TLS                                                           M. Thomson
Internet-Draft                                                   Mozilla
Intended status: Informational                             July 09,                        September 27, 2018
Expires: January 10, March 31, 2019

                  Example Handshake Traces for TLS 1.3
                    draft-ietf-tls-tls13-vectors-06
                    draft-ietf-tls-tls13-vectors-07

Abstract

   Examples of TLS 1.3 handshakes are shown.  Private keys and inputs
   are provided so that these handshakes might be reproduced.
   Intermediate values, including secrets, traffic keys and IVs are
   shown so that implementations might be checked incrementally against
   these values.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 10, March 31, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Private Keys  . . . . . . . . . . . . . . . . . . . . . . . .   2
   3.  Simple 1-RTT Handshake  . . . . . . . . . . . . . . . . . . .   3
   4.  Resumed 0-RTT Handshake . . . . . . . . . . . . . . . . . . .  15  16
   5.  HelloRetryRequest . . . . . . . . . . . . . . . . . . . . . .  26  29
   6.  Client Authentication . . . . . . . . . . . . . . . . . . . .  38  42
   7.  Compatibility Mode  . . . . . . . . . . . . . . . . . . . . .  49  55
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  60  66
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  60  66
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  60  66
     10.1.  Normative References . . . . . . . . . . . . . . . . . .  60  66
     10.2.  Informative References . . . . . . . . . . . . . . . . .  60  66
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . .  61  67
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  61  67

1.  Introduction

   TLS 1.3 [TLS13] defines a new key schedule and a number of new
   cryptographic operations.  This document includes sample handshakes
   that show all intermediate values.  This allows an implementation to
   be verified incrementally, examining inputs and outputs of each
   cryptographic computation independently.

   A private key is included with the traces so that implementations can
   be checked by importing these values and verifying that the same
   outputs are produced.

   Note:  Invocations of HMAC-based Extract-and-Expand Key Derivation
      Function (HKDF) [RFC5869] are not labelled, but can be identified
      through the use of the labels used by HKDF.

2.  Private Keys

   Ephemeral private keys are shown as they are generated in the traces.

   The server in most examples uses an RSA certificate with a private
   key of:

   modulus (public):  b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c
      0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab
      bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87
      a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f
      da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0
      3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e
      3f

   public exponent:  01 00 01

   private exponent:  04 de a7 05 d4 3a 6e a7 20 9d d8 07 21 11 a8 3c 81
      e3 22 a5 92 78 b3 34 80 64 1e af 7c 0a 69 85 b8 e3 1c 44 f6 de 62
      e1 b4 c2 30 9f 61 26 e7 7b 7c 41 e9 23 31 4b bf a3 88 13 05 dc 12
      17 f1 6c 81 9c e5 38 e9 22 f3 69 82 8d 0e 57 19 5d 8c 84 88 46 02
      07 b2 fa a7 26 bc f7 08 bb d7 db 7f 67 9f 89 34 92 fc 2a 62 2e 08
      97 0a ac 44 1c e4 e0 c3 08 8d f2 5a e6 79 23 3d f8 a3 bd a2 ff 99
      41

   prime1:  e4 35 fb 7c c8 37 37 75 6d ac ea 96 ab 7f 59 a2 cc 10 69 db
      7d eb 19 0e 17 e3 3a 53 2b 27 3f 30 a3 27 aa 0a aa bc 58 cd 67 46
      6a f9 84 5f ad c6 75 fe 09 4a f9 2c 4b d1 f2 c1 bc 33 dd 2e 05 15

   prime2:  ca bd 3b c0 e0 43 86 64 c8 d4 cc 9f 99 97 7a 94 d9 bb fe ad
      8e 43 87 0a ba e3 f7 eb 8b 4e 0e ee 8a f1 d9 b4 71 9b a6 19 6c f2
      cb ba ee eb f8 b3 49 0a fe 9e 9f fa 74 a8 8a a5 1f c6 45 62 93 03

   exponent1:  3f 57 34 5c 27 fe 1b 68 7e 6e 76 16 27 b7 8b 1b 82 64 33
      dd 76 0f a0 be a6 a6 ac f3 94 90 aa 1b 47 cd a4 86 9d 68 f5 84 dd
      5b 50 29 bd 32 09 3b 82 58 66 1f e7 15 02 5e 5d 70 a4 5a 08 d3 d3
      19

   exponent2:  18 3d a0 13 63 bd 2f 28 85 ca cb dc 99 64 bf 47 64 f1 51
      76 36 f8 64 01 28 6f 71 89 3c 52 cc fe 40 a6 c2 3d 0d 08 6b 47 c6
      fb 10 d8 fd 10 41 e0 4d ef 7e 9a 40 ce 95 7c 41 77 94 e1 04 12 d1
      39

   coefficient:  83 9c a9 a0 85 e4 28 6b 2c 90 e4 66 99 7a 2c 68 1f 21
      33 9a a3 47 78 14 e4 de c1 18 33 05 0e d5 0d d1 3c c0 38 04 8a 43
      c5 9b 2a cc 41 68 89 c0 37 66 5f e5 af a6 05 96 9f 8c 01 df a5 ca
      96 9d

3.  Simple 1-RTT Handshake

   In this example, the simplest possible handshake is completed.  The
   server is authenticated, but the client remains anonymous.  After
   connecting, a few application data octets are exchanged.  The server
   sends a session ticket that permits the use of 0-RTT data in any
   resumed session.

   {client}  create an ephemeral x25519 key pair:

      private key (32 octets):  01 61 d7 bf  49 af 42 ba 7f 79 94 85 2d 71 3e f2 78
         4b a0 6c 35 68 f1 09 54 f0
         f1 cb ca 08 74 60 54 9c a7 91 1d e2 6a dc 7b fe b2 77 6b 46 04 d8 2f aa c2 56 42 cb 63 45 40 e7 ea 50 05

      public key (32 octets):  b0 f5 01 9f b0 f1 e5 37 6b 8b 1d fb 90 5f  99 38 1d 91 51 61 e5 60 e4 bd 43 d2 3d 8e 43 5a 7d
         ba c3 77 07 da d8 90 7b d7 1b 98 07 fe b3 45 c0 6e 51 c1 3c ae 4d 54 13 69 1e 52 9a af 2c

   {client}  send  construct a ClientHello handshake message

   {client}  send handshake record:

      payload

      ClientHello (196 octets):  01 00 00 c0 03 03 d4 b9 50 3c 5e 95 c9 ee
         cc 99 ce cb 34 ec b1 e7 81 63 76 cc ad
         ba 1c 38 c6 da cb 19 6a 6d ff a2 1a 8d 99 12 ec 18 a2 ef 62 83
         02 4d cc 06 d7 c8 f1 fa 44 b0 d9 56 00 e9 a0
         58 6c 67 ec e7 00 00 06 13 01 13 03 13 02 01 00 00 91 00 00 00 0b
         00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00
         12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 23
         00 00 00 33 00 26 00 24 00 1d 00 20 b0 f5 01 9f b0 f1 e5 37 6b 8b
         1d fb 90 5f 99 38 1d 91 51 61 e5 60 e4 bd 43 d2
         3d 8e 43 5a 7d ba c3 77 07 da d8 90 7b d7 1b 98 07 fe b3
         45 c0 6e 51 c1 3c ae 4d 54 13 69 1e 52 9a
         af 2c 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03
         02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06
         02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01

      ciphertext (201

   {client}  send handshake record:

      payload (196 octets):  16 03 01 00 c4  01 00 00 c0 03 03 d4 b9
         50 3c 5e 95 c9 ee cc 99 ce cb 34 ec b1 e7 81 63 76 cc ad ba
         1c 38 c6 da cb 19 6a 6d ff a2 1a 8d 99 12 ec 18 a2 ef 62 83 02
         4d cc 06 d7 c8 f1 fa 44
         b0 d9 56 00 e9 a0 58 6c 67 ec e7 00 00 06 13 01 13 03 13 02 01 00 00 91 00 00 00 0b 00
         09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12
         00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 23 00
         00 00 33 00 26 00 24 00 1d 00 20 b0 f5 01 9f
         b0 f1 e5 37 6b 8b 1d fb 90 5f 99 38 1d 91 51 61 e5 60 e4 bd 43 d2 3d
         8e 43 5a 7d ba c3 77 07 da d8 90
         7b d7 1b 98 07 fe b3 45 c0 6e 51 c1 3c ae 4d 54 13 69 1e 52 9a af
         2c 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03 02
         03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02
         02 02 00 2d 00 02 01 01 00 1c 00 02 40 01

   {server}  extract secret "early":

      salt:  (absent)

      IKM (32

      complete record (201 octets):  16 03 01 00 c4 01 00 00 c0 03 03 cb
         34 ec b1 e7 81 63 ba 1c 38 c6 da cb 19 6a 6d ff a2 1a 8d 99 12
         ec 18 a2 ef 62 83 02 4d ec e7 00 00 06 13 01 13 03 13 02 01 00
         00 91 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01
         00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02
         01 03 01 04 00 23 00 00 00 33 00 26 00 24 00 1d 00 00

      secret (32 octets):  33 ad 0a 1c 20 99 38 1d
         e5 60 7e e4 bd 43 d2 3d 8e 43 5a 7d ba fe b3 c0 6e 51 c1 3c ae 4d
         54 13 69 1e 52 9a af 2c 00 2b 00 03 02 03 04 00 0d 00 20 00 1e
         04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02
         01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01

   {server}  extract secret "early":

      salt:  0 (all zero octets)

      IKM (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

   {server}  create an ephemeral x25519 key pair:

      private key (32 octets):  e2 36 b9 50 e1 aa 9b af af ed c6 d1 c9
         31 18 67 fd  b1 58 0e ea df 6d d5 89 b8 ef 4f 2d 56
         52 57 8c c8 10 e9 98 01 91 d2 c1 5e ec 8d 05 3b 5a b0 85 f7 3f 75 a8 6a 83 08 ce a2 16 a2 1e

      public key (32 octets):  9d 3c 94 0d 89 69 0b 84 d0 8a 60 99 3c 14
         4e ca 68 4d 10 81 28 7c 83 4d 53  c9 82 88 76 11 bc f3 20 95 fe 66 76 2b b9 da 1a db f7 c6
         72 e1 56 d6 cc 25 3b 83 3d f1 dd 69 b1 b0 4e 75 1f 0f

   {server}  send  construct a ServerHello handshake message

      ServerHello (90 octets):  02 00 00 56 03 03 a6 af 06 a4 12 18 60
         dc 5e 6e 60 24 9c d3 4c 95 93 0c 8a c5 cb 14 34 da c1 55 77 2e
         d3 e2 69 28 00 13 01 00 00 2e 00 33 00 24 00 1d 00 20 c9 82 88
         76 11 20 95 fe 66 76 2b db f7 c6 72 e1 56 d6 cc 25 3b 83 3d f1
         dd 69 b1 b0 4e 75 1f 0f 00 2b 00 02 03 04

   {server}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output

      expanded (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba
         b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {server}  extract secret "handshake":

      salt (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      IKM (32 octets):  81 51 d1 46 4c 1b 55 53 36 23 b9 c2 24 6a 6a 0e
         6e 7e 18 50  8b d4 05 4f b5 5b 9d 63 e1 4a fd af fb ac f9 f0 b6 e1 c6 1a 86 42 4b 9f 0d
         35 e6 d6 3f 53 75 63 ef d4 62 72 90 0f 89 49 2d

      secret (32 octets):  5b 4f 96 5d f0 3c 68 2c 46 e6 ee 86 c3 11 63
         66 15 a1 d2 bb b2 43 45 c2 52 05 95 3c 87 9e 8d  1d c8 26 e9 36 06 aa 6f dc 0a ad c1 2f 74 1b
         01 04 6a a6 b9 9f 69 1e d2 21 a9 f0 ca 04 3f be ac

   {server}  derive secret "tls13 c hs traffic":

      PRK (32 octets):  5b 4f 96 5d f0 3c 68 2c 46 e6 ee 86 c3 11 63 66
         15 a1 d2 bb b2 43 45 c2 52 05 95 3c 87 9e 8d  1d c8 26 e9 36 06

      hash (32 octets):  c6 c9 18 aa 6f dc 0a ad c1 2f 41 99 d5 59 8e af 74 1b 01 16 cb 7a 5c
         2c 14 cb 54
         04 6a a6 b9 9f 69 1e d2 21 a9 f0 ca 04 3f be ac

      hash (32 octets):  86 0c 06 ed c0 78 12 18 88 8d b7 03 0d d5 0d 5e 6d 58 ee 8e 78 f0 e7 42 8c 58 ed
         d6 b4 3f 2c a3 e6 e9 5f 02 ed 06 3c f0 e1 ca d8

      info (54 octets):  00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72
         61 66 66 69 63 20 c6 c9 18 ad 2f 41 99 d5 59 86 0c 06 ed c0 78 58 ee 8e af 01 16 cb 7a
         5c 2c 14 cb 54 78 12 18 88 8d b7 03 0d d5 0d 5e 6d

      output f0 e7 42 8c 58
         ed d6 b4 3f 2c a3 e6 e9 5f 02 ed 06 3c f0 e1 ca d8

      expanded (32 octets):  e2 e2 32 07 bd 93 fb  b3 ed db 12 6e 06 7f e4 fc 2e 29 7a fe 35 a7 80 b3 ab
         16 f4 5e
         2d 8f 3b 1a 95 07 38 f5 2e 96 00 74 6a 0e 52 2b 27 a5 5a b7 5d 64 a8 6e 75 bc ac 3f 3e 51 03 21

   {server}  derive secret "tls13 s hs traffic":

      PRK (32 octets):  5b 4f 96 5d f0 3c 68 2c 46 e6 ee 86 c3 11 63 66
         15 a1 d2 bb b2 43 45 c2 52 05 95 3c 87 9e 8d  1d c8 26 e9 36 06 aa 6f dc 0a ad c1 2f 74 1b 01
         04 6a a6 b9 9f 69 1e d2 21 a9 f0 ca 04 3f be ac

      hash (32 octets):  c6 c9 18 ad 2f 41 99 d5 59  86 0c 06 ed c0 78 58 ee 8e af 01 16 cb 7a 5c
         2c 14 cb 54 78 12 18 88 8d b7 03 0d d5 0d 5e 6d f0 e7 42 8c 58 ed
         d6 b4 3f 2c a3 e6 e9 5f 02 ed 06 3c f0 e1 ca d8

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
         61 66 66 69 63 20 c6 c9 18 ad 2f 41 99 d5 59 86 0c 06 ed c0 78 58 ee 8e af 01 16 cb 7a
         5c 2c 14 cb 54 78 12 18 88 8d b7 03 0d d5 0d 5e 6d

      output f0 e7 42 8c 58
         ed d6 b4 3f 2c a3 e6 e9 5f 02 ed 06 3c f0 e1 ca d8

      expanded (32 octets):  3b 7a 83 9c 23 9e f2 bf 0b 73 05 a0 e0 c4 e5
         a8 c6 c6 93 30 a7 53 b3 08 f5 e3 a8 3a a2 ef  b6 7b 7d 69 79 0c c1 6c 4e 75 e5 42 13 cb 2d
         37 b4 e9 c9 12 bc de d9 10 5d 42 be fd 59 d3 91 ad 38

   {server}  derive secret for master "tls13 derived":

      PRK (32 octets):  5b 4f 96 5d f0 3c 68 2c 46 e6 ee 86 c3 11 63 66
         15 a1 d2 bb b2 43 45 c2 52 05 95 3c 87 9e 8d  1d c8 26 e9 36 06 aa 6f dc 0a ad c1 2f 74 1b 01
         04 6a a6 b9 9f 69 1e d2 21 a9 f0 ca 04 3f be ac

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output

      expanded (32 octets):  c8 61 57 19  43 de 77 e0 c7 77 13 85 9a 94 4d b9 db 25
         90 b5 31 90 a6 5b 3e e2 40 37 47 b6 10 76 2c 72 b8 f4
         da 5c 60 99 57 65 d4 04 a9 d0 06 b9 b0 72 7b a5 83 e4 f1 2d d7 a0 bb 7c e2 54 b4

   {server}  extract secret "master":

      salt (32 octets):  c8 61 57 19 e2 40 37 47 b6 10 76 2c 72 b8 f4 da
         5c 60 99 57 65 d4 04 a9 d0 06  43 de 77 e0 c7 77 13 85 9a 94 4d b9 b0 72 7b a5 83 db 25 90 b5
         31 90 a6 5b 3e e2 e4 f1 2d d7 a0 bb 7c e2 54 b4

      IKM (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  5c 79 d1 69 42 4e 26 2b 56 32 03 62 7b e4 eb
         51 03 3f 58 8c 43 c9 ce 03 73 37 2d bc bc  18 df 06 84 3d 13 a0 8b f2 a4 49 84 4c 5f 8a
         47 80 01 85 a7 bc 4d 4c 62 79 84 d5 a4 1d a8 d0 40 29 19

   {server}  send handshake record:

      payload (90 octets):  02 00 00 56 03 03 ee fc e7 f7 b3 7b a1 d1 63
         2e 96 67 78 25 dd f7 39 88 cf c7 98 25 df 56 6d c5 43 0b 9a 04
         5a a6 af 06 a4 12 18 60 dc 5e
         6e 60 24 9c d3 4c 95 93 0c 8a c5 cb 14 34 da c1 55 77 2e d3 e2
         69 28 00 13 01 00 00 2e 00 33 00 24 00 1d 00 20 9d 3c 94 0d 89
         69 0b 84 d0 8a 60 99 3c 14 4e ca 68 4d 10 81 28 7c 83 4d 53 c9 82 88 76 11
         bc f3
         20 95 fe 66 76 2b b9 da 1a db f7 c6 72 e1 56 d6 cc 25 3b 83 3d f1 dd 69
         b1 b0 4e 75 1f 0f 00 2b 00 02 03 04

      ciphertext

      complete record (95 octets):  16 03 03 00 5a 02 00 00 56 03 03 ee fc e7
         f7 b3 7b a1 d1 63 2e 96 67 78 25 dd f7 39 88 cf c7 98 25 df 56
         6d c5 43 0b 9a 04 5a a6
         af 06 a4 12 18 60 dc 5e 6e 60 24 9c d3 4c 95 93 0c 8a c5 cb 14
         34 da c1 55 77 2e d3 e2 69 28 00 13 01 00 00 2e 00 33 00 24 00
         1d 00 20 9d 3c 94 0d 89 69 0b 84 d0 8a 60 99 3c 14 4e ca 68 4d 10 81
         28 7c 83 4d 53 c9 82 88 76 11 bc f3 20 95 fe 66 76 2b b9 da 1a db f7 c6 72 e1 56 d6
         cc 25 3b 83 3d f1 dd 69 b1 b0 4e 75 1f 0f 00 2b 00 02 03 04

   {server}  derive write traffic keys for handshake data:

      PRK (32 octets):  3b 7a 83 9c 23 9e f2 bf 0b 73 05 a0 e0 c4 e5 a8
         c6 c6 93 30 a7 53 b3 08 f5 e3 a8 3a a2 ef  b6 7b 7d 69 79 0c c1 6c 4e 75 e5 42 13 cb 2d 37 b4
         e9 c9 12 bc de d9 10 5d 42 be fd 59 d3 91 ad 38

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output expanded (16 octets):  c6 6c b1 ae c5 19 df 44 c9 1e 10 99 55 11
         ac 8b  3f ce 51 60 09 c2 17 27 d0 f2 e4 e8 6e
         e4 03 bc

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output expanded (12 octets):  f7 f6 88 4c 49 81 71 6c 2d 0d 29 a4

   {server}  send a EncryptedExtensions handshake message

   {server}  send a Certificate handshake message

   {server}  send a CertificateVerify handshake message

   {server}  calculate finished "tls13 finished":

      PRK (32 octets):  3b 7a 83 9c 23 9e f2 bf 0b 73 05 a0 e0 c4 e5 a8
         c6 c6 93 30 a7 53 b3 08 f5 e3 a8 3a a2 ef 69 79

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73  5d 31 33 20 66 69 6e 69 73 68 65
         64 3e b2 67 12 76 ee 13 00

      output (32 octets):  a8 0c b7 d1 5d b3 4a 17 ab b0 c2 37 65 be 68
         c2 6d 3f 10 da 34 90 5b 09 99 47 e5 5e 37 db 17 b3 0b 30

   {server}  send  construct a Finished EncryptedExtensions handshake message

   {server}  send handshake record:

      payload (657

      EncryptedExtensions (40 octets):  08 00 00 24 00 22 00 0a 00 14 00
         12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c
         00 02 40 01 00 00 00 00

   {server}  construct a Certificate handshake message

      Certificate (445 octets):  0b 00 01 b9 00 00 01 b5 00 01 b0 30 82
         01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48
         86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03
         72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17
         0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06
         03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7
         0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f
         82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26
         d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c
         1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52
         4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74
         80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93
         ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03
         01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06
         03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01
         01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a
         72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea
         e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01
         51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be
         c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b
         1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8
         96 12 29 ac 91 87 b4 2b 4d e1 00 00

   {server}  construct a CertificateVerify handshake message

      CertificateVerify (136 octets):  0f 00 00 84 08 04 00 80 75 40 40 d0
         dd ab 8c f0 5a 74 7c
         5d 88 fa 9b d2 e5 5a b0 85 a6 10 15 b7 21 1f 82 4c d4 84 14 5a
         b3 ff 52 f1 fd a8 47 7b 0b 7a bc 90 db 78 e2 da 2b c4 99 5b d3 3a 5c 14 1a 07
         86 8a d7 45 c8 e1 56 4e 33 cd e1 53 fa 6b ef 78 80 a4 23 92 cc 62 4a 0c 5e a2 48 ee f6 aa a7 85 c4 f3 94 ca b6 7b b3 f0 ae 71 d9 d5 4a 23 09
         73 1d 87 dc 59 f6 42 d7 33 d3 0b
         be 2e b2 74 84 ad 8a 8d 48 59 ee 51 1f 60 29 57 b1 54 11 ac 02 76 71 45 9e 46 44
         5c 9e a5 8c 18 1e 81 8e b3 51 6a
         7a c5 7f 26 25 e2 b5 c0 88 8a 85 41 f4 e7 34 f7 95 b8 c3 fb 0b f3 27 84 09 d3 be 15 2a
         3d 05 47 61 a5 04 3e 06 3d da 65 cd f5 ae a2 0d 53 df
         1d d0 ac d4 2f 74 f3

   {server}  calculate finished "tls13 finished":

      PRK (32 octets):  b6 7b 7d 69 0c c1 6c 4e 75 e5 42 13 cb 2d 37 b4
         e9 c9 12 bc de d9 10 5d 42 be fd 59 d3 91 ad 38

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 3e 9a 74 6c 73 31 33 cf a1 0b 20 66 69 6e 3e b4 eb f7 ac 05 69 73 68 65
         64 00

      expanded (32 octets):  00 8d 3b 66 f8 16 ea 55 9f 96 b5 37 e8 85
         c3 1f c0 68 bf 49 2c 65 2f 01 fd ab
         bd df c5 41 33 bc f2 88 a1 d8 cd c1 9f c8

      finished (32 octets):  9b 9b 14 1d 90 63 37 fb d2 4c 8b bd ce b2 23 b2 aa 03 45 2a 29 cb dc e7 1d f4
         de da 4a b4 2c 30 95 72 cb 7f ff ee 54 54 b7 8f 07 18

   {server}  construct a Finished handshake message

      Finished (36 octets):  14 00 00 20 ac 86 ac bc 9c d2 5a 45 b5 7a d5 b6 4d b1 5d 44 05 cf 8c
         80 e3 9b 9b 14 58 3e bf 32 83 ef 9a 99 31 0c

      ciphertext (679 1d 90 63 37 fb d2 cb
         dc e7 1d f4 de da 4a b4 2c 30 95 72 cb 7f ff ee 54 54 b7 8f 07
         18

   {server}  send handshake record:

      payload (657 octets):  08 00 00 24 00 22 00 0a 00 14 00 12 00 1d
         00 17 00 18 00 19 01 00 01 01 01 02 01 03 03 01 04 00 1c 00 02 a2 f1 40
         01 00 00 00 00 0b 26 d8 fc af 67 00 01 b9 00 00 01 b5
         b8 28 00 01 b0 30 82 01 ac 30
         82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 12 12 22 16 a1 cd 14 18 74 65 b7 76 37 cb cd 78 53 91
         28 bb 93 24 6d cc a1 af 56 f1 ea a2 71 66 60 77 45 5b c5 49 65
         d8 5f 0d
         01 01 0b 05 f9 bd 36 d6 99 61 71 eb 53 6a ff 61 3e ed dc 42 ba d5
         a2 d2 22 7c 46 06 f1 21 5f 98 00 30 0e 7a fa f5 6b d3 b8 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61
         30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 51 be 17 0d 32 36
         30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04
         03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01
         01 05 00 03 10 1a 75 81 8d 07 7b 1c 00 30 81 89 1d 8e 7a 22 94 7e 5a 22 02 81 81 00 b4 bb 49 8f 82 79 30
         3d 98 51 fd
         42 a9 dd 42 26 08 f8 36 39 9b 36 c6 98 8c 0c 68 27 2a bf 92 b3 d4 3f b4 6a c4 20 25 93
         46 06 7f 66 32 2f d7 08 88 56 80 f4 b4 43 3c 29 11 6f de 55 e1 bd b8 26 d3 90 1a
         24 61 ea fd 2d fa 52 e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e 09 bb a5 3c
         aa 6a f9 8c 7c d9 20 ed 43 12 17 24 80 9e ad dc c8 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01
         8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 07 ef 08 46 fc
         51 a0 b3 3d 99 d3 9d b3 37 fc d7 61 ce 0f 2b 02 dc 73 de db 6f
         dd b7 7c 4f 74 80 99 bd e9 3d 5b ee 08 bc f2 13 1f 29 a2 a3 7f 30 53
         0e f0
         79 49 e8 f8 bc dd 3e 83 10 b8 46 1c 8c a9 d9 ef bf 8b 34 44 c8 5a af 0d 2a eb 2d
         4f 36 fd 14 d5 cb 51 fc eb ff 41 8b 38 27 13 6a b9 52 9e 9a 3d
         3f 35 e4 c0 ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab
         9a 80 02 c4 74 9e a2 db c9 49 82 a1 28 1d 3e 6d aa b7 19 aa
         44 60 a6 d3 5a 8d 88 93 21 d7 9f 7f 1e 3f 02 03 01 00 01
         a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d
         0f 04 04 03 02 05 a0 08 bf 10 fa 30 0d 06 ac 0c 61 cc 12 2c c9 09 2a 86 48 86 f7 0d 5e 22
         c0 01 01 0b 05
         00 03 0c 98 6a e8 4a 33 81 81 00 85 aa d2 a0 c4 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17
         06 18 a5 4c 5f 8a 7b 33 7d f1 74 bc fb d5 0b 2d f7 a5 94 36 54 17 f2 ea e8 f8 a5
         8c 8f fd 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2
         40 1a 03 01 51 ab 42 3d b6 3d 58 15 db 2f 83 00 40 f3 05 21 13 1c 98 c6
         6f 16 c3 62 ad dc e2 fb a0 56 72
         60 2c f0 a7 dd df 22 e8 de f7 51 6c
         df ee 95 b4 05 6c c9 ad 38 c9 53 52 96 fd 33 54 21 b5 b1 ff ba df 75
         e5 21 2f da d7 a7 5f 52 a2 80 14 86 a1 ee c3 53 95 80 be e0 e4
         b3 37 cd a6 08 5a c9 ec cd 1a 0f 1a 46 ce bf bb 5c df a3 25 1a
         c2 8c 3b c8 26 14 8c 6d 5e 5e 67 f2 db f1 02 70 2e 60 8c 1e b6 a0 6f 77 f6 ff ca e6 be c1 fc 63 2c 6a 83 e2
         83 e8 f9 df 7c 6d ba bf 1c 6e
         a4 06 29 a8 5b 43 ab 0c 73 d3 4f
         9d 50 72 83 2a 10 4e da 3f 75 f5 d8 3d a6 e1 48 22 a1 8e 14 09
         9d 74 9e af d8 23 ca 2a c7 54 20 86 50 1e ca 20 6c e7 88 79 20
         00 85 73 75 7c e2 f2 30 a8 90 78 2b 99 cc 68 23 77 be ee 81 27
         56 d0 4f 90 25 13 5f b5 99 d7 46 fe fe 73 16 c9 22 ac 26 5c a0
         d2 90 21 37 5a db 63 c1 50 9c 3e 24 2d fb 92 b8 de e8 91 b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1c 3b 84
         e0 a8 b2 f7 36
         8c 59 40 58 39 9b 8d b9 07 5f a3 ea c9 d9 1d 40 2d cc 82 16 19 4e 50 3b 66 52 d8 7d
         2c b4 1f 99 ad fd cc 5b e5 ec 7e 1e 63 26 0c c8 f8 96 12 29
         ac 22 d7 0b d3 ba 65
         28 27 53 2d 66 9a ff 91 87 b4 2b 4d e1 00 00 0f 00 00 84 08 04 00 51 73 59 7f 80 39 c3 ea 49 22 d3 ec 75
         76 70 22 2f 6a c2 5a 74 7c 5d
         88 fa 9b 93 e9 0d d2 e5 5a b0 85 a6 10 15 b7 21 1f 82 4c d4 84 14 5a b3
         ff 52 f1 fd a8 47 7b 0b 7a bc 90 db 78 e2 d3 f6 dd 96 32 8e 42 9c fc fd 3a 5c 14 1a 07 86
         53 fa 6b ef 78 0c 5e a2 48 ee aa a7 85 c4 f3 94 ca 22 70 7f e2 d8 6a d1 dc b0 b6 d3 0b be 75 6e 8e

   {server}  derive secret "tls13 c ap traffic":

      PRK (32 octets):  5c 79 d1 69 42 4e 26 2b 56 32 03 62 7b e4 eb
         8d 48 59 ee 51
         03 3f 58 8c 43 c9 ce 03 73 37 2d bc bc 01 85 a7

      hash (32 octets):  f8 c1 1f 60 29 57 b1 54 11 ac 02 76 71 45 9e 46 44 5c
         9e a5 8c 77 c0 38 79 bb c8 eb 6d 56 e0 0d d5
         d8 6e f5 59 18 1e 81 8e 95 b8 c3 fb 0b f3 27 ee fc 08 e1 b0 02 b6 ec e0 5d bf

      info (54 octets):  00 20 12 84 09 d3 be 15 2a 3d
         a5 04 3e 06 3d da 65 cd f5 ae a2 0d 53 df ac d4 2f 74 6c 73 31 33 f3 14 00
         00 20 9b 9b 14 1d 90 63 20 61 70 20 74 37 fb d2 cb dc e7 1d f4 de da 4a b4 2c
         30 95 72
         61 66 66 69 63 20 f8 c1 9e 8c 77 c0 38 79 bb c8 eb 6d 56 e0 0d
         d5 d8 6e f5 59 27 cb 7f ff ee fc 08 e1 b0 54 54 b7 8f 07 18

      complete record (679 octets):  17 03 03 02 b6 ec e0 5d a2 d1 ff 33 4a 56 f5 bf

      output (32 octets):  e2 f0 db 6a 82 e8 82
         f6 59 4a 07 cc 87 b5 80 fc 26 f7 3c 23 3f 50 0f 45 e4 89 85 4e
         e8 61 e7 f3 3a f3 5e 25 df 28 b2 20 79 62 fa
         78 22 26 b2 36 26

   {server}  derive secret "tls13 s ap traffic":

      PRK (32 octets):  5c 79 d1 69 42 4e 26 2b 56 32 03 62 7b e4 eb 51
         03 3f 58 8c 43 c9 ce 03 fc f4 0a a4 0a a2 b8 ea 73 37 2d bc bc 01 85 a7

      hash (32 octets): f8 c1 9e 8c 77 c0 38 79 bb c8 eb 6d 56 e0 0d d5
         d8 6e f5 59 27 ee fc 08 e1 b0 02 b6 ec e0 5d bf

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 20 48 a7 ca 07 61 70 20 74 72 2e f9 f9 45
         cb 96 0b 40 68 90 51 23 ea 78 b1 11 b4 29 ba 91 91 cd 05 d2 a3
         89 28 0f 52 61 66 66 69 63 20 f8 c1 9e 34 aa dc 7f c7 8c 77 c0 38 79 bb c8 eb 6d 56 e0 0d
         d5 d8 6e f5 59 27 ee fc 08 e1 b0 02 b6 4b 72 9d f8 28 b5 ec e0 5d bf

      output (32 octets):  5b 73 f7 b1 08 3b
         d9 ac 1b 9b 0c 82 48 ca 39 26 ec
         6e 7b c4 7e 41 17 06 96 39 87 ec 11 43 5d 30 ae fb 0e 57 19

   {server}  derive secret "tls13 exp master":

      PRK (32 octets): f2 71 58 5b 8e a9 bb 35 5c 7c 79 d1 69 42 4e 26 2b 56 32 03 62 7b e4 eb 02 07 16 cf b9
         b1 18 3e f3 ab 20 e3 7d 57 a6 b9 d7 47 76 09 ae e6 e1 22 a4 cf
         51
         03 3f 58 8c 43 c9 ce 03 42 73 37 2d bc bc 01 85 a7

      hash (32 octets):  f8 c1 9e 8c 77 c0 38 79 bb c8 eb 6d 56 e0 0d d5
         d8 6e f5 59 27 ee fc 08 e1 b0 02 b6 ec e0 25 25 0c 7d 0e 50 92 89 44 4c 9b 3a 64 8f 1d 71 03 5d
         2e d6 5b 0e 3c dd 0c ba e8 bf

      info (52 octets):  00 20 10 74 6c 73 31 33 20 65 2d 0b 22 78 70 20 6d 61 73
         74 65 12 cb b3 60 98 72 20 f8 c1 9e 8c 77 c0 38 55
         cc 74 41 10 c4 53 ba a4 fc d6 10 92 8d 80 98 10 e4 b7 ed 1a 8f
         d9 91 f0 6a a6 24 82 04 79 bb c8 eb 6d 56 e0 0d d5 7e 36 a6 a7 3b 70 a2 55 9c 09 ea d6
         86 94 5b a2 46 ab 66 e5 ed d8
         6e f5 59 27 ee 04 4b 4c 6d e3 fc 08 e1 b0 02 b6 ec e0 5d bf

      output (32 octets):  b7 73 34 8a 35 a0 f2 a8 94 41 f1 ac
         66 27 2f d8 fb 33 0e f8 19 05 79 b3 68 45 96 89 f8 df 30 09
         7b 1d 25 7a bf 5c c9 60 bd 59 6e ea
         52 0a aa 16 c8 65 10 56 b9 06 a8 d6 c6

   {server}  derive write traffic keys for application data:

      PRK (32 octets):  5b 73 b1 08 d9 ac 1b 9b 0c 82 48 50 f5 63 aa d2 74 09 96 0d ca 39 63 d3 e6 88 61 1e
         a5 e2 2f 44 15 cf 95 38 d5 1a 20 0c 27 03 42 72 96 8a 26 ec 6e 4e d6
         54 0c 84 83 8d 89 f7 2c 24 46 1a ad 6d 26 f5 9e ca ba 9a cb bb
         31 7b c4 7e 41 17 06 96 66 d9 02 f4 f2 92 a3 6a c1 b6 39 87 ec 11 43 5d 30 57 19

      key info (13 octets): c6 37 ce 34 31 17 b6 59
         62 22 45 31 7b 49 ee da 0c 62 58 f1 00 10 09 74 6c 73 d7 d9 61 ff b1 38 64 7e
         92 ea 33 0f ae ea 6d fa 31 c7 a8 4d c3 bd 7e 1b 7a 6c 71 78 af
         36 87 90 18 e3 f2 52 10 7f 24 3d 24 3d c7 33 20 6b 65 79 9d 56 84 c8 b0 37
         8b f3 02 44 da 8c 87 c8 43 f5 e5 6e b4 c5 e8 28 0a 2b 48 05 2c
         f9 3b 16 49 9a 66 db 7c ca 71 e4 59 94 26 f7 d4 61 e6 6f 99 88
         2b d8 9f c5 08 00

      key output (16 octets): be cc a6 88 eb b5 ac 82 2d 6c 74 11 6d 6f 42 d4 bd 29 72 fd a1 fa 80
         f8 5d f8 81 ed be 5a 37 66 89 36 b3 35 58 3b 59 91 86 dc 5c 0c c4 4b
         9b 7d

