draft-ietf-tls-tls13-vectors-07.txt   rfc8448.txt 
TLS M. Thomson Internet Engineering Task Force (IETF) M. Thomson
Internet-Draft Mozilla Request for Comments: 8448 Mozilla
Intended status: Informational September 27, 2018 Category: Informational January 2019
Expires: March 31, 2019 ISSN: 2070-1721
Example Handshake Traces for TLS 1.3 Example Handshake Traces for TLS 1.3
draft-ietf-tls-tls13-vectors-07
Abstract Abstract
Examples of TLS 1.3 handshakes are shown. Private keys and inputs This document includes examples of TLS 1.3 handshakes. Private keys
are provided so that these handshakes might be reproduced. and inputs are provided so that these handshakes might be reproduced.
Intermediate values, including secrets, traffic keys and IVs are Intermediate values, including secrets, traffic keys, and IVs, are
shown so that implementations might be checked incrementally against shown so that implementations might be checked incrementally against
these values. these values.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This document is not an Internet Standards Track specification; it is
provisions of BCP 78 and BCP 79. published for informational purposes.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are candidates for any level of Internet
Standard; see Section 2 of RFC 7841.
This Internet-Draft will expire on March 31, 2019. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc8448.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Private Keys . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Private Keys . . . . . . . . . . . . . . . . . . . . . . . . 2
3. Simple 1-RTT Handshake . . . . . . . . . . . . . . . . . . . 3 3. Simple 1-RTT Handshake . . . . . . . . . . . . . . . . . . . 3
4. Resumed 0-RTT Handshake . . . . . . . . . . . . . . . . . . . 16 4. Resumed 0-RTT Handshake . . . . . . . . . . . . . . . . . . . 16
5. HelloRetryRequest . . . . . . . . . . . . . . . . . . . . . . 29 5. HelloRetryRequest . . . . . . . . . . . . . . . . . . . . . . 29
6. Client Authentication . . . . . . . . . . . . . . . . . . . . 42 6. Client Authentication . . . . . . . . . . . . . . . . . . . . 43
7. Compatibility Mode . . . . . . . . . . . . . . . . . . . . . 55 7. Compatibility Mode . . . . . . . . . . . . . . . . . . . . . 55
8. Security Considerations . . . . . . . . . . . . . . . . . . . 66 8. Security Considerations . . . . . . . . . . . . . . . . . . . 67
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 66 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 67
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 66 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 67
10.1. Normative References . . . . . . . . . . . . . . . . . . 66 10.1. Normative References . . . . . . . . . . . . . . . . . . 67
10.2. Informative References . . . . . . . . . . . . . . . . . 66 10.2. Informative References . . . . . . . . . . . . . . . . . 67
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 67 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 68
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 67 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 68
1. Introduction 1. Introduction
TLS 1.3 [TLS13] defines a new key schedule and a number of new TLS 1.3 [TLS13] defines a new key schedule and a number of new
cryptographic operations. This document includes sample handshakes cryptographic operations. This document includes sample handshakes
that show all intermediate values. This allows an implementation to that show all intermediate values. This allows an implementation to
be verified incrementally, examining inputs and outputs of each be verified incrementally, examining inputs and outputs of each
cryptographic computation independently. cryptographic computation independently.
A private key is included with the traces so that implementations can A private key is included with the traces so that implementations can
be checked by importing these values and verifying that the same be checked by importing these values and verifying that the same
outputs are produced. outputs are produced.
Note: Invocations of HMAC-based Extract-and-Expand Key Derivation Note: Invocations of HMAC-based Extract-and-Expand Key Derivation
Function (HKDF) [RFC5869] are not labelled, but can be identified Function (HKDF) [RFC5869] are not labeled, but they can be
through the use of the labels used by HKDF. identified through the use of the labels used by HKDF.
2. Private Keys 2. Private Keys
Ephemeral private keys are shown as they are generated in the traces. Ephemeral private keys are shown as they are generated in the traces.
The server in most examples uses an RSA certificate with a private The server in most examples uses an RSA certificate with a private
key of: key of:
modulus (public): b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c modulus (public): b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c
0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab 0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab
skipping to change at page 4, line 5 skipping to change at page 4, line 5
resumed session. resumed session.
{client} create an ephemeral x25519 key pair: {client} create an ephemeral x25519 key pair:
private key (32 octets): 49 af 42 ba 7f 79 94 85 2d 71 3e f2 78 private key (32 octets): 49 af 42 ba 7f 79 94 85 2d 71 3e f2 78
4b cb ca a7 91 1d e2 6a dc 56 42 cb 63 45 40 e7 ea 50 05 4b cb ca a7 91 1d e2 6a dc 56 42 cb 63 45 40 e7 ea 50 05
public key (32 octets): 99 38 1d e5 60 e4 bd 43 d2 3d 8e 43 5a 7d public key (32 octets): 99 38 1d e5 60 e4 bd 43 d2 3d 8e 43 5a 7d
ba fe b3 c0 6e 51 c1 3c ae 4d 54 13 69 1e 52 9a af 2c ba fe b3 c0 6e 51 c1 3c ae 4d 54 13 69 1e 52 9a af 2c
{client} construct a ClientHello handshake message {client} construct a ClientHello handshake message:
ClientHello (196 octets): 01 00 00 c0 03 03 cb 34 ec b1 e7 81 63 ClientHello (196 octets): 01 00 00 c0 03 03 cb 34 ec b1 e7 81 63
ba 1c 38 c6 da cb 19 6a 6d ff a2 1a 8d 99 12 ec 18 a2 ef 62 83 ba 1c 38 c6 da cb 19 6a 6d ff a2 1a 8d 99 12 ec 18 a2 ef 62 83
02 4d ec e7 00 00 06 13 01 13 03 13 02 01 00 00 91 00 00 00 0b 02 4d ec e7 00 00 06 13 01 13 03 13 02 01 00 00 91 00 00 00 0b
00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00
12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 23 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 23
00 00 00 33 00 26 00 24 00 1d 00 20 99 38 1d e5 60 e4 bd 43 d2 00 00 00 33 00 26 00 24 00 1d 00 20 99 38 1d e5 60 e4 bd 43 d2
3d 8e 43 5a 7d ba fe b3 c0 6e 51 c1 3c ae 4d 54 13 69 1e 52 9a 3d 8e 43 5a 7d ba fe b3 c0 6e 51 c1 3c ae 4d 54 13 69 1e 52 9a
af 2c 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03 af 2c 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03
02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06
skipping to change at page 5, line 11 skipping to change at page 5, line 13
e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a
{server} create an ephemeral x25519 key pair: {server} create an ephemeral x25519 key pair:
private key (32 octets): b1 58 0e ea df 6d d5 89 b8 ef 4f 2d 56 private key (32 octets): b1 58 0e ea df 6d d5 89 b8 ef 4f 2d 56
52 57 8c c8 10 e9 98 01 91 ec 8d 05 83 08 ce a2 16 a2 1e 52 57 8c c8 10 e9 98 01 91 ec 8d 05 83 08 ce a2 16 a2 1e
public key (32 octets): c9 82 88 76 11 20 95 fe 66 76 2b db f7 c6 public key (32 octets): c9 82 88 76 11 20 95 fe 66 76 2b db f7 c6
72 e1 56 d6 cc 25 3b 83 3d f1 dd 69 b1 b0 4e 75 1f 0f 72 e1 56 d6 cc 25 3b 83 3d f1 dd 69 b1 b0 4e 75 1f 0f
{server} construct a ServerHello handshake message {server} construct a ServerHello handshake message:
ServerHello (90 octets): 02 00 00 56 03 03 a6 af 06 a4 12 18 60 ServerHello (90 octets): 02 00 00 56 03 03 a6 af 06 a4 12 18 60
dc 5e 6e 60 24 9c d3 4c 95 93 0c 8a c5 cb 14 34 da c1 55 77 2e dc 5e 6e 60 24 9c d3 4c 95 93 0c 8a c5 cb 14 34 da c1 55 77 2e
d3 e2 69 28 00 13 01 00 00 2e 00 33 00 24 00 1d 00 20 c9 82 88 d3 e2 69 28 00 13 01 00 00 2e 00 33 00 24 00 1d 00 20 c9 82 88
76 11 20 95 fe 66 76 2b db f7 c6 72 e1 56 d6 cc 25 3b 83 3d f1 76 11 20 95 fe 66 76 2b db f7 c6 72 e1 56 d6 cc 25 3b 83 3d f1
dd 69 b1 b0 4e 75 1f 0f 00 2b 00 02 03 04 dd 69 b1 b0 4e 75 1f 0f 00 2b 00 02 03 04
{server} derive secret for handshake "tls13 derived": {server} derive secret for handshake "tls13 derived":
PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
skipping to change at page 7, line 33 skipping to change at page 7, line 36
key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
key expanded (16 octets): 3f ce 51 60 09 c2 17 27 d0 f2 e4 e8 6e key expanded (16 octets): 3f ce 51 60 09 c2 17 27 d0 f2 e4 e8 6e
e4 03 bc e4 03 bc
iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
iv expanded (12 octets): 5d 31 3e b2 67 12 76 ee 13 00 0b 30 iv expanded (12 octets): 5d 31 3e b2 67 12 76 ee 13 00 0b 30
{server} construct a EncryptedExtensions handshake message {server} construct an EncryptedExtensions handshake message:
EncryptedExtensions (40 octets): 08 00 00 24 00 22 00 0a 00 14 00 EncryptedExtensions (40 octets): 08 00 00 24 00 22 00 0a 00 14 00
12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c
00 02 40 01 00 00 00 00 00 02 40 01 00 00 00 00
{server} construct a Certificate handshake message {server} construct a Certificate handshake message:
Certificate (445 octets): 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82 Certificate (445 octets): 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82
01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48
86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03
72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17 72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17
0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06
03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7 03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7
0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f
82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26
d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c
skipping to change at page 8, line 15 skipping to change at page 8, line 18
01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06
03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01
01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a
72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea 72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea
e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01
51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be 51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be
c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b
1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8
96 12 29 ac 91 87 b4 2b 4d e1 00 00 96 12 29 ac 91 87 b4 2b 4d e1 00 00
{server} construct a CertificateVerify handshake message {server} construct a CertificateVerify handshake message:
CertificateVerify (136 octets): 0f 00 00 84 08 04 00 80 5a 74 7c CertificateVerify (136 octets): 0f 00 00 84 08 04 00 80 5a 74 7c
5d 88 fa 9b d2 e5 5a b0 85 a6 10 15 b7 21 1f 82 4c d4 84 14 5a 5d 88 fa 9b d2 e5 5a b0 85 a6 10 15 b7 21 1f 82 4c d4 84 14 5a
b3 ff 52 f1 fd a8 47 7b 0b 7a bc 90 db 78 e2 d3 3a 5c 14 1a 07 b3 ff 52 f1 fd a8 47 7b 0b 7a bc 90 db 78 e2 d3 3a 5c 14 1a 07
86 53 fa 6b ef 78 0c 5e a2 48 ee aa a7 85 c4 f3 94 ca b6 d3 0b 86 53 fa 6b ef 78 0c 5e a2 48 ee aa a7 85 c4 f3 94 ca b6 d3 0b
be 8d 48 59 ee 51 1f 60 29 57 b1 54 11 ac 02 76 71 45 9e 46 44 be 8d 48 59 ee 51 1f 60 29 57 b1 54 11 ac 02 76 71 45 9e 46 44
5c 9e a5 8c 18 1e 81 8e 95 b8 c3 fb 0b f3 27 84 09 d3 be 15 2a 5c 9e a5 8c 18 1e 81 8e 95 b8 c3 fb 0b f3 27 84 09 d3 be 15 2a
3d a5 04 3e 06 3d da 65 cd f5 ae a2 0d 53 df ac d4 2f 74 f3 3d a5 04 3e 06 3d da 65 cd f5 ae a2 0d 53 df ac d4 2f 74 f3
{server} calculate finished "tls13 finished": {server} calculate finished "tls13 finished":
skipping to change at page 8, line 41 skipping to change at page 8, line 44
info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
64 00 64 00
expanded (32 octets): 00 8d 3b 66 f8 16 ea 55 9f 96 b5 37 e8 85 expanded (32 octets): 00 8d 3b 66 f8 16 ea 55 9f 96 b5 37 e8 85
c3 1f c0 68 bf 49 2c 65 2f 01 f2 88 a1 d8 cd c1 9f c8 c3 1f c0 68 bf 49 2c 65 2f 01 f2 88 a1 d8 cd c1 9f c8
finished (32 octets): 9b 9b 14 1d 90 63 37 fb d2 cb dc e7 1d f4 finished (32 octets): 9b 9b 14 1d 90 63 37 fb d2 cb dc e7 1d f4
de da 4a b4 2c 30 95 72 cb 7f ff ee 54 54 b7 8f 07 18 de da 4a b4 2c 30 95 72 cb 7f ff ee 54 54 b7 8f 07 18
{server} construct a Finished handshake message {server} construct a Finished handshake message:
Finished (36 octets): 14 00 00 20 9b 9b 14 1d 90 63 37 fb d2 cb Finished (36 octets): 14 00 00 20 9b 9b 14 1d 90 63 37 fb d2 cb
dc e7 1d f4 de da 4a b4 2c 30 95 72 cb 7f ff ee 54 54 b7 8f 07 dc e7 1d f4 de da 4a b4 2c 30 95 72 cb 7f ff ee 54 54 b7 8f 07
18 18
{server} send handshake record: {server} send handshake record:
payload (657 octets): 08 00 00 24 00 22 00 0a 00 14 00 12 00 1d payload (657 octets): 08 00 00 24 00 22 00 0a 00 14 00 12 00 1d
00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 00 02 40 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 00 02 40
01 00 00 00 00 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30 01 00 00 00 00 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30
skipping to change at page 13, line 11 skipping to change at page 13, line 16
info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
64 00 64 00
expanded (32 octets): b8 0a d0 10 15 fb 2f 0b d6 5f f7 d4 da 5d expanded (32 octets): b8 0a d0 10 15 fb 2f 0b d6 5f f7 d4 da 5d
6b f8 3f 84 82 1d 1f 87 fd c7 d3 c7 5b 5a 7b 42 d9 c4 6b f8 3f 84 82 1d 1f 87 fd c7 d3 c7 5b 5a 7b 42 d9 c4
finished (32 octets): a8 ec 43 6d 67 76 34 ae 52 5a c1 fc eb e1 finished (32 octets): a8 ec 43 6d 67 76 34 ae 52 5a c1 fc eb e1
1a 03 9e c1 76 94 fa c6 e9 85 27 b6 42 f2 ed d5 ce 61 1a 03 9e c1 76 94 fa c6 e9 85 27 b6 42 f2 ed d5 ce 61
{client} construct a Finished handshake message {client} construct a Finished handshake message:
Finished (36 octets): 14 00 00 20 a8 ec 43 6d 67 76 34 ae 52 5a Finished (36 octets): 14 00 00 20 a8 ec 43 6d 67 76 34 ae 52 5a
c1 fc eb e1 1a 03 9e c1 76 94 fa c6 e9 85 27 b6 42 f2 ed d5 ce c1 fc eb e1 1a 03 9e c1 76 94 fa c6 e9 85 27 b6 42 f2 ed d5 ce
61 61
{client} send handshake record: {client} send handshake record:
payload (36 octets): 14 00 00 20 a8 ec 43 6d 67 76 34 ae 52 5a c1 payload (36 octets): 14 00 00 20 a8 ec 43 6d 67 76 34 ae 52 5a c1
fc eb e1 1a 03 9e c1 76 94 fa c6 e9 85 27 b6 42 f2 ed d5 ce 61 fc eb e1 1a 03 9e c1 76 94 fa c6 e9 85 27 b6 42 f2 ed d5 ce 61
skipping to change at page 14, line 28 skipping to change at page 14, line 32
da f8 6c c8 56 23 1f 2d 5a ba 46 c4 34 ec 19 6c da f8 6c c8 56 23 1f 2d 5a ba 46 c4 34 ec 19 6c
hash (2 octets): 00 00 hash (2 octets): 00 00
info (22 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 75 6d 70 74 info (22 octets): 00 20 10 74 6c 73 31 33 20 72 65 73 75 6d 70 74
69 6f 6e 02 00 00 69 6f 6e 02 00 00
expanded (32 octets): 4e cd 0e b6 ec 3b 4d 87 f5 d6 02 8f 92 2c expanded (32 octets): 4e cd 0e b6 ec 3b 4d 87 f5 d6 02 8f 92 2c
a4 c5 85 1a 27 7f d4 13 11 c9 e6 2d 2c 94 92 e1 c4 f3 a4 c5 85 1a 27 7f d4 13 11 c9 e6 2d 2c 94 92 e1 c4 f3
{server} construct a NewSessionTicket handshake message {server} construct a NewSessionTicket handshake message:
NewSessionTicket (205 octets): 04 00 00 c9 00 00 00 1e fa d6 aa NewSessionTicket (205 octets): 04 00 00 c9 00 00 00 1e fa d6 aa
c5 02 00 00 00 b2 2c 03 5d 82 93 59 ee 5f f7 af 4e c9 00 00 00 c5 02 00 00 00 b2 2c 03 5d 82 93 59 ee 5f f7 af 4e c9 00 00 00
00 26 2a 64 94 dc 48 6d 2c 8a 34 cb 33 fa 90 bf 1b 00 70 ad 3c 00 26 2a 64 94 dc 48 6d 2c 8a 34 cb 33 fa 90 bf 1b 00 70 ad 3c
49 88 83 c9 36 7c 09 a2 be 78 5a bc 55 cd 22 60 97 a3 a9 82 11 49 88 83 c9 36 7c 09 a2 be 78 5a bc 55 cd 22 60 97 a3 a9 82 11
72 83 f8 2a 03 a1 43 ef d3 ff 5d d3 6d 64 e8 61 be 7f d6 1d 28 72 83 f8 2a 03 a1 43 ef d3 ff 5d d3 6d 64 e8 61 be 7f d6 1d 28
27 db 27 9c ce 14 50 77 d4 54 a3 66 4d 4e 6d a4 d2 9e e0 37 25 27 db 27 9c ce 14 50 77 d4 54 a3 66 4d 4e 6d a4 d2 9e e0 37 25
a6 a4 da fc d0 fc 67 d2 ae a7 05 29 51 3e 3d a2 67 7f a5 90 6c a6 a4 da fc d0 fc 67 d2 ae a7 05 29 51 3e 3d a2 67 7f a5 90 6c
5b 3f 7d 8f 92 f2 28 bd a4 0d da 72 14 70 f9 fb f2 97 b5 ae a6 5b 3f 7d 8f 92 f2 28 bd a4 0d da 72 14 70 f9 fb f2 97 b5 ae a6
17 64 6f ac 5c 03 27 2e 97 07 27 c6 21 a7 91 41 ef 5f 7d e6 50 17 64 6f ac 5c 03 27 2e 97 07 27 c6 21 a7 91 41 ef 5f 7d e6 50
skipping to change at page 16, line 18 skipping to change at page 16, line 20
complete record (24 octets): 17 03 03 00 13 b5 8f d6 71 66 eb f5 complete record (24 octets): 17 03 03 00 13 b5 8f d6 71 66 eb f5
99 d2 47 20 cf be 7e fa 7a 88 64 a9 99 d2 47 20 cf be 7e fa 7a 88 64 a9
4. Resumed 0-RTT Handshake 4. Resumed 0-RTT Handshake
This handshake resumes from the handshake in Section 3. Since the This handshake resumes from the handshake in Section 3. Since the
server provided a session ticket that permitted 0-RTT, and the client server provided a session ticket that permitted 0-RTT, and the client
is configured for 0-RTT, the client is able to send 0-RTT data. is configured for 0-RTT, the client is able to send 0-RTT data.
Note: The PSK binder uses the same construction as Finished and so is
labeled as finished here.
{client} create an ephemeral x25519 key pair: {client} create an ephemeral x25519 key pair:
private key (32 octets): bf f9 11 88 28 38 46 dd 6a 21 34 ef 71 private key (32 octets): bf f9 11 88 28 38 46 dd 6a 21 34 ef 71
80 ca 2b 0b 14 fb 10 dc e7 07 b5 09 8c 0d dd c8 13 b2 df 80 ca 2b 0b 14 fb 10 dc e7 07 b5 09 8c 0d dd c8 13 b2 df
public key (32 octets): e4 ff b6 8a c0 5f 8d 96 c9 9d a2 66 98 34 public key (32 octets): e4 ff b6 8a c0 5f 8d 96 c9 9d a2 66 98 34
6c 6b e1 64 82 ba dd da fe 05 1a 66 b4 f1 8d 66 8f 0b 6c 6b e1 64 82 ba dd da fe 05 1a 66 b4 f1 8d 66 8f 0b
{client} extract secret "early": {client} extract secret "early":
salt: 0 (all zero octets) salt: 0 (all zero octets)
IKM (32 octets): 4e cd 0e b6 ec 3b 4d 87 f5 d6 02 8f 92 2c a4 c5 IKM (32 octets): 4e cd 0e b6 ec 3b 4d 87 f5 d6 02 8f 92 2c a4 c5
85 1a 27 7f d4 13 11 c9 e6 2d 2c 94 92 e1 c4 f3 85 1a 27 7f d4 13 11 c9 e6 2d 2c 94 92 e1 c4 f3
secret (32 octets): 9b 21 88 e9 b2 fc 6d 64 d7 1d c3 29 90 0e 20 secret (32 octets): 9b 21 88 e9 b2 fc 6d 64 d7 1d c3 29 90 0e 20
bb 41 91 50 00 f6 78 aa 83 9c bb 79 7c b7 d8 33 2c bb 41 91 50 00 f6 78 aa 83 9c bb 79 7c b7 d8 33 2c
{client} construct a ClientHello handshake message {client} construct a ClientHello handshake message:
ClientHello (477 octets): 01 00 01 fc 03 03 1b c3 ce b6 bb e3 9c ClientHello (477 octets): 01 00 01 fc 03 03 1b c3 ce b6 bb e3 9c
ff 93 83 55 b5 a5 0a db 6d b2 1b 7a 6a f6 49 d7 b4 bc 41 9d 78 ff 93 83 55 b5 a5 0a db 6d b2 1b 7a 6a f6 49 d7 b4 bc 41 9d 78
76 48 7d 95 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 76 48 7d 95 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b
00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00
12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33
00 26 00 24 00 1d 00 20 e4 ff b6 8a c0 5f 8d 96 c9 9d a2 66 98 00 26 00 24 00 1d 00 20 e4 ff b6 8a c0 5f 8d 96 c9 9d a2 66 98
34 6c 6b e1 64 82 ba dd da fe 05 1a 66 b4 f1 8d 66 8f 0b 00 2a 34 6c 6b e1 64 82 ba dd da fe 05 1a 66 b4 f1 8d 66 8f 0b 00 2a
00 00 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03 00 00 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03
02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06
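Review bot: the Note added at the top of Section 4 ("The PSK binder uses the same construction as Finished and so is labeled as finished here.") does not give the string a reader should search for. The Section 5 note names its label exactly as it appears in the trace (ServerHello). Quoting the label here the way the steps print it ("tls13 finished") would let a reader match the note to the binder calculation without guessing at capitalization.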
skipping to change at page 20, line 23 skipping to change at page 20, line 28
{client} send application_data record: {client} send application_data record:
payload (6 octets): 41 42 43 44 45 46 payload (6 octets): 41 42 43 44 45 46
complete record (28 octets): 17 03 03 00 17 ab 1d f4 20 e7 5c 45 complete record (28 octets): 17 03 03 00 17 ab 1d f4 20 e7 5c 45
7a 7c c5 d2 84 4f 76 d5 ae e4 b4 ed bf 04 9b e0 7a 7c c5 d2 84 4f 76 d5 ae e4 b4 ed bf 04 9b e0
{server} extract secret "early" (same as client early secret) {server} extract secret "early" (same as client early secret)
{server} calculate PSK binder (same as client) {server} calculate PSK binder (same as client):
{server} create an ephemeral x25519 key pair: {server} create an ephemeral x25519 key pair:
private key (32 octets): de 5b 44 76 e7 b4 90 b2 65 2d 33 8a cb private key (32 octets): de 5b 44 76 e7 b4 90 b2 65 2d 33 8a cb
f2 94 80 66 f2 55 f9 44 0e 23 b9 8f c6 98 35 29 8d c1 07 f2 94 80 66 f2 55 f9 44 0e 23 b9 8f c6 98 35 29 8d c1 07
public key (32 octets): 12 17 61 ee 42 c3 33 e1 b9 e7 7b 60 dd 57 public key (32 octets): 12 17 61 ee 42 c3 33 e1 b9 e7 7b 60 dd 57
c2 05 3c d9 45 12 ab 47 f1 15 e8 6e ff 50 94 2c ea 31 c2 05 3c d9 45 12 ab 47 f1 15 e8 6e ff 50 94 2c ea 31
{server} derive secret "tls13 c e traffic" (same as client) {server} derive secret "tls13 c e traffic" (same as client)
{server} derive secret "tls13 e exp master" (same as client) {server} derive secret "tls13 e exp master" (same as client)
{server} construct a ServerHello handshake message {server} construct a ServerHello handshake message:
ServerHello (96 octets): 02 00 00 5c 03 03 3c cf d2 de c8 90 22 ServerHello (96 octets): 02 00 00 5c 03 03 3c cf d2 de c8 90 22
27 63 47 2a e8 13 67 77 c9 d7 35 87 77 bb 66 e9 1e a5 12 24 95 27 63 47 2a e8 13 67 77 c9 d7 35 87 77 bb 66 e9 1e a5 12 24 95
f5 59 ea 2d 00 13 01 00 00 34 00 29 00 02 00 00 00 33 00 24 00 f5 59 ea 2d 00 13 01 00 00 34 00 29 00 02 00 00 00 33 00 24 00
1d 00 20 12 17 61 ee 42 c3 33 e1 b9 e7 7b 60 dd 57 c2 05 3c d9 1d 00 20 12 17 61 ee 42 c3 33 e1 b9 e7 7b 60 dd 57 c2 05 3c d9
45 12 ab 47 f1 15 e8 6e ff 50 94 2c ea 31 00 2b 00 02 03 04 45 12 ab 47 f1 15 e8 6e ff 50 94 2c ea 31 00 2b 00 02 03 04
{server} derive secret for handshake "tls13 derived": {server} derive secret for handshake "tls13 derived":
PRK (32 octets): 9b 21 88 e9 b2 fc 6d 64 d7 1d c3 29 90 0e 20 bb PRK (32 octets): 9b 21 88 e9 b2 fc 6d 64 d7 1d c3 29 90 0e 20 bb
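Review bot: on the RFC side the step "{server} calculate PSK binder (same as client)" gains a trailing colon, but no value follows it; the next line is the x25519 key-pair step. The other "(same as ...)" steps in this region (extract secret "early", derive secret "tls13 c e traffic", derive secret "tls13 e exp master") end without a colon, and colons are otherwise added only to steps that introduce octets. Drop the colon here, or list the binder value if it was meant to be shown.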
skipping to change at page 23, line 4 skipping to change at page 23, line 11
00 00 33 00 24 00 1d 00 20 12 17 61 ee 42 c3 33 e1 b9 e7 7b 60 00 00 33 00 24 00 1d 00 20 12 17 61 ee 42 c3 33 e1 b9 e7 7b 60
dd 57 c2 05 3c d9 45 12 ab 47 f1 15 e8 6e ff 50 94 2c ea 31 00 dd 57 c2 05 3c d9 45 12 ab 47 f1 15 e8 6e ff 50 94 2c ea 31 00
2b 00 02 03 04 2b 00 02 03 04
{server} derive write traffic keys for handshake data: {server} derive write traffic keys for handshake data:
PRK (32 octets): fe 92 7a e2 71 31 2e 8b f0 27 5b 58 1c 54 ee f0 PRK (32 octets): fe 92 7a e2 71 31 2e 8b f0 27 5b 58 1c 54 ee f0
20 45 0d c4 ec ff aa 05 a1 a3 5d 27 51 8e 78 03 20 45 0d c4 ec ff aa 05 a1 a3 5d 27 51 8e 78 03
key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
key expanded (16 octets): 27 c6 bd c0 a3 dc ea 39 a4 73 26 d7 9b key expanded (16 octets): 27 c6 bd c0 a3 dc ea 39 a4 73 26 d7 9b
c9 e4 ee c9 e4 ee
iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
iv expanded (12 octets): 95 69 ec dd 4d 05 36 70 5e 9e f7 25 iv expanded (12 octets): 95 69 ec dd 4d 05 36 70 5e 9e f7 25
{server} construct a EncryptedExtensions handshake message {server} construct an EncryptedExtensions handshake message:
EncryptedExtensions (44 octets): 08 00 00 28 00 26 00 0a 00 14 00 EncryptedExtensions (44 octets): 08 00 00 28 00 26 00 0a 00 14 00
12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c
00 02 40 01 00 00 00 00 00 2a 00 00 00 02 40 01 00 00 00 00 00 2a 00 00
{server} calculate finished "tls13 finished": {server} calculate finished "tls13 finished":
PRK (32 octets): fe 92 7a e2 71 31 2e 8b f0 27 5b 58 1c 54 ee f0 PRK (32 octets): fe 92 7a e2 71 31 2e 8b f0 27 5b 58 1c 54 ee f0
20 45 0d c4 ec ff aa 05 a1 a3 5d 27 51 8e 78 03 20 45 0d c4 ec ff aa 05 a1 a3 5d 27 51 8e 78 03
skipping to change at page 23, line 33 skipping to change at page 23, line 41
info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
64 00 64 00
expanded (32 octets): 4b b7 4c ae 7a 5d c8 91 46 04 c0 bf be 2f expanded (32 octets): 4b b7 4c ae 7a 5d c8 91 46 04 c0 bf be 2f
0c 06 23 96 88 39 22 be c8 a1 5e 2a 9b 53 2a 5d 39 2c 0c 06 23 96 88 39 22 be c8 a1 5e 2a 9b 53 2a 5d 39 2c
finished (32 octets): 48 d3 e0 e1 b3 d9 07 c6 ac ff 14 5e 16 09 finished (32 octets): 48 d3 e0 e1 b3 d9 07 c6 ac ff 14 5e 16 09
03 88 c7 7b 05 c0 50 b6 34 ab 1a 88 bb d0 dd 1a 34 b2 03 88 c7 7b 05 c0 50 b6 34 ab 1a 88 bb d0 dd 1a 34 b2
{server} construct a Finished handshake message {server} construct a Finished handshake message:
Finished (36 octets): 14 00 00 20 48 d3 e0 e1 b3 d9 07 c6 ac ff Finished (36 octets): 14 00 00 20 48 d3 e0 e1 b3 d9 07 c6 ac ff
14 5e 16 09 03 88 c7 7b 05 c0 50 b6 34 ab 1a 88 bb d0 dd 1a 34 14 5e 16 09 03 88 c7 7b 05 c0 50 b6 34 ab 1a 88 bb d0 dd 1a 34
b2 b2
{server} send handshake record: {server} send handshake record:
payload (80 octets): 08 00 00 28 00 26 00 0a 00 14 00 12 00 1d 00 payload (80 octets): 08 00 00 28 00 26 00 0a 00 14 00 12 00 1d 00
17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 00 02 40 01 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 00 02 40 01
00 00 00 00 00 2a 00 00 14 00 00 20 48 d3 e0 e1 b3 d9 07 c6 ac 00 00 00 00 00 2a 00 00 14 00 00 20 48 d3 e0 e1 b3 d9 07 c6 ac
skipping to change at page 26, line 4 skipping to change at page 26, line 20
{client} derive secret "tls13 s hs traffic" (same as server) {client} derive secret "tls13 s hs traffic" (same as server)
{client} derive secret for master "tls13 derived" (same as server) {client} derive secret for master "tls13 derived" (same as server)
{client} extract secret "master" (same as server master secret) {client} extract secret "master" (same as server master secret)
{client} derive read traffic keys for handshake data (same as server {client} derive read traffic keys for handshake data (same as server
handshake data write traffic keys) handshake data write traffic keys)
{client} calculate finished "tls13 finished" (same as server) {client} calculate finished "tls13 finished" (same as server)
{client} derive secret "tls13 c ap traffic" (same as server) {client} derive secret "tls13 c ap traffic" (same as server)
{client} derive secret "tls13 s ap traffic" (same as server) {client} derive secret "tls13 s ap traffic" (same as server)
{client} derive secret "tls13 exp master" (same as server) {client} derive secret "tls13 exp master" (same as server)
{client} construct a EndOfEarlyData handshake message {client} construct an EndOfEarlyData handshake message:
EndOfEarlyData (4 octets): 05 00 00 00 EndOfEarlyData (4 octets): 05 00 00 00
{client} send handshake record: {client} send handshake record:
payload (4 octets): 05 00 00 00 payload (4 octets): 05 00 00 00
complete record (26 octets): 17 03 03 00 15 ac a6 fc 94 48 41 29 complete record (26 octets): 17 03 03 00 15 ac a6 fc 94 48 41 29
8d f9 95 93 72 5f 9b f9 75 44 29 b1 2f 09 8d f9 95 93 72 5f 9b f9 75 44 29 b1 2f 09
skipping to change at page 27, line 8 skipping to change at page 27, line 24
info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
64 00 64 00
expanded (32 octets): 5a ce 39 4c 26 98 0d 58 12 43 f6 27 d1 15 expanded (32 octets): 5a ce 39 4c 26 98 0d 58 12 43 f6 27 d1 15
0a e2 7e 37 fa 52 36 4e 0a 7f 20 ac 68 6d 09 cd 0e 8e 0a e2 7e 37 fa 52 36 4e 0a 7f 20 ac 68 6d 09 cd 0e 8e
finished (32 octets): 72 30 a9 c9 52 c2 5c d6 13 8f c5 e6 62 83 finished (32 octets): 72 30 a9 c9 52 c2 5c d6 13 8f c5 e6 62 83
08 c4 1c 53 35 dd 81 b9 f9 6b ce a5 0f d3 2b da 41 6d 08 c4 1c 53 35 dd 81 b9 f9 6b ce a5 0f d3 2b da 41 6d
{client} construct a Finished handshake message {client} construct a Finished handshake message:
Finished (36 octets): 14 00 00 20 72 30 a9 c9 52 c2 5c d6 13 8f Finished (36 octets): 14 00 00 20 72 30 a9 c9 52 c2 5c d6 13 8f
c5 e6 62 83 08 c4 1c 53 35 dd 81 b9 f9 6b ce a5 0f d3 2b da 41 c5 e6 62 83 08 c4 1c 53 35 dd 81 b9 f9 6b ce a5 0f d3 2b da 41
6d 6d
{client} send handshake record: {client} send handshake record:
payload (36 octets): 14 00 00 20 72 30 a9 c9 52 c2 5c d6 13 8f c5 payload (36 octets): 14 00 00 20 72 30 a9 c9 52 c2 5c d6 13 8f c5
e6 62 83 08 c4 1c 53 35 dd 81 b9 f9 6b ce a5 0f d3 2b da 41 6d e6 62 83 08 c4 1c 53 35 dd 81 b9 f9 6b ce a5 0f d3 2b da 41 6d
skipping to change at page 29, line 8 skipping to change at page 29, line 22
{server} send alert record: {server} send alert record:
payload (2 octets): 01 00 payload (2 octets): 01 00
complete record (24 octets): 17 03 03 00 13 5b 18 af 44 4e 8e 1e complete record (24 octets): 17 03 03 00 13 5b 18 af 44 4e 8e 1e
ec 71 58 fb 62 d8 f2 57 7d 37 ba 5d ec 71 58 fb 62 d8 f2 57 7d 37 ba 5d
5. HelloRetryRequest 5. HelloRetryRequest
In this example, the client initiates a handshake with an X25519 In this example, the client initiates a handshake with an X25519
[RFC7748] share. The server however prefers P-256 [FIPS186] and [RFC7748] share. The server, however, prefers P-256
sends a HelloRetryRequest that requires the client to generate a key [FIPS.186-4.2013] and sends a HelloRetryRequest that requires the
share on the P-256 curve. client to generate a key share on the P-256 curve.
Note: The HelloRetryRequest uses the same handshake message type as Note: The HelloRetryRequest uses the same handshake message type as
a ServerHello and so is labeled as ServerHello here. a ServerHello and so is labeled as ServerHello here.
{client} create an ephemeral x25519 key pair: {client} create an ephemeral x25519 key pair:
private key (32 octets): 0e d0 2f 8e 81 17 ef c7 5c a7 ac 32 aa private key (32 octets): 0e d0 2f 8e 81 17 ef c7 5c a7 ac 32 aa
7e 34 ed a6 4c dc 0d da d1 54 a5 e8 52 89 f9 59 f6 32 04 7e 34 ed a6 4c dc 0d da d1 54 a5 e8 52 89 f9 59 f6 32 04
public key (32 octets): e8 e8 e3 f3 b9 3a 25 ed 97 a1 4a 7d ca cb public key (32 octets): e8 e8 e3 f3 b9 3a 25 ed 97 a1 4a 7d ca cb
8a 27 2c 62 88 e5 85 c6 48 4d 05 26 2f ca d0 62 ad 1f 8a 27 2c 62 88 e5 85 c6 48 4d 05 26 2f ca d0 62 ad 1f
{client} construct a ClientHello handshake message {client} construct a ClientHello handshake message:
ClientHello (180 octets): 01 00 00 b0 03 03 b0 b1 c5 a5 aa 37 c5 ClientHello (180 octets): 01 00 00 b0 03 03 b0 b1 c5 a5 aa 37 c5
91 9f 2e d1 d5 c6 ff f7 fc b7 84 97 16 94 5a 2b 8c ee 92 58 a3 91 9f 2e d1 d5 c6 ff f7 fc b7 84 97 16 94 5a 2b 8c ee 92 58 a3
46 67 7b 6f 00 00 06 13 01 13 03 13 02 01 00 00 81 00 00 00 0b 46 67 7b 6f 00 00 06 13 01 13 03 13 02 01 00 00 81 00 00 00 0b
00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00
06 00 1d 00 17 00 18 00 33 00 26 00 24 00 1d 00 20 e8 e8 e3 f3 06 00 1d 00 17 00 18 00 33 00 26 00 24 00 1d 00 20 e8 e8 e3 f3
b9 3a 25 ed 97 a1 4a 7d ca cb 8a 27 2c 62 88 e5 85 c6 48 4d 05 b9 3a 25 ed 97 a1 4a 7d ca cb 8a 27 2c 62 88 e5 85 c6 48 4d 05
26 2f ca d0 62 ad 1f 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 26 2f ca d0 62 ad 1f 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04
03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01
04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01
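Review bot: the Section 5 introduction writes the curve name as "X25519" while the trace label two lines later still reads "create an ephemeral x25519 key pair:" in both columns; pick one spelling (RFC 7748 uses "X25519") and apply it to the trace labels as well. The same paragraph renames the citation tag from [FIPS186] to [FIPS.186-4.2013], so confirm the entry in the References section and any other citation of it carry the new tag.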
skipping to change at page 30, line 9 skipping to change at page 30, line 28
b1 c5 a5 aa 37 c5 91 9f 2e d1 d5 c6 ff f7 fc b7 84 97 16 94 5a b1 c5 a5 aa 37 c5 91 9f 2e d1 d5 c6 ff f7 fc b7 84 97 16 94 5a
2b 8c ee 92 58 a3 46 67 7b 6f 00 00 06 13 01 13 03 13 02 01 00 2b 8c ee 92 58 a3 46 67 7b 6f 00 00 06 13 01 13 03 13 02 01 00
00 81 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 81 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01
00 00 0a 00 08 00 06 00 1d 00 17 00 18 00 33 00 26 00 24 00 1d 00 00 0a 00 08 00 06 00 1d 00 17 00 18 00 33 00 26 00 24 00 1d
00 20 e8 e8 e3 f3 b9 3a 25 ed 97 a1 4a 7d ca cb 8a 27 2c 62 88 00 20 e8 e8 e3 f3 b9 3a 25 ed 97 a1 4a 7d ca cb 8a 27 2c 62 88
e5 85 c6 48 4d 05 26 2f ca d0 62 ad 1f 00 2b 00 03 02 03 04 00 e5 85 c6 48 4d 05 26 2f ca d0 62 ad 1f 00 2b 00 03 02 03 04 00
0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01
05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00
1c 00 02 40 01 1c 00 02 40 01
{server} construct a ServerHello handshake message {server} construct a ServerHello handshake message:
ServerHello (176 octets): 02 00 00 ac 03 03 cf 21 ad 74 e5 9a 61 ServerHello (176 octets): 02 00 00 ac 03 03 cf 21 ad 74 e5 9a 61
11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 9e 09 e2 11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 9e 09 e2
c8 a8 33 9c 00 13 01 00 00 84 00 33 00 02 00 17 00 2c 00 74 00 c8 a8 33 9c 00 13 01 00 00 84 00 33 00 02 00 17 00 2c 00 74 00
72 71 dc d0 4b b8 8b c3 18 91 19 39 8a 00 00 00 00 ee fa fc 76 72 71 dc d0 4b b8 8b c3 18 91 19 39 8a 00 00 00 00 ee fa fc 76
c1 46 b8 23 b0 96 f8 aa ca d3 65 dd 00 30 95 3f 4e df 62 56 36 c1 46 b8 23 b0 96 f8 aa ca d3 65 dd 00 30 95 3f 4e df 62 56 36
e5 f2 1b b2 e2 3f cc 65 4b 1b 5b 40 31 8d 10 d1 37 ab cb b8 75 e5 f2 1b b2 e2 3f cc 65 4b 1b 5b 40 31 8d 10 d1 37 ab cb b8 75
74 e3 6e 8a 1f 02 5f 7d fa 5d 6e 50 78 1b 5e da 4a a1 5b 0c 8b 74 e3 6e 8a 1f 02 5f 7d fa 5d 6e 50 78 1b 5e da 4a a1 5b 0c 8b
e7 78 25 7d 16 aa 30 30 e9 e7 84 1d d9 e4 c0 34 22 67 e8 ca 0c e7 78 25 7d 16 aa 30 30 e9 e7 84 1d d9 e4 c0 34 22 67 e8 ca 0c
af 57 1f b2 b7 cf f0 f9 34 b0 00 2b 00 02 03 04 af 57 1f b2 b7 cf f0 f9 34 b0 00 2b 00 02 03 04
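Review bot: the label "ServerHello (176 octets)" on the server's first message relies entirely on the earlier Note to tell the reader this is the HelloRetryRequest, and the section later contains a second "ServerHello (123 octets)" with the same label. The random field here (cf 21 ad 74 ... c8 a8 33 9c) is the fixed HelloRetryRequest value from the TLS 1.3 specification, so a label such as "ServerHello (HelloRetryRequest)" on this line would let someone checking an implementation against the trace tell the two messages apart without scrolling back.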
skipping to change at page 31, line 7 skipping to change at page 31, line 26
{client} create an ephemeral P-256 key pair: {client} create an ephemeral P-256 key pair:
private key (32 octets): ab 54 73 46 7e 19 34 6c eb 0a 04 14 e4 private key (32 octets): ab 54 73 46 7e 19 34 6c eb 0a 04 14 e4
1d a2 1d 4d 24 45 bc 30 25 af e9 7c 4e 8d c8 d5 13 da 39 1d a2 1d 4d 24 45 bc 30 25 af e9 7c 4e 8d c8 d5 13 da 39
public key (65 octets): 04 a6 da 73 92 ec 59 1e 17 ab fd 53 59 64 public key (65 octets): 04 a6 da 73 92 ec 59 1e 17 ab fd 53 59 64
b9 98 94 d1 3b ef b2 21 b3 de f2 eb e3 83 0e ac 8f 01 51 81 26 b9 98 94 d1 3b ef b2 21 b3 de f2 eb e3 83 0e ac 8f 01 51 81 26
77 c4 d6 d2 23 7e 85 cf 01 d6 91 0c fb 83 95 4e 76 ba 73 52 83 77 c4 d6 d2 23 7e 85 cf 01 d6 91 0c fb 83 95 4e 76 ba 73 52 83
05 34 15 98 97 e8 06 57 80 05 34 15 98 97 e8 06 57 80
{client} construct a ClientHello handshake message {client} construct a ClientHello handshake message:
ClientHello (512 octets): 01 00 01 fc 03 03 b0 b1 c5 a5 aa 37 c5 ClientHello (512 octets): 01 00 01 fc 03 03 b0 b1 c5 a5 aa 37 c5
91 9f 2e d1 d5 c6 ff f7 fc b7 84 97 16 94 5a 2b 8c ee 92 58 a3 91 9f 2e d1 d5 c6 ff f7 fc b7 84 97 16 94 5a 2b 8c ee 92 58 a3
46 67 7b 6f 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 46 67 7b 6f 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b
00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 08 00
06 00 1d 00 17 00 18 00 33 00 47 00 45 00 17 00 41 04 a6 da 73 06 00 1d 00 17 00 18 00 33 00 47 00 45 00 17 00 41 04 a6 da 73
92 ec 59 1e 17 ab fd 53 59 64 b9 98 94 d1 3b ef b2 21 b3 de f2 92 ec 59 1e 17 ab fd 53 59 64 b9 98 94 d1 3b ef b2 21 b3 de f2
eb e3 83 0e ac 8f 01 51 81 26 77 c4 d6 d2 23 7e 85 cf 01 d6 91 eb e3 83 0e ac 8f 01 51 81 26 77 c4 d6 d2 23 7e 85 cf 01 d6 91
0c fb 83 95 4e 76 ba 73 52 83 05 34 15 98 97 e8 06 57 80 00 2b 0c fb 83 95 4e 76 ba 73 52 83 05 34 15 98 97 e8 06 57 80 00 2b
00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04
skipping to change at page 33, line 15 skipping to change at page 33, line 31
{server} create an ephemeral P-256 key pair: {server} create an ephemeral P-256 key pair:
private key (32 octets): 8c 51 06 01 f9 76 5b fb 8e d6 93 44 9a private key (32 octets): 8c 51 06 01 f9 76 5b fb 8e d6 93 44 9a
48 98 98 59 b5 cf a8 79 cb 9f 54 43 c4 1c 5f f1 06 34 ed 48 98 98 59 b5 cf a8 79 cb 9f 54 43 c4 1c 5f f1 06 34 ed
public key (65 octets): 04 58 3e 05 4b 7a 66 67 2a e0 20 ad 9d 26 public key (65 octets): 04 58 3e 05 4b 7a 66 67 2a e0 20 ad 9d 26
86 fc c8 5b 5a d4 1a 13 4a 0f 03 ee 72 b8 93 05 2b d8 5b 4c 8d 86 fc c8 5b 5a d4 1a 13 4a 0f 03 ee 72 b8 93 05 2b d8 5b 4c 8d
e6 77 6f 5b 04 ac 07 d8 35 40 ea b3 e3 d9 c5 47 bc 65 28 c4 31 e6 77 6f 5b 04 ac 07 d8 35 40 ea b3 e3 d9 c5 47 bc 65 28 c4 31
7d 29 46 86 09 3a 6c ad 7d 7d 29 46 86 09 3a 6c ad 7d
{server} construct a ServerHello handshake message {server} construct a ServerHello handshake message:
ServerHello (123 octets): 02 00 00 77 03 03 bb 34 1d 84 7f d7 89 ServerHello (123 octets): 02 00 00 77 03 03 bb 34 1d 84 7f d7 89
c4 7c 38 71 72 dc 0c 9b f1 47 fc ca cb 50 43 d8 6c a4 c5 98 d3 c4 7c 38 71 72 dc 0c 9b f1 47 fc ca cb 50 43 d8 6c a4 c5 98 d3
ff 57 1b 98 00 13 01 00 00 4f 00 33 00 45 00 17 00 41 04 58 3e ff 57 1b 98 00 13 01 00 00 4f 00 33 00 45 00 17 00 41 04 58 3e
05 4b 7a 66 67 2a e0 20 ad 9d 26 86 fc c8 5b 5a d4 1a 13 4a 0f 05 4b 7a 66 67 2a e0 20 ad 9d 26 86 fc c8 5b 5a d4 1a 13 4a 0f
03 ee 72 b8 93 05 2b d8 5b 4c 8d e6 77 6f 5b 04 ac 07 d8 35 40 03 ee 72 b8 93 05 2b d8 5b 4c 8d e6 77 6f 5b 04 ac 07 d8 35 40
ea b3 e3 d9 c5 47 bc 65 28 c4 31 7d 29 46 86 09 3a 6c ad 7d 00 ea b3 e3 d9 c5 47 bc 65 28 c4 31 7d 29 46 86 09 3a 6c ad 7d 00
2b 00 02 03 04 2b 00 02 03 04
{server} derive secret for handshake "tls13 derived": {server} derive secret for handshake "tls13 derived":
skipping to change at page 35, line 43 skipping to change at page 36, line 9
key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
key expanded (16 octets): 46 46 bf ac 17 12 c4 26 cd 78 d8 a2 4a key expanded (16 octets): 46 46 bf ac 17 12 c4 26 cd 78 d8 a2 4a
8a 6f 6b 8a 6f 6b
iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
iv expanded (12 octets): c7 d3 95 c0 8d 62 f2 97 d1 37 68 ea iv expanded (12 octets): c7 d3 95 c0 8d 62 f2 97 d1 37 68 ea
{server} construct a EncryptedExtensions handshake message {server} construct an EncryptedExtensions handshake message:
EncryptedExtensions (28 octets): 08 00 00 18 00 16 00 0a 00 08 00 EncryptedExtensions (28 octets): 08 00 00 18 00 16 00 0a 00 08 00
06 00 17 00 18 00 1d 00 1c 00 02 40 01 00 00 00 00 06 00 17 00 18 00 1d 00 1c 00 02 40 01 00 00 00 00
{server} construct a Certificate handshake message {server} construct a Certificate handshake message:
Certificate (445 octets): 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82 Certificate (445 octets): 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82
01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48
86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03
72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17 72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17
0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06
03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7 03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7
0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f
82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26
d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c
skipping to change at page 36, line 24 skipping to change at page 36, line 39
01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06
03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01
01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a
72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea 72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea
e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01
51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be 51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be
c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b
1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8
96 12 29 ac 91 87 b4 2b 4d e1 00 00 96 12 29 ac 91 87 b4 2b 4d e1 00 00
{server} construct a CertificateVerify handshake message {server} construct a CertificateVerify handshake message:
CertificateVerify (136 octets): 0f 00 00 84 08 04 00 80 33 ab 13 CertificateVerify (136 octets): 0f 00 00 84 08 04 00 80 33 ab 13
d4 46 27 07 23 1b 5d ca e6 c8 19 0b 63 d1 da bc 74 f2 8c 39 53 d4 46 27 07 23 1b 5d ca e6 c8 19 0b 63 d1 da bc 74 f2 8c 39 53
70 da 0b 07 e5 b8 30 66 d0 24 6a 31 ac d9 5d f4 75 bf d7 99 a4 70 da 0b 07 e5 b8 30 66 d0 24 6a 31 ac d9 5d f4 75 bf d7 99 a4
a7 0d 33 ad 93 d3 a3 17 a9 b2 c0 d2 37 a5 68 5b 21 9e 77 41 12 a7 0d 33 ad 93 d3 a3 17 a9 b2 c0 d2 37 a5 68 5b 21 9e 77 41 12
e3 91 a2 47 60 7d 1a ef f1 bb d0 a3 9f 38 2e e1 a5 fe 88 ae 99 e3 91 a2 47 60 7d 1a ef f1 bb d0 a3 9f 38 2e e1 a5 fe 88 ae 99
ec 59 22 8e 64 97 e4 5d 48 ce 27 5a 6d 5e f4 0d 16 9f b6 f9 d3 ec 59 22 8e 64 97 e4 5d 48 ce 27 5a 6d 5e f4 0d 16 9f b6 f9 d3
3b 05 2e d3 dc dd 6b 5a 48 ba af ff bc b2 90 12 84 15 bd 38 3b 05 2e d3 dc dd 6b 5a 48 ba af ff bc b2 90 12 84 15 bd 38
{server} calculate finished "tls13 finished": {server} calculate finished "tls13 finished":
skipping to change at page 36, line 50 skipping to change at page 37, line 16
info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
64 00 64 00
expanded (32 octets): e7 f8 bb 3e a4 b6 c3 0c 47 10 b3 d0 9c 33 expanded (32 octets): e7 f8 bb 3e a4 b6 c3 0c 47 10 b3 d0 9c 33
13 65 81 17 e7 0b 09 7e 85 03 68 e2 51 0c a5 63 1f 74 13 65 81 17 e7 0b 09 7e 85 03 68 e2 51 0c a5 63 1f 74
finished (32 octets): 88 63 e6 bf b0 42 0a 92 7f a2 7f 34 33 6a finished (32 octets): 88 63 e6 bf b0 42 0a 92 7f a2 7f 34 33 6a
70 ae 42 6e 96 8e 3e b8 84 94 5b 96 85 6d ba 39 76 d1 70 ae 42 6e 96 8e 3e b8 84 94 5b 96 85 6d ba 39 76 d1
{server} construct a Finished handshake message {server} construct a Finished handshake message:
Finished (36 octets): 14 00 00 20 88 63 e6 bf b0 42 0a 92 7f a2 Finished (36 octets): 14 00 00 20 88 63 e6 bf b0 42 0a 92 7f a2
7f 34 33 6a 70 ae 42 6e 96 8e 3e b8 84 94 5b 96 85 6d ba 39 76 7f 34 33 6a 70 ae 42 6e 96 8e 3e b8 84 94 5b 96 85 6d ba 39 76
d1 d1
{server} send handshake record: {server} send handshake record:
payload (645 octets): 08 00 00 18 00 16 00 0a 00 08 00 06 00 17 payload (645 octets): 08 00 00 18 00 16 00 0a 00 08 00 06 00 17
00 18 00 1d 00 1c 00 02 40 01 00 00 00 00 0b 00 01 b9 00 00 01 00 18 00 1d 00 1c 00 02 40 01 00 00 00 00 0b 00 01 b9 00 00 01
b5 00 01 b0 30 82 01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 b5 00 01 b0 30 82 01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30
0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06
skipping to change at page 41, line 19 skipping to change at page 41, line 32
info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
64 00 64 00
expanded (32 octets): 81 be 41 31 fb b9 b6 f4 47 14 50 84 6f 74 expanded (32 octets): 81 be 41 31 fb b9 b6 f4 47 14 50 84 6f 74
fd 1e 68 c5 22 4b a7 c2 a8 67 7f 5c 53 ad 22 6f dc 13 fd 1e 68 c5 22 4b a7 c2 a8 67 7f 5c 53 ad 22 6f dc 13
finished (32 octets): 23 f5 2f db 07 09 a5 5b d7 f7 9b 99 1f 25 finished (32 octets): 23 f5 2f db 07 09 a5 5b d7 f7 9b 99 1f 25
48 40 87 bc fd 4d 43 80 b1 23 26 a5 2a 28 b2 e3 68 e1 48 40 87 bc fd 4d 43 80 b1 23 26 a5 2a 28 b2 e3 68 e1
{client} construct a Finished handshake message {client} construct a Finished handshake message:
Finished (36 octets): 14 00 00 20 23 f5 2f db 07 09 a5 5b d7 f7 Finished (36 octets): 14 00 00 20 23 f5 2f db 07 09 a5 5b d7 f7
9b 99 1f 25 48 40 87 bc fd 4d 43 80 b1 23 26 a5 2a 28 b2 e3 68 9b 99 1f 25 48 40 87 bc fd 4d 43 80 b1 23 26 a5 2a 28 b2 e3 68
e1 e1
{client} send handshake record: {client} send handshake record:
payload (36 octets): 14 00 00 20 23 f5 2f db 07 09 a5 5b d7 f7 9b payload (36 octets): 14 00 00 20 23 f5 2f db 07 09 a5 5b d7 f7 9b
99 1f 25 48 40 87 bc fd 4d 43 80 b1 23 26 a5 2a 28 b2 e3 68 e1 99 1f 25 48 40 87 bc fd 4d 43 80 b1 23 26 a5 2a 28 b2 e3 68 e1
skipping to change at page 42, line 39 skipping to change at page 43, line 8
{server} send alert record: {server} send alert record:
payload (2 octets): 01 00 payload (2 octets): 01 00
complete record (24 octets): 17 03 03 00 13 51 9f c5 07 5c b0 88 complete record (24 octets): 17 03 03 00 13 51 9f c5 07 5c b0 88
43 49 75 9f f9 ef 6f 01 1b b4 c6 f2 43 49 75 9f f9 ef 6f 01 1b b4 c6 f2
6. Client Authentication 6. Client Authentication
In this example, the server requests client authentication. The In this example, the server requests client authentication. The
client uses a certificate with an RSA key, the server uses an ECDSA client uses a certificate with an RSA key, the server uses an
certificate with a P-256 key. Note that private keys for the Elliptic Curve Digital Signature Algorithm (ECDSA) certificate with a
certificates used this example are not shown. P-256 key. Note that private keys for the certificates used in this
example are not shown.
{client} create an ephemeral x25519 key pair: {client} create an ephemeral x25519 key pair:
private key (32 octets): c0 40 b2 bb 8f 3a dd d2 0f d4 05 8c 54 private key (32 octets): c0 40 b2 bb 8f 3a dd d2 0f d4 05 8c 54
70 03 a3 c6 f9 c1 cd 91 5d 5e 53 5c 87 d8 d1 91 aa f0 71 70 03 a3 c6 f9 c1 cd 91 5d 5e 53 5c 87 d8 d1 91 aa f0 71
public key (32 octets): 08 9c c2 67 1f 73 8d 9a 67 1e 5b 2e 46 49 public key (32 octets): 08 9c c2 67 1f 73 8d 9a 67 1e 5b 2e 46 49
81 d0 5b 76 e3 61 aa 22 ae a9 1f 1d 49 ca 10 a7 a3 62 81 d0 5b 76 e3 61 aa 22 ae a9 1f 1d 49 ca 10 a7 a3 62
{client} construct a ClientHello handshake message {client} construct a ClientHello handshake message:
ClientHello (192 octets): 01 00 00 bc 03 03 6a 47 22 36 32 8b 83 ClientHello (192 octets): 01 00 00 bc 03 03 6a 47 22 36 32 8b 83
af 40 38 6d 3a 3e 1f 1c e6 24 fa 4e d8 9a b8 65 a4 ff 0f 41 44 af 40 38 6d 3a 3e 1f 1c e6 24 fa 4e d8 9a b8 65 a4 ff 0f 41 44
ce 3a e2 33 00 00 06 13 01 13 03 13 02 01 00 00 8d 00 00 00 0b ce 3a e2 33 00 00 06 13 01 13 03 13 02 01 00 00 8d 00 00 00 0b
00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 00 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00
12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33
00 26 00 24 00 1d 00 20 08 9c c2 67 1f 73 8d 9a 67 1e 5b 2e 46 00 26 00 24 00 1d 00 20 08 9c c2 67 1f 73 8d 9a 67 1e 5b 2e 46
49 81 d0 5b 76 e3 61 aa 22 ae a9 1f 1d 49 ca 10 a7 a3 62 00 2b 49 81 d0 5b 76 e3 61 aa 22 ae a9 1f 1d 49 ca 10 a7 a3 62 00 2b
00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04
08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00
2d 00 02 01 01 00 1c 00 02 40 01 2d 00 02 01 01 00 1c 00 02 40 01
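Review bot: the rewritten Section 6 introduction still joins two independent clauses with a comma ("The client uses a certificate with an RSA key, the server uses an Elliptic Curve Digital Signature Algorithm (ECDSA) certificate ..."); use "and the server uses" or a semicolon. The expansion of ECDSA and the "used in this example" fix are fine, but the trace label below keeps the lowercase "x25519", which is worth aligning with the "X25519" spelling used in the Section 5 prose.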
skipping to change at page 44, line 11 skipping to change at page 44, line 27
e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a
{server} create an ephemeral x25519 key pair: {server} create an ephemeral x25519 key pair:
private key (32 octets): 73 82 a5 ad 1c dd 20 56 ae 18 cc 70 8b private key (32 octets): 73 82 a5 ad 1c dd 20 56 ae 18 cc 70 8b
d0 07 d9 81 30 db e2 cd 4d 9e ad 9b 96 95 2b ec bb 08 88 d0 07 d9 81 30 db e2 cd 4d 9e ad 9b 96 95 2b ec bb 08 88
public key (32 octets): 6c 2e 50 e8 65 91 9a 6b 5a 12 df af 91 8f public key (32 octets): 6c 2e 50 e8 65 91 9a 6b 5a 12 df af 91 8f
92 b4 42 56 7b 0f 89 bc 54 47 8c 69 21 36 66 58 f0 62 92 b4 42 56 7b 0f 89 bc 54 47 8c 69 21 36 66 58 f0 62
{server} construct a ServerHello handshake message {server} construct a ServerHello handshake message:
ServerHello (90 octets): 02 00 00 56 03 03 3b 50 fd f1 c3 d5 72 ServerHello (90 octets): 02 00 00 56 03 03 3b 50 fd f1 c3 d5 72
e4 0e 68 95 3e 7f ff 4e 27 58 45 9c 59 af a0 58 2c 0e a0 32 87 e4 0e 68 95 3e 7f ff 4e 27 58 45 9c 59 af a0 58 2c 0e a0 32 87
42 55 fe 6e 00 13 01 00 00 2e 00 33 00 24 00 1d 00 20 6c 2e 50 42 55 fe 6e 00 13 01 00 00 2e 00 33 00 24 00 1d 00 20 6c 2e 50
e8 65 91 9a 6b 5a 12 df af 91 8f 92 b4 42 56 7b 0f 89 bc 54 47 e8 65 91 9a 6b 5a 12 df af 91 8f 92 b4 42 56 7b 0f 89 bc 54 47
8c 69 21 36 66 58 f0 62 00 2b 00 02 03 04 8c 69 21 36 66 58 f0 62 00 2b 00 02 03 04
{server} derive secret for handshake "tls13 derived": {server} derive secret for handshake "tls13 derived":
PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
skipping to change at page 46, line 33 skipping to change at page 47, line 5
key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
key expanded (16 octets): 6c b6 e6 06 19 d8 c7 35 5c 5d 4c 4b c2 key expanded (16 octets): 6c b6 e6 06 19 d8 c7 35 5c 5d 4c 4b c2
be 90 d5 be 90 d5
iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
iv expanded (12 octets): 64 f2 39 53 0c 3b 88 8f de 85 e0 be iv expanded (12 octets): 64 f2 39 53 0c 3b 88 8f de 85 e0 be
{server} construct a EncryptedExtensions handshake message {server} construct an EncryptedExtensions handshake message:
EncryptedExtensions (40 octets): 08 00 00 24 00 22 00 0a 00 14 00 EncryptedExtensions (40 octets): 08 00 00 24 00 22 00 0a 00 14 00
12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c
00 02 40 01 00 00 00 00 00 02 40 01 00 00 00 00
{server} construct a CertificateRequest handshake message {server} construct a CertificateRequest handshake message:
CertificateRequest (43 octets): 0d 00 00 27 00 00 24 00 0d 00 20 CertificateRequest (43 octets): 0d 00 00 27 00 00 24 00 0d 00 20
00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06
01 02 01 04 02 05 02 06 02 02 02 01 02 01 04 02 05 02 06 02 02 02
{server} construct a Certificate handshake message {server} construct a Certificate handshake message:
Certificate (319 octets): 0b 00 01 3b 00 00 01 37 00 01 32 30 82 Certificate (319 octets): 0b 00 01 3b 00 00 01 37 00 01 32 30 82
01 2e 30 81 d5 a0 03 02 01 02 02 01 07 30 0a 06 08 2a 86 48 ce 01 2e 30 81 d5 a0 03 02 01 02 02 01 07 30 0a 06 08 2a 86 48 ce
3d 04 03 02 30 13 31 11 30 0f 06 03 55 04 03 13 08 65 63 64 73 3d 04 03 02 30 13 31 11 30 0f 06 03 55 04 03 13 08 65 63 64 73
61 32 35 36 30 1e 17 0d 31 36 30 37 33 30 30 31 32 34 30 30 5a 61 32 35 36 30 1e 17 0d 31 36 30 37 33 30 30 31 32 34 30 30 5a
17 0d 32 36 30 37 33 30 30 31 32 34 30 30 5a 30 13 31 11 30 0f 17 0d 32 36 30 37 33 30 30 31 32 34 30 30 5a 30 13 31 11 30 0f
06 03 55 04 03 13 08 65 63 64 73 61 32 35 36 30 59 30 13 06 07 06 03 55 04 03 13 08 65 63 64 73 61 32 35 36 30 59 30 13 06 07
2a 86 48 ce 3d 02 01 06 08 2a 86 48 ce 3d 03 01 07 03 42 00 04 2a 86 48 ce 3d 02 01 06 08 2a 86 48 ce 3d 03 01 07 03 42 00 04
08 d5 30 16 15 75 f4 cf e7 f1 54 ee 34 48 18 00 86 00 1e 88 43 08 d5 30 16 15 75 f4 cf e7 f1 54 ee 34 48 18 00 86 00 1e 88 43
1a 79 ee 62 ee 6e 2f 83 ef 38 ba 61 e9 fb 37 f3 4e 00 7a 7d f4 1a 79 ee 62 ee 6e 2f 83 ef 38 ba 61 e9 fb 37 f3 4e 00 7a 7d f4
d2 f5 b5 6d 1f 04 ec e4 5d 62 1f 46 84 06 f5 c3 a1 51 58 94 8d d2 f5 b5 6d 1f 04 ec e4 5d 62 1f 46 84 06 f5 c3 a1 51 58 94 8d
d0 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 d0 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55
1d 0f 04 04 03 02 07 80 30 0a 06 08 2a 86 48 ce 3d 04 03 02 03 1d 0f 04 04 03 02 07 80 30 0a 06 08 2a 86 48 ce 3d 04 03 02 03
48 00 30 45 02 21 00 df 30 fd 45 07 f5 ed d2 2c 1a 6f f8 6d b4 48 00 30 45 02 21 00 df 30 fd 45 07 f5 ed d2 2c 1a 6f f8 6d b4
79 ca 69 3f ee ca 3b 71 b3 f9 ef 55 6b 29 37 c0 59 4d 02 20 62 79 ca 69 3f ee ca 3b 71 b3 f9 ef 55 6b 29 37 c0 59 4d 02 20 62
e2 a4 72 50 d3 20 fe a8 3c 7e 2d cb 5b 76 a5 0e 02 00 c0 9a db e2 a4 72 50 d3 20 fe a8 3c 7e 2d cb 5b 76 a5 0e 02 00 c0 9a db
d1 3f ee 94 6e 51 3e 01 1d 11 00 00 d1 3f ee 94 6e 51 3e 01 1d 11 00 00
{server} construct a CertificateVerify handshake message {server} construct a CertificateVerify handshake message:
CertificateVerify (79 octets): 0f 00 00 4b 04 03 00 47 30 45 02 CertificateVerify (79 octets): 0f 00 00 4b 04 03 00 47 30 45 02
21 00 d7 a4 d3 4b d5 4f 55 fe e1 a8 96 25 67 8c 3d d5 e5 f6 0d 21 00 d7 a4 d3 4b d5 4f 55 fe e1 a8 96 25 67 8c 3d d5 e5 f6 0d
ac 73 ec 94 0c 5c 7b 93 04 a0 20 84 a9 02 20 28 9f 59 5e d4 88 ac 73 ec 94 0c 5c 7b 93 04 a0 20 84 a9 02 20 28 9f 59 5e d4 88
b9 ac 68 9a 3d 19 2b 1a 8b b3 8f 34 af 78 74 c0 59 c9 80 6a 1f b9 ac 68 9a 3d 19 2b 1a 8b b3 8f 34 af 78 74 c0 59 c9 80 6a 1f
38 26 93 53 e8 38 26 93 53 e8
{server} calculate finished "tls13 finished": {server} calculate finished "tls13 finished":
PRK (32 octets): 8b 02 d3 c0 04 42 a2 72 2c 40 98 eb e8 67 5b 23 PRK (32 octets): 8b 02 d3 c0 04 42 a2 72 2c 40 98 eb e8 67 5b 23
skipping to change at page 47, line 39 skipping to change at page 48, line 11
info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
64 00 64 00
expanded (32 octets): 4e 79 5c de 23 9d 5e 19 0e ae 44 1b 9e 71 expanded (32 octets): 4e 79 5c de 23 9d 5e 19 0e ae 44 1b 9e 71
6e eb 13 85 49 05 8c db 76 fa 9a ee af 54 8a ef 56 3e 6e eb 13 85 49 05 8c db 76 fa 9a ee af 54 8a ef 56 3e
finished (32 octets): 93 b7 0c df 47 81 98 5b 96 34 5c aa c7 01 finished (32 octets): 93 b7 0c df 47 81 98 5b 96 34 5c aa c7 01
b4 e7 50 d3 04 2d f1 a6 89 d8 fa ca 81 22 51 11 3c 11 b4 e7 50 d3 04 2d f1 a6 89 d8 fa ca 81 22 51 11 3c 11
{server} construct a Finished handshake message {server} construct a Finished handshake message:
Finished (36 octets): 14 00 00 20 93 b7 0c df 47 81 98 5b 96 34 Finished (36 octets): 14 00 00 20 93 b7 0c df 47 81 98 5b 96 34
5c aa c7 01 b4 e7 50 d3 04 2d f1 a6 89 d8 fa ca 81 22 51 11 3c 5c aa c7 01 b4 e7 50 d3 04 2d f1 a6 89 d8 fa ca 81 22 51 11 3c
11 11
{server} send handshake record: {server} send handshake record:
payload (517 octets): 08 00 00 24 00 22 00 0a 00 14 00 12 00 1d payload (517 octets): 08 00 00 24 00 22 00 0a 00 14 00 12 00 1d
00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 00 02 40 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 00 02 40
01 00 00 00 00 0d 00 00 27 00 00 24 00 0d 00 20 00 1e 04 03 05 01 00 00 00 00 0d 00 00 27 00 00 24 00 0d 00 20 00 1e 04 03 05
skipping to change at page 51, line 27 skipping to change at page 51, line 47
{client} derive secret "tls13 s ap traffic" (same as server) {client} derive secret "tls13 s ap traffic" (same as server)
{client} derive secret "tls13 exp master" (same as server) {client} derive secret "tls13 exp master" (same as server)
{client} derive write traffic keys for handshake data (same as {client} derive write traffic keys for handshake data (same as
server handshake data read traffic keys) server handshake data read traffic keys)
{client} derive read traffic keys for application data (same as {client} derive read traffic keys for application data (same as
server application data write traffic keys) server application data write traffic keys)
{client} construct a Certificate handshake message {client} construct a Certificate handshake message:
Certificate (451 octets): 0b 00 01 bf 00 00 01 bb 00 01 b6 30 82 Certificate (451 octets): 0b 00 01 bf 00 00 01 bb 00 01 b6 30 82
01 b2 30 82 01 1b a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 01 b2 30 82 01 1b a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48
86 f7 0d 01 01 0b 05 00 30 11 31 0f 30 0d 06 03 55 04 03 13 06 86 f7 0d 01 01 0b 05 00 30 11 31 0f 30 0d 06 03 55 04 03 13 06
63 6c 69 65 6e 74 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 63 6c 69 65 6e 74 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35
39 5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 11 31 0f 39 5a 17 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 11 31 0f
30 0d 06 03 55 04 03 13 06 63 6c 69 65 6e 74 30 81 9f 30 0d 06 30 0d 06 03 55 04 03 13 06 63 6c 69 65 6e 74 30 81 9f 30 0d 06
09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81
81 00 c3 81 75 e0 04 a6 8d 09 3f 82 3b 9c 37 9d 20 1f bc 0b b7 81 00 c3 81 75 e0 04 a6 8d 09 3f 82 3b 9c 37 9d 20 1f bc 0b b7
a1 c7 91 90 5e 3f bf 76 84 7e 44 e7 51 eb bc d3 60 bd 94 5c 81 a1 c7 91 90 5e 3f bf 76 84 7e 44 e7 51 eb bc d3 60 bd 94 5c 81
skipping to change at page 52, line 5 skipping to change at page 52, line 24
e0 28 42 01 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 e0 28 42 01 02 03 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04
02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 07 80 30 0d 06 09 2a 02 30 00 30 0b 06 03 55 1d 0f 04 04 03 02 07 80 30 0d 06 09 2a
86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 1a 7a 5a 01 85 32 b0 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 1a 7a 5a 01 85 32 b0
22 af 07 67 d4 86 16 0c ff 2d 16 7a 19 15 d2 38 35 b5 45 94 91 22 af 07 67 d4 86 16 0c ff 2d 16 7a 19 15 d2 38 35 b5 45 94 91
6d c6 80 be 5d 2e 62 60 76 c5 d5 27 22 eb cc 77 5d 7d 99 f9 80 6d c6 80 be 5d 2e 62 60 76 c5 d5 27 22 eb cc 77 5d 7d 99 f9 80
be 2f c9 4d 34 ac f6 cc 00 ba 90 cb cf b0 60 8a a1 e7 e3 97 1e be 2f c9 4d 34 ac f6 cc 00 ba 90 cb cf b0 60 8a a1 e7 e3 97 1e
f0 c0 7a 41 d4 7a d8 34 5d 1f 81 fe 41 8a 1c f4 10 54 42 9f d2 f0 c0 7a 41 d4 7a d8 34 5d 1f 81 fe 41 8a 1c f4 10 54 42 9f d2
17 bd 77 7d c1 cf 08 f0 5d f9 07 99 c6 59 36 1e 0f 1a 8e e4 ac 17 bd 77 7d c1 cf 08 f0 5d f9 07 99 c6 59 36 1e 0f 1a 8e e4 ac
0f 78 97 42 0b db c8 23 da 80 a2 f2 ba 23 08 1c 00 00 0f 78 97 42 0b db c8 23 da 80 a2 f2 ba 23 08 1c 00 00
{client} construct a CertificateVerify handshake message {client} construct a CertificateVerify handshake message:
CertificateVerify (136 octets): 0f 00 00 84 08 04 00 80 18 6b 22 CertificateVerify (136 octets): 0f 00 00 84 08 04 00 80 18 6b 22
23 b5 03 a7 59 c3 5d ba 0e 97 21 b4 b5 79 13 8d 5f 0f 5e 6e c7 23 b5 03 a7 59 c3 5d ba 0e 97 21 b4 b5 79 13 8d 5f 0f 5e 6e c7
fe aa f2 7f 3a d7 f3 86 c2 c7 bd 7c b2 be 52 fb f5 ed 83 93 f4 fe aa f2 7f 3a d7 f3 86 c2 c7 bd 7c b2 be 52 fb f5 ed 83 93 f4
06 ee 79 36 96 92 ec 7a c6 95 65 1d 85 82 19 e6 72 a8 eb 7b 2a 06 ee 79 36 96 92 ec 7a c6 95 65 1d 85 82 19 e6 72 a8 eb 7b 2a
67 7b 64 0b 46 ab 63 0e dc 5f 3f 2f 82 72 b9 c0 d9 06 f8 1f 84 67 7b 64 0b 46 ab 63 0e dc 5f 3f 2f 82 72 b9 c0 d9 06 f8 1f 84
dd c5 b8 c7 bc f9 55 c7 8a 3c f9 9e 50 16 f7 3e 04 eb 7d fc b2 dd c5 b8 c7 bc f9 55 c7 8a 3c f9 9e 50 16 f7 3e 04 eb 7d fc b2
88 33 f1 3e 8f 75 ec 2f f3 58 1e 2f 09 8a d4 15 7f d6 d6 ad 88 33 f1 3e 8f 75 ec 2f f3 58 1e 2f 09 8a d4 15 7f d6 d6 ad
{client} calculate finished "tls13 finished": {client} calculate finished "tls13 finished":
skipping to change at page 52, line 31 skipping to change at page 53, line 5
info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
64 00 64 00
expanded (32 octets): 4f dd d7 6b bc b8 e3 0c 72 61 b1 db 40 1b expanded (32 octets): 4f dd d7 6b bc b8 e3 0c 72 61 b1 db 40 1b
b1 36 ed 39 bc e6 a4 81 5a 21 24 47 6e 27 e6 cb cb f6 b1 36 ed 39 bc e6 a4 81 5a 21 24 47 6e 27 e6 cb cb f6
finished (32 octets): 9a fe 2b a2 f6 3a 09 d2 29 d8 a4 29 e5 b3 finished (32 octets): 9a fe 2b a2 f6 3a 09 d2 29 d8 a4 29 e5 b3
7f fd 9f cc 73 bd b5 91 1b 82 42 59 72 aa 28 92 44 0f 7f fd 9f cc 73 bd b5 91 1b 82 42 59 72 aa 28 92 44 0f
{client} construct a Finished handshake message {client} construct a Finished handshake message:
Finished (36 octets): 14 00 00 20 9a fe 2b a2 f6 3a 09 d2 29 d8 Finished (36 octets): 14 00 00 20 9a fe 2b a2 f6 3a 09 d2 29 d8
a4 29 e5 b3 7f fd 9f cc 73 bd b5 91 1b 82 42 59 72 aa 28 92 44 a4 29 e5 b3 7f fd 9f cc 73 bd b5 91 1b 82 42 59 72 aa 28 92 44
0f 0f
{client} send handshake record: {client} send handshake record:
payload (623 octets): 0b 00 01 bf 00 00 01 bb 00 01 b6 30 82 01 payload (623 octets): 0b 00 01 bf 00 00 01 bb 00 01 b6 30 82 01
b2 30 82 01 1b a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86 b2 30 82 01 1b a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86
f7 0d 01 01 0b 05 00 30 11 31 0f 30 0d 06 03 55 04 03 13 06 63 f7 0d 01 01 0b 05 00 30 11 31 0f 30 0d 06 03 55 04 03 13 06 63
skipping to change at page 55, line 24 skipping to change at page 55, line 47
[TLS13]. [TLS13].
{client} create an ephemeral x25519 key pair: {client} create an ephemeral x25519 key pair:
private key (32 octets): de a0 0b 45 69 5d c7 81 f1 9d 34 a6 2c private key (32 octets): de a0 0b 45 69 5d c7 81 f1 9d 34 a6 2c
1a fd 31 ab 43 69 af 1e 85 5a 3b bb 25 8d 84 42 cd e6 d7 1a fd 31 ab 43 69 af 1e 85 5a 3b bb 25 8d 84 42 cd e6 d7
public key (32 octets): 8e 72 92 cf 30 56 db b0 d2 5f cb e5 5c 10 public key (32 octets): 8e 72 92 cf 30 56 db b0 d2 5f cb e5 5c 10
7d c9 bb f8 3d d9 70 8f 39 20 3b a3 41 24 9a 7d 9b 63 7d c9 bb f8 3d d9 70 8f 39 20 3b a3 41 24 9a 7d 9b 63
{client} construct a ClientHello handshake message {client} construct a ClientHello handshake message:
ClientHello (224 octets): 01 00 00 dc 03 03 4e 64 0a 3f 2c 27 38 ClientHello (224 octets): 01 00 00 dc 03 03 4e 64 0a 3f 2c 27 38
f0 9c 94 18 bd 78 ed cc d7 55 9d 05 31 19 92 76 d4 d9 2a 0e 9e f0 9c 94 18 bd 78 ed cc d7 55 9d 05 31 19 92 76 d4 d9 2a 0e 9e
e9 d7 7d 09 20 a8 0c 16 55 81 a8 e0 d0 6c 00 18 d5 4d 3a 06 dd e9 d7 7d 09 20 a8 0c 16 55 81 a8 e0 d0 6c 00 18 d5 4d 3a 06 dd
32 cf d4 05 1e b0 26 fa d3 fd 0b a9 92 69 e6 ef 00 06 13 01 13 32 cf d4 05 1e b0 26 fa d3 fd 0b a9 92 69 e6 ef 00 06 13 01 13
03 13 02 01 00 00 8d 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 03 13 02 01 00 00 8d 00 00 00 0b 00 09 00 00 06 73 65 72 76 65
72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01
00 01 01 01 02 01 03 01 04 00 33 00 26 00 24 00 1d 00 20 8e 72 00 01 01 01 02 01 03 01 04 00 33 00 26 00 24 00 1d 00 20 8e 72
92 cf 30 56 db b0 d2 5f cb e5 5c 10 7d c9 bb f8 3d d9 70 8f 39 92 cf 30 56 db b0 d2 5f cb e5 5c 10 7d c9 bb f8 3d d9 70 8f 39
20 3b a3 41 24 9a 7d 9b 63 00 2b 00 03 02 03 04 00 0d 00 20 00 20 3b a3 41 24 9a 7d 9b 63 00 2b 00 03 02 03 04 00 0d 00 20 00
skipping to change at page 56, line 36 skipping to change at page 57, line 13
e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a
{server} create an ephemeral x25519 key pair: {server} create an ephemeral x25519 key pair:
private key (32 octets): 01 7c 38 a3 64 79 21 ca 2d 9e d6 bd 7a private key (32 octets): 01 7c 38 a3 64 79 21 ca 2d 9e d6 bd 7a
e7 13 2b 94 21 1b 13 31 bb 20 8c 8c cd d5 15 56 40 99 95 e7 13 2b 94 21 1b 13 31 bb 20 8c 8c cd d5 15 56 40 99 95
public key (32 octets): 3e 30 f0 f4 ba 55 1a fd 62 76 83 41 17 5f public key (32 octets): 3e 30 f0 f4 ba 55 1a fd 62 76 83 41 17 5f
52 65 e4 da f0 c8 84 16 17 aa 4f af dd 21 42 32 0c 22 52 65 e4 da f0 c8 84 16 17 aa 4f af dd 21 42 32 0c 22
{server} construct a ServerHello handshake message {server} construct a ServerHello handshake message:
ServerHello (122 octets): 02 00 00 76 03 03 e5 dd 59 48 c4 35 f7 ServerHello (122 octets): 02 00 00 76 03 03 e5 dd 59 48 c4 35 f7
a3 8f 0f 01 30 70 8d c3 22 d9 df 09 ab d4 83 81 17 c1 83 a7 bb a3 8f 0f 01 30 70 8d c3 22 d9 df 09 ab d4 83 81 17 c1 83 a7 bb
6d 99 4f 2c 20 a8 0c 16 55 81 a8 e0 d0 6c 00 18 d5 4d 3a 06 dd 6d 99 4f 2c 20 a8 0c 16 55 81 a8 e0 d0 6c 00 18 d5 4d 3a 06 dd
32 cf d4 05 1e b0 26 fa d3 fd 0b a9 92 69 e6 ef 13 01 00 00 2e 32 cf d4 05 1e b0 26 fa d3 fd 0b a9 92 69 e6 ef 13 01 00 00 2e
00 33 00 24 00 1d 00 20 3e 30 f0 f4 ba 55 1a fd 62 76 83 41 17 00 33 00 24 00 1d 00 20 3e 30 f0 f4 ba 55 1a fd 62 76 83 41 17
5f 52 65 e4 da f0 c8 84 16 17 aa 4f af dd 21 42 32 0c 22 00 2b 5f 52 65 e4 da f0 c8 84 16 17 aa 4f af dd 21 42 32 0c 22 00 2b
00 02 03 04 00 02 03 04
{server} send handshake record: {server} send handshake record:
skipping to change at page 59, line 22 skipping to change at page 59, line 48
key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00 key info (13 octets): 00 10 09 74 6c 73 31 33 20 6b 65 79 00
key expanded (16 octets): 04 10 91 fd ab 29 f2 c8 ab fb 15 6d c5 key expanded (16 octets): 04 10 91 fd ab 29 f2 c8 ab fb 15 6d c5
fc 8d 54 fc 8d 54
iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00 iv info (12 octets): 00 0c 08 74 6c 73 31 33 20 69 76 00
iv expanded (12 octets): 74 64 d7 91 68 5d e0 59 98 fc ba db iv expanded (12 octets): 74 64 d7 91 68 5d e0 59 98 fc ba db
{server} construct a EncryptedExtensions handshake message {server} construct an EncryptedExtensions handshake message:
EncryptedExtensions (40 octets): 08 00 00 24 00 22 00 0a 00 14 00 EncryptedExtensions (40 octets): 08 00 00 24 00 22 00 0a 00 14 00
12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c
00 02 40 01 00 00 00 00 00 02 40 01 00 00 00 00
{server} construct a Certificate handshake message {server} construct a Certificate handshake message:
Certificate (445 octets): 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82 Certificate (445 octets): 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82
01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48
86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03
72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17 72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17
0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06 0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06
03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7 03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7
0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f
82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26
d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c
skipping to change at page 60, line 5 skipping to change at page 60, line 30
01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06
03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01
01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a
72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea 72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea
e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01
51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be 51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be
c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b
1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8
96 12 29 ac 91 87 b4 2b 4d e1 00 00 96 12 29 ac 91 87 b4 2b 4d e1 00 00
{server} construct a CertificateVerify handshake message {server} construct a CertificateVerify handshake message:
CertificateVerify (136 octets): 0f 00 00 84 08 04 00 80 a2 30 1a CertificateVerify (136 octets): 0f 00 00 84 08 04 00 80 a2 30 1a
68 dd 1c ee e6 93 8f e9 d4 0c 46 b9 20 1b 34 d5 99 52 a3 7e 06 68 dd 1c ee e6 93 8f e9 d4 0c 46 b9 20 1b 34 d5 99 52 a3 7e 06
52 3a 39 cf 8b a6 c9 c8 b6 8a e9 44 92 af 78 05 16 ed 7b 73 c8 52 3a 39 cf 8b a6 c9 c8 b6 8a e9 44 92 af 78 05 16 ed 7b 73 c8
28 12 e9 9d d3 fa be a4 5e 09 d9 c6 84 87 21 c2 80 8c 61 50 1b 28 12 e9 9d d3 fa be a4 5e 09 d9 c6 84 87 21 c2 80 8c 61 50 1b
0c 75 e7 fc ab a5 f7 8b ef 68 a2 c2 b6 9b 19 55 8b 3e 40 38 7e 0c 75 e7 fc ab a5 f7 8b ef 68 a2 c2 b6 9b 19 55 8b 3e 40 38 7e
ea 93 d2 5c 77 81 c1 cc 00 e9 f5 19 f7 e2 e4 ad b7 3e 76 d6 60 ea 93 d2 5c 77 81 c1 cc 00 e9 f5 19 f7 e2 e4 ad b7 3e 76 d6 60
89 00 0a 2d c8 66 c2 ed 30 bb a5 0a 0d 45 7f 19 dc 6e b9 f3 89 00 0a 2d c8 66 c2 ed 30 bb a5 0a 0d 45 7f 19 dc 6e b9 f3
{server} calculate finished "tls13 finished": {server} calculate finished "tls13 finished":
skipping to change at page 60, line 31 skipping to change at page 61, line 8
info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
64 00 64 00
expanded (32 octets): 2c 9f 72 f2 7b 81 e7 df 66 8c ac cd 49 37 expanded (32 octets): 2c 9f 72 f2 7b 81 e7 df 66 8c ac cd 49 37
1f 12 86 d4 11 e1 6c 8c cc 1c 0d 9a ed 72 cb bd c0 80 1f 12 86 d4 11 e1 6c 8c cc 1c 0d 9a ed 72 cb bd c0 80
finished (32 octets): c8 c3 a8 f1 bf f5 27 40 61 f4 bc 3a 7c af finished (32 octets): c8 c3 a8 f1 bf f5 27 40 61 f4 bc 3a 7c af
fb dc 96 16 09 4c a6 25 ca a6 5f 8e 76 ed 46 db 74 d3 fb dc 96 16 09 4c a6 25 ca a6 5f 8e 76 ed 46 db 74 d3
{server} construct a Finished handshake message {server} construct a Finished handshake message:
Finished (36 octets): 14 00 00 20 c8 c3 a8 f1 bf f5 27 40 61 f4 Finished (36 octets): 14 00 00 20 c8 c3 a8 f1 bf f5 27 40 61 f4
bc 3a 7c af fb dc 96 16 09 4c a6 25 ca a6 5f 8e 76 ed 46 db 74 bc 3a 7c af fb dc 96 16 09 4c a6 25 ca a6 5f 8e 76 ed 46 db 74
d3 d3
{server} send handshake record: {server} send handshake record:
payload (657 octets): 08 00 00 24 00 22 00 0a 00 14 00 12 00 1d payload (657 octets): 08 00 00 24 00 22 00 0a 00 14 00 12 00 1d
00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 00 02 40 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 00 02 40
01 00 00 00 00 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30 01 00 00 00 00 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30
skipping to change at page 65, line 8 skipping to change at page 65, line 32
info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65 info (18 octets): 00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
64 00 64 00
expanded (32 octets): 77 34 1a bc 8c 0f fa b5 18 07 36 71 3e 41 expanded (32 octets): 77 34 1a bc 8c 0f fa b5 18 07 36 71 3e 41
d2 f6 65 c4 10 a4 04 c8 c2 1e dc d9 48 a4 44 0f d8 0c d2 f6 65 c4 10 a4 04 c8 c2 1e dc d9 48 a4 44 0f d8 0c
finished (32 octets): 69 2c ab 15 5c c6 c1 00 ea d6 07 33 d0 61 finished (32 octets): 69 2c ab 15 5c c6 c1 00 ea d6 07 33 d0 61
7f 6f b0 9b 71 aa 1e 8c 9a cc bb bc 9e 8e d3 36 c1 dd 7f 6f b0 9b 71 aa 1e 8c 9a cc bb bc 9e 8e d3 36 c1 dd
{client} construct a Finished handshake message {client} construct a Finished handshake message:
Finished (36 octets): 14 00 00 20 69 2c ab 15 5c c6 c1 00 ea d6 Finished (36 octets): 14 00 00 20 69 2c ab 15 5c c6 c1 00 ea d6
07 33 d0 61 7f 6f b0 9b 71 aa 1e 8c 9a cc bb bc 9e 8e d3 36 c1 07 33 d0 61 7f 6f b0 9b 71 aa 1e 8c 9a cc bb bc 9e 8e d3 36 c1
dd dd
{client} send handshake record: {client} send handshake record:
payload (36 octets): 14 00 00 20 69 2c ab 15 5c c6 c1 00 ea d6 07 payload (36 octets): 14 00 00 20 69 2c ab 15 5c c6 c1 00 ea d6 07
33 d0 61 7f 6f b0 9b 71 aa 1e 8c 9a cc bb bc 9e 8e d3 36 c1 dd 33 d0 61 7f 6f b0 9b 71 aa 1e 8c 9a cc bb bc 9e 8e d3 36 c1 dd
skipping to change at page 66, line 28 skipping to change at page 67, line 7
{server} send alert record: {server} send alert record:
payload (2 octets): 01 00 payload (2 octets): 01 00
complete record (24 octets): 17 03 03 00 13 b7 25 7b 0f ec af 69 complete record (24 octets): 17 03 03 00 13 b7 25 7b 0f ec af 69
d4 f0 9e 3f 89 1e 2a 25 d1 e2 88 45 d4 f0 9e 3f 89 1e 2a 25 d1 e2 88 45
8. Security Considerations 8. Security Considerations
It probably isn't a good idea to use the private key here. If it It probably isn't a good idea to use the private key included in this
weren't for the fact that it is too small to provide any meaningful document. In addition to the fact that it is too small to provide
security, it is now very well known. any meaningful security, it is now very well known.
9. IANA Considerations 9. IANA Considerations
This document makes no requests of IANA. This document has no IANA actions.
10. References 10. References
10.1. Normative References 10.1. Normative References
[TLS13] Rescorla, E., "The Transport Layer Security (TLS) Protocol [TLS13] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
10.2. Informative References 10.2. Informative References
[FIPS186] National Institute of Standards and Technology (NIST), [FIPS.186-4.2013]
"Digital Signature Standard (DSS)", NIST PUB 186-4 , July National Institute of Standards and Technology, "Digital
2013. Signature Standard (DSS)", FIPS 186-4,
DOI 10.6028/NIST.FIPS.186-4, July 2013,
<https://nvlpubs.nist.gov/nistpubs/fips/
nist.fips.186-4.pdf>.
[NSS] Mozilla, "Network Security Services", November 2018,
<https://developer.mozilla.org/en-US/docs/Mozilla/
Projects/NSS>.
[RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
Key Derivation Function (HKDF)", RFC 5869, Key Derivation Function (HKDF)", RFC 5869,
DOI 10.17487/RFC5869, May 2010, DOI 10.17487/RFC5869, May 2010,
<https://www.rfc-editor.org/info/rfc5869>. <https://www.rfc-editor.org/info/rfc5869>.
[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves [RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves
for Security", RFC 7748, DOI 10.17487/RFC7748, January for Security", RFC 7748, DOI 10.17487/RFC7748, January
2016, <https://www.rfc-editor.org/info/rfc7748>. 2016, <https://www.rfc-editor.org/info/rfc7748>.
10.3. URIs Acknowledgements
[1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
Appendix A. Acknowledgements
This draft is generated using tests that were written for NSS [1]. This document was generated using tests that were written for Network
None of this would have been possible without Franziskus Kiefer, Eric Security Services [NSS]. None of this would have been possible
Rescorla and Tim Taubert, who did a lot of the work in NSS. without Franziskus Kiefer, Eric Rescorla, and Tim Taubert, all of
whom did a lot of the work in NSS.
Author's Address Author's Address
Martin Thomson Martin Thomson
Mozilla Mozilla
Email: martin.thomson@gmail.com Email: martin.thomson@gmail.com
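Review bot: Section 8 (Security Considerations) still refers to "the private key" in the singular after the rewording, but the traces publish more than one kind of private value: the RSA key behind the CertificateVerify messages (scheme 08 04 with a 00 80, i.e. 128-octet, signature) and every ephemeral x25519 private key printed under "create an ephemeral x25519 key pair". The "too small to provide any meaningful security" clause fits only the RSA key, while "now very well known" applies to all of them. Suggest "the private keys included in this document", with the size remark scoped to the RSA key, so that a reader does not conclude the x25519 values are safe to reuse because they are full-size.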
 End of changes. 61 change blocks. 
93 lines changed or deleted 103 lines changed or added

This html diff was produced by rfcdiff 1.47.