 86 3f 87 35

   {server}  derive secret "tls13 exp master": s ap traffic":

      PRK (32 octets):  23 07  fa 2f 37 68 ca 09 44 ef de d6 a1 fd bc 3a 87 b5 9c 46 10 26 27 17 3e 59 84 d8
         4e 03 5f a5 64 75 9c 1e ec 3b 96 4c e9 7a 1f
         a7 51 b2 1b 6b f2 07 66 1c b2 94 bc 29 f4 49 c7 14

      hash (32 octets):  ad 7f 35 b9 42 29 61 a5 31 91 f1 be 86 0e 47 19
         77 4f e9 ee c7 0e  87 c5 9a d5 3f 29 fa ec af 4c f0 89 e9 40 06 d8 eb b0 80 8f 8e
         32 e5 44 b1 f2 9c 0b b0 79 18 3b 8b eb 89 8e 80 b6 5a 6c

      info (52 (54 octets):  00 20 10 12 74 6c 73 31 33 20 65 78 70 73 20 6d 61 73 70 20 74 65 72 20 ad 7f 35 b9 42 29
         61 a5 31 91 f1 be 86 0e 47 19 77
         4f e9 ee c7 0e 66 66 69 63 20 87 c5 9a d5 3f 29 fa ec af 4c f0 89 e9 40 06 d8 eb b0 80 8f
         8e 32 e5 44 b1 f2 9c 0b b0 79 18 3b 8b eb 89 8e 80 b6 5a 6c

      output (32 octets):  9d 07 cc 4a ef bc c1 f1 75 81 54 ac 1a ba 78
         8b 0e d5 f3 1b bc 7f a4 ca dd ce 7a 09 7a 3e  e4 25 42

   {client}  extract secret "early":

      salt:  (absent)

      ikm (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 b9 1b e3 2a

   {client} 43 fb 9e 5b 7d 9a 00 2d
         59 d8 c7 47 b0 83 b5 72 76 ed 98 bd 46 89 33 f6 72

   {server}  derive secret for handshake "tls13 derived": exp master":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2  fa 2f 37 bc 3a 87 b5 9c 46 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 27 17 59 84 d8
         4e 03 5f a5 64 75 9c 1e ec 3b 96 4c e9 7a 1f 14

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14  87 c5 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 d5 4c a4 95 99 1b 78 52 b8 55 f0 89 e9 40 06 d8 eb b0 80 8f 8e
         32 e5 44 b1 b0 79 18 3b 8b eb 89 8e 80 b6 5a 6c

      info (49 (52 octets):  00 20 0d 10 74 6c 73 31 33 20 64 65 72 69 76 78 70 20 6d 61 73
         74 65 64 72 20 e3 b0 c4 42 98 fc 1c 14 87 c5 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 d5 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 9c 48 25 0c f0 89 e9 40 06 d8 eb ea c3 57 6c 36 11 ba

   {client}  extract secret "handshake":

      salt (32 octets):  6f 26 15 a1 08 c7 02 c5 67 b0 80 8f 54 fc 9d ba b6 97
         16 c0 76 8e 32
         e5 44 b1 b0 79 18 9c 48 25 0c 3b 8b eb ea c3 57 89 8e 80 b6 5a 6c 36 11 ba

      ikm

      output (32 octets):  14 2d 61 52 63 bc e0 27 60 74 9e c8 d3 4a ad f2 5e 22 3a 2c e6 fb 59 f8 a0 f9 d1
         d7 5f 18 87 df 8e ac
         7a b0 6c 0f ff f8 47 6d c3 c5 ce 85 0f 47

      secret c1 e3 87 85 a0 33 8b 7e 74 d4 65 b2

   {server}  derive write traffic keys for application data:

      PRK (32 octets):  79 07 c2 82 34 f1 6c a8 71 a4 6b eb  e4 25 da 54
         7f dc 8a ab 96 d1 4e ef f8 0f 5b 12 f9 ad 8a c9 d6

   {client}  derive secret "tls13 c hs traffic" (same as server)

   {client}  derive secret "tls13 s hs traffic" (same as server)

   {client}  derive secret for master "tls13 derived" (same as server)

   {client}  extract secret "master" (same as server)

   {client}  calculate finished "tls13 finished" (same as server)

   {client}  derive secret "tls13 c ap traffic" (same as server)

   {client}  derive secret "tls13 s ap traffic" (same as server)

   {client}  derive secret "tls13 exp master" (same as server)

   {client}  calculate finished "tls13 finished":

      PRK (32 octets):  40 2b 60 6f 3c b0 c8 5b 6d bf fb fd a9 df 79 14
         58 4a 0e 33 b9 21 1b e3 2a 43 fb 9e 5b 7d 9a 00 2d 59
         d8 c7 47 b0 83 b5 e9 0b a4 81 f2 5c 4b 94 e2

      hash (0 octets):  (empty) 72 76 ed 98 bd 46 89 33 f6 72

      key info (18 (13 octets):  00 20 0e 10 09 74 6c 73 31 33 20 66 69 6e 69 73 68 6b 65
         64 79 00

      key output (32 (16 octets):  47 af c3 66 da 4c 2d 41 64 19 fe c6 f7 af f1
         3c 58 9b 56  4e 01 d3 e4 ac 71 a2 6a da e0 b6 f3 7a 8d f5 2e a1 d9 33

   {client}  send a Finished handshake message

   {client}  send handshake record:

      payload (36 83 4b b5 71 29 bb 88
         bf d6

      iv info (12 octets):  14 00  00 20 3a d4 3d b6 d0 42 77 0c 3f 79 f7
         a9 1a cc 0a 41 1f 1b 92 21 f0 3f 9d 2a 6b 92 c4 d1 54 51 19 ed

      ciphertext (58 octets):  17 03 03 00 35 32 d7 1d 7f 1b 8e f2 da f3
         58 4c 08 74 6c 09 c7 4a ed 85 6e 75 59 4e 6f 14 67 4c d9 48 f2 73 31 33 20 69 ab
         c1 cc 0e b7 bb 10 76 00

      iv output (12 octets):  a4 45 51 78 88 83 8f 51 34 75 a2 59 ef 80 9b 0f
         94 1f

   {client} 9e a6 d6 d7 fb 65 91 6b b8 fa

   {server}  derive secret "tls13 res master": read traffic keys for handshake data:

      PRK (32 octets):  23 07 37  ed 5d 2e 57 8f 39 41 2a 63 a1 8e 68 ca d4 52 e4 09 44 ef de d6 a1 fd 17 3e 7a 1f
         a7 51 b2 1b 6b f2 07 66 1c b2 94 bc
         21 5b 42 a8 63 40 29 f4 49 f2 4c c9 c7

      hash (32 octets):  2d eb 11 8e 31 f3 d3 8b 38 bb 3c 4d 29 de 1f cc 26 46 d2 21
         ac e6 1f 97 fa 79 75 92 23 7a 65 9c 2b 6b 93 51

      key info (52 (13 octets):  00 20 10 09 74 6c 73 31 33 20 72 65 73 20 6d 61 73
         74 6b 65 72 20 2d eb 11 8e 31 f3 d3 8b 38 de 1f cc 26 46 d2 21 ac
         e6 1f 97 fa 79 75 92 23 7a 65 9c 2b 6b 93 51 00

      key output (32 (16 octets):  ba dd 11  fd 24 5c 26 ad f0 7b 59 f9 d1 90 85 0f e2 d3 1b f9 6d 87 fe
         f2 56 1e 4e 69 d6
         5d 2d

      iv info (12 octets):  00 0c cc 92 3b 08 4a cd 70 6e 74 6c 73 31 33 20 69 76 00 cd 54

      iv output (12 octets):  bd 1f de f0 52 bb 30 8c 0a 88 c1 1c

   {client}  extract secret "early":

      salt:  (absent)

      ikm (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 5b cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70

   {server}  calculate finished "tls13 finished" (same as client)

   {server} f9 2a

   {client}  derive secret for handshake "tls13 res master" (same as client)

   {server}  generate resumption secret "tls13 resumption": derived":

      PRK (32 octets):  ba dd 11  33 ad f0 7b 59 f9 d1 90 56 1e 4e 69 d6 5d
         2d 0c cc 92 0a 1c 60 7e c0 3b 08 4a 09 e6 cd 70 6e 98 93 68 0c e2
         10 ad f3 00 cd 54 e6 5b aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (2 (32 octets):  00 00  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (22 (49 octets):  00 20 10 0d 74 6c 73 31 33 20 72 64 65 73 75 6d 70 74 72 69 6f 6e 02 00 00

      output (32 octets): 76 65 64
         20 b3 ed 07 48 e3 b0 c4 42 98 fc 1c 14 86 03 09 cd 47 9a fb 81 0b 36
         9c f1 86 b7 09 7c b7 76 ff 57 f8 a7 ce 12 18 fa fa

   {server}  send a NewSessionTicket handshake message
   {server}  send handshake record:

      payload (205 f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  04 00 00 c9 00 00 00 1e 1a 46 fe 8d  6f 26 15 a1 08 c7 02 00
         00 00 b2 f7 34 a8 af c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 42 36 ce f0 ae ea b1 00 00 00 00 68 2d
         66 eb 29 13 c9 9c 48 25 0c eb 94 c6 9a ea c3 57 51 5d df 2f 00 70 c2 f3 4f 9b 2e
         d5 a5 30 91 6c 36 11 ba

   {client}  extract secret "handshake":

      salt (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c9 d7 4f ca c0 76 18 9c 48 25 0c eb 2b f8 87 51 9a a5 5a 7c 83 ff 27
         fd ea c3 72 ba ec 38 7d be 58 8e d6 27 4b 1f f5 13 57 6c 36 11 ba

      ikm (32 octets):  de 19 c3 5f f1 64 46 31 c4 b4 59 9a 22 2c ee eb
         31 aa 4c f3 03 ef 15 48 de 68 ea 4a
         39 ce 79 08 7c 6e 75 42 b4 9c 7c 0e 83 c9 4b 97 fc 2a 29 73 27 71 8b
         29 bf 63 6a dd 4e 6b 46 a4 1d f2 3f 45 01 78 1c

      secret (32 octets):  95 96 d5 36 cf ab b0 51 28 80 20 69 b3 c3 66 39 1f
         b2 6c e5 75
         d4 c9 f1 87 eb e5 48 07 1b 51 19 97 59 36 a8 cd da 1f 8c 4b 10 f9 4c f7 ce 94 aa 08
         17 66 b5 f0 26 54 04 5e 6b

   {client}  derive secret "tls13 c hs traffic" (same as server)

   {client}  derive secret "tls13 s hs traffic" (same as server)

   {client}  derive secret for master "tls13 derived" (same as server)

   {client}  extract secret "master" (same as server)

   {client}  derive read traffic keys for handshake data:

      PRK (32 octets):  76 53 d6 19 95 c3 c7 b9 a7 2a a8 86 64 63 d9 d7 7f 9c db 81 e6 27 82 c1 33 2e 22 0c
         55 2c dc 6e f8 80 0d e0 63
         e2 c4 10 1d 52 15 01 1c 8a 28 36 6e 8a 44 48 4b e7 ee f7 64 3d c3 8d 00 08 00 2a 00 04 00 9b b3

      key info (13 octets):  00
         04 10 09 74 6c 73 31 33 20 6b 65 79 00

      ciphertext (227

      key output (16 octets):  17 03 03 00  6b de ce 84 1b 0a 34 c4 42 3c f3 5b f4 a7 ec 1a b0
         aa 06

      iv info (12 octets):  00 0c 08 4c ba 5c 21
         cd 70 f7 30 28 18 7c c9 a0 e9 e5 b8 88 f8 d0 ca 5a f7 7d df 96
         eb cd fd 1e 70 c6 8b a2 44 a9 64 3d c8 c2 b3 9c 93 3d 0e a9 1a
         8d 7a 35 df db 3d c3 45 57 bb eb e8 0c a4 0b 64 b8 45 cd 04 b2
         18 2e 74 6c 73 59 f5 53 60 0b 1b 1f 8a c1 29 fd 3c f5 eb 79 91 3a e4
         27 02 a3 10 a7 17 5d e1 15 c7 fd 77 00 06 54 2d cf 8a 7a 94 53
         8d 96 d9 71 72 02 28 4b ed af f5 ff ec a0 23 10 92 12 3e a6 b0
         bc 12 99 ae c3 a9 8c 44 27 e4 35 7c 38 16 d0 a6 c5 d0 93 aa d5
         9c 09 5c 99 31 33 20 69 76 91 b5 88 cc 3c 10 8e 95 d7 f8 39 f9 ec 2c a5 18
         2c 80 53 12 a1 c2 d0 32 88 80 97 c1 4e 38 5a 3c c5 e9 37 0e b6
         49 08 05 4b 52 64 4e 35 09 2a 34 4a 74 77 b8 bb be fb 00

      iv output (12 octets):  22 a8 ff
         c3 9e 84 ac 07 9a 1b e6 53 89 9a 59 a4 e5 51

   {client}  generate resumption  calculate finished "tls13 finished" (same as server)

   {client}  derive secret "tls13 resumption" c ap traffic" (same as server)

   {client}  send application_data record:

      payload (50 octets):  00 01 02 03 04 05 06 07 08  derive secret "tls13 s ap traffic" (same as server)

   {client}  derive secret "tls13 exp master" (same as server)
   {client}  derive write traffic keys for handshake data (same as
      server read traffic keys)

   {client}  derive read traffic keys for application data (same as
      server write traffic keys)

   {client}  calculate finished "tls13 finished":

      PRK (32 octets):  ed 5d 2e 57 8f 39 41 2a 63 a1 8e 68 d4 52 e4 09 0a 0b 0c 0d 0e
         0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20
         21 22 23
         24 25 26 27 28 5b 42 a8 63 40 29 2a 2b 2c 2d 2e 2f 30 31

      ciphertext (72 f2 4c c9 c7 bb 3c 4d 29 de

      hash (0 octets):  (empty)

      info (18 octets):  17 03 03  00 43 18 8a fa 7b 29 8e 8d ef c3
         eb 5e f8 2f dc 60 92 3b b5 5c ca 31 a5 64 63 df ec 71 7a aa 99
         77 9c c6 1f bf ca 90 73 b9 95 51 20 0e 74 6c 73 a0 b7 1c 1b f2 b9 2d b0 60 31 33 20 66 69 6e 69 73 e9 68 65 5b
         64 00

      output (32 octets):  3a db dd 16 1f ca 16 ee 0b 3e 12 ef 76 d8 c8 ee c3 58 09 98
         0a 62 86 91 12 aa 35

   {server} 14 6f ac 25 d2 7b a9 7b 2a fa 3a 66 f9 b0

   {client}  send application_data a Finished handshake message

   {client}  send handshake record:

      payload (50 (36 octets):  14 00 01 02 03 04 05 06 07 08 00 20 e4 dd f9 c5 4e 5c 65 83 5b e0 e9
         f2 57 03 09 0a 0b 0c 0d 0e
         0f 10 11 12 b1 06 f6 72 6e c0 88 2f ca e7 13 14 15 16 17 18 19 1a 8b d7 93 cc c7 1b 1c 1d 1e 1f 20 21 22 23
         24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31

      ciphertext (72 (58 octets):  17 03 03 00 43 d8 27 0a 4b 0b a6 35 e8 a7 c0 74 c3
         83 0b 15 58 a1 cb 89 13 e2 21 d7 08 73 d2 d5 90 fb a2
         33 ee 02 74 58 e2 46 11 a0 b7 1e 8c 3c ba 0b d4 7f 9c 54 28 97 0c ec de d3 bd 66 ce 03 13 db ae 95 24 95 98
         12 7a af 08 ed 15 b8 86 7b 08 67 e2 71 8e e4 d0 ef bc 3f 8a 4d 7e 35
         04 3c 46 48 40 d8 7d eb 66 b7 7d 40 df 36 aa 7d 1d 9c e3 97 38 21 e9 a9
         ca dd

   {client}  send alert record:

      payload (2  derive write traffic keys for application data:

      PRK (32 octets):  f7 1a e9 97 5d 12 75 6a 41 53 17 a4 4c 63 01 00

      ciphertext (24 6e
         98 39 5d 1e cd da 48 9b cc af 4a 3e 86 3f 87 35

      key info (13 octets):  17 03 03  00 13 d5 92 9a 67 ba 50 4f 19 3a
         59 7d 3a ab 2d c3 f9 04 12 7d

   {server}  send alert record:

      payload (2 octets):  01 10 09 74 6c 73 31 33 20 6b 65 79 00

      ciphertext (24

      key output (16 octets):  17 03 03 00 13 69 ed b3 40 6d 1e 57 51 97
         75  ac 85 66 33 d0 d3 1c 93 c8 53 ba 4a c9 27 19 e0 5d 71 18 67

4.  Resumed 0-RTT Handshake

   This handshake resumes from the handshake in Section 3.  Since the
   server provided a session ticket that permitted 0-RTT, and the client
   is configured for 0-RTT, the client is able to send 0-RTT data.

   {client}  create an ephemeral x25519 key pair:

      private key (32 51 b5
         de f8

      iv info (12 octets):  25 ee 23 7a  00 0c 08 74 6c 73 31 33 20 17 69 76 00

      iv output (12 octets):  0d a9 f7 fe 9e 8d f9 98 ee e8 7f 37 60 53
         e1 28 50 9a be 65 e7 87 34 4f f2 b9 ff 9d 04 fd 13 8a fa

      public key 05 12 e5 46

   {client}  derive secret "tls13 res master":

      PRK (32 octets):  fa 5d e3 00 e6 9f 05 d6 19 a4 28 fc fb 02
         88 2f 37 bc 3a 87 b5 57 b6 40 6a 9c 46 10 26 fc 51 13 c0 27 17 59 84 d8
         4e 4a 3c 86 9a 44 03 5f a5 64 75 9c 1e ec 3b 96 4c e9 7a 1f 14

   {client}  extract secret "early":

      salt:  (absent)

      ikm

      hash (32 octets):  80 ec 58 20 b3 ed 07 48 14 86 03 09 cd 47 fb 81 0b 36 9c
         f1 86 b7 09 7c b7 76 ff 57 f8 a7 ce 12 18 fa fa

      secret (32 octets):  35 10 b5 e7 47 ce ef 42 b1 fe ff e7 a7 4f dc
         0f 52 a5 ee fc a2 b6 76 f2 d2 75 b0 82 4e 06 17 c8 64 56 16

   {client}  send a ClientHello handshake message

   {client}  calculate finished "tls13 finished":

      PRK (32 octets):  de 0c 49 be 25 cd 0a b1 79 a9 d1 be e0 5a c0 cc
         a0 3d 51 10 4f cc ac db 7a 13 12 b6 35 77 80 c4 ad 21 40 5a db 2c

      hash (0 octets):  (empty)
         4f 36 36 f0 09 11 33 eb f4 0b 9e 83 4c a4 81 45

      info (18 (52 octets):  00 20 0e 10 74 6c 73 31 33 20 66 69 6e 69 72 65 73 68 20 6d 61 73
         74 65
         64 00 72 20 80 ec 58 20 f2 d2 75 b0 7a 13 77 80 c4 ad 21 40 4f
         36 36 f0 09 11 33 eb f4 0b 9e 83 4c a4 81 45

      output (32 octets):  e6 12  af b3 24 d1 ef b4 01 4b 18 aa e8 db 83 4e 12 6c 40 8d c0 40 5b da e8 e8 bf f1 17 a4 c3 2f a6 a8 40 3b df
         bb 14 8c 35 39 77 c6 27 ad 59 5a 68

   {client}  send handshake record:

      payload (512 octets):  01 00 01 fc 03 03 f4 74 90 c6 31 61 6b 80
         01 47 e5 62 01 b1 13 6d b0 04 92 0c f7 12 84 e8 d9 56 2a 77 fb f9 77 1d
         8a a4 60 8b 48 4d

   {server}  calculate finished "tls13 finished" (same as client)

   {server}  derive read traffic keys for application data (same as
      client write traffic keys)

   {server}  derive secret "tls13 res master" (same as client)

   {server}  generate resumption secret "tls13 resumption":

      PRK (32 octets):  af b3 24 6c 40 8d c0 40 5b a4 c3 2f 40 3b df bb
         14 8c 27 ad 59 5a 92 0c f7 12 84 e8 60 8b 48 4d

      hash (2 octets):  00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00
         09 00

      info (22 octets):  00 06 20 10 74 6c 73 65 31 33 20 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12
         00 1d 00 17 00 18 73 75 6d 70 74
         69 6f 6e 02 00 19 01 00 01 01 01 02 01

      output (32 octets):  cd 0b 4e db 66 32 41 4e 03 01 e9 a1 fb 9c bf 10
         68 c1 3d 7e 0f 94 f7 1d a2 6a 69 51 ba f7 52 9e 76

   {server}  send a NewSessionTicket handshake message

   {server}  send handshake record:

      payload (205 octets):  04 00 28 00
         26 00 24 c9 00 1d 00 20 fa 5d e3 00 e6 9f 05 d6 19 a4 28 fc fb 02
         88 b5 57 b6 40 1e 83 6a 26 fc 51 13 c0 4e 4a 3c 86 9a 44 14 d9 92 02 00 2a
         00 00 b2 20 69 93 e6 82 7e f6 98 84 68 d2 55 00 2b 00 03 02 7f 16 00 0d 00 20 6a 30
         23 72 43 90 67 fc 81 f4 d3 17 f1 b1 ef 33 00 1e 04 03 05 03 06 03 02
         03 08 04 70 15 93 bc b0 32
         cc ea 52 8c 5a 07 c3 7b 16 6f 89 7a 83 b7 15 48 18 b7 d1 1a 4e
         90 7c da 4e 3f af 48 95 97 21 44 b3 a7 d9 96 8d 96 28 b6 e5 66
         9c ce f4 26 0e 45 d6 4d 22 d3 b6 1a b5 7b 7f 59 dd f7 e2 cf 7a
         19 6f 9a 32 a3 d9 4f ea 13 eb 25 ab 2d 73 35 78 83 80 dc e7 4d
         47 76 8e cf f4 67 9e 88 af ac a6 18 97 b9 1c 53 ee 85 82 2c 9f
         08 7b e4 05 8f ed 0d 6e b5 e2 68 e6 54 f4 ec 0c 67 5f fb 08 6e
         06 7d 04 01 05 01 06 01 02 01 04 02 05 02 06 02
         02 02 00 2d 00 02 01 01 00 15 00 5d 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 39 e3 9d ca f1 fb 60 31 98 db 00 08 00 2a 00 04 00 00
         04 00

      ciphertext (227 octets):  17 03 03 00 de a7 77 b6 77 11 b5 34 f1
         0e 38 1f 45 1f 16 da 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 29 00 20 dd 00 b8 00 b2 f7 34 a8 af 18 42 36 ce f0 ae ea b1 00
         00 00 00 68 2d 66 eb 29 13 c9 eb 94 c6 9a 57 51 5d df 2f 00 70 af a4 9d b4 62 c2 f3 4f 9b 2e d5 a5 30 91 16 c9 d7 4f 35 dc cc 6d
         bf c6 39 9c 7e ec 88 ae 2a d6 8b 97 ca eb 2b f8 87 51 9a a5
         5a 23 b1 72 15 59 e6 6f 67
         7c 83 ff e6 8c d1 06 7f 41 27 fd c3 7b ac 40 bb b9 3e 5b 81 0d b4 3c 1c 80
         bd 8b 72 17 17 ba ec 38 7d 23 c6 a0 52 ef 78 b6 dc 2b be 58 8e d6 27 4b 1f f5 13
         6c eb 68 ea 4a 39 ce 79 08 7c 6e 75 42 b4 9c 7c 0e 4b 97 fc 2a
         29 73 27 71 da e0 06 77
         8b 29 bf 63 6a dd 4e 6b 46 a4 1d f2 ab 88 a7 a5 d1 7e a3 b6 3f 45 01 28 80
         20 b2 12 6c e5 75 d4 c9 24 67 33 cc 15 b6 28 b5 b7
         43 71 6d 85 f8 f1 87 eb f6 77 32 91 c7 37 ae 06 f5 f6 ae 95 6b c3 00
         5d f2 a0 64 94 b0 65 77 68 84 3a e8 fe 95 0e be 81 da 4a c9 9c
         34 e8 e5 48 07 1b 73 d5 99 63 75 bb 82 2b 51 19 8c 4b 10 f9 4c 67 b4 ae 3f 9c 06 76 f7 ce e7
         94 aa a1 61 0f cb 12 e8 f7 9f 08 75 91 3d b9 67 c8 17 a7 2a 90 e9 6f 60
         4e dd 6c 06 c7 70 a2 c0 a8 86 64 63 d9 d7 7f 9c db 81 e6 f6 50 27 82
         c1 33 2e 8d 22 03 94 8e a6 b2 3c 14
         d3 89 97 4a

   {client}  generate resumption secret "tls13 resumption" (same as
      server)

   {client}  send application_data record:

      payload (50 octets):  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 55 2c dc 44 48 4b e7 ee f7 64 3d c3 8d 0d 0e
         0f 10 11 12 13 14 15 16 17 18 19 1a 46 fe
         90 00 21 1b 1c 1d 1e 1f 20 34 60 d2 6b d5 55 86 97 91 90 dd 6d 8f 21 22 23
         24 25 3d f3 fa
         d7 d1 64 61 26 27 28 f3 d9 3d 51 57 21 3b 90 86 b3 29 2a 2b 2c 2d 2e 2f 30 31

      ciphertext (517 (72 octets):  16 03 01 02 00 01 00 01 fc  17 03 03 f4 74
         90 c6 31 61 6b 80 01 47 e5 62 01 b1 13 6d b0 04 92 f7 e8 00 43 98 45 d6 12 28 f1 d9 56 a5 da
         a3 2a 77 fb f9 77 1d 06 64 2c 43 68 1c cf 70 65 24 e2 8d 57 15 2f 6b 8f ac d0
         89 fc 98 26 83 c3 30 a3 e1 1f 16 c5 f7 5d 2d 49 21 5c c0 8a 13
         a1 ec fd 41 a4 6c 1b b1 38 c9 63 48 92 ab 22 63 00

   {server}  send application_data record:

      payload (50 octets):  00 06 13 01 13 03 13 02 01 00 01
         cd 00 00 00 0b 00 09 00 00 03 04 05 06 73 65 72 76 65 72 ff 01 00 01 00
         00 07 08 09 0a 00 14 00 0b 0c 0d 0e
         0f 10 11 12 00 1d 00 13 14 15 16 17 00 18 00 19 01 00 01 01 01 02 01
         03 01 04 00 28 00 26 00 24 00 1a 1b 1c 1d 00 1e 1f 20 fa 5d e3 00 e6 9f 05 d6
         19 a4 28 fc fb 02 88 b5 57 b6 40 6a 21 22 23
         24 25 26 fc 51 13 c0 4e 4a 3c 86
         9a 44 14 00 27 28 29 2a 00 00 00 2b 00 03 02 7f 16 00 0d 00 20 00 1e 04
         03 05 03 06 2c 2d 2e 2f 30 31

      ciphertext (72 octets):  17 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01
         04 02 05 02 06 02 02 02 00 2d 00 02 43 01 0a 55 e6 e1 14 d0 51 60
         0a b9 5e e7 a3 03 82 3a 23 ae c5 79 be df fa 3f c3 e0 30 18 01 00 15 00 5d 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 29 00 dd 00 b8 00 b2 f7 34 a8
         95 f8 83 6b 58 3b af 18 42 36
         ce f0 9a 14 ae c3 77 be 43 73 a1 a5 ea b1 00 a1 4e af
         87 9d 3f ca 6f 9b 7e 46 bc 05 46 83 5d 76 71 e8

   {client}  send alert record:

      payload (2 octets):  01 00

      ciphertext (24 octets):  17 03 03 00 13 5f 93 e1 bd 82 9d 2b 00 68 2d 66 eb 29 9c
         ad ac 13 c9 eb 3b 7f 0c 1e 8c 94 c6 9a 57
         51 5d df 2f 40

   {server}  send alert record:

      payload (2 octets):  01 00 70 c2 f3 4f
      ciphertext (24 octets):  17 03 03 00 13 09 39 38 d7 0c 6a 9b 1c 9c
         2e d5 a5 30 91 16 c9 d7 4f ca eb
         2b f8 87 51 9a a5 5a 7c 83 ff 27 fd c3 72 ba ec 38 7d be 35 6b 60 58 8e
         d6 80 70 27 4b 1f f5 13 6c eb 68 ea 4a 39 ce 79 08 7c cd 6e

4.  Resumed 0-RTT Handshake

   This handshake resumes from the handshake in Section 3.  Since the
   server provided a session ticket that permitted 0-RTT, and the client
   is configured for 0-RTT, the client is able to send 0-RTT data.