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69
         18 a3 96 fa 48 a1 81 d6 b6 fa 4f 9d 62 d5 13 af bb 99 2f 2b 99
         2f 67 f8 af e6 7f 76 00

      iv output (12 octets):  c1 91 3f a3 88 cb 56 30 c8 ca d4 42 5a 43 8b 01 e0 c6 5d e7 14 83 0a

   {server}  derive read traffic keys for handshake data:

      PRK (32 octets):  e2 e2 32 07 bd 93 fb 7f e4 fc 2e 29 7a fe ab 16
         0e 52 2b 5a 11
         c6 6a 1e 2a c4 c8 59 77 b7 5d 64 a8 6e 75 bc ac 3f 3e 51 03

      key info (13 octets):  00 c7 a6 99 9b bf 10 09 74 dc 35 ae 69 f5 51
         56 14 63 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  26 79 a4 3e 1d 0b 9b 68 c1 9e d2 e3 1c 0b 3b 66 76 78 40 34 ea 17 30 38 eb ba 42
         f3 b3 8e dc 03 99 f3 a9 f2 3f aa 63 97 8c 31 7f c9 fa 66 a7 3f
         60 f0 50 4d e9 3b 5b 84 5e 27 55 92 c1 23 35 ee 34 0b bc 4f dd
         d5 ad
         26 02 78 40 16 e4 b3 be 7e f0 4d da 49

      iv info (12 octets):  00 f4 b4 40 a3 0c 08 74 6c 73 b5 d2 af
         93 98 28 fd 4a e3 79 4e 44 f9 4d f5 a6 31 33 20 69 76 00

      iv output (12 octets):  54 82 40 52 90 dd ed e4 2c 17 19 bf da
         bf 02 53 fe 51 75 be 89 8e 75 0e dc 53 37 0d 2f 81 c0 d9 42

   {client}  extract 2b

   {server}  derive secret "early":

      salt:  (absent)

      IKM "tls13 c ap traffic":

      PRK (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret  18 df 06 84 3d 13 a0 8b f2 a4 49 84 4c 5f 8a 47
         80 01 bc 4d 4c 62 79 84 d5 a4 1d a8 d0 40 29 19

      hash (32 octets):  33 ad 0a  96 08 10 2a 0f 1c 60 cc 6d b6 25 0b 7b 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 41 7b 1a
         00 0e aa 1f 26 60 e1 b2 2e 10 f1 da 3d aa e4 77 7a 76 86 c9 ff 83 df 13

      info (54 octets):  00 20 12 74 6c 73 31 33 20 63 20 61 70 f9 20 74 72
         61 66 66 69 63 20 96 08 10 2a

   {client} 0f 1c cc 6d b6 25 0b 7b 7e 41 7b
         1a 00 0e aa da 3d aa e4 77 7a 76 86 c9 ff 83 df 13

      expanded (32 octets):  9e 40 64 6c e7 9a 7f 9d c0 5a f8 88 9b ce
         65 52 87 5a fa 0b 06 df 00 87 f7 92 eb b7 c1 75 04 a5

   {server}  derive secret for handshake "tls13 derived": s ap traffic":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a  18 df 06 84 3d 13 a0 8b f2 a4 49 84 4c 5f 8a 47
         80 01 bc 4d 4c 62 79 84 d5 a4 1d a8 d0 40 29 19

      hash (32 octets):  e3 b0 c4 42 98 fc  96 08 10 2a 0f 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae cc 6d b6 25 0b 7b 7e 41 7b 1a
         00 0e aa da 3d aa e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 77 7a 76 86 c9 ff 83 df 13

      info (49 (54 octets):  00 20 0d 12 74 6c 73 31 33 20 64 65 73 20 61 70 20 74 72
         61 66 66 69 76 65 64 63 20 e3 b0 c4 42 98 fc 96 08 10 2a 0f 1c 14 9a fb f4 c8 99 6f b9 24 27 ae cc 6d b6 25 0b 7b 7e 41 7b
         1a 00 0e aa da 3d aa e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output 77 7a 76 86 c9 ff 83 df 13

      expanded (32 octets):  6f 26 15  a1 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 1a f9 f0 55 31 f8 56 ad 47 11 ba

   {client}  extract 6b 45 a9
         50 32 82 04 b4 f4 4b fb 6b 3a 4b 4f 1f 3f cb 63 16 43

   {server}  derive secret "handshake":

      salt "tls13 exp master":

      PRK (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76  18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      IKM (32 octets):  81 51 d1 46 df 06 84 3d 13 a0 8b f2 a4 49 84 4c 1b 55 53 36 23 b9 c2 24 6a 6a 0e
         6e 7e 18 50 63 e1 4a fd af f0 5f 8a 47
         80 01 bc 4d 4c 62 79 84 d5 a4 1d a8 d0 40 29 19

      hash (32 octets):  96 08 10 2a 0f 1c cc 6d b6 e1 c6 25 0b 7b 7e 41 7b 1a
         00 0e aa da 3d aa e4 77 7a 76 86 42

      secret (32 c9 ff 83 df 13

      info (52 octets):  5b 4f  00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73
         74 65 72 20 96 5d f0 3c 68 2c 46 e6 ee 08 10 2a 0f 1c cc 6d b6 25 0b 7b 7e 41 7b 1a 00
         0e aa da 3d aa e4 77 7a 76 86 c3 11 63
         66 15 a1 d2 bb b2 43 45 c2 c9 ff 83 df 13

      expanded (32 octets):  fe 22 f8 81 17 6e da 18 eb 8f 44 52 05 95 3c 87 9e 8d 06

   {client}  derive secret "tls13 c hs traffic" (same as server)

   {client}  derive secret "tls13 s hs traffic" (same as server)

   {client}  derive secret for master "tls13 derived" (same as server)

   {client}  extract secret "master" (same as server)

   {client} 67
         92 c5 0c 9a 3f 89 45 2f 68 d8 ae 31 1b 43 09 d3 cf 50

   {server}  derive read write traffic keys for handshake application data:

      PRK (32 octets):  3b 7a 83 9c 23 9e f2 bf 0b 73 05 a0 e0 c4 e5 a8
         c6 c6 93 30 a7 53 b3 08 f5 e3 a8  a1 1a f9 f0 55 31 f8 56 ad 47 11 6b 45 a9 50 32
         82 04 b4 f4 4b fb 6b 3a a2 ef 69 79 4b 4f 1f 3f cb 63 16 43

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output expanded (16 octets):  c6  9f 02 28 3b 6c b1 ae c5 19 df 44 c9 1e 10 99 55 11 9c 07 ef c2 6b b9 f2 ac 8b
         92 e3 56

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output expanded (12 octets):  f7 f6  cf 78 2b 88 4c 49 81 71 6c 2d 0d 29 a4

   {client}  calculate finished "tls13 finished" (same as server)

   {client}  derive secret "tls13 c ap traffic" (same as server)

   {client}  derive secret "tls13 s ap traffic" (same as server)

   {client}  derive secret "tls13 exp master" (same as server)
   {client}  derive write traffic keys for handshake data (same as
      server read traffic keys)

   {client} dd 83 54 9a ad f1 e9 84

   {server}  derive read traffic keys for application data (same as
      server write traffic keys)

   {client}  calculate finished "tls13 finished": handshake data:

      PRK (32 octets):  e2 e2 32 07 bd 93 fb  b3 ed db 12 6e 06 7f e4 fc 2e 29 7a fe 35 a7 80 b3 ab 16 f4 5e 2d 8f
         3b 1a 95 07 38 f5 2e 96 00 74 6a 0e 52 2b 27 a5 5a b7 5d 64 a8 6e 75 bc ac 3f 3e 51 03

      hash (0 octets):  (empty) 21

      key info (18 (13 octets):  00 20 0e 10 09 74 6c 73 31 33 20 66 69 6e 69 73 68 6b 65
         64 79 00

      output (32

      key expanded (16 octets):  12 1b f5 86 01 b2 ed 13 bf 14 b3 ee ac bd 9d
         a4 ba ba 1e 14 3e  db 66 a1 07 79 59 60 fb d9 e2 1f

   {client}  send a Finished handshake message

   {client}  send handshake record:

      payload (36 octets):  14 00 00 20 b9 02 7a 02 04 b9 72 b5 2c de fa
         58 95 0f a1 58 0d 68 c9 cb 12 4d be 69 1a 71 78 f2 5c 55 4b 23

      ciphertext (58 octets):  17 03 03 00 35 95 39 b4 ae 2f 87 fd 8e 61
         6b 29 56 28 ea 95 3d 9e 38 58 db 27 49 70 a6 93 d1 98 13 ec 13 6c ae
         7d 96 e0 41 77 75 fc ab d3 d8 85 8f dc 60 24 09 12 d2 18 f5 af
         b2 1c

   {client}  derive write traffic keys for application data:

      PRK (32 octets):  e2 f0 db 76 2c 5b 66 6a 82 e8 82 80 fc 26 f7 3c 89 85 4e e8
         61 5e f5 d9 50
         25 df 28 b2 20 79 62 fa 78 22 26 b2 36 26

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  88 b9 6a d6 86 c8 4b e5 5a ce 18 a5 9c ce
         5c 87 8d 01

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output expanded (12 octets):  b9 9d c5 8c d5 ff 5a b0 82 fd ad 19  5b d3 c7 1b 83 6e 0b 76 bb 73 26 5f

   {client}  extract secret "early" (same as server early secret)

   {client}  derive secret for handshake "tls13 res master": derived":

      PRK (32 octets):  5c 79 d1 69 42 4e  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 2b 56 32 03 62 7b e4 eb 51
         03 3f 58 8c 43 c9 ce 03 73 37 2d bc bc 01 85 a7 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets):  50 2f 86  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 57 9e c0 53 d3 28 24 e2
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 0e f6 5c
         c4 37 a3 56 43 45 35 6b df 79 13 ec 3b 87 96 14 52 b8 55

      info (52 (49 octets):  00 20 10 0d 74 6c 73 31 33 20 72 65 73 20 6d 61 73
         74 64 65 72 69 76 65 64
         20 50 2f 86 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 57 9e c0 53 d3 28 24 e2 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 0e f6 5c c4
         37 a3 56 43 45 35 6b df 79 13 ec 3b 87 96 14

      output 52 b8 55

      expanded (32 octets):  f7 84 42 e1 c4 b9 d4 40 ad b6 3b e6  6f 26 15 a1 08 c7 02 c5 67 8f 74 a5
         f3 01 94 6a 2b 2b db 36 54 fc 9d ba
         b6 97 16 c0 45 bb 7c f5 a9 e3 02 f5

   {server}  calculate finished "tls13 finished" (same as client)

   {server}  derive read traffic keys 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {client}  extract secret "handshake" (same as server handshake
      secret)

   {client}  derive secret "tls13 c hs traffic" (same as server)

   {client}  derive secret "tls13 s hs traffic" (same as server)

   {client}  derive secret for application master "tls13 derived" (same as server)

   {client}  extract secret "master" (same as server master secret)

   {client}  derive read traffic keys for handshake data (same as
      client server
      handshake data write traffic keys)

   {server}

   {client}  calculate finished "tls13 finished" (same as server)

   {client}  derive secret "tls13 res master" c ap traffic" (same as client)

   {server}  generate resumption server)

   {client}  derive secret "tls13 resumption": s ap traffic" (same as server)

   {client}  derive secret "tls13 exp master" (same as server)

   {client}  derive write traffic keys for handshake data (same as
      server handshake data read traffic keys)

   {client}  derive read traffic keys for application data (same as
      server application data write traffic keys)

   {client}  calculate finished "tls13 finished":

      PRK (32 octets):  f7 84 42 e1 c4 b9 d4 40 ad b6 3b e6  b3 ed db 12 6e 06 7f 35 a7 80 b3 ab f4 5e 2d 8f
         3b 1a 95 07 38 f5 2e 96 00 74 a5 f3
         01 94 6a 2b 2b db 36 c0 45 bb 7c f5 a9 e3 02 f5 0e 27 a5 5a 21

      hash (2 (0 octets):  00 00  (empty)

      info (22 (18 octets):  00 20 10 0e 74 6c 73 31 33 20 72 65 73 75 6d 70 74 66 69 6f 6e 02 00 69 73 68 65
         64 00

      output

      expanded (32 octets):  e3 4f 01 59 72 7d 1b 8e 4c 9c 17 68 59 45 a2
         86  b8 0a d0 10 15 fb 2f 0b d6 5f f7 d4 da 5d
         6b f8 3f 84 82 1d 1f 70 dc 21 05 cb 22 4b 87 fd c7 d3 c7 5b 5a 7b 42 d9 c4

      finished (32 octets):  a8 ec 43 6d bd b3 83 28 2e f5 cf

   {server}  send 67 76 34 ae 52 5a c1 fc eb e1
         1a 03 9e c1 76 94 fa c6 e9 85 27 b6 42 f2 ed d5 ce 61

   {client}  construct a NewSessionTicket Finished handshake message

   {server}

      Finished (36 octets):  14 00 00 20 a8 ec 43 6d 67 76 34 ae 52 5a
         c1 fc eb e1 1a 03 9e c1 76 94 fa c6 e9 85 27 b6 42 f2 ed d5 ce
         61

   {client}  send handshake record:

      payload (205 (36 octets):  04 00 00 c9 00 00 00 1e 2f d3 99 2f 02 00
         00 00 b2 ff 09 9f 96 76 cd ff 8b 0b f8 82 5d 00 00 00  14 00 79 05
         a9 d2 8e fe ef 4a 47 c6 f9 b0 6a 0c ec db 00 70 d9 20 b8 98 99
         7c 75 b7 96 36 94 3e d4 20 46 a9 61 42 bd 08 4a 04 ac fa 0c 49
         0f 45 2d 75 a8 ec 43 6d ea 02 c0 f9 27 25 9f 1f 32 31 ac 0d 54 67 76 34 ae 52 5a c1
         fc eb e1 1a 03 9e c1 76 91
         29 b7 40 ce 38 09 08 94 fa c6 e9 85 27 b6 42 b8 28 f2 ed d5 ce 61

      complete record (58 octets):  17 03 03 00 35 75 ec 4d c2 7f d7 29 f5 97 37 ba 98 aa 7b
         42 e0 43 c5 da 28 f8 dc a8 59 38 cc e6
         0b 2d f4 10 d5 13 4f d6 c4 ca ca 29 80 44 a7 1e 21 9c 56 cc 77 b0 51 7f e9 b9 3c 7a 4b fc 44
         d8 b3 7f 38 f8 03 70 60 2a fa 35 d2 38 ac 98 fc 46 de b3 84 bd 1c ae ac ab 68 67 d7
         26 c4 05 46

   {client}  derive write traffic keys for application data:

      PRK (32 octets):  9e 40 64 6c e7 9a 7f 9d c0 5a f8 88 9b ce 65 bf 4d 12 79 76 bb 36 db da 6a 62
         6f 02 70 e2 0e eb c7 3d 6f ca e2 b1 a0 da 12 2e e9 04 2f 76 be
         56 eb f4 1a a4 69 c3 d2 c9 da 91 97 d8 00 08 00 2a 00 04 00 52
         87 5a fa 0b 06 df 00 87 f7 92 eb b7 c1 75 04 00

      ciphertext (227 a5

      key info (13 octets):  17 03 03  00 de 36 80 c2 b2 10 9d 25 ca
         a2 09 74 6c 3b 06 ee a9 fd c5 cb 73 31 61 3b a7 02 17 33 20 6b 65 96 79 00

      key expanded (16 octets):  17 42 2d da 2e 88 6b
         f6 af 93 59 6e d5 d9 ac d8 90 e3 c6
         3f 50 7b d6 81 61 ad 9c b4 78 06 53 84 2e 10 41 ec bf 51

      iv info (12 octets):  00
         88 a6 5a c4 ef 43 84 19 dd 1d 95 dd d9 bd 2a d4 48 4e 7e 16 7d
         0e 0c 08 74 6c 73 31 33 20 69 76 00

      iv expanded (12 octets):  5b 78 92 3d ee 08 57 90 33 e5 23 d9

   {client}  derive secret "tls13 res master":

      PRK (32 octets):  18 df 06 84 48 ae 58 a0 41 87 3d 13 b6 fc 6c 51 e4 bb 23 a5 37 fb
         75 a7 4f 73 de 31 fe 6a a0 bc 52 25 15 f8 b2 5f 89 55 42 8b 5d
         e5 ac 06 76 2c ec 22 b0 aa 78 c9 43 85 ef 8e 70 fa 24 94 5b 7c
         1f 26 85 10 87 16 89 bb bb fa f2 e7 f4 a4 49 84 4c 5f 8a 47
         80 01 bc 4d 4c 62 79 84 d5 a4 1d a8 d0 40 29 19

      hash (32 octets):  20 91 45 a9 6e e8 e2 a1 92 77 02 4f 22 ff 81 00 47 cc 95 f1 26
         84 65 8d 60 49 e8 64 29 42 6d b8 7c 54 ad 14
         3a b1 2a 3d

      info (52 octets):  00 20 10 74 6c 73 31 ec 63 ad b1 28 cb 39 07 11 fd 33 20 72 65 73 20 6d 06 a4 98 df 3e 98 61 5d 8e b1 02 73
         74 65 72 20 20 91 45 a9 6e e8 e2 33 53 b4 80 ef a1 22 ff 81 00 47 cc a5 e8 e0 95 26 7a 6d 0f e2 44
         1f 84
         65 8d 60 49 e8 64 29 42 6d b8 7c 54 ad 14 c8 c9 66 4a ef b2 cf ff 6a e9 e0 44 27 28 b6 a0 94 0c 1e
         82 4f 3d

      expanded (32 octets):  7d f2 35 f2 03 1d 2a 05 12 87 d0 2b 02 41
         b0 bf da 06

   {client}  generate resumption f8 6c c8 56 23 1f 2d 5a ba 46 c4 34 ec 19 6c

   {server}  calculate finished "tls13 finished" (same as client)

   {server}  derive read traffic keys for application data (same as
      client application data write traffic keys)

   {server}  derive secret "tls13 resumption" res master" (same as
      server)

   {client}  send application_data record:

      payload (50 client)

   {server}  generate resumption secret "tls13 resumption":

      PRK (32 octets):  00 01 02  7d f2 35 f2 03 04 1d 2a 05 06 07 08 09 0a 0b 0c 0d 0e
         0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 87 d0 2b 02 41 b0 bf
         da f8 6c c8 56 23 1f 2d 5a ba 46 c4 34 ec 19 6c

      hash (2 octets):  00 00

      info (22 octets):  00 20 21 22 23
         24 25 26 27 28 29 2a 2b 10 74 6c 73 31 33 20 72 65 73 75 6d 70 74
         69 6f 6e 02 00 00

      expanded (32 octets):  4e cd 0e b6 ec 3b 4d 87 f5 d6 02 8f 92 2c
         a4 c5 85 1a 27 7f d4 13 11 c9 e6 2d 2e 2f 30 31

      ciphertext (72 2c 94 92 e1 c4 f3

   {server}  construct a NewSessionTicket handshake message

      NewSessionTicket (205 octets):  17 03 03  04 00 43 8c 34 97 da 00 ae c9 00 00 00 1e fa d6 aa
         c5 02 3e 53
         c0 1b 43 24 b6 65 40 4c 00 00 00 b2 2c 03 5d 82 93 59 ee 5f f7 af 4e c9 00 00 00
         00 26 2a 64 94 dc 48 6d 2c 8a 34 cb 33 fa 90 bf 1b 00 70 ad 3c
         49 e7 8f e2 bf 4d 17 f6 34 8a 88 83 c9 36 7c 09 a2 be 78 5a bc 55 cd 22 60 97 a3 a9 82 11
         72 83 f8 2a 03 a1 43 ef d3 ff 5d d3 6d 64 e8 34 61 be 7f d6 1d 28
         27 db 27 9c ce 14 50 77 d4 54 a3 66 4d 4e 6d a4 d2 9e e0 37 25
         a6 a4 da fc d0 fc 67 d2 ae a7 05 29 51 e3 63 a0 cd 05 3e 3d a2 67 7f a5 90 6c
         5b 3f 7d 8f 92 f2 28 bd a4 0d da 72 14 70 f9 fb f2 97 b5 ae a6
         17 9c 4f 64 6f ac 5c 03 27 2e 97 07 27 c6 21 a7 91 41 ef 5a d6 89 b5 ca e0 ba 5f 7d e6 50
         5e 5b fb c3 88 e9 33 43 69 40 93 93 4a
         dc 63 63 2e e4 d3 57 1f b7 9a a9 15 44 c6 39 4d 28 a1 00 08 00 2a 00
         04 00 00 04 00

   {server}  send application_data handshake record:

      payload (50 (205 octets):  04 00 00 c9 00 00 00 1e fa d6 aa c5 02 00
         00 00 b2 2c 03 5d 82 93 59 ee 5f f7 af 4e c9 00 00 00 00 26 2a
         64 94 dc 48 6d 2c 8a 34 cb 33 fa 90 bf 1b 00 70 ad 3c 49 88 83
         c9 36 7c 09 a2 be 78 5a bc 55 cd 22 60 97 a3 a9 82 11 72 83 f8
         2a 03 a1 43 ef d3 ff 5d d3 6d 64 e8 61 be 7f d6 1d 28 27 db 27
         9c ce 14 50 77 d4 54 a3 66 4d 4e 6d a4 d2 9e e0 37 25 a6 a4 da
         fc d0 fc 67 d2 ae a7 05 29 51 3e 3d a2 67 7f a5 90 6c 5b 3f 7d
         8f 92 f2 28 bd a4 0d da 72 14 70 f9 fb f2 97 b5 ae a6 17 64 6f
         ac 5c 03 27 2e 97 07 27 c6 21 a7 91 41 ef 5f 7d e6 50 5e 5b fb
         c3 88 e9 33 43 69 40 93 93 4a e4 d3 57 00 08 00 2a 00 04 00 00
         04 00

      complete record (227 octets):  17 03 03 00 de 3a 6b 8f 90 41 4a 97
         d6 95 9c 34 87 68 0d e5 13 4a 2b 24 0e 6c ff ac 11 6e 95 d4 1d
         6a f8 f6 b5 80 dc f3 d1 1d 63 c7 58 db 28 9a 01 59 40 25 2f 55
         71 3e 06 1d c1 3e 07 88 91 a3 8e fb cf 57 53 ad 8e f1 70 ad 3c
         73 53 d1 6d 9d a7 73 b9 ca 7f 2b 9f a1 b6 c0 d4 a3 d0 3f 75 e0
         9c 30 ba 1e 62 97 2a c4 6f 75 f7 b9 81 be 63 43 9b 29 99 ce 13
         06 46 15 13 98 91 d5 e4 c5 b4 06 f1 6e 3f c1 81 a7 7c a4 75 84
         00 25 db 2f 0a 77 f8 1b 5a b0 5b 94 c0 13 46 75 5f 69 23 2c 86
         51 9d 86 cb ee ac 87 aa c3 47 d1 43 f9 60 5d 64 f6 50 db 4d 02
         3e 70 e9 52 ca 49 fe 51 37 12 1c 74 bc 26 97 68 7e 24 87 46 d6
         df 35 30 05 f3 bc e1 86 96 12 9c 81 53 55 6b 3b 6c 67 79 b3 7b
         f1 59 85 68 4f

   {client}  generate resumption secret "tls13 resumption" (same as
      server)

   {client}  send application_data record:

      payload (50 octets):  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e
         0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23
         24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31

      ciphertext

      complete record (72 octets):  17 03 03 00 43 f6 5f 49 fd 2d f6 cd 23 47
         c3 d3 01 66 e3 cf dd a2 3f 70 54 b6 30 8a 59 06 c0 76 11 2c 6a 37 ff 1d bd
         40 6b 58 13 c0 ab d7 34 88 30 17 a6 b2 83 31 86 b1 3c 14 da 5d
         75 f3 3d 87 60 78 99 94 e2 7d 82 04
         d0 af fa fe 82 28 ba 55 cb ef ac ea 42 f9 14 aa 66 bc ab 3f 2b
         98 19 a8 a5 b4 6b 39 5b d5 4a 9a 20 44 1e 2b 62 97 4e 1f 5a 62
         92 a2 97 70 14 bd 1e 3d ea e6 3a b8 8d 65 ee bb 21 69 49 15 e4

   {server}  send application_data record:

      payload (50 octets):  00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e
         0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23
         24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31

      complete record (72 octets):  17 03 03 00 43 2e 93 7e 11 ef 4a c7
         40 e5 38 ad 36 00 5f c4 a4 69 32 fc 32 25 d0 5f 82 aa 1b 36 e3
         0e fa f9 7d 90 e6 df fc 60 2d cb 50 1a 59 a8 fc c4 9c 4b f2 e5
         f0 a2 1c 00 47 c2 ab f3 32 54 0d d0 32 e1 67 c2 95 5d

   {client}  send alert record:

      payload (2 octets):  01 00

      ciphertext

      complete record (24 octets):  17 03 03 00 13 2c 21 48 16 3d 79 38 a3 5f
         6a cf 2a c9 87 27 60 65 56 66 06 f8 cb d1 d9 f2
         b7 4d 7f f1 15 3e fd 6d b6 d0 b0 e3

   {server}  send alert record:

      payload (2 octets):  01 00
      ciphertext

      complete record (24 octets):  17 03 03 00 13 f8 14 1e bd b5 ed a5 11 e0
         bc e6 39 a5 6f f9 ea 82 5a 21 8f d6 71 66 eb f5
         99 d2 47 20 cf be 7e fa 7a 88 64 a9

4.  Resumed 0-RTT Handshake

   This handshake resumes from the handshake in Section 3.  Since the
   server provided a session ticket that permitted 0-RTT, and the client
   is configured for 0-RTT, the client is able to send 0-RTT data.

   {client}  create an ephemeral x25519 key pair:

      private key (32 octets):  53 9d 7e  bf a9 6c 5c eb 7d 86 f0 b9 68
         2a 1d d7 b7 b6 0d 81 c2 73 50 74 35 cd d1 b7 aa f9 11 88 28 38 46 dd 6a 21 34 ef 71
         80 05 1f ca 2b 0b 14 fb 10 dc e7 07 b5 09 8c 0d dd c8 13 b2 df

      public key (32 octets):  b0 31 99 c3 4d 68 2d 91 db  e4 ff b6 8a c0 5f 58 8d 96 10 f6
         c0 9b ec e9 9c 23 c7 7c c6 0d 1e c9 9d a2 66 98 34
         6c 6b e1 64 82 ba dd 0d 25 ed 5d be 70 da fe 05 1a 66 b4 f1 8d 66 8f 0b

   {client}  extract secret "early":

      salt:  (absent)  0 (all zero octets)

      IKM (32 octets):  e3 4f 01 59 72 7d 1b 8e 4c 9c 17 68 59 45 a2 86
         1f 70 dc 21 05 cb 22 4b 6d bd b3 83 28 2e  4e cd 0e b6 ec 3b 4d 87 f5 cf d6 02 8f 92 2c a4 c5
         85 1a 27 7f d4 13 11 c9 e6 2d 2c 94 92 e1 c4 f3

      secret (32 octets):  04 8b 40  9b 21 88 e9 b2 fc 6d 64 d7 1d c3 29 90 0e 20
         bb 41 91 50 00 f6 78 aa 09 ff d4 c6 76 83 9c 54 1a 2f 46 e2
         84 66 06 f7 0d 62 a6 15 97 77 29 c5 b2 81 c7 e7 15 bb 79 7c b7 d8 33 2c

   {client}  send  construct a ClientHello handshake message

   {client}  calculate finished "tls13 finished":

      PRK (32 octets):  20 63 8e c4 e9 90 45 a8 bb 12 1e 86 fe 65 54 82
         db b3 74 0d db f6 2d 0c bc c2 04 9c 10 c7 01 34

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets):  a8 19 28 e3 08 5c 3a 85 63 ed 82 2d a9 af 7a
         b7 1a c5 43 2a 5f 9d 1e 6f 71 32 f1 8b 36 e2 c7 05

   {client}  send handshake record:

      payload (512

      ClientHello (477 octets):  01 00 01 fc 03 03 88 09 d2 a3 9b f9 ae b3
         83 1d 2b 32 e4 1b c3 ce b6 bb e3 9c
         ff f9 32 15 e4 fc 4f 25 71 79 71 bd 79 e8 19 93 83 55 b5 a5 0a db 6d b2 1b 7a 6a f6 49 d7 b4 bc 41
         e3 dd 9b 9d 78
         76 48 7d 95 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b
         00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00
         12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33
         00 26 00 24 00 1d 00 20 b0 31 99 c3 4d 68 2d 91 db e4 ff b6 8a c0 5f 58 8d 96 10 f6
         c0 9b ec e9 9c 23 c7 7c c6 0d 1e c9 9d a2 66 98
         34 6c 6b e1 64 82 ba dd 0d 25 ed 5d be 70 da fe 05 1a 66 b4 f1 8d 66 8f 0b 00 2a
         00 00 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03
         02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06
         02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01 00 15 00 57 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 29 00 dd 00 b8 00 b2 ff 09 9f 96 76 cd ff 8b 0b f8 82 2c 03 5d 82 93 59 ee 5f f7 af 4e c9
         00 00 00 00 79 05 a9 d2 8e fe ef 4a 47 c6 f9 b0 6a 0c ec db 26 2a 64 94 dc 48 6d 2c 8a 34 cb 33 fa 90 bf 1b 00
         70
         d9 20 b8 98 99 7c 75 b7 96 ad 3c 49 88 83 c9 36 94 3e d4 20 46 7c 09 a2 be 78 5a bc 55 cd 22 60 97 a3
         a9 61 42 bd 08 4a
         04 ac fa 0c 49 0f 45 2d 75 82 11 72 83 f8 2a 03 a1 43 ef d3 ff 5d d3 6d ea 02 c0 f9 64 e8 61 be 7f
         d6 1d 28 27 25 9f 1f 32 31 ac
         0d 54 1a 76 91 29 b7 40 db 27 9c ce 38 09 08 42 b8 28 c2 7f d7 29 f5 97
         37 ba 98 aa 7b 42 14 50 77 d4 54 a3 66 4d 4e 6d a4 d2 9e
         e0 43 c5 37 25 a6 a4 da 28 f8 dc a8 59 0b 2d f4 10 d5 13
         4f d6 c4 ca ca d8 b3 03 70 60 2a fa 35 fc d0 fc 67 d2 65 bf 4d 12 79 76 bb
         36 db ae a7 05 29 51 3e 3d a2 67 7f
         a5 90 6c 5b 3f 7d 8f 92 f2 28 bd a4 0d da 6a 62 6f 02 72 14 70 e2 0e eb c7 3d f9 fb f2 97
         b5 ae a6 17 64 6f ca e2 b1 a0 da 12 ac 5c 03 27 2e
         e9 04 2f 76 be 56 eb f4 1a a4 69 c3 d2 c9 da 91 97 d8 2f d3 99
         32 00 07 27 c6 21 20 3c a7 91 41 ef 5f
         7d e6 69 de de c4 4e 50 5e 75 53 8f cc ab 3d b0 45 5b fb
         5d 21 01 19 99 e1 45 12 ee 3a b3 5f 2a f4 c3 88 e9

      ciphertext (517 33 43 69 40 93 93 4a e4 d3 57 fa d6
         aa cb

   {client}  calculate PSK binder:

      ClientHello prefix (477 octets):  16 03 01 02 00  01 00 01 fc 03 03 88 09
         d2 a3 9b f9 ae b3 83 1d 2b 32 e4 1b c3 ce b6 bb
         e3 9c ff f9 32 15 e4 fc 4f 25 71 79
         71 bd 79 e8 19 93 83 55 b5 a5 0a db 6d b2 1b 7a 6a f6 49 d7 b4 bc 41 e3 dd 9b
         9d 78 76 48 7d 95 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00
         00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00
         14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04
         00 33 00 26 00 24 00 1d 00 20 b0 31 99 c3 4d 68 2d 91
         db e4 ff b6 8a c0 5f 58 8d 96 10 f6 c0 9b ec e9 9c 23 c7 7c c6 0d 1e c9 9d a2
         66 98 34 6c 6b e1 64 82 ba dd 0d 25 ed
         5d be 70 da fe 05 1a 66 b4 f1 8d 66 8f 0b
         00 2a 00 00 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03
         06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05
         02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01 00 15 00 57
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 29 29 00 dd 00 b8 00 b2 2c 03 5d 82 93 59 ee 5f f7 af
         4e c9 00 00 00 00 26 2a 64 94 dc 48 6d 2c 8a 34 cb 33 fa 90 bf
         1b 00 70 ad 3c 49 88 83 c9 36 7c 09 a2 be 78 5a bc 55 cd 22 60
         97 a3 a9 82 11 72 83 f8 2a 03 a1 43 ef d3 ff 5d d3 6d 64 e8 61
         be 7f d6 1d 28 27 db 27 9c ce 14 50 77 d4 54 a3 66 4d 4e 6d a4
         d2 9e e0 37 25 a6 a4 da fc d0 fc 67 d2 ae a7 05 29 51 3e 3d a2
         67 7f a5 90 6c 5b 3f 7d 8f 92 f2 28 bd a4 0d da 72 14 70 f9 fb
         f2 97 b5 ae a6 17 64 6f ac 5c 03 27 2e 97 07 27 c6 21 a7 91 41
         ef 5f 7d e6 50 5e 5b fb c3 88 e9 33 43 69 40 93 93 4a e4 d3 57
         fa d6 aa cb

      binder hash (32 octets):  63 22 4b 2e 45 73 f2 d3 45 4c a8 4b 9d
         00 9a 04 f6 be 9e 05 71 1a 83 96 47 3a ef a0 1e 92 4a 14

      PRK (32 octets):  69 fe 13 1a 3b ba d5 d6 3c 64 ee bc c3 0e 39 5b
         9d 81 07 72 6a 13 d0 74 e3 89 db c8 a4 e4 72 56

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      expanded (32 octets):  55 88 67 3e 72 cb 59 c8 7d 22 0c af fe 94
         f2 de a9 a3 b1 60 9f 7d 50 e9 0a 48 22 7d b9 ed 7e aa

      finished (32 octets):  3a dd 4f b2 d8 fd f8 22 a0 ca 3c f7 67 8e
         f5 e8 8d ae 99 01 41 c5 92 4d 57 bb 6f a3 1b 9e 5f 9d

   {client}  send handshake record:

      payload (512 octets):  01 00 01 fc 03 03 1b c3 ce b6 bb e3 9c ff
         93 83 55 b5 a5 0a db 6d b2 1b 7a 6a f6 49 d7 b4 bc 41 9d 78 76
         48 7d 95 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00
         09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12
         00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00
         26 00 24 00 1d 00 20 e4 ff b6 8a c0 5f 8d 96 c9 9d a2 66 98 34
         6c 6b e1 64 82 ba dd da fe 05 1a 66 b4 f1 8d 66 8f 0b 00 2a 00
         00 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03 02
         03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02
         02 02 00 2d 00 02 01 01 00 1c 00 02 40 01 00 15 00 57 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 29 00 dd 00 b8 00 b2 2c 03 5d 82 93 59 ee 5f f7 af 4e c9 00
         00 00 00 26 2a 64 94 dc 48 6d 2c 8a 34 cb 33 fa 90 bf 1b 00 70
         ad 3c 49 88 83 c9 36 7c 09 a2 be 78 5a bc 55 cd 22 60 97 a3 a9
         82 11 72 83 f8 2a 03 a1 43 ef d3 ff 5d d3 6d 64 e8 61 be 7f d6
         1d 28 27 db 27 9c ce 14 50 77 d4 54 a3 66 4d 4e 6d a4 d2 9e e0
         37 25 a6 a4 da fc d0 fc 67 d2 ae a7 05 29 51 3e 3d a2 67 7f a5
         90 6c 5b 3f 7d 8f 92 f2 28 bd a4 0d da 72 14 70 f9 fb f2 97 b5
         ae a6 17 64 6f ac 5c 03 27 2e 97 07 27 c6 21 a7 91 41 ef 5f 7d
         e6 50 5e 5b fb c3 88 e9 33 43 69 40 93 93 4a e4 d3 57 fa d6 aa
         cb 00 21 20 3a dd 4f b2 d8 fd f8 22 a0 ca 3c f7 67 8e f5 e8 8d
         ae 99 01 41 c5 92 4d 57 bb 6f a3 1b 9e 5f 9d

      complete record (517 octets):  16 03 01 02 00 01 00 01 fc 03 03 1b
         c3 ce b6 bb e3 9c ff 93 83 55 b5 a5 0a db 6d b2 1b 7a 6a f6 49
         d7 b4 bc 41 9d 78 76 48 7d 95 00 00 06 13 01 13 03 13 02 01 00
         01 cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01
         00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02
         01 03 01 04 00 33 00 26 00 24 00 1d 00 20 e4 ff b6 8a c0 5f 8d
         96 c9 9d a2 66 98 34 6c 6b e1 64 82 ba dd da fe 05 1a 66 b4 f1
         8d 66 8f 0b 00 2a 00 00 00 2b 00 03 02 03 04 00 0d 00 20 00 1e
         04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02
         01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01
         00 15 00 57 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 29 00 dd 00 b8 00 b2 2c 03 5d 82 93 59
         ee 5f f7 af 4e c9 00 00 00 00 26 2a 64 94 dc 48 6d 2c 8a 34 cb
         33 fa 90 bf 1b 00 70 ad 3c 49 88 83 c9 36 7c 09 a2 be 78 5a bc
         55 cd 22 60 97 a3 a9 82 11 72 83 f8 2a 03 a1 43 ef d3 ff 5d d3
         6d 64 e8 61 be 7f d6 1d 28 27 db 27 9c ce 14 50 77 d4 54 a3 66
         4d 4e 6d a4 d2 9e e0 37 25 a6 a4 da fc d0 fc 67 d2 ae a7 05 29
         51 3e 3d a2 67 7f a5 90 6c 5b 3f 7d 8f 92 f2 28 bd a4 0d da 72
         14 70 f9 fb f2 97 b5 ae a6 17 64 6f ac 5c 03 27 2e 97 07 27 c6
         21 a7 91 41 ef 5f 7d e6 50 5e 5b fb c3 88 e9 33 43 69 40 93 93
         4a e4 d3 57 fa d6 aa cb 00 21 20 3a dd 4f b2 d8 fd f8 22 a0 ca
         3c f7 67 8e f5 e8 8d ae 99 01 41 c5 92 4d 57 bb 6f a3 1b 9e 5f
         9d