   {client}  create an ephemeral x25519 key pair:

      private key (32 octets):  7f cf 6e 75 42 b4 9c
         7c 0e 4b 97 fc 2a 29 73 27 71 8b 29 bf fb 63 6a dd 4e 6b 46 a4 1d
         f2 3f 45 01 28 80 20 b2 6c e5 75 d4 c9 f1 87 eb e5 48 07 1b 51
         19 8c 4b 10 f9 4c f7 3f 0a 1d 23 99 fb
         ce 94 aa 08 e4 d0 69 39 6c 17 a7 2a a8 86 64 63 02 62 fb d9 d7 7f
         9c db 81 e6 27 82 c1 33 2e 22 0c 55 2c dc 44 48 4b e7 ee f7 64
         3d c3 8d 1a f2 46 fe 90 00 21 20 81 11 af 24 ab 34 60 d2 6b d5 55 86 97 91 90 dd
         6d 8f 25 3d f3 fa d7 d1 64 61 28 f3 d9 3d 51 57 21 3b 90 86 b3

   {client}  derive secret "tls13 c e traffic":

      PRK

      public key (32 octets):  35 10  b5 e7 47 ce ef 42 b1 fe ff e7 a7 4f dc 0f
         52 a5 ee fc a2 b6 76 b0 82 4e 06 17 b4 ca 2e 51 9a c8 64 56 16

      hash 32 92 3e af 84 f4 13
         3d 53 b2 00 53 63 d5 a7 ad 8e 07 0b d0 fd 15 d6 92 08

   {client}  extract secret "early":

      salt:  (absent)

      ikm (32 octets):  89  cd 0b 4e e7 2f 01 a8 67 db 66 32 41 4e 03 e9 cc 87 5a 19 44 22 a1 fb 9c bf 10 8a
         e9 68
         c1 3d 7e 0f 94 f7 1d a2 6a 69 51 45 f9 43 b0 89 1f ba f7 52 9e 76

      secret (32 octets):  90 a6 5b c0 8e 4a 66 d4 a9 cf 3c ab 07 4f 12 fa c4 0a f7 ec 2d 85
         be d7 ae 08 af 83 1d 05 d7 0d 6c c0 a9 39 9c 1e 63

   {client}  send a ClientHello handshake message

   {client}  calculate finished "tls13 finished":

      PRK (32 octets):  04 5f b4 75 3e d5 65 30 5b 33 d2 04 0b 21 57 2d
         7d 24 b3 ee 18 e7 63 bd 1a 1b 20 cf 2a a6 1a 92

      hash (0 octets):  (empty)

      info (53 (18 octets):  00 20 11 0e 74 6c 73 31 33 20 63 20 65 20 74 72 61
         66 66 69 63 20 89 4e e7 2f 01 a8 67 e9 cc 87 5a 19 44 22 10 8a
         e9 51 45 f9 43 b0 6e 69 73 68 65
         64 00

      output (32 octets):  89 1f 3c ab 07 4f 12 fa c4 0a

      output (32 octets):  7b dd 21 10 35 33 b9 d8 2b ae 6c 26 be 3e 78
         e9 bd 37 91 42 96 24 db e0 a6 b3 9c e5 bf 69 eb 23

   {client}  derive secret "tls13 e exp master":

      PRK (32 octets):  35 10 b5 e7 47 ce ef 42 60 f7 a3 5f 8e e3 52 30 20 1e cf 77 f8 b1 fe ff e7 a7 4f dc
         29 8f 77 73 0f
         52 a5 ee 0d 84 ab 51 31 a4 bb 00 9b 4f 3d 1f

   {client}  send handshake record:

      payload (512 octets):  01 00 01 fc a2 03 03 0b 27 b6 76 b0 82 4e 06 17 c8 64 56 16

      hash (32 octets):  89 14 3a d0 49 dd
         d0 4e e7 2f 01 a8 67 e9 cc 87 5a 19 44 5c b7 bb 33 22 10 8a
         e9 51 45 f9 43 b0 89 1f 3c ab 07 4f 12 fa c4 d3 60 f6 0a

      info (54 octets): 9b 8e 65 07 bc 79 69 84 19 5b
         d4 e8 cb 00 20 12 74 6c 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00
         09 00 00 06 73 31 33 20 65 20 65 78 70 20 6d
         61 73 74 72 76 65 72 20 89 4e e7 2f ff 01 a8 67 e9 cc 87 5a 19 44 22 10
         8a e9 51 45 f9 43 b0 89 1f 3c ab 07 4f 12 fa c4 00 01 00 00 0a

      output (32 octets):  da 05 9b c4 d7 bd 6e 30 45 b3 df d8 ab c8 68
         1b 22 47 6f 44 b4 54 22 75 00 14 00 12 af a9 af c0 60 3f c1

   {client}  send application_data record:

      payload (6 octets):  41 42 43 44 45 46

      ciphertext (28 octets):  17 03 03
         00 1d 00 17 d8 3a 80 c1 65 49 bf 00 18 00 19 49
         38 a3 9c c1 54 a1 8b a7 cb bb a7 bf 01 00 01 01 01 02 e0

   {server}  extract secret "early" (same as client)

   {server}  calculate finished "tls13 finished" (same as client)

   {server}  create an ephemeral x25519 key pair:

      private key (32 octets):  a3 41 34 2b 44 be 43 fa 13 b5 a2 fa 30
         6a d7 01 03 01 04 00 33 00
         26 00 24 ef 7f 73 a0 87 ac be 4a 79 10 82 b6 00 cd 08 1d 00 20 b5

      public key (32 octets):  66 62 56 0e 42 6c b1 b4 ca 2e 51 9a c8 32 92 3e af 84 f4 13 d5
         3d 53 b2 00 53 63 b1 69 e9 72
         b5 c4 81 dd b6 cc f2 a5 79 39 ed d2 4b a9 e9 b6 2f 5f

   {server}  derive secret "tls13 c e traffic" (same as client)

   {server}  derive secret "tls13 e exp master" (same as client)

   {server}  send a ServerHello handshake message

   {server}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  35 10 b5 e7 47 ce ef 42 b1 fe ff e7 d5 a7 4f dc 0f
         52 a5 ee fc a2 b6 76 b0 82 4e 06 17 c8 64 56 16

      hash (32 octets):  e3 b0 c4 42 98 fc ad 8e 07 0b d0 fd 15 d6 92 08 00 2a 00
         00 00 2b 00 03 02 7f 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets): 00 20 0d 74 6c 73 31 33 00 20 64 65 72 69 76 65 64 00 1e 04 03 05 03 06 03 02
         03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02
         02 02 00 2d 00 02 01 01 00 15 00 5d 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 29 00 dd 00 b8 00 b2 20 e3 b0 c4 42 69 93 e6 82 7e f6 98 84 68 d2 55 00
         00 00 00 6a 30 23 72 43 90 67 fc 1c 14 9a fb 81 f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b d3 17 f1 b1 ef 33 00 70
         15 93 4c a4 95 99 1b 78 bc b0 32 cc ea 52 b8 55

      output (32 octets):  3c 5b 59 45 8c 5a 07 c3 7b 16 6f 89 ee 0f a2 f1 7a 83 b7 15 48
         18 d3 98 fc 3c 3e
         50 f7 13 21 65 bc 5e 20 b7 d1 1a 97 4e 90 7c da df 8e 36 ad 16 ba

   {server}  extract secret "handshake":

      salt (32 octets):  3c 5b 59 4e 3f af 48 95 97 21 44 b3 a7 d9 96 8d
         96 28 b6 e5 66 9c ce f4 26 0e 45 89 ee 0f a2 f1 18 d6 4d 22 d3 98 fc 3c 3e 50
         f7 13 21 65 bc 5e 20 b6 1a 97 da df 8e 36 ad 16 ba

      ikm (32 octets):  ca 49 06 0d 44 b4 58 b8 b5 7b 7f 59
         dd f7 e2 cf 7a 19 6f b7 2a 9a 32 a3 d9 4f ea 13 eb 25 ab 2d 73 35 78
         83 80 dc e7 4d 47 76 8e cf f4 67 9e 88 af ac a6 18 6e bc 44
         6b a8 97 b9 1c 53
         ee 85 82 2c 9f 08 7b e4 0e 05 8f b1 39 5c c7 f7 56 59 ee 86 f8 ed 0d 6e b5 e2 68 e6 54

      secret (32 octets):  6b a5 c1 83 92 4b a3 2c e0 99 85 c9 11 f2 97
         bb 0a f4 ec 0c
         67 5f fb 08 6e 06 7d 04 39 e3 9d ca f1 fb 60 31 98 db 83 6a d9
         95 00 21 20 58 34 0e ab 95 8d 02 3c 39 84 b4 82 81 0b 58 ec 53
         7c de 27 63 1a 6f 2e e8 88 25 19 88 f3 07 d3 d1 c6 a9 9d ca 87 1c 73 57 54

   {server}  derive secret "tls13 c hs traffic":

      PRK (32 1d 45 2f

      ciphertext (517 octets):  6b a5 c1 83 92 4b a3 2c e0 99 85 c9 11 f2 97  16 03 01 02 00 01 00 01 fc 03 03 0b 27
         b6 14 3a d0 49 dd d0 4e 5c b7 bb 33 22 d3 60 f6 0a 7c de 27 63 1a 6f 2e e8 88 25 19 88 f3 9b 8e 65 07 54

      hash (32 octets):  ef 88 42 5a 0d c1 df 66 77 f6 2d de 3e 93
         bc 79 b6
         39 83 b3 a0 89 66 db aa d7 69 84 19 5b d4 c9 c6 b1 79 b3 b7

      info (54 octets): e8 cb 00 20 12 74 6c 00 06 13 01 13 03 13 02 01 00 01
         cd 00 00 00 0b 00 09 00 00 06 73 31 65 72 76 65 72 ff 01 00 01 00
         00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01
         03 01 04 00 33 00 26 00 24 00 1d 00 20 63 20 68 73 20 74 72
         61 66 66 69 63 20 ef 88 42 5a 0d c1 df 66 77 f6 2d de 3e 93 79
         b6 39 83 b3 a0 89 66 db aa d7 d4 c9 c6 b1 79 b3 b7

      output (32 octets):  a2 ba 52 84 b5 b4 0e 7d 65 af ca 2e 51 9a c8 32
         92 3e af 93 c0 93 06 dd
         e4 70 98 a4 ee 28 4c 84 f4 6e 0b 59 09 fe 25 8c a6 4f

   {server}  derive secret "tls13 s hs traffic":

      PRK (32 octets):  6b a5 c1 83 92 4b a3 2c e0 99 85 c9 11 f2 97 bb
         0a 7c de 27 13 3d 53 b2 00 53 63 1a 6f 2e e8 88 25 19 88 f3 d5 a7 ad 8e 07 54

      hash (32 octets):  ef 88 42 5a 0b d0 fd 15
         d6 92 08 00 2a 00 00 00 2b 00 03 02 7f 1c 00 0d c1 df 66 77 f6 2d de 3e 93 79 b6
         39 83 b3 a0 89 66 db aa d7 d4 c9 c6 b1 79 b3 b7

      info (54 octets): 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
         61 66 66 69 63 20 ef 88 42 5a 0d c1 df 66 77 f6 2d de 3e 93 79
         b6 39 83 b3 a0 89 66 db aa d7 d4 c9 c6 b1 79 b3 b7

      output (32 octets):  58 6f 1a b9 cb 2d 93 70 66 1a 00 1e 0b c9 04
         03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01
         04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 15 00 5d 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 29 00 dd 00 b8 00 b2 20 69 93 e6 82 7e f6
         98 84 68 d2 55 00 00 00 00 6a 30 23 72 43 90 67 fc 81 f4 d3 17
         f1 b1 ef 33 00 70 15 93 bc b0 32 cc ea 52 8c
         39 1a 34 67 b9 9e bd 58 5a 07 c3 7b 16 c1 8c 46 a5 28 6e 96 77

   {server}  derive secret for master "tls13 derived":

      PRK (32 octets):  6b a5 c1 6f
         89 7a 83 92 4b a3 2c e0 99 b7 15 48 18 b7 d1 1a 4e 90 7c da 4e 3f af 48 95 97 21
         44 b3 a7 d9 96 8d 96 28 b6 e5 66 9c ce f4 26 0e 45 d6 4d 22 d3
         b6 1a b5 7b 7f 59 dd f7 e2 cf 7a 19 6f 9a 32 a3 d9 4f ea 13 eb
         25 ab 2d 73 35 78 83 80 dc e7 4d 47 76 8e cf f4 67 9e 88 af ac
         a6 18 97 b9 1c 53 ee 85 82 2c 9f 08 7b e4 05 8f ed 0d 6e b5 e2
         68 e6 54 f4 ec 0c 67 5f fb 08 6e 06 7d 04 39 e3 9d ca f1 fb 60
         31 98 db 83 6a d9 95 00 21 20 58 34 0e ab 95 8d 02 3c 39 84 b4
         82 81 0b 58 ec 53 7c d3 d1 c6 a9 9d ca 87 1c 73 57 54 1d 45 2f

   {client}  derive secret "tls13 c e traffic":

      PRK (32 octets):  90 a6 5b c0 8e 4a 66 d4 a9 cf 3c f7 ec 2d 85 be
         d7 ae 08 af 83 1d 05 d7 0d 6c c0 a9 39 9c 1e 63

      hash (32 octets):  02 ce c3 cc b1 be e9 72 06 ff bf 5b 0e db f9 43
         0a d8 02 05 96 0c 04 ba ff ad b6 dc d3 81 b9 0c

      info (53 octets):  00 20 11 74 6c 73 31 33 20 63 20 65 20 74 72 61
         66 66 69 63 20 02 ce c3 cc b1 be e9 72 06 ff bf 5b 0e db f9 43
         0a d8 02 05 96 0c 04 ba ff ad b6 dc d3 81 b9 0c

      output (32 octets):  b0 ea 52 04 68 97 4f 91 39 58 7d cf f5 6f 77
         85 69 96 02 fb c8 0c 0c 18 50 82 79 dc bf d0 7b 03

   {client}  derive secret "tls13 e exp master":

      PRK (32 octets):  90 a6 5b c0 8e 4a 66 d4 a9 cf 3c f7 ec 2d 85 be
         d7 ae 08 af 83 1d 05 d7 0d 6c c0 a9 39 9c 1e 63

      hash (32 octets):  02 ce c3 cc b1 be e9 72 06 ff bf 5b 0e db f9 43
         0a d8 02 05 96 0c 04 ba ff ad b6 dc d3 81 b9 0c

      info (54 octets):  00 20 12 74 6c 73 31 33 20 65 20 65 78 70 20 6d
         61 73 74 65 72 20 02 ce c3 cc b1 be e9 72 06 ff bf 5b 0e db f9
         43 0a d8 02 05 96 0c 04 ba ff ad b6 dc d3 81 b9 0c

      output (32 octets):  bc 79 ec a3 3d c5 5e 77 f4 a2 b3 1d e3 b2 eb
         b7 ff 1a 03 16 e6 a2 ea 2e 1e d1 88 1e 65 c0 ee ba

   {client}  derive write traffic keys for early application data:

      PRK (32 octets):  b0 ea 52 04 68 97 4f 91 39 58 7d cf f5 6f 77 85
         69 96 02 fb c8 0c 0c 18 50 82 79 dc bf d0 7b 03

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  ad 52 61 5a d7 8f ef c8 30 d7 b5 23 c5 6d
         39 6c

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  1a 68 22 06 82 d9 52 2f 6f d9 80 cb

   {client}  send application_data record:

      payload (6 octets):  41 42 43 44 45 46
      ciphertext (28 octets):  17 03 03 00 17 f0 a5 2c ad f2 f8 10 e3 ea
         31 4a 9e 0d 74 94 18 0c 07 e1 b6 dd 23 05

   {server}  extract secret "early" (same as client)

   {server}  calculate finished "tls13 finished" (same as client)

   {server}  create an ephemeral x25519 key pair:

      private key (32 octets):  73 c0 5e e2 5c db 68 51 18 f0 f7 dd 5f
         d2 dd 12 9d 17 a7 98 b9 1c c5 fe 62 ed 70 a9 ba af 53 2f

      public key (32 octets):  47 d1 32 89 df 6f a0 fc 57 3c 74 fa 73 40
         a2 6f 43 38 28 70 7d e5 72 7e 68 28 cb d0 81 9d a9 76

   {server}  derive secret "tls13 c e traffic" (same as client)

   {server}  derive secret "tls13 e exp master" (same as client)

   {server}  send a ServerHello handshake message

   {server}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  90 a6 5b c0 8e 4a 66 d4 a9 cf 3c f7 ec 2d 85 be
         d7 ae 08 af 83 1d 05 d7 0d 6c c0 a9 39 9c 1e 63

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  95 c5 f6 ae c8 48 4c ad 65 ee ff f1 0c 48 a8
         4f 34 d6 53 d6 59 91 bf de 13 69 81 97 b3 b9 b4 5d

   {server}  extract secret "handshake":

      salt (32 octets):  95 c5 f6 ae c8 48 4c ad 65 ee ff f1 0c 48 a8 4f
         34 d6 53 d6 59 91 bf de 13 69 81 97 b3 b9 b4 5d

      ikm (32 octets):  4f 81 91 7a 09 87 67 f2 22 5f cf 33 e8 a5 d5 33
         d6 88 3b d8 ee 16 00 b2 c5 e4 f0 e8 24 02 06 37

      secret (32 octets):  96 eb 95 b5 63 62 0c 58 ca d2 c7 37 0f b7 4b
         8f 55 b2 0e 28 bd bc 2d 70 6e 6f db aa 9e 9e 60 93

   {server}  derive secret "tls13 c hs traffic":

      PRK (32 octets):  96 eb 95 b5 63 62 0c 58 ca d2 c7 37 0f b7 4b 8f
         55 b2 0e 28 bd bc 2d 70 6e 6f db aa 9e 9e 60 93

      hash (32 octets):  ab e0 a2 b9 a8 84 3e 92 93 a8 36 91 96 7c fa 4c
         d0 8d 8e fc 0b 13 63 39 a9 1a 6d 01 45 3d 32 91

      info (54 octets):  00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72
         61 66 66 69 63 20 ab e0 a2 b9 a8 84 3e 92 93 a8 36 91 96 7c fa
         4c d0 8d 8e fc 0b 13 63 39 a9 1a 6d 01 45 3d 32 91

      output (32 octets):  50 26 86 51 18 93 2f ba 00 9f b8 84 c2 6c e1
         8e 44 96 c8 f3 57 dd f0 d1 a9 0b c2 7b 4c 31 92 9c

   {server}  derive secret "tls13 s hs traffic":

      PRK (32 octets):  96 eb 95 b5 63 62 0c 58 ca d2 c7 37 0f b7 4b 8f
         55 b2 0e 28 bd bc 2d 70 6e 6f db aa 9e 9e 60 93

      hash (32 octets):  ab e0 a2 b9 a8 84 3e 92 93 a8 36 91 96 7c fa 4c
         d0 8d 8e fc 0b 13 63 39 a9 1a 6d 01 45 3d 32 91

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
         61 66 66 69 63 20 ab e0 a2 b9 a8 84 3e 92 93 a8 36 91 96 7c fa
         4c d0 8d 8e fc 0b 13 63 39 a9 1a 6d 01 45 3d 32 91

      output (32 octets):  c9 23 18 b4 c5 6f ba 46 bf 6e ef 2a 9a 8f 02
         33 a2 8b ab 9b b9 66 67 4a 19 32 0b b5 3c 50 10 19

   {server}  derive secret for master "tls13 derived":

      PRK (32 octets):  96 eb 95 b5 63 62 0c 58 ca d2 c7 37 0f b7 4b 8f
         55 b2 0e 28 bd bc 2d 70 6e 6f db aa 9e 9e 60 93

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  b2 da f2 ee a8 bb d9 2b 5d 84 12 d4 26 7a 3c
         31 6c 09 cd 45 8e 71 ab dc c6 7b e6 b1 41 6c 0f 31

   {server}  extract secret "master":

      salt (32 octets):  b2 da f2 ee a8 bb d9 2b 5d 84 12 d4 26 7a 3c 31
         6c 09 cd 45 8e 71 ab dc c6 7b e6 b1 41 6c 0f 31

      ikm (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  c5 ee bf b8 6e 50 81 37 24 5d 79 91 9a 3d 43
         19 61 bc 0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6b 02

   {server}  send handshake record:

      payload (96 octets):  02 00 00 5c 03 03 3e 47 ec 55 17 e3 8e 7e f5
         cc bc 69 f9 2f 5b 20 b8 fa 46 a6 54 66 31 bb 99 fa 08 65 f4 af
         22 8c 00 13 01 00 00 34 00 29 00 02 00 00 00 33 00 24 00 1d 00
         20 47 d1 32 89 df 6f a0 fc 57 3c 74 fa 73 40 a2 6f 43 38 28 70
         7d e5 72 7e 68 28 cb d0 81 9d a9 76 00 2b 00 02 7f 1c

      ciphertext (101 octets):  16 03 03 00 60 02 00 00 5c 03 03 3e 47
         ec 55 17 e3 8e 7e f5 cc bc 69 f9 2f 5b 20 b8 fa 46 a6 54 66 31
         bb 99 fa 08 65 f4 af 22 8c 00 13 01 00 00 34 00 29 00 02 00 00
         00 33 00 24 00 1d 00 20 47 d1 32 89 df 6f a0 fc 57 3c 74 fa 73
         40 a2 6f 43 38 28 70 7d e5 72 7e 68 28 cb d0 81 9d a9 76 00 2b
         00 02 7f 1c

   {server}  derive write traffic keys for handshake data:

      PRK (32 octets):  c9 23 18 b4 c5 6f ba 46 bf 6e ef 2a 9a 8f 02 33
         a2 8b ab 9b b9 66 67 4a 19 32 0b b5 3c 50 10 19

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  0d 71 1f 45 1d c2 0e fc 7e f8 08 9b 44 79
         75 ac

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  ee 5d 71 8a 24 a8 e5 32 8d bc 58 00

   {server}  send a EncryptedExtensions handshake message

   {server}  calculate finished "tls13 finished":

      PRK (32 octets):  c9 23 18 b4 c5 6f ba 46 bf 6e ef 2a 9a 8f 02 33
         a2 8b ab 9b b9 66 67 4a 19 32 0b b5 3c 50 10 19

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets):  89 20 c8 40 6e b4 0e d6 66 66 68 95 ae 3d 8d
         12 67 0e c0 e4 5f 0b cb 63 cf ef f5 13 38 e8 1a 5b

   {server}  send a Finished handshake message

   {server}  send handshake record:

      payload (74 octets):  08 00 00 22 00 20 00 0a 00 14 00 12 00 1d 00
         17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 00 2a
         00 00 14 00 00 20 b5 06 45 62 14 0c b7 fa 10 da 9a 57 ff 61 7b
         f2 66 d7 14 b7 8b 59 41 a0 af 36 3f ac c1 8d a6 b0

      ciphertext (96 octets):  17 03 03 00 5b c8 2d 5e 2c 40 f0 77 cc 7d
         8b c6 f5 0a 61 52 c2 ff e0 d9 30 60 11 a6 c2 7c 1c 2a c3 88 4c
         a6 1e f2 08 46 fb c3 dd 91 19 4e 26 b6 9a 4a 74 73 a2 51 4d e7
         76 68 92 9d 4c 77 63 64 51 21 70 9f 8a 64 a2 9d 14 88 0b 6d f1
         04 08 b5 74 da 7e 2e 5d 0b 6c da 9d 18 4f fe 57 62 b5 5f

   {server}  derive secret "tls13 c ap traffic":

      PRK (32 octets):  c5 ee bf b8 6e 50 81 37 24 5d 79 91 9a 3d 43 19
         61 bc 0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6b 02

      hash (32 octets):  11 bf 9b 71 22 aa c5 07 85 59 ef 90 f7 8e e0 78
         32 a6 79 72 a2 c7 f4 bd 8f 56 15 d0 bc 19 7a 39

      info (54 octets):  00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72
         61 66 66 69 63 20 11 bf 9b 71 22 aa c5 07 85 59 ef 90 f7 8e e0
         78 32 a6 79 72 a2 c7 f4 bd 8f 56 15 d0 bc 19 7a 39

      output (32 octets):  bc 39 56 2d 42 a4 e7 62 8d cc 15 1b ba c1 16
         88 06 9c 1c 56 ca cd 17 d4 cc 53 4a bb 05 e3 c0 3e

   {server}  derive secret "tls13 s ap traffic":

      PRK (32 octets):  c5 ee bf b8 6e 50 81 37 24 5d 79 91 9a 3d 43 19
         61 bc 0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6b 02

      hash (32 octets):  11 bf 9b 71 22 aa c5 07 85 59 ef 90 f7 8e e0 78
         32 a6 79 72 a2 c7 f4 bd 8f 56 15 d0 bc 19 7a 39

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72
         61 66 66 69 63 20 11 bf 9b 71 22 aa c5 07 85 59 ef 90 f7 8e e0
         78 32 a6 79 72 a2 c7 f4 bd 8f 56 15 d0 bc 19 7a 39

      output (32 octets):  a2 05 9e be 09 34 8a d4 2b 1d 6a 72 01 9e 8f
         89 06 0d e5 9f de 34 2d 4a d1 68 f2 08 5c ab c3 60

   {server}  derive secret "tls13 exp master":

      PRK (32 octets):  c5 ee bf b8 6e 50 81 37 24 5d 79 91 9a 3d 43 19
         61 bc 0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6b 02

      hash (32 octets):  11 bf 9b 71 22 aa c5 07 85 59 ef 90 f7 8e e0 78
         32 a6 79 72 a2 c7 f4 bd 8f 56 15 d0 bc 19 7a 39

      info (52 octets):  00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73
         74 65 72 20 11 bf 9b 71 22 aa c5 07 85 59 ef 90 f7 8e e0 78 32
         a6 79 72 a2 c7 f4 bd 8f 56 15 d0 bc 19 7a 39

      output (32 octets):  e2 d4 f1 2f c6 26 c2 91 de 52 8c 4d d2 cb 1f
         d2 11 b2 d8 44 d9 53 d4 7a 48 d8 17 87 64 05 88 41

   {server}  derive write traffic keys for application data:

      PRK (32 octets):  a2 05 9e be 09 34 8a d4 2b 1d 6a 72 01 9e 8f 89
         06 0d e5 9f de 34 2d 4a d1 68 f2 08 5c ab c3 60

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  2e c4 83 49 b4 00 e4 9d bb 71 9a 98 91 11
         2d 99

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  b2 6b 47 20 2b 9a 93 55 45 90 c0 3c

   {server}  derive read traffic keys for early application data (same
      as client write traffic keys)

   {client}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  90 a6 5b c0 8e 4a 66 d4 a9 cf 3c f7 ec 2d 85 be
         d7 ae 08 af 83 1d 05 d7 0d 6c c0 a9 39 9c 1e 63

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  95 c5 f6 ae c8 48 4c ad 65 ee ff f1 0c 48 a8
         4f 34 d6 53 d6 59 91 bf de 13 69 81 97 b3 b9 b4 5d

   {client}  extract secret "handshake":

      salt (32 octets):  95 c5 f6 ae c8 48 4c ad 65 ee ff f1 0c 48 a8 4f
         34 d6 53 d6 59 91 bf de 13 69 81 97 b3 b9 b4 5d

      ikm (32 octets):  4f 81 91 7a 09 87 67 f2 22 5f cf 33 e8 a5 d5 33
         d6 88 3b d8 ee 16 00 b2 c5 e4 f0 e8 24 02 06 37

      secret (32 octets):  96 eb 95 b5 63 62 0c 58 ca d2 c7 37 0f b7 4b
         8f 55 b2 0e 28 bd bc 2d 70 6e 6f db aa 9e 9e 60 93

   {client}  derive secret "tls13 c hs traffic" (same as server)

   {client}  derive secret "tls13 s hs traffic" (same as server)

   {client}  derive secret for master "tls13 derived" (same as server)

   {client}  extract secret "master" (same as server)

   {client}  derive read traffic keys for handshake data:

      PRK (32 octets):  c9 23 18 b4 c5 6f ba 46 bf 6e ef 2a 9a 8f 02 33
         a2 8b ab 9b b9 66 67 4a 19 32 0b b5 3c 50 10 19

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  0d 71 1f 45 1d c2 0e fc 7e f8 08 9b 44 79
         75 ac

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  ee 5d 71 8a 24 a8 e5 32 8d bc 58 00

   {client}  calculate finished "tls13 finished" (same as server)

   {client}  derive secret "tls13 c ap traffic" (same as server)

   {client}  derive secret "tls13 s ap traffic" (same as server)

   {client}  derive secret "tls13 exp master" (same as server)

   {client}  send a EndOfEarlyData handshake message

   {client}  send handshake record:

      payload (4 octets):  05 00 00 00

      ciphertext (26 octets):  17 03 03 00 15 87 ea 08 9b c5 7f 33 1c 4f
         ad 29 80 d7 5e 3b c1 cc 55 40 e8 75

   {client}  derive write traffic keys for handshake data:

      PRK (32 octets):  50 26 86 51 18 93 2f ba 00 9f b8 84 c2 6c e1 8e
         44 96 c8 f3 57 dd f0 d1 a9 0b c2 7b 4c 31 92 9c

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  4c 0f 31 7d 9a b1 56 f2 7b 71 cb ca 63 3d
         f7 4f

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  e3 19 71 d9 f6 41 4b 45 de 4c 4c e2

   {client}  derive read traffic keys for application data (same as
      server write traffic keys)

   {client}  calculate finished "tls13 finished":

      PRK (32 octets):  50 26 86 51 18 93 2f ba 00 9f b8 84 c2 6c e1 8e
         44 96 c8 f3 57 dd f0 d1 a9 0b c2 7b 4c 31 92 9c

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets):  68 9e a0 1d d9 3b e4 b2 38 94 de ab a8 d0 7c
         56 31 29 ad 6b ef dd 7b 3d 8d ef e5 8e 4f 7e 3a 44

   {client}  send a Finished handshake message

   {client}  send handshake record:

      payload (36 octets):  14 00 00 20 52 90 13 55 ab 06 bb fb ab 3a 81
         cc 67 e3 6f eb 5d 8d a1 63 2a 02 ba 83 0a 8f c8 5f 4c 22 66 cf

      ciphertext (58 octets):  17 03 03 00 35 39 ab 4d 04 21 bb 3e 2b 85
         53 d0 2c ee 16 d3 78 c5 0f a8 76 fd 44 b4 d8 c6 36 26 6e 44 70
         bd 05 f4 77 d4 fb 91 70 f4 42 96 e2 43 3c 78 0e ef c7 50 5f 9b
         e1 68

   {client}  derive write traffic keys for application data:

      PRK (32 octets):  bc 39 56 2d 42 a4 e7 62 8d cc 15 1b ba c1 16 88
         06 9c 1c 56 ca cd 17 d4 cc 53 4a bb 05 e3 c0 3e

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00
      key output (16 octets):  24 56 8c c4 56 c9 16 6a 17 54 e3 f8 4d da
         66 23

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  92 d2 da ec 04 ce c8 de 21 2a 8e 0c

   {client}  derive secret "tls13 res master":

      PRK (32 octets):  c5 ee bf b8 6e 50 81 37 24 5d 79 91 9a 3d 43 19
         61 bc 0d 5c c8 70 d9 08 9a 2f 30 34 b4 b9 6b 02

      hash (32 octets):  74 61 12 2a b1 9d 89 46 41 d8 1c 0b 32 71 a9 35
         90 9f be 21 87 ce 40 18 d1 81 d0 4b 1f 9b 95 8a

      info (52 octets):  00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73
         74 65 72 20 74 61 12 2a b1 9d 89 46 41 d8 1c 0b 32 71 a9 35 90
         9f be 21 87 ce 40 18 d1 81 d0 4b 1f 9b 95 8a

      output (32 octets):  98 85 4e 70 a8 c2 0f 1b 02 44 b8 d9 f2 e9 94
         37 7d 11 dd 0b 6b 09 42 29 de f0 cd 55 56 9a c1 20

   {server}  derive read traffic keys for handshake data:

      PRK (32 octets):  50 26 86 51 18 93 2f ba 00 9f b8 84 c2 6c e1 8e
         44 96 c8 f3 57 dd f0 d1 a9 0b c2 7b 4c 31 92 9c

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  4c 0f 31 7d 9a b1 56 f2 7b 71 cb ca 63 3d
         f7 4f

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  e3 19 71 d9 f6 41 4b 45 de 4c 4c e2

   {server}  calculate finished "tls13 finished" (same as client)

   {server}  derive read traffic keys for application data (same as
      client write traffic keys)

   {server}  derive secret "tls13 res master" (same as client)

   {client}  send application_data record:

      payload (50 octets):  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e
         0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23
         24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31

      ciphertext (72 octets):  17 03 03 00 43 28 e8 c4 0d 6e 0a 83 0c 62
         58 8a 5a 29 e4 1e 24 48 3d 50 c8 57 f0 1f d2 25 6f a4 51 4e 2d
         4c a3 77 fd ff 96 26 0e a6 46 a6 92 4e 93 3d 96 74 29 3f 26 ab
         a3 a6 da 07 4c 16 c0 27 68 65 ab 02 df 0e 61 01

   {server}  send application_data record:

      payload (50 octets):  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e
         0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23
         24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31

      ciphertext (72 octets):  17 03 03 00 43 54 25 7b ed c2 61 dd 2c f2
         a5 bd f1 3f ed fc 93 7a 46 dd 32 59 9b 6f 16 df 78 2e 92 42 bd
         43 b0 b4 7e 79 b6 b5 fd 5a 98 23 d7 6f a6 fc ad 1c 84 97 c3 8a
         62 20 70 af 9e 2a 72 6c 78 b3 ee bc 92 9b 27 66

   {client}  send alert record:

      payload (2 octets):  01 00

      ciphertext (24 octets):  17 03 03 00 13 5a d6 a3 97 6d 9d 6c b8 66
         b4 a3 5c 0f b4 53 90 ae dd 88

   {server}  send alert record:

      payload (2 octets):  01 00

      ciphertext (24 octets):  17 03 03 00 13 1d 7f 76 5d 2c d2 65 53 b2
         f3 a8 c4 0a 71 a7 e6 48 c3 87

5.  HelloRetryRequest

   In this example, the client initiates a handshake with an X25519
   [RFC7748] share.  The server however prefers P-256 [FIPS186] and
   sends a HelloRetryRequest that requires the client to generate a key
   share on the P-256 curve.

   {client}  create an ephemeral x25519 key pair:

      private key (32 octets):  2f 74 42 ae 1b ce d7 5e 82 f9 be 34 3c
         af cd fd 6c 14 28 e6 19 f1 f5 1a ae 58 68 01 1b 94 4c ab

      public key (32 octets):  18 77 ec d6 d3 b5 46 fb 68 dd 27 35 0f 25
         24 87 b7 e8 7b 8a 91 2c e1 a6 a8 8c d0 bb 02 cd 15 49

   {client}  send a ClientHello handshake message

   {client}  send handshake record:

      payload (174 octets):  01 00 00 aa 03 03 b7 c9 bc 82 7e a9 0b 53
         72 b5 ba 58 29 7e 40 ba 82 77 ce bf be eb 8e af 94 e8 85 36 5b
         91 c5 bb 00 00 06 13 01 13 03 13 02 01 00 00 7b 00 00 00 0b 00
         09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06
         00 1d 00 17 00 18 00 33 00 26 00 24 00 1d 00 20 18 77 ec d6 d3
         b5 46 fb 68 dd 27 35 0f 25 24 87 b7 e8 7b 8a 91 2c e1 a6 a8 8c
         d0 bb 02 cd 15 49 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03
         05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04
         02 05 02 06 02 02 02 00 2d 00 02 01 01

      ciphertext (179 octets):  16 03 01 00 ae 01 00 00 aa 03 03 b7 c9
         bc 82 7e a9 0b 53 72 b5 ba 58 29 7e 40 ba 82 77 ce bf be eb 8e
         af 94 e8 85 36 5b 91 c5 bb 00 00 06 13 01 13 03 13 02 01 00 00
         7b 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00
         00 0a 00 08 00 06 00 1d 00 17 00 18 00 33 00 26 00 24 00 1d 00
         20 18 77 ec d6 d3 b5 46 fb 68 dd 27 35 0f 25 24 87 b7 e8 7b 8a
         91 2c e1 a6 a8 8c d0 bb 02 cd 15 49 00 2b 00 03 02 7f 1c 00 0d
         00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05
         01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01

   {server}  send a ServerHello handshake message

   {server}  send handshake record:

      payload (176 octets):  02 00 00 ac 03 03 cf 21 ad 74 e5 9a 61 11
         be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 9e 09 e2 c8
         a8 33 9c 00 13 01 00 00 84 00 33 00 02 00 17 00 2c 00 74 00 72
         20 1c e9 22 bf 9a 57 cc 0c 63 8a 02 00 00 00 00 b5 89 27 72 3a
         7b 57 e1 de 6d 9d 65 d4 9b 4c 1d 00 30 39 bc 6d f6 e6 1b 34 45
         a1 12 cf 2c 5d f4 b3 bd 4c db 05 07 08 57 d9 f0 22 e8 6a c7 df
         91 a9 4a 1b e9 fd 61 ac b3 22 13 7a d5 63 70 dc fa 29 55 aa c6
         d6 ab 28 a2 98 43 62 89 9d 38 b7 b0 9b 3c 4d 86 76 a4 8b b2 c6
         bd 05 02 fc c5 61 b5 50 2e 00 2b 00 02 7f 1c

      ciphertext (181 octets):  16 03 03 00 b0 02 00 00 ac 03 03 cf 21
         ad 74 e5 9a 61 11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c
         5e 07 9e 09 e2 c8 a8 33 9c 00 13 01 00 00 84 00 33 00 02 00 17
         00 2c 00 74 00 72 20 1c e9 22 bf 9a 57 cc 0c 63 8a 02 00 00 00
         00 b5 89 27 72 3a 7b 57 e1 de 6d 9d 65 d4 9b 4c 1d 00 30 39 bc
         6d f6 e6 1b 34 45 a1 12 cf 2c 5d f4 b3 bd 4c db 05 07 08 57 d9
         f0 22 e8 6a c7 df 91 a9 4a 1b e9 fd 61 ac b3 22 13 7a d5 63 70
         dc fa 29 55 aa c6 d6 ab 28 a2 98 43 62 89 9d 38 b7 b0 9b 3c 4d
         86 76 a4 8b b2 c6 bd 05 02 fc c5 61 b5 50 2e 00 2b 00 02 7f 1c

   {client}  create an ephemeral P-256 key pair:

      private key (32 octets):  12 04 90 37 70 08 12 91 d2 e2 8c 2e 4c
         cc ae fd fa be a9 02 d6 24 cc 53 7e 17 7e f4 62 e0 4e 68

      public key (65 octets):  04 34 64 59 40 3b b6 5d 0e 0d 11 d1 03 8b
         e7 1b 03 a7 56 2b 01 e0 3a a1 b5 80 25 c4 65 88 a4 09 3f 1c 75
         98 bd 8c 79 ee 7e fc 5b a7 49 bd 24 3c 10 82 12 3a 37 f9 3f 9a
         00 8c ff 64 5b c4 e5 8f 20

   {client}  send a ClientHello handshake message

   {client}  send handshake record:

      payload (512 octets):  01 00 01 fc 03 03 b7 c9 bc 82 7e a9 0b 53
         72 b5 ba 58 29 7e 40 ba 82 77 ce bf be eb 8e af 94 e8 85 36 5b
         91 c5 bb 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00
         09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06
         00 1d 00 17 00 18 00 33 00 47 00 45 00 17 00 41 04 34 64 59 40
         3b b6 5d 0e 0d 11 d1 03 8b e7 1b 03 a7 56 2b 01 e0 3a a1 b5 80
         25 c4 65 88 a4 09 3f 1c 75 98 bd 8c 79 ee 7e fc 5b a7 49 bd 24
         3c 10 82 12 3a 37 f9 3f 9a 00 8c ff 64 5b c4 e5 8f 20 00 2b 00
         03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08
         05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2c
         00 74 00 72 20 1c e9 22 bf 9a 57 cc 0c 63 8a 02 00 00 00 00 b5
         89 27 72 3a 7b 57 e1 de 6d 9d 65 d4 9b 4c 1d 00 30 39 bc 6d f6
         e6 1b 34 45 a1 12 cf 2c 5d f4 b3 bd 4c db 05 07 08 57 d9 f0 22
         e8 6a c7 df 91 a9 4a 1b e9 fd 61 ac b3 22 13 7a d5 63 70 dc fa
         29 55 aa c6 d6 ab 28 a2 98 43 62 89 9d 38 b7 b0 9b 3c 4d 86 76
         a4 8b b2 c6 bd 05 02 fc c5 61 b5 50 2e 00 2d 00 02 01 01 00 15
         00 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      ciphertext (517 octets):  16 03 03 02 00 01 00 01 fc 03 03 b7 c9
         bc 82 7e a9 0b 53 72 b5 ba 58 29 7e 40 ba 82 77 ce bf be eb 8e
         af 94 e8 85 c9 11 f2 97 36 5b 91 c5 bb 00 00 06 13 01 13 03 13 02 01 00 01
         cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00
         00 0a 7c de 27 63 1a 6f 2e e8 88 00 08 00 06 00 1d 00 17 00 18 00 33 00 47 00 45 00 17 00
         41 04 34 64 59 40 3b b6 5d 0e 0d 11 d1 03 8b e7 1b 03 a7 56 2b
         01 e0 3a a1 b5 80 25 19 88 f3 07 54

      hash (32 octets):  e3 b0 c4 42 65 88 a4 09 3f 1c 75 98 bd 8c 79 ee 7e
         fc 1c 14 9a fb f4 c8 99 6f b9 5b a7 49 bd 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets): 3c 10 82 12 3a 37 f9 3f 9a 00 8c ff 64 5b c4
         e5 8f 20 00 2b 00 03 02 7f 1c 00 0d 74 6c 73 31 33 00 20 64 65 00 1e 04 03 05 03 06
         03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02
         06 02 02 02 00 2c 00 74 00 72 69 76 65 64 20 e3 b0 c4 42 98 fc 1c 14 e9 22 bf 9a fb f4 c8 99 6f b9 24 57 cc 0c 63 8a
         02 00 00 00 00 b5 89 27 ae 41 e4
         64 72 3a 7b 57 e1 de 6d 9d 65 d4 9b 93 4c a4 95 99 1d
         00 30 39 bc 6d f6 e6 1b 78 52 b8 55

      output (32 octets):  78 31 58 10 11 a6 70 a2 ce 59 0b 80 b8 e5 44 34 45 a1 12 35 49 d6 cf 2c 5d f4 b3 bd 44 3c f6 9e 80 4c db 05
         07 08 57 d9 f0 22 e8 0a 7e 38 93 d7 7e

   {server}  extract secret "master":

      salt (32 octets):  78 31 58 10 11 a6 6a c7 df 91 a9 4a 1b e9 fd 61 ac b3 22 13
         7a d5 63 70 a2 ce 59 0b 80 b8 e5 44 12
         35 49 dc fa 29 55 aa c6 d6 bd 44 3c f6 9e 80 e8 0a 7e ab 28 a2 98 43 62 89 9d 38 93 d7 7e

      ikm (32 octets): b7
         b0 9b 3c 4d 86 76 a4 8b b2 c6 bd 05 02 fc c5 61 b5 50 2e 00 2d
         00 02 01 01 00 15 00 b5 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00

      secret (32 octets):  6b 06 1b 95 b3 81 1d 3a 8a a8 3d a0 1d f0 e6
         d5 c3 be 43 d8 3b 18 b3 bc b8 e8 52 78 14 2b 11 9c

   {server}  send handshake record:

      payload (96 octets):  02 00 00 5c 03 03 4b 98 9e 4c 47 ca 09 2a 18
         78 78 ae 45 7f d5 85 6e dc a0 f7 ae cf 00 4e d0 20 3a fe 0d 57
         e3 86 00 13 01 00 00 34 00 29 00 02 00 00 00 28 00 24
         00 1d 00
         20 66 62 56 0e 42 6c b1 13 d5 63 b1 69 e9 72 b5 c4 81 dd b6 cc
         f2 a5 79 39 ed d2 4b a9 e9 b6 2f 5f 00 2b 00 02 7f 16

      ciphertext (101 octets):  16 03 03 00 60 02 00 00 5c 03 03 4b 98
         9e 4c 47 ca 09 2a 18 78 78 ae 45 7f d5 85 6e dc a0 f7 ae cf 00
         4e d0 20 3a fe 0d 57 e3 86 00 13 01 00 00 34 00 29 00 02 00 00 00 28 00 24 00 1d 00 20 66 62 56 0e 42 6c b1 13 d5 63 b1 69 e9
         72 b5 c4 81 dd b6 cc f2 a5 79 39 ed d2 4b a9 e9 b6 2f 5f 00 2b 00 02 7f 16

   {server}  send a EncryptedExtensions handshake message

   {server}  calculate finished "tls13 finished":

      PRK  extract secret "early":

      salt:  (absent)

      ikm (32 octets):  58 6f 1a b9 cb 2d 93 70 66 1a 1e 0b c9 fc 8c 39
         1a 34 67 b9 9e bd 58 16 c1 8c 46 a5 28 6e 96 77

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets):  98 90 9d e6 86 66 b5 12 80 1c 41 c6 3b 20 f9
         fc 1f 7f 8f e1 19 64 75 d2 07 48 66 e3 a1 5d 14 15

   {server}  send a Finished handshake message

   {server}  send handshake record:

      payload (74 octets):  08 00 00 22 00 20 00 0a 00 14 00 12 00 1d 00
         17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00
         00 00 2a 00 00 14 00 00 20 c9 f5 11 e0 94 08 c2 b3 ff b5 ac 45 3c 7c 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a
         65 1c 60 7e c0 8c 28 c9 bc 4f 38 54 46 91 9e b8 fd 84 7c e0

      ciphertext (96 octets):  17 03 03 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 5b f5 a6 a6 20 f2 db 4e 20 aa 1f
         22 8d 73 b4 15 d8 26 60 e1 b2 2e 10 f1 70 f9 2a

   {server}  create an ephemeral P-256 key pair:

      private key (32 octets):  02 03 21 a8 85 5a 5c ce 43 5e a9 76 c4 eb 2c
         74 54 9d cd 14 b2 50 cc 88 ae b4 e1 55 a8 27 5f 2d 89 a4 96 68 d7 be 48
         9a 8b 85 77 a2 a8 3d e2

      public key (65 octets):  04 a9 fc 26 e5 99 e4 8d ed 07 36 f4 b1 b2
         20 5d 2b f4 9c f3 e5 eb 5a 37 0b 59 30 79 e6 0e 10 6e 15 67 29 c2 11 90 0a de
         1f 72 aa 88 8b 45 50 27 32 67 d8 c8 2b f5 dd 40 bb c5 36 85 e5 e8
         eb 52 e1 d3 63 99 1e bc 01 1e 49 14 ea
         3a ee 73 08 76 d4 4a 1a cf 53 25 37 3e 8e a6 e1 75 c1 4c 5f
         20 2c a0 eb 31 00 36 c8 f4 44 be 45 16 4d b8 a7 3a 50 5d f2 34

   {server}  send a ServerHello handshake message

   {server}  derive secret for handshake "tls13 c ap traffic": derived":

      PRK (32 octets):  6b 06 1b 95 b3 81 1d 3a 8a a8 3d a0 1d f0 e6 d5
         c3 be 43 d8  33 ad 0a 1c 60 7e c0 3b 18 b3 bc b8 e8 52 78 14 2b 11 9c 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets):  bc be 0c 61 2f 39 63 e4 2c 49 6c b3 03 e9 59 89
         ba 96 f6 21 00 34  e3 b0 c4 42 98 fc 1c 14 9a fb f4 63 05 c8 99 6f b9 75 2a 53 d9 a7 dd 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (54 (49 octets):  00 20 12 0d 74 6c 73 31 33 20 63 20 61 70 20 74 64 65 72
         61 66 66 69 63 76 65 64
         20 bc be 0c 61 2f 39 63 e4 2c 49 6c b3 03 e9 59
         89 ba 96 f6 21 00 34 e3 b0 c4 42 98 fc 1c 14 9a fb f4 63 05 c8 99 6f b9 75 2a 53 d9 a7 dd 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  c9 d1 12 6d be c2 7c  6f 26 15 a1 72 21 37 3f ef 10 4e
         cf a0 6d c4 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {server}  extract secret "handshake":

      salt (32 octets):  6f 26 15 a1 c4 5c 1d 55 3f 2b 1a 84 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      ikm (32 octets):  67 5e 8f e3 7d f3 8e b4 6e ae d1 ac 3e a4 a0 a1 63
         a7 26 56 83 e4 3d ca 95 40 43 87 73 24 aa cf 70

      secret (32 octets):  56 b6 d9 4c b7 89 04 56 07 85 86 b5 d6 5d 69
         69 bc 7c 48 51 ff 7f 95 33 75 ed cb e2 60 4c 1f 8e

   {server}  derive secret "tls13 s ap c hs traffic":

      PRK (32 octets):  6b 06 1b 95 b3 81 1d 3a 8a a8 3d a0 1d f0 e6 d5
         c3 be 43 d8 3b 18 b3  56 b6 d9 4c b7 89 04 56 07 85 86 b5 d6 5d 69 69
         bc b8 e8 52 78 14 2b 11 9c 7c 48 51 ff 7f 95 33 75 ed cb e2 60 4c 1f 8e

      hash (32 octets):  bc be 0c  0b 61 2f 39 63 e4 2c 49 6c b3 d4 9c 83 fe f7 da 03 e9 59 04 0f e3 5e 72 33 fe
         bd 0f 47 e2 c0 e0 9c 85 a4 a1 2f 89
         ba 96 f6 21 00 34 f4 63 05 b9 75 2a 53 d9 a7 dd a0 04 a1 6f

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 63 20 61 70 68 73 20 74 72
         61 66 66 69 63 20 bc be 0c 0b 61 2f 39 63 e4 2c 49 6c b3 d4 9c 83 fe f7 da 03 e9 59 04 0f e3 5e 72 33
         fe bd 0f 47 e2 c0 e0 9c 85 a4 a1 2f 89 ba a0 04 a1 6f

      output (32 octets):  96 f6 21 00 34 f4 f0 1d 63 05 6d 87 b9 75 2a 53 36 1c 0b 8b 93 0c de d9 a7 dd

      output (32 octets):  aa 91 af 99 99 34 3a 32 8e cf ad 72 cb be e1
         20 71 d7 79 b3 8a 3d
         7b 59 06 0b 89 3b e2 4e 5d 64 b5 25 86 c0 39 ac 18 5a 7d c7 c4 e7 f8 33 33 1c

   {server}  derive secret "tls13 exp master": s hs traffic":