   {client}  derive secret "tls13 c e traffic":

      PRK (32 octets):  9b 21 88 e9 b2 fc 6d 64 d7 1d c3 29 90 0e 20 bb
         41 91 50 00 f6 78 aa 83 9c bb 79 7c b7 d8 33 2c

      hash (32 octets):  08 ad 0f a0 5d 7c 72 33 b1 77 5b a2 ff 9f 4c 5b
         8b 59 27 6b 7f 22 7f 13 a9 76 24 5f 5d 96 09 13

      info (53 octets):  00 20 11 74 6c 73 31 33 20 63 20 65 20 74 72 61
         66 66 69 63 20 08 ad 0f a0 5d 7c 72 33 b1 77 5b a2 ff 9f 4c 5b
         8b 59 27 6b 7f 22 7f 13 a9 76 24 5f 5d 96 09 13

      expanded (32 octets):  3f bb e6 a6 0d eb 66 c3 0a 32 79 5a ba 0e
         ff 7e aa 10 10 55 86 e7 be 5c 09 67 8d 63 b6 ca ab 62

   {client}  derive secret "tls13 e exp master":

      PRK (32 octets):  9b 21 88 e9 b2 fc 6d 64 d7 1d c3 29 90 0e 20 bb
         41 91 50 00 f6 78 aa 83 9c bb 79 7c b7 d8 33 2c

      hash (32 octets):  08 ad 0f a0 5d 7c 72 33 b1 77 5b a2 ff 9f 4c 5b
         8b 59 27 6b 7f 22 7f 13 a9 76 24 5f 5d 96 09 13

      info (54 octets):  00 20 12 74 6c 73 31 33 20 65 20 65 78 70 20 6d
         61 73 74 65 72 20 08 ad 0f a0 5d 7c 72 33 b1 77 5b a2 ff 9f 4c
         5b 8b 59 27 6b 7f 22 7f 13 a9 76 24 5f 5d 96 09 13

      expanded (32 octets):  b2 02 68 66 61 09 37 d7 42 3e 5b e9 08 62
         cc f2 4c 0e 60 91 18 6d 34 f8 12 08 9f f5 be 2e f7 df

   {client}  derive write traffic keys for early application data:

      PRK (32 octets):  3f bb e6 a6 0d eb 66 c3 0a 32 79 5a ba 0e ff 7e
         aa 10 10 55 86 e7 be 5c 09 67 8d 63 b6 ca ab 62

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key expanded (16 octets):  92 02 05 a5 b7 bf 21 15 e6 fc 5c 29 42
         83 4f 54

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv expanded (12 octets):  6d 47 5f 09 93 c8 e5 64 61 0d b2 b9

   {client}  send application_data record:

      payload (6 octets):  41 42 43 44 45 46

      complete record (28 octets):  17 03 03 00 17 ab 1d f4 20 e7 5c 45
         7a 7c c5 d2 84 4f 76 d5 ae e4 b4 ed bf 04 9b e0

   {server}  extract secret "early" (same as client early secret)

   {server}  calculate PSK binder (same as client)

   {server}  create an ephemeral x25519 key pair:

      private key (32 octets):  de 5b 44 76 e7 b4 90 b2 65 2d 33 8a cb
         f2 94 80 66 f2 55 f9 44 0e 23 b9 8f c6 98 35 29 8d c1 07

      public key (32 octets):  12 17 61 ee 42 c3 33 e1 b9 e7 7b 60 dd 57
         c2 05 3c d9 45 12 ab 47 f1 15 e8 6e ff 50 94 2c ea 31

   {server}  derive secret "tls13 c e traffic" (same as client)

   {server}  derive secret "tls13 e exp master" (same as client)

   {server}  construct a ServerHello handshake message

      ServerHello (96 octets):  02 00 00 5c 03 03 3c cf d2 de c8 90 22
         27 63 47 2a e8 13 67 77 c9 d7 35 87 77 bb 66 e9 1e a5 12 24 95
         f5 59 ea 2d 00 13 01 00 00 34 00 29 00 02 00 00 00 33 00 24 00
         1d 00 20 12 17 61 ee 42 c3 33 e1 b9 e7 7b 60 dd 00 b8 00 b2 ff 09 9f 96 76 cd 57 c2 05 3c d9
         45 12 ab 47 f1 15 e8 6e ff
         8b 0b f8 82 5d 00 50 94 2c ea 31 00 2b 00 02 03 04

   {server}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  9b 21 88 e9 b2 fc 6d 64 d7 1d c3 29 90 0e 20 bb
         41 91 50 00 f6 78 aa 83 9c bb 79 05 a9 d2 8e fe ef 4a 47 c6 f9 b0
         6a 0c ec db 00 70 d9 20 b8 98 99 7c 75 b7 96 36 94 3e d4 20 46
         a9 61 d8 33 2c

      hash (32 octets):  e3 b0 c4 42 bd 08 4a 04 ac fa 0c 49 0f 45 2d 75 6d ea 02 c0 f9 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27
         25 9f 1f 32 31 ac ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 54 1a 74 6c 73 31 33 20 64 65 72 69 76 91 29 b7 40 ce 38 09 08 65 64
         20 e3 b0 c4 42 b8 28
         c2 7f d7 29 f5 97 37 ba 98 aa 7b 42 e0 43 c5 da 28 f8 dc a8 59
         0b 2d fc 1c 14 9a fb f4 10 d5 13 4f d6 c4 ca ca d8 b3 03 70 60 2a fa 35 d2 65
         bf 4d 12 79 76 bb 36 db da 6a 62 6f 02 70 e2 0e eb c7 3d c8 99 6f ca
         e2 b1 a0 da 12 2e e9 04 2f 76 be 56 eb f4 1a b9 24 27 ae 41 e4
         64 9b 93 4c a4 69 c3 95 99 1b 78 52 b8 55

      expanded (32 octets):  5f 17 90 bb d8 2c 5e 7d 37 6e d2 e1 e5 2f
         8e 60 38 c9 da
         91 97 34 6d b6 1b 43 be 9a 52 f7 7e f3 99 8e 80

   {server}  extract secret "handshake":

      salt (32 octets):  5f 17 90 bb d8 2c 5e 7d 37 6e d2 e1 e5 2f d3 8e 60
         38 c9 34 6d b6 1b 43 be 9a 52 f7 7e f3 99 32 00 21 20 3c e6 69 de de c4 4e 5e 8e 80

      IKM (32 octets):  f4 41 94 75 53 8f
         cc ab 3d b0 45 fb 5d 21 01 19 6f f9 ec 9d 25 18 06 35 d6 6e a6 82
         4c 6a b3 bf 17 99 e1 45 77 be 37 f7 23 57 0e 7c cb 2e

      secret (32 octets):  00 5c b1 12 ee 3a fd 8e b4 cc c6 23 bb 88 a0 7c 64
         b3 5f 2a f4 e9

   {client} ed e1 60 53 63 fc 7d 0d f8 c7 ce 4f f0 fb 4a e6

   {server}  derive secret "tls13 c e hs traffic":

      PRK (32 octets):  04 8b 40 aa 09 ff d4  00 5c b1 12 fd 8e b4 cc c6 76 9c 54 1a 2f 46 e2 84
         66 06 f7 23 bb 88 a0 7c 64 b3
         ed e1 60 53 63 fc 7d 0d 62 a6 15 97 77 29 c5 b2 81 f8 c7 e7 15 ce 4f f0 fb 4a e6

      hash (32 octets):  f7 36 cb 34 b6 f2 ae b0 97 8e 4d f4 3a a9 0f b0 c2 8c fe 25 e7 01 55 1b ee 6f d2 4c 1c c7
         10 2a 7d af 94 05 cb 15 d9 7a af e1 6f 75
         c2 f8 0a f8 e6 3a 5b 22 3b c4 a1 83 04 9b 89 b9 7d 03

      info (53 (54 octets):  00 20 11 12 74 6c 73 31 33 20 63 20 65 68 73 20 74 72
         61 66 66 69 63 20 f7 36 cb 34 b6 f2 ae b0 fe 25 e7 01 55 1b ee 6f d2 4c 1c
         c7 10 2a 7d af 94 05 cb 15 d9 7a af e1 6f 75 7d 03

      expanded (32 octets):  2f aa c0 8f 85 1d 35 fe a3 60 4f cb 4d e8
         2d c6 2c 9b 16 4a 70 97 8e 4d f4 3a a9 04 62 e2 7f 1a b2 78 70 0f b0 c2 8c 75
         c2 f8 0a

   {server}  derive secret "tls13 s hs traffic":

      PRK (32 octets):  00 5c b1 12 fd 8e b4 cc c6 23 bb 88 a0 7c 64 b3
         ed e1 60 53 63 fc 7d 0d f8 c7 ce 4f f0 fb 4a e6 3a 5b 22 3b c4 a1 83 04 9b 89 b9

      output

      hash (32 octets):  f7 36 cb 08 b7 85 96 5c 90 ca 74 0d 54 30 7f 9b bc
         69 88 34 fe 25 e7 eb 01 55 1b ee 6f d2 4c 1c c7
         10 2a 7d af 94 05 cb 15 d9 7a af e1 6f 75 7d 03 98 08 ed 93 da 96

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
         61 66 66 69 63 20 f7 36 47 cb 34 fe 25 e7 01 55 1b ee 6f d2 4c 1c
         c7 10 2a 7d af 94 05 cb 15 d9 7a af e1 6f 75 7d 03

      expanded (32 octets):  fe 92 7a e2 71 31 2e 8b f0 27 5b 58 1c 87

   {client} 54
         ee f0 20 45 0d c4 ec ff aa 05 a1 a3 5d 27 51 8e 78 03

   {server}  derive secret for master "tls13 e exp master": derived":

      PRK (32 octets):  04 8b 40 aa 09 ff d4  00 5c b1 12 fd 8e b4 cc c6 76 9c 54 1a 2f 46 e2 84
         66 06 f7 23 bb 88 a0 7c 64 b3
         ed e1 60 53 63 fc 7d 0d 62 a6 15 97 77 29 c5 b2 81 f8 c7 e7 15 ce 4f f0 fb 4a e6

      hash (32 octets):  34 b6 f2 ae b0 97 8e 4d f4 3a a9 0f  e3 b0 c2 8c 75
         c2 f8 0a f8 e6 3a 5b 22 3b c4 a1 83 04 9b 89 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (54 (49 octets):  00 20 12 0d 74 6c 73 31 33 20 65 20 65 78 70 20 6d
         61 73 74 64 65 72 69 76 65 64
         20 34 b6 f2 ae b0 97 8e 4d f4 3a a9 0f e3 b0 c2 8c
         75 c2 f8 0a f8 e6 3a 5b 22 3b c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      expanded (32 octets):  e2 f1 60 30 25 1d f0 87 4b a1 83 04 9b 89 b9

      output 9a ba 25
         76 10 bc 6d 53 1c 1d d2 06 df 0c a6 e8 4a e2 a2 67 42

   {server}  extract secret "master":

      salt (32 octets):  d9 dd b0 a3 b4 b9  e2 f1 60 30 25 1d f0 87 4b a1 9b 9a ba 25 76 10
         bc 6d 53 1c 1d d2 06 df 0c 6a 34 7e fb a6 e8 4a e2 a2 67 42

      IKM (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  e2 d3 2d 4e d6 6d d3 78 97 a0 e8 0c 84 10 75
         03 ce 58 bf 8a ad 4c b5 5a 50 02 e6 6b
         f1 d7 7e cb 89 0e ce

   {server}  send handshake record:

      payload (96 octets):  02 00 00 5c 03 03 3c cf d2 de c8 90 22 27 63
         47 2a e8 f7 13 67 77 c9 d7 35 87 77 bb 66 e9 1e a5 12 24 95 f5 59
         ea 2d 00 13 01 00 00 34 f0 e2 43 f2 b5 00 29 00 02 00 00 00 33 00 24 00 1d 00
         20 12 17 61 ee 42 c3 33 e1 b9 e7 7b 60 dd 57 c2 05 3c d9 45 12
         ab 47 f1 15 e8 6e ff 50 94 2c ea 31 00 2b 00 02 03 04

      complete record (101 octets):  16 03 03 00 60 02 00 00 5c 03 03 3c
         cf d2 de c8 90 22 27 63 47 2a e8 13 67 77 c9 d7 35 87 77 bb b2 a1 66 07 ac 18 b7

   {client}
         e9 1e a5 12 24 95 f5 59 ea 2d 00 13 01 00 00 34 00 29 00 02 00
         00 00 33 00 24 00 1d 00 20 12 17 61 ee 42 c3 33 e1 b9 e7 7b 60
         dd 57 c2 05 3c d9 45 12 ab 47 f1 15 e8 6e ff 50 94 2c ea 31 00
         2b 00 02 03 04

   {server}  derive write traffic keys for early application handshake data:

      PRK (32 octets):  cb 08 b7 85 96 5c 90 ca 74 0d 54 30 7f 9b bc 69
         88  fe e7 eb 92 7a e2 71 31 2e 8b f0 27 5b 58 1c 54 ee f0
         20 45 0d c4 ec ff aa 05 a1 a3 5d 27 51 8e 78 03 98 08 ed 93 da 96 36 47 d9 1c 87

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00
      key output expanded (16 octets):  e8 56 97  27 c6 bd c0 a3 12 b9 ba e5 f9 3c 30 dc ea 39 a4 73 26 d7 9b 2b ad
         c9 e4 85 ee

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output expanded (12 octets):  62  95 69 ec dd 4d 05 36 70 5e 9e f7 25

   {server}  construct a EncryptedExtensions handshake message

      EncryptedExtensions (44 octets):  08 00 00 28 00 26 00 0a 00 14 00
         12 30 34 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c c0 fb
         00 02 40 01 00 00 00 00 00 2a 00 00

   {server}  calculate finished "tls13 finished":

      PRK (32 octets):  fe db 55 f6 75

   {client} 92 7a e2 71 31 2e 8b f0 27 5b 58 1c 54 ee f0
         20 45 0d c4 ec ff aa 05 a1 a3 5d 27 51 8e 78 03

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      expanded (32 octets):  4b b7 4c ae 7a 5d c8 91 46 04 c0 bf be 2f
         0c 06 23 96 88 39 22 be c8 a1 5e 2a 9b 53 2a 5d 39 2c

      finished (32 octets):  48 d3 e0 e1 b3 d9 07 c6 ac ff 14 5e 16 09
         03 88 c7 7b 05 c0 50 b6 34 ab 1a 88 bb d0 dd 1a 34 b2

   {server}  construct a Finished handshake message

      Finished (36 octets):  14 00 00 20 48 d3 e0 e1 b3 d9 07 c6 ac ff
         14 5e 16 09 03 88 c7 7b 05 c0 50 b6 34 ab 1a 88 bb d0 dd 1a 34
         b2

   {server}  send application_data handshake record:

      payload (6 (80 octets):  41 42 43 44 45 46
      ciphertext (28  08 00 00 28 00 26 00 0a 00 14 00 12 00 1d 00
         17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 00 02 40 01
         00 00 00 00 00 2a 00 00 14 00 00 20 48 d3 e0 e1 b3 d9 07 c6 ac
         ff 14 5e 16 09 03 88 c7 7b 05 c0 50 b6 34 ab 1a 88 bb d0 dd 1a
         34 b2

      complete record (102 octets):  17 03 03 00 17 7c b2 38 bd c6 0b 71 2f b1
         40 ca 0f 9b 9b 61 dc 48 23 7b 4b 87 9f
         50 d0 d4 d2 62 ea 8b ef c9 ff 31 31 45 75 47 16 eb 40 dd c1 eb 95 7e 11 12

   {server}  extract secret "early" (same as client)

   {server}  calculate finished "tls13 finished" (same as client)

   {server}  create an ephemeral x25519 key pair:

      private key (32 octets):  34 68 86 bf 6e 8a 71
         49 a0 43 10 79 99 c8 5a e2 c2 d0 12 d3 7a 71 15 95 7e 64 ce 30 00 8b 9e 03 23 f2 c0 5a
         9c 1c 77 b4 f3 78 49 a6 95 ab 25 50 60 a3 3f ee 77 0c a9 5c b8
         48 e2 c1 ac a0 04 38 a6 87 df c9 bb 2c f1 17 cc cc fe

      public key (32 octets):  27 e0 06 8f 6e 6b fd 82 54 08 eb 88 c7 43 b8 70 24 86 5c a3 5c c4 1c 4e e8
         8d ba 83 e3 51 ed 5a 37 49 ae 94 50 5c fb d4 e7 89 28 64 dc b1 36
         9f 98 63 5b c7 a5

   {server}  derive secret "tls13 c e traffic" (same as client)

   {server}  derive secret "tls13 e exp master" (same as client)

   {server}  send a ServerHello handshake message

   {server}  derive secret for handshake "tls13 derived": ap traffic":

      PRK (32 octets):  04 8b 40 aa 09 ff d4 c6 76 9c 54 1a 2f 46  e2 84
         66 06 f7 0d 62 a6 15 d3 2d 4e d6 6d d3 78 97 77 29 c5 b2 81 c7 e7 15 a0 e8 0c 84 10 75 03
         ce 58 bf 8a ad 4c b5 5a 50 02 d7 7e cb 89 0e ce

      hash (32 octets):  e3  b0 ae ff c4 42 98 fc 1c 14 9a fb f4 c8 99 6a 2c fe 33 11 4e 6f b9 24
         27 ae 41 e4 64 9b d7 d5 1f 9f 04
         b1 ca 3c 49 7d ab 08 93 4c a4 95 99 1b 78 52 b8 55 4a 77 4a 9d 9a d7 db f3

      info (49 (54 octets):  00 20 0d 12 74 6c 73 31 33 20 64 65 63 20 61 70 20 74 72
         61 66 66 69 76 65 64 63 20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  9e fc 79 87 0b 08 ff c4 c6 51 20 52 50 af 9b 83
         04 79 6a 2c fe 33 11 b7 83 d5 4e 6f d7 67 8d 7c cc e7 18 18 9e a2 ec

   {server}  extract secret "handshake":

      salt (32 octets):  9e fc 79 87 0b 08 c4 c6 51 20 52 50 af 9b 83 04
         79 11 b7 83 d5 d7 67 8d 7c cc e7 18 18 9e a2 ec

      IKM (32 octets):  b0 66 a1 5b c1 aa ee f8 79 0e 0b 02 e6 2f 82 dc
         44 64 46 e3 7d 6d 61 22 b0 d3 b9 94 ef 11 dd 1f 9f
         04 b1 ca 3c

      secret 49 7d ab 08 93 4a 77 4a 9d 9a d7 db f3

      expanded (32 octets):  ea d8  2a bb f2 b8 c5 9a 15 df 29 d7 9f a4 ac 31 d5 f7
         c9 0e 2e 5c 87 d9 ea fe e3 81 d2 3d be be 1d d2 a7 d1 fe 69 16 cf 2f 29 37 34
         6a 8b f4 84 cb 49 50 d2 3f b7 fb 7f a8 54 70 62 d9 a1

   {server}  derive secret "tls13 c hs s ap traffic":

      PRK (32 octets):  ea d8 b8 c5 9a 15 df 29 d7 9f a4 ac 31 d5 f7 c9
         0e 2e 5c 87 d9 ea fe d1 fe 69 16 cf 2f 29 37 34  e2 d3 2d 4e d6 6d d3 78 97 a0 e8 0c 84 10 75 03
         ce 58 bf 8a ad 4c b5 5a 50 02 d7 7e cb 89 0e ce

      hash (32 octets):  57 f0  b0 ae 2e 58 8f c2 e6 e9 a1 eb d1 a6 1e 58 f9
         0c 8b 8d a1 fc 38 f0 cc 9e 9f ff c4 6a 2c fe 33 d2 21 bb 11 4e 6f d7 d5 1f 9f 04
         b1 ca 92 3c 49 7d ab 08 93 4a 77 4a 9d 9a d7 db f3

      info (54 octets):  00 20 12 74 6c 73 31 33 20 63 20 68 73 20 61 70 20 74 72
         61 66 66 69 63 20 57 f0 b0 ae 2e 58 8f c2 e6 e9 a1 eb d1 a6 1e 58
         f9 0c 8b 8d a1 fc 38 f0 cc 9e 9f ff c4 6a 2c fe 33 d2 21 bb 11 4e 6f d7 d5 1f 9f
         04 b1 ca 92

      output 3c 49 7d ab 08 93 4a 77 4a 9d 9a d7 db f3

      expanded (32 octets):  1f  cc 21 f1 bf 8f eb 7d d5 fa 50 5b d9 c4 90 4b fb a8 99 0c 23 53 45 e7 a7 6c fc
         78 81 a2 40 af 54 10 78 44 ce c0 51 b4 06 5b f4 c2
         68 a9 98 4d 55 4a 99 3d c4 9e 6d 28 55 98 fb 67 26 91

   {server}  derive secret "tls13 s hs traffic": exp master":

      PRK (32 octets):  ea d8 b8 c5 9a 15 df 29  e2 d3 2d 4e d6 6d d3 78 97 a0 e8 0c 84 10 75 03
         ce 58 bf 8a ad 4c b5 5a 50 02 d7 9f a4 ac 31 d5 f7 c9 7e cb 89 0e 2e 5c 87 d9 ea fe d1 fe 69 16 cf 2f 29 37 34 ce

      hash (32 octets):  57 f0  b0 ae 2e 58 8f c2 e6 e9 a1 eb d1 a6 1e 58 f9
         0c 8b 8d a1 fc 38 f0 cc 9e 9f ff c4 6a 2c fe 33 d2 21 bb 11 4e 6f d7 d5 1f 9f 04
         b1 ca 92 3c 49 7d ab 08 93 4a 77 4a 9d 9a d7 db f3

      info (54 (52 octets):  00 20 12 10 74 6c 73 31 33 20 73 65 78 70 20 68 6d 61 73 20
         74 65 72
         61 66 66 69 63 20 57 f0 b0 ae 2e ff c4 6a 2c fe 33 11 4e 6f d7 d5 1f 9f 04 b1
         ca 3c 49 7d ab 08 93 4a 77 4a 9d 9a d7 db f3

      expanded (32 octets):  3f d9 3d 4f fd dc 98 e6 4b 14 dd 10 7a ed
         f8 ee 4a dd 23 f4 51 0f 58 a4 59 2d 0b 20 1b ee 56 b4

   {server}  derive write traffic keys for application data:

      PRK (32 octets):  cc 21 f1 bf 8f c2 e6 e9 a1 eb d1 a6 1e 58 7d d5 fa 50 5b d9 c4 b4 68 a9
         98 4d 55 4a 99 3d c4 9e 6d 28 55 98 fb 67 26 91

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key expanded (16 octets):  e8 57 c6 90 a3 4c 5a 91 29 d8 33 61 96
         84 f9 5e

      iv info (12 octets):  00 0c 8b 8d a1 fc 38 f0 cc 9e 9f 08 74 6c 73 31 33 d2 21 bb ca 92

      output (32 20 69 76 00

      iv expanded (12 octets):  9f a7 18 12 f7 2e 9b cc b4 2b 4b  06 18 95 39
         88 3d d5 8f 98 38 78 85 d6 b5 61 aa b9 ef 87 29 12 3b 63 ff 18 fb 06 10 13 fa f9

   {server}  derive read traffic keys for early application data (same
      as client early application data write traffic keys)

   {client}  derive secret for master handshake "tls13 derived":

      PRK (32 octets):  ea d8 b8 c5 9a 15 df 29  9b 21 88 e9 b2 fc 6d 64 d7 9f a4 ac 31 d5 f7 c9
         0e 2e 5c 87 d9 ea fe d1 fe 69 16 cf 2f 1d c3 29 37 34 90 0e 20 bb
         41 91 50 00 f6 78 aa 83 9c bb 79 7c b7 d8 33 2c

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      expanded (32 octets):  5f 17 90 bb d8 2c 5e 7d 37 6e d2 e1 e5 2f
         8e 60 38 c9 34 6d b6 1b 43 be 9a 52 f7 7e f3 99 8e 80

   {client}  extract secret "handshake" (same as server handshake
      secret)

   {client}  derive secret "tls13 c hs traffic" (same as server)

   {client}  derive secret "tls13 s hs traffic" (same as server)

   {client}  derive secret for master "tls13 derived" (same as server)

   {client}  extract secret "master" (same as server master secret)

   {client}  derive read traffic keys for handshake data (same as server
      handshake data write traffic keys)

   {client}  calculate finished "tls13 finished" (same as server)
   {client}  derive secret "tls13 c ap traffic" (same as server)

   {client}  derive secret "tls13 s ap traffic" (same as server)

   {client}  derive secret "tls13 exp master" (same as server)

   {client}  construct a EndOfEarlyData handshake message

      EndOfEarlyData (4 octets):  05 00 00 00

   {client}  send handshake record:

      payload (4 octets):  05 00 00 00

      complete record (26 octets):  17 03 03 00 15 ac a6 fc 94 48 41 29
         8d f9 95 93 72 5f 9b f9 75 44 29 b1 2f 09

   {client}  derive write traffic keys for handshake data:

      PRK (32 octets):  2f aa c0 8f 85 1d 35 fe a3 60 4f cb 4d e8 2d c6
         2c 9b 16 4a 70 97 4d 04 62 e2 7f 1a b2 78 70 0f

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key expanded (16 octets):  b1 53 08 06 f4 ad fe ac 83 f1 41 30 32
         bb fa 82

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv expanded (12 octets):  eb 50 c1 6b e7 65 4a bf 99 dd 06 d9

   {client}  derive read traffic keys for application data (same as
      server application data write traffic keys)

   {client}  calculate finished "tls13 finished":

      PRK (32 octets):  2f aa c0 8f 85 1d 35 fe a3 60 4f cb 4d e8 2d c6
         2c 9b 16 4a 70 97 4d 04 62 e2 7f 1a b2 78 70 0f

      hash (0 octets):  (empty)

      info (49 (18 octets):  00 20 0d 0e 74 6c 73 31 33 20 64 65 72 66 69 76 6e 69 73 68 65
         64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output 00

      expanded (32 octets):  d0 83  5a ce 39 4c 26 98 0d 58 12 43 f6 27 d1 15
         0a e2 7e 37 fa 52 8c fc 36 56 8e 69 05 c2 4b f7 3a df
         9f 4e 0a 7f 20 ac a9 90 e3 57 0d e0 35 5f f4 35 f9 53 68 6d 09 b1 26

   {server}  extract secret "master":

      salt cd 0e 8e

      finished (32 octets):  d0 83  72 30 a9 c9 52 8c fc 36 56 8e 69 05 c2 4b f7 3a df 9f
         ac a9 90 e3 57 0d e0 35 5f f4 5c d6 13 8f c5 e6 62 83
         08 c4 1c 53 35 dd 81 b9 f9 53 09 b1 26

      IKM (32 6b ce a5 0f d3 2b da 41 6d

   {client}  construct a Finished handshake message

      Finished (36 octets):  14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  8d f1 2b 80 e8 2e f5 9b da 63 dc 17 f1 3b 4f
         a6 b8 05 5a 97 dd 2a 5a e4 57 5e 20 72 30 a9 c9 52 c2 5c d6 13 8f
         c5 e6 62 83 08 b2 7b be 29

   {server} c4 1c 53 35 dd 81 b9 f9 6b ce a5 0f d3 2b da 41
         6d

   {client}  send handshake record:

      payload (96 (36 octets):  02  14 00 00 20 72 30 a9 c9 52 c2 5c 03 03 22 ac 26 b0 26 b9 d5 71 70
         2d ad 44 7e 2d 5a 54 d1 5a e1 e0 6f af 78 35 8a 3e 17 7b e8 3a
         ce 94 00 d6 13 01 00 00 34 00 29 00 02 00 00 00 33 00 24 00 1d 00
         20 27 e0 06 8f 6e fd 82 54 08 eb 88 c7 4e e8 8d ba c5
         e6 62 83 e3 51 ed
         5a 37 49 ae 94 50 5c fb d4 e7 89 28 00 08 c4 1c 53 35 dd 81 b9 f9 6b ce a5 0f d3 2b 00 02 03 04

      ciphertext (101 da 41 6d

      complete record (58 octets):  16  17 03 03 00 60 02 00 00 5c 03 03 22 ac
         26 b0 26 b9 d5 71 70 2d ad 44 7e 2d 5a 54 d1 5a e1 e0 6f af 78 35 8a 3e 17 7b e8 3a ce 94 00 13 01 00 00 34 00 29 00 02 00 00
         00 33 00 24 00 1d 00 20 27 f8 b4 67 d1 4c f2
         2a 4b 3f 0b 6a e0 06 8f 6e fd 82 54 08 eb 88 c7 4e
         e8 d8 e6 cc 8d ba 83 e3 51 ed 5a 37 49 ae 94 50 08 e0 db 35 15 ef 5c fb d4 e7 89 28 00 2b df 19 22
         ea fb b7 00 02 03 04

   {server} 09 96 47 16 d8 34 fb 70 c3 d2 a5 6c 5b 1f 5f 6b db
         a6 c3 33 cf

   {client}  derive write traffic keys for handshake application data:

      PRK (32 octets):  9f a7 18 12 f7 2e 9b cc b4 2b 4b 06 18 95 39 88  2a bb f2 b8 e3 81 d2 3d d5 8f 98 38 78 ef 87 29 12 3b 63 ff 18 be be 1d d2 a7 d1 6a 8b
         f4 84 cb 49 50 d2 3f b7 fb 06 7f a8 54 70 62 d9 a1

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output expanded (16 octets):  ae 83 82 f6 52 62 a0 36  3c f1 22 f3 01 c6 35 8c a7 98 95 53 25
         0e b6 8f fb 45 15
         52 6c fd 72

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output expanded (12 octets):  5b 5d 18 b7 ee c7 ed 46 c3 0f c1 3a

   {server}  send a EncryptedExtensions handshake message

   {server}  calculate finished "tls13 finished":

      PRK (32 octets):  9f a7 18 12 f7 2e 9b cc b4 2b 4b 06 18 95 39 88
         3d d5 8f 98 38 78 ef 87 29 12 3b 63 ff 18 fb 06

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets):  4d 48 4e ab 01 74 3f 01 91 fd 0d c5 10 42 26
         64 f8 67 b6 04 68 8b 5a 2f 47 12 9c 75 a0 c1 a3 63

   {server}  send a Finished handshake message

   {server}  send handshake record:

      payload (80 octets):  08 00 00 28 00 26 00 0a 00 14 00 12 00 1d 00
         17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 00 02 40 01
         00 00 00 00 00 2a 00 00 14 00 00 20 ef 49 51 b0 98 8b 89 1a 6b
         9d 71 3b f2 25 a6 7a 7b 37 c2 8e  ab bd 52 30 74 bc 01 aa c3 62
         f8 e2

      ciphertext (102 octets):  17 03 03 00 61 44 c1 e3 83 6b a6 a7 ba
         0d ed 9d 4c f8 17 f3 29 79 d8 5c 8b 41 da 53 b2 09 55 80 3d 9e
         a2 e3 42 ef 1a ff d6 6a 02 87 85 e2 19 6a d6 a0 db dd 27 44 3d
         36 87 ec 26 53 c1 96 8b 0f 9c 01 bd cf de 83 cf c1 aa 78 b8 43 b7 81 90
         ab ad 0d c3 ea 30 d1 be 40 e3 ce c8 96 19 88 ce f4 95 8f d1 6b
         7f 1f 9e 47 41

   {server} fc 11 76 b9 ac

   {client}  derive secret "tls13 c ap traffic": res master":

      PRK (32 octets):  8d f1 2b 80 e8 2e f5 9b da 63 dc 17 f1 3b 4f a6
         b8 05 5a  e2 d3 2d 4e d6 6d d3 78 97 dd 2a 5a e4 57 5e c9 08 b2 7b be 29 a0 e8 0c 84 10 75 03
         ce 58 bf 8a ad 4c b5 5a 50 02 d7 7e cb 89 0e ce

      hash (32 octets):  d9 66 db 0c cf  c3 c1 22 e0 bd 43 bc 19 68 47 fe 1a 60 90 7a 4a 3f cd
         93 78 65 68 9c a8 76 03 6f 28 ea 20 60 a7 77 f6 11 2d 8f d5 3d bf
         89 c7 73 d9 55 2e 8b 6b 9d 56 d3 61 b3 a9 7b f6

      info (54 (52 octets):  00 20 12 10 74 6c 73 31 33 20 63 72 65 73 20 6d 61 70 20 73
         74 65 72
         61 66 66 69 63 20 d9 66 db 0c cf c3 c1 22 e0 bd 43 bc 19 68 47 fe 1a 60 90 7a 4a 3f
         cd 93 78 65 68 9c a8 76 03 6f 28 ea 20 60 a7 77 f6 11 2d 8f d5 3d bf 89
         c7 73 d9 55

      output 2e 8b 6b 9d 56 d3 61 b3 a9 7b f6

      expanded (32 octets):  a8 ff a2 6f  5e 95 bd f1 f8 90 05 ea 2e 9a a0 ba 85 e7
         28 e3 c1 9c 5f e0 c9 d1 49 3c 3d 3c 3b 32 bc a1
         80 c6 99 e3 f5 9b ba be 25 96 df f8 b2 b0 a1 46 74 0f 8b 00 e5 9f ae bd 0b 54 06

   {server}  derive read traffic keys for handshake data (same as client
      handshake data write traffic keys)

   {server}  calculate finished "tls13 finished" (same as client)

   {server}  derive read traffic keys for application data (same as
      client application data write traffic keys)

   {server}  derive secret "tls13 s ap traffic":

      PRK (32 res master" (same as client)

   {client}  send application_data record:

      payload (50 octets):  8d f1 2b 80 e8 2e f5 9b da 63 dc 17 f1 3b 4f a6
         b8  00 01 02 03 04 05 5a 97 dd 2a 5a e4 57 5e c9 06 07 08 b2 7b be 29

      hash (32 octets):  d9 66 db 09 0a 0b 0c cf bd 43 bc 0d 0e
         0f 10 11 12 13 14 15 16 17 18 19 68 47 fe 1a 60 3f cd
         93 78 65 68 9c a8 76 03 6f 28 ea 1b 1c 1d 1e 1f 20 60 a7 77 55

      info (54 21 22 23
         24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31

      complete record (72 octets):  17 03 03 00 43 b1 ce bc e2 42 aa 20 12 74 6c 73 31
         1b e9 ae 5e 1c b2 a9 aa 4b 33 20 73 20 61 70 20 74 72
         61 66 66 69 63 20 d9 d4 e8 66 af 1e db 0c cf bd 43 bc 06 89 19 68 47 fe 1a 60 3f
         cd 93 78 65 68 9c a8 76 23 77
         41 aa 03 6f 28 ea 1d 7a 74 d4 91 c9 9b 9d 4e 23 2b 74 20 60 a7 77 55

      output (32 octets):  51 a3 db 37 0b d9 f1 ae 7d e1 88 85 09 6b cb c6 1f ea 9b ce 6c cb c2 a2 76 76 4f 62 26 5a 70 9f

   {server}  derive secret "tls13 exp master":

      PRK (32 fb aa 04
         fe 78 be 44 a9 b4 f5 43 20 a1 7e b7 69 92 af ac 31 03

   {server}  send application_data record:

      payload (50 octets):  8d f1 2b 80 e8 2e f5 9b da 63 dc 17 f1 3b 4f a6
         b8  00 01 02 03 04 05 5a 97 dd 2a 5a e4 57 5e c9 06 07 08 b2 7b be 29

      hash (32 octets):  d9 66 db 09 0a 0b 0c cf bd 43 bc 0d 0e
         0f 10 11 12 13 14 15 16 17 18 19 68 47 fe 1a 60 3f cd
         93 78 65 68 9c a8 76 03 6f 28 ea 1b 1c 1d 1e 1f 20 60 a7 77 55

      info (52 21 22 23
         24 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31

      complete record (72 octets):  17 03 03 00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73
         74 65 72 20 d9 66 db 0c cf bd 43 27 5e 9f 20 ac ff 57
         bc 19 68 47 fe 1a 60 3f cd 93 00 06 57 d3 86 7d f0 39 cc cf 79 04 78 65 68 9c a8 76 03 6f 28 ea 20 60 a7 84 cf 75 77 55

      output (32 octets):  a1 13 c3 cd ff 17 46 f7
         40 b5 f6 5d 28 21 54 d1 a8 3f 46 2a 09 93 54
         90 a0 e3 c3 58 13 93 a2 03 a2 5a 7d bd c9 e9 ca 30 8d 36 21 e4 15 e9 7a fd

   {server}  derive write traffic keys for application data:

      PRK (32 octets):  51 a3 db d1 41 41 ef
         1a 37 0b d9 f1 ae 7d 90 0c db 62 ff 62 de e1 88 85 09 6b cb c6
         1f ea 9b ce 6c ba 39 ab 25 90 cb c2 a2 76 76 4f 62 26 5a 70 9f

      key info (13 f1 94

   {client}  send alert record:

      payload (2 octets):  01 00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  27 c1 35 48 44 71 94 18 ec 91 eb 0b 14 f6
         75 3a

      iv info (12

      complete record (24 octets):  17 03 03 00 0c 08 74 6c 73 31 33 20 13 0f ac ce 32 46 bd fc
         63 69 76 00

      iv output (12 octets):  ee b3 48 83 53 db a7 3d 3a fa cd 9e 8d 6a 82 ae 6d e5 d4 22 dc

   {server}  derive read traffic keys for early application data (same
      as  send alert record:

      payload (2 octets):  01 00

      complete record (24 octets):  17 03 03 00 13 5b 18 af 44 4e 8e 1e
         ec 71 58 fb 62 d8 f2 57 7d 37 ba 5d

5.  HelloRetryRequest

   In this example, the client write traffic keys)

   {client}  derive secret for initiates a handshake "tls13 derived":

      PRK with an X25519
   [RFC7748] share.  The server however prefers P-256 [FIPS186] and
   sends a HelloRetryRequest that requires the client to generate a key
   share on the P-256 curve.