      PRK (32 octets):  6b 06 1b 95 b3 81 1d 3a 8a a8 3d a0 1d f0 e6 d5
         c3 be 43 d8 3b 18 b3  56 b6 d9 4c b7 89 04 56 07 85 86 b5 d6 5d 69 69
         bc b8 e8 52 78 14 2b 11 9c 7c 48 51 ff 7f 95 33 75 ed cb e2 60 4c 1f 8e

      hash (32 octets):  bc be 0c  0b 61 2f 39 63 e4 2c 49 6c b3 d4 9c 83 fe f7 da 03 e9 59 04 0f e3 5e 72 33 fe
         bd 0f 47 e2 c0 e0 9c 85 a4 a1 2f 89
         ba 96 f6 21 00 34 f4 63 05 b9 75 2a 53 d9 a7 dd a0 04 a1 6f

      info (52 (54 octets):  00 20 10 12 74 6c 73 31 33 20 65 78 70 73 20 6d 61 68 73 20 74 65 72 20 bc be 0c
         61 2f 39 66 66 69 63 e4 2c 49 6c b3 20 0b 61 d4 9c 83 fe f7 da 03 e9 59 04 0f e3 5e 72 33
         fe bd 0f 47 e2 c0 e0 9c 85 a4 a1 2f 89 ba
         96 f6 21 00 34 f4 63 05 b9 75 2a 53 d9 a7 dd a0 04 a1 6f

      output (32 octets):  3d 65  48 c0 79 83 b0 b1 9b 41 75 36 af 49 aa 3c 4f f5 ca 07 87 85 69 31 01 cc 71 0f 46
         e2 93 5b 5e c4 61
         a1 20 26 fe fa 16 d0 40 12 8b 7f 87 19 6c ab fe 14 ca bb 08 35 41 a0 84 66 d1 84

   {client}

   {server}  derive secret for handshake master "tls13 derived":

      PRK (32 octets):  35 10 b5 e7 47 ce ef 42 b1 fe ff e7 a7 4f dc 0f
         52 a5 ee fc a2  56 b6 76 b0 82 4e 06 17 c8 64 d9 4c b7 89 04 56 16 07 85 86 b5 d6 5d 69 69
         bc 7c 48 51 ff 7f 95 33 75 ed cb e2 60 4c 1f 8e

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  3c 5b 59 45 89 ee  ef ff c0 f0 7a 08 0f a2 cd c7 7e 55 8a 02 f1 18 d3 98 fc 3c 3e
         50 77
         f7 13 21 65 bc 5e 32 a9 ff 20 1a 97 da df 8e 36 ad 16 12 8b 66 a0 de e7 1c a3 99 74 ba

   {client} c8

   {server}  extract secret "handshake": "master":

      salt (32 octets):  3c 5b 59 45 89 ee  ef ff c0 f0 7a 08 0f a2 cd c7 7e 55 8a 02 f1 18 d3 98 fc 3c 3e 50 77 f7 13 21 65 bc 5e
         32 a9 ff 20 1a 97 da df 8e 36 ad 16 12 8b 66 a0 de e7 1c a3 99 74 ba c8

      ikm (32 octets):  ca 49 06 0d 44 b4 58 b8 e2 6f b7 2a 18 6e bc 44
         6b a8 e4 0e 8f b1 39 5c c7 f7 56 59 ee 86 f8 54  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  6b a5 c1 83 92 4b a3 2c e0 99 85 c9 11 f2 97
         bb 0a 7c de 27 63 1a 6f 2e e8 88 25 19 88  67 f3 07 54

   {client}  derive secret "tls13 c hs traffic" (same as server)

   {client}  derive secret "tls13 s hs traffic" (same as server)

   {client}  derive secret for master "tls13 derived" (same as server)

   {client}  extract secret "master" (same as server)

   {client}  calculate finished "tls13 finished" (same as server)

   {client}  derive secret "tls13 c ap traffic" (same as server)

   {client}  derive secret "tls13 s ap traffic" (same as server)

   {client}  derive secret "tls13 exp master" (same as server)

   {client}  send a EndOfEarlyData handshake message

   {client} ca a1 17 80 44 45 c3 84 1d f0 d6 cf 0c
         be 84 eb 2d 1e 29 29 3c de 0e 59 8b c0 79 99 24 00

   {server}  send handshake record:

      payload (4 (123 octets):  05  02 00 00 77 03 03 a9 8d a5 12 67 95 e8 50
         bf d4 69 ae 41 2c 8a d6 c6 a2 43 da b5 ca 68 9b cc 37 7b 7f 45
         7e 93 57 00 13 01 00 00 4f 00 33 00 45 00 17 00 41 04 a9 fc 26
         e5 99 e4 8d ed 07 36 f4 b1 b2 20 2b f4 9c f3 e5 eb 5a 37 0b aa
         88 8b 45 50 27 32 36 85 e5 e8 eb 52 e1 d3 63 73 08 76 d4 4a 1a
         cf 53 25 8e a6 e1 75 c1 4c 5f 20 2c a0 eb b8 a7 3a f2 34 00 2b
         00 02 7f 1c

      ciphertext (26 (128 octets):  17  16 03 03 00 15 1d ee d3 7b 02 00 00 77 03 03 a9 8d
         a5 12 67 95 e8 50 bf d4 69 ae 41 2c 8a d6 c6 a2 43 da b5 ca 68
         9b 27 ff 4f 3c 92
         2f fd ef 73 89 56 5e cc 79 d1 13 71

   {client}  calculate finished "tls13 finished":

      PRK (32 octets):  a2 ba 52 84 b4 0e 7d 65 af af 93 c0 37 7b 7f 45 7e 93 06 dd 57 00 13 01 00 00 4f 00 33 00 45 00 17
         00 41 04 a9 fc 26 e5 99 e4
         70 98 a4 ee 28 4c 8d ed 07 36 f4 6e b1 b2 20 2b f4 9c f3
         e5 eb 5a 37 0b 59 09 fe aa 88 8b 45 50 27 32 36 85 e5 e8 eb 52 e1 d3 63
         73 08 76 d4 4a 1a cf 53 25 8c 8e a6 e1 75 c1 4c 5f 20 2c a0 eb b8
         a7 3a f2 34 00 2b 00 02 7f 1c

   {server}  derive write traffic keys for handshake data:

      PRK (32 octets):  48 c0 79 83 b0 b1 9b 41 75 36 af 49 aa 3c 4f

      hash (0 a1
         20 26 fe fa 16 d0 40 12 8b 7f 87 19 6c ab fe 14

      key info (13 octets):  (empty)  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  c9 66 8b e3 a4 eb 59 74 eb 92 ff 02 bb d7
         2e 0b

      iv info (18 (12 octets):  00 20 0e 0c 08 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 76 00

      iv output (32 (12 octets):  67 02 97 87 4f 08 e5 10 32 72 a8 be 0c 6d c3
         b4 39 6e 82 28 34 62 6b  a0 3e bc f0 df 01 00 7b 81 7b 21 e6 be 28 b9 d4 b4 35 05

   {client} de

   {server}  send a Finished EncryptedExtensions handshake message

   {client}

   {server}  send a Certificate handshake record:

      payload (36 octets):  14 00 00 20 60 c3 2e 99 5e c1 0d d0 1d 73 79
         e3 eb f1 9f 75 ef 74 0b 18 d4 24 06 c9 62 db 37 a4 53 74 9d 76

      ciphertext (58 octets):  17 03 03 00 35 b1 a4 2d de c8 7d 6a 62 17
         a5 53 19 3b 47 a6 6c 32 b4 51 ab f8 48 dc df 68 21 3b 44 21 76
         a9 e5 9b 8e cf 5e 1a fe d8 94 43 9a 9d f0 c3 a2 4b da ac 97 fc
         34 55

   {client}  derive secret message

   {server}  send a CertificateVerify handshake message

   {server}  calculate finished "tls13 res master": finished":

      PRK (32 octets):  6b 06 1b 95 b3 81 1d 3a 8a a8 3d a0 1d f0 e6 d5
         c3 be 43 d8 3b 18 b3 bc b8 e8 52 78 14 2b 11 9c

      hash (32 octets):  04 5f 9f 6c d4 c6 84 65 a7 79 f4 89 b7 13 57 7f
         42 e9 91 c1 b7 b7 34 db 01 28 a5 7b 88 35  48 c0 79 83 b0 b1 9b 41 27 75 36 af 49 aa 3c 4f a1
         20 26 fe fa 16 d0 40 12 8b 7f 87 19 6c ab fe 14

      hash (0 octets):  (empty)

      info (52 (18 octets):  00 20 10 0e 74 6c 73 31 33 20 72 66 69 6e 69 73 68 65
         64 00

      output (32 octets):  c9 32 f8 bb a8 09 0c d8 3c fa ae 73 20 6d 61 f8 41 79
         6c bb a9 97 73
         74 65 28 e4 53 d6 a1 da c8 8c a8 0b 2b ec

   {server}  send a Finished handshake message

   {server}  send handshake record:

      payload (639 octets):  08 00 00 12 00 10 00 0a 00 08 00 06 00 17
         00 18 00 1d 00 00 00 00 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82
         01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48
         86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03
         72 20 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17
         0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06
         03 55 04 5f 03 13 03 72 73 61 30 81 9f 6c d4 c6 84 65 a7 79 f4 30 0d 06 09 2a 86 48 86 f7
         0d 01 01 01 05 00 03 81 8d 00 30 81 89 b7 13 57 7f 42
         e9 02 81 81 00 b4 bb 49 8f
         82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26
         d3 90 1a 24 61 ea fd 2d e4 9a 91 c1 b7 b7 34 db 01 28 a5 7b 88 35 41 27

      output (32 octets):  40 7b 7c fa d0 15 ab bc 9a 95 13 7a ce 6c
         1a 5d cd 73 f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52
         4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 75 2a 5f da 43 08 46 74
         80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93
         ef f0 ab 9a 80 13 16 68
         24 4e a8 88 64 19 02 c4 74 28 a6 fe cc d3 5a 8d 88 d7 9f 7f 1e 3f 02 03
         01 f5 7b df d5 5d 15 2a

   {server}  calculate finished "tls13 finished" (same as client)

   {server}  derive secret "tls13 res master" (same as client)
   {client}  send application_data record:

      payload (50 octets): 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06
         03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 07 08 09 0a 0b 0c 2a 86 48 86 f7 0d 0e
         0f 10 11 12 13 14 15 16 01
         01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a
         72 67 17 06 18 19 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea
         e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 1b 03 01
         51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be
         c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b
         1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 1e 1f 20 21 22 23
         24 25 26 27 28 40 2d cc 0c c8 f8
         96 12 29 2a ac 91 87 b4 2b 2c 2d 2e 2f 30 31

      ciphertext (72 octets):  17 03 03 4d e1 00 43 89 8d 41 41 71 76 9c 00 0f 00 00 84 08 04 00 80 7d
         29 50 6f 66 e0 87 23 bd b7 c1 5b 15 f5 46 43 1e c6 80 49 5a fa a6 ac f9 32 5d 66 2f a5 9d 93 72 41 8a 59 c5 74 59
         13 33 9c f3 78 5a 99 d2
         f5 94 63 b8 d9 cd 39 86 78 55 66 d7 95 2d 9e a9 ab 9f 77 87 6e
         6a 39 8b 5b 88 2c 83 e5 43 d3 c1 b1 36 79 08 1d 80 95 30 ef 30 70 fb e4 eb a9
         07 2c 6c 23 95 6b de 0e 61 4c d0 98 13 aa e7 9c b1 86 76 0a 95 55
         aa 7c 4d 26 40 9a bd
         40 62 2a 29 5c ce 9e f4 7b eb 28 06 10 29 4e a0 a4 cc ca d0 be a6 d5 95 85 01 29
         92 00 ab f2 25 44 3d 0b 50 d1 f8 b1 fc 02 15 08 6d b9

   {server}  send application_data record:

      payload (50 octets): fa 9b 98 f3 38 b8 00 01 02 03 04 05 06 07 65 08 09 0a 0b 0c 0d 0e
         0f 10 11 12 13
         87 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23
         24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31

      ciphertext (72 octets):  17 03 03 00 00 20 43 8e 95 04 14 52 07 ad 99 f9
         26 b4 7c 28 f6 0f a5 31 b9 7d 35 4f 55 ac fe 46 59 b0 37 f1 94
         6e 6a 8d c8 da f7 a9 fc 36 27 02 2a 86 e1 4a 5e 66 f5 57 83 3f c1 df 0b a1 8c a5 90 11 fc
         2f 39 96 ea bc 2f 6d 50 eb 85 93 d6 0b 23 87 d4 bc

   {client}  send alert record:

      payload (2 octets):  01 00

      ciphertext (24 octets):  17 03 03 00 71
         13 e4 f4 3b 1b 15 b0 75 40 6c
         2f 32 68 61 99 82 35 6d 78 53

   {server}  send alert record:

      payload (2 octets):  01 00 0b cd 59 ba 06 5d 8d 6d b4 26 ac 11 43 da 0e

      ciphertext (24 (661 octets):  17 03 03 00 13 06 18 b6 02 90 2a 10 90 52 02 96 ad d1
         82 97 94 51 58 6b 74 52 0d b9
         6c 39 08 0f 6b d7 d1 25 ef c8 1d 11 77 14 c5 0d d5 32 d9 df f1 0b 41

5.  HelloRetryRequest

   In this example, the client initiates a handshake with an X25519
   [RFC7748] share.  The server however prefers P-256 [FIPS186] and
   sends a HelloRetryRequest that requires the client to generate a key
   share on the P-256 curve.

   {client}  create an ephemeral x25519 key pair:

      private key (32 octets):  52 99 fa
         fe 96 c7 3b 66 e4 7d 81 e6 25 2b 66 86 b8 86 37 10 26 0e 15 4b
         c4 8d 8a e2 f2 67 45 f5 98 ee 7b 46 70 cb 87 89 3a 73 81 7f cb
         09 45 5f e5 8d 49 5c 07 7a ca a3 b3 ae 9c cc a4 58 5b 12 6d f4
         8c 5f a4 f9 d2 b4 b5 0b dc 31 26 3d 72 a8 42 eb 09 5f 71 f9 24 77 d4 5d
         d8 ee 69 62 81 87 86 0d f3 d6 8b 80 a3 c7 c7 d4 ca 36 61 69 2f
         a4 64 23 f5 64 2d 73 6e 27 63 b0 41 07 47 f6 55 eb db 18 37 c1
         6f 59 bd c2 db 64 e3 92 fd 92 77 b0 ac e7 1c 1a 15 da e4 13 6c
         84 aa 17 7b 69 4d 33 e0 b0 ac 68 0b f0 46 54 d0 03 75 84 c9 b4
         06 59 87 ff 49 02 70 79 f3 07 f9 1b 95 29 68 d5 1e ce c2 0c 3b aa 64 67 ef a3 87 2c 6a df a9 a9 f8
         75 4a 57 f2 d8 a1 6c 16 d3 34 06 ac 27 a8 93 ca 13 2c c3 3a 89 d2 c2 49 88 09
         2f f1 fa 70 c0 c6 06 10

      public key (32 octets):  9e 1d 89 64 ff 42 3d 13 b7 ac 11 b7 e9 47
         91 b0 51 45 6a 9b 6f 41 b6 66 00 79 60 8e 87 22 d2 81 ad 87 36 92
         bf db 79 f2 9e 67 e4 16 6d 82 a9 5c be 36 e3 d1 e0 f8 c3 99 a4 90 a8 6a cd
         71 9d 46 56 77 db dc b4 45 1f 97 39 e1 67 88 f5 32 33
         7b f9 4c bf 54 31 02 22 40 8a 4e 45 ee 98 0d 05 d4 32

   {client}  send a ClientHello handshake message

   {client}  send handshake record:

      payload (174 octets): 68 fa dc 12 91 a2
         6f 13 81 01 00 00 aa 03 03 24 5c 21 f3 d5 d6 36 9f 29 51 7e a2 f6 1b 9b 7f 20 6a
         63 c8 10 d1 3b 74 e4 29 e6 6d 08 1e 41 7f 96 6e 82 88 da a5 52
         2d b6 cb 22 35 33 d6 e6 84 2a 70 6c e0 9f 3d 12 19 b6 4f 08 f5
         f4 d2 ca 3d 55 6d 88 64 1f 16 25 de 1e cc 65 5f e5 17 c1 f0 a5
         a4 9c 79 62 00 02 2d 22 ad 4c 8b cd cb 70 8c ed
         c8 e7 ee ac 95 93 1b 24 9d 3a dd 7d 98 c5 e0 d8 27 fd d4 16 7a a8 68 fa f7
         be b6 ca 42 e2 da d2 b8 a7 7c 3f a8 68 83 35 f5 d7 81 0d
         fb b1 80 00 00 de 97 f9 06 13 01 13 03 13 02 01 00 00 7b 00 00 00 0b 00 bf 69
         09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06
         00 1d 00 17 00 18 00 28 00 26 00 24 00 1d 00 20 60 b4 23 dd 9c 1a 7e 9e d2 81 f2 d1
         e0 f8 c2 3c 78 4c 52 a7 a0 44 35 6c e1
         27 c3 99 a4 90 a8 6a cd 71 9d 46 56 77 54 73 ed 92 49 fe 68 1a 70 ca 11 db dc b4 45 1f 97 39
         e1 22 40 8a d4 32 00 2b 00 03 02 7f 16 00 0d 00 20 00 1e 04 03
         05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04
         02 05 02 06 02 02 02 00 2d 00 c1 e5 4f 51 12 ae 74
         d1 88 c2 db dc f0 66 13 28 02 01 01

      ciphertext (179 octets):  16 03 01 00 10 5e 8b de ae 01 00 00 aa 03 53 50 b1 b3 55 34
         a6 82 91 73 03 24 cc
         22 ad 4c 8b 8c ed c8 e7 ee ac 95 93 1b 24 9d 3a dd 7d 98 c5 e0
         d8 35 f5 d7 81 0d fb b1 eb 65 3b bc 4b 0c 5c 77 4b b2 94 dc 50 44 c4
         7f 70 5b d6 80 00 00 06 13 01 73 af 3a e5 c6 45 29 1e fc 9d 9c 17 6b 19 bd 95
         47 55 dc a2 2e 2b 52 13 03 a5 37 2e d9 6b 9f 89 f6 30 80 89 f3 98
         2a 13 02 01 00 00
         7b 00 00 00 0b 00 09 00 00 06 f2 41 30 3b 2e 5d c0 d4 3f fa 73 65 72 76 65 72 ff 01 00 01 00
         00 0a 00 08 00 06 00 1d 00 17 00 18 00 28 00 26 00 24 00 1d 00
         20 9e 16 d2 81 f2 79 bd 78 d1 65 e0 f8 c3 99 a4
         33 61 16 66 fd 79 a3 90 a8 95 db f5 5a 43 e0 89 b1 3b db 6a cd 71 33 ef
         b3 bb 0b 67 9c 58 9d 46 2a 3e 4f 56 77 db
         dc b4 45 18 46 dd 9b 34 c4 68 a9 ce 4d
         bd 63 59 29 f7 b5 1f 21 a9 67 92 97 39 e1 22 40 8a d4 32 00 2b 00 03 02 7f 16 00 0d
         00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05
         01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01

   {server}  send a ServerHello handshake message 7d 7e a1 db 4c

   {server}  send handshake record:

      payload (176  derive secret "tls13 c ap traffic":

      PRK (32 octets):  02 00 00 ac 03 03  67 f3 ca a1 17 80 44 45 c3 84 1d f0 d6 cf 21 ad 74 e5 9a 61 11 0c be 1d 8c 02
         84 eb 2d 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 9e 09 e2 c8
         a8 33 9c 00 13 01 00 29 29 3c de 0e 59 8b c0 79 99 24 00

      hash (32 octets):  91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 54
         51 f8 70 7c 4f 14 92 ed 2e 84 7e 08 7e 6a bf 98

      info (54 octets):  00 28 00 02 00 17 00 2c 00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 00 72
         3c c7
         61 66 66 69 63 20 91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35
         54 51 f8 70 7c 4f 14 92 ed 2e 84 7e 08 7e 6a bf 98

      output (32 octets):  33 60 70 33 79 0d 4d 7d 0f 98 68 ee 6d bc bb 7b 7c d0 db d9 6f 3c 78
         21 00 00 00 00 73 d2 77 2a 29
         c9 93 b4 e0 c3 75 8f 78 14 79 4f 9b b1 e9 c9 17 de 7b ef d4 b2

   {server}  derive secret "tls13 s ap traffic":

      PRK (32 octets):  67 f3 ca a1 17 80 44 45 9e c3 84 1d f0 d6 cf 0c be
         84 eb 2d 1e 29 29 3c de 0e 59 8b c0 79 99 ea 24 00 30 97 19 7d a5 86 38 74 31
         85 03 d3 dd e2 41 7d 5f b7 8c 92 76 13

      hash (32 octets):  91 14 10 ea a9 2e 9e 8a ee f5
         4e a0 92 c3 d5 c0 86 7b 67 7d 64 4f 96 d8 c5 fd 48 30 d1 1a a9 f3 32 fd 35 54
         51 f8 70 dd 1b 3f 8a
         85 17 ab ee 19 60 52 d8 e4 29 3d 62 f0 3b 6d 29 b6 88 4b 7c 00
         cc 5e 6c e7 ac 36 47 0e a7 00 2b 00 02 7f 16

      ciphertext (181 4f 14 92 ed 2e 84 7e 08 7e 6a bf 98

      info (54 octets):  16 03 03 00 b0 02  00 00 ac 03 03 cf 21
         ad 20 12 74 e5 9a 61 11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c
         5e 07 9e 09 e2 c8 a8 33 9c 00 13 01 00 00 84 00 28 00 02 00 17
         00 2c 00 6c 73 31 33 20 73 20 61 70 20 74 00 72 3c c7 0f 98 68
         61 66 66 69 63 20 91 14 ee 6d bc bb 7b 7c 21 00 00 00
         00 73 d2 77 2a 29 c9 93 b4 e0 f5 c3 78 de 45 9e 99 ea 00 30 97 19
         7d a5 d5 c0 86 38 74 31 85 03 d3 dd e2 41 7d 5f b7 8c 92 76 13 14 10
         ea d1 1a a9 2e 9e 8a f5 4e a0 f3 32 fd 35
         54 51 f8 70 7c 4f 14 92 86 7b 67 ed 2e 84 7e 08 7e 6a bf 98

      output (32 octets):  82 4f 40 74 98 f3 55 f7 c4 56 7d 64 1a c4 9d a3
         cc 44 1c fe a5 7c 86 6d 01 28 04 88 63 74 bb 4f 96 d8 c5 fd 48 30
         d1 70 dd 1b 3f 8a 85 a1

   {server}  derive secret "tls13 exp master":

      PRK (32 octets):  67 f3 ca a1 17 ab ee 19 60 52 d8 e4 29 3d 62 80 44 45 c3 84 1d f0 3b 6d d6 cf 0c be
         84 eb 2d 1e 29 b6 88 4b 7c 00 cc 5e 6c e7 ac 36 47 29 3c de 0e a7 00 2b 59 8b c0 79 99 24 00 02 7f 16

   {client}  create an ephemeral P-256 key pair:

      private key

      hash (32 octets):  e5 d7 d7 16  91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 54 b7 0d 85 b7 ef
         51 f8 ff 9f
         b4 70 7c 4f 14 92 ed 2e 84 7e 08 7e 6a bf 98

      info (52 octets):  00 20 10 f8 cc 74 6c 73 31 33 20 65 78 70 20 6d 5c 0d 46 cb 4f 3c 96 28 61 c5 73
         74 65 72 20 88 5d e0

      public key (65 octets):  04 17 91 14 ee f5 c3 d5 c0 86 d1 1a a9 f3 32 fd 35 66 97 54 51
         f8 70 7c 4f 14 92 26 4a 94 82 cf 17 8e 99
         0a e8 49 ed 2e 84 7e 08 7e 6a bf 98

      output (32 octets):  aa 09 d0 be d1 a3 55 2f 70 92 4b bd 25 44 60 e7 71 ec b8 4c 7b 02 2b 84 f0 57 eb
         c4 f1 3c 0a 68 8f 6b b9 03 a2 e7
         ad 9d 2f 7d 44 f5 b1 e3 59 1a d0 04 33 a6 b2 d8 6d 57 9a af 1b 6a 2b
         01 35 7b 72 df 0e 6e 00 08 7a bb

   {client}  send a ClientHello handshake message

   {client}  send handshake record:

      payload (512 42 c9 17

   {server}  derive write traffic keys for application data:

      PRK (32 octets):  01 00 01 fc 03 03 24 cc 22 ad 4c 8b 8c ed
         c8 e7 ee ac 95 93 1b 24 9d 3a dd 7d  82 4f 40 74 98 c5 e0 d8 35 f5 d7 81 0d
         fb b1 80 f3 55 f7 c4 56 7d 1a c4 9d a3 cc
         44 1c fe a5 7c 86 6d 01 28 04 88 63 74 bb 4f a1

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00 06 13 01 13 03
      key output (16 octets):  1d dd e3 13 e4 23 c0 bb b4 6e 21 55 4e 62
         bc 02 01

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  1d 33 01 7e 40 29 4c bc df b2 cd 00 00 00 ec

   {server}  derive read traffic keys for handshake data:

      PRK (32 octets):  96 f0 1d 63 6d 87 b9 36 1c 0b 8b 93 0c de d9 7b
         59 06 0b 89 3b e2 4e 5d 64 b5 25 86 c0 39 ac 18

      key info (13 octets):  00 10 09 00 00 06 74 6c 73 31 33 20 6b 65 72 76 65 72 ff 01 00 01 00 79 00 0a

      key output (16 octets):  dd e8 55 4c 07 08 a0 f7 7c dd da 22 50 43
         b4 82

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00 06

      iv output (12 octets):  10 90 01 0f e7 e8 21 c7 40 6b 82 d0

   {client}  extract secret "early":

      salt:  (absent)

      ikm (32 octets):  00 1d 00 17 00 18 00 28 00 47 00 45 00 17 00 41 04 17 35 66 97
         92 26 4a 94 82 cf 17 8e 99 0a e8 49 a3 55 2f 71 ec b8 4c 7b 02
         2b 84 f0 57 eb b9 03 a2 e7 ad 9d 2f 7d 44 e3 59 1a d0 04 33 a6
         b2 d8 6d 57 9a af 1b 6a 2b 01 72 df 0e 6e 00 08 7a bb 00 2b 00
         03 02 7f 16 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08
         05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2c 00 74
         00 72 3c c7 0f 98 68 ee 6d bc bb 7b 7c 21 00 00 00 00 73
         d2 77 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 29 c9

   {client}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 b4 e0 c3 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 de 45 9e 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 9c 48 25 0c eb ea 00 30 c3 57 6c 36 11 ba

   {client}  extract secret "handshake":

      salt (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 19 7d a5
         86 38 74 31 85 03 d3 dd e2 41 7d 5f b7 8c 92
         16 c0 76 13 14 10 18 9c 48 25 0c eb ea a9
         2e 9e 8a f5 4e a0 92 86 7b c3 57 6c 36 11 ba

      ikm (32 octets):  67 5e 8f e3 7d 64 4f 96 d8 c5 fd 48 30 f3 8e b4 ae d1 70
         dd 1b 3f 8a 85 17 ab ee 19 60 52 d8 ac 3e a4 a0 a1 63
         a7 26 56 83 e4 29 3d 62 f0 3b 6d 29 ca 95 40 43 87 73 24 aa cf 70

      secret (32 octets):  56 b6
         88 4b d9 4c b7 89 04 56 07 85 86 b5 d6 5d 69
         69 bc 7c 48 51 ff 7f 95 33 75 ed cb e2 60 4c 1f 8e

   {client}  derive secret "tls13 c hs traffic" (same as server)

   {client}  derive secret "tls13 s hs traffic" (same as server)

   {client}  derive secret for master "tls13 derived" (same as server)

   {client}  extract secret "master" (same as server)

   {client}  derive read traffic keys for handshake data:

      PRK (32 octets):  48 c0 79 83 b0 b1 9b 41 75 36 af 49 aa 3c 4f a1
         20 26 fe fa 16 d0 40 12 8b 7f 87 19 6c ab fe 14

      key info (13 octets):  00 cc 5e 10 09 74 6c e7 ac 36 47 0e a7 00 2d 73 31 33 20 6b 65 79 00

      key output (16 octets):  c9 66 8b e3 a4 eb 59 74 eb 92 ff 02 01 01 00 15
         00 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bb d7
         2e 0b

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  a0 3e bc f0 df 01 00 7b 81 7b 21 de

   {client}  calculate finished "tls13 finished" (same as server)

   {client}  derive secret "tls13 c ap traffic" (same as server)

   {client}  derive secret "tls13 s ap traffic" (same as server)

   {client}  derive secret "tls13 exp master" (same as server)

   {client}  derive write traffic keys for handshake data (same as
      server read traffic keys)

   {client}  derive read traffic keys for application data (same as
      server write traffic keys)

   {client}  calculate finished "tls13 finished":

      PRK (32 octets):  96 f0 1d 63 6d 87 b9 36 1c 0b 8b 93 0c de d9 7b
         59 06 0b 89 3b e2 4e 5d 64 b5 25 86 c0 39 ac 18

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets):  a2 e7 bc 56 e4 4c 66 f7 b1 f7 e9 5f 43 4b 03
         49 7c 09 11 73 96 b8 6e a1 88 a2 e7 5e 4b 5b 52 bd

   {client}  send a Finished handshake message

   {client}  send handshake record:

      payload (36 octets):  14 00 00 20 dd 60 b6 e8 68 65 0c d8 8a 16 ae
         ea be c9 ef 92 8b d1 4a 55 cc fc 9b 25 36 bb f8 5b ef cb a9 2f

      ciphertext (58 octets):  17 03 03 00 35 10 83 df 24 a1 2c 20 11 96
         5e 1c 0c d5 82 85 53 dc 17 d9 4f 60 a4 b9 03 58 8c d3 00 63 3b
         de 1c 93 48 a5 38 d4 a9 67 66 ce e5 2c 32 46 4c 84 8b cd 12 19
         9b 2f

   {client}  derive write traffic keys for application data:

      PRK (32 octets):  33 60 70 33 79 0d 4d 7d 0f d0 db d9 6f 3c 78 21
         75 8f 78 14 79 4f 9b b1 e9 c9 17 de 7b ef d4 b2

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  74 df 54 32 03 d8 58 9d c5 27 43 85 9f 6c
         cd da

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  c1 af 57 8c 97 99 e3 a6 48 08 70 35

   {client}  derive secret "tls13 res master":

      PRK (32 octets):  67 f3 ca a1 17 80 44 45 c3 84 1d f0 d6 cf 0c be
         84 eb 2d 1e 29 29 3c de 0e 59 8b c0 79 99 24 00

      hash (32 octets):  e6 a1 73 98 69 66 1d dc bb dc 11 0a ed ed 74 bc
         13 74 65 fa a9 20 ec 69 ea 9e cc 73 60 b2 9d d2

      info (52 octets):  00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73
         74 65 72 20 e6 a1 73 98 69 66 1d dc bb dc 11 0a ed ed 74 bc 13
         74 65 fa a9 20 ec 69 ea 9e cc 73 60 b2 9d d2

      output (32 octets):  5f 86 e4 2a b7 ff e8 49 b9 3e ed b3 f6 e3 88
         a8 a4 55 72 b1 cc 03 88 30 44 c6 dd 25 04 57 b9 8b

   {server}  calculate finished "tls13 finished" (same as client)

   {server}  derive read traffic keys for application data (same as
      client write traffic keys)

   {server}  derive secret "tls13 res master" (same as client)

   {client}  send alert record:

      payload (2 octets):  01 00

      ciphertext (517 (24 octets):  16  17 03 03 02 00 13 a5 48 29 ee 82 c4 6f 8a 11
         08 8a ff d2 51 1e 5c 2d d6 d1

   {server}  send alert record:

      payload (2 octets):  01 00 01 fc

      ciphertext (24 octets):  17 03 03 24 cc
         22 ad 4c 8b 8c ed c8 e7 ee ac 95 93 1b 24 9d 3a dd 7d 98 c5 e0
         d8 35 f5 d7 81 0d fb b1 80 00 00 06 13 01 13 03 13 02 01 00 01
         cd 00 00 00 0b 00 54 78 81 09 00 00 06 73 65 72 76 65 80 71 83 23 ed
         12 c2 e3 d1 a0 c0 f4 87 72 ff 01 00 01 00
         00 0a 00 08 00 06 00 1d 00 17 00 18 00 28 00 47 00 45 00 17 00
         41 04 17 35 66 97 92 26 4a 94 82 cf 17 8e 99 0a e8 49 a3 55 40

6.  Client Authentication

   In this example, the server requests client authentication.  The
   client uses a certificate with an RSA key, the server uses an ECDSA
   certificate with a P-256 key.  Note that private keys for this
   example are not included in the draft.

   {client}  create an ephemeral x25519 key pair:

      private key (32 octets):  6d 8b a2 5f f1 2f 88 11 f2 67 80 03 48
         ea da fc c1 c5 74 1c 65 fc 45 8d fd b4 f8 f0 19 8f 01 c9

      public key (32 octets):  96 33 5a 91 2f
         71 ec b8 9a 39 44 4c 7b 02 2b 84 cc 04 fd 51 51
         f0 57 eb b9 03 a2 e7 ad 9d de 0b da 04 02 75 dd 2f 07 10 5a 1c 7d 44 e3
         59 1a d0 04 33 a6 b2 d8 6d 57 9a af 1b 6a 2b 93 89 99 13

   {client}  send a ClientHello handshake message

   {client}  send handshake record:

      payload (186 octets):  01 72 df 0e 6e 00
         08 7a bb 00 2b 00 03 02 7f 16 00 0d 00 20 00 1e 04 03 05 03 06 b6 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02
         06 02 02 02 00 2c 00 74 00 72 3c c7 0f 98 68 ee 6d bc bb 7b 7c
         21 00 00 00 00 1d fe f2 73 d2 77 2a 29 c9 93 b4 49 8b 2c
         68 e0 c3 78 de 45 9e 99 ea
         00 30 97 19 7d a5 86 38 74 31 85 03 d3 dd e2 41 7d 5f b7 8c 92
         76 13 14 10 ea a9 2e 9e 8a f5 4e a0 92 86 7b 67 7d 64 4f 96 d8
         c5 fd 48 30 d1 70 dd 1b 3f 8a 85 17 ab ee 19 60 52 d8 e4 29 3d
         62 f0 3b 6d 29 b6 88 44 af 2c 39 12 ca 6e 91 4b 7c 00 cc 5e 6c e7 ac 36 47 0e a7 d8 88 f9 09 41 8b f4 8b a3 b5
         75 a4 a1 00 2d 00 02 06 13 01 13 03 13 02 01 00 15 00 b5 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 87 00 00 00 0b 00
         09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12
         00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00
         26 00 24 00 1d 00 20 96 33 5a 91 2f 9a 39 44 4c cc 04 fd 51 51
         f0 de 0b da 04 02 75 dd 2f 07 10 5a 1c 7d 93 89 99 13 00 2b 00
         03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08
         05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d
         00 02 01 01

      ciphertext (191 octets):  16 03 01 00 ba 01 00 00 b6 03 03 1d fe
         f2 73 b4 49 8b 2c 68 e0 44 af 2c 39 12 ca 6e 91 4b d8 88 f9 09
         41 8b f4 8b a3 b5 75 a4 a1 00 00 06 13 01 13 03 13 02 01 00 00
         87 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00
         00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01
         03 01 04 00 33 00 26 00 24 00 1d 00 20 96 33 5a 91 2f 9a 39 44
         4c cc 04 fd 51 51 f0 de 0b da 04 02 75 dd 2f 07 10 5a 1c 7d 93
         89 99 13 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e 04 03 05 03 06
         03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02
         06 02 02 02 00 2d 00 02 01 01

   {server}  extract secret "early":

      salt:  (absent)

      ikm (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

   {server}  create an ephemeral P-256 key pair:

      private key (32 octets):  b1 6d 06 d1 40 ff d5 a9 3b b1 bf 4d 58
         d7 3d 97 06 62 b9 a5 50 25 ca 63 bc b1 b4 f6 75 ac 73 15

      public key (65 octets):  04 89 cf b4 c1 91 61 f7 0e b1 5a 43 81 40
         02 13 53 46 37 bd b4 fe d0 20 a9 2e 59 d9 58 10 ff eb e3 a8 dd
         bd f2 e2 cc 65 71 fe 17 df 28 3a 37 x25519 key pair:

      private key (32 octets):  4c 22 f1 23 f3 32 fc b0 cb 3d
         8b bb 9f 0b c1 22 00 9b 54 ae dc 6f 54 2e
         98 01 4d a2 91 e6 f5 b8 77 03 67 5e 49 f6 10 06 ae 86 65 e0

      public key (32 octets):  c5 4d 65 0c e2 52 6e 90 24 f2 a3 68 9e 3b
         82 58 87 e5 82 b6 c0 e6 07 46 ae 75 dd a0 bd 2f 8a 5b 6d 53

   {server}  send a ServerHello handshake message

   {server}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {server}  extract secret "handshake":

      salt (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      ikm (32 octets):  ba 1c d6 f8 aa 98  49 a2 de ff b7 ba bb 8e 52 14 3a 0c 4b 7c a4 e9 c1 3a 6f 64 93 88 ec
         4d 2f
         d3 e8 2d 34 87 b5 dc d0 68 37 bd 5c ff 5d 7b e3 0a 20 80 ef 62 6a 92 b3 41 23 a2 e0 1e 5b

      secret (32 octets):  8e f8 e6 41 ab fd 33 02 a2 4a c0 03 d0 98 2a
         3e 6e ef cd 99 46 ed  f4 58 19 82 b8 1b 4d e2 ab c8 7d 79 77 70 fb 25 ec e8 ec 05 ce 3a 97
         3e c3 30 47 00 5c 29 fd f8 b0 3d 35 73 ba 3b 8b 6d

   {server}  derive secret "tls13 c hs traffic":

      PRK (32 octets):  8e f8 e6 41 ab fd 33 02 a2 4a c0 03 d0 98 2a 3e
         6e ef cd 99 46 ed  f4 58 19 82 b8 1b 4d e2 ab c8 7d 79 77 70 fb 25 ec e8 ec 05 ce 3a 97 3e
         c3 30 47 00 5c 29 fd f8 b0 3d 35 73 ba 3b 8b 6d

      hash (32 octets):  87 73 ef 3f d6 03 64 ff ab 64 c5 f1 66 f8 30 09
         c2 9e c6 70 16  b4 76 e5 cc 60 b5 1a 2f d4 d5 07 36 d3 7a 2a dd 9e 27 ed 25 98 2a 10 6e ec
         8c 28 f3 57 ef 19 8c b6 1d e4 a1 3b a2 78 1f 8d

      info (54 octets):  00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72
         61 66 66 69 63 20 87 73 ef 3f d6 03 64 ff ab 64 c5 f1 66 f8 30
         09 c2 9e c6 70 16 b4 76 e5 cc 60 b5 1a 2f d4 d5 07 36 d3 7a 2a dd 9e 27 ed 25 98 2a 10 6e
         ec 8c 28 f3 57 ef 19 8c b6 1d e4 a1 3b a2 78 1f 8d

      output (32 octets):  1e  06 bd cc 2f 05 32 35 23 70 af b2 10 3a c5 96 e5 a8 67 3e ae 2c 42 0c
         ff b2 d9 45 99 d9 00 08 94 0b db a8 8c a7 13 71 84 d5 66
         31 4a cb 81 bb e1 d2 98 02 f5 78 ef 1e 43 72 26 26 35

   {server}  derive secret "tls13 s hs traffic":

      PRK (32 octets):  8e f8 e6 41 ab fd 33 02 a2 4a c0 03 d0 98 2a 3e
         6e ef cd 99 46 ed  f4 58 19 82 b8 1b 4d e2 ab c8 7d 79 77 70 fb 25 ec e8

      hash (32 octets):  87 73 ef 3f d6 03 64 ff ab 64 c5 f1 66 f8 ec 05 ce 3a 97 3e
         c3 30 09
         c2 9e c6 70 16 47 00 5c 29 fd f8 b0 3d 35 73 ba 3b 8b 6d

      hash (32 octets):  b4 76 e5 cc 60 b5 1a 2f d4 d5 07 36 d3 7a 2a dd 9e 27 ed 25 98 2a 10 6e ec
         8c 28 f3 57 ef 19 8c b6 1d e4 a1 3b a2 78 1f 8d

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
         61 66 66 69 63 20 87 73 ef 3f d6 03 64 ff ab 64 c5 f1 66 f8 30
         09 c2 9e c6 70 16 b4 76 e5 cc 60 b5 1a 2f d4 d5 07 36 d3 7a 2a dd 9e 27 ed 25 98 2a 10 6e
         ec 8c 28 f3 57 ef 19 8c b6 1d e4 a1 3b a2 78 1f 8d

      output (32 octets):  82 54 e1 25 3f 75 bf a5 bb 5c 4e f2 b1  bb 79
         73 e0 b7 b8 32 51 31 2b ce 86 30 8e a1 27 5b 26 0b 1a b5 52 e0 ab eb 1b 23 63 39 ad c3 90
         39 1e dc 93 38 80 54 eb 6b d6 87 79 d1 38 40 61 f7

   {server}  derive secret for master "tls13 derived":

      PRK (32 octets):  8e f8 e6 41 ab fd 33 02 a2 4a c0 03 d0 98 2a 3e
         6e ef cd 99 46 ed  f4 58 19 82 b8 1b 4d e2 ab c8 7d 79 77 70 fb 25 ec e8 ec 05 ce 3a 97 3e
         c3 30 47 00 5c 29 fd f8 b0 3d 35 73 ba 3b 8b 6d

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  91 74 25 ca 4f 3e  30 5e e3 40 22 d4 47 ef 6d 28 26 2a b4 9f 3a f7
         b0 2c e2 e6 bb 99 ff db c1 25 f2 f7
         08 e9 7c 1c 75 56 cd e8 63 52 1f 40 b3 c8 2f 49 fb da 8a 36 45 f4 6f 79 04 e6

   {server}  extract secret "master":

      salt (32 octets):  91 74 25 ca 4f 3e  30 5e e3 40 22 d4 47 ef 6d 28 26 2a b4 9f 3a f7 b0
         2c e2 e6 bb 99 ff db c1 25 f2 f7 08
         e9 7c 1c 75 56 cd e8 63 52 1f 40 b3 c8 2f 49 fb da 8a 36 45 f4 6f 79 04 e6

      ikm (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  5f 5f 3a b7 4a c0 3b 74 79 0f 0f 40 33 f9 e9
         3c 18 44 95 ac 41 03 a9 f2 2d 43 d8 dc 57 86 a2 95  c5 e8 54 45 75 ea 22 fb 0b 25 bc d1 72 1c c7
         56 ed 94 9c f7 7c 56 d4 24 b6 d2 eb d3 4b a7 4c ee

   {server}  send handshake record:

      payload (123 (90 octets):  02 00 00 77 56 03 03 eb 62 5e d0 a8 a3 3c 5f
         a3 c2 77 5a eb a4 c6 d8 ef 9b d4 2a 4f 31 71 f2 ff ea e4 ea 53 38 f5 87 b5 27
         30 41
         6f f7 3a bd c6 67 4a 66 bf e4 04 1a 57 ef de 4f 63 9c c2 4c 22 f9 e9
         77 77 00 13 01 00 00 4f 2e 00 28 33 00 45 24 00 17 1d 00 41 04 89 cf b4
         c1 91 61 f7 0e b1 5a 43 81 40 02 13 53 46 37 bd b4 fe d0 20 a9
         2e 59 d9 c5 4d 65 0c e2
         52 6e 90 24 f2 a3 68 9e 3b 82 58 10 ff eb e3 a8 87 e5 82 b6 c0 e6 07 75 dd a0
         bd f2 e2 cc 65 71 fe 17 df 28 3a
         37 22 f1 23 f3 32 fc b0 cb 3d 8b bb 9f 0b 65 e0 07 46 ae 2f 8a 5b 6d 53 00 2b 00 02 7f 16 1c

      ciphertext (128 (95 octets):  16 03 03 00 7b 5a 02 00 00 77 56 03 03 eb 62
         5e d0 a8 a3 3c 5f a3 c2 77 5a eb a4 c6 d8 ef 9b
         d4 2a 4f 31 71 f2 ff ea e4
         ea 53 38 f5 87 b5 27 30 41 6f f7 3a bd c6 67 4a 66 bf e4 04 1a 57 ef de 4f 63
         9c c2 4c 22 f9 e9 77 77 00 13 01 00 00 4f 2e 00 28 33 00 45 24 00 17 1d 00 41 04 89 cf b4 c1 91 61 f7 0e b1 5a 43 81 40 02 13 53 46 37
         bd b4 fe d0
         20 a9 2e 59 d9 c5 4d 65 0c e2 52 6e 90 24 f2 a3 68 9e 3b 82 58 10 ff eb e3 a8 87 e5 82 b6
         c0 e6 07 75 dd a0 bd 2f 8a 5b 6d 53 00 2b 00 02 7f 1c

   {server}  derive write traffic keys for handshake data:

      PRK (32 octets):  bb 5b 26 0b 1a b5 ab eb 1b 23 63 39 ad c3 90 39
         1e dc 93 38 80 54 eb 6b d6 87 79 d1 38 40 61 f7

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  44 f7 bd 7a d2 f2 e2 cc 65
         71 fe 17 df 28 3a 37 22 f1 23 f3 32 fc b0 cb 3d 8b bb 9f 0b 65
         e0 07 46 ae 13 b2 94 7b c7 29 be 6f
         b7 c4

      iv info (12 octets):  00 2b 0c 08 74 6c 73 31 33 20 69 76 00 02 7f

      iv output (12 octets):  38 29 95 dc ff fc c2 32 16 86 39 75

   {server}  send a EncryptedExtensions handshake message

   {server}  send a CertificateRequest handshake message

   {server}  send a Certificate handshake message

   {server}  send a CertificateVerify handshake message

   {server}  calculate finished "tls13 finished":

      PRK (32 octets):  82 54 e1 25 3f 75 bf a5 bb 5c 4e f2 b1  bb 79 73
         e0 b7 b8 32 51 31 2b ce 86 30 8e a1 27 5b 26 0b 1a b5 52 e0 ab eb 1b 23 63 39 ad c3 90 39
         1e dc 93 38 80 54 eb 6b d6 87 79 d1 38 40 61 f7

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets):  a3 3a 40 a0 16 61 06 92 2f 96 9d 66 28 69 0e
         ad  c7 68 70 3c 8c 1f 97 a6 f7 6c e1 62 ac 22 08
         c4 d4 72 f3 eb 2d 72 71 29 6b 1c 9f 44 14 64 e8 f4 c4 c2 33 14 10 15 0f 2f b7 36 de 45 3e b9

   {server}  send a Finished handshake message

   {server}  send handshake record:

      payload (639 (510 octets):  08 00 00 12 1e 00 10 1c 00 0a 00 14 00 12 00 1d
         00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 0d
         00 00 27 00 00 24 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08
         04 08 05 08 00 06 00 17
         00 18 00 1d 00 00 00 00 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02
         0b 00 01 b9 3b 00 00 01 b5 37 00 01 b0 32 30 82 01 ac 2e 30 82 01 15 81 d5 a0 03 02
         01 02 02 01 02 07 30 0d 0a 06 09 08 2a 86 48
         86 f7 0d 01 01 0b 05 00 ce 3d 04 03 02 30 0e 13 31 0c 11
         30 0a 0f 06 03 55 04 03 13 03
         72 08 65 63 64 73 61 32 35 36 30 1e 17 0d
         31 36 30 37 33 30 30 31 32 33 35 39 5a 17
         0d 32 36 30 37 33 34 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06
         03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7 17 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f
         82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26
         d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c
         1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52
         4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74
         80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93
         ef f0 ab 9a 80 02 c4 74 28 a6 d3 32 36 30 37 33 30
         30 31 32 34 30 30 5a 8d 88 d7 9f 7f 1e 3f 30 13 31 11 30 0f 06 03 55 04 03 13 08 65
         63 64 73 61 32 35 36 30 59 30 13 06 07 2a 86 48 ce 3d 02 01 06
         08 2a 86 48 ce 3d 03 01 07 03 42 00 01 04 08 d5 30 16 15 75 f4 cf
         e7 f1 54 ee 34 48 18 00 86 00 1e 88 43 1a 79 ee 62 ee 6e 2f 83
         ef 38 ba 61 e9 fb 37 f3 4e 00 7a 7d f4 d2 f5 b5 6d 1f 04 ec e4
         5d 62 1f 46 84 06 f5 c3 a1 51 58 94 8d d0 a3 1a 30 18 30 09 06
         03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 05 a0 07 80
         30 0d 0a 06 09 08 2a 86 48 86 f7 0d 01
         01 0b 05 00 ce 3d 04 03 81 81 02 03 48 00 85 aa 30 45 02 21 00 df
         30 fd 45 07 f5 ed d2 a0 e5 b9 27 6b 90 8c 65 f7 3a
         72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea
         e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 2c 1a 03 01
         51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c 6f f8 6d b4 79 ca e6 be
         c1 fc 63 69 3f ee ca 3b 71
         b3 f9 ef 55 6b 29 37 c0 59 4d 02 20 62 e2 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 72 50 d3 20 3b
         1c 3b 84 e0 fe a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40
         3c 7e 2d cc 0c c8 f8
         96 12 29 ac 91 87 b4 2b 4d e1 cb 5b 76 a5 0e 02 00 c0 9a db d1 3f ee 94 6e 51 3e 01
         1d 11 00 00 0f 00 00 84 08 4a 04 03 00 80 96
         ac 87 45 e8 60 64 a1 18 d3 35 75 88 1c c7 db 99 b7 ad 46 30 44 02 20 30 e4 bf a4 27
         2e fb 5c f6 42
         04 2f 0c 6a 4c 65 42 d6 15 3e 47 f7 b4 71 2d 9f 9f 7c 16 7a 9c fe
         1b 9f 7a e7 41 4b ff 4c d1 3c dd 81 1d ce a8 95 68 62 19 07 ce 22 7b f2 ec 74
         38 e9 22 6e 7d da 00 0e f8 34 85 60 ed 21 6b 28 5d a8 bc 6d b6 10
         3c aa 96 59 00 d8 84 7c a6 f0 ea a1 83 51 88 a7 dc
         81 04 7e f8 18 40 64 da 4f 7d 02 20 7f af cb e9 ab db 07 6d c7 b5 98 ff 54
         36 a0 4e 01 7d e3 0d b8 ed 0e fe
         2c 12 eb f3 2e 55 3b e2 60 90 17 47 3d a6 99 4f e7 40 21 15 e8 3e 0f 63 20 63 42
         b8 d3 99 04 3c 7f 14 00
         00 20 a4 98 49 23 dd 33 35 94 bd 90 4b 9e 80 1b c1 ab a1 88
         73 31 14 12 63 9b 3b 55 a5 c3 9b a4 57 ba 4b 16 c7 62 cd a9 f6 f3 0f e9 a6 88 c0 7f 44 92 b7
         64 74 0c 52 6d 57 9e 83 98 40 5b ec 1c

      ciphertext (661 (532 octets):  17 03 03 02 90 11 09 c2 d4 04 4a ea 1f
         e6 a7 d0 0f e7 f9 f2 8e 34 e1 52 4a 86 e6 b3 fd 43 3a 4a 86 8a 8c 10 1a 58 ab b3
         38 1e 66 c6 9a bc b0 0d c0 ba d7 b4 9c c3 24 55 aa 28 c8 e5 13
         13 a0 9b 4f 19 fc 3c b9 9b 35 5e 8a 4a fc 74 84 c4 c6 d4 de 32
         d5 75 01 4c 53 71 48 ce 7d df 31 d9 3a f5 fb f1 ac dd b8 c7 13
         32 e7 ce d7 7a 2f 4d e0 16 dd 98 5a 2c ec 06 8a e2 49 fd a9 bc
         a4 d7 5c
         23 19 5a df d8 b8 03 95 00 e9 e1 d6 c6 01 20 6a 6a 85 32 33
         56 1a ab ca f5 cc f2 e2 b7 c5 9e 74 75 1a 41 ca 95 15 03 26 a8
         f2 25 56 7f bb 9f ad 99 39 8e 43 43 e3 2f e5 17 0e 24 cf d2 64 45 c3 58 79 45 3d
         2a 55 40 45 0f 90 73 32 b6 d6 ca a2 7b 7a 87 36 bd 32 29 39 c9 47 90 05 d9 4b e8 ff
         5c 3a bb 07 ac b8 95 18
         ca 63 84 cf 66 dd 97 36 2f 8c 40 13 26 d4 22 d5 3f bd 68 1b 14
         09 16 ec 14 91 4e 0e 3e 2e 2e 3d 0e bb 71 b9 31 45 32 49 58 5f
         10 6c 5b b7 f9 c7 8d 86 91 76 5c 52 7a bb 61 04 dd 7f 12 97 9a c3 6d
         63 26 96 81 a1 36 f2 22 cd e6 a4 64 38 c5 a9 ac b0 d1 96 15 f4
         7e e9 e3 2a a3 25 2e 0c 3b 1d 4d a1 ec fe f3 d8 1c
         41 c9 9b 39 6a df 7f 47 a9 92 b5 29 09 72 b6 e4 c1 73 94 af 05 06 f1
         41 37 c1 b1 91 7c a5 f1 e4 da 3a 61 8b ea a8 63 50 b4 98 5b 96 51 ef c5 14 80 09 61 4e 1e 28
         ce 2d f7 c4 3f 47 c4 6d 75 df dd e9 33 1f e2 ae e5 44 c4 a1 40 10 2a
         db c1 12 d4 45 1e 80 f2 1b 90 46 02 9e 71 b9 36 60 49 c9 ac aa 36 82
         79 f0 dc 27 00 9a 62 b8 8a 57 58 8a 6d
         67 8e 8d 3f 7f da f4 cf 16 18 b6 4d eb db fc 09 88 eb 40 92 ea
         10 bb 0e ec 14 8f 62 46 47 03 f1 15 1d 96 6d 2d 71 a7 55 44 6a 50 8d 77 05 5d 42 df de 74 9f 3f fb 2b
         10 11 0d
         42 7e f6 89 c7 a6 5f ff 1c bf a1 2c 5e fa 2c e3 77 3d bf f2 a1
         ea 2f 9d c2 1e f7 28 1d 8c be 97 83 41 e8 1d b7 2b 53 ae 2b a8 70 70 f2 79 15 b8
         a3 4a 4c 92 03 70 f0 81 01 7b 00 b2 1d 13 36 3b f7 75 98 a8
         29 7c 99 3d 6d 97 45 53 f7 19 6a 83
         dd e2 a5 5c 30 10 55 f9 c6 2f 78 04 dc fe 20 ee 03 34 ab 7b 52 5f
         6a 67 f6 ed bf dc cf d3 32 af 0c e6 86 ec 45 6c 5e 12 f4 fb 28 3f d5 25 e2 3e eb 0c b8 e3 2b f8 f1 6a 24
         84 ad 1d c6 de 4e 28 03 41 9a 1f 5c 0d 83 7c 3a b3 ad 78 43 04 fc d2 62 65 b4 ef 5f ac d6
         6e 21 87 30 b2 b4 98 06 fd 75 e5 bc b1 8c 36 18 e1 a9 e8 9e 70 06 35 c1
         d3 28 30 f4 af f6 60 7a 7b 9b fa b4
         52 9e 01 7c 04 72 81 1e 4e 19 02 b1 c0 88 4e 3c 97 dd
         44 3f 69 5e e3 fe 76 db 3e 21 d8 99 77 d3 cc d4 36 ae 87 0f 7f 1d 25 b1 3e 00 cc
         41 9c c4 5a 44 69 29 92 c2 be 85 5c ae e1 bc 5d
         e8 20 9a 37 75 c9 79 2c 78 00 a7 6f 62 41 fb c2 24 b8 90 9c ff bd 94
         d7 c8 38 f4 d9 5e 2c a6 d2 6e 8e ae 0f 0c 7b ac f3 85 1c 31 d4 1f
         b1 fd 0c 19 72 80 61 8f 43 c5 ed ba b5 d3 6d 50 59 cb 7a e5 04
         f4 cc 2d 42 f9 81 83 eb eb a6 e3 95 77 2b 31 70 35 d6 bd 45 fc 64 f3 50 ef
         15 6e 7e e0 15 ce 0d d6 c8 9e 23 0b aa 54 33 5b 46 0c fd e3 04 3b
         21 cc a2 66 72 2c c6 4b 92 e8 67 42 a9 51 67 c7 88 4d b3 27 64 0f 48 d8 3f 63 5f 95 be f6 7f b3 60 c3 c9
         8e db d6 ae 57 fb 61 f8
         88 90 4f ae d0 dc 59 38 20 b2 48 3e 6f 73 1e f8 3c 52 4d f9 27 18 86 06 89 8b ea e5 2d ae 39 51 5d
         9c 54 b9 87 88
         98 d1 66 5a 7c ac 02 16 88 29 2e 39 fa 32 55 0a a4 46 a5 e3 7c 9d af 15 73 7f f2 85 43 59 b0