   Note:  The HelloRetryRequest uses the same handshake message type as
      a ServerHello and so is labeled as ServerHello here.

   {client}  create an ephemeral x25519 key pair:

      private key (32 octets):  04 8b 40 aa 09 ff d4 c6 76 9c 54 1a  0e d0 2f 46 e2 84
         66 06 f7 0d 62 a6 15 97 77 29 c5 b2 8e 81 17 ef c7 e7 15

      hash 5c a7 ac 32 aa
         7e 34 ed a6 4c dc 0d da d1 54 a5 e8 52 89 f9 59 f6 32 04

      public key (32 octets):  e8 e8 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f f3 b9 24 3a 25 ed 97 a1 4a 7d ca cb
         8a 27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 2c 62 88 e5 85 c6 48 4d 05 26 2f ca d0 62 ad 1f

   {client}  construct a ClientHello handshake message

      ClientHello (180 octets):  01 00 20 0d 74 6c 00 b0 03 03 b0 b1 c5 a5 aa 37 c5
         91 9f 2e d1 d5 c6 ff f7 fc b7 84 97 16 94 5a 2b 8c ee 92 58 a3
         46 67 7b 6f 00 00 06 13 01 13 03 13 02 01 00 00 81 00 00 00 0b
         00 09 00 00 06 73 31 33 20 64 65 72 69 76 65 64 72 ff 01 00 01 00 00 0a 00 08 00
         06 00 1d 00 17 00 18 00 33 00 26 00 24 00 1d 00 20 e8 e8 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f f3
         b9 24 3a 25 ed 97 a1 4a 7d ca cb 8a 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 octets):  9e fc 79 87 0b 08 c4 2c 62 88 e5 85 c6 51 20 52 50 af 9b 83 48 4d 05
         26 2f ca d0 62 ad 1f 00 2b 00 03 02 03 04 79 11 b7 83 d5 d7 67 8d 7c cc e7 18 18 9e a2 ec

   {client}  extract secret "handshake":

      salt (32 octets):  9e fc 79 87 0b 08 c4 c6 51 00 0d 00 20 52 50 af 9b 83 00 1e 04
         79 11 b7 83 d5 d7 67 8d 7c cc e7 18 18 9e a2 ec

      IKM (32 octets):  b0 66 a1 5b c1 aa ee f8 79 0e 0b
         03 05 03 06 03 02 e6 2f 82 dc
         44 64 46 e3 7d 6d 61 22 b0 d3 b9 94 ef 11 dd 3c

      secret (32 octets):  ea d8 b8 c5 9a 15 df 29 d7 9f a4 ac 31 d5 f7
         c9 0e 2e 5c 87 d9 ea fe d1 fe 69 16 cf 2f 29 37 34

   {client}  derive secret "tls13 c hs traffic" (same as server)

   {client}  derive secret "tls13 s hs traffic" (same as server)

   {client}  derive secret for master "tls13 derived" (same as server)

   {client}  extract secret "master" (same as server)

   {client}  derive read traffic keys for handshake data:

      PRK (32 octets):  9f a7 18 12 f7 2e 9b cc b4 2b 4b 03 08 04 08 05 08 06 18 95 39 88
         3d d5 8f 98 38 78 ef 87 29 12 3b 63 ff 18 fb 04 01 05 01 06 01 02 01
         04 02 05 02 06

      key info (13 octets): 02 02 02 00 10 09 74 6c 73 31 33 20 6b 65 79 2d 00

      key output (16 octets):  ae 83 82 f6 52 62 a0 36 0e b6 8f fb 45 15
         52 6c

      iv info (12 octets): 02 01 01 00 0c 08 74 6c 73 31 33 20 69 76 1c 00

      iv output (12 octets):  5b 5d 18 b7 ee c7 ed 46 c3 0f c1 3a

   {client}  calculate finished "tls13 finished" (same as server)

   {client}  derive secret "tls13 c ap traffic" (same as server)

   {client}  derive secret "tls13 s ap traffic" (same as server)

   {client}  derive secret "tls13 exp master" (same as server)

   {client}  send a EndOfEarlyData handshake message 02 40 01

   {client}  send handshake record:

      payload (4 (180 octets):  05 00  01 00 00

      ciphertext (26 octets):  17 b0 03 03 00 15 77 bf ce 7f c1 b0 b1 c5 a5 aa 37 c5 91 0c fa e9
         65 7a 05 f3 15 9c de f8 68 5a 30 cb

   {client}  derive write traffic keys for handshake data:

      PRK (32 octets):  1f c4 90 4b fb a8 99 0c 23 53 45 e7 a7 6c
         9f 2e d1 d5 c6 ff f7 fc 78
         81 a2 40 af 54 10 78 44 ce c0 51 b4 b7 84 97 16 94 5a 2b 8c ee 92 58 a3 46
         67 7b 6f 00 00 06 5b f4 c2

      key info (13 octets): 13 01 13 03 13 02 01 00 00 81 00 00 00 0b 00 10
         09 74 6c 00 00 06 73 31 33 20 6b 65 79 72 76 65 72 ff 01 00

      key output (16 octets):  e7 d4 94 88 a4 5c 1f 1d b4 ab 7d 7f e5 46
         c9 fa

      iv info (12 octets): 01 00 00 0a 00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  a2 d1 32 5b eb 51 1a 7b 4a 20 c1 0c

   {client}  derive read traffic keys for application data (same as
      server write traffic keys)

   {client}  calculate finished "tls13 finished":

      PRK (32 octets):  1f c4 90 4b fb a8 99 0c 23 53 45 e7 a7 6c fc 78
         81 a2 40 af 54 10 78 44 ce c0 51 b4 06 5b f4 c2

      hash (0 octets):  (empty)

      info (18 octets):
         00 20 0e 74 6c 73 31 1d 00 17 00 18 00 33 20 66 69 6e 69 73 68 65
         64 00

      output (32 octets):  b5 26 00 24 00 1d 00 20 e8 e8 e3 f3 b9
         3a 25 ed 97 08 27 aa 42 a8 db ab 2b da 4c d7 67 89
         5a e6 9a a1 dc f1 b3 d9 78 a0 55 4a 7d ca cb 8a 27 2c 62 88 e5 85 c6 48 4d 05 26
         2f ca d0 79 80 74 50 11

   {client}  send a Finished handshake message

   {client}  send handshake record:

      payload (36 octets):  14 62 ad 1f 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03
         05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04
         02 05 02 06 02 02 02 00 2d 00 20 e1 75 18 96 9c 9f 46 dc 62 94 55
         ae cf e2 36 db a5 48 77 fc 3d a0 7a d5 9d 13 45 77 fd 51 6e 18

      ciphertext (58 02 01 01 00 1c 00 02 40 01

      complete record (185 octets):  17 03  16 03 01 00 b4 01 00 00 35 d0 af c0 f5 b5 5b 5c 88 3c
         cf 4a 46 1f 7a a1 28 47 17 89 eb 7c e4 1b b6 f0 cd 67 a9 64 16
         da 6c 19 ea b0 26 03 03 b0 1d f6 89 18
         b1 c5 a5 aa 37 c5 91 9f 2e d1 d5 c6 ff f7 fc b7 84 97 16 94 5a
         2b 8c ee 92 58 81 a3 46 1f 38 2f 7a 7d 63 da
         fa 39

   {client}  derive write traffic keys for application data:

      PRK (32 octets):  a8 ff a2 67 7b 6f e0 c9 d1 49 3c 3d 3c 3b 32 bc a1 80
         f5 9b ba be 25 96 df f8 b2 b0 a1 46 74 0f 8b 00

      key info (13 octets): 00 10 06 13 01 13 03 13 02 01 00
         00 81 00 00 00 0b 00 09 74 6c 00 00 06 73 31 33 20 6b 65 79 00

      key output (16 octets):  29 ca d2 48 96 e7 df 25 72 76 65 72 ff e0 6f cd 6c 03
         69 09

      iv info (12 octets): 01 00 01
         00 00 0a 00 0c 08 74 6c 73 31 00 06 00 1d 00 17 00 18 00 33 20 69 76 00

      iv output (12 octets):  dc 81 fc 39 54 43 9c 26 00 24 00 1d
         00 20 e8 e8 e3 f3 b9 3a 25 ed 97 a1 4a 7d ca e1 63 96 70

   {client}  derive secret "tls13 res master":

      PRK (32 octets):  8d f1 cb 8a 27 2c 62 88
         e5 85 c6 48 4d 05 26 2f ca d0 62 ad 1f 00 2b 80 e8 2e f5 9b da 63 dc 17 f1 3b 4f a6
         b8 00 03 02 03 04 00
         0d 00 20 00 1e 04 03 05 5a 97 dd 2a 5a e4 57 5e c9 03 06 03 02 03 08 04 08 b2 7b be 29

      hash (32 octets):  a7 87 12 0b d8 96 6c d7 5a 05 ce 0b 9c 5b 26 da
         b9 6b 91 9d c3 61 a3 9e 5f d1 0a 3e 08 06 04 01
         05 18 48 e4

      info (52 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00
         1c 00 02 40 01

   {server}  construct a ServerHello handshake message

      ServerHello (176 octets):  02 00 20 10 00 ac 03 03 cf 21 ad 74 6c 73 31 33 20 72 65 73 20 6d e5 9a 61 73
         74
         11 be 1d 8c 02 1e 65 72 20 a7 87 12 0b d8 96 6c d7 5a 05 ce 0b 9c 5b 26 da b9
         6b b8 91 9d c2 a2 11 16 7a bb 8c 5e 07 9e 09 e2
         c8 a8 33 9c 00 13 01 00 00 84 00 33 00 02 00 17 00 2c 00 74 00
         72 71 dc d0 4b b8 8b c3 61 a3 9e 5f d1 0a 3e 05 18 48 e4

      output (32 octets): 91 19 39 8a 00 00 00 00 ee fa fc 76
         c1 46 b8 23 b0 72 82 ae 96 f8 aa ca d3 65 dd 00 30 95 3f 4e df 62 56 36
         e5 f2 1b b2 e2 3f cc 65 4b 1b 5b 40 31 8d 10 c3 d1 37 ab cb b8 75
         74 e3 83 6e 8a 1f 02 f4 18 a7 fa 5f 7d fa
         9e 44 11 34 69 ae ba 27 1a 5d 6e 50 78 1b 5e da 4a a1 b6 61 ce 41 52 1c ca

   {server}  derive read traffic keys for handshake data:

      PRK (32 octets):  1f c4 90 4b fb a8 99 5b 0c 23 53 45 8b
         e7 a7 6c fc 78
         81 a2 40 af 54 10 78 44 ce c0 51 b4 06 5b f4 c2

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets): 25 7d 16 aa 30 30 e9 e7 d4 94 88 a4 5c 1f 84 1d b4 ab 7d 7f e5 46
         c9 fa

      iv info (12 octets):  00 d9 e4 c0 34 22 67 e8 ca 0c 08 74 6c 73 31 33 20 69 76
         af 57 1f b2 b7 cf f0 f9 34 b0 00

      iv output (12 octets):  a2 d1 32 5b eb 51 1a 7b 4a 20 c1 0c

   {server}  calculate finished "tls13 finished" (same as client)

   {server}  derive read traffic keys for application data (same as
      client write traffic keys) 2b 00 02 03 04

   {server}  derive secret "tls13 res master" (same as client)
   {client}  send application_data handshake record:

      payload (50 (176 octets):  00 01  02 00 00 ac 03 04 05 06 03 cf 21 ad 74 e5 9a 61 11
         be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 08 9e 09 0a 0b 0c 0d 0e
         0f 10 11 12 e2 c8
         a8 33 9c 00 13 14 15 16 01 00 00 84 00 33 00 02 00 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23
         24 25 26 27 28 29 2a 2b 00 2c 2d 2e 2f 30 31

      ciphertext (72 octets):  17 03 03 00 43 c4 83 d1 89 af 82 8c ee 40
         4d cb 5a 16 64 93 50 2e d9 d0 c9 18 e7 0f d8 25 0c 5f b2 13 44
         79 6d 3a 74 00 72 bb 0a
         71 dc d0 4b 5c 59 03 c2 a7 05 6b 82 b8 8b c3 18 91 19 39 8a 00 00 00 00 ee fa fc 17 37 7f 72 e7
         b4 6a 26 a6 97 5b 7e e3 b9 0b 2a 76 c1
         46 b8 23 b0 96 f8 aa ca d3 65 d4 0c 3c

   {server}  send application_data record:

      payload (50 octets): dd 00 01 30 95 3f 4e df 62 56 36 e5
         f2 1b b2 e2 3f cc 65 4b 1b 5b 40 31 8d 10 d1 37 ab cb b8 75 74
         e3 6e 8a 1f 02 03 04 05 06 07 08 09 0a 0b 5f 7d fa 5d 6e 50 78 1b 5e da 4a a1 5b 0c 0d 0e
         0f 10 11 12 13 14 15 8b e7
         78 25 7d 16 17 18 19 1a 1b 1c aa 30 30 e9 e7 84 1d 1e 1f 20 21 d9 e4 c0 34 22 23
         24 25 26 27 28 29 2a 67 e8 ca 0c af
         57 1f b2 b7 cf f0 f9 34 b0 00 2b 2c 2d 2e 2f 30 31

      ciphertext (72 00 02 03 04

      complete record (181 octets):  17  16 03 03 00 43 35 da 03 f1 bd 93 b0 02 00 00 ac 09 82
         d8 8e 1a 9f 6e 0e 86 81 c1 a3 4c 6e 95 ee 03 03 cf ba 10 54 c5
         21 ad 74 e5 9a 61 11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb
         8c 5e 07 9e 09 e2 c8 a8 33 9c 00 e8 7f 2b 78 ab 1f 13 01 00 00 84 00 33 00 02 00
         17 00 2c 00 74 00 72 71 dc d0 4b b8 8b c3 18 91 19 39 8a 00 00
         00 00 ee fa fc 76 c1 46 b8 23 b0 96 f8 aa ca d3 65 dd 00 30 95
         3f 4e df 62 56 36 e5 a4 f2 1b b2 e2 3f 39 a5 8e e8 cc 65 4b 1b 5b 40 bf 97 f5 c9 31 8d 10
         d1 37 ab cb b8 75 74 e3 6e 8a 1f 97
         3a ce 02 5f 7d fa 5d 6e 50 78 eb 92 f8 27 91 2f 42 31 6d 1b 5e
         da 4a a1 7b 5b 0c 8b e7 78 25 7d 16 aa 30 30 e9 e7 84 1d d9 e4 c0
         34 22 b9

   {client}  send alert record:

      payload (2 octets):  01 00

      ciphertext (24 octets):  17 03 03 67 e8 ca 0c af 57 1f b2 b7 cf f0 f9 34 b0 00 13 95 2b 05 3c 66 06 d8 96 08
         89 e1 77 51 23 0e d7 8f a0 80

   {server}  send alert record:

      payload (2 octets):  01 00

      ciphertext (24 octets):  17 03 02 03 00 13 46 95 47 73 f0 bf 82 91 68
         34 7b 99 0b 68 bf 73 3a f5 75

5.  HelloRetryRequest

   In this example, the client initiates a handshake with an X25519
   [RFC7748] share.  The server however prefers P-256 [FIPS186] and
   sends a HelloRetryRequest that requires the client to generate a key
   share on the P-256 curve.
         04

   {client}  create an ephemeral x25519 P-256 key pair:

      private key (32 octets):  a8 f7 4c 62 7c 09 56 a7 89 81 aa 60 39
         e1 58 56 80 f4  ab 54 73 46 7e 19 34 6c eb 0a 04 14 e4
         1d a2 1d 4d 24 45 bc 30 25 af 93 c6 0b 4a 9c cc 35 1f 3c 1a c9 05 e9 7c 4e 8d c8 d5 13 da 39

      public key (32 (65 octets):  28 90 65 44  04 a6 da 73 92 ec 59 1e 17 ab fd 53 59 64
         b9 98 94 d1 3b ef b2 21 b3 de f2 eb 46 f9 bc c3 63 92 e3 83 0e 28 a6
         4c 72 a5 ff d1 ac 8f 01 51 81 26
         77 c4 d6 d2 23 7e 85 cf 01 d6 91 0c fb f5 71 83 95 4e 76 ba 73 52 83
         05 34 15 98 97 e8 06 36 c0 5b 88 ab a0 35 38 0c 57 80

   {client}  send  construct a ClientHello handshake message

   {client}  send handshake record:

      payload (180

      ClientHello (512 octets):  01 00 00 b0 01 fc 03 03 8f bb 74 7c 54 ca 32 cd b0 b1 c5 a5 aa 37 c5
         91 9f 2e d1 d5 c6 ff f7 fc b7 84 97 16 94 5a 2b a9 d9 26 76 15 ca 2d 28 56 8c 44 0d ce 64 e3 4a 3e f6 bc 7e
         98 e9 d3 ee 92 58 a3
         46 67 7b 6f 00 00 06 13 01 13 03 13 02 01 00 00 81 01 cd 00 00 00 0b
         00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00
         06 00 1d 00 17 00 18 00 33 00 26 47 00 24 45 00 1d 17 00 20 28 90 65 44 eb
         46 f9 bc c3 63 92 0e 28 41 04 a6 4c 72 a5 ff da 73
         92 ec 59 1e 17 ab fd 53 59 64 b9 98 94 d1 3b ef b2 21 b3 de f2
         eb e3 83 0e ac 8f 01 51 81 26 77 c4 d6 d2 23 7e 85 cf 01 d6 91
         0c fb f5 71 83 95 4e 76 ba 73 52 83 05 34 15 98 97 e8 06 36 c0 5b
         88 ab a0 35 38 0c 57 80 00 2b
         00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04
         08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d
         2c 00 02 01 01 74 00 1c 72 71 dc d0 4b b8 8b c3 18 91 19 39 8a 00 02 40 01

      ciphertext (185 octets):  16 03 01 00 b4 01 00 00 b0 03 03 8f bb
         74 7c 54 ca 32 cd 2b a9 d9 26
         ee fa fc 76 15 c1 46 b8 23 b0 96 f8 aa ca 2d 28 d3 65 dd 00 30 95 3f 4e
         df 62 56 8c 44 0d ce 64 36 e5 f2 1b b2 e2 3f cc 65 4b 1b 5b 40 31 8d 10 d1 37
         ab cb b8 75 74 e3 6e 8a 1f 02 5f 7d fa 5d 6e 50 78 1b 5e da 4a 3e f6 bc 7e 98
         a1 5b 0c 8b e7 78 25 7d 16 aa 30 30 e9 d3 e7 84 1d d9 e4 c0 34 22
         67 e8 ca 0c af 57 1f b2 b7 cf f0 f9 34 b0 00 2d 00 06 13 02 01 13 03 13 01 00
         1c 00 02 40 01 00 15 00 af 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00
         81 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06 00 1d
         00 17 00 18 00 33 00 26 00 24 00 1d 00
         20 28 90 65 44 eb 46 f9 bc c3 63 92 0e 28 a6 4c 72 a5 ff d1 fb
         f5 71 06 36 c0 5b 88 ab a0 35 38 0c 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05
         01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01

   {server}  send a ServerHello handshake message

   {server}  send handshake record:

      payload (176 octets):  02 00 00 ac 03 03 cf 21 ad 74 e5 9a 61 11
         be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 9e 09 e2 c8
         a8 33 9c 00 13 01 00 00 84
         00 33 00 02 00 17 00 2c 00 74 00 72
         f7 b8 f7 e4 4a 25 b1 e4 15 e3 a1 d4 00 00 00 00 65 a4 46 6b 5a
         a7 aa eb be d0 bc 0b 6d 96 5a 58 00 30 df ac fb a2 00 23 21 e1
         2a ec 00 07 b4 da c5 d1 65 20 c4 46 f0 18 49 37 ea 29 a3 07 01
         78 a7 fc 5b 0f f8 3d b3 f6 7d 0c 13 a6 a5 df e6 b9 09 87 8b 44
         ec 76 80 e7 86 75 60 fe bf ed c9 1f af 1a 87 19 1b a8 c3 c8 cd
         96 2f 88 13 ff 3f 47 96 ae 00 2b 00 02 03 04

      ciphertext (181 octets):  16 03 03 00 b0 02 00 00 ac 03 03 cf 21
         ad 74 e5 9a 61 11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c
         5e 07 9e 09 e2 c8 a8 33 9c 00 13 01 00 00 84
         00 33 00 02 00 17 00 2c 00 74 00 72 f7 b8 f7 e4 4a 25 b1 e4 15 e3 a1 d4 00 00 00 00 65 a4 46 6b 5a a7 aa eb be d0 bc 0b 6d 96 5a 58 00 30 df ac
         fb a2 00 23 21 e1 2a ec 00 07 b4 da c5 d1 65 20 c4 46 f0 18 49
         37 ea 29 a3 07 01 78 a7 fc 5b 0f f8 3d b3 f6 7d 0c 13 a6 a5 df
         e6 b9 09 87 8b 44 ec 76 80 e7 86 75 60 fe bf ed c9 1f af 1a 87
         19 1b a8 c3 c8 cd 96 2f 88 13 ff 3f 47 96 ae 00 2b 00 02 03 04

   {client}  create an ephemeral P-256 key pair:

      private key (32 octets):  73 eb 34 d9 e6 f4 90 00 0d 35 bc 12 94
         f1 ea 1c 3f 2b f9 95 56 0a 1f 35 a2 b9 cb 21 13 d5 48 b1

      public key (65 octets):  04 35 8d 1d 9c a8 f6 79 5d fa fd 0d d3 88
         14 65 67 20 14 9b bc 1b 39 8a a1 46 a2 0f 60 d6 17 db 9f 02 68
         3d ac 20 ac 2c 06 a3 a5 ef a3 e2 12 49 03 d6 d2 eb a7 65 b4 42
         90 1f 15 51 28 f7 e7 0e 06

   {client}  send a ClientHello handshake message

   {client}  send handshake record:

      payload (512 octets):  01 00 01 fc 03 03 8f bb 74 7c 54 ca 32 cd b0 b1 c5 a5 aa 37 c5 91
         9f 2e d1 d5 c6 ff f7 fc b7 84 97 16 94 5a 2b a9 d9 26 76 15 ca 2d 28 56 8c 44 0d ce 64 e3 4a 3e f6 bc 7e
         98 e9 d3 ee 92 58 a3 46
         67 7b 6f 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00
         09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 06
         00 1d 00 17 00 18 00 33 00 47 00 45 00 17 00 41 04 35 8d 1d 9c
         a8 f6 79 5d fa fd 0d d3 88 14 65 67 20 14 9b bc 1b 39 8a a1 46
         a2 0f 60 d6 a6 da 73 92
         ec 59 1e 17 db 9f 02 68 3d ac 20 ac 2c 06 a3 a5 ab fd 53 59 64 b9 98 94 d1 3b ef a3 e2 12
         49 03 b2 21 b3 de f2 eb
         e3 83 0e ac 8f 01 51 81 26 77 c4 d6 d2 eb a7 65 b4 42 90 1f 23 7e 85 cf 01 d6 91 0c
         fb 83 95 4e 76 ba 73 52 83 05 34 15 51 28 f7 e7 0e 98 97 e8 06 57 80 00 2b 00
         03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08
         05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2c
         00 74 00 72 f7 71 dc d0 4b b8 f7 e4 4a 25 b1 e4 15 e3 a1 d4 8b c3 18 91 19 39 8a 00 00 00 00 65
         a4 ee
         fa fc 76 c1 46 6b 5a a7 aa eb be d0 bc 0b 6d b8 23 b0 96 5a 58 f8 aa ca d3 65 dd 00 30 95 3f 4e df ac fb a2
         00 23 21 e1 2a ec 00 07 b4 da c5 d1
         62 56 36 e5 f2 1b b2 e2 3f cc 65 20 c4 46 f0 18 49 4b 1b 5b 40 31 8d 10 d1 37 ea
         29 a3 07 01 ab
         cb b8 75 74 e3 6e 8a 1f 02 5f 7d fa 5d 6e 50 78 a7 fc 1b 5e da 4a a1
         5b 0f f8 3d b3 f6 7d 0c 13 a6 a5 df e6 b9
         09 87 8b 44 ec 76 80 e7 86 75 60 fe bf ed c9 1f 78 25 7d 16 aa 30 30 e9 e7 84 1d d9 e4 c0 34 22 67
         e8 ca 0c af 1a 87 19 1b
         a8 c3 c8 cd 96 2f 88 13 ff 3f 47 96 ae 57 1f b2 b7 cf f0 f9 34 b0 00 2d 00 02 01 01 00 1c
         00 02 40 01 00 15 00 af 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      ciphertext

      complete record (517 octets):  16 03 03 02 00 01 00 01 fc 03 03 8f bb
         74 7c 54 ca 32 cd b0
         b1 c5 a5 aa 37 c5 91 9f 2e d1 d5 c6 ff f7 fc b7 84 97 16 94 5a
         2b a9 d9 26 76 15 ca 2d 28 56 8c 44 0d ce 64
         e3 4a 3e f6 bc 7e 98 e9 d3 ee 92 58 a3 46 67 7b 6f 00 00 06 13 01 13 03 13 02 01 00
         01 cd 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01
         00 00 0a 00 08 00 06 00 1d 00 17 00 18 00 33 00 47 00 45 00 17
         00 41 04 35 8d 1d 9c a8 f6 79 5d fa fd 0d d3 88 14 65 67 20 14 9b
         bc 1b 39 8a a1 46 a2 0f 60 d6 17 db 9f 02 68 3d ac 20 ac 2c 06
         a3 a5 a6 da 73 92 ec 59 1e 17 ab fd 53 59 64 b9 98 94 d1 3b
         ef a3 e2 12 49 03 b2 21 b3 de f2 eb e3 83 0e ac 8f 01 51 81 26 77 c4 d6 d2 eb a7 65 b4 42 90 1f 23
         7e 85 cf 01 d6 91 0c fb 83 95 4e 76 ba 73 52 83 05 34 15 51 28 f7
         e7 0e 98 97
         e8 06 57 80 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03
         06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05
         02 06 02 02 02 00 2c 00 74 00 72 f7 71 dc d0 4b b8 f7 e4 4a 25 b1 e4 15 e3 a1
         d4 8b c3 18 91 19
         39 8a 00 00 00 00 65 a4 ee fa fc 76 c1 46 6b 5a a7 aa eb be d0 bc 0b 6d b8 23 b0 96 5a 58 f8 aa ca d3 65
         dd 00 30 95 3f 4e df ac fb a2 00 23 21 e1 2a ec 00 07 b4 da c5 d1 62 56 36 e5 f2 1b b2 e2 3f cc 65 20 c4
         46 f0 18 49 4b 1b 5b
         40 31 8d 10 d1 37 ea 29 a3 07 01 ab cb b8 75 74 e3 6e 8a 1f 02 5f 7d fa 5d 6e
         50 78 a7 fc 1b 5e da 4a a1 5b 0f f8 3d b3 f6 7d 0c
         13 a6 a5 df e6 b9 09 87 8b 44 ec 76 80 e7 86 75 60 fe bf ed c9
         1f 78 25 7d 16 aa 30 30 e9 e7 84
         1d d9 e4 c0 34 22 67 e8 ca 0c af 1a 87 19 1b a8 c3 c8 cd 96 2f 88 13 ff 3f 47 96 ae 57 1f b2 b7 cf f0 f9 34 b0 00
         2d 00 02 01 01 00 1c 00 02 40 01 00 15 00 af 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00

   {server}  extract secret "early":

      salt:  (absent)  0 (all zero octets)

      IKM (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

   {server}  create an ephemeral P-256 key pair:

      private key  create an ephemeral P-256 key pair:

      private key (32 octets):  8c 51 06 01 f9 76 5b fb 8e d6 93 44 9a
         48 98 98 59 b5 cf a8 79 cb 9f 54 43 c4 1c 5f f1 06 34 ed

      public key (65 octets):  04 58 3e 05 4b 7a 66 67 2a e0 20 ad 9d 26
         86 fc c8 5b 5a d4 1a 13 4a 0f 03 ee 72 b8 93 05 2b d8 5b 4c 8d
         e6 77 6f 5b 04 ac 07 d8 35 40 ea b3 e3 d9 c5 47 bc 65 28 c4 31
         7d 29 46 86 09 3a 6c ad 7d

   {server}  construct a ServerHello handshake message

      ServerHello (123 octets):  02 00 00 77 03 03 bb 34 1d 84 7f d7 89
         c4 7c 38 71 72 dc 0c 9b f1 47 fc ca cb 50 43 d8 6c a4 c5 98 d3
         ff 57 1b 98 00 13 01 00 00 4f 00 33 00 45 00 17 00 41 04 58 3e
         05 4b 7a 66 67 2a e0 20 ad 9d 26 86 fc c8 5b 5a d4 1a 13 4a 0f
         03 ee 72 b8 93 05 2b d8 5b 4c 8d e6 77 6f 5b 04 ac 07 d8 35 40
         ea b3 e3 d9 c5 47 bc 65 28 c4 31 7d 29 46 86 09 3a 6c ad 7d 00
         2b 00 02 03 04

   {server}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      expanded (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba
         b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {server}  extract secret "handshake":

      salt (32 octets):  22 da f5 8e bd 87 da df 82 8e  6f 8c 5d 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      IKM (32 octets):  c1 42 ce 13 ca 11 b5 c2 23 36 52 e6 3a d3 d9 78
         44 f1 62 1f bf b9 de 69 d5 47 dc 8f ed ea be b4

      secret (32 octets):  ce 02 2e 5e 6e 81 e5 07 36 d7 73 f2 d3 ad fc
         e8 22 0d 04 9b f5 10 f0 db fa c9 27 ef 42 43 df b1 48

   {server}  derive secret "tls13 c hs traffic":

      PRK (32 octets):  ce 02 2e 5e 6e 81 e5 07 36 d7 73 f2 d3 ad fc e8
         22 0d 04 9b f5 10 f0 db fa c9 27 ef 42 43 b1 48

      hash (32 octets):  8a a8 e8 28 ec 2f 8a 88 be 8b 4f ec 95 a3 13 9d e0 1c
         15 a3 da a7 ff 5b fc 3f 4b fc c2 1b 43 8d 7b f8

      info (54 octets):  00 20 12 74 6c 73 31 33 20 63 45 20 68 73 20 74 72
         61 66 66 69 63 20 8a a8 e8 28 ec 2f 8a 88 4f ec 95 a3 13 9d e0
         1c 15 a3 da a7 ff 5b fc 3f 4b fc c2 1b 43 8d 7b f8

      expanded (32 octets):  15 8a a7 ab 88 55 07 35 82 b4 1d 67 4b 40
         55 ca bc c5 34 72 8f 65 93 14 86 1b 4e 08 e2 01 15 66

   {server}  derive secret "tls13 s hs traffic":

      PRK (32 octets):  ce 02 44 5c 5c 46 2e 5e 6e 81 e5 07 36 d7 73 f2 d3 ad fc e8
         22 0d 04 9b f5 10 f0 db fa c9 27 ef 42 43 b1 48

      hash (32 octets):  8a a8 e8 28 ec 2f 8a 88 4f ec 95 a3 13 9d e0 1c
         15 a3 da a7 ff 5b fc 3f 4f f4 2d 37 4b fc c2 1b 43 8d 7b

      public key (65 f8

      info (54 octets):  04 3c  00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
         61 66 66 69 63 20 8a a8 e8 28 ec 2f 8a 88 4f ec 95 a3 13 9d e0
         1c 15 a3 da a7 ff 48 5b fc 3f 4b fc c2 1b 43 8d 7b 22 65 d1 42 f8 08 c0

      expanded (32 octets):  34 03 e7 81 e2 af 7b 65 ff
         32 b1 2c b3 a6 08 58 25 6f 15 cd da 28 57 4f 6e
         95 a1 ab f1 62 de 4e 94 6a 3c b6 67 1a 83 a9 65
         2c 31 8d 06 ec d6 5c 84 60 04 58 4a d9 79 d5 47 5c 7e 6b 9d 22
         7a 14 2c 16 da 45 ac 8b d4

   {server}  send a ServerHello handshake message 27 c3 76 72 a4 a0 ce f8 a1

   {server}  derive secret for handshake master "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2  ce 02 2e 5e 6e 81 e5 07 36 d7 73 f2 d3 ad fc e8
         22 0d 04 9b f5 10 f1 70 f9 2a f0 db fa c9 27 ef 42 43 b1 48

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output

      expanded (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6
         97  ad 1c bc d3 a0 dc 70 53 ee b3 ed 3a 47 90
         1d 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {server}  extract secret "handshake":

      salt (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 a9 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      IKM (32 octets):  65 ab 95 4f 63 a7 3c 64 be b5 67 48 f4 18 1a 7d bd 5f 83 6f 63 95 86 5b
         87 a4 39 98 ef ae 26 ad 24 4c ba d2 aa 2c e4 69

      secret (32 octets):  86 69 c5 a3 9b 4a fb fb 02 93 d4 a7 20 0f aa
         b7 a4 95 e9 3a 7a c3 3f 8a c5 16 24 20 04 df 28 7a 2c b3

   {server}  derive  extract secret "tls13 c hs traffic":

      PRK "master":

      salt (32 octets):  86 69 c5 a3 9b 4a fb fb 02 93 d4 a7 20 0f aa b7
         a4 95 e9  ad 1c bc d3 a0 dc 70 53 ee b3 ed 3a 7a c3 3f 8a c5 47 90 1d 16 24 20 04 df 28 7a

      hash (32 octets):  b3 c1 a8 be 98 f4 11 09 a0 ec 84 d6 0a d0 f8 03
         cc 0e
         a9 fc 63 a7 3c d8 7a b2 9a 64 be b5 67 fc 17 2e 76 ee 96 69 f5

      info (54 48 1a 7d fb 3a 2c b3

      IKM (32 octets):  00 20 12 74 6c 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  11 31 33 20 63 20 68 73 20 74 72
         61 66 66 54 5d 0b af 79 dd ce 9b 87 f0 69 63 45 78
         1a 57 dd 18 ef 37 8d cd 20 b3 c1 a8 be 98 f4 11 09 a0 ec 84 d6 0a d0 60 f8
         03 cc 0e 3c d8 7a b2 9a 67 fc 17 2e 76 ee 96 f9 a5 69 f5

      output (32 02 7e d8

   {server}  send handshake record:

      payload (123 octets):  37 7b ec 72 bf e0 e9 93  02 00 00 77 03 03 bb 34 1d 84 7f d7 89 e5 e9 13 e2 b2 95 c4
         7c 38 71 72 dc 0c 9b f6 22 f1 47 fc ca cb 50 43 d8 6c a4 c5 98 d3 ff
         57 1b 98 00 13 87 0f fb da 69 25 ae 01 00 00 4f 00 33 00 45 00 17 ce de 00 41 04 58 3e 05
         4b 0c 01

   {server}  derive secret "tls13 s hs traffic":

      PRK (32 octets): 7a 66 67 2a e0 20 ad 9d 26 86 69 c5 a3 9b 4a fb fb 02 93 fc c8 5b 5a d4 a7 20 1a 13 4a 0f aa b7
         a4 95 e9 3a 7a c3 3f 8a c5 16 24 20 03
         ee 72 b8 93 05 2b d8 5b 4c 8d e6 77 6f 5b 04 df 28 7a

      hash (32 octets): ac 07 d8 35 40 ea
         b3 c1 a8 be 98 f4 11 e3 d9 c5 47 bc 65 28 c4 31 7d 29 46 86 09 a0 ec 84 d6 0a d0 f8 3a 6c ad 7d 00 2b
         00 02 03
         cc 0e 3c d8 7a b2 9a 67 fc 17 2e 76 ee 96 69 f5

      info (54 04

      complete record (128 octets):  16 03 03 00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
         61 66 66 69 63 20 b3 c1 a8 be 98 f4 11 09 a0 ec 84 d6 0a d0 f8 7b 02 00 00 77 03 cc 0e 3c 03 bb
         34 1d 84 7f d7 89 c4 7c 38 71 72 dc 0c 9b f1 47 fc ca cb 50 43
         d8 6c a4 c5 98 d3 ff 57 1b 98 00 13 01 00 00 4f 00 33 00 45 00
         17 00 41 04 58 3e 05 4b 7a b2 9a 66 67 2a e0 20 ad 9d 26 86 fc 17 2e 76 c8 5b
         5a d4 1a 13 4a 0f 03 ee 96 69 f5

      output (32 octets):  19 72 b8 93 fc e3 6b d1 f0 4e c1 0d 14 b6 9d 3e 12
         8e 61 35 d5 1f 62 5e 14 b7 a6 c2 15 05 2b d8 5b 4c 63 80 21 a7 8d e6 77 6f 5b
         04 ac 07 d8 35 40 ea b3 e3 d9 c5 47 bc 65 28 c4 31 7d 29 46 86
         09 3a 6c ad 7d 00 2b 00 02 03 04

   {server}  derive secret write traffic keys for master "tls13 derived": handshake data:

      PRK (32 octets):  86 69 c5 a3 9b 4a fb fb 02 93 d4 a7 20 0f aa b7
         a4  34 03 e7 81 e2 af 7b 65 08 da 28 57 4f 6e 95 e9 3a 7a a1
         ab f1 62 de 83 a9 79 27 c3 3f 8a c5 16 24 76 72 a4 a0 ce f8 a1

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 04 df 28 7a

      hash (32 6b 65 79 00

      key expanded (16 octets):  e3 b0  46 46 bf ac 17 12 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 26 cd 78 52 b8 55 d8 a2 4a
         8a 6f 6b

      iv info (49 (12 octets):  00 20 0d 0c 08 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 00

      iv expanded (12 octets):  32 25 e8 e6 82 c8 0f 84 51 c2 69 99 ca 10 99
         36 69 68  c7 d3 95 c0 8d 8c 6f 82 82 e6 94 18 62 f2 97 d1 37 5b 7e 10 6d 51

   {server}  extract secret "master":

      salt (32 octets):  32 25 e8 e6 82 c8 0f 84 51 c2 69 99 ca 10 99 36
         69 68 8d 8c 6f 82 82 e6 94 18 37 5b 7e 10 6d 51

      IKM (32 ea

   {server}  construct a EncryptedExtensions handshake message

      EncryptedExtensions (28 octets):  08 00 00 18 00 16 00 0a 00 08 00
         06 00 17 00 18 00 1d 00 1c 00 02 40 01 00 00 00 00

   {server}  construct a Certificate handshake message

      Certificate (445 octets):  0b 00 01 b9 00 00 01 b5 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  a6 57 77 cf ab f2 b2 7d fc 68 75 6f 4e fd 2d
         f9 a3 ff 0d c3 2e c3 0e 62 5f 2e 7e 18 14 a4 d2 b9

   {server}  send handshake record:

      payload (123 octets): 01 b0 30 82
         01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48
         86 f7 0d 01 01 0b 05 00 00 77 30 0e 31 0c 30 0a 06 03 55 04 03 13 03
         72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17
         0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06
         03 3f 2c 62 94 55 ca 56 6e
         8e a2 43 7d f8 04 03 13 03 72 73 e2 c4 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7
         0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f
         82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26
         d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc a6 1a 51 da 4d b6 cb 7e 9a 95 63 7d
         51 42 7e 00 13 7a ce 6c
         1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52
         4b 1b 01 00 00 4f 00 33 00 45 00 17 00 41 04 3c ff 48
         7b 22 65 d1 42 f8 08 c0 65 ff 32 b1 2c b3 a6 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 58 25 6f 15 cd
         de 4e 94 6a 3c b6 67 1a 46 74
         80 30 53 0e f0 46 1c 8c a9 65 2c 31 8d 06 ec d6 5c 84 60 04 58
         4a d9 79 d5 47 5c 7e 6b 9d 22 7a 14 2c 16 da 45 ac 8b d4 00 ef bf ae 8e a6 d1 d0 3e 2b
         00 d1 93
         ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 04

      ciphertext (128 octets):  16 03 03
         01 00 7b 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 00 77 03 30 0b 06
         03 3f 2c
         62 94 55 ca 56 6e 8e a2 43 7d f8 73 e2 c4 1d 0f 04 04 03 02 05 a0 30 0d 06 bc a6 1a 51 da 4d
         b6 cb 7e 95 63 7d 51 42 7e 00 13 09 2a 86 48 86 f7 0d 01
         01 0b 05 00 03 81 81 00 4f 00 33 00 45 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a
         72 67 17
         00 41 04 3c ff 48 06 18 a5 4c 5f 8a 7b 22 65 d1 42 f8 08 c0 65 ff 32 b1 2c b3 a6
         08 58 25 6f 15 cd de 4e 33 7d 2d f7 a5 94 6a 3c b6 67 1a a9 65 2c 36 54 17 f2 ea
         e8 f8 a5 8c 8f 81 72 f9 31 8d 06 ec 9c f3 6b 7f d6 5c 84 c5 5b 80 f2 1a 03 01
         51 56 72 60 04 58 4a d9 79 d5 47 5c 7e 6b 9d 22 7a 14 2c 16 da
         45 ac 8b d4 00 2b 00 96 fd 33 5e 5e 67 f2 db f1 02 03 04

   {server}  derive write traffic keys for handshake data:

      PRK (32 octets):  19 93 fc e3 6b d1 f0 4e 70 2e 60 8c ca e6 be
         c1 0d 14 b6 9d fc 63 a4 2a 99 be 5c 3e 12 8e
         61 35 d5 1f 62 5e 14 b7 a6 c2 15 4c 63 80 21 a7

      key info (13 octets):  00 10 09 74 6c 73 31 33 7c 3c 54 e9 b9 eb 2b d5 20 6b 65 79 00

      key output (16 octets):  0d d2 f3 46 9c de 17 30 9f c3 3b
         1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c 61 64 8d
         13 c8 f8
         96 12 29 ac 91 87 b4

      iv info (12 2b 4d e1 00 00

   {server}  construct a CertificateVerify handshake message

      CertificateVerify (136 octets):  0f 00 0c 00 84 08 04 00 80 33 ab 13
         d4 46 27 07 23 1b 5d ca e6 c8 19 0b 63 d1 da bc 74 6c 73 f2 8c 39 53
         70 da 0b 07 e5 b8 30 66 d0 24 6a 31 ac d9 5d f4 75 bf d7 99 a4
         a7 0d 33 20 69 76 00

      iv output (12 octets): ad 93 d3 a3 17 a9 b2 c0 d2 37 a5 68 5b 21 9e 33 da a8 77 41 12
         e3 91 a2 47 60 7d 1a ef f1 bb d0 a3 9f 38 2e e1 a5 fe 88 ae 99
         ec 59 22 8e 64 97 e4 5d 48 ce 27 5a 6d 5e f4 0d 16 9f b6 e9 71 f9 d3 ad 89 ce 2c

   {server}  send a EncryptedExtensions handshake message

   {server}  send a Certificate handshake message

   {server}  send a CertificateVerify handshake message
         3b 05 2e d3 dc dd 6b 5a 48 ba af ff bc b2 90 12 84 15 bd 38

   {server}  calculate finished "tls13 finished":

      PRK (32 octets):  19 93 fc e3 6b d1 f0 4e c1 0d 14 b6 9d 3e 12 8e
         61 35 d5 1f  34 03 e7 81 e2 af 7b 65 08 da 28 57 4f 6e 95 a1
         ab f1 62 5e 14 b7 a6 c2 15 4c 63 80 21 a7 de 83 a9 79 27 c3 76 72 a4 a0 ce f8 a1

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output

      expanded (32 octets):  e2 03 13 64  e7 f8 bb 3e a4 a5 64 fc 3f f0 da 32 3b 2b 95
         c3 9b 9a be 54 8a c7 19 e8 16 3d 7c c6 9f b6 6b 4c c3 0c 47 10 b3 d0 9c 33
         13 65 81 17 e7 0b 09 7e 85 03 68 e2 51 0c a5 63 1f 74

      finished (32 octets):  88 63 e6 bf b0 42 0a 92 7f a2 7f 34 33 6a
         70 ae 42 6e 96 8e 3e b8 84 94 5b 96 85 6d ba 39 76 d1

   {server}  send  construct a Finished handshake message
      Finished (36 octets):  14 00 00 20 88 63 e6 bf b0 42 0a 92 7f a2
         7f 34 33 6a 70 ae 42 6e 96 8e 3e b8 84 94 5b 96 85 6d ba 39 76
         d1

   {server}  send handshake record:

      payload (645 octets):  08 00 00 18 00 16 00 0a 00 08 00 06 00 17
         00 18 00 1d 00 1c 00 02 40 01 00 00 00 00 0b 00 01 b9 00 00 01
         b5 00 01 b0 30 82 01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30
         0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06
         03 55 04 03 13 03 72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31
         32 33 35 39 5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30
         0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06
         09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81
         81 00 b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68
         de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc
         9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87
         a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a
         5f da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6
         d1 d0 3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7
         9f 7f 1e 3f 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04
         02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a
         86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27
         6b 90 8c 65 f7 3a 72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5
         94 36 54 17 f2 ea e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5
         5b 80 f2 1a 03 01 51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70
         2e 60 8c ca e6 be c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9
         b9 eb 2b d5 20 3b 1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d
         40 2d cc 0c c8 f8 96 12 29 ac 91 87 b4 2b 4d e1 00 00 0f 00 00
         84 08 04 00 80 6b b7 6f a4 24 aa d9 99 c2 72 49 23 c1 6c 5e 44
         6d 47 2e 33 ab 13 d4 2c e2 46 27 07 23 1b 5d ca e6 c8 19 0b 63
         d1 da bc 74 f2 8c 39 53 70 da 0b 07 e5 b8 30 66 f6 e3 3c c0 9a b6 84 09 d0 24 30 17 45 6a 31 ac
         d9 5d f4
         48 f8 22 e8 cd b1 e7 1e 74 2f 75 bf d7 99 a4 a7 0d 33 ad 93 d3 a3 17 a9 b2 c0 d2 37
         a5 68 5b 21 9e 77 41 12 e3 91 8e df a2 47 60 7d 1a ef f1 bb d0 a3 37 54 42 11 11 6c
         33 3a 36 9f a8
         38 2e e1 a5 fe 88 ae 99 ec 59 22 8e 64 97 61 07 e4 5d 48 ce 27 5a 6d d6 71 3a 28 e0 7a 22 4f c6 4d 1f dc
         8d 6f 23 01 90 05 36
         5e f4 a9 2c 00 8d 09 9a cb 68 d8 15 9c 0d 16 9f b6 f9 d3 3b 05 2e d3 dc dd 6b 5a 48 ba af ff f0
         ac c3 71 f8 9e 4a f0 19 bc
         b2 35 f0 c5 1d 71 a4 21 b8 ca 8d 03 36
         87 00 74 ce 7b 05 8a 90 12 84 15 bd 38 14 00 00 20 d2 0d 7e 67 8b 35 c0 03 2e 88 63 e6 bf b0 42 0a 92 7f a2
         7f 34 33 6a 70 ae 42 6e 96
         37 6f 7a 49 40 bc f3 20 4b 90 8e 3e cf 90 ed af ec eb 95 f3 02 3d
         32

      ciphertext b8 84 94 5b 96 85 6d ba 39 76
         d1

      complete record (667 octets):  17 03 03 02 96 68 9c 22 eb eb 99 be e2 0b af 5b 7f
         c7 1d df
         1b 02 14 96 5a 39 a0 61 27 bf 12 af 84 c2 ee 0e 12 13 ae 3e 1c ab
         c0 ce ca c6 06 37 3e 81 eb 3f 61 55 5e e5 a4 58 bf d4 3e db e1
         f2 eb 62 23 92 8a 38 1e 6d 0c b8 28 01 27 9e 02 15 8c f9 c4 da 65 3f 9d 2a 7b 50 3b 86 a1 23
         f7 de 11 cc e8 42 a7 56 c4 1e
         d2 40 b8 d5 cf 75 63 17 63 45 0f e8 c4 b1 93 66 ec f1 ac 3a b7 64 f0 c5 37 7a ef 35
         6f 27 d6 01 3e fb 8b 0c c1 d2 38 e6
         58 af 7a 12 ad c8 62 43 11 4a b1 4a 1d a2 fa e4 26 21 ce 48 3f
         b6 24 2e ab fa ad bc 72 fc 49 4b 6e bc 9d c2 55 75 44 18
         38 cf 52 56 6b 02 9e 73 05 72 7e f8 0d 7b 7d 51 21 b3 1d 2e d4 d8 8a f5 bc 1a dd ed ef eb 80 37 8e 1c e6 6a 28 8e e5 14 75 7b ea b7 8a 48 af fc 89 7c 49 20
         2c fd ed 99 a7 81 05 cf 87 69 a4 c3
         00 d5 f9 73 b4 0c 4f df 74 71 9e cf 1b 81 82 66 67 68 d7 f9 c3 b6 ce b9 03
         ca 13 dd 1b b8 f8 18 7a e3 34 17 e1 d1 52 52 2c 58 22 a1 a0 3a
         d5 2c 83 8c 55 95 3d 61 02 22 87 4c ce c8
         0b 15 8e 17 90 b2 29 a2 c4 61 68 f8 cb 44 23 70 e6 1c 4d cd f5 bc c0 25 aa 0b
         53 f7
         50 31 c8 d3 77 ee 72 01 82 95 1d c6 18 1d c5 d9 0b d1 f0 10 11 9f 5e d1
         e8 4a a5 f7 59 57 c6 66 18 97 07 9e 5e a5 00 74 49 e3 19 7b dc
         7c 9b ee ed dd ea fd d8 44 af a5 c3 15 ec fe 65 e5 76 af e9 09
         81 28 80 62 0e 05 94 d5 a3 63 b2 7e 27 72 dc 96 79 24 d3 c7 04 8b 42 d7 f5 c7 8d 76 f2 99 d6 ce b8 6e 7d d0 01 6b 8f 33 92 51 36 e4 69 6c 6d 43 38 4b 31 d8 25 34 bd
         d8 f5 12 ec 7c 15 8a f6 88 ce 18 83 26 67 b4 ff fe 2a c4 17 bc 0e d3 81 4a 98 eb
         fd c9 17 45 ca 47 0c d8 00 0d 3e 1c b9 96 76 a4 f3 21 f1 65 64 ec 23 90 ba 37 c3 00 b1
         e7 a9 da 6c ce b2 ac 0c 45 13 5b 66 84 32 2b b2 34 f9 46 70 2a
         c2 42 c7 55 7c 05
         2f bb 95 0d f6 83 a5 2c 2b a7 7e d3 71 f0 ee 65 3b 12 29 37 a6 c9 e5 17 09
         64 e2 ab 79 69 dc d9 80 b3 db 9b 45 8d a7 93 60 31 24 d6 94 fe 1f 7f b2 67
         ce 6e 83 22 5c 9f 10 b5 b8 8d db 25 53 5b f6 cc 73 2f c7 da 79
         b8 09 28 90 82 7a dc 00 97 11 74 a5 f0 90 30 5e
         4d 6e 04 b4 d0 b9 bb 5f 22 8b 08
         f7 aa 2f 7c 2c 57 ac 9b 7d 69 c8 1d 56 f0 c4 ba f3 27 5d b8 27 db 07 98 9e 87 4c 4e
         42 0e d8 32 aa 87 4d ba 0a 6d b0 96 72 c3 c9 36 17 1f
         c0 57 b3 85 00 f5 aa 3a 9a 9c 8f 76
         f7 1d 7e 02 68 41 b7 dc 20 82 ab 8b e2 97 8f f4 e7 4e 8b 47 e6 6b 26 fc c6 ff bc
         9a 68 b0 5b 1a db 37 bf 6e da 22 99 bd 23 ee 4b 40 f6 3c 34 90 c6
         63 f6 82 f4 12 58 25 46 bb ef dd 03 76 bb
         11 08 fe 9a cc 92 18 9f 56 50 aa 5e 94 2a 36 85 d8 e8 c7 b6 7a cd 0c c5 10 db
         a0 03 d3 d7 e1 63 50 bb 66 d4 50 13 ef d4 4c 9b 60 7c 0d 31 8c
         4c 7d f9 c8 7e 6a 75 5e
         53 7e 7e 1a cb ba b7 b1 a4 30 b9 26 75 e4 1f 5c 97 58 14 ed 91 7e
         78 30 7a 5f 99 6b bc 57 e2 06 11 80 4e 37 87 47 f4 41 ca 36 93 2d 45 d5 2a 0b b1 48 6a
         6f 53 75 0d 01 23 f0 8a d7 b4 a4 b5 f0 8e d8
         fd 70 ca c6 8c bd ae ad e0 22 60 b1 2a b8 42 ef 69 0b 4a 3e e7 91 1e 84
         1b 37 4e cd 5e bb bc 2a 54 d0 47 b6 00 d2 33 6d d7 d0 c8 8b 4b c1
         0e 58 ee 6c b6 56 de 72 47 fa 20 d8 e9 1d eb 84 e3 ac 09 05 62 86 08 cf 80
         68 ca af d4 f9 ae 46 92 04
         61 5b 62 e9 6c 14 91 c7 ac 37 55 eb 69 01 cb 40 5d 34 74 fe 1a c7
         9d 10 6a 0c ee 56 c2 57 9c c4 67 ad f7 67 7f c8 84 80 f9 6c b6 b8 c6 81 b7 b6 8b
         53 c1 46 09 39 08 c5
         95 32 06 51 e5 8c 92 cc 99 a6 62 9d 5f f3 50 88 81 75 bd 57 34 ac 3f cc 34 21
         5d fb 0b 1e 31 b6 09 d2 c7 86 11 ad 61 e3 0b a0
         ad fe 6d 22 3a a0 3c 07 83 b5 00 f4 70 12 ae 8d dc 40 bd ba b9 fa 72
         2a e6 cc 2a bb b8 93 14 1a 57 58 7c 32 8a 9a fc fc fb 06 be
         97 8d 1c d4 32 8f 2f 2b cb 65 7d 9d 60 53 0e 63 0b ef d9 6c 0c 81 6e e2 0b
         01 00 76 8a e2 a6 df 51 fc 68 f1 72 74 0a 79 af 5b 1e ba 11 39 8e e3 be
         12 52 49
         c5 1f a9 c6 93 47 9e af 87 7f 94 a1 a0 f9 33 53 f6 e2 fb 84 c9 ab 7c 5f 8c ad 48 0c cb 35 be 46 cb
         cd 3f b4 12 64 02 03 e6
         ab 7b 87 f0 dd 71 e8 a0 72 eb d8 e5 62 5d c9 aa e7 b0 7b 93 91 13 df 17 f5 ee e8 de
         34 21 6f 6c e1 08 d1 d7 20
         07 ec 1c d1 3c 85 a6 c1 49 62 1e 77 b7 d7 8d 80 5a 30 f0 be 03
         0c 31 5e 54

   {server}  derive secret "tls13 c ap traffic":

      PRK (32 octets):  a6  11 31 54 5d 0b af 79 dd ce 9b 87 f0 69 45 78 1a
         57 77 cf ab f2 b2 7d fc 68 75 6f 4e fd 2d dd 18 ef 37 8d cd 20 60 f8 f9
         a3 ff 0d c3 2e c3 0e 62 5f 2e a5 69 02 7e 18 14 a4 d2 b9 d8

      hash (32 octets):  6c 45 a9 b1 b6 a9 d8 18 94 52 79 25 8e cc  50 f6 3c bf 36 b0 dd 04 9e 7a 0b a2 7d 64 55 74
         5e a2 aa ac 54 bb 16 fa
         33 9c e6 c6 37 17 56 1c 67 ee 7f 99 50 b2 ca 27 dc d0 0e b7 ce 95 09 da

      info (54 octets):  00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72
         61 66 66 69 63 20 6c 45 a9 b1 b6 a9 d8 18 94 52 79 25 8e cc 50 f6 3c bf 36 b0 dd 04 9e 7a 0b a2 7d 64 55
         74 5e a2 aa ac 54 bb 16
         fa 33 9c e6 c6 37 17 56 1c 67 ee 7f 99 50 b2 ca 27 dc d0 0e

      output b7 ce 95 09 da

      expanded (32 octets):  f3  75 ec f4 b9 72 b2 bf 29 76 71 90 a8 e0 fd 31 33 47 52 5a a0 dc d0 57 c9 94 4d
         4c d5 d8
         15 14 2c 37 76 3d c1 00 78 26 71 91 1f 7b 5c d8 84 31 0d 40 41 d7 dc 2a 4f f1 5a 21 dc 51

   {server}  derive secret "tls13 s ap traffic":

      PRK (32 octets):  a6  11 31 54 5d 0b af 79 dd ce 9b 87 f0 69 45 78 1a
         57 77 cf ab f2 b2 7d fc 68 75 6f 4e fd 2d dd 18 ef 37 8d cd 20 60 f8 f9
         a3 ff 0d c3 2e c3 0e 62 5f 2e a5 69 02 7e 18 14 a4 d2 b9 d8

      hash (32 octets):  6c 45 a9 b1 b6 a9 d8 18 94 52 79 25 8e cc  50 f6 3c bf 36 b0 dd 04 9e 7a 0b a2 7d 64 55 74
         5e a2 aa ac 54 bb 16 fa
         33 9c e6 c6 37 17 56 1c 67 ee 7f 99 50 b2 ca 27 dc d0 0e b7 ce 95 09 da

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72
         61 66 66 69 63 20 6c 45 a9 b1 b6 a9 d8 18 94 52 79 25 8e cc 50 f6 3c bf 36 b0 dd 04 9e 7a 0b a2 7d 64 55
         74 5e a2 aa ac 54 bb 16
         fa 33 9c e6 c6 37 17 56 1c 67 ee 7f 99 50 b2 ca 27 dc d0 0e

      output b7 ce 95 09 da

      expanded (32 octets):  a8 b8 89 78 fb a9  5c 74 f8 7d f0 42 25 db 0f 05 7c 52 c6 77 6a 01 1a
         d5 82 09 c9 de 64 bc
         29 e4 94 35 fd ef a7 ca d6 18 64 87 4d 38 ee 6c d7 45 4b a2 21 c2 89 10 08 7a 12 f3 1c fc 8d

   {server}  derive secret "tls13 exp master":

      PRK (32 octets):  a6  11 31 54 5d 0b af 79 dd ce 9b 87 f0 69 45 78 1a
         57 77 cf ab f2 b2 7d fc 68 75 6f 4e fd 2d dd 18 ef 37 8d cd 20 60 f8 f9
         a3 ff 0d c3 2e c3 0e 62 5f 2e a5 69 02 7e 18 14 a4 d2 b9 d8

      hash (32 octets):  6c 45 a9 b1 b6 a9 d8 18 94 52 79 25 8e cc  50 f6 3c bf 36 b0 dd 04 9e 7a 0b a2 7d 64 55 74
         5e a2 aa ac 54 bb 16 fa
         33 9c e6 c6 37 17 56 1c 67 ee 7f 99 50 b2 ca 27 dc d0 0e b7 ce 95 09 da

      info (52 octets):  00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73
         74 65 72 20 6c 45 a9 b1 b6 a9 d8 18 94 52 79 25 8e cc 50 f6 3c bf 36 b0 dd 04 9e 7a 0b a2 7d 64 55 74 5e
         a2 aa ac 54 bb 16 fa 33
         9c e6 c6 37 17 56 1c 67 ee 7f 99 50 b2 ca 27 dc d0 0e

      output b7 ce 95 09 da

      expanded (32 octets):  de e8 d9 7e ec e8 97 93 e4 5d 63 b4 10 18 88
         df  7c 06 a4 d3 63 c9 d8 ff af ef 2e bd ae 10 64 4d bc 42 6a 3a 37 4a ce 48 37 b3 98
         5c ac 67 78 0a 6e 2c 5c 04 b5 83 19 d5 84 df 09 d2 23

   {server}  derive write traffic keys for application data:

      PRK (32 octets):  a8 b8 89 78 fb a9 data:

      PRK (32 octets):  5c 74 f8 7d f0 42 25 db 0f 05 7c 52 c6 77 6a 01 1a d5 82 09 c9 de 64 bc 29 e4
         94 35 fd ef a7 ca d6 18 64 87 4d 38 ee 6c d7 45 4b a2 21 c2 89 10 08 7a 12 f3 1c fc 8d

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output expanded (16 octets):  df 25 5c 0d  f2 0f 01 26 2c 77 1c b8 74 67
         7b 4a 7a 5d 97 bd 25 55 0c 48 23 b0 f3 e5
         d2 93 88

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output expanded (12 octets):  90 89 9d 4b ab a4  0d d6 31 d1 e3 1b f7 02 b7 1c bb c7 97 c3 5f e7

   {server}  derive read traffic keys for handshake data:

      PRK (32 octets):  37 7b ec  15 8a a7 ab 88 55 07 35 82 b4 1d 67 4b 40 55 ca
         bc c5 34 72 bf e0 e9 8f 65 93 89 e5 e9 13 14 86 1b 4e 08 e2 b2 95 9b
         f6 22 13 87 0f fb da 69 25 ae 17 ce de 4b 0c 01 15 66

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output expanded (16 octets):  67 b6 7b 0d c0 12 44 92  2f 1f 91 86 63 d5 90 e7 42 dd ad ff c0 b1
         7c 7e 11 49 a2 9d
         94 b0 b6

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00
      iv output expanded (12 octets):  52 ac 28 15 2f f3 e1 26 02 60 08 cb  41 4d 54 85 23 5e 1a 68 87 93 bd 74

   {client}  extract secret "early":

      salt:  (absent)

      IKM (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a "early" (same as server early secret)

   {client}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output

      expanded (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba
         b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {client}  extract secret "handshake":

      salt (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      IKM (32 octets):  65 ab 95 4f 48 f4 18 7d bd 5f 83 6f 63 95 86 5b
         87 a4 39 98 ef ae 26 ad 24 4c ba d2 aa 2c e4 69

      secret (32 octets):  86 69 c5 a3 9b 4a fb fb 02 93 d4 a7 20 0f aa
         b7 a4 95 e9 3a 7a c3 3f 8a c5 16 24 20 04 df 28 7a "handshake" (same as server handshake
      secret)

   {client}  derive secret "tls13 c hs traffic" (same as server)

   {client}  derive secret "tls13 s hs traffic" (same as server)

   {client}  derive secret for master "tls13 derived" (same as server)

   {client}  extract secret "master" (same as server) server master secret)

   {client}  derive read traffic keys for handshake data:

      PRK (32 octets):  19 93 fc e3 6b d1 f0 4e c1 0d 14 b6 9d 3e 12 8e
         61 35 d5 1f 62 5e 14 b7 a6 c2 15 4c 63 80 21 a7

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  0d d2 f3 46 9c de 17 30 9f c3 0c 61 64 8d
         13 b4

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  9e 33 da a8 b6 e9 71 d3 ad 89 ce 2c keys for handshake data (same as server
      handshake data write traffic keys)

   {client}  calculate finished "tls13 finished" (same as server)

   {client}  derive secret "tls13 c ap traffic" (same as server)

   {client}  derive secret "tls13 s ap traffic" (same as server)

   {client}  derive secret "tls13 exp master" (same as server)

   {client}  derive write traffic keys for handshake data (same as
      server handshake data read traffic keys)

   {client}  derive read traffic keys for application data (same as
      server application data write traffic keys)

   {client}  calculate finished "tls13 finished":

      PRK (32 octets):  37 7b ec  15 8a a7 ab 88 55 07 35 82 b4 1d 67 4b 40 55 ca
         bc c5 34 72 bf e0 e9 8f 65 93 89 e5 e9 13 14 86 1b 4e 08 e2 b2 95 9b
         f6 22 13 87 0f fb da 69 25 ae 17 ce de 4b 0c 01 15 66

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output

      expanded (32 octets):  19  81 be 41 31 fb b9 b6 f4 47 14 50 84 6f 74
         fd 1e 68 c5 22 4b 6b 62 a7 c2 a8 67 7f 5c 53 ad 22 6f dc 13

      finished (32 octets):  23 f5 2f db 07 09 a5 5b d7 f7 9b 99 1f 25
         48 40 87 bc fd 4d 43 80 b1 23 26 c8 11 3f e1 24 a5 2a 2b 08 9d 39
         9a 26 83 ee 49 28 b2 e3 68 d9 ff 9b de c3 dd df 25 83 a0 a6 e1

   {client}  send  construct a Finished handshake message

      Finished (36 octets):  14 00 00 20 23 f5 2f db 07 09 a5 5b d7 f7
         9b 99 1f 25 48 40 87 bc fd 4d 43 80 b1 23 26 a5 2a 28 b2 e3 68
         e1

   {client}  send handshake record:

      payload (36 octets):  14 00 00 20 a7 da 23 f5 2f db 07 09 8b a5 5b d7 f7 9b 26 83 71 64 64
         99 1f
         9d 0d 1b de c6 e8 eb 25 48 35 6b e7 c0 b1 7b 6d 19 4b 4b 8f a1 40 87 bc fd

      ciphertext 4d 43 80 b1 23 26 a5 2a 28 b2 e3 68 e1

      complete record (58 octets):  17 03 03 00 35 87 b5 65 69 20 5c c2 cc c4
         53 67 58 88 e4 d8 79 1c 5d cf f4 26 cf 1a 88 57 84 d7 4f 19 23 c6 62 fd
         34 13 7c 6f 50 54 bf 28
         37 2f 3d d2 b9 3d 95 1d 1b 3b 9a 8e d0 99 e1 e8 c9 7e 42 af e2 3c 31 77 fb da
         ab ea 92 fe 91 b4 74 99 9e 85 e3 b7 91 ce 25 b3 78 7a ae 3c e1 f1 a0
         a7 af 2f e8 c3 e9 f9 39
         a4 12 0c b2

   {client}  derive write traffic keys for application data:

      PRK (32 octets):  f3  75 ec f4 b9 72 b2 bf 29 76 71 90 a8 e0 fd 31 33 47 52 5a a0 dc d0 57 c9 94 4d 4c d5
         d8 15
         14 2c 37 76 3d c1 00 78 26 71 91 1f 7b 5c d8 84 31 0d 40 41 d7 dc 2a 4f f1 5a 21 dc 51

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output expanded (16 octets):  06 ea a9 34 99 1d 0b 76 0d 56 9f 8e bb 79
         22 8b  a7 eb 2a 05 25 eb 43 31 d5 8f cb f9 f7
         ca 2e 9c

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output expanded (12 octets):  87 c0 5d f1  86 e8 a1 87 ba 4f e3 28 be 22 7c 1b d2 b3 e3 9c b4 44

   {client}  derive secret "tls13 res master":

      PRK (32 octets):  a6  11 31 54 5d 0b af 79 dd ce 9b 87 f0 69 45 78 1a
         57 77 cf ab f2 b2 7d fc 68 75 6f 4e fd 2d dd 18 ef 37 8d cd 20 60 f8 f9
         a3 ff 0d c3 2e c3 0e 62 5f 2e a5 69 02 7e 18 14 a4 d2 b9 d8

      hash (32 octets):  f6 d2 e9 99 c9 ce 6e 62 67 b3 83 3d d9 10 cd  0e 8b 34 91
         92 4a f6 89 00 66 d8 51 bd 9e f2 58 b8 55 fd cd 0c 11 db bc 4e 83 e4
         3c aa 6e 48 3c 6c 65 df 53 15 18 88 e5 01 65 6c d6 c8 f4

      info (52 octets):  00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73
         74 65 72 20 f6 d2 e9 99 c9 ce 6e 62 67 b3 83 3d d9 10 cd 0e 8b 34 91 92
         4a f6 89 00 66 d8 51 bd 9e f2 58 b8 55 fd cd 0c 11 db bc 4e 83 e4 3c
         aa 6e 48 3c 6c 65 df 53 15 18 88 e5 01 65 6c d6 c8

      output f4

      expanded (32 octets):  1f 63 61 ef 0f  09 17 0c 6d 47 27 21 56 6f 9c f9 9b 08 69
         9d fe 19 ac 0f eb 5d 87 51 5f
         ad 41 92 67 6b 79 af f5 61 ea 85 fc 2b 31 ba a0 c1 1f fa ec 8f b2 2d 5a 32 c3 f9 4c e0 09 b6 99 75

   {server}  calculate finished "tls13 finished" (same as client)

   {server}  derive read traffic keys for application data (same as
      client application data write traffic keys)

   {server}  derive secret "tls13 res master" (same as client)

   {client}  send alert record:

      payload (2 octets):  01 00

      ciphertext (24 octets):  17

      complete record (24 octets):  17 03 03 00 13 2e a6 cd f7 49 19 60
         23 e2 b3 a4 94 91 69 55 36 42 60 47

   {server}  send alert record:

      payload (2 octets):  01 00

      complete record (24 octets):  17 03 03 00 13 51 9f c5 07 5c b0 88
         43 49 75 9f f9 ef 6f 01 1b b4 c6 f2

6.  Client Authentication

   In this example, the server requests client authentication.  The
   client uses a certificate with an RSA key, the server uses an ECDSA
   certificate with a P-256 key.  Note that private keys for the
   certificates used this example are not shown.