   {server}  derive secret "tls13 c ap traffic":

      PRK (32 octets):  c5 e8 54 45 75 ea 22 fb 0b 25 bc d1 72 1c c7 56
         ed 38 71 39 94 9c f7 7c 56 d4 24 b6 d2 eb d3 4b a7 4c ee

      hash (32 octets):  eb b3 96 15 37 1e 46 21 1d 85 47 cc 53 13 7b 43 f4 0b c5 05 b8
         80 16 8c 02 d3 d8 37 4b 4a 03 4d 38 18 69
         57 81 da 2a 23 ec 82 b5 81 ca 46 58 5a 19 98 3d b0 34 56

      info (54 octets):  00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72
         61 66 66 69 5b 84 63 20 eb b3 96 15 37 94 07 cc 87 dc 85
         4e 0d 06 3e 6d 62 d2 3c 97 97 5e 91 7d b6 d5 1e 46 21 82 83 a2 e8 15
         16 1d 85 43 37 5f f4 0b a1 84 59 91 ed 6f 40 9a 68 31 b5 7a 1c 5d dd 88
         fe b6 e9 cc 66 ee 1f 3c 28 60 f6 1d f0 f8 1e bb 3b 0a 87 2d 0c
         2d 00 ae 84 44 5f 47 89 31 7d c5 05
         b8 80 16 8c 02 e1 b6 75 a8 db cc 45 66 d3 d8 37 ca 46 58 5a 19 98 b0 34 28 56

      output (32 octets):  a7 95 ff 20 77 d8 27 3b d4 3f 76 6c 34 b0 dd 5e 57 12 9d 20 2d 86 43 22 be 4c c6 b3 f0 bf df
         cb 6a 62 53 d4 25 39 69 f8 43 fc 64 db fb 4d e8 d1

   {server}  derive secret "tls13 c s ap traffic":

      PRK (32 octets):  5f 5f 3a b7 4a c0 3b  c5 e8 54 45 75 ea 22 fb 0b 25 bc d1 72 1c c7 56
         ed 94 9c f7 7c 56 d4 24 b6 d2 eb d3 4b a7 4c ee

      hash (32 octets):  eb b3 96 15 37 1e 46 21 1d 85 43 f4 0b c5 05 b8
         80 16 8c 02 d3 d8 37 ca 46 58 5a 19 98 b0 34 56

      info (54 octets):  00 20 12 74 79 0f 0f 40 6c 73 31 33 f9 e9 3c
         18 44 95 ac 41 03 a9 f2 2d 20 73 20 61 70 20 74 72
         61 66 66 69 63 20 eb b3 96 15 37 1e 46 21 1d 85 43 f4 0b c5 05
         b8 80 16 8c 02 d3 d8 dc 57 86 a2 95

      hash 37 ca 46 58 5a 19 98 b0 34 56

      output (32 octets):  62 05 ce 54  92 e7 e7 04 3b 35 7d 6c a6 ca ba 36 0e f1 4f
         b9 c6 f8 0b f2 f4 b4 21 26 f2 e9 c4 2e e5 8d 62 96 79 b7 41 aa

   {server}  derive secret "tls13 exp master":

      PRK (32 octets):  c5 e8 54 45 75 ea 22 fb 0b 25 bc d1 72 1c c7 56
         ed 68 3d 19 12 89
         cd 9b 1f 9a 84 4d 94 c2 3e 95 9c f7 7c 56 d4 24 b6 d2 eb d3 4b a7 4c ee

      hash (32 octets):  eb b3 96 15 37 1e 46 21 1d 85 43 f4 0b c5 05 b8 94 cc 4e 8a 42
         80 16 8c 02 d3 d8 37 ca 46 58 5a 19 98 b0 34 56

      info (54 (52 octets):  00 20 12 10 74 6c 73 31 33 20 63 20 61 65 78 70 20 6d 61 73
         74 65 72
         61 66 66 69 63 20 62 05 ce 54 b4 eb b3 96 15 37 1e 46 21 f2 e9 c4 2e ed 68 3d 19 12
         89 cd 9b 1f 9a 84 4d 94 c2 3e 95 1d 85 43 f4 0b c5 05 b8 94 cc 4e 8a 42 80
         16 8c 02 d3 d8 37 ca 46 58 5a 19 98 b0 34 56

      output (32 octets):  de 2e 40 35 e0 1c 52 ea e4 d5 b8 b3 46 50 c3
         32 04 53 6b 07 03 09  ae a4 f5 ae fb fd 28 fd 24 34 e1 75 96 b2 98
         21 e4 31 95 37 b4 a0 90 65 bc fd db cb 01 8f 22 81 2f 1d 1e e0 d9 37 08 ac

   {server}  derive secret "tls13 s ap traffic": write traffic keys for application data:

      PRK (32 octets):  5f 5f 3a b7 4a c0 3b 74 79 0f 0f 40 33 f9 e9 3c
         18 44 95 ac 41 03 a9 f2 2d 43 d8 dc 57 86 a2 95

      hash (32 octets):  62 05 ce 54 b4 21 f2 e9 c4 2e ed 68 3d 19 12 89
         cd 9b 1f 9a 84 4d 94 c2 3e 95 b8 94 cc 4e 8a 42  92 e7 e7 04 3b 35 7d 6c a6 ca ba 36 0e f1 4f b9
         c6 f8 0b f2 f4 b4 26 f2 e5 8d 62 96 79 b7 41 aa

      key info (54 (13 octets):  00 20 12 10 09 74 6c 73 31 33 20 73 20 61 70 20 74 72
         61 66 66 69 63 20 62 05 ce 54 b4 21 f2 e9 c4 2e ed 68 3d 19 12
         89 cd 9b 1f 9a 84 4d 94 c2 3e 95 b8 94 cc 4e 8a 42 6b 65 79 00

      key output (32 (16 octets):  14 ff 87 2f 92 e2 e2 5c c2 18 e0 15 bf db f7
         b9 1d b3 42 c7  b5 02 c5 17 59 fd 20 00 e2 bd 90 ef 80 f0 b6 d5 3d
         1d 5c 08 06 d7 56 ab 4d

   {server}  derive secret "tls13 exp master":

      PRK (32

      iv info (12 octets):  5f 5f 3a b7 4a c0 3b  00 0c 08 74 79 0f 0f 40 6c 73 31 33 f9 e9 3c
         18 44 95 ac 41 03 a9 f2 2d 43 d8 dc 57 86 a2 95

      hash (32 20 69 76 00

      iv output (12 octets):  62 05 ce 54 b4 21 f2 e9 c4 2e ed 68 3d  19 12 89
         cd 9b 1f 9a 84 4d 94 c2 46 48 8e ca 45 0f 53 3b eb 59 3e 95 b8 94

   {server}  derive read traffic keys for handshake data:

      PRK (32 octets):  06 bd cc 4e 8a 42 2f 05 32 35 23 70 af 13 71 84 d5 66 31
         4a cb 81 bb e1 d2 98 02 f5 78 ef 1e 43 72 26 35

      key info (52 (13 octets):  00 20 10 09 74 6c 73 31 33 20 6b 65 78 70 20 6d 61 73
         74 65 72 20 62 05 ce 54 b4 21 f2 e9 c4 2e ed 68 3d 19 12 89 cd
         9b 1f 9a 84 4d 94 c2 3e 95 b8 94 cc 4e 8a 42 79 00
      key output (32 (16 octets):  10 9f ba 7b bc 8d 86 f3 f8 56  72 ff ef 49 b3 34 ca dc c9 bf d6 a1 0e f3
         c2 fb f6 8c 6e 06 70 1b ab 97 6b a8 ec ee ae 2f
         7e d5

      iv info (12 octets):  00 0c bf 08 74 6c 73 31 33 20 69 76 00 12 d5

      iv output (12 octets):  6b 89 8b 86 fe 32 91 19 81 ef 9f 03

   {client}  extract secret "early":

      salt:  (absent)

      ikm (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

   {client}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {client}  extract secret "handshake":

      salt (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      ikm (32 octets):  ba 1c d6 f8 aa 98  49 a2 de ff b7 ba bb 8e 52 14 3a 0c 4b 7c a4 e9 c1 3a 6f 64 93 88 ec
         4d 2f
         d3 e8 2d 34 87 b5 dc d0 68 37 bd 5c ff 5d 7b e3 0a 20 80 ef 62 6a 92 b3

      secret (32 octets):  8e f8 e6 41 ab fd 33 02 23 a2 4a c0 03 d0 98 2a
         3e 6e ef cd 99 46 ed 19 82 b8 1b 4d e2 ab c8 7d e8

   {client}  derive secret "tls13 c hs traffic" (same as server)

   {client}  derive secret "tls13 s hs traffic" (same as server)

   {client}  derive secret for master "tls13 derived" (same as server)

   {client}  extract e0 1e 5b

      secret "master" (same as server)

   {client}  calculate finished "tls13 finished" (same as server) (32 octets):  f4 58 19 79 77 70 fb 25 ec e8 ec 05 ce 3a 97
         3e c3 30 47 00 5c 29 fd f8 b0 3d 35 73 ba 3b 8b 6d

   {client}  derive secret "tls13 c ap hs traffic" (same as server)

   {client}  derive secret "tls13 s ap hs traffic" (same as server)

   {client}  derive secret for master "tls13 exp master" (same as server)

   {client}  calculate finished "tls13 finished":

      PRK (32 octets):  1e af b2 10 3a c5 96 e5 a8 67 3e ae 2c 42 0c ff
         b2 d9 45 99 d9 00 08 94 0b db a8 8c a7 71 26 26

      hash (0 octets):  (empty)
      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets):  19 3b 17 c6 19 fb 94 85 1f 97 91 db 7b 9a 9e
         03 9d 4f 81 96 9a 93 71 02 06 4b 45 a3 be e9 a3 12

   {client}  send a Finished handshake message

   {client}  send handshake record:

      payload (36 octets):  14 00 00 20 3c 9c 63 c4 72 e5 d6 ab 04 4d 14
         59 2e 5a d8 a2 ef 4c 1d 70 f7 f7 7a 13 3c 8d cc fc 05 a6 df 52

      ciphertext (58 octets):  17 03 03 00 35 cd db d8 39 c3 4d 8d b2 a1
         fc 58 5e 55 78 f6 5f ec 70 81 d6 95 00 88 09 02 5c 0c 9d 4f 87
         5a f9 e7 10 d7 52 a2 0a 3d 2c 59 86 7e 92 6e b4 39 52 e2 8f 91
         83 da derived" (same as server)
   {client}  derive  extract secret "tls13 res master": "master" (same as server)

   {client}  derive read traffic keys for handshake data:

      PRK (32 octets):  5f 5f 3a b7 4a c0 3b 74  bb 5b 26 0b 1a b5 ab eb 1b 23 63 39 ad c3 90 39
         1e dc 93 38 80 54 eb 6b d6 87 79 0f 0f d1 38 40 33 f9 e9 3c
         18 44 95 ac 41 03 a9 f2 2d 43 d8 dc 57 86 a2 95

      hash (32 octets):  cb 0c c7 bc 35 ef 49 7c be e7 ea fa 2b ff a2 2f
         8d a5 b8 28 5e 83 35 48 0c 33 65 81 32 22 2c c2 61 f7

      key info (52 (13 octets):  00 20 10 09 74 6c 73 31 33 20 72 65 73 20 6d 61 73
         74 6b 65 72 20 cb 0c 79 00

      key output (16 octets):  44 f7 bd 7a d2 f2 13 b2 94 7b c7 bc 35 ef 49 7c 29 be e7 ea fa 2b ff a2 2f 8d
         a5 b8 28 5e 83 35 48 6f
         b7 c4

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 65 81 32 22 2c c2 20 69 76 00

      iv output (32 (12 octets):  18 8c 90 bc 6f a9 7a 8d d5 55 1d 80 b1 ae 18
         42 4c f3 e2 f6 90 bc 70 54 e3 6b 33 3f 17 30 17 f3

   {server}  38 29 95 dc ff fc c2 32 16 86 39 75

   {client}  calculate finished "tls13 finished" (same as client)

   {server} server)

   {client}  derive secret "tls13 c ap traffic" (same as server)

   {client}  derive secret "tls13 s ap traffic" (same as server)

   {client}  derive secret "tls13 res exp master" (same as client) server)

   {client}  derive write traffic keys for handshake data (same as
      server read traffic keys)

   {client}  derive read traffic keys for application data (same as
      server write traffic keys)

   {client}  send alert record:

      payload (2 octets):  01 00

      ciphertext (24 octets):  17 03 03 00 13 93 21 5e 8c f7 98 69 b6 9a
         28 57 8f 90 f4 c6 94 6e 5c 9b

   {server} a Certificate handshake message

   {client}  send alert record:

      payload (2 octets):  01 00
      ciphertext (24 a CertificateVerify handshake message

   {client}  calculate finished "tls13 finished":

      PRK (32 octets):  17 03 03 00  06 bd cc 2f 05 32 35 23 70 af 13 71 84 d5 66 31
         4a b5 80 73 c0 a8 93 de 17
         76 47 6d ec cb 81 bb e1 d2 5e 97 84 e3 d1

6.  Client Authentication

   In this example, the server requests client authentication.  The
   client uses a certificate with an RSA key, the server uses an ECDSA
   certificate with a P-256 key.

   {client}  create an ephemeral x25519 key pair:

      private key (32 98 02 f5 78 ef 1e 43 72 26 35

      hash (0 octets):  (empty)

      info (18 octets):  a4 0d c1 93 0c  00 af 20 0e 9d 3b c2 74 6c f9
         0f 5e ee 7d ba 97 17 1f 53 2b 71 7f ef bf bf 87 08 38 c9

      public key 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets):  d5 dd 20 0f ad 08 39 7b 40 f3 e6 14 45 24
         0c 75 78 5e  87 1c e8 63 61 9c 37 09 02 b2 e5 0b 72 7c 5a 04 91 64 0d c1 2c 3a fc aa 08 16 68
         db 0f c5 32 8b bc 3f 0e df 74 66 01 e3 ad e7 d2 a2

   {client}  send a ClientHello Finished handshake message
   {client}  send handshake record:

      payload (186 (623 octets):  0b 00 01 bf 00 00 01 bb 00 01 b6 30 82 01
         b2 30 82 01 1b a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86
         f7 0d 01 01 0b 05 00 30 11 31 0f 30 0d 06 03 a3 ce 55 04 03 a9 0c 76 17 79
         2d ee d9 13 06 63
         6c 69 65 6e 74 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39
         5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 11 31 0f 30
         0d 06 03 55 04 03 13 06 63 6c 69 65 6e 74 30 81 9f 30 0d 06 09
         2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81
         00 c3 81 75 e0 04 a6 8d 09 3f 82 3b 9c 37 9d 20 1f bc 0b b7 a1
         c7 91 90 5e 3f bf 76 84 7e 44 e7 51 eb bc d3 60 bd 94 5c 81 e5
         22 2b cc 88 46 d3 a8 a0 f9 3e 9b f5 be ba bd 92 ed f1 de 1f f1
         90 21 70 3e 7a b6 c0 90 15 13 f9 7e 39 b1 11 f0 9c 93 48 97 1c
         7b 21 19 84 a7 54 cd 45 fe 09 5a f0 ea 42 36 82 9b cc f7 a7 fe
         9b 28 88 e7 8a b4 77 69 0a 5b 9e 1c cb e9 1c 6a b8 fc 10 91 2c 67 f3 3d db d1 50 b3 25 d5
         ca d6 58 00 4a 0f 97 a7 e0
         28 42 01 02 03 01 00 06 13 01 13 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 01 00 00 87 00 00
         30 00 30 0b 00
         09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12
         00 03 55 1d 00 17 00 18 00 19 01 00 01 01 01 0f 04 04 03 02 07 80 30 0d 06 09 2a 86
         48 86 f7 0d 01 03 01 04 00 28 00
         26 00 24 0b 05 00 1d 03 81 81 00 20 1a 7a 5a 01 85 32 b0 22
         af 07 67 d4 86 16 0c ff 2d 16 7a 19 15 d2 38 35 b5 45 94 91 6d
         c6 80 be 5d 2e 62 60 76 c5 d5 dd 20 0f ad 27 22 eb cc 77 5d 7d 99 f9 80 be
         2f c9 4d 34 ac f6 cc 00 ba 90 cb cf b0 60 8a a1 e7 e3 97 1e f0
         c0 7a 41 d4 7a d8 34 5d 1f 81 fe 41 8a 1c f4 10 54 42 9f d2 17
         bd 77 7d c1 cf 08 39 7b 40 f3 e6 14 45 24
         0c 75 f0 5d f9 07 99 c6 59 36 1e 0f 1a 8e e4 ac 0f
         78 5e b2 e5 97 42 0b 72 7c 5a 04 91 64 0d c1 2c 3a 0e 00 2b db c8 23 da 80 a2 f2 ba 23 08 1c 00
         03 02 7f 16 00 0d 0f 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08
         05 84
         08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01

      ciphertext (191 octets):  16 03 01 00 ba 01 00 00 b6 03 03 a3 ce
         03 a9 0c 76 80 8c 72 81 c7 26 a8 cb 2e 3e 17 79 2d ee d9 6e 55 b1 6a b8 fc 10 91 2c 67 f3 3d
         db d1 50 b3 25 d5 ca 22 7f 3a 56 77 69
         f4 31 a0 9c e1 37 f9 18 83 11 6c 53 4c d2 09 89 40 27 9b a9 1d
         dc d7 17 7f 71 70 59 43 1b d6 58 00 00 06 13 01 13 03 13 02 01 00 00
         87 00 00 00 c5 0b 00 09 00 00 06 73 24 77 7f 55 6d 2f bf e4 8d
         c4 b9 6c 6b 5f bd cb 4c 57 5a 58 88 98 c6 e1 48 ef 5f af dd 2c
         1f ee a5 3f 56 72 f0 aa b4 1f 9a 22 cb fa e4 e0 8b 29 5b 14 99
         c4 71 a8 6a 86 65 72 55 92 f0 f6 a0 43 d3 fd 84 05 0e 7b b4 b7 6f
         9f 26 76 65 72 ff 01 00 01 00
         00 0a 00 c7 12 9a 14 00 12 00 20 34 ef 9a 48 bb 59 75 19 12 14 15
         7f 60 73 9f 40 9a a4 f0 0b 68 b7 9e 1d 00 ee d2 91 e5 09 76 32 df

      ciphertext (645 octets):  17 00 18 00 19 01 00 01 01 01 02 01 03 01 03 02 80 bd 53 8f 8a 51 8e 53 29
         91 44 38 97 42 f7 be 7c e8 d5 cc bc dc 49 7e 99 7e fb eb 45 60
         ae 3f ac ab 2f 07 82 53 1a 3a ed 15 9b 74 88 41 04 00 28 00 26 00 dc 95 9b 90
         63 7d 8c f5 a6 24 00 1d 00 20 25 d5 dd 20 0f ad 08 39 7b
         40 f3 e6 14 45 24 0c 75 78 5e b2 e5 b7 16 57 6b b3 c0 13 99 92 62 0b 72 7c 5a 04 91 64 0d c1
         2c 3a 0e 00 2b 00 03 02 7f 16 00 0d 00 20 00 1e 04 03 05 03 06
         03
         ee 02 03 08 04 08 05 08 06 04 01 05 01 06 01 fa 02 01 32 3c 8c 3e c9 e6 a6 d1 cc 3b 4a e1 37 94 38 da c9
         17 39 8d c9 5c 33 94 19 f7 b4 c0 a8 4e 04 02 05 02 73 af 06 02 02 02 00 2d 00 02 01 01

   {server}  extract secret "early":

      salt:  (absent)
      ikm (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a 1c 60 50 4d dc e9
         df 3d 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad b5 a5 3e dd 17 8d 2a 4f 83 c9 2f fa d2 3e 8c 28 a6 17
         94 f3 00 aa c8 45 96 b1 77 0e c5 b4 ec 1f 26 60 e1 b2 2e a4 0a 06 8c e0 40 61 dc 80
         1b d0 d3 a7 d0 73 10 f1 70 f9 2a

   {server}  create an ephemeral x25519 key pair:

      private key (32 octets):  01 f2 df a3 5d 0d c6 e7 42 7d aa 0c 9b 8d 2f f7 47 4e 16 c4 e4
         3c b2 b2 85 25 84 16 22 b4 ae e1 5e c7 e3 3a c1 b6 4f 74 85 7e 89 82 f8 85
         3d 9a 5e 36 96 9d ad 26 08 b6 88 1f cc 27 a7 39 aa 29 9a ce c4
         73 f7 d9 f5 73 4e 5b 24 d9 57 30 4a a5 6b 06 1c be 70 b5 0f 3f
         20 3a d1 64 ca 62 76 7d 9d 2b 7c dc 7c ce 9d 05 df ec 43 dc a6
         9a d4 2d a0 58 a0 35 c7 f5 7a 09 3d 0a e0 b6 e0 a9 40 dc 0e dc 04 27 8c ae fe
         f8 21 bc 86 bf c2 11 72 16 be ec 26 8f 29 5c 9c cc 76 3e 38 f2 f1 e1 dd 7f d6 14 17 b6 aa

      public key (32 octets):  b5 89 13 10 62 da ed c2 12 1b b7 5c 36 88
         bc 31 a1 94 0b 71 12 c1 96 7f fe 17 db 5f a7 ef ef 22 90 90 1e 3d

   {server}  send a ServerHello handshake message

   {server}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 ba 3e 85 cd 98 93 68 0c 58 23 fa e7 28 99 9d ec f1 b0
         7c cc a4 72 94 88 f1 c7 d1 ab e2
         10 56 88 17 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets): 19 4f 71 f5 16 cc
         30 28 fa 6e 38 a1 8f 40 e3 bf 68 41 88 84 c6 94 5a de 07 51 b0 c4 42
         ab fe 09 d5 1d 4e 3b d9 95 b5 50 b5 da 84 61 79 30 a5 98 fc 89 19
         56 3d 2c b2 96 ec d9 1b a6 cd d1 09 1c ff d8 d9 14 b3 78 1a 43
         3e e7 67 03 19 ca ed 45 d5 83 de 8b 66 b3 49 3e df 82 bc d9 14
         ba ce e3 06 22 2a 3b 34 de 7f 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 85 7b 9c 9d 19 72 69 76 65 64 b9 7a a8
         26 34 01 be db 19 3b 20 1d f8 dc 33 e3 e9 d6 a6 b8 b0 c4 42 98 fc 1c 14 bc be d3
         02 36 08 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 19 7d 18 8f 21 a0 72 ec 42 7e 5a b8 e5 62 3c 4c 2e
         84 ad 88 91 ff 9f b1 68 69 a3 69 63 0d a6 5b f5 0d 4a 6c 92 fa
         fc 7d 3f b3 00 7e dc b7 7b 55

      output (32 octets):  6f 82 9f 06 ac 49 9f 6a 9b 2a 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 9c 48 25
         a0 ef 27 67 29 c9 37 84 db 6d 0c eb ea c3 57 6c 36 11 ba