   {client}  create an ephemeral x25519 key pair:

      private key (32 octets):  c0 40 b2 bb 8f 3a dd d2 0f d4 05 8c 54
         70 03 a3 c6 f9 c1 cd 91 5d 5e 53 5c 87 d8 d1 91 aa f0 71

      public key (32 octets):  08 9c c2 67 1f 73 8d 9a 67 1e 5b 2e 46 49
         81 d0 5b 76 e3 61 aa 22 ae a9 1f 1d 49 ca 10 a7 a3 62

   {client}  construct a ClientHello handshake message
      ClientHello (192 octets):  01 00 00 bc 03 03 6a 47 22 36 32 8b 83
         af 40 38 6d 3a 3e 1f 1c e6 24 fa 4e d8 9a b8 65 a4 ff 0f 41 44
         ce 3a e2 33 00 00 06 13 01 13 03 13 02 01 00 00 8d 00 00 00 0b
         00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00
         12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33
         00 26 00 24 00 1d 00 20 08 9c c2 67 1f 73 8d 9a 67 1e 5b 2e 46
         49 81 d0 5b 76 e3 61 aa 22 ae a9 1f 1d 49 ca 10 a7 a3 62 00 2b
         00 03 02 03 04 00 13 a1 93 82 ba 6a cc c4 d0 df
         e3 46 c6 5b b3 ff 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04
         08 05 08 06 04 01 95 6f 26

   {server} 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00
         2d 00 02 01 01 00 1c 00 02 40 01

   {client}  send alert handshake record:

      payload (2 (192 octets):  01 00

      ciphertext (24 octets):  17 00 bc 03 03 6a 47 22 36 32 8b 83 af
         40 38 6d 3a 3e 1f 1c e6 24 fa 4e d8 9a b8 65 a4 ff 0f 41 44 ce
         3a e2 33 00 00 06 13 6a c7 95 b6 5c a3 01 13 33 30
         22 5c c3 a8 03 13 02 01 00 00 8d 00 00 00 0b 28 f2 39 d2 e9

6.  Client Authentication

   In this example, the server requests client authentication.  The
   client uses a certificate with an RSA key, the server uses an ECDSA
   certificate with a P-256 key.  Note that private keys for this
   example are not included in the draft.

   {client}  create an ephemeral x25519 key pair:

      private key (32 octets):  51 51 41 c1 11 7c f2 f1 81 f0 63 41 08
         da 12 41 26 df 69 36 21 2b b4 8c 00
         09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 48 b6 86 4d 00 14 8a 35

      public key (32 octets):  8e 61 95 b8 3b ea 47 57 fc 4f c5 c9 cc 73
         2b 87 10 c0 fe 00 12
         00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00
         26 00 24 00 1d 00 20 08 9c c2 67 1f dc 3b 73 8d 9a 67 1e 5b 2e 46 53 85 0e c0 68 bd 6a 49
         81 d0 5b 76 e3 61 aa 22 ae a9 1f 1d 49 ca 10 a7 a3 62 00 2b 00
         03

   {client}  send a ClientHello handshake message

   {client}  send handshake record:

      payload (192 octets):  01 02 03 04 00 0d 00 bc 20 00 1e 04 03 05 03 72 be 9e 06 03 79 d1 64 11
         d3 5d a6 b5 56 02 03 08 04 08
         05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d
         00 02 01 01 00 1c 00 02 40 01

      complete record (197 octets):  16 03 01 00 c0 01 00 00 bc 37 5d a6 03 03 6a
         47 22 36 32 8b 83 af 40 55 2b ca 71 9d ae 41 90 f3 94
         39 38 6d 3a 3e 1f 1c e6 24 fa 4e d8 5a 9a b8
         65 a4 ff 0f 41 44 ce 3a e2 33 00 00 06 13 01 13 03 13 02 01 00
         00 8d 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01
         00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02
         01 03 01 04 00 33 00 26 00 24 00 1d 00 20 8e 61 95 b8 3b ea 47 57 fc 4f c5 c9 cc 08 9c c2 67 1f 73
         2b 87 10 c0 fe 12 8d
         9a 67 1e 5b 2e 46 49 81 d0 5b 76 e3 61 aa 22 ae a9 1f dc 3b 46 53 85 0e c0 68 bd 6a 03 1d 49 ca
         10 a7 a3 62 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03
         06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05
         02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01

      ciphertext (197

   {server}  extract secret "early":

      salt:  0 (all zero octets)

      IKM (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

   {server}  create an ephemeral x25519 key pair:

      private key (32 octets):  73 82 a5 ad 1c dd 20 56 ae 18 cc 70 8b
         d0 07 d9 81 30 db e2 cd 4d 9e ad 9b 96 95 2b ec bb 08 88

      public key (32 octets):  6c 2e 50 e8 65 91 9a 6b 5a 12 df af 91 8f
         92 b4 42 56 7b 0f 89 bc 54 47 8c 69 21 36 66 58 f0 62

   {server}  construct a ServerHello handshake message

      ServerHello (90 octets):  02 00 00 56 03 03 3b 50 fd f1 c3 d5 72
         e4 0e 68 95 3e 7f ff 4e 27 58 45 9c 59 af a0 58 2c 0e a0 32 87
         42 55 fe 6e 00 13 01 00 00 2e 00 33 00 24 00 1d 00 20 6c 2e 50
         e8 65 91 9a 6b 5a 12 df af 91 8f 92 b4 42 56 7b 0f 89 bc 54 47
         8c 69 21 36 66 58 f0 62 00 2b 00 02 03 04

   {server}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      expanded (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba
         b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {server}  extract secret "handshake":

      salt (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      IKM (32 octets):  7d c1 14 f6 47 5d fa 79 77 be 73 6e f7 cb eb c4
         8c 70 32 9e 8e 9a 74 b4 d7 03 3c 43 f9 59 7d 4f

      secret (32 octets):  16 03 01  d9 95 24 36 74 fb 64 00 d7 d3 7b c0 e9 86 1b
         db d9 ed 09 56 01 00 00 bc 03 03 72 be
         9e 03 79 d1 dc f2 99 48 74 f2 80 3d e2 2e 39

   {server}  derive secret "tls13 c hs traffic":

      PRK (32 octets):  d9 95 24 36 74 fb 64 11 00 d7 d3 5d a6 b5 7b c0 e9 86 1b db
         d9 ed 09 56 16 bc 37 5d a6 40 55 2b ca 71
         9d ae 41 90 f3 94 01 dc f2 99 48 74 f2 80 3d e2 2e 39 d8

      hash (32 octets):  88 eb c0 42 bd 0d 5a 64 3b 22 fc a7 a4 7d ef d4
         00 00 06 13 01 13 03 13 02 01 00 00
         8d 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00
         00 0a 00 14 00 12 00 1d 00 17 00 7d fe 18 00 19 01 00 01 01 01 02 01
         03 01 04 00 33 00 49 49 a6 26 1c 59 6c 4e 00 24 00 1d 2a 74 a2

      info (54 octets):  00 20 8e 61 95 b8 3b ea 47 57
         fc 4f c5 c9 cc 73 2b 87 10 c0 fe 12 1f dc 3b 46 53 85 0e c0 74 6c 73 31 33 20 63 20 68 73 20 74 72
         61 66 66 69 63 20 88 eb c0 42 bd 6a 03 00 2b 00 03 02 03 04 00 0d 5a 64 3b 22 fc a7 a4 7d ef
         d4 00 20 00 1e 04 03 05 03 06
         03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02
         06 02 02 02 00 2d 00 02 01 01 00 7d fe 18 49 49 a6 26 1c 59 6c 4e 00 02 40 01 2a 74 a2

      expanded (32 octets):  ce c7 a3 0c 68 72 07 0f 22 a7 ee b0 65 76
         8d b6 7c 45 e2 95 33 db 87 99 08 ce 6d c6 6f 59 11 de

   {server}  extract  derive secret "early":

      salt:  (absent)

      IKM "tls13 s hs traffic":

      PRK (32 octets):  d9 95 24 36 74 fb 64 00 d7 d3 7b c0 e9 86 1b db
         d9 ed 09 56 01 dc f2 99 48 74 f2 80 3d e2 2e 39

      hash (32 octets):  88 eb c0 42 bd 0d 5a 64 3b 22 fc a7 a4 7d ef d4
         00 7d fe 18 49 49 a6 26 1c 59 6c 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 2a 74 a2

      info (54 octets):  00 20 12 74 6c 73 31 33 ad 0a 1c 60 7e 20 73 20 68 73 20 74 72
         61 66 66 69 63 20 88 eb c0 42 bd 0d 5a 64 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 22 fc a7 a4 7d ef
         d4 00 aa 1f 7d fe 18 49 49 a6 26 60 e1 b2 2e 10 f1 70 f9 2a

   {server}  create an ephemeral x25519 key pair:

      private key (32 octets):  82 0f ba 6b 13 3f a3 bb 45 1c 59 6c 4e a0 fe 61
         7e 50 3a 00 2a 74 c3 09 b3 82 28 07 71 7d e1 ee 3f ee 17 27 57

      public key a2

      expanded (32 octets):  23 dc 3e 49 2e c4 56 63 c3 ad b5 17 ec 8e
         ef a6 5b 76  8b 02 d3 c0 cf 21 21 f4 af f5 09 50 0c 05 19 7f 0a

   {server}  send a ServerHello handshake message 04 42 a2 72 2c 40 98 eb e8 67
         5b 23 e8 01 51 0f 0d 7e d7 78 d8 eb 0b 8f 42 a1 9a 5e

   {server}  derive secret for handshake master "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e  d9 95 24 36 74 fb 64 00 d7 d3 7b c0 3b e9 86 1b db
         d9 ed 09 e6 cd 98 93 68 0c 56 01 dc f2 99 48 74 f2 80 3d e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 39

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output

      expanded (32 octets):  6f  74 57 55 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 b0 7c 81 a9 c1 b1 7e 6b 34 e0
         e6 d0 84 74 7a 61 f3 96 f5 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c b9 2c 07 36 11 ba ec 60 e8

   {server}  extract secret "handshake": "master":

      salt (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3  74 57 6c 36 11 ba

      IKM (32 octets):  b2 0d 9a cb a0 e0 38 1d 9f f5 1e 9d 55 26 b0 7c b8 ba 18 81 a9 ba 63 c1 b1 7e e5 93 08 13 da 7f f8 62 e6 62 44 45

      secret (32 octets):  ba c8 6b 34 e0 e6 23 e4 82 31 e5 f0 96 4f fc 3b f3 5a
         e4 bc 65 59 1a 9e 1a cf d0
         84 74 7a 61 f3 6d 18 3f d6 0a 26 bc e6

   {server}  derive secret "tls13 c hs traffic":

      PRK (32 octets):  ba c8 e6 23 e4 82 31 e5 f0 96 4f fc 3b f3 5a e4
         bc 65 59 1a 9e 1a cf f3 6d 18 3f d6 0a 26 bc e6

      hash (32 octets):  58 7e dd f9 47 f8 d1 4f e6 32 6b f5 97 eb b9 2c 07 c3 11 0c b7
         33 89 d7 ba ed de 2f e3 04 7d 77 20 19 90 2e 4c

      info (54 36 ec 60 e8

      IKM (32 octets):  00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72
         61 66 66 69 63 20 58 7e dd f9 47 f8 d1 4f e6 32 6b 07 c3 11 0c
         b7 33 89 d7 ba ed de 2f e3 04 7d 77 20 19 90 2e 4c

      output 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  23 03 a8 1a 55  57 c1 5d 7b 9d 44 1b 3d 40 a9 e2 92 d3 23 cd c8 9a b2 dd c6 ea 8a 3d 73
         0e 07 b3 a1 63 40 f8 ea 7a 33 39 ed 70 70 b9 a7 4a 3f 4f d9 dd 99 5c 72 50 c3 3e d3 82 b2 db 28

   {server}  derive secret "tls13 s hs traffic":

      PRK (32  send handshake record:

      payload (90 octets):  ba c8 e6 23 e4 82 31 e5 f0 96 4f fc  02 00 00 56 03 03 3b f3 5a 50 fd f1 c3 d5 72 e4
         bc 65 0e
         68 95 3e 7f ff 4e 27 58 45 9c 59 1a 9e 1a cf f3 6d 18 3f d6 0a 26 bc e6

      hash (32 octets): af a0 58 7e dd f9 47 f8 d1 4f e6 2c 0e a0 32 6b 07 c3 11 0c b7
         33 89 d7 ba ed de 2f e3 04 7d 77 20 19 90 87 42 55
         fe 6e 00 13 01 00 00 2e 4c

      info (54 octets): 00 20 12 74 6c 73 31 33 00 24 00 1d 00 20 73 20 68 73 20 74 72
         61 66 66 69 63 20 58 7e dd f9 47 f8 d1 4f e6 32 6c 2e 50 e8 65
         91 9a 6b 07 c3 11 0c
         b7 33 5a 12 df af 91 8f 92 b4 42 56 7b 0f 89 d7 ba ed de 2f e3 bc 54 47 8c 69
         21 36 66 58 f0 62 00 2b 00 02 03 04 7d 77 20 19 90 2e 4c

      output (32

      complete record (95 octets):  e9 9c 61 c4 f3 08 86 7b f9 7f 1d 30  16 03 03 00 5a 02 00 00 56 03 03 3b
         50 fd f1 c3 d5 72 e4 0e 68 95 3e 7f ff 11
         35 ad 33 f5 44 b5 c2 c6 79 4e 27 58 45 9c a2 c7 bd d8 bb 59 af a0
         58 2c 0e a0 32 87 42 55 fe 6e 00 13 01 00 00 2e 00 33 00 24 00
         1d 00 20 6c 2e 50 e8 65 91 9a 6b 5a 12 df af 91 8f 92 b4 42 56 d5
         7b 0f 89 bc 54 47 8c 69 21 36 66 58 f0 62 00 2b 00 02 03 04

   {server}  derive secret write traffic keys for master "tls13 derived": handshake data:

      PRK (32 octets):  ba c8 e6 23 e4 82 31 e5 f0 96 4f fc 3b f3 5a e4
         bc 65 59 1a 9e 1a cf f3 6d 18 3f d6 0a 26 bc e6

      hash (32 octets):  e3 b0 c4  8b 02 d3 c0 04 42 a2 72 2c 40 98 fc 1c 14 eb e8 67 5b 23
         e8 01 51 0f 0d 7e d7 78 d8 eb 0b 8f 42 a1 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 5e

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key expanded (16 octets):  6c b6 e6 06 19 d8 c7 35 5c 5d 4c a4 95 99 1b 78 52 b8 55 4b c2
         be 90 d5

      iv info (49 (12 octets):  00 20 0d 0c 08 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output (32 00

      iv expanded (12 octets):  cc c4 24 b2 2c e3 72 2a 86 5e 45 b8 fc 1c 98
         a6 36 9a 61 15 15 15 bb c8 4d f5 f7 3f e1 c5 e7 fe  64 f2 39 53 0c 3b 88 8f de 85 e0 be

   {server}  extract secret "master":

      salt (32 octets):  cc c4 24 b2 2c e3 72 2a 86 5e 45 b8 fc 1c 98 a6
         36 9a 61 15 15 15 bb c8 4d f5 f7 3f e1 c5 e7 fe

      IKM (32  construct a EncryptedExtensions handshake message

      EncryptedExtensions (40 octets):  08 00 00 24 00 22 00 0a 00 14 00
         12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c
         00 02 40 01 00 00 00 00

   {server}  construct a CertificateRequest handshake message

      CertificateRequest (43 octets):  0d 00 00 27 00 00 24 00 0d 00 20
         00 00 00 00 00 00 00 00 00

      secret (32 octets):  7a 50 b7 21 1f a2 3c 29 37 31 72 ad f8 50 39
         53 dc 76 53 af 95 0b 6b 61 9b 42 ce 1c a9 38 22 f1 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06
         01 02 01 04 02 05 02 06 02 02 02

   {server}  send  construct a Certificate handshake record:

      payload (90 message

      Certificate (319 octets):  02 00  0b 00 56 03 03 ed 01 3b 39 8e d9 27 26 f8 9e
         ac 52 ea 27 89 c1 00 9d d6 e2 5f 9f 3e c0 f4 00 3d a5 20 93 e4
         c9 34 00 13 01 37 00 00 2e 00 33 00 24 00 1d 00 20 23 dc 3e 49 01 32 30 82
         01 2e
         c4 56 63 c3 ad b5 17 ec 8e ef a6 5b 76 c0 cf 21 21 f4 af f5 09
         50 0c 05 19 7f 30 81 d5 a0 03 02 01 02 02 01 07 30 0a 00 2b 00 06 08 2a 86 48 ce
         3d 04 03 02 30 13 31 11 30 0f 06 03 55 04

      ciphertext (95 octets):  16 03 03 00 13 08 65 63 64 73
         61 32 35 36 30 1e 17 0d 31 36 30 37 33 30 30 31 32 34 30 30 5a 02 00 00 56
         17 0d 32 36 30 37 33 30 30 31 32 34 30 30 5a 30 13 31 11 30 0f
         06 03 55 04 03 ed 3b 39
         8e d9 27 26 f8 9e ac 52 ea 27 89 c1 00 9d d6 e2 5f 9f 3e c0 f4
         00 13 08 65 63 64 73 61 32 35 36 30 59 30 13 06 07
         2a 86 48 ce 3d 02 01 06 08 2a 86 48 ce 3d a5 20 93 e4 c9 34 00 13 03 01 07 03 42 00 04
         08 d5 30 16 15 75 f4 cf e7 f1 54 ee 34 48 18 00 2e 00 33 00 24 86 00 1d 1e 88 43
         1a 79 ee 62 ee 6e 2f 83 ef 38 ba 61 e9 fb 37 f3 4e 00
         20 23 dc 3e 49 2e c4 56 63 c3 ad 7a 7d f4
         d2 f5 b5 17 6d 1f 04 ec 8e ef a6 5b 76 c0 cf
         21 21 f4 af e4 5d 62 1f 46 84 06 f5 c3 a1 51 58 94 8d
         d0 a3 1a 30 18 30 09 50 0c 05 19 7f 0a 00 2b 00 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55
         1d 0f 04

   {server}  derive write traffic keys for handshake data:

      PRK (32 octets):  e9 9c 61 c4 f3 04 03 02 07 80 30 0a 06 08 2a 86 7b f9 7f 1d 48 ce 3d 04 03 02 03
         48 00 30 56 ff 11 35
         ad 33 f5 44 b5 c2 c6 79 9c a2 c7 bd d8 bb 56 d5

      key info (13 octets): 45 02 21 00 10 09 74 6c 73 31 33 20 6b 65 df 30 fd 45 07 f5 ed d2 2c 1a 6f f8 6d b4
         79 00

      key output (16 octets):  61 a2 08 ca 69 3f ee ca 3b 71 b3 f9 c7 7f 35 96 9e 7f 1e 0e a2 75
         4c 92

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 ef 55 6b 29 37 c0 59 4d 02 20 69 62
         e2 a4 72 50 d3 20 fe a8 3c 7e 2d cb 5b 76 a5 0e 02 00

      iv output (12 octets):  08 a7 d2 c0 9a d2 4b bf db
         d1 3f ee 94 6e 51 1e a2 dd 45

   {server}  send a EncryptedExtensions handshake message

   {server}  send a CertificateRequest handshake message

   {server}  send a Certificate handshake message 3e 01 1d 11 00 00

   {server}  send  construct a CertificateVerify handshake message

      CertificateVerify (79 octets):  0f 00 00 4b 04 03 00 47 30 45 02
         21 00 d7 a4 d3 4b d5 4f 55 fe e1 a8 96 25 67 8c 3d d5 e5 f6 0d
         ac 73 ec 94 0c 5c 7b 93 04 a0 20 84 a9 02 20 28 9f 59 5e d4 88
         b9 ac 68 9a 3d 19 2b 1a 8b b3 8f 34 af 78 74 c0 59 c9 80 6a 1f
         38 26 93 53 e8

   {server}  calculate finished "tls13 finished":

      PRK (32 octets):  e9 9c 61 c4 f3 08 86 7b f9 7f 1d 30 56 ff 11 35
         ad 33 f5 44 b5 c2 c6 79 9c  8b 02 d3 c0 04 42 a2 c7 bd 72 2c 40 98 eb e8 67 5b 23
         e8 01 51 0f 0d 7e d7 78 d8 bb 56 d5 eb 0b 8f 42 a1 9a 5e

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output

      expanded (32 octets):  9f 46 ac 32 80 c8 66 da b9 27 45 b6 af ec 7c
         b3 5a 58 1a 4a 6c 8e  4e 79 5c de 23 9d 5e 09 a4 9c 19 0e ae 44 1b 9e 71
         6e eb 13 85 49 05 8c db 76 fa 9a ee af 54 8a ef 56 3e

      finished (32 octets):  93 b7 0c df 47 81 98 5b 96 d0 ad 30 2e 34 5c aa c7 01
         b4 e7 50 d3 04 2d f1 a6 89 d8 fa ca 81 22 51 11 3c 11

   {server}  send  construct a Finished handshake message

      Finished (36 octets):  14 00 00 20 93 b7 0c df 47 81 98 5b 96 34
         5c aa c7 01 b4 e7 50 d3 04 2d f1 a6 89 d8 fa ca 81 22 51 11 3c
         11

   {server}  send handshake record:

      payload (516 (517 octets):  08 00 00 24 00 22 00 0a 00 14 00 12 00 1d
         00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 00 02 40
         01 00 00 00 00 0d 00 00 27 00 00 24 00 0d 00 20 00 1e 04 03 05
         03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02
         05 02 06 02 02 02 0b 00 01 3b 00 00 01 37 00 01 32 30 82 01 2e
         30 81 d5 a0 03 02 01 02 02 01 07 30 0a 06 08 2a 86 48 ce 3d 04
         03 02 30 13 31 11 30 0f 06 03 55 04 03 13 08 65 63 64 73 61 32
         35 36 30 1e 17 0d 31 36 30 37 33 30 30 31 32 34 30 30 5a 17 0d
         32 36 30 37 33 30 30 31 32 34 30 30 5a 30 13 31 11 30 0f 06 03
         55 04 03 13 08 65 63 64 73 61 32 35 36 30 59 30 13 06 07 2a 86
         48 ce 3d 02 01 06 08 2a 86 48 ce 3d 03 01 07 03 42 00 04 08 d5
         30 16 15 75 f4 cf e7 f1 54 ee 34 48 18 00 86 00 1e 88 43 1a 79
         ee 62 ee 6e 2f 83 ef 38 ba 61 e9 fb 37 f3 4e 00 7a 7d f4 d2 f5
         b5 6d 1f 04 ec e4 5d 62 1f 46 84 06 f5 c3 a1 51 58 94 8d d0 a3
         1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d 0f
         04 04 03 02 07 80 30 0a 06 08 2a 86 48 ce 3d 04 03 02 03 48 00
         30 45 02 21 00 df 30 fd 45 07 f5 ed d2 2c 1a 6f f8 6d b4 79 ca
         69 3f ee ca 3b 71 b3 f9 ef 55 6b 29 37 c0 59 4d 02 20 62 e2 a4
         72 50 d3 20 fe a8 3c 7e 2d cb 5b 76 a5 0e 02 00 c0 9a db d1 3f
         ee 94 6e 51 3e 01 1d 11 00 00 0f 00 00 4a 4b 04 03 00 46 47 30 44 45 02
         20 4e c5 5a 94 22 b9 26 82 ac f6 01 da 8e ad dc
         21 00 d7 a4 d3 4b d5 4f 55 fe e1 a8 43 17 0c 52
         94 cb b0 92 64 60 09 a2 22 8f c6 96 25 67 8c 3d d5 e5 f6 0d
         ac 73 ec 94 0c 5c 7b 93 04 a0 20 84 a9 02 20 33 61 b0 28 9f 59 5e d4 88
         b9 ac 68 9a 3d 19 2b 1a 8b b3 8f 34 af 78 aa 74 c0 59 c9 80 6a 1f
         38 26 93 db
         6e 9c 22 ad f1 88 5b 9e 0a 3e d4 ec dd 5c ef dc ce 63 f9 99 84
         82 0b 23 ee 53 e8 14 00 00 20 65 0d bb 4b 5a 6a ce 4e 23 93 b7 0c df 47 81 98 5b 96 34 5c 3a 3a 39
         06 09 41 fc 25 37 58 6e 9b 56 27 2e 5f d1 31 aa
         c7 01 b4 e7 50 d3 04 2d f1 a6 89 d8 fa ca 1f d2 74

      ciphertext (538 81 22 51 11 3c 11

      complete record (539 octets):  17 03 03 02 15 3a cf 25 29 62 4c 10 c3
         30 42 26 01 83 6e f0 93 ef ff c9 21 c2 60 9e 77 58 42 c4 65 ea
         a3 2c ca 23 34 06 4c 8d d8 53 96 ba 07 a8 6b d0 83 28 bc 07 e1
         f8 96 9d 93 09 68 79 a8 ee d4 af 92 e3 e3 ea 74 63 28 d6 40 22
         04 a5 9c a9 9c a8 2d 42 18 f0 85 10 60 ab ca 1e d6 c9 24 d6 49
         a1 6f 4c 5f 59 37 a6 de dd 36 de aa b7 25 ff 5c ab 8d 05 10 cc
         4d a2 c4 b7 57 16 6d 0a 7a 06 2a f1 5a 89 f7 ca 9f 8e ae 62 cf ea 55 6c c0 51 be ed c6 db ac 7f b2 1d a9 10 e7 07 5b 39 7c 32 f7 a5 a5
         0c e7 e8 22 9a 7c f5 db 31 8e f9 be 79 b3 2a af 45 04 0d 15 96
         94 aa 72
         d7 99 81 3b 79 37 db 78 dc cc df 5c 1a b0 bb ad 95 29 34 f2 a8
         e3 0f 68 c4 e2 60 2b 72 d0 11 8e fb 24 02 0c 0f 35 b1 4c bd af 1a b6
         9e 89 3e 6b a9 8b d0 d3 c1 85 f5 1c db 02 9a 88 11 0d 97 59 26 af 49 c2 36 fb bc e3 d6 47
         f0 ba 32 b2 15
         1b a6 52 db 8f 3c 94 a2 bf 42 4d 87 08 88 36 05 ad 89 55 f9 77 18 b0 21 ed
         3d ea d1 3d fb 23 eb b8 38 1d a5 82 75 66 12 bc b5 a5 d4 08 47
         71 9f be 9f 17 9b fa e6 56 f3 ec fd 59 a4 6e ba 90 f0 d5 c0 d3 51 8c e1 1c 9e 48 61 34
         ee 18 6e 98 f2 0c 32 ce 41 8a
         7e 46 f6 b6 a6 06 67 93 19 5a 22 f8 a6 c0 6b 28 d8 33 60 16 7a 38 35 63 be 9c 37
         f9 ae 57 2d 66 4b 84
         46 09 36 ca f7 fd 83 7e b9 02 32 69 24 a7 2b 3e d8 c8 38 12 77 d1 58 33 0a 99 a0 41 b5 d6 1c ab 9c 37
         15 ac 24 01 39 84 67 ad 7e bf ab 3d db 52 2a e4 20
         bd 46 e0 7a b1 da 63 0c 34 19 e7 50 10 4f 43 d3 c2 d6 46 cf df 0d 07 cc 7d 62
         c5 02 79 01 f2 e4 cd 4c a5 b8 07 1e ed
         c7 98 a0 ad b0 3d 3c 73 2d 83 21 50 66
         df c4 d2 91 d4 c1 ff 3b 8d 7e 42 98 51 52 40 48 0c f6 77 d4 d5 1d ea 11 68 d8
         f1 6c b2 7b a4 02 13 66 31 3a 1f ed f9 e2 3c c7 7f 76 54 50 f9 e9
         6f 05 d0 8f 3d a2 45 b1 87 4d 49 46 f0 7e c8 1e ed 6d 56 f2 6b d5
         74 f0 b7 f7 c7 04 70 37 2d 8d c1 6f ce 3b 23 75 4e 66 2f ad 73 e2 b7
         21 3f 6a f2 96 76 9c 99 a1 d3 aa
         42 9f 8e 62 32 e0 ec 8d c4 f8 20 94 34 b0 a5 a1 44 8c d6 30 1e c6 37 5e 5f f6 d9 26
         55 d1 ae 13 49 97 ef 3b 97 34 f3 89 6e 5d 4d 6a a6
         f7 de 38 87 be 00 57 86 2f b4 ce 0c 90 d8 d9
         ea b9 18 e0 ab 39 67 da f2 0f 95 05 71 2e e3 6a 33 48 6f 05 72 2a 0b 9f a7
         d8 f6 77 bd 9b 2a b2 45 97 ff 68 0b aa 40 90 ab 5f
         2d 51 e7 20 f1 99 6a 58 fa
         7f 46 0a 1d 60 6d fb 7a e6 b1 22 ff 63 25 a5 57 e7 a0 9d a4 cc 92 55 dc 82 99
         15 32 0d 4e ff d4 6b b4 be db f1 f9 97 d1 63 20 7c ce
         66 2d 0f f4 56 22 65 29 4a a4 cf 75 0e 46 55 41 cd c6 32 e3 fe 37 ee 73 50 65 9e a5 50 d6 dc b6
         af 3c 51 88 52 c7 a1 e0 4c 07 2f e9 2d 32 9a 26 3f 67 62 be ad 3c c1 5b c3 2b 32 73 bd f1 75 1d a1 84
         20 31 65 92 b5 01 35 b1 17 d3 00 20 4f b1 2d 28
         07 58 ca 9a c3 4b 68 ec a2 12 17 ae 70 30
         83 34 59 00 f1 f4 cb 1c 2f 7a 77 05 27 20 60 fb 35
         12 86 16 4b 46 d2 a5 57 57 f6 3f e8 f6 e8 5a c4 74 69 e6 19 8d
         a8 8a ce d6 be 48 23 6a 64 58 6b c6 e6 88 f2 3c 69 59 0d e8 22 26 3b e7 5f d8 36 84 72 40
         c4 8f 8c 14 5c d6 bd 69 89 62 e7 ed c2 34 eb e5 92 31 35 1e ef
         8d 76 52 cf 3b 08 ab 3a f6 e5 ec 74 c5 8a 8d a3 4b 39 f9 b0 d6
         c4 27 9a 9a 1f 82 07 17 29 e7 05 9d 3a 09 3d d4 d7 f7 b9 5b 94 33 c4 68 4c
         e1 89 1a 6d 33 43 2d 52 ed db 0b 8c ee 91 81 d4 03 ec cc 12 99
         1f 1a d4 aa 62 c3 60 49 71 3a 7b b1 35 fd da 66 61 a0 5a 93 f8
         c1 6f

   {server}  derive secret "tls13 c ap traffic":

      PRK (32 octets):  57 c1 5d 7b 9d 44 1b 3d 40 a9 c6 ea 8a 3d 73 0e
         07 b3 a1 ea 7a 50 b7 21 1f a2 3c 29 37 31 72 ad f8 50 33 39 53
         dc 76 53 af 95 0b 6b 61 9b 42 ce 1c a9 38 22 f1 ed 70 70 b9 a7 4a 3f 4f 28

      hash (32 octets):  95 7f 54 ae 99 e3 22 ae  51 0d 51 4d 30 73 1b 0e 77 a2 9a f5 a1 7f f1 71 0f 69 0a 0b 0c 28 6a 66 0e c4 86 69 d7 9b 49 33 e4 31 85 1d 12 83
         45 36 6c 17 20 d3 8f 8f 04 65 ee ea e6 74 03 72

      info (54 octets):  00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72
         61 66 66 69 63 20 95 7f 54 ae 99 e3 22 ae 51 0d 51 4d 30 73 1b
         0e 77 a2 9a f5 a1 7f f1 71 0f 69 0a 0b 0c 28 6a 66 0e c4 86 69 d7

      output (32 octets):  e6 47 9b 49 33 e4 31 85 57 d7 f3 3b b2 77 01 be 1d 12
         83 45 36 6c 17 20 d3 8f 8f 04 65 ee ea e6 74 7f 03 72

      expanded (32 octets):  73 c2 e8 90 fa 8d 06 72 58 d6 d5 0f a9 2f bf
         e4 56 b0 98 cf 00 d9 72 e4 7e ed 91 4f 96 7a 8a b7 20 c9 36 7f f6 61 49 2a e8 89 2e f4 e6 f8 60

   {server}  derive secret "tls13 s ap traffic":

      PRK (32 octets):  7a 50 b7 21 1f a2 3c 29 37 31 72 ad f8 50 39 53
         dc 76 53 af 95 0b 6b 61 9b 42 ce 1c  57 c1 5d 7b 9d 44 1b 3d 40 a9 38 22 f1 c6 ea 8a 3d 73 0e
         07 b3 a1 ea 7a 33 39 ed 70 70 b9 a7 4a 3f 4f 28

      hash (32 octets):  95 7f 54 ae 99 e3 22 ae 51 0d  51 4d 30 73 1b 0e 77 a2 9a f5 a1 7f f1 71 0f 69 0a 0b 0c 28 6a 66 0e c4 86 69 d7 9b 49 33 e4 31 85 1d 12 83
         45 36 6c 17 20 d3 8f 8f 04 65 ee ea e6 74 03 72

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72
         61 66 66 69 63 20 95 7f 54 ae 99 e3 22 ae 51 0d 51 4d 30 73 1b
         0e 77 a2 9a f5 a1 7f f1 71 0f 69 0a 0b 0c 28 6a 66 0e c4 86 69 d7

      output 9b 49 33 e4 31 85 1d 12
         83 45 36 6c 17 20 d3 8f 8f 04 65 ee ea e6 74 03 72

      expanded (32 octets):  2e 5d c3 82 75 26 7f 49 ae bd 06 3b 4c 22 70
         5d 41  c4 9a 91 fa f5 7f 79 b0 4e 63 7c 93 d3 e3 2a 7d 8c 54 6e 5d 50 48 a0 15 bf
         84 9f f6 39 42 e4 a7 ed cd 31 9f 8b 43 8a 97 c5 2e b3 21

   {server}  derive secret "tls13 exp master":

      PRK (32 octets):  57 c1 5d 7b 9d 44 1b 3d 40 a9 c6 ea 8a 3d 73 0e
         07 b3 a1 ea 7a 50 b7 21 1f a2 3c 29 37 31 72 ad f8 50 33 39 53
         dc 76 53 af 95 0b 6b 61 9b 42 ce 1c a9 38 22 f1 ed 70 70 b9 a7 4a 3f 4f 28

      hash (32 octets):  95 7f 54 ae 99 e3 22 ae  51 0d 51 4d 30 73 1b 0e 77 a2 9a f5 a1 7f f1 71 0f 69 0a 0b 0c 28 6a 66 0e c4 86 69 d7 9b 49 33 e4 31 85 1d 12 83
         45 36 6c 17 20 d3 8f 8f 04 65 ee ea e6 74 03 72

      info (52 octets):  00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73
         74 65 72 20 95 7f 54 ae 99 e3 22 ae 51 0d 51 4d 30 73 1b 0e 77 a2 9a f5 a1 7f
         f1 71 0f 69 0a 0b 0c 28 6a 66 0e c4 86 69 d7

      output 9b 49 33 e4 31 85 1d 12 83 45
         36 6c 17 20 d3 8f 8f 04 65 ee ea e6 74 03 72

      expanded (32 octets):  c5 10 a7 cd 37 4a 95 c4 47 ba 18 53 71 7b a6
         02 25 11 6c 89 2f  05 2e 39 79 5e 5f 2b 62 86 26 28 a5 72 df 54 68 92 e6 e4 e0 97 4c fd d8
         6c 6a 7a fe 3e 57 e5 58 98 10 a3 cc cf 64 29 58 be b2

   {server}  derive write traffic keys for application data:

      PRK (32 octets):  2e 5d c3 82 75 26 7f 49 ae bd 06 3b 4c 22 70 5d
         41  c4 9a 91 fa f5 7f 79 b0 4e 63 7c 93 d3 e3 2a 7d 8c 54 6e 5d 50 48 a0 15 bf 84 9f
         f6 39 42 e4 a7 ed cd 31 9f 8b 43 8a 97 c5 2e b3 21

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00
      key output (16 octets):  3f d4 15 17 e6 ab 77 a2 e8 2d 51 f0 34 fc 31 33 20 6b 65 79 00

      key expanded (16 octets):  88 b3 12 3d de ca df 8c 21 1b a2 98 e2 c1
         81 76 b0

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output expanded (12 octets):  8f 51 67 7a  4e 55 3e ce e0 2c c3 48 09 78 51 3f 9d e8 32 7c 08 e4 f3

   {server}  derive read traffic keys for handshake data:

      PRK (32 octets):  23 03 a8 1a 55 a9 e2 92 d3 23 cd c8 9a b2 dd a1
         63 40 f8 4f d9 dd 99 5c  ce c7 a3 0c 68 72 50 c3 3e d3 82 b2 07 0f 22 a7 ee b0 65 76 8d b6
         7c 45 e2 95 33 db 87 99 08 ce 6d c6 6f 59 11 de

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output expanded (16 octets):  2f b3 45 4b aa 32  91 69 48 f7 28 d9 82 3f a4 1a 00 4d 08 04 f1 46 3b 6d 86 9e
         5c 6e
         3f 21 7f

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output expanded (12 octets):  8d 74 fa ab ae  64 15 3d cf 20 6d 04 dc f8 79 ba c9 ea 10 ca 5a 0a 88

   {client}  extract secret "early":

      salt:  (absent)

      IKM (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a "early" (same as server early secret)

   {client}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output

      expanded (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba
         b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {client}  extract secret "handshake":

      salt (32 octets):  6f 26 15 57 6c 36 11 ba

   {client}  extract secret "handshake" (same as server handshake
      secret)

   {client}  derive secret "tls13 c hs traffic" (same as server)
   {client}  derive secret "tls13 s hs traffic" (same as server)

   {client}  derive secret for master "tls13 derived" (same as server)

   {client}  extract secret "master" (same as server master secret)

   {client}  derive read traffic keys for handshake data (same as server
      handshake data write traffic keys)

   {client}  calculate finished "tls13 finished" (same as server)

   {client}  derive secret "tls13 c ap traffic" (same as server)

   {client}  derive secret "tls13 s ap traffic" (same as server)

   {client}  derive secret "tls13 exp master" (same as server)

   {client}  derive write traffic keys for handshake data (same as
      server handshake data read traffic keys)

   {client}  derive read traffic keys for application data (same as
      server application data write traffic keys)

   {client}  construct a Certificate handshake message

      Certificate (451 octets):  0b 00 01 bf 00 00 01 bb 00 01 b6 30 82
         01 b2 30 82 01 1b a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48
         86 f7 0d 01 01 0b 05 00 30 11 31 0f 30 0d 06 03 55 04 03 13 06
         63 6c 69 65 6e 74 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35
         39 5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 11 31 0f
         30 0d 06 03 55 04 03 13 06 63 6c 69 65 6e 74 30 81 9f 30 0d 06
         09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81
         81 00 c3 81 75 e0 04 a6 8d 09 3f 82 3b 9c 37 9d 20 1f bc 0b b7
         a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 91 90 5e 3f bf 76 18 9c 48 25 0c 84 7e 44 e7 51 eb ea c3 57 6c 36 11 ba

      IKM (32 octets):  b2 0d 9a cb bc d3 60 bd 94 5c 81
         e5 22 2b cc 88 46 d3 a8 a0 e0 38 1d 9f f9 3e 9b f5 1e 9d 7c b8 ba 18
         a9 be ba 63 bd 92 ed f1 de 1f
         f1 90 21 70 3e 7a b6 c0 90 15 13 f9 7e e5 39 b1 11 f0 9c 93 08 13 da 7f f8 62 e6 62 44 48 97
         1c 7b 21 19 84 a7 54 cd 45

      secret (32 octets):  ba c8 e6 23 e4 82 31 e5 f0 96 4f fc 3b f3 fe 09 5a
         e4 bc 65 59 1a f0 ea 42 36 82 9b cc f7 a7
         fe 9b 28 88 e7 8a b4 77 69 0a 5b 9e 1c cb e9 1c 6a 4a 0f 97 a7
         e0 28 42 01 02 03 01 00 01 a3 1a cf f3 6d 30 18 3f d6 0a 26 bc e6

   {client}  derive secret "tls13 c hs traffic" (same as server)

   {client}  derive secret "tls13 s hs traffic" (same as server)

   {client}  derive secret for master "tls13 derived" (same as server)

   {client}  extract secret "master" (same as server)

   {client}  derive read traffic keys for handshake data:

      PRK (32 octets):  e9 9c 61 c4 f3 08 86 7b f9 7f 30 09 06 03 55 1d 13 04
         02 30 56 00 30 0b 06 03 55 1d 0f 04 04 03 02 07 80 30 0d 06 09 2a
         86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 1a 7a 5a 01 85 32 b0
         22 af 07 67 d4 86 16 0c ff 11 2d 16 7a 19 15 d2 38 35
         ad 33 f5 44 b5 c2 45 94 91
         6d c6 79 9c a2 c7 bd d8 bb 56 80 be 5d 2e 62 60 76 c5 d5

      key info (13 octets): 27 22 eb cc 77 5d 7d 99 f9 80
         be 2f c9 4d 34 ac f6 cc 00 ba 90 cb cf b0 60 8a a1 e7 e3 97 1e
         f0 c0 7a 41 d4 7a d8 34 5d 1f 81 fe 41 8a 1c f4 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  61 a2 54 42 9f d2
         17 bd 77 7d c1 cf 08 f0 5d f9 c7 7f 35 96 9e 7f 1e 0e a2 75
         4c 92

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  08 a7 d2 9a d2 4b bf 51 07 99 c6 59 36 1e 0f 1a 8e e4 ac
         0f 78 97 42 0b db c8 23 da 80 a2 dd 45

   {client}  calculate finished "tls13 finished" (same as server)

   {client}  derive secret "tls13 c ap traffic" (same as server)

   {client}  derive secret "tls13 s ap traffic" (same as server)

   {client}  derive secret "tls13 exp master" (same as server)

   {client}  derive write traffic keys for handshake data (same as
      server read traffic keys)

   {client}  derive read traffic keys for application data (same as
      server write traffic keys)

   {client}  send a Certificate handshake message f2 ba 23 08 1c 00 00

   {client}  send  construct a CertificateVerify handshake message
   {client}  calculate finished "tls13 finished":

      PRK (32

      CertificateVerify (136 octets):  0f 00 00 84 08 04 00 80 18 6b 22
         23 b5 03 a8 1a 55 a9 e2 92 d3 23 cd c8 9a a7 59 c3 5d ba 0e 97 21 b4 b5 79 13 8d 5f 0f 5e 6e c7
         fe aa f2 7f 3a d7 f3 86 c2 c7 bd 7c b2 dd a1 be 52 fb f5 ed 83 93 f4
         06 ee 79 36 96 92 ec 7a c6 95 65 1d 85 82 19 e6 72 a8 eb 7b 2a
         67 7b 64 0b 46 ab 63 40 f8 4f 0e dc 5f 3f 2f 82 72 b9 c0 d9 06 f8 1f 84
         dd 99 5c 72 c5 b8 c7 bc f9 55 c7 8a 3c f9 9e 50 c3 16 f7 3e d3 82 04 eb 7d fc b2
         88 33 f1 3e 8f 75 ec 2f f3 58 1e 2f 09 8a d4 15 7f d6 d6 ad

   {client}  calculate finished "tls13 finished":

      PRK (32 octets):  ce c7 a3 0c 68 72 07 0f 22 a7 ee b0 65 76 8d b6
         7c 45 e2 95 33 db 87 99 08 ce 6d c6 6f 59 11 de

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output

      expanded (32 octets):  9e 53 42 bd  4f dd d7 6b bc b8 e3 0c 72 61 b1 db 40 1b
         b1 36 ed 39 bc e6 a4 81 5a 21 24 47 6e 27 e6 cb cb f6

      finished (32 octets):  9a fe 2b a2 f6 3a 09 d2 29 d8 a4 29 e5 b3
         7f ac 99 c3 40 fd 9f cc 73 bd 4a 58 0f 63
         20 49 8a 4f 63 6a 61 da b5 91 1b 82 42 59 72 aa 28 92 7a a2 ef 20 75 e9 74 86 44 0f

   {client}  send  construct a Finished handshake message

      Finished (36 octets):  14 00 00 20 9a fe 2b a2 f6 3a 09 d2 29 d8
         a4 29 e5 b3 7f fd 9f cc 73 bd b5 91 1b 82 42 59 72 aa 28 92 44
         0f

   {client}  send handshake record:

      payload (623 octets):  0b 00 01 bf 00 00 01 bb 00 01 b6 30 82 01
         b2 30 82 01 1b a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86
         f7 0d 01 01 0b 05 00 30 11 31 0f 30 0d 06 03 55 04 03 13 06 63
         6c 69 65 6e 74 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39
         5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 11 31 0f 30
         0d 06 03 55 04 03 13 06 63 6c 69 65 6e 74 30 81 9f 30 0d 06 09
         2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81
         00 c3 81 75 e0 04 a6 8d 09 3f 82 3b 9c 37 9d 20 1f bc 0b b7 a1
         c7 91 90 5e 3f bf 76 84 7e 44 e7 51 eb bc d3 60 bd 94 5c 81 e5
         22 2b cc 88 46 d3 a8 a0 f9 3e 9b f5 be ba bd 92 ed f1 de 1f f1
         90 21 70 3e 7a b6 c0 90 15 13 f9 7e 39 b1 11 f0 9c 93 48 97 1c
         7b 21 19 84 a7 54 cd 45 fe 09 5a f0 ea 42 36 82 9b cc f7 a7 fe
         9b 28 88 e7 8a b4 77 69 0a 5b 9e 1c cb e9 1c 6a 4a 0f 97 a7 e0
         28 42 01 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02
         30 00 30 0b 06 03 55 1d 0f 04 04 03 02 07 80 30 0d 06 09 2a 86
         48 86 f7 0d 01 01 0b 05 00 03 81 81 00 1a 7a 5a 01 85 32 b0 22
         af 07 67 d4 86 16 0c ff 2d 16 7a 19 15 d2 38 35 b5 45 94 91 6d
         c6 80 be 5d 2e 62 60 76 c5 d5 27 22 eb cc 77 5d 7d 99 f9 80 be
         2f c9 4d 34 ac f6 cc 00 ba 90 cb cf b0 60 8a a1 e7 e3 97 1e f0
         c0 7a 41 d4 7a d8 34 5d 1f 81 fe 41 8a 1c f4 10 54 42 9f d2 17
         bd 77 7d c1 cf 08 f0 5d f9 07 99 c6 59 36 1e 0f 1a 8e e4 ac 0f
         78 97 42 0b db c8 23 da 80 a2 f2 ba 23 08 1c 00 00 0f 00 00 84
         08 04 00 80 bc cd 87 0a 6d 51 75 ab 6a 18 6b 22 23 b5 03 a7 59 c3 5d ba 0e 97 3f 99 0f 44 33 b9 f4
         ed ea 6a a9 4c e5 c4 a9 0a 07 21 b4 b5 79
         13 8d 5f 0f eb b8 9e 1c f5 24 62 d6 a0 5e
         62 1b 81 96 24 eb 9b f7 57 3a 08 bb 75 3d 4a 19 43 34 59 62 19
         68 75 04 54 05 6f 3d 7c e1 22 6e c7 fe aa f2 7f c2 9e 12 31 36 3e 4e 3a d7 f3 86 c2 c7 bd 7c b2 be
         52 fb f5 ed 5f e0
         f4 93 83 7e f6 fe 4a 63 93 f4 06 ee 79 36 96 92 ec 7a c6 95 65 1d 85 82
         19 52 e6 72 a8 eb 7b 2a 67 7b 64 0b 46 ab 63 9a ff e7 75 ae 41 76 bb bf
         69 13 b3 a1 a6 77 a0 35 6f 0e dc 5f 3f 2f 82 72
         b9 c0 d9 06 f8 1f 84 dd c5 b8 c7 bc f9 55 c7 8a 3c 0f 95 3d 35 77 fb 53 76 13 f9 9e 50 16
         f7 3e 04 eb af
         84 8e 6a ee 7d fc b2 88 33 f1 3e 8f 75 ec 2f f3 58 1e 2f 09 8a
         d4 15 7f d6 d6 ad 14 00 00 20 97 96 f8 14 93 a1 49 f5 37 f9 9b
         3c 4c f8 55 a0 88 5c 64 10 ff a1 db 0e 25 f3 43 a5 ff 9a fe 2b a2 f6 3a 09 d2 29 d8 a4
         29 e5 b3 7f fd 9f cc 73 bd b5 1d 60

      ciphertext 91 1b 82 42 59 72 aa 28 92 44 0f

      complete record (645 octets):  17 03 03 02 80 b4 6a 63 93 4e 67 38 0f e4 54 42 85 14 4f
         66 58 7c 3f ee 90 97 e2 e5 f4 cf ad 97 31 dc 59
         41 ab af 26 74 03 bc 67 7f 6b 6d 2a 1e 2f 12 bb 5f 62 68 3b fe
         36 7e 0f 73
         ea a8 c3 16 26 73 f0 6d 62 87 dd d6 09 bc f2 f5 fd 32 25 92 3d 24 af
         3c 76 68 2c 18 0e e5 71 a1 7c a4 bf be 2f 51 cf 0d c9 a0 e1 fc da 0c 7f 2a 85 d7 46 36 85 7e 61 91 9e 7a
         3e a5
         cf f2 ce e8 7d 11 cb 53 1a dd 24 b1 d0 8f 37 35 04 36 6e f9 0b f5 d2 96 78 30 9a 6b 63 bb bc 0b 88
         ea 45 10 3a 43 6f 04 09 15 43 85 9f a1 1e c0 32 ed 87 34 44 cd 51
         85 ea d5 f6 a7 64 20 f0 f0 28 6a df 4e 4e
         46 f9 fb 0c 79 ce f8 02 c8 e4 78 8c 23 27 5f
         1b 06 da 40 cb 43 dd 82 50 a5 fa 60 0f 4a 7d ec d0 bc 61 59 d7 be f1 0e 64 9a e3 26 90 39
         7f c3 d4 ed 6f 30 f8 01 d8 cd 56 9b 71 ad 4f a0 5e a7 cf 2a c2
         df a1 50 d2 20 50 5d 40 11 b3 4d 09 d5 38 53 eb a6 1a 10 1e 4f
         8d ca 47 d8 17 1a 88 4b 19 25 9a 4c 3d
         31 59 6c e3 1b 4c a9 4c d4 8c 5a c1 41 98 3e dc 77 16
         81 4d 25 e7 f6 f8 0d 09 26 80 d6 ce 6b bb db 90 96 83 92 66 e0 65 61 82 8e cf b2 7e
         af d4 e9 e8 1a 0b 96 e3 bf e5 c5
         cc 0e 51 15 ff 10 a4 2d ae 5a d8 03 59 b9 a6 80 1d 82 07 f4 ec ea a8 82 66 14 02 e1 bd 55 ab
         b0 ec aa 4f 0e 41 af 70 54 e0 ff df 76 4a 84 cd 01 be
         c3 a2 0f d7
         b4 91 e5 c1 20 d9 93 31 4c bd 43 55 65 25 3f b2 4b 6e 67 85 ea
         79 8f 86 2c fe 0d 10 41 77 03 01 de 13 d5 f0 06 db d8 f3 f8 d2 75 5c 1b 4d 46 d1
         d6 a3 b2 43 ea 8b 45 12 f6 5b b6 a0 15 9d 51 2e aa 64 27 3a 84 36 3c cc 93 69 a5 b1 3a 0b 60 09 d4 47 23 a8 f5 aa 9d 8b c9 37 1f b0 da dc 45 16 fc f2
         2a 25 9f 84 2d 31 3b d5 8c 2e 21 fe 05 3d 89 15 39 3d 2b fa db 11 82 0f 74 2d 94 6a 2a fa
         01 4f df d7 da 08 1b 86 26 7c 3c 57 f2 a9 62 95 7e 91 83 b0 a4 ea 68 2c
         96 f7 0b 79 b5 60 13 3e d8 7f fe
         9e 88 3e 7b 69 8e f9 09 61 92 82 3b 27 be 6a 2f b7 b1 c7 51 cc c0
         e3 30 ad 93 b4 e6 36 15 54 14 85 b7 b3 07 b4 23 33 2c 11 ef a8 0b 72 bd ca 6d 77 e1 ed
         20 71 40 2b eb d8 f9 b8
         0a 53 e5 3f 4b 74 94 a8 02 df f2 ab d1 84 d8 c3 9e 6f
         c6 4a 94 85 a3 7b b3 8a 3a f4 c5 9f 80 08 ba d0 54 4e 56 14 e6 88
         ff 57 bc cd 69 35 f8 1f 44 7f 42 0c 1c 1b f4 05 88 18 e9 0b f5
         dc 71 6c ca e4 25 24 85 6d f8 25 0b cd bd 7a f6 8b cb 5f 82 dd 53 06
         1d 02 4f 6d 2f f5 c1 1e 37 92 a9 a7 0e 0e e2 a3 7d 9a c2 0a 1b 96 8a
         c3 91 f8 f9 8b 61 e7 b5 4b 28 31 13 5d 25 24 2a 48 71
         9d 41 41 9e 5b b7 03 98 49 3a e4 a4 7f 45 f1 61 22 53 15 4d da
         bd b8 c6 a3 2f e2 41 c2 65 3e c9 96 33
         9d fa 12 df ae 7a 33 73 df 88 b0 7c a2 7a ef 6d c2 66 a2 5f 13
         f7 1d d6 93 69 bd fe a1 af 5c b6 35 d1 8b 97 38 24
         8b cb 9c fc 61 08 e0 90 2b 86 f6 26 76 03 19 43 15 9c 1f 46 fd 7a 53 ae 51 d3 ac b1
         2d 06 b7 d9 86 14 bf 63 99 c9 99 f4 b2 ae e1 8e 93 f2 d4 d4 a5 48
         0d 6d 12 bf ae 22 6b bd c9 2a 6a d5 0b 4d 3b ac 7a bc 3b 36 51
         eb 5b e5 6f e8 2d 09 33 bf 41 12 e1 57 bc
         c5 28 7b 5f 1e f9 a9 db d8 a0 80 19 5f 6b 15 5a f9 16 7c ca 41
         45 35 4c 03 19 51 ab e3 73 3c a8 86 dc 71 4a 49 84 01 37 70 64 a0 d0 08 76 4d
         75 9f 50 d1 c8 ea 7b d3 49 03 57 bd
         40 d9 fd 6b ec a2 23 e4 86 fc e9 89 9c de fe a6 95
         ba 7d da f2 3f 80 6b 22 09 ff ef 81 47 87 c7 71 ba 60 90 08 13 a4 dd b9 eb b2 98 7e 29 f1 20 f0 58 14 61
         4d
         d4 51 1e 26 5f 78 b6 25 91 74 2c 79 32 00 15 b4 61 fe 73 24 44 76 42 7b 70 a1 af 5f 65 ca ed b7 9a 50 c3 b7 58 01
         07 5d 13 3f 2e 07 15 e7 1f c0 07 89 eb dc ce f6 b8 cd f2 5d a4
         19 bc 00 28
         b4 74 4a 75 ba ab 09 25 4a 2b b2 19 81 d1 15 64 64 22
         98 4f 79 eb c7 0a f1 39 7f aa 49 50 16 ad f8 08 e5 3b 94 ef 54 af bb 0e 0a b1 a2 ac 38 5c 6a d1 28 fd 9d e3 bf
         7d be e6 0f 3a
         27 32 ab 59 7f e6 d0 09 e7 ce d6 8b d3 7a 06 fd db 83 5f 8e 56
         fc eb 7d 59 4f 74 8a 1d a1 e7 7b ea 23 c7 73 86 aa 51 fb 24 73 1f 8c c7 3e 40 b7 b4 70 12 89 ef
         7b 37 3b
         34 1c 17 5a 45 49 39 a7 7a b6 43 13 c1 5c f3 fe 03 c4 f3 38 42
         56 49 76

   {client}  derive write traffic keys for application data:

      PRK (32 octets):  e6 47 85 57 d7 f3 3b b2 77 01 be 74 7f  73 c2 e8 90 fa 8d 06 72 58 d6 d5 0f a9 2f bf e4 56
         b0 98 cf 00 d9 72 e4 7e ed 91 4f 96 7a 8a b7 20 c9 36 7f f6 61 49 2a e8 89 2e f4 e6 f8 60

      key info (13 octets):  00 10 09 09 74 6c 73 31 33 20 6b 65 79 00

      key expanded (16 octets):  cd c0 9c 80 6a a8 f8 6d fc d5 1e fc 44
         a0 c0 39

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv expanded (12 octets):  6e f8 52 e7 8b 46 d9 13 66 8e 53 e7

   {client}  derive secret "tls13 res master":

      PRK (32 octets):  57 c1 5d 7b 9d 44 1b 3d 40 a9 c6 ea 8a 3d 73 0e
         07 b3 a1 ea 7a 33 39 ed 70 70 b9 a7 4a 3f 4f 28

      hash (32 octets):  39 1d 00 4b d8 4c 83 1b 15 82 44 44 14 b4 dc 80
         64 01 0e cc 76 f3 7f 88 bf eb 1e 88 fe 13 5c 25

      info (52 octets):  00 20 10 74 6c 73 31 33 20 6b 72 65 79 73 20 6d 61 73
         74 65 72 20 39 1d 00

      key output (16 4b d8 4c 83 1b 15 82 44 44 14 b4 dc 80 64
         01 0e cc 76 f3 7f 88 bf eb 1e 88 fe 13 5c 25

      expanded (32 octets):  db 34 ce df e4 fc db  10 06 dc cb f4 0e d7 b4 eb 97 8b ff 03 92 a9
         e4 52 a4 fb ad 58 aa 14 78 4d 5a 24 1c 6b 49 da cc fb

   {server}  calculate finished "tls13 finished" (same as client)

   {server}  derive read traffic keys for application data (same as
      client application data write traffic keys)

   {server}  derive secret "tls13 res master" (same as client)

   {client}  send alert record:

      payload (2 octets):  01 00 41 8f dd 96
         b2 c7

      iv info (12

      complete record (24 octets):  17 03 03 00 0c 08 74 6c 73 31 13 e4 ad 7d 44 c2 92 45
         33 20 69 76 9d 35 59 62 c7 79 b8 9e f4 4c 58

   {server}  send alert record:

      payload (2 octets):  01 00

      iv output (12

      complete record (24 octets):  e1 7e 53 1a ba 3c fa 7f 0f  17 03 03 00 13 1d ec 8b f5 c5 d6 e6 4b ba
         8a 6f 21 b4 fd 07 74 97 da 2a 90 cb

7.  Compatibility Mode

   This example shows use of the handshake with the client requesting
   that the server use compatibility mode as defined in Appendix D.4 of
   [TLS13].

   {client}  derive secret "tls13 res master":

      PRK  create an ephemeral x25519 key pair:

      private key (32 octets):  7a 50 b7 21 1f a2 3c 29 37  de a0 0b 45 69 5d c7 81 f1 9d 34 a6 2c
         1a fd 31 72 ad f8 50 39 53
         dc 76 53 ab 43 69 af 95 0b 6b 61 9b 1e 85 5a 3b bb 25 8d 84 42 ce 1c a9 38 22 f1

      hash cd e6 d7

      public key (32 octets):  8e 72 92 cf 30 56 db b0 d2 5f cb e5 5c 10
         7d c9 bb f8 3d d9 70 8f 39 20 3b a3 41 bf 98 c7 24 79 cf cf 1d 49 9a 7d 9b 63

   {client}  construct a ClientHello handshake message

      ClientHello (224 octets):  01 00 00 dc 03 03 4e 64 0a 3f 2c 27 38
         f0 9c 94 18 bd 78 ed cc d7 55 9d c2 d6 05 31 19 92 76 d4 d9 2a 0e 9e
         e9 d7 7d 09 20 a8 44 c1
         7f 49 0c 16 55 81 a8 e0 d0 6c 00 18 d5 4d 3a 06 dd
         32 cf d4 05 1e b9 a0 78 21 08 78 b5 5a e5 b0 26 29 94 60

      info (52 octets): fa d3 fd 0b a9 92 69 e6 ef 00 20 10 74 6c 06 13 01 13
         03 13 02 01 00 00 8d 00 00 00 0b 00 09 00 00 06 73 31 33 20 65 72 76 65 73
         72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01
         00 01 01 01 02 01 03 01 04 00 33 00 26 00 24 00 1d 00 20 6d 61 73
         74 65 8e 72
         92 cf 30 56 db b0 d2 5f cb e5 5c 10 7d c9 bb f8 3d d9 70 8f 39
         20 3b a3 41 bf 98 c7 24 79 cf cf 1d 49 9d c2 d6 a8 44 c1 7f
         49 9a 7d 9b 63 00 2b 00 03 02 03 04 00 0d 00 20 00
         1e b9 a0 78 21 04 03 05 03 06 03 02 03 08 78 b5 5a e5 26 29 94 60

      output (32 octets):  c4 11 50 3f ea fa f0 d7 0a 77 c6 81 3d b0 42
         4e f5 f4 ce f4 b5 e2 4d b7 65 f8 79 d3 7f c5 b6 af

   {server}  calculate finished "tls13 finished" (same as client)

   {server}  derive read traffic keys for application data (same as
      client write traffic keys)

   {server}  derive secret "tls13 res master" (same as client) 04 08 05 08 06 04 01 05 01 06 01
         02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40
         01

   {client}  send alert handshake record:

      payload (2 (224 octets):  01 00

      ciphertext (24 octets):  17 00 dc 03 03 00 13 d1 3c 7f 4e 64 0a 3f 2c 27 38 f0
         9c 94 18 bd 78 ed cc d7 55 9d 05 31 19 92 76 d4 d9 2a 0e 9e e9
         d7 7d 16 11 b4 09 df
         45 77 ca 2b e5 20 a8 a2 8f 33 30

   {server}  send alert record:

      payload (2 octets): 0c 16 55 81 a8 e0 d0 6c 00 18 d5 4d 3a 06 dd 32
         cf d4 05 1e b0 26 fa d3 fd 0b a9 92 69 e6 ef 00 06 13 01 13 03
         13 02 01 00

      ciphertext (24 octets): 00 8d 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72
         ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00
         01 01 01 02 01 03 03 01 04 00 13 37 bb 98 68 73 81 3c 79 25
         aa 29 51 e1 21 b0 58 57 f7 8f

7.  Compatibility Mode

   This example shows use of the handshake with the client requesting
   that the server use compatibility mode as defined in Appendix D.4 of
   [TLS13].

   {client}  create an ephemeral x25519 key pair:

      private key (32 octets):  ea e2 7f 11 4d a0 68 f8 b3 47 2e 62 88 33 00 e8 b9 c2 58 13 58 13 6e bb e7 74 38 cb 4f 4b e2 d1 b4

      public key (32 octets):  d5 15 42 62 26 00 24 00 1d 00 20 8e 72 92
         cf 30 56 db b0 d2 5f 25 a9 2d 44 cb e5 5c 10 7d c9 bb f8 3d d9 70 8f 39 20
         3b a3 aa de f5 9c
         a8 49 ad 2f 8e fa 9f 41 24 9a 7d 9b 63 00 2b 00 03 02 03 04 00 0d 00 20 00 1e
         04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 b8 f5 da b4 01 05 01 06 01 02 ac bc 57 1f 16

   {client}  send a ClientHello handshake message

   {client}  send handshake record:

      payload (224
         01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01

      complete record (229 octets):  16 03 01 00 e0 01 00 00 dc 03 03 37 b0 76 d2 fa 50 4e
         64 0a 3f 2c 27 38 f0 9c 94 39
         5e 99 71 18 bd 78 ed cc d7 53 c3 c4 cf 07 56 b9 40 70 13 cb ca c7 f4 4a c3 28
         13 f6 0f 55 9d 05 31 19 92
         76 d4 d9 2a 0e 9e e9 d7 7d 09 20 91 41 b7 89 83 d3 67 a0 fe 97 08 df a8 0c 16 55 81 a8 e0 d0 6c 00
         18 d5 4d 3a 06 dd 32 f5 b9 88 8f
         e5 9e de 4e 61 2c f6 bd b1 fb be cf d4 05 1e b0 26 fa d3 fd 0b a9 92 69 e6 f9
         ef fe 00 06 13 01 13 03 13 02 01 00 00 8d 00 00 00 0b 00 09 00 00
         06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00
         17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00 26 00 24
         00 1d 00 20 d5 15 42
         62 8e 72 92 cf 30 56 db b0 d2 5f 25 a9 2d 44 cb e5 5c 10 7d c9 bb
         f8 3d d9 70 8f 39 20 3b a3 aa de f5 9c a8 49 ad 2f 8e fa 9f 04 b8 f5
         da b4 02 ac bc 57 1f 16 41 24 9a 7d 9b 63 00 2b 00 03 02 03
         04 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06
         04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01
         01 00 1c 00 02 40 01

      ciphertext (229

   {server}  extract secret "early":

      salt:  0 (all zero octets)

      IKM (32 octets):  16 03 01  00 e0 01 00 00 dc 03 03 37 b0
         76 d2 fa 50 94 39 5e 99 71 d7 53 c3 c4 cf 07 56 b9 40 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 13 cb f9 2a

   {server}  create an ephemeral x25519 key pair:

      private key (32 octets):  01 7c 38 a3 64 79 21 ca c7 f4 4a c3 28 2d 9e d6 bd 7a
         e7 13 f6 0f 2b 94 21 1b 13 31 bb 20 91 41 b7 89 8c 8c cd d5 15 56 40 99 95

      public key (32 octets):  3e 30 f0 f4 ba 55 1a fd 62 76 83 d3 67 a0 fe 97 08
         df 41 17 5f
         52 65 e4 da f0 c8 84 16 17 aa 4f af dd 21 42 32 f5 b9 88 8f 0c 22

   {server}  construct a ServerHello handshake message

      ServerHello (122 octets):  02 00 00 76 03 03 e5 9e de 4e 61 dd 59 48 c4 35 f7
         a3 8f 0f 01 30 70 8d c3 22 d9 df 09 ab d4 83 81 17 c1 83 a7 bb
         6d 99 4f 2c f6 bd b1 fb be 20 a8 0c 16 55 81 a8 e0 d0 6c 00 18 d5 4d 3a 06 dd
         32 cf d4 05 1e b0 26 fa d3 fd 0b a9 92 69 e6 f9 ef fe
         00 06 13 01 13 03 13 02 01 00 00 8d 00 00 2e
         00 0b 33 00 09 24 00 1d 00 06
         73 65 72 20 3e 30 f0 f4 ba 55 1a fd 62 76 83 41 17
         5f 52 65 72 ff 01 00 01 00 00 0a e4 da f0 c8 84 16 17 aa 4f af dd 21 42 32 0c 22 00 14 2b
         00 12 02 03 04

   {server}  send handshake record:

      payload (122 octets):  02 00 1d 00 76 03 03 e5 dd 59 48 c4 35 f7 a3
         8f 0f 01 30 70 8d c3 22 d9 df 09 ab d4 83 81 17 c1 83 a7 bb 6d
         99 4f 2c 20 a8 0c 16 55 81 a8 e0 d0 6c 00 18 00 19 d5 4d 3a 06 dd 32
         cf d4 05 1e b0 26 fa d3 fd 0b a9 92 69 e6 ef 13 01 00 01 01 01 02 01 03 01 04 00 33 2e 00 26
         33 00 24 00 1d 00 20 d5 15 42 3e 30 f0 f4 ba 55 1a fd 62 76 83 41 17 5f 25 a9 2d 44 a3 aa de f5 9c a8 49 ad 2f
         8e fa 9f 04 b8 f5
         52 65 e4 da b4 02 ac bc 57 1f f0 c8 84 16 17 aa 4f af dd 21 42 32 0c 22 00 2b 00 03
         02 03 04

      complete record (127 octets):  16 03 03 00 0d 7a 02 00 20 00 1e 04 03 05 03 06 76 03 02 03 08 04 08 05 08 06 04
         01 05 e5
         dd 59 48 c4 35 f7 a3 8f 0f 01 30 70 8d c3 22 d9 df 09 ab d4 83
         81 17 c1 83 a7 bb 6d 99 4f 2c 20 a8 0c 16 55 81 a8 e0 d0 6c 00
         18 d5 4d 3a 06 01 02 01 04 02 dd 32 cf d4 05 02 06 02 02 02 00 2d 00 02 01 01
         00 1c 00 02 40 1e b0 26 fa d3 fd 0b a9 92 69 e6
         ef 13 01

   {server}  extract secret "early":

      salt:  (absent)

      IKM (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 2e 00 33 00 24 00 1d 00 20 3e 30 f0 f4 ba 55 1a
         fd 62 76 83 41 17 5f 52 65 e4 da f0 c8 84 16 17 aa 4f af dd 21
         42 32 0c 22 00 2b 00 02 03 04

   {server}  send change_cipher_spec record:

      payload (1 octets):  01

      complete record (6 octets):  14 03 03 00 01 01

   {server}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

   {server}  create an ephemeral x25519 key pair:

      private key

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      expanded (32 octets):  6f fc 0f 52 26 15 a1 08 bb f6 73 4b 5f 95 23 7d
         3d c7 02 c5 67 8f 54 fc 9d ba
         b6 97 16 c0 76 18 9c 48 0a 25 0c eb ea c3 57 6c 36 11 ba

   {server}  extract secret "handshake":

      salt (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc e9 89 e6 1c 2f 4d 71 6b 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      IKM (32 octets):  ee f7 90 55 90 77 db 5b e4 4d b6 3b 66 90 7e

      public key 84 e4 16 9f 05
         1e 8f b3 4c e5 9b af ce 2f 9c 8e e6 8c c4 eb 79

      secret (32 octets):  ab 16 0e 03 51 0f a0 3f d5 bd 6e 7a 94 f4
         00 31 16  f9 17 61 35 cd 4a 67 e9 b0 7c 6d cc 3a 55 70 7e
         fa 69 87 2e a6 e4 8a 08 71 5e e3 f0 24 2e

   {server}  send a ServerHello handshake message c4 51 9d 80 40 e5 f2 15 12 1e 0d f6 9a fa 4a

   {server}  send handshake record:

      payload (122  derive secret "tls13 c hs traffic":

      PRK (32 octets):  02 00 00 76 03 03 32 a4 2f 56 c8 b8 59  f9 17 61 35 4a 67 e9 b0 7c 6d cc
         5d 3a 55 70 7e fa
         69 c4 51 9d 80 f2 7f 48 d0 f2 96 d3 a5 bb 8e 05 28 08 11 14 de 8c e3 84
         d7 e0 df 20 91 41 b7 89 83 d3 67 a0 fe 97 08 df 32 f5 b9 88 8f 40 e5 9e de 4e 61 2c f2 15 12 1e 0d f6 bd b1 fb be e6 f9 ef fe 13 9a fa 4a

      hash (32 octets):  74 5c 55 ba c3 99 31 0b 7b 5a 7c 81 a2 c1 30 b4
         d5 6d ff 6f 68 c3 ab 47 78 57 60 1e 01 00 00 2e 00
         33 00 24 00 1d f1 f8 d1

      info (54 octets):  00 20 ab 16 0e 03 51 0f a0 3f d5 bd 6e 7a 94 f4
         00 12 74 6c 73 31 16 35 cd 33 20 63 20 68 73 20 74 72
         61 66 66 69 87 2e a6 e4 8a 08 71 5e e3 f0 24 2e 00 2b 00
         02 03 04

      ciphertext (127 octets):  16 03 03 00 7a 02 00 00 76 03 03 32 a4
         2f 56 c8 b8 59 cc 5d 80 f2 7f 48 d0 f2 96 d3 a5 bb 8e 05 28 08
         11 14 de 8c e3 84 d7 e0 df 63 20 91 41 b7 89 83 d3 67 a0 fe 97 08
         df 32 f5 b9 88 8f e5 9e de 4e 74 5c 55 ba c3 99 31 0b 7b 5a 7c 81 a2 c1 30
         b4 d5 6d ff 6f 68 c3 ab 47 78 57 60 1e 01 f1 f8 d1

      expanded (32 octets):  2c 3c b2 4a 10 81 ed b5 95 18 ee 68 61 2c f6 bd b1 fb be e6 f9 ef e8
         9a 6b 72 b3 80 1a fe 77 13 01 00 00 2e 00 33 00 24 00 1d 00 20 ab 16 0e 03 51 0f a0 3f
         d5 bd 6e 7a 94 f4 00 e4 cb bc 21 c0 79 5b f8 31 16

   {server}  derive secret "tls13 s hs traffic":

      PRK (32 octets):  f9 17 61 35 cd 4a 67 e9 b0 7c 6d cc 3a 55 70 7e fa
         69 87 2e a6 e4 8a 08 71 5e e3
         f0 24 2e 00 2b 00 02 03 04