   {server}  extract secret "handshake":

      salt (32 octets):  6f 26 15 81 e7 d6 2a e6 8a d5 c5 6a db
         21 40 a1 08 1a 6a ed 8c 35 e7 9f ab 13 5d 37 79 d9 9e 9f 8e a4 58
         c7 02 c5 67 8f 54 fc 9d ba b6 97 7f 9f 15 f1 53 7c 4c 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      ikm (32 octets):  94 2f 83 fa ee 2f ad ad 24 2e eb fb c7 a6 6d 5e
         c7 71 04 b1 3c d4 97 e0 b1 0d 9d f3 d7 6c d1 a2 d9 e5 39 a0 34
         26 70 9b 69 1d e8 6a

      secret (32 octets):  53 d7 91 87 9a 6b 32 33 f3 86 45 35 3b 3e 03 49 2d 66 76 c4 e6 71 0a 73 d8 1e e5 e0 88 e4 0b 6c 37 00 12 0c 80 04 25 d3 57 c4 39 81
         99 7d 89 74 c2 51 b4 d5 e9 9f

   {server} 4f 4b cd bc 61 a8 fc c4 a0 d3 ba a6 c0
         a6 0a

   {client}  derive secret "tls13 c hs traffic": write traffic keys for application data:

      PRK (32 octets):  53 d7 91 87 9a 6b 33 f3 86 45 35  a7 95 27 3b 3e 03 49 e5
         e0 88 e4 0b d4 3f 76 6c 37 00 34 b0 dd 5e 57 12 0c 80 04 9d cb
         6a 62 53 d4 25 d3 d5 e9 9f

      hash (32 39 69 f8 43 fc 64 db fb 4d e8 d1

      key info (13 octets):  7a a6 f3 63 a4 49 35 45 a9  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  99 a9 9b da 72 05 59 8c
         e1 5c bc 83 48 40 ce 04 c0 0e 8f 96 0b 27 02 57 00 7a b1 61 ba cf 9d e9 80 7b
         30 5b

      iv info (54 (12 octets):  00 20 12 0c 08 74 6c 73 31 33 20 63 20 68 73 20 74 72
         61 66 66 69 63 20 7a a6 f3 63 a4 49 35 45 a9 31 9b da 72 05 59
         8c e1 5c bc 83 48 40 ce 04 c0 0e 8f 96 0b 27 80 7b 76 00

      iv output (32 (12 octets):  e8 d4 bb 93 8c a3 de 6d 1d 7c 78 01 a5 57 20
         aa df cd 34 2d c8 a4 47 04 1d 21 7c 83 c8 df f3 94

   {server}  4a f0 6c c7 ce be e4 bc ff e2 0d 0d

   {client}  derive secret "tls13 s hs traffic": res master":

      PRK (32 octets):  53 d7 91 87 9a 6b 33 f3 86  c5 e8 54 45 35 3b 3e 03 49 e5
         e0 88 e4 75 ea 22 fb 0b 6c 37 00 12 0c 80 04 25 bc d1 72 1c c7 56
         ed 94 9c f7 7c 56 d4 24 b6 d2 eb d3 d5 e9 9f 4b a7 4c ee

      hash (32 octets):  7a a6 f3 63 a4 49 35 45 a9 31 9b da 72 05 59 8c
         e1 5c bc 83 48 40 ce 04 c0 0e 8f  52 fc a8 f6 61 6c 96 0b 27 80 7b 7f 0e 93 42 dd ab 79 03 1d
         64 cf 07 e3 56 f4 75 13 33 1c 37 05 61 94 9b ff

      info (54 (52 octets):  00 20 12 10 74 6c 73 31 33 20 73 20 68 73 20 74 72 20 72 65 73 20 6d 61 73
         74 65 72 20 52 fc a8 f6 61 6c 96 7f 0e 93 42 dd ab 79 03 1d 64
         cf 07 e3 56 f4 75 13 33 1c 37 05 61 66 66 69 63 20 7a a6 f3 63 a4 49 35 45 a9 31 94 9b da 72 05 59
         8c e1 5c bc 83 48 40 ce 04 c0 0e 8f 96 0b 27 80 7b ff

      output (32 octets):  8b fc e8 b0 11 4e ac cd 83 64 90 6f 3a d8 2d ba 92 f6 b9 ad 03 7f 71 e3
         f4 70 eb f4 63 68 b5 e4 60 30
         fd 32 1c 37 20 7a 41 cd 2c 92 ec ee ca 3a 22 66 4f 56 53 14 f2 1e 05 52 be af

   {server}  calculate finished "tls13 finished" (same as client)
   {server}  derive secret read traffic keys for master application data (same as
      client write traffic keys)

   {server}  derive secret "tls13 derived":

      PRK res master" (same as client)

   {client}  send alert record:

      payload (2 octets):  01 00

      ciphertext (24 octets):  17 03 03 00 13 43 c0 93 e4 62 a8 18 6c fe
         a7 1e 94 46 ff ba bd e7 3b 79

   {server}  send alert record:

      payload (2 octets):  01 00

      ciphertext (24 octets):  17 03 03 00 13 8e d0 6a 3a 56 ab b0 fb 05
         04 ed 3b 3f f9 1d 8c 93 77 8e

7.  Compatibility Mode

   This example shows use of the handshake with the client requesting
   that the server use compatibility mode as defined in Appendix D.4 of
   [TLS13].

   {client}  create an ephemeral x25519 key pair:

      private key (32 octets):  53 d7 91 87  90 d4 67 c3 48 e3 d2 4d 7e bb 3d d0 4c
         46 16 9a 6b 33 f3 86 45 35 3b 3e 03 49 e5
         e0 88 e4 0b 16 bb 64 ec 6c 37 00 12 0c 80 04 25 d3 d5 e9 9f

      hash 4d 56 45 ee ac 7c 2f 02 c9 b5

      public key (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99  17 6f b9 24
         27 7c 2d 12 36 9d 89 37 4c ae 41 e4 64 31 9c 36
         34 ca 43 0f 82 d6 89 60 90 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 ef 1d 87 ad 1e 9d 32 32

   {client}  send a ClientHello handshake message

   {client}  send handshake record:

      payload (218 octets):  01 00 20 0d 74 6c 00 d6 03 03 54 dd 27 fd c8 0f 86 ea
         a7 d3 79 87 46 73 58 44 60 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  6f d8 3c 95 03 f0 45 fb a0 08 69 a3 23 22 28 0f 38 85 3f cd 95 15 f1 3c e5 aa ec 8f e9 3d 6c 32 b8 c0
         0b e1 9c 20 ae 8b b2 af 77 86 0c f6 9d 70 e9 70 b6 29 81 c5 25
         56 65 9d 47 33 c2 ab e8 54 86 3e fe 09 60 f0 e6 ea 86 00 24 84

   {server}  extract secret "master":

      salt (32 octets):  6f d8 3c 95 06 13 01 13 03 f0 45 fb a0 08 69 a3 23 22 28 0f
         38 85 3f cd 95 15 f1 3c e5
         13 02 01 00 00 87 00 00 00 0b 00 09 60 f0 e6 00 24 84

      ikm (32 octets): 00 06 73 65 72 76 65 72
         ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00
         01 01 01 02 01 03 01 04 00 33 00 26 00 24 00 1d 00 20 17 6f 7c
         2d 12 36 9d 89 37 4c ae 31 9c 36 34 ca 43 0f 82 d6 89 60 90 9b
         ef 1d 87 ad 1e 9d 32 32 00 2b 00 03 02 7f 1c 00 0d 00 20 00 1e
         04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02
         01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01

      ciphertext (223 octets):  16 03 01 00 da 01 00 00 d6 03 03 54 dd
         27 fd c8 0f 86 ea a7 d3 79 87 46 73 58 44 60 31 0f 38 aa ec 8f
         e9 3d 6c 32 b8 c0 0b e1 9c 20 ae 8b b2 af 77 86 0c f6 9d 70 e9
         70 b6 29 81 c5 25 56 65 9d 47 33 c2 ab e8 54 86 3e fe 09 ea 86
         00 06 13 01 13 03 13 02 01 00 00 87 00 00 00 0b 00 09 00 00 06
         73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17
         00

      secret (32 octets):  86 05 18 00 52 9e e3 a6 0a 26 44 3e 62 2a 4c 19 01 00
         0a b3 ff 0d ea 05 05 5c c3 ed f3 bf 01 f7 11 db ba

   {server}  send handshake record:

      payload (90 octets): 01 01 02 00 00 56 03 03 0b 21 fe 7a 05 5c 66 77 67
         7b 21 e0 7d fc 22 f9 65 92 1c 5c 3e 0c c8 85 b1 71 5e 2e 01 a8
         91 3d 00 13 03 01 04 00 33 00 2e 00 28 26 00 24 00
         1d 00 20 b5 89 13 10 62
         da ed c2 17 6f 7c 2d 12 1b b7 5c 36 88 0b 71 12 c1 96 7f fe 17 db 5f a7 ef
         ef 22 90 9d 89 37 4c ae 31 9c 36 34 ca 43 0f
         82 d6 89 60 90 9b ef 1d 87 ad 1e 3d 9d 32 32 00 2b 00 03 02 7f 16

      ciphertext (95 octets):  16 03 03 1c
         00 5a 02 0d 00 20 00 56 1e 04 03 05 03 0b 21 fe
         7a 06 03 02 03 08 04 08 05 5c 66 77 67 7b 21 e0 7d fc 22 f9 65 92 1c 5c 3e 0c c8 85
         b1 71 5e 2e 08 06 04
         01 a8 91 3d 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01

   {server}  extract secret "early":

      salt:  (absent)

      ikm (32 octets):  00 00 00 00 00 00 00 13 01 00 00 2e 00 28 00 24 00 1d 00
         20 b5 89 13 10 62 da ed c2 12 1b b7 5c 36 88 0b 71 12 c1 96 7f
         fe 17 db 5f a7 ef ef 22 90 90 1e 3d 00 2b 00 02 7f 16

   {server}  send a EncryptedExtensions handshake message

   {server}  send a CertificateRequest handshake message

   {server}  send a Certificate handshake message

   {server}  send a CertificateVerify handshake message

   {server}  calculate finished "tls13 finished":

      PRK 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  8b fc e8 b0 11 4e ac cd 83 64 68 b5 e4 60 30 fd
         32  33 ad 0a 1c 37 20 7a 41 60 7e c0 3b 09 e6 cd 22 66 4f 56 53 14 f2 1e 05

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 98 93 68 65
         64 0c
         e2 10 ad f3 00

      output aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

   {server}  create an ephemeral x25519 key pair:

      private key (32 octets):  23 48 7f 1e 47 29  50 16 8d 5c 6e 6c a8 2d 2a a3 ef 35 ba ae
         c1 bd 59 f5 19 94 ee 4a d9 79 86 5b 3d fa dc 3c 71 aa 22

      public key (32 octets):  37 69 88 a2 1d dd bc 38 a2 e6 fc de 82 33
         7a ff e6 79 a3 9c 3f e3 fb e1 61 bd 0c d1
         c0 5a 29 f9 5f 9f e8 e5 a0 42 51 86 74 be 62 54 5b f1 62 25 7a d7 d9 4e 9d

   {server}  send a Finished ServerHello handshake message

   {server}  send handshake record:

      payload (512 (122 octets):  08 00 00 1e 00 1c 00 0a 00 14 00 12 00 1d
         00 17 00 18 00 19 01 00 01 01 01  02 01 03 01 04 00 00 00 00 0d
         00 00 27 00 00 24 00 0d 00 20 00 1e 04 03 05 03 06 76 03 02 03 08
         04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02
         0b 00 01 3b 00 00 01 37 00 01 32 30 82 01 2e 30 81 21 c5 c5 ee bb d5 a0 03 02
         01 02 02 01 07 30 0a 06 08 2a 86 48 ce 3d 04 03 02 30 13 31 11
         30 0f 06 03 55 04 03 13 08 65 63 64 73 61 32 35 36 30 1e 17 0d
         31 36 30 37 33 30 30 31 32 34 30 30 5a 17 0d fc 32 36 30
         cd 26 52 41 8e 6d 51 4b da df d0 51 e5 d4 37 33 30
         30 31 32 34 30 30 5a 30 13 e0 bf 0c 0a 31 11 8d
         30 0f 06 03 55 04 03 13 08 a4 b7 20 ae 8b b2 af 77 86 0c f6 9d 70 e9 70 b6 29 81 c5 25
         56 65
         63 64 73 61 32 35 36 30 59 30 13 06 07 2a 9d 47 33 c2 ab e8 54 86 48 ce 3d 02 01 06
         08 2a 3e fe 09 ea 86 48 ce 3d 03 13 01 07 03 42 00 04 08 d5 30 16 15 75 f4 cf
         e7 f1 54 ee 34 48 18 00 86 2e 00 1e
         33 00 24 00 1d 00 20 37 69 88 43 1a 79 ee 62 ee 6e 2f 83
         ef a2 1d dd bc 38 ba 61 e9 fb 37 f3 4e 00 a2 e6 fc de 82 33
         7a 7d f4 d2 f5 b5 6d 1f 04 ec e4
         5d 62 1f 46 84 06 f5 c3 a1 51 58 94 8d d0 ff e6 79 a3 1a 30 18 30 09 06
         03 55 1d 13 04 02 30 9c 3f e3 fb 5a 29 f9 5f 9f e8 e5 a0 42 00 2b 00 30 0b 06 03 55 1d 0f 04 04 03
         02 07 80
         30 0a 06 08 2a 86 48 ce 3d 04 7f 1c

      ciphertext (127 octets):  16 03 02 03 48 00 30 45 7a 02 21 00 df
         30 fd 45 07 f5 ed d2 2c 1a 6f f8 6d b4 79 ca 69 3f ee ca 3b 71
         b3 f9 ef 55 6b 29 37 c0 59 4d 02 20 62 e2 a4 72 50 d3 20 fe a8
         3c 7e 2d cb 5b 76 a5 0e 02 00 c0 9a db d1 3f 76 03 03 21 c5
         c5 ee 94 6e bb d5 fc 32 cd 26 52 41 8e 6d 51 4b da df d0 51 e5 d4 37
         e0 bf 0c 0a 31 8d 30 a4 b7 20 ae 8b b2 af 77 86 0c f6 9d 70 e9
         70 b6 29 81 c5 25 56 65 9d 47 33 c2 ab e8 54 86 3e fe 09 ea 86
         13 01
         1d 11 00 00 0f 2e 00 33 00 4c 04 03 24 00 48 30 46 02 21 1d 00 f7 46 ae b2
         e0 10 2f 20 37 94 0d d8 90 2b 0a 80 63 33 b7 63 69 06 28 9b ae f0
         a9 7d 92 12 ab 14 30 02 21 00 a7 81 31 62 2d 88 a2 1d dd bc 38
         a2 e6 fc de 82 7b ce 23 d5 04
         c7 f8 1e 2a 78 d7 33 7a ff e6 79 a3 9c 3f e3 fb d6 59 fa 09 e1 e7 4c 5a 74 b9 b0 e5 29 f9 5f 3e
         14 9f e8
         e5 a0 42 00 2b 00 20 c6 c0 d6 02 f0 3c e5 92 6c 9e 53 05 04 a0 0a 5f d5
         40 97 5d de c4 6a fd 8a 18 fa 20 85 17 08 d6 7f 1c

   {server}  send change_cipher_spec record:

      payload (1 octets):  01

      ciphertext (534 (6 octets):  17  14 03 03 02 11 17 bf 02 f6 e5 be bf f8
         97 3f de b8 5f 0c 00 01 01

   {server}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 77 d7 5e 02 12 69 d8 47 5d 82 a4 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 74 bf 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets):  e3 6c c7 a2 89 6f 63 b0 c4 42 3a aa 5f e2 b2 f8 96 6a 85 61 cb 25 98 fc 1c 14 9a fb f4
         c4 e2 8e c2 df c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 85 cf 65 72 69 76 65 64 fd f4 28 e6 fb c9 02 49 89 3a 62
         a8 15 c5 7a f9 8d 03 73 44 4f 90 85 40
         20 e3 b0 c4 42 98 fc 1c e2 5f 4b 14 9a fb 30 e9 f4 c8 99
         85 6a b0 eb 87 70 ef b0 1a cb 7e 30 c3 be d5 3d a3 03 32 b7 dc
         1b 31 78 89 49 a8 05 71 4a 06 81 75 4b 6f b9 24 27 ae 41 d4 57 e4
         64 9b 93 c8 b8 28 29
         b1 9f 6a fa ea b5 bc c1 4c a4 95 99 1b 78 3d 0b 5e 39 63 03 52 b8 55

      output (32 octets):  6f 26 15 a1 08 c7 02 c5 67 7e 8f 54 fc 73 26 5a
         2c 9d ba b6
         97 16 c0 76 18 9c 48 25 0c cc 07 02 eb ea c3 57 6c 36 11 ba

   {server}  extract secret "handshake":

      salt (32 octets):  6f e0 98 46 3b 7e e1 d7 26 15 a1 08 c7 e9 81 ff 7c 89 61 d0
         9d e7 02 c5 67 8f 54 fc be 92 77 98 9d ba b6 97
         16 c0 76 18 9c 48 25 98 a5 e9 0f 53 3a 23 5e 1a e3 81 01 fc
         87 07 69 3e 0c eb ea c3 ff 90 47 75 52 87 91 74 65 d3 a6 44 12 2c 73 57 6c
         1f e5 98 a2 a9 45 87 c3 d2 4f b8 6a d2 36 11 ba

      ikm (32 octets):  18 97 2d 99 38 c0 89 42
         ce 28 64 20 db 5a df 44 30 f3 14 a4 3a 39 84 46 55 5f 3b 12 d0 84 5b e9 c8 fe 0c
         8d 71 f6 99 97 b7 08 b7 51 9c 7b 78 70 98 a4 04 47 0e 5d ad 45 89 40 a5 8f
         e4 1a 93 be d5 45 1f 31 08 42 7a d7 fd 3a 6f 27 ef e0 9f 35 d4 ad
         b3 a5 cb 4f b7 9f 75 da 58 b6 fa f7 e2 cf ff f0 36

      secret (32 octets):  50 9a 53 59 61 b3 41 87 ad 77 d3 24 94 53 e7 bf ac fe 6e
         6d 1d be 83 7e d6 bd ab 06 d2 d8 97 59 33 b9 07 d9

   {server}  derive secret "tls13 c hs traffic":

      PRK (32 octets):  50 9a 53 59 90 ac a8 b1 4c ec 21 cd c3 1b 78 e8
         bb b8 e0 30 d7 f7 c8 0c 56 dc 7c 2f f8 b5 61 77 d3 24 94 53 0f 95 8c 0f e7 bf ac fe 6e 6d
         1d be 83 7e d6 bd ab 81
         3b c8 3e b3 d7 a9 72 5d 36 0f b2 06 d2 d8 97 59 33 7c df c9 3c b9 07 d9

      hash (32 octets):  b3 d7 ed ea
         ea 75 75 cd cc 43 8d da d9 ff b9 64 09 bb de 07 05 47 b4 c6 94
         cc b7 9b 4a ed a1 a9 f2 19 e4 71 a4 6f 09 2d 79 ae a9 3c c0 6e 2a 31 51 a8
         c7 f0 ef 15 16 a2 fd 34 1a bf b5 b3 9f 32 7c 6b fb e7 4c

      info (54 octets):  00 20 12 74 6c 73 31 54 33 6e 5c
         6e 94 ed 2c c2 ca 95 ff 69 d4 25 48 3c 20 63 d2 a4 04 60 b0 03 c0
         4a b6 f5 bf 0e dc 3c 4e 20 68 73 20 74 72
         61 66 21 a7 6f ff ff 1a 4d ae 84 7b 17 b8
         e5 ea 2b b5 47 e0 5f e3 8a 0f dc 66 69 63 78 fd cf 45 5c 20 b3 8d da d9 ff b9 92 17 8f
         e6 12 9d bd a3 49 64 09 bb de 07 05 47 b4 c6
         94 cc b7 9b 4a ed a1 71 a4 c5 6c d3 1e 04 ab bc 4c 5d 6f 09 2d f5 0d 0c 06
         04 75 ec 11 8b 0e 3d 82 f0 79 cb 5e ec 44 1f c1 f1 78 88 db f7
         9b 04 f4 fa 89 39 ab be ae fb e7 4c

      output (32 octets):  4b 4c d4 8c 4f 39 9c 05 77 bd 73 11 5b b5 12
         f1 af 4e 3c 65 c4 b6 26 43 5c c8 dc fa da 60 d5 24 6b 3e 64 b5 7d c5 ec

   {server}  derive secret "tls13 c ap s hs traffic":

      PRK (32 octets):  86  50 9a 53 59 61 77 d3 24 94 53 e7 bf ac fe 6e 6d
         1d be 83 7e d6 bd ab 06 d2 d8 97 59 33 b9 07 d9

      hash (32 octets):  b3 8d da d9 ff b9 64 09 bb de 07 05 00 52 9e e3 a6 0a 26 44 3e 62 2a 47 b4 c6 94
         cc b7 9b 4a ed a1 71 a4 6f 09 2d 79 ae fb e7 4c

      info (54 octets):  00 0a 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
         61 66 66 69 63 20 b3 8d da d9 ff 0d ea 05 b9 64 09 bb de 07 05 5c c3 47 b4 c6
         94 cc b7 9b 4a ed f3 a1 71 a4 6f 09 2d 79 ae fb e7 4c

      output (32 octets):  2c e0 bf 01 f7 11 ee 1c 9c bf 77 3a 21 40 b1 4b 14 a0
         8c 65 de ee 09 4a bc db ba

      hash 0f 01 8a 1d 50 33 1f 30 cd

   {server}  derive secret for master "tls13 derived":

      PRK (32 octets):  35 56 64 82 3a  50 9a 53 59 61 77 d3 24 94 53 e7 bf ac fe 6e 6d
         1d be 83 7e d6 bd ab 06 d2 d8 97 59 33 b9 07 6c 67 8f 60 11 3d f2 d9

      hash (32 octets):  e3 b0 c4 fa 18
         3e 44 c0 0b 0a 94 38 c7 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 d2 96 e9 2a 76 e3 06 4c a4 95 99 1b 78 52 b8 55

      info (54 (49 octets):  00 20 12 0d 74 6c 73 31 33 20 63 20 61 70 20 74 64 65 72
         61 66 66 69 63 20 35 56 64 82 3a 07 6c 67 8f 60 11 3d f2 c4 fa
         18 3e 44 c0 0b 0a 94 38 c7 93 d2 96 e9 2a 76 65 64
         20 e3 06

      output (32 octets):  49 94 b0 c4 1b d3 5f 90 84 9c da c8 42 98 fc 1c ee eb 48
         cf 0a 25 08 9c da 15 66 d0 14 9a fb f4 c8 51 ce 42 67 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55 0e

      output (32 octets):  42 60 f4 bc 75 60 30 9b de 27 31 79 f9 2c 94
         f1 13 e3 10 02 fb ba b3 b3 17 98 a3 05 04 10 e2 33

   {server}  derive  extract secret "master":

      salt (32 octets):  42 60 f4 bc 75 60 30 9b de 27 31 79 f9 2c 94 f1
         13 e3 10 02 fb ba b3 b3 17 98 a3 05 04 10 e2 33

      ikm (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret "tls13 s ap traffic":

      PRK (32 octets):  86 05 00 52 9e e3 a6 0a 26 44 3e 62 2a 4c 00 0a
         b3 ff 0d ea 05 05 5c c3 ed f3  6a c7 28 bf 27 30 55 d8 24 4f 71 01 f7 11 db ba

      hash (32 octets):  35 56 64 82 3a 07 6c 67 8f 60 fe 11 3d f2 c4 fa 18
         3e 44
         91 ec 30 47 c0 0b 0a 94 38 c7 93 d2 96 e9 2a 76 e3 06 86 14 aa d5 2f 51 62 27 7f 00 7b

   {server}  derive write traffic keys for handshake data:

      PRK (32 octets):  2c e0 bf ee 1c 9c bf 77 3a 21 40 b1 4b 14 a0 8c
         65 de ee 09 4a bc db 0f 01 8a 1d 50 33 1f 30 cd

      key info (54 (13 octets):  00 20 12 10 09 74 6c 73 31 33 20 73 20 61 70 20 74 72
         61 66 66 69 63 20 35 56 64 82 3a 07 6c 67 8f 60 11 3d f2 c4 fa
         18 3e 44 c0 0b 0a 94 38 c7 93 d2 96 e9 2a 76 e3 06 6b 65 79 00

      key output (32 (16 octets):  04 94 45 e6 ca b5 c5 4c 87 af 8a d9 c9 4f c1
         28 14 f5 4c 22 bb c4 6a 08 5e 9e 3f 55 91  1e 77 f6 3e cc 95 0c e3 96 b0 11 16 ad 52 35
         3f f1

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  73 ab 6b 2d c5 8a 11 fd 05 70 4a ce

   {server}  derive secret  send a EncryptedExtensions handshake message

   {server}  send a Certificate handshake message

   {server}  send a CertificateVerify handshake message

   {server}  calculate finished "tls13 exp master": finished":

      PRK (32 octets):  86 05 00 52 9e e3 a6 0a 26 44 3e 62 2a 4c 00 0a
         b3 ff 0d ea 05 05 5c c3 ed f3  2c e0 bf 01 f7 11 ee 1c 9c bf 77 3a 21 40 b1 4b 14 a0 8c
         65 de ee 09 4a bc db ba 0f 01 8a 1d 50 33 1f 30 cd

      hash (32 (0 octets):  35 56 64 82 3a 07 6c 67 8f 60 11 3d f2 c4 fa 18
         3e 44 c0 0b 0a 94 38 c7 93 d2 96 e9 2a 76 e3 06  (empty)

      info (52 (18 octets):  00 20 10 0e 74 6c 73 31 33 20 65 78 70 20 6d 61 66 69 6e 69 73
         74 68 65 72 20 35 56
         64 82 3a 07 6c 67 8f 60 11 3d f2 c4 fa 18 3e
         44 c0 0b 0a 94 38 c7 93 d2 96 e9 2a 76 e3 06 00

      output (32 octets):  84 69 2c 16  37 b0 91 ce 10 db 07 3f 25 97 e5 f6 0f cb 4b 14 df bb
         ff 45 1e 50 c4 af 44 24 c2 6b 04 55 73 7a bc e2 46 9b
         74 5c f4 77 80 ea d7 68 be 99 35 59 2c 16 0d 0d 57

   {client}  extract secret "early":

      salt:  (absent)
      ikm (32 f1 de 1f 14 41

   {server}  send a Finished handshake message

   {server}  send handshake record:

      payload (651 octets):  08 00 00 1e 00 1c 00 0a 00 14 00 12 00 1d
         00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 00 00 00 0b
         00 01 b9 00 00 01 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a 1c 60 7e c0 3b 01 b0 30 82 01 ac 30 82 01 15 a0 03 02
         01 02 02 01 02 30 0d 06 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