   {server}  send change_cipher_spec record:

      payload (1 c4 51 9d 80 40 e5 f2 15 12 1e 0d f6 9a fa 4a

      hash (32 octets):  74 5c 55 ba c3 99 31 0b 7b 5a 7c 81 a2 c1 30 b4
         d5 6d ff 6f 68 c3 ab 47 78 57 60 1e 01

      ciphertext (6 f1 f8 d1

      info (54 octets):  14 03 03  00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
         61 66 66 69 63 20 74 5c 55 ba c3 99 31 0b 7b 5a 7c 81 a2 c1 30
         b4 d5 6d ff 6f 68 c3 ab 47 78 57 60 1e 01 01 f1 f8 d1

      expanded (32 octets):  ca ce 3d 55 5c c1 c5 77 cf 97 0c ff 28 cf
         97 8d 6a 98 00 08 54 42 e1 8d 69 5b 50 f3 15 1d 18 c8

   {server}  derive secret for handshake master "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70  f9 2a 17 61 35 4a 67 e9 b0 7c 6d cc 3a 55 70 7e fa
         69 c4 51 9d 80 40 e5 f2 15 12 1e 0d f6 9a fa 4a

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output

      expanded (32 octets):  6f 26 15  5d a1 08 c7 02 c5 67 8f 54 fc 9d 2d c4 78 35 ba b6
         97 73 fd d9 94 b1 4a b7
         e6 3c c6 3f 0d 79 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 2f 67 56 e9 a4 67 56 c8 b2 b6 42

   {server}  extract secret "handshake": "master":

      salt (32 octets):  6f 26 15  5d a1 08 c7 02 c5 67 8f 54 fc 9d 2d c4 78 35 ba b6 97 73 fd d9 94 b1 4a b7 e6 3c
         c6 3f 0d 79 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba 2f 67 56 e9 a4 67 56 c8 b2 b6 42

      IKM (32 octets):  d6 ee 52 33 ce 08 89 3e a5 eb d5 0f 0d 8a 25 bf
         ed 5f fd 57 82 32 31 19 46 91 bd 89 2b 8f 9a 50

      secret (32 octets):  2e 91 52 b1 5c ec 8f 81 92 f3 d5 a0 72 08 ad  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  62 81 12 da e2 f7 02 48 a9 7b 4e 06 f2 b8 22 9d f6 7b 7d 47 80 63 e4 2d e6 c8 50
         a5 c0 82 0b 90 90 3e a8 42 d3 00 ab c3 18 75 da 03 d4 bc 5b

   {server}  derive secret "tls13 c hs traffic": write traffic keys for handshake data:

      PRK (32 octets):  2e 91 52 b1  ca ce 3d 55 5c ec 8f 81 92 f3 d5 a0 72 c1 c5 77 cf 97 0c ff 28 cf 97 8d
         6a 98 00 08 ad 48
         a9 7b 4e 06 f2 b8 22 9d f6 7b 7d 47 3e a8 54 42 d3

      hash (32 octets):  ef ee 6c 01 8a 0f a3 ac 4c 61 ac 11 9c c8 fd da
         17 5e b8 c4 bd 4d 11 98 53 59 ca 1a e1 8d 69 5b 50 f3 33 87 0b 15 1d 18 c8

      key info (54 (13 octets):  00 20 12 10 09 74 6c 73 31 33 20 63 20 68 6b 65 79 00

      key expanded (16 octets):  04 10 91 fd ab 29 f2 c8 ab fb 15 6d c5
         fc 8d 54

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 74 72
         61 66 66 69 63 20 ef ee 6c 76 00

      iv expanded (12 octets):  74 64 d7 91 68 5d e0 59 98 fc ba db

   {server}  construct a EncryptedExtensions handshake message

      EncryptedExtensions (40 octets):  08 00 00 24 00 22 00 0a 00 14 00
         12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c
         00 02 40 01 00 00 00 00

   {server}  construct a Certificate handshake message

      Certificate (445 octets):  0b 00 01 b9 00 00 01 b5 00 01 b0 30 82
         01 8a 0f a3 ac 4c 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48
         86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03
         72 73 61 ac 11 9c c8 fd
         da 30 1e 17 5e b8 c4 bd 4d 11 98 53 59 ca 1a f3 0d 31 36 30 37 33 87 0b

      output (32 octets):  1b 92 30 30 31 32 33 35 39 5a 17
         0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06
         03 55 04 03 13 03 72 16 73 61 30 81 91 bc c8 5e 46 45 96 e1 0b 79
         b8 9f 30 0d 06 09 a4 f6 36 2a 86 48 86 f7
         0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 e4 ad a5 81 81 00 b4 f2 c9 c0 b2 4d 27 37

   {server}  derive secret "tls13 s hs traffic":

      PRK (32 octets):  2e 91 52 b1 5c ec bb 49 8f 81 92 f3 d5 a0 72
         82 79 30 3d 98 08 ad 48
         a9 7b 4e 06 f2 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 22 9d f6 7b 7d 47 3e a8 42 26
         d3

      hash (32 octets):  ef ee 6c 01 8a 0f a3 ac 4c 90 1a 24 61 ac 11 9c c8 ea fd da
         17 5e b8 c4 bd 4d 11 98 53 59 ca 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c
         1a f3 33 f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52
         4b 1b 01 8c 3e 0b

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
         61 66 66 69 63 20 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74
         80 30 53 0e f0 46 1c 8c a9 d9 ef ee 6c bf ae 8e a6 d1 d0 3e 2b d1 93
         ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03
         01 00 01 8a 0f a3 ac 4c 61 ac 11 9c c8 fd
         da 17 5e b8 c4 bd 4d 11 98 53 59 ca 1a f3 33 87 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b

      output (32 octets):  50 56 06
         03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01
         01 0b ed 1e 47 38 91 2d 43 d3 15 99 e0 7d
         5e ad ea f2 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a
         72 67 17 06 18 9e a5 4c 5f 8a 7b 75 e9 87 6f 42 07 2f b0 33

   {server}  derive secret for master "tls13 derived":

      PRK (32 octets):  2e 91 52 b1 5c ec 7d 2d f7 a5 94 36 54 17 f2 ea
         e8 f8 a5 8c 8f 81 92 f3 d5 a0 72 08 ad 48
         a9 7b 4e 06 f2 b8 22 9d f6 7b 7d 47 3e a8 42 d3

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 f9 31 33 20 64 65 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01
         51 56 72 69 76 65 64
         20 e3 b0 c4 42 98 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be
         c1 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c 63 a4 95 2a 99 1b 78 52 b8 55

      output (32 octets):  ef 79 6e a9 37 7c f8 94 b0 52 52 2b 22 9f cd
         70 a1 d7 c3 a3 2d ca 6c f5 1d 62 95 04 ef 1e e1 25

   {server}  extract secret "master":

      salt (32 octets):  ef 79 6e a9 37 be 5c 3e b7 10 7c f8 94 b0 52 52 3c 54 e9 b9 eb 2b 22 9f cd 70
         a1 d7 c3 d5 20 3b
         1c 3b 84 e0 a8 b2 f7 59 40 9b a3 2d ca 6c f5 ea c9 d9 1d 62 95 04 ef 1e 40 2d cc 0c c8 f8
         96 12 29 ac 91 87 b4 2b 4d e1 25

      IKM (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00

   {server}  construct a CertificateVerify handshake message

      CertificateVerify (136 octets):  0f 00 00 84 08 04 00

      secret (32 octets):  63 7d 72 8c c3 81 21 92 85 68 0b 8a bd 98 9c
         a3 7a c7 36 80 a2 30 1a
         68 dd 1c ee e6 93 8f e9 d4 0c cb 47 46 b9 20 1b 34 d5 99 52 a3 7e 06
         52 3a 39 cf 8b a6 c9 c8 b6 8a 0f 28 11 07 2a 89 88 19

   {server}  derive write traffic keys for handshake data:

      PRK (32 octets):  50 56 0b e9 44 92 af 78 05 16 ed 1e 47 38 91 2d 43 d3 15 99 e0 7d 5e
         ad ea f2 6b 18 9e 7b 75 e9 87 6f 42 07 2f b0 33

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output (16 octets):  7d cd 41 e1 40 51 3f c8
         28 12 e9 9d d3 fa be 6a f5 22 a4 da 7f
         57 5b

      iv info (12 octets):  00 5e 09 d9 c6 84 87 21 c2 80 8c 61 50 1b
         0c 08 74 6c 73 31 33 20 69 75 e7 fc ab a5 f7 8b ef 68 a2 c2 b6 9b 19 55 8b 3e 40 38 7e
         ea 93 d2 5c 77 81 c1 cc 00 e9 f5 19 f7 e2 e4 ad b7 3e 76 d6 60
         89 00

      iv output (12 octets):  77 ee 98 da ae 5c 82 24 7d 0a 2d c8 66 c2 ed 30 40 bb a5 0a 0d 45 7f

   {server}  send a EncryptedExtensions handshake message

   {server}  send a Certificate handshake message

   {server}  send a CertificateVerify handshake message 19 dc 6e b9 f3

   {server}  calculate finished "tls13 finished":

      PRK (32 octets):  ca ce 3d 55 5c c1 c5 77 cf 97 0c ff 28 cf 97 8d
         6a 98 00 08 54 42 e1 8d 69 5b 50 56 0b ed 1e 47 38 91 2d 43 d3 f3 15 99 e0 7d 5e
         ad ea f2 6b 1d 18 9e 7b 75 e9 87 6f 42 07 2f b0 33 c8

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output

      expanded (32 octets):  d1 61 e3 34 21  2c 9f 72 f2 7b 81 e7 df d7 05 aa 4c c8 bf a6 e4 4d
         42 66 8c ac cd 49 37
         1f 12 86 d4 11 e1 6c 8c cc 1c 0d 9a ed 72 cb bd c0 80

      finished (32 octets):  c8 b2 5b c3 a8 f1 c6 e4 e7 b4 bf f5 27 40 61 f4 bc 3a 7c af
         fb dc c6 cb de a9 c2 a3 a1 96 16 09 4c a6 25 ca a6 5f 8e 76 ed 46 db 74 d3

   {server}  send  construct a Finished handshake message

      Finished (36 octets):  14 00 00 20 c8 c3 a8 f1 bf f5 27 40 61 f4
         bc 3a 7c af fb dc 96 16 09 4c a6 25 ca a6 5f 8e 76 ed 46 db 74
         d3

   {server}  send handshake record:

      payload (657 octets):  08 00 00 24 00 22 00 0a 00 14 00 12 00 1d
         00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 00 02 40
         01 00 00 00 00 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30
         82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d
         01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61
         30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36
         30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04
         03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01
         01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f 82 79 30
         3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a
         24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e
         aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01
         8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53
         0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab
         9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 01 00 01
         a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d
         0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05
         00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17
         06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea e8 f8 a5
         8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 51 56 72
         60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be c1 fc 63
         a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1c 3b 84
         e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 96 12 29
         ac 91 87 b4 2b 4d e1 00 00 0f 00 00 84 08 04 00 80 84 d9 e6 bb
         5f 60 86 63 13 c5 02 3b 34 5b b6 68 4a 63 6c 67 82 34 01 5d c8
         3b 80 3d 81 a2 30 1a 68 ba 48 03 e2 cc 26 7f f0 86 70 35
         dd 1c ee e6 93 8f e9 d4 b4 46 28
         64 4c 1e fb 90 82 0c 47 ce c2 14 23 98 c3 aa d3 46 b9 20 1b 34 d5 99 52 a3 7e 06 52
         3a 39 cf 9d 8b a6 2d d4
         c5 de 51 ac 82 0c 84 c9 c8 b6 8a e9 44 92 af 40 72 1b dd 67 bc 8b bd db 78 05 16 ed 7b 73 c8 28 3b 75 14
         25 62
         12 e9 9d d3 fa be a4 5e 09 d9 c6 84 87 21 c2 80 8c 61 50 1b 0c
         75 e7 fc ab a5 f7 8b ef 68 a2 c2 b6 9b 19 55 8b 3e 40 38 7e ea
         93 d2 5c 77 81 c1 cc 00 e9 f5 b2 19 f7 e2 e4 ad b7 3e 76 f2 32 c2 a0 5e 53 f1 6b 6a d6 cd cd a6 04 da
         f9 95 e6 f8 42 4a 1d fd 37 0c 58 d0 f7 b4 60 5f 1a 21 a9 89
         00 0a 2d c8 66 c2 ed 30 bb a5 0a 0d 45 7f 19 dc 6e b9 f3 14 00
         00 20 5b 6a d9 10 c8 c3 a8 f1 bf f5 27 40 61 f4 bc 48 94 47 7b 48 da 86 11 eb c4 de 20 3a 7c af fb dc 96 16 09
         4c a6 25 72
         63 ca a6 5f 9c 4a ac 81 a4 81 2e 82 bf c2 fd

      ciphertext 8e 76 ed 46 db 74 d3

      complete record (679 octets):  17 03 03 02 a2 28 cc 1b 2f 47 22 95 79
         9f 34 2e 49 90 56 09 07 73 a4 57 20 6f 79 a5 4b b8 ca 78 dc 42
         e7 54 e1 95 6d dd 1a 78 6e 4c e9 6f 8d a4 12 57 ce 53 17 b7 37
         60 48 de 89 1d 9c 36 24
         a6 7a c3 b6 f8 6d 6c 6f 6d 1d 71 06 01 af c5 61 0c d8 fb 16 7c 6a
         29 99 1e 50 a6 f4 83 7f ff 89 c2 d0 66 58 01 de 54 6e ab 7a c2 8c bf
         f1 d7 d5 c3 30 b0 60 48 4a 44 0c 54 1c b1 1f 58 88 4a 50 31 dd
         ae ac ac af ea 6c 34 5a 93 8b 8e ee 6a 57 10 68 05 79 52 a2 60
         f9 e4 d6 51 bc e2 d8 57 1c ec aa da 2d 9b 37 15 60 3f f4 77 dd
         3c cf bf e6 8f 3c 0c b1 4b 0f c0 60 9e 14 d2 e6 dc 3b 10 f0 1b 43 8f 22
         12 71 3a 4b 87 fb b1 0d fd 9c 5c 29 e7 8d bc 7f a6 00 7e 99 9e 13
         03 89 67 a8 af 1b cf ea 94 0f
         4e 3e 17 d9 79 f1 98 fb ce 19 df 45 73 4d 67 66 12 05 ee ce 3a 25 c1 15 fc da 0d f5 2c
         d2 35 95 77 fc b1 c2 47 e8 bf 90 0e 7a 59 0c 7e 33 f5 ff 1b 0e
         d0 d2 90 35 b5 f7 77 df d2 0f 02 41 40 61 7e e3 2d 6f 5a 7f 52
         3c be 55 ea 1b
         09 3b da 4e 60 d1 b1 78 2e 73 ca 22 ae c2 91 99 5e 45 5d 1d 5f d7 ac c8 f5 58 17
         df 92 fe 17 da 29 13 77 10 e7 50 0a 4f aa 2e bb 7c a8 45 6b de 8a dd e7
         88 24 19 62 27 b7 11
         1e 1c 85 47 e2 d7 c1 b1 8d ba d9 a9 70 54 30 bd 94 71 86 79 db 21 53 f3 03 d2 fb 78
         2c 62 f1 7b ef c3 24 73 58 27 f3 cd 18 f4 ec 5c 5d 73 39 e6 8f 64
         91 32 1c 8c f5 c0 f8 14 d3 88 15 0b d9 e9 26 4a ae 49 1d b6 99 50
         69 be a1 76 65 d7 a0 c8
         f3 c5 d5 c5 1b bb c3 a5 3d 16 60 c5 89 eb e5 dd 39 bd 1e 53 6f
         f3 ed 09 84 41 36 76 e0 c8 17 28 4d 4a b8 8d 51 71 db 6f bd 32 81 ec e9 e5 96
         07 c2 18 80 05 4c 36 57 33 1e
         23 a9 30 4d c8 8a 15 c0 4e c8 0b d3 85 56 2b f7 f9 d3 c6 61 5b 15
         fa c8 3b bc a0 31 c6 d2 31 0d 9f 5d 7a 4b 02 0a 4f 7c 19 06 2b
         65 c0 5a 1d 32 64 b5 57 ec 9d 8e 0f 7c ee 27 e3 6f 51 79 30 39 de
         8d d9 6e df ca 90 09 e0 65 10 34 bf f3 1d 7f 34 9e ec e0 1d 99
         fc f6 63 e8 b5 fc 82 bb 13 ab 84 0d 77 07 c7 22 99 c3 b5 d0 45 64 e8 80 a3 3c 5e
         84 6c 76 2e 3d 92 2b b5 53 03 d1 d8 7c c0 f0 65 73 f1 7d cb 9b 49 c4 56 bc
         8f fd 35 bb d8 83 c1
         16 32 6a 70 1f 22 cb 3a 19 d4 a4 5d a2 4f cc f6 87 b3 95 9a a0 36 dd 32 50 05 f7 68 ce 2f b6 24
         ca 97 b6 c4 d9 8e 17 f3
         58 30 98 87 4c d6 da 79 6f e1 29 26 c1 2a 5b c2 c7 94 0a 06 10 0c 2d 49 79 1b 44 8d b7 18
         0b 2d 86 21 64 43 5c 9c 21 0e 98 60 39 4e 05 aa b2 3f f1 b0 20
         3f 66 2c 58 8d a5 bc 44 11 47 7a 30 b4 11 36 c4 88 1f
         13 be c3 ec de a0 a6 3f ca
         b5 fb 69 50 b8 c1 5a 36 14 c6 13 7e ad 22 6d ae 82 7a 1d 1f e9 5e 26 9e 14 84 ce 6b 30 bc ee 26 2b ba 15 60
         a8 d4 b1 08 d2 64 55 5e 76 0f 9b fc 62 4c 2c 87 fd 04 56 c9 bf b4
         1b cd 35 09 69 85 75 f8 90 1a 7b 21 27 86 d2 b6 7f d5 78 04 fa cf a1 ee f7 cf 29 19 a9 28 05 81 5a
         ef 89 91 f8 63 6e
         d8 b9 98 c9 78 9f 76 3b 4d 9c aa 09 3a 9d ed 43 17 5d 46 a7 d4 6b
         4d 54 f0 ce 0c 5d 22 59 b6 07 e3 0a 9d 24 12 63 87 c1 1c 9c 4f a5 9d 6f
         57 0d c4 0d 83 a2 d8 3b f9 e9 85 0d 45 4c cb aa 91 1c 6c 57 b5 bb
         28 29 95 b7 80 65 35 a8 99 8a
         e0 35 7d f9 2f 00 b9 66 73 44 c2 41 14 cc c9 c7 33 3d 7d 8f b7 40 cd 5f 0b 55 85 cb 87 d8
         7c ef 53 91 4d 02 c0 f5 6a 93 88 73 03 24 b2 93 38 6b 8e fb 26 04
         e7 e6 e7 48 b4 e1
         10 be 9e bc f5 c0 76 92 41 79 da b2 b1 bc a2 ad 05 21 44 fa 3b
         eb 38 5c 5c c3 0a 28 f1 17 01 cc 78 3e 7c d8 f8 a3 d1 d1 83 99 72 43 ea cc 92 b9 26 93 af bb d3 3b 0c 11
         15 a0 32 71
         28 2d ec 09 64 29 66 1d 75 f7 06 a1 e6 a7 52 71 d4 98 30 86 f6 32 ff 0e b8 3d 69 b4 39 be 1b c6
         31 02 cb ce f5 4e 74 bb 72 da
         c8 3d e1 27 9d 5d e8 eb 19 09 6d 8c db 07 fa
         8e a9 89 78 8f ac 23 e6 62 c5 6e 04 88 c1 93 15 15 f3 f3 fe a8 c8 83 88 96
         bf ed 52 3a e4 cd 3c b6 84 8d 42 ce a8 de 9f b2 2a f9
         01 a3 40 af a3 3a 7b 06 d4 bd f4 1a be 6f c3 31 b4 42 25 e7 a1
         f7 d3 56 41 47 d5 a5 fd e5 ce 1d 45 8e 71 aa 90 9c b0 2b 7a 72 c7 e2 ee f5
         ff 46 25 d8 5b e9 58 bb 99 5f 39 25 da d8 66 c4 2e 3a a5
         a2 7c c6 5e

   {server}  derive secret "tls13 c ap traffic":

      PRK (32 octets):  63 7d 72 8c c3 81 21 92 85 68 0b ea f4 b6 fe 51 ae 44 95 69 4d 8a bd 98 9c b6 32 0a ab 92 01 83
         fd 5b 31 a3
         7a c7 36 68 0c cb 47 8a 0f 28 59 04 2f bd 67 39 1e c5 e4 d1 89 2a 2e 52 10 14 1a
         49 4e 93 01 b2 4a 11 07 3c 47 4c 7f 2a 89 88 19

      hash 73 45 78 47

   {server}  derive secret "tls13 c ap traffic":

      PRK (32 octets):  e4 72 ce 71 b4 9c c4 44 32 c4 09  62 81 12 da e2 f7 66 4b 84 02 48 80 63 e4 2d e6 c8 50 a5
         9d 7a 68 3d 3d d2 da 22 7c 9b 98 42
         c0 82 0b 90 90 3e 00 ab c3 18 75 da 03 d4 bc 5b

      hash (32 octets):  07 07 dc ac 7b 2f a4 28 cc 7f 69 16 94 a2 a1 45 59 0c
         80 6a aa 5c 0c f5 08 7e d5 38 50 12 e7 f9 6c d4

      info (54 octets):  00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72
         61 66 66 69 63 20 e4 72 ce 71 b4 9c c4 44 32 c4 09 f7 66 4b 84
         a5 9d 7a 68 3d 3d d2 da 22 7c 9b 98 42 3e 07 07 dc ac 7b 2f a4 28 cc 7f 69 16 94 a2 a1 45

      output 59
         0c 80 6a aa 5c 0c f5 08 7e d5 38 50 12 e7 f9 6c d4

      expanded (32 octets):  b3 59 c9 26 e6 22 56 e6 10  74 3e 70 fb bc f9 07
         cb 5e e7 4c 6b 56 20 f8 95 a8 cf 39 09 d1 b0 e8 c0 05 a4 df ff 75 6d 01 95 6c
         cd 2c 4b 37 75 84 49 ae c4 1d 98 da e4 49 24 ea a2 99

   {server}  derive secret "tls13 s ap traffic":

      PRK (32 octets):  63 7d 72 8c c3  62 81 21 92 85 68 12 da e2 f7 02 48 80 63 e4 2d e6 c8 50 a5
         c0 82 0b 8a bd 98 9c a3
         7a c7 36 68 0c cb 47 8a 0f 28 11 07 2a 89 88 19 90 90 3e 00 ab c3 18 75 da 03 d4 bc 5b

      hash (32 octets):  e4 72 ce 71 b4 9c c4 44 32 c4 09 f7 66 4b 84 a5
         9d 7a 68 3d 3d d2 da 22 7c 9b 98 42 3e  07 07 dc ac 7b 2f a4 28 cc 7f 69 16 94 a2 a1 45 59 0c
         80 6a aa 5c 0c f5 08 7e d5 38 50 12 e7 f9 6c d4

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72
         61 66 66 69 63 20 e4 72 ce 71 b4 9c c4 44 32 c4 09 f7 66 4b 84
         a5 9d 7a 68 3d 3d d2 da 22 7c 9b 98 42 3e a2 a1 45

      output (32 octets): 07 07 dc ac 7b 2f a4 28 cc 7f 64 01 84 e5 99 d2 8e c8 18 84 1c ff 13 92
         30 d5 16 9f 69 16 3b 1f 52 70 94 a2 59
         0c 80 6a aa 5c 0c f5 08 7e d5 38 50 12 a3 8e 5d b8 1f 7b 4e

   {server}  derive secret "tls13 exp master":

      PRK e7 f9 6c d4

      expanded (32 octets):  63 7d 72 8c c3 81 21 92 85 68 0b 8a bd 98 9c  b6 b8 14 4a a3
         7a c7 36 68 0c cb 47 8a 0f 28 11 07 2a 89 88 19

      hash 35 ed 30 59 c0 c9 c8 f0 ec
         ab f7 af c9 4a f6 64 3b de cd fd 92 10 18 8f ab 74 51

   {server}  derive secret "tls13 exp master":

      PRK (32 octets):  e4 72 ce 71 b4 9c c4 44 32 c4 09  62 81 12 da e2 f7 66 4b 84 02 48 80 63 e4 2d e6 c8 50 a5
         9d 7a 68 3d 3d d2 da 22 7c 9b 98 42
         c0 82 0b 90 90 3e 00 ab c3 18 75 da 03 d4 bc 5b

      hash (32 octets):  07 07 dc ac 7b 2f a4 28 cc 7f 69 16 94 a2 a1 45 59 0c
         80 6a aa 5c 0c f5 08 7e d5 38 50 12 e7 f9 6c d4

      info (52 octets):  00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73
         74 65 72 20 e4 72 ce 71 b4 9c c4 44 32 c4 09 f7 66 4b 84 a5 9d
         7a 68 3d 3d d2 da 22 7c 9b 98 42 3e a2 a1 45

      output (32 octets):  92 a0 34 07 bc bd c9 8d 26 ae 38 07 dc ac 7b 2f a4 28 cc 7f 69 16 94 a2 59 0c 80 8b d6 f1
         6a aa 5c 0c d0 47 14 2e c7 ef ac b8 f3 f5 08 9a 7e 3e 52 87 d6 d5 38 50 12 e7 f9 6c d4

      expanded (32 octets):  fb 69 12 1c ea 33 4d b4 59 e1 22 72 d1 79
         ba ca 23 69 b6 43 d1 1a 6a c7 2b 8b 27 a5 c9 64 fe b1

   {server}  derive write traffic keys for application data:

      PRK (32 octets):  7f 64 01 84 e5 99 d2 8e c8 18 84 1c ff 13 92  b6 b8 14 4a a3 35 ed 30
         d5 16 9f 16 59 c0 c9 c8 f0 ec ab f7
         af c9 4a f6 64 3b 1f 52 70 12 a3 8e 5d b8 1f 7b 4e de cd fd 92 10 18 8f ab 74 51

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output expanded (16 octets):  9a 33 b7 ff 19 01 80 b3 05 47 fe 9f e3 12
         74 09  ed c4 cb d0 04 1c 28 cc 71 67 44 1d 7c
         a5 3e 6a

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output expanded (12 octets):  a1 18 3b 47 0d 16 7f 63 62 8d 8b 32  bf 6c 7d 8e 0a 95 45 b4 27 dc f1 39

   {server}  derive read traffic keys for handshake data:

      PRK (32 octets):  1b 92 72 16  2c 3c b2 4a 10 81 91 bc c8 5e 46 45 96 e1 0b 79 b8
         09 a4 f6 36 02 ed b5 95 18 ee 68 61 e8 9a 6b
         72 b3 80 1a fe 77 13 e4 ad a5 b4 f2 c9 cb bc 21 c0 b2 4d 27 37 79 5b f8 31

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output expanded (16 octets):  e7 37 b9 b1  62 d1 3c 13 ff d7 40 2f 31 56 81 54 fd 6b f2 53 22
         ac 53 c1 c0 9e 3d 16
         36 65 cb

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output expanded (12 octets):  4a a7 80 6d 4f 81 d5 93 7b 99 3b 26

   {client}  extract secret "early":

      salt:  (absent)
      IKM (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3  71 66 f2 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a 28 bf 14 6d cf bd 5a 40

   {client}  extract secret "early" (same as server early secret)

   {client}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      output

      expanded (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba
         b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {client}  extract secret "handshake":

      salt (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      IKM (32 octets):  d6 ee 52 33 ce 08 89 3e a5 eb d5 0f 0d 8a 25 bf
         ed 5f fd 57 82 32 31 19 46 91 bd 89 2b 8f 9a 50

      secret (32 octets):  2e 91 52 b1 5c ec 8f 81 92 f3 d5 a0 72 08 ad
         48 a9 7b 4e 06 f2 b8 22 9d f6 7b 7d 47 3e a8 42 d3 "handshake" (same as server handshake
      secret)

   {client}  derive secret "tls13 c hs traffic" (same as server)

   {client}  derive secret "tls13 s hs traffic" (same as server)

   {client}  derive secret for master "tls13 derived" (same as server)

   {client}  extract secret "master" (same as server) server master secret)

   {client}  derive read traffic keys for handshake data:

      PRK (32 octets):  50 56 0b ed 1e 47 38 91 2d 43 d3 15 99 e0 7d 5e
         ad ea f2 6b 18 9e 7b 75 e9 87 6f 42 07 2f b0 33

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00
      key output (16 octets):  7d cd 41 e1 40 51 3f be 6a f5 22 a4 da 7f
         57 5b

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output (12 octets):  77 ee 98 da ae 5c 82 24 7d 30 40 7f data (same as server
      handshake data write traffic keys)

   {client}  calculate finished "tls13 finished" (same as server)

   {client}  derive secret "tls13 c ap traffic" (same as server)

   {client}  derive secret "tls13 s ap traffic" (same as server)

   {client}  derive secret "tls13 exp master" (same as server)

   {client}  send change_cipher_spec record:

      payload (1 octets):  01

      ciphertext

      complete record (6 octets):  14 03 03 00 01 01

   {client}  derive write traffic keys for handshake data (same as
      server handshake data read traffic keys)

   {client}  derive read traffic keys for application data (same as
      server application data write traffic keys)

   {client}  calculate finished "tls13 finished":

      PRK (32 octets):  1b 92 72 16  2c 3c b2 4a 10 81 91 bc c8 5e 46 45 96 e1 0b 79 b8
         09 a4 f6 36 02 ed b5 95 18 ee 68 61 e8 9a 6b
         72 b3 80 1a fe 77 13 e4 ad a5 b4 f2 c9 cb bc 21 c0 b2 4d 27 37 79 5b f8 31

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      output

      expanded (32 octets):  89 90 6b c2 96 20 2c dc 3c 10 2a 87 ff fe 99
         cc cd b9 2c b1 94  77 34 1a bc 8c 0f fa b5 18 07 36 71 3e 41
         d2 7a 8b 2b 21 f6 65 c4 10 e6 8b 41 a4 04 c8 c2 1e dc d9 48 a4 44 0f d8 0c 78

      finished (32 octets):  69 2c ab 15 5c c6 c1 00 ea d6 07 33 d0 61
         7f 6f b0 9b 71 aa 1e 8c 9a cc bb bc 9e 8e d3 36 c1 dd

   {client}  send  construct a Finished handshake message

      Finished (36 octets):  14 00 00 20 69 2c ab 15 5c c6 c1 00 ea d6
         07 33 d0 61 7f 6f b0 9b 71 aa 1e 8c 9a cc bb bc 9e 8e d3 36 c1
         dd

   {client}  send handshake record:

      payload (36 octets):  14 00 00 20 ed 87 35 55 93 d3 ef 08 33 0b 32 69 13 0f e9 5f cd e6 3e 60 1d b1 85 88 35 e5 5b 45 c4 08 e5 c5

      ciphertext (58 octets):  17 03 03 2c ab 15 5c c6 c1 00 35 9a b0 af 58 6e 95 81 22 3d
         c2 bb 71 4d 5b e3 9f c2 eb 04 31 35 84 82 25 23 6d 39 24 ea d6 07
         33 d0 61 7f 6f b0 9b 71 5e
         f9 10 aa 1e 8c 9a cc bb bc 81 4c 59 9e 8e d3 36 c1 dd

      complete record (58 octets):  17 03 03 00 35 32 d0 30 e2 73 77 3a
         86 96 c7 99 98 1a f6 d8 5a d2 a9 22 d5 c4 18 ba bc ce d0 7f 87 48 fb 6b 3a
         bc 2e 81 56 5e 39 4e 87 c8 67
         f3 3d f3 d6 5b 75 06 f1 a6 26 af 91 d4 82 1d 5f 7a 1f 21 0e f8
         dd 3c 6d 16

   {client}  derive write traffic keys for application data:

      PRK (32 octets):  b3 59 c9 26 e6 22 56 e6 10  74 3e 70 fb bc f9 07 cb
         5e e7 4c 6b 56 20 f8 95 a8 cf 39 09 d1 b0 e8 c0 05 a4 df ff 75 6d 01 95 6c cd 2c
         4b 37 75 84 49 ae c4 1d 98 da e4 49 24 ea a2 99

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key output expanded (16 octets):  de ef 7b 47 f8 c6 cd d2 dc 85 7a cf 80 a4
         67 5d  33 d7 f9 70 97 56 c9 66 48 8a d4 43 84
         37 e6 73

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv output expanded (12 octets):  af  c5 f3 0d 34 b0 ec 8b 9a d9 04 61 f1 ec 04 b2 e9 1b 7d 6c 8e ea 65

   {client}  derive secret "tls13 res master":

      PRK (32 octets):  63 7d 72 8c c3  62 81 21 92 85 68 12 da e2 f7 02 48 80 63 e4 2d e6 c8 50 a5
         c0 82 0b 8a bd 98 9c a3
         7a c7 36 68 0c cb 47 8a 0f 28 11 07 2a 89 88 19 90 90 3e 00 ab c3 18 75 da 03 d4 bc 5b

      hash (32 octets):  e8 2a  a0 21 d3 a0 5b d4 18 a7 72 81 38 75 ef 79 f7 32 a4 90 44 12 3b 22 ce f3 54 b0 af
         68 fb
         db ab 49 f4 b3 a3 ae 5c 5d 34 e0 f1 c5 12 a3 7c 01 32 15 42 7a b7 33 3f 8c 27 72 2a 9f d5

      info (52 octets):  00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73
         74 65 72 20 e8 2a a0 21 d3 a0 5b d4 18 a7 72 81 38 75 ef 79 f7 b0 af 68
         c5 12 32 a4 90 15 42 7a b7 33 3f 8c 27 72 2a 9f d5

      expanded (32 octets):  0b 5d 44 12 3b 22 07 ce f3 54 68 fb a0 a4 2a 3a 81 dd 47 76 47
         b7 fe 91 80 db
         ab 49 f4 b3 a3 ae 5c 5d 34 e0 29 7e 51 14 f1 12 a3 7c 01

      output (32 octets): ad 87 33 e8 d1 4e 96 b4 de f0 0b bb e3 f1 65 92 68
         73 44 5f 2b c0 23 3d e0 98 2b 59 35 ec 89 ca dc 47 50 78 04

   {server}  calculate finished "tls13 finished" (same as client)

   {server}  derive read traffic keys for application data (same as
      client application data write traffic keys)

   {server}  derive secret "tls13 res master" (same as client)

   {client}  send alert record:

      payload (2 octets):  01 00

      ciphertext

      complete record (24 octets):  17 03 03 00 13 5e 7e 60 d9 0f 62 91 55 38 04 1b 9a fd
         34 c2 ad ef 72 cb 00 a8 63 43 2d ba
         23 c4 e2 c5 f7 f8 4e 6f 2e d3 08 3d

   {server}  send alert record:

      payload (2 octets):  01 00

      ciphertext

      complete record (24 octets):  17 03 03 00 13 f8 11 03 38 e0 0b 60 4c f8
         82 5f 93 d6 10 ee b7 25 7b 0f ec af 43 91 f8 69
         d4 f0 9e 3f 89 1e 2a 25 d1 e2 88 45

8.  Security Considerations

   It probably isn't a good idea to use the private key here.  If it
   weren't for the fact that it is too small to provide any meaningful
   security, it is now very well known.

9.  IANA Considerations

   This document makes no requests of IANA.

10.  References

10.1.  Normative References

   [TLS13]    Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", draft-ietf-tls-tls13-28 (work in progress),
              March 2018. RFC 8446, DOI 10.17487/RFC8446, August 2018,
              <https://www.rfc-editor.org/info/rfc8446>.

10.2.  Informative References

   [FIPS186]  National Institute of Standards and Technology (NIST),
              "Digital Signature Standard (DSS)", NIST PUB 186-4 , July
              2013.

   [RFC5869]  Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
              Key Derivation Function (HKDF)", RFC 5869,
              DOI 10.17487/RFC5869, May 2010,
              <https://www.rfc-editor.org/info/rfc5869>.

   [RFC7748]  Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
              for Security", RFC 7748, DOI 10.17487/RFC7748, January
              2016, <https://www.rfc-editor.org/info/rfc7748>.

10.3.  URIs

   [1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS

Appendix A.  Acknowledgements

   This draft is generated using tests that were written for NSS [1].
   None of this would have been possible without Franziskus Kiefer, Eric
   Rescorla and Tim Taubert, who did a lot of the work in NSS.

Author's Address

   Martin Thomson
   Mozilla

   Email: martin.thomson@gmail.com