   {client}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 86 48 86 f7 0d 01 01 0b 05 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 30
         0e 31 0c 30 0a 06 03 55

      info (49 octets):  00 20 0d 74 6c 04 03 13 03 72 73 61 30 1e 17 0d 31 36
         30 37 33 20 64 65 30 30 31 32 33 35 39 5a 17 0d 32 36 30 37 33 30 30 31
         32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 69 76 65 64
         20 e3 b0 c4 42 73 61
         30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d
         00 30 81 89 02 81 81 00 b4 bb 49 8f 82 79 30 3d 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 08 36 39 9b 93 4c a4 95 99 1b 78 52 b8
         36 c6 98 8c 0c 68 de 55

      output (32 octets):  6f e1 bd b8 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 9c 48 25 0c eb d3 90 1a 24 61 ea c3 57 fd 2d e4
         9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 36 11 ba

   {client}  extract secret "handshake":

      salt (32 octets):  6f 1a f1 9e aa 6a f9 8c 7c ed
         43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 15 a1 4d
         44 9a 6d 38 e2 2a 5f da 43 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      ikm (32 octets):  94 2f 83 fa ee 2f ad ad 24 2e eb fb c7 46 74 80 30 53 0e f0 46 1c 8c a9
         d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28
         a6 6d 5e
         c7 71 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 01 00 01 a3 1a 30 18 30 09
         06 03 55 1d 13 04 b1 3c d4 97 e0 b1 0d 9d 70 69 02 30 00 30 0b 06 03 55 1d e8 6a

      secret (32 octets):  53 d7 91 87 9a 6b 33 f3 86 45 35 3b 3e 0f 04 04 03 49
         e5 e0 88 e4 02 05
         a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 6c 37 05 00 12 0c 80 04 25 d3 d5 e9 9f

   {client}  derive secret "tls13 c hs traffic" (same as server)

   {client}  derive secret "tls13 s hs traffic" (same as server)

   {client}  derive secret for master "tls13 derived" (same as server)

   {client}  extract secret "master" (same as server)

   {client}  calculate finished "tls13 finished" (same as server)

   {client}  derive secret "tls13 c ap traffic" (same as server)

   {client}  derive secret "tls13 s ap traffic" (same as server)

   {client}  derive secret "tls13 exp master" (same as server)
   {client}  send a Certificate handshake message

   {client}  send a CertificateVerify handshake message

   {client}  calculate finished "tls13 finished":

      PRK (32 octets): 03 81 81 00 85
         aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17 06 18 a5 4c 5f 8a
         7b 33 7d 2d f7 a5 94 36 54 17 f2 ea e8 d4 bb 93 f8 a5 8c 8f 81 72 f9 31
         9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 51 56 72 60 96 fd 33 5e 5e
         67 f2 db f1 02 70 2e 60 8c a3 de 6d 1d ca e6 be c1 fc 63 a4 2a 99 be 5c 3e
         b7 10 7c 78 01 a5 57 3c 54 e9 b9 eb 2b d5 20 aa
         df cd 34 3b 1c 3b 84 e0 a8 b2 f7 59 40
         9b a3 ea c9 d9 1d 40 2d cc 0c c8 a4 47 f8 96 12 29 ac 91 87 b4 2b 4d
         e1 00 00 0f 00 00 84 08 04 00 80 58 c8 c3 2b e7 b4 d2 a7 42 2b
         f3 32 1d 0b dc 63 4c 8e 54 7e 12 0e 57 f8 90 ac 3c 2b 93 b1 c9
         9d 36 4b 9a 59 9e ad f4 cb 17 50 22 2f 65 61 aa b6 b6 89 10 15
         eb 6b 27 4c 21 7c 83 c8 72 4a df f3 94

      hash (0 octets):  (empty)

      info (18 octets): 97 f0 00 20 0e ff 03 de 8f 14 24 53 28 5f b4
         4b 7e 65 96 7c ea 58 74 6c 73 31 33 3e a1 cb 7a 28 62 d0 18 12 64 6b ff 50
         04 9e 5b e1 ea 5d c3 50 ed 7e 53 a4 38 5d d3 f0 aa dc e4 bc ec
         9d 64 8f 82 0d e1 3d da e4 2f 9f 96 20 66 69 6e 69 73 68 65 14 00 00 20 ed 0a 13 2e
         5f e8 fb 5b 43 aa aa 7b ab 9e 46 34 63 64 00

      output (32 11 0a 1b 25 33 75 ab
         fc 6d ea 46 ef 91 c0

      ciphertext (673 octets):  17 03 c1 ff eb 03 02 9c 1e 4e 15 9f 57 8e 9d 1d
         73 88 13 e5 1b e1 ec 89 ea 1c 80 1b 85 ab bc 4f 0d 52 92 7f aa 30
         6c 04 e6 7f a8 02 ab 02 38 56 18 aa 0e b3 d1 af c1 16 94 42 a3 a0 84 62 ec f3
         a0 04 a5 f2 dc 51 be 25 10 8f dd d6 38 92 04 88 3a 39 bd f1 0d
         bb de 5f b7 8c 33 4a f4 3d 55 4e c8 5b 94 ae 3f e9 18 3f 54 55 f1 84

   {client}  send a Finished handshake message

   {client}  send handshake record:

      payload (623 octets):  0b 00 01 c5 bf 11 85 86 de c0 38 2d cf 00 00 01 bb 00 01 b6 30 82 01 b2 30 82 01 1b 69 13 8a fe
         27 28 37 0c c1 9a 3d 58 12 4c b1 99 be b9 7c a0 03 02 01 02 02 01 a8 a9 ab af 01
         c2 38 f2 9c 45 b5 30 0d 06 09 28 f8 d8 d2 2a 86 48 86
         f7 0d 01 49 0b d8 2c f2 53 3a 76 72
         4d 67 d8 a7 2a b0 fb 94 53 63 fb 92 4f 8c a5 e1 32 e6 b3 3c 85
         29 4b 12 1c 69 8d df 37 52 ec f3 bc b9 f9 b9 01 0b 05 00 30 11 31 0f 30 37 bf d3 ad 0d 06 03 55
         fd 04 03 13 06 52 2c 27 1e 63 23 11 37 93 a5 c7 36 ee fa b2 73 a4 79 c3
         d8 b0 07 2d 0c 39 d9 4f 7d 1b ea c3 2f 02 15 be 45 04 14 6e 83
         c8 d3 37 c8 27 e7 f0 05 d4 83 a8 46 ef 6c c8 1a 13 ed 52 88 d1
         69 65 6e 74 30 4e c1 76 a2 7f fb 62 c5 93 ab 1e df dc 8c 6f 0c ec 57 34 7a
         e8 81 ab 17 0d ab a9 49 b4 f5 1a 0b 61 49 09 00 ff 92 16 bd b2 26
         99 5b 54 9c 8d 5d 19 31 36 30 37 33 30 30 a0 11 de 06 bf 75 0f 8c 1c 54 8b 4b d7
         00 2d 9a 76 7e 7b 66 77 f6 4b d2 3f e7 a5 ce 3c 55 5e 7b 8b c6
         ed e8 72 f5 d9 6a fa c0 50 e9 a0 2c 80 1a 0f 15 12 4a 46 42 aa
         89 cc d0 e5 fe b6 70 a9 68 dd db 31 32 33 35 39 7b fc e9 db 82 9f 63 d4 5a
         bf e6 1a f9 56 d1 b3 c6 ea 8d fe 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 3b 13 d3 db 69 38 7b 54 23
         f2 78 d2 d7 49 e1 9e 2e 61 d4 f6 85 b6 e6 57 40 8f 99 3a b5 b4
         5c 3c dc ed fd be 44 b0 5f 6a dd 3a 5d e9 30 11 31 0f 46 f2 af bb 30
         0d 06 ea
         03 26 47 eb 7d b7 8a c4 6a 1c 54 52 e3 e9 39 69 82 ef 55 04 03 13 06 63 6c 2e 69 65 6e 74 30 81 9f 30 0d
         cc a5 a7 9d 57 af 22 10 2f da 06 09
         2a 86 7d 2d 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81
         00 c3 f6 9a 91 5c 41 87 81 75
         29 10 ec b4 7e 76 41 78 e0 04 a6 8d ad cc 92 10 42 bc 9f ac 44 53 54 09 3f 82 3b 9c 37
         10 b5 02 9d 20 79 e4 1f bc 87 d2 66 01 16 18 45 2b 38 b0 0f 97 a6 32
         20 30 4c d8 56 b8 0c f7 d7 f0 dc 30 7d 2b 9b 57 db 57 ad 29 3a
         58 85 f9 4f c2 65 c1 84 af d9 0b 85 a2 52 12 f5 6c 8c c8 29 c1
         b7 a1
         c7 d1 6d ce 0b 8b 48 26 44 2d 79 6f 76 fb 1a 8d ff d3 06 96 cf
         07 c8 c9 58 4a f9 76 ba 4c 86 4b f4 75 12 fb 8c a3 3f 8d 96 1a
         5b 66 68 d1 b5 ad c3 8f 16 aa 8b 87 91 90 5e 3f bf 76 84 7e be da 44 e7 51 eb bc d3 60 bd 94 5c 81 e5 a4 89 8b 0b
         c8 c8 de 04 22 2b cc 88 46 d3 a8 a0 f9 3e 9b 81 25 21 42 50 cf 49 f4 3d ce d2 28 f5 be ba bd 4c 01 d6
         b2 e1 fa d7 33 50 e9 a3 69 1e ee fc af 8a 4c a3 66 45 92 ed f1 de 1f f1
         90 21 70 3e 7a b6 c0 90 15 13 f9 7e 39 b1 11 f0 9c 93 48 0e 72
         97 1c
         7b 21 19 84 a7 54 cd 45 fe 09 5a f0 ea 42 af 36 82 9b cc f7 a7 1e 01 27 0e d1 fe
         9b 28 88 e7 8a b4 77 69 0a 5b 9e 1c cb e9 1c

   {server}  derive secret "tls13 c ap traffic":

      PRK (32 octets):  6a 4a 0f 97 a7 e0 c7 28 42 01 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02
         30 00 bf 27 30 0b 06 03 55 1d 0f 04 04 03 02 d8 24 4f 71 01 07 80 fe 11 91
         ec 30 0d 06 09 2a 86
         48 47 c0 e9 86 f7 0d 01 14 aa d5 2f 51 62 27 7f 00 7b

      hash (32 octets):  9e 61 88 ec d4 0e c8 d1 45 81 2f 15 70 04 59 47
         bc 41 6a fc cf a8 ca 34 1a 4a 76 01 0b 05 f6 a7 39 cd

      info (54 octets):  00 03 81 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72
         61 66 66 69 63 20 9e 61 88 ec d4 0e c8 d1 45 81 00 2f 15 70 04 59
         47 bc 41 6a fc cf a8 ca 34 1a 7a 5a 4a 76 01 85 32 b0 22
         af f6 a7 39 cd

      output (32 octets):  07 67 d4 86 16 04 02 00 14 0c 44 d3 60 5a 53 0b 0d b2 ee
         e6 ad 5b ff 2d 16 7a 19 4a 51 64 20 df 10 95 d6 26 15 d2 38 35 b5 45 94 91 6d
         c6 80 3b be 5d 2e 62 60 76 c5

   {server}  derive secret "tls13 s ap traffic":

      PRK (32 octets):  6a c7 28 bf 27 30 55 d8 24 4f 71 01 07 fe 11 91
         ec 30 47 c0 e9 86 14 aa d5 2f 51 62 27 22 eb cc 77 5d 7d 99 f9 80 be 7f 00 7b

      hash (32 octets):  9e 61 88 ec d4 0e c8 d1 45 81 2f c9 4d 15 70 04 59 47
         bc 41 6a fc cf a8 ca 34 ac 1a 4a 76 01 f6 cc a7 39 cd

      info (54 octets):  00 ba 90 cb cf b0 60 8a a1 e7 e3 97 1e f0
         c0 7a 41 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72
         61 66 66 69 63 20 9e 61 88 ec d4 7a d8 34 5d 1f 0e c8 d1 45 81 fe 2f 15 70 04 59
         47 bc 41 8a 1c f4 10 54 42 9f d2 17
         bd 77 7d c1 6a fc cf 08 a8 ca 34 1a 4a 76 01 f6 a7 39 cd

      output (32 octets):  a1 16 af 52 37 f0 5d f9 07 99 c6 00 ca 95 4a 76 f0 bf 59 36 1e 0f 1a 8e e4 ac 0f 78 97 42 0b
         2d db c8 23 da 80 a2 f2 ba 23 08 1c 00 00 0f 00 00 84
         08 04 00 80 84 81 45 9e b5 f0 36 eb 72 10 d9 4d 75 9a c5 a1 87 9c 61 ed 9e ab 6c 23 36

   {server}  derive secret "tls13 exp master":

      PRK (32 octets):  6a c7 28 bf 27 30 55 d8 24 4f 71 49 48 04 09 7f
         9d 94 6f 41 e0 02 2a 66 ee 8e 0d 3b bc f4 37 c2 6f db cb 1d b6
         69 45 94 f9 01 71 82 e2 80 5c 1a 68 24 e1 06 d1 07 fe 11 91
         ec 30 47 c0 e9 86 dd 42 37 53
         60 89 14 3d 06 12 ec 33 08 50 2c aa d5 a1 54 3e 82 fb 9d b5 58 7e
         54 07 6e 18 7a d6 ad 9b 89 35 42 a7 54 1d f0 47 49 2f 51 62 27 7f fb 6c e2
         5d df f8 fd e7 ed 8a 67 98 f2 b7 de 1f 00 7b

      hash (32 octets):  9e 61 88 ec d4 0e c8 d1 45 81 2f 15 70 04 59 47
         bc 41 6a fc cf a8 d9 f9 67 ca 34 1a 4a 76 15 3a 3d 01 9c 5a cc af 97 14 00 f6 a7 39 cd

      info (52 octets):  00 20 49 3e e4 87 b7 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73
         74 65 72 20 9e 61 88 ec d4 0e c8 d1 45 81 2f 15 70 04 59 47 bc
         41 6a fc 2b f5 19 b7 cf a8 ca 34 1a 4a 76 01 f6 a7 39 cd
         2b 6b 33 b5 0f 5b

      output (32 octets):  a6 e6 d5 23 ca 68 ff 08 62 3b ca de 3d 27 35 95 eb
         ae 49 93 aa e4 7d c1 d8 cf 2f 1d 12 e9 d8 ee 91 5e

   {server}  derive write traffic keys for application data:

      PRK (32 octets):  a1 16 af 52 37 a4 96 2e 39 d0 ec 13 92 f0 00 ca 95 4a 76 80

      ciphertext (645 octets):  17 03 03 02 80 4d 75 ab 8f 1d f0 bf 59 78 2d
         db 81 45 9e b5 f0 36 eb 72 06 a6
         3e 10 ed 9e ab 6c 23 36

      key info (13 octets):  00 ac cd 41 c6 aa d6 3f e1 4d df 10 09 74 6c 73 31 33 20 42 8f 59 68 d7 fc 60 61
         2f d2 5f f6 49 ae 82 c6 2e 3b 1e 6b 0d 07 d4 26 ae d4 3f a8 1f
         c2 65 79 00

      key output (16 octets):  b2 1c 13 11 a2 57 45 a0 c1 d8 de 68 c7 ce
         7a dc

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 15 00

      iv output (12 octets):  d1 7b 34 2a f3 32 e9 90 1f 42 44 43 92 5d 9a

   {server}  derive read traffic keys for handshake data:

      PRK (32 octets):  4b 4c d4 8c 53 57 b2 0d 5d 4f 39 9c 05 77 bd 73 11 5b b5 12 f1
         af 4e 3c 65 fa da 60 d5 24 6b 3e 64 b5 7d fe 67 7d 8f df 7c
         b3 5f 07 48 02 a0 c5 5a 12 ec

      key info (13 octets):  00 10 09 74 6c 73 31 de a8 d4 27 1d fa 5f 5d 33 20 6b 65 21 a4
         f4 67 c4 78 5d b0 54 79 00

      key output (16 octets):  cc 08 24 4c 19 61 00 74 6d 6e bd e5 6f ee
         e9 01

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  c0 52 e0 7a ce 1d 8e 0f af aa f1 fb 84 8f 8b 01 a9

   {client}  extract secret "early":

      salt:  (absent)

      ikm (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 8d cb 9c 63 a3 86
         3a 6b d3 e8 8d b5 a3 67 34 53 2d f3 cd 98 93 68 b0 f5 7a 12 b5 65 94 b2 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 6b 69 4e 5c e6 c1 b2 2e 10 f1 70 f9 2a

   {client}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 ab 6f 1f a0 a9 f5 40 e3 80 2d 6b f2
         4f eb e4 2b 72 00 aa 1f 13 ab 80 90 26 60 e1 b2 2e 10 f1 54 e4 14 54 72 70 f9 1b 9a fe d6
         c5 b4 51 39 7e a0 fd 19 8c 04 48 af 73 44 2a

      hash (32 octets):  e3 b0 c4 42 91 57 43 11 53 4d
         22 91 07 65 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 88 00 5c f0 51 db 32 70 83 44 93 4c 2c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 e9 22
         a2 bd 94 a2 c9 d8 40 70 7b 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {client}  extract secret "handshake":

      salt (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c 56 ff 09 eb ea c3 57 6c 36 b1 b7 ad 8c 76
         f7 bf c2 dc 8b 75 19 d2 29 ad 7b a5 6d 0a 16 12 d0 56 f8 78 da 11 ba

      ikm (32 octets):  18 5a b9 91 c9 ce 3d d0 df 44 62 8c 5a 0f ab 4d 51 30 f3 14 af 7f 95 7e f1
         f5 27 05 6b 5d 16 a4 a4 04 47 0e 8b b2 ad 6d b0 a9 3b 5d d5 45 35
         b3 cb 4f b7 9f 75 da 58 b6 fa f7 e2 3c 5f 68 7e 0a 28
         ec 76 32 a2 1f cf ff f0 36

      secret (32 octets):  50 9a 53 59 61 77 d3 24 4f 9e 94 53 e7 bf ac fe 6e
         6d 1d 04 4f f9 2d 3c 1f b1 8e f8 1a bb
         cf 38 08 24 d4 cb 1c e4 51 7a be 83 7e d6 c1 45 f0 56 8b 41 bd ab 06 d2 d8 97 59 33 b9 36 26 65
         68 ac 23 1e c9 48 eb b3 32 1f 5f b0 14 36 21 af 9b 3c e7 51 7b
         08 88 07 d9

   {client}  derive secret "tls13 c hs traffic" (same as server)

   {client}  derive secret "tls13 s hs traffic" (same as server)

   {client}  derive secret for master "tls13 derived" (same as server)

   {client}  extract secret "master" (same as server)

   {client}  derive read traffic keys for handshake data:

      PRK (32 octets):  2c e0 71 c6 17 4b 7b 05 a7 bf ce a2 d9 e2 50 16 1a f7 0f 93
         73 a9 c2 fc 2d 41 06 85 52 38 bc 54 f0 78 ee 1c 9c bf 77 3a 21 40 b1 4b 14 a0 8c
         65 de ee 09 4a bc db 0f 01 8a 1d 50 33 1f 30 cd

      key info (13 octets):  00 10 09 74 6c 75 82 7a 46 73 31 33 20 6b 65 79 00

      key output (16 octets):  1e
         c2 c3 59 19 f6 75 3e cc 95 0c e3 96 b0 11 16 44 ad 52 35
         3f f1

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  73 ab 6b 2d c5 8a 11 fd 05 70 4a ce b6

   {client}  calculate finished "tls13 finished" (same as server)

   {client}  derive secret "tls13 c ap traffic" (same as server)

   {client}  derive secret "tls13 s ap traffic" (same as server)

   {client}  derive secret "tls13 exp master" (same as server)
   {client}  send change_cipher_spec record:

      payload (1 octets):  01

      ciphertext (6 octets):  14 03 03 00 01 01

   {client}  derive write traffic keys for handshake data (same as
      server read traffic keys)

   {client}  derive read traffic keys for application data (same as
      server write traffic keys)

   {client}  calculate finished "tls13 finished":

      PRK (32 octets):  4b 4c d4 8c 4f 39 9c 05 77 bd 73 11 31 5b b5 12 f1
         af 4e 3c 65 fa da 60 d5 24 6b 3e f5 57 09 64 b5 2b 32 7d c5 ec

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets):  00 f1 67 b7 01 24 12 32 92 d1 2f d4 77 08 23 d6 4b a7 f5
         09 0e 8b 93 bd 24 9d bd 4d 1d 19 2f 6d 6c 75 e3 4d d6 bd e8 f3 c8 2c 30 49 f4
         f6 68 4a

   {client}  send a Finished handshake message

   {client}  send handshake record:

      payload (36 octets):  14 00 00 20 9c dd f7 4d 18 4d 72 76 57 9f a7 08 0e f0 6b ce 6c 90 bb
         d0 03 1e 1b c8 82 1a 64 70 ea 2a 61 d6 d8 42 b1 51 a6 6b bd 6b 50 1c 35 2c

      ciphertext (58 octets):  17 82 6d cd
         0d 31 25 bc a5 47 03 03 00 35 df b2 f9 ab 53 43 fd a4 2a bb eb 5b f9 ca 6d
         02 45 8e 7e 9f 06 1c 68 4c 3c 96
         08 9b 15 58 8c 8d bf af 32 67 a3 d0 83 60 ae b1 d1 59 ce 92 85
         f7 4e 91 b7 91 7b 4d 7a 1d 11 d6 7d cf 8b 8c fe 4c af 21 5d a9 58
         b4 a9

   {client}  derive write traffic keys for application data:

      PRK (32 octets):  07 04 70 e5 e6 93 02 00 14 0c 44 d3 60 5a 53 0b 0d b2 ee a4 c2 ca 50 2f e8 e6 d4
         78 7b 57 18 6d 85 40 7d
         ad 5b ff 4a 51 64 20 df 0d 5e 0c 8a be 1a 73 46 10 95 d6 cd 30 86
         5a c5 fc 9d f2 d3 8e 84 1e f3 67 91 26 15 b5 3b be e0 dd 3a 1a 95 b9 c3 2d
         3e 8e 97 04 c8 7b fe bd 35 ea f5 cb db 4a 72 32 46 82 04 a5 75
         63 2c ed 27 76 70

      key info (13 octets):  00 10 09 74 6c d5 02 a5 66 d1 30 73 31 33 20 6b 65 79 00

      key output (16 octets):  f0 72 a4 38 13 be 60 17 99 b4 c1 ab 40 9a 1c e4 ab 21 2c 45
         28 18

      iv info (12 octets):  00 0c 08
         c5 8c 04 ae 75 74 6c 73 31 33 94 8b 63 4b ff 14 54 b6 91 a1 e9 88 20 69 76 00
      iv output (12 octets):  47 c6 de 54
         85 7e 12 05 65 fc bc 6e 3d 01 ed fa 7a ab c5 f9 2c 45 b4 df 22
         50 c0 c2 e5 1c 04 f6 e9 21 f4 99

   {client}  derive secret "tls13 res master":

      PRK (32 octets):  86 05 00 52 9e e3 a6 0a 26 44 3e 62 2a 4c 00 0a
         b3 ff 0d ea 05 05 5c c3 ed f3  6a c7 28 bf 27 30 55 d8 24 4f 71 01 f7 07 fe 11 db ba 91
         ec 30 47 c0 e9 86 14 aa d5 2f 51 62 27 7f 00 7b

      hash (32 octets):  7f 2d 4e 12 6e 73  7a 0a 30 81 19 4d bc f1 bd af c6 f4 02 a0 62 ae 2f a2
         b1 e3 3a c9 6e ea 3c b9 1f 32 ec b0
         f7 ba 7f 60 c4 ee a4 41 0f 80 26 dc 33 25 77 88 6f c3 22 62 c5 20 49 bf d7 1a

      info (52 octets):  00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73
         74 65 72 20 7f 2d 4e 12 6e 73 7a 0a 30 81 19 4d bc f1 bd af c6 f4 02 a0 62 ae 2f a2 b1
         e3 3a c9 6e ea 3c b9 1f 32 ec b0 f7
         ba 7f 60 c4 ee a4 41 0f 80 26 dc 33 25 77 88 6f c3 22 62 c5 20 49 bf d7 1a

      output (32 octets):  42 f1 0b 54 0d ee 84 7b 5b 1c 5b 0d 89 2c f7  69 5c b5 3a dd e2 0c 27 6b 9d 87 11 7d 9a 13 9b 89 20 64 88 a3 52 eb ee d8 cb 6f 90 a8 df 03
         6c cc ce be 5c 82 ed ab 0c 3a 6c 5f 39 84 54 1e 77

   {server}  calculate finished "tls13 finished" (same as client)

   {server}  derive read traffic keys for application data (same as
      client write traffic keys)

   {server}  derive secret "tls13 res master" (same as client)

   {client}  send alert record:

      payload (2 octets):  01 00

      ciphertext (24 octets):  17 03 03 00 13 70 16 fa 95 9e 65 31 0b cf
         54 11 09 dd 74 cc 4b bd 42 95 85 3c c0 b9 9c 64 e3 78 5c
         c8 53 b5 61 a1 24 0f f6 35 75

   {server}  send alert record:

      payload (2 octets):  01 00

      ciphertext (24 octets):  17 03 03 00 13 92 e3 7d 92 18 1a 14 ec cf
         3e 35 13 f4 54 63 4f b1 70 d9

7. 2b cd 23 33 71 26 6e b4 bc
         ce 2d 27 56 f3 8f 37 15 ea 19

8.  Security Considerations

   It probably isn't a good idea to use the private key here.  If it
   weren't for the fact that it is too small to provide any meaningful
   security, it is now very well known.

8.

9.  References

8.1.

9.1.  Normative References

   [I-D.ietf-tls-tls13]

   [TLS13]    Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", draft-ietf-tls-tls13-22 draft-ietf-tls-tls13-28 (work in progress),
              November 2017.

8.2.
              March 2018.

9.2.  Informative References

   [FIPS186]  National Institute of Standards and Technology (NIST),
              "Digital Signature Standard (DSS)", NIST PUB 186-4 , July
              2013.

   [RFC7748]  Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
              for Security", RFC 7748, DOI 10.17487/RFC7748, January
              2016, <https://www.rfc-editor.org/info/rfc7748>.

8.3.

9.3.  URIs

   [1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS

Appendix A.  Acknowledgements

   This draft is generated using tests that were written for NSS [1].
   None of this would have been possible without Franziskus Kiefer, Eric
   Rescorla and Tim Taubert, who did a lot of the work in NSS.

Author's Address

   Martin Thomson
   Mozilla

   Email: martin.thomson@gmail.com