
RFC 8448

Example Handshake Traces for TLS 1.3

Pages: 68
Informational
Errata
Part 5 of 5 – Pages 55 to 68

7. Compatibility Mode

This example shows use of the handshake with the client requesting that the server use compatibility mode as defined in Appendix D.4 of [TLS13].

   {client}  create an ephemeral x25519 key pair:

      private key (32 octets):  de a0 0b 45 69 5d c7 81 f1 9d 34 a6 2c
         1a fd 31 ab 43 69 af 1e 85 5a 3b bb 25 8d 84 42 cd e6 d7

      public key (32 octets):  8e 72 92 cf 30 56 db b0 d2 5f cb e5 5c 10
         7d c9 bb f8 3d d9 70 8f 39 20 3b a3 41 24 9a 7d 9b 63

   {client}  construct a ClientHello handshake message:

      ClientHello (224 octets):  01 00 00 dc 03 03 4e 64 0a 3f 2c 27 38
         f0 9c 94 18 bd 78 ed cc d7 55 9d 05 31 19 92 76 d4 d9 2a 0e 9e
         e9 d7 7d 09 20 a8 0c 16 55 81 a8 e0 d0 6c 00 18 d5 4d 3a 06 dd
         32 cf d4 05 1e b0 26 fa d3 fd 0b a9 92 69 e6 ef 00 06 13 01 13
         03 13 02 01 00 00 8d 00 00 00 0b 00 09 00 00 06 73 65 72 76 65
         72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01
         00 01 01 01 02 01 03 01 04 00 33 00 26 00 24 00 1d 00 20 8e 72
         92 cf 30 56 db b0 d2 5f cb e5 5c 10 7d c9 bb f8 3d d9 70 8f 39
         20 3b a3 41 24 9a 7d 9b 63 00 2b 00 03 02 03 04 00 0d 00 20 00
         1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01
         02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40
         01

   {client}  send handshake record:

      payload (224 octets):  01 00 00 dc 03 03 4e 64 0a 3f 2c 27 38 f0
         9c 94 18 bd 78 ed cc d7 55 9d 05 31 19 92 76 d4 d9 2a 0e 9e e9
         d7 7d 09 20 a8 0c 16 55 81 a8 e0 d0 6c 00 18 d5 4d 3a 06 dd 32
         cf d4 05 1e b0 26 fa d3 fd 0b a9 92 69 e6 ef 00 06 13 01 13 03
         13 02 01 00 00 8d 00 00 00 0b 00 09 00 00 06 73 65 72 76 65 72
         ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00 17 00 18 00 19 01 00
         01 01 01 02 01 03 01 04 00 33 00 26 00 24 00 1d 00 20 8e 72 92
         cf 30 56 db b0 d2 5f cb e5 5c 10 7d c9 bb f8 3d d9 70 8f 39 20
         3b a3 41 24 9a 7d 9b 63 00 2b 00 03 02 03 04 00 0d 00 20 00 1e
         04 03 05 03 06 03 02 03 08 04 08 05 08 06 04 01 05 01 06 01 02
         01 04 02 05 02 06 02 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01

      complete record (229 octets):  16 03 01 00 e0 01 00 00 dc 03 03 4e
         64 0a 3f 2c 27 38 f0 9c 94 18 bd 78 ed cc d7 55 9d 05 31 19 92
         76 d4 d9 2a 0e 9e e9 d7 7d 09 20 a8 0c 16 55 81 a8 e0 d0 6c 00
         18 d5 4d 3a 06 dd 32 cf d4 05 1e b0 26 fa d3 fd 0b a9 92 69 e6
         ef 00 06 13 01 13 03 13 02 01 00 00 8d 00 00 00 0b 00 09 00 00
         06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00
         17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00 26 00 24
         00 1d 00 20 8e 72 92 cf 30 56 db b0 d2 5f cb e5 5c 10 7d c9 bb
         f8 3d d9 70 8f 39 20 3b a3 41 24 9a 7d 9b 63 00 2b 00 03 02 03
         04 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06
         04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01
         01 00 1c 00 02 40 01

   {server}  extract secret "early":

      salt:  0 (all zero octets)

      IKM (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c
         e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

   {server}  create an ephemeral x25519 key pair:

      private key (32 octets):  01 7c 38 a3 64 79 21 ca 2d 9e d6 bd 7a
         e7 13 2b 94 21 1b 13 31 bb 20 8c 8c cd d5 15 56 40 99 95

      public key (32 octets):  3e 30 f0 f4 ba 55 1a fd 62 76 83 41 17 5f
         52 65 e4 da f0 c8 84 16 17 aa 4f af dd 21 42 32 0c 22

   {server}  construct a ServerHello handshake message:

      ServerHello (122 octets):  02 00 00 76 03 03 e5 dd 59 48 c4 35 f7
         a3 8f 0f 01 30 70 8d c3 22 d9 df 09 ab d4 83 81 17 c1 83 a7 bb
         6d 99 4f 2c 20 a8 0c 16 55 81 a8 e0 d0 6c 00 18 d5 4d 3a 06 dd
         32 cf d4 05 1e b0 26 fa d3 fd 0b a9 92 69 e6 ef 13 01 00 00 2e
         00 33 00 24 00 1d 00 20 3e 30 f0 f4 ba 55 1a fd 62 76 83 41 17
         5f 52 65 e4 da f0 c8 84 16 17 aa 4f af dd 21 42 32 0c 22 00 2b
         00 02 03 04

   {server}  send handshake record:

      payload (122 octets):  02 00 00 76 03 03 e5 dd 59 48 c4 35 f7 a3
         8f 0f 01 30 70 8d c3 22 d9 df 09 ab d4 83 81 17 c1 83 a7 bb 6d
         99 4f 2c 20 a8 0c 16 55 81 a8 e0 d0 6c 00 18 d5 4d 3a 06 dd 32
         cf d4 05 1e b0 26 fa d3 fd 0b a9 92 69 e6 ef 13 01 00 00 2e 00
         33 00 24 00 1d 00 20 3e 30 f0 f4 ba 55 1a fd 62 76 83 41 17 5f
         52 65 e4 da f0 c8 84 16 17 aa 4f af dd 21 42 32 0c 22 00 2b 00
         02 03 04

      complete record (127 octets):  16 03 03 00 7a 02 00 00 76 03 03 e5
         dd 59 48 c4 35 f7 a3 8f 0f 01 30 70 8d c3 22 d9 df 09 ab d4 83
         81 17 c1 83 a7 bb 6d 99 4f 2c 20 a8 0c 16 55 81 a8 e0 d0 6c 00
         18 d5 4d 3a 06 dd 32 cf d4 05 1e b0 26 fa d3 fd 0b a9 92 69 e6
         ef 13 01 00 00 2e 00 33 00 24 00 1d 00 20 3e 30 f0 f4 ba 55 1a
         fd 62 76 83 41 17 5f 52 65 e4 da f0 c8 84 16 17 aa 4f af dd 21
         42 32 0c 22 00 2b 00 02 03 04

   {server}  send change_cipher_spec record:

      payload (1 octets):  01

      complete record (6 octets):  14 03 03 00 01 01
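
What a receiver has to do with the three cleartext records shown so far, as an added example that is not part of RFC 8448 or NSS: confirm that the ServerHello echoes the client's 32-octet legacy_session_id, accept only a change_cipher_spec body of 01, and keep that record out of the transcript hash that the trace later feeds into the handshake traffic secrets. Function names are illustrative, the alert names in the error strings follow [TLS13], and the sketch assumes one whole handshake message per record, which holds for this trace.

```python
import hashlib

def hx(text):  # decode whitespace-separated hex octets as printed in the trace
    return bytes.fromhex("".join(text.split()))

# Cleartext records copied from the trace in this section.
CLIENT_HELLO_RECORD = hx("""
16 03 01 00 e0 01 00 00 dc 03 03 4e
64 0a 3f 2c 27 38 f0 9c 94 18 bd 78 ed cc d7 55 9d 05 31 19 92
76 d4 d9 2a 0e 9e e9 d7 7d 09 20 a8 0c 16 55 81 a8 e0 d0 6c 00
18 d5 4d 3a 06 dd 32 cf d4 05 1e b0 26 fa d3 fd 0b a9 92 69 e6
ef 00 06 13 01 13 03 13 02 01 00 00 8d 00 00 00 0b 00 09 00 00
06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 00 1d 00
17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00 26 00 24
00 1d 00 20 8e 72 92 cf 30 56 db b0 d2 5f cb e5 5c 10 7d c9 bb
f8 3d d9 70 8f 39 20 3b a3 41 24 9a 7d 9b 63 00 2b 00 03 02 03
04 00 0d 00 20 00 1e 04 03 05 03 06 03 02 03 08 04 08 05 08 06
04 01 05 01 06 01 02 01 04 02 05 02 06 02 02 02 00 2d 00 02 01
01 00 1c 00 02 40 01
""")
SERVER_FLIGHT = hx("""
16 03 03 00 7a 02 00 00 76 03 03 e5
dd 59 48 c4 35 f7 a3 8f 0f 01 30 70 8d c3 22 d9 df 09 ab d4 83
81 17 c1 83 a7 bb 6d 99 4f 2c 20 a8 0c 16 55 81 a8 e0 d0 6c 00
18 d5 4d 3a 06 dd 32 cf d4 05 1e b0 26 fa d3 fd 0b a9 92 69 e6
ef 13 01 00 00 2e 00 33 00 24 00 1d 00 20 3e 30 f0 f4 ba 55 1a
fd 62 76 83 41 17 5f 52 65 e4 da f0 c8 84 16 17 aa 4f af dd 21
42 32 0c 22 00 2b 00 02 03 04
14 03 03 00 01 01
""")
HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20  # record content types

def split_records(stream):
    """Yield (content_type, fragment) for each TLS record in a byte stream."""
    pos = 0
    while pos < len(stream):
        length = int.from_bytes(stream[pos + 3:pos + 5], "big")
        fragment = stream[pos + 5:pos + 5 + length]
        if len(stream) - pos < 5 or len(fragment) != length:
            raise ValueError("truncated record")
        yield stream[pos], fragment
        pos += 5 + length

def legacy_session_id(hello):
    """legacy_session_id of a ClientHello, or its echo in a ServerHello."""
    if len(hello) < 39 or hello[0] not in (1, 2):
        raise ValueError("not a ClientHello or ServerHello")
    # msg_type(1) + length(3) + legacy_version(2) + random(32) = 38 octets
    return hello[39:39 + hello[38]]

def check_compat_flight(client_stream, server_stream):
    """Apply a receiver's compatibility-mode checks; return the findings."""
    transcript, ids, ccs_seen = hashlib.sha256(), [], 0
    for stream in (client_stream, server_stream):
        for ctype, fragment in split_records(stream):
            if ctype == CHANGE_CIPHER_SPEC:
                if fragment != b"\x01":
                    raise ValueError("unexpected_message: bad change_cipher_spec")
                ccs_seen += 1  # dropped, so it never enters the transcript
            elif ctype == HANDSHAKE:
                # Assumption: one whole handshake message per record, as here.
                ids.append(legacy_session_id(fragment))
                transcript.update(fragment)
            else:
                raise ValueError("unexpected record type %d" % ctype)
    if len(ids) != 2 or ids[0] != ids[1]:
        raise ValueError("illegal_parameter: legacy_session_id_echo mismatch")
    return {"session_id": ids[0].hex(), "ccs_records": ccs_seen,
            "transcript_hash": transcript.hexdigest()}
```

The returned transcript_hash covers only the ClientHello and ServerHello messages, without record headers, and equals the hash input listed for "tls13 c hs traffic" and "tls13 s hs traffic".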

   {server}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      expanded (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba
         b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {server}  extract secret "handshake":

      salt (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97
         16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

      IKM (32 octets):  ee f7 90 55 90 77 db 5b b6 3b 66 84 e4 16 9f 05
         1e 8f b3 4c e5 9b af ce 2f 9c 8e e6 8c c4 eb 79

      secret (32 octets):  f9 17 61 35 4a 67 e9 b0 7c 6d cc 3a 55 70 7e
         fa 69 c4 51 9d 80 40 e5 f2 15 12 1e 0d f6 9a fa 4a

   {server}  derive secret "tls13 c hs traffic":

      PRK (32 octets):  f9 17 61 35 4a 67 e9 b0 7c 6d cc 3a 55 70 7e fa
         69 c4 51 9d 80 40 e5 f2 15 12 1e 0d f6 9a fa 4a

      hash (32 octets):  74 5c 55 ba c3 99 31 0b 7b 5a 7c 81 a2 c1 30 b4
         d5 6d ff 6f 68 c3 ab 47 78 57 60 1e 01 f1 f8 d1

      info (54 octets):  00 20 12 74 6c 73 31 33 20 63 20 68 73 20 74 72
         61 66 66 69 63 20 74 5c 55 ba c3 99 31 0b 7b 5a 7c 81 a2 c1 30
         b4 d5 6d ff 6f 68 c3 ab 47 78 57 60 1e 01 f1 f8 d1

      expanded (32 octets):  2c 3c b2 4a 10 81 ed b5 95 18 ee 68 61 e8
         9a 6b 72 b3 80 1a fe 77 13 e4 cb bc 21 c0 79 5b f8 31

   {server}  derive secret "tls13 s hs traffic":

      PRK (32 octets):  f9 17 61 35 4a 67 e9 b0 7c 6d cc 3a 55 70 7e fa
         69 c4 51 9d 80 40 e5 f2 15 12 1e 0d f6 9a fa 4a

      hash (32 octets):  74 5c 55 ba c3 99 31 0b 7b 5a 7c 81 a2 c1 30 b4
         d5 6d ff 6f 68 c3 ab 47 78 57 60 1e 01 f1 f8 d1

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 20 68 73 20 74 72
         61 66 66 69 63 20 74 5c 55 ba c3 99 31 0b 7b 5a 7c 81 a2 c1 30
         b4 d5 6d ff 6f 68 c3 ab 47 78 57 60 1e 01 f1 f8 d1

      expanded (32 octets):  ca ce 3d 55 5c c1 c5 77 cf 97 0c ff 28 cf
         97 8d 6a 98 00 08 54 42 e1 8d 69 5b 50 f3 15 1d 18 c8

   {server}  derive secret for master "tls13 derived":

      PRK (32 octets):  f9 17 61 35 4a 67 e9 b0 7c 6d cc 3a 55 70 7e fa
         69 c4 51 9d 80 40 e5 f2 15 12 1e 0d f6 9a fa 4a

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      expanded (32 octets):  5d a1 2d c4 78 35 ba 73 fd d9 94 b1 4a b7
         e6 3c c6 3f 0d 79 16 2f 67 56 e9 a4 67 56 c8 b2 b6 42

   {server}  extract secret "master":

      salt (32 octets):  5d a1 2d c4 78 35 ba 73 fd d9 94 b1 4a b7 e6 3c
         c6 3f 0d 79 16 2f 67 56 e9 a4 67 56 c8 b2 b6 42

      IKM (32 octets):  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

      secret (32 octets):  62 81 12 da e2 f7 02 48 80 63 e4 2d e6 c8 50
         a5 c0 82 0b 90 90 3e 00 ab c3 18 75 da 03 d4 bc 5b

   {server}  derive write traffic keys for handshake data:

      PRK (32 octets):  ca ce 3d 55 5c c1 c5 77 cf 97 0c ff 28 cf 97 8d
         6a 98 00 08 54 42 e1 8d 69 5b 50 f3 15 1d 18 c8

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key expanded (16 octets):  04 10 91 fd ab 29 f2 c8 ab fb 15 6d c5
         fc 8d 54

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv expanded (12 octets):  74 64 d7 91 68 5d e0 59 98 fc ba db
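
The key schedule steps traced above, from the early secret through the server's handshake write key and IV, can be reproduced with HMAC-SHA256 alone. The following is an added example, not part of RFC 8448 or NSS; the function names are illustrative, and the ECDHE shared secret (the IKM of the "handshake" extract) and the ClientHello..ServerHello transcript hash are copied from the trace.

```python
import hashlib
import hmac

def hx(text):  # decode whitespace-separated hex octets as printed in the trace
    return bytes.fromhex("".join(text.split()))

def hkdf_extract(salt, ikm):
    """HKDF-Extract [RFC5869] with SHA-256: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk, info, length):
    """HKDF-Expand [RFC5869] with SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_label(label, context, length):
    """The 'info' octets of the trace: length, 'tls13 ' + label, context."""
    full = b"tls13 " + label
    return (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)

def expand_label(secret, label, context, length):
    return hkdf_expand(secret, hkdf_label(label, context, length), length)

# Inputs copied from the trace above.
ECDHE_SHARED_SECRET = hx("""ee f7 90 55 90 77 db 5b b6 3b 66 84 e4 16 9f 05
                            1e 8f b3 4c e5 9b af ce 2f 9c 8e e6 8c c4 eb 79""")
CH_SH_TRANSCRIPT_HASH = hx("""74 5c 55 ba c3 99 31 0b 7b 5a 7c 81 a2 c1 30 b4
                              d5 6d ff 6f 68 c3 ab 47 78 57 60 1e 01 f1 f8 d1""")

def handshake_schedule(ecdhe, ch_sh_hash):
    """Walk the schedule in the order the trace lists it; return each value."""
    zeros = bytes(32)
    empty_hash = hashlib.sha256(b"").digest()   # the 'hash' of both "derived" steps
    early = hkdf_extract(zeros, zeros)          # no PSK: salt and IKM all zero
    handshake = hkdf_extract(
        expand_label(early, b"derived", empty_hash, 32), ecdhe)
    c_hs = expand_label(handshake, b"c hs traffic", ch_sh_hash, 32)
    s_hs = expand_label(handshake, b"s hs traffic", ch_sh_hash, 32)
    master = hkdf_extract(
        expand_label(handshake, b"derived", empty_hash, 32), zeros)
    return {
        "early": early, "handshake": handshake, "master": master,
        "c_hs_traffic": c_hs, "s_hs_traffic": s_hs,
        # Server write keys for handshake data (AES-128-GCM: 16-octet key, 12-octet IV).
        "s_hs_key": expand_label(s_hs, b"key", b"", 16),
        "s_hs_iv": expand_label(s_hs, b"iv", b"", 12),
    }
```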

   {server}  construct an EncryptedExtensions handshake message:

      EncryptedExtensions (40 octets):  08 00 00 24 00 22 00 0a 00 14 00
         12 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c
         00 02 40 01 00 00 00 00

   {server}  construct a Certificate handshake message:

      Certificate (445 octets):  0b 00 01 b9 00 00 01 b5 00 01 b0 30 82
         01 ac 30 82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48
         86 f7 0d 01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03
         72 73 61 30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17
         0d 32 36 30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06
         03 55 04 03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7
         0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f
         82 79 30 3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26
         d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c
         1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52
         4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74
         80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93
         ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03
         01 00 01 a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06
         03 55 1d 0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01
         01 0b 05 00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a
         72 67 17 06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea
         e8 f8 a5 8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01
         51 56 72 60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be
         c1 fc 63 a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b
         1c 3b 84 e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8
         96 12 29 ac 91 87 b4 2b 4d e1 00 00

   {server}  construct a CertificateVerify handshake message:

      CertificateVerify (136 octets):  0f 00 00 84 08 04 00 80 a2 30 1a
         68 dd 1c ee e6 93 8f e9 d4 0c 46 b9 20 1b 34 d5 99 52 a3 7e 06
         52 3a 39 cf 8b a6 c9 c8 b6 8a e9 44 92 af 78 05 16 ed 7b 73 c8
         28 12 e9 9d d3 fa be a4 5e 09 d9 c6 84 87 21 c2 80 8c 61 50 1b
         0c 75 e7 fc ab a5 f7 8b ef 68 a2 c2 b6 9b 19 55 8b 3e 40 38 7e
         ea 93 d2 5c 77 81 c1 cc 00 e9 f5 19 f7 e2 e4 ad b7 3e 76 d6 60
         89 00 0a 2d c8 66 c2 ed 30 bb a5 0a 0d 45 7f 19 dc 6e b9 f3

   {server}  calculate finished "tls13 finished":

      PRK (32 octets):  ca ce 3d 55 5c c1 c5 77 cf 97 0c ff 28 cf 97 8d
         6a 98 00 08 54 42 e1 8d 69 5b 50 f3 15 1d 18 c8

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      expanded (32 octets):  2c 9f 72 f2 7b 81 e7 df 66 8c ac cd 49 37
         1f 12 86 d4 11 e1 6c 8c cc 1c 0d 9a ed 72 cb bd c0 80

      finished (32 octets):  c8 c3 a8 f1 bf f5 27 40 61 f4 bc 3a 7c af
         fb dc 96 16 09 4c a6 25 ca a6 5f 8e 76 ed 46 db 74 d3

   {server}  construct a Finished handshake message:

      Finished (36 octets):  14 00 00 20 c8 c3 a8 f1 bf f5 27 40 61 f4
         bc 3a 7c af fb dc 96 16 09 4c a6 25 ca a6 5f 8e 76 ed 46 db 74
         d3

   {server}  send handshake record:

      payload (657 octets):  08 00 00 24 00 22 00 0a 00 14 00 12 00 1d
         00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 1c 00 02 40
         01 00 00 00 00 0b 00 01 b9 00 00 01 b5 00 01 b0 30 82 01 ac 30
         82 01 15 a0 03 02 01 02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d
         01 01 0b 05 00 30 0e 31 0c 30 0a 06 03 55 04 03 13 03 72 73 61
         30 1e 17 0d 31 36 30 37 33 30 30 31 32 33 35 39 5a 17 0d 32 36
         30 37 33 30 30 31 32 33 35 39 5a 30 0e 31 0c 30 0a 06 03 55 04
         03 13 03 72 73 61 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01
         01 05 00 03 81 8d 00 30 81 89 02 81 81 00 b4 bb 49 8f 82 79 30
         3d 98 08 36 39 9b 36 c6 98 8c 0c 68 de 55 e1 bd b8 26 d3 90 1a
         24 61 ea fd 2d e4 9a 91 d0 15 ab bc 9a 95 13 7a ce 6c 1a f1 9e
         aa 6a f9 8c 7c ed 43 12 09 98 e1 87 a8 0e e0 cc b0 52 4b 1b 01
         8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f da 43 08 46 74 80 30 53
         0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0 3e 2b d1 93 ef f0 ab
         9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e 3f 02 03 01 00 01
         a3 1a 30 18 30 09 06 03 55 1d 13 04 02 30 00 30 0b 06 03 55 1d
         0f 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05
         00 03 81 81 00 85 aa d2 a0 e5 b9 27 6b 90 8c 65 f7 3a 72 67 17
         06 18 a5 4c 5f 8a 7b 33 7d 2d f7 a5 94 36 54 17 f2 ea e8 f8 a5
         8c 8f 81 72 f9 31 9c f3 6b 7f d6 c5 5b 80 f2 1a 03 01 51 56 72
         60 96 fd 33 5e 5e 67 f2 db f1 02 70 2e 60 8c ca e6 be c1 fc 63
         a4 2a 99 be 5c 3e b7 10 7c 3c 54 e9 b9 eb 2b d5 20 3b 1c 3b 84
         e0 a8 b2 f7 59 40 9b a3 ea c9 d9 1d 40 2d cc 0c c8 f8 96 12 29
         ac 91 87 b4 2b 4d e1 00 00 0f 00 00 84 08 04 00 80 a2 30 1a 68
         dd 1c ee e6 93 8f e9 d4 0c 46 b9 20 1b 34 d5 99 52 a3 7e 06 52
         3a 39 cf 8b a6 c9 c8 b6 8a e9 44 92 af 78 05 16 ed 7b 73 c8 28
         12 e9 9d d3 fa be a4 5e 09 d9 c6 84 87 21 c2 80 8c 61 50 1b 0c
         75 e7 fc ab a5 f7 8b ef 68 a2 c2 b6 9b 19 55 8b 3e 40 38 7e ea
         93 d2 5c 77 81 c1 cc 00 e9 f5 19 f7 e2 e4 ad b7 3e 76 d6 60 89
         00 0a 2d c8 66 c2 ed 30 bb a5 0a 0d 45 7f 19 dc 6e b9 f3 14 00
         00 20 c8 c3 a8 f1 bf f5 27 40 61 f4 bc 3a 7c af fb dc 96 16 09
         4c a6 25 ca a6 5f 8e 76 ed 46 db 74 d3

      complete record (679 octets):  17 03 03 02 a2 48 de 89 1d 9c 36 24
         a6 7a 6c 6f 06 01 ab 7a c2 0c 1f 6a 9e 14 d2 e6 00 7e 99 9e 13
         03 67 a8 af 1b cf ea 94 98 fb ce 19 df 45 05 ee ce 3a 25 da 52
         3c be 55 ea 1b 3b da 4e 91 99 5e 45 5d 50 0a 4f aa 62 27 b7 11
         1e 1c 85 47 e2 d7 c1 79 db 21 53 03 d2 58 27 f3 cd 18 f4 8f 64
         91 32 8c f5 c0 f8 14 d3 88 15 0b d9 e9 26 4a ae 49 1d b6 99 50
         69 be a1 76 65 d5 e0 c8 17 28 4d 4a c2 18 80 05 4c 36 57 33 1e
         23 a9 30 4d c8 8a 15 c0 4e c8 0b d3 85 2b f7 f9 d3 c6 61 5b 15
         fa c8 3b bc a0 31 c6 d2 31 0d 9f 5d 7a 4b 02 0a 4f 7c 19 06 2b
         65 c0 5a 1d 32 64 b5 57 ec 9d 8e 0f 7c ee 27 e3 6f 79 30 39 de
         8d d9 6e df ca 90 09 e0 65 10 34 bf f3 1d 7f 34 9e ec e0 1d 99
         fc b5 fc ab 84 0d 77 07 c7 22 99 c3 b5 d0 45 64 e8 80 a3 3c 5e
         84 6c 76 2e 3d 92 2b b5 53 03 d1 d8 7c c0 f0 65 73 f1 7d cb 9b
         8f fd 35 bb d8 83 c1 cb 3a a2 4f cc 32 50 05 f7 68 ce 2f b6 24
         ca 97 b6 c4 d9 8e 17 f3 5b c2 c7 94 0a 06 10 0c 2d 44 8d b7 18
         0b 2d 86 21 64 43 5c 9c 21 0e 98 60 39 4e 05 aa b2 3f f1 b0 20
         3f 66 2c 58 8d a5 bc 44 11 47 7a 30 b4 11 36 c4 88 a0 a6 3f ca
         b5 c1 5a c6 13 22 6d ae 82 7a 1d 1f e9 5e ce 6b 30 bc ee 15 60
         a8 d4 08 d2 64 55 5e 76 0f 9b fc 62 4c 2c 87 fd 04 56 c9 bf b4
         1b cd 1a 7b 21 27 86 d2 b6 7f d5 78 04 fa cf a1 ee f7 cf 29 19
         d8 b9 98 c9 78 9f 76 3b 4d 9c aa 09 3a 9d ed 43 17 5d 46 a7 6b
         4d 54 f0 ce 0c 5d 22 59 b6 07 e3 0a 9d 24 12 63 87 4f a5 9d 6f
         57 0d c4 0d 83 a2 d8 3b f9 e9 85 0d 45 4c 57 80 65 35 a8 99 8a
         e0 35 7d f9 2f 00 b9 66 73 44 c2 41 14 cc c9 ef 53 91 24 b2 04
         e7 e6 e7 48 c3 0a 28 a3 d1 d1 83 99 72 43 ea cc bb d3 3b 0c 11
         15 a0 32 71 06 a1 e6 a7 52 71 d4 98 30 86 f6 32 ff 0e b8 b4 c6
         31 02 cb ce f5 bb 72 da e1 27 9d 5d e8 eb 19 09 6d 8c db 07 fa
         8e a9 89 78 8f ac 23 e6 6e 04 88 c1 93 f3 f3 fe a8 c8 83 88 96
         bf 3a e4 b6 84 8d 42 ce d4 bd f4 1a be 6f c3 31 b4 42 25 e7 a1
         f7 d3 56 41 47 d5 45 8e 71 aa 90 9c b0 2b e9 58 bb c4 2e 3a a5
         a2 7c c6 ea f4 b6 fe 51 ae 44 95 69 4d 8a b6 32 0a ab 92 01 83
         fd 5b 31 a3 59 04 2f bd 67 39 1e c5 e4 d1 89 2a 2e 52 10 14 1a
         49 4e 93 01 b2 4a 11 3c 47 4c 7f 2a 73 45 78 47

   {server}  derive secret "tls13 c ap traffic":

      PRK (32 octets):  62 81 12 da e2 f7 02 48 80 63 e4 2d e6 c8 50 a5
         c0 82 0b 90 90 3e 00 ab c3 18 75 da 03 d4 bc 5b

      hash (32 octets):  07 07 dc ac 7b 2f a4 28 cc 7f 69 16 94 a2 59 0c
         80 6a aa 5c 0c f5 08 7e d5 38 50 12 e7 f9 6c d4

      info (54 octets):  00 20 12 74 6c 73 31 33 20 63 20 61 70 20 74 72
         61 66 66 69 63 20 07 07 dc ac 7b 2f a4 28 cc 7f 69 16 94 a2 59
         0c 80 6a aa 5c 0c f5 08 7e d5 38 50 12 e7 f9 6c d4

      expanded (32 octets):  74 3e 4c 6b 56 cf 39 09 d1 b0 6d 01 95 6c
         cd 2c 4b 37 75 84 49 ae c4 1d 98 da e4 49 24 ea a2 99

   {server}  derive secret "tls13 s ap traffic":

      PRK (32 octets):  62 81 12 da e2 f7 02 48 80 63 e4 2d e6 c8 50 a5
         c0 82 0b 90 90 3e 00 ab c3 18 75 da 03 d4 bc 5b

      hash (32 octets):  07 07 dc ac 7b 2f a4 28 cc 7f 69 16 94 a2 59 0c
         80 6a aa 5c 0c f5 08 7e d5 38 50 12 e7 f9 6c d4

      info (54 octets):  00 20 12 74 6c 73 31 33 20 73 20 61 70 20 74 72
         61 66 66 69 63 20 07 07 dc ac 7b 2f a4 28 cc 7f 69 16 94 a2 59
         0c 80 6a aa 5c 0c f5 08 7e d5 38 50 12 e7 f9 6c d4

      expanded (32 octets):  b6 b8 14 4a a3 35 ed 30 59 c0 c9 c8 f0 ec
         ab f7 af c9 4a f6 64 3b de cd fd 92 10 18 8f ab 74 51

   {server}  derive secret "tls13 exp master":

      PRK (32 octets):  62 81 12 da e2 f7 02 48 80 63 e4 2d e6 c8 50 a5
         c0 82 0b 90 90 3e 00 ab c3 18 75 da 03 d4 bc 5b

      hash (32 octets):  07 07 dc ac 7b 2f a4 28 cc 7f 69 16 94 a2 59 0c
         80 6a aa 5c 0c f5 08 7e d5 38 50 12 e7 f9 6c d4

      info (52 octets):  00 20 10 74 6c 73 31 33 20 65 78 70 20 6d 61 73
         74 65 72 20 07 07 dc ac 7b 2f a4 28 cc 7f 69 16 94 a2 59 0c 80
         6a aa 5c 0c f5 08 7e d5 38 50 12 e7 f9 6c d4

      expanded (32 octets):  fb 69 12 1c ea 33 4d b4 59 e1 22 72 d1 79
         ba ca 23 69 b6 43 d1 1a 6a c7 2b 8b 27 a5 c9 64 fe b1

   {server}  derive write traffic keys for application data:

      PRK (32 octets):  b6 b8 14 4a a3 35 ed 30 59 c0 c9 c8 f0 ec ab f7
         af c9 4a f6 64 3b de cd fd 92 10 18 8f ab 74 51

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key expanded (16 octets):  ed c4 cb d0 04 1c 28 cc 71 67 44 1d 7c
         a5 3e 6a

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv expanded (12 octets):  bf 6c 7d 8e 0a 95 45 b4 27 dc f1 39

   {server}  derive read traffic keys for handshake data:

      PRK (32 octets):  2c 3c b2 4a 10 81 ed b5 95 18 ee 68 61 e8 9a 6b
         72 b3 80 1a fe 77 13 e4 cb bc 21 c0 79 5b f8 31

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key expanded (16 octets):  62 d1 3c 13 ff d7 40 2f c1 c0 9e 3d 16
         36 65 cb

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv expanded (12 octets):  71 66 f2 00 28 bf 14 6d cf bd 5a 40

   {client}  extract secret "early" (same as server early secret)

   {client}  derive secret for handshake "tls13 derived":

      PRK (32 octets):  33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2
         10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a

      hash (32 octets):  e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24
         27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55

      info (49 octets):  00 20 0d 74 6c 73 31 33 20 64 65 72 69 76 65 64
         20 e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 27 ae 41 e4
         64 9b 93 4c a4 95 99 1b 78 52 b8 55

      expanded (32 octets):  6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba
         b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba

   {client}  extract secret "handshake" (same as server handshake
      secret)

   {client}  derive secret "tls13 c hs traffic" (same as server)

   {client}  derive secret "tls13 s hs traffic" (same as server)

   {client}  derive secret for master "tls13 derived" (same as server)

   {client}  extract secret "master" (same as server master secret)

   {client}  derive read traffic keys for handshake data (same as server
      handshake data write traffic keys)

   {client}  calculate finished "tls13 finished" (same as server)

   {client}  derive secret "tls13 c ap traffic" (same as server)

   {client}  derive secret "tls13 s ap traffic" (same as server)

   {client}  derive secret "tls13 exp master" (same as server)

   {client}  send change_cipher_spec record:

      payload (1 octets):  01

      complete record (6 octets):  14 03 03 00 01 01

   {client}  derive write traffic keys for handshake data (same as
      server handshake data read traffic keys)

   {client}  derive read traffic keys for application data (same as
      server application data write traffic keys)

   {client}  calculate finished "tls13 finished":

      PRK (32 octets):  2c 3c b2 4a 10 81 ed b5 95 18 ee 68 61 e8 9a 6b
         72 b3 80 1a fe 77 13 e4 cb bc 21 c0 79 5b f8 31

      hash (0 octets):  (empty)

      info (18 octets):  00 20 0e 74 6c 73 31 33 20 66 69 6e 69 73 68 65
         64 00

      expanded (32 octets):  77 34 1a bc 8c 0f fa b5 18 07 36 71 3e 41
         d2 f6 65 c4 10 a4 04 c8 c2 1e dc d9 48 a4 44 0f d8 0c

      finished (32 octets):  69 2c ab 15 5c c6 c1 00 ea d6 07 33 d0 61
         7f 6f b0 9b 71 aa 1e 8c 9a cc bb bc 9e 8e d3 36 c1 dd

   {client}  construct a Finished handshake message:

      Finished (36 octets):  14 00 00 20 69 2c ab 15 5c c6 c1 00 ea d6
         07 33 d0 61 7f 6f b0 9b 71 aa 1e 8c 9a cc bb bc 9e 8e d3 36 c1
         dd

   {client}  send handshake record:

      payload (36 octets):  14 00 00 20 69 2c ab 15 5c c6 c1 00 ea d6 07
         33 d0 61 7f 6f b0 9b 71 aa 1e 8c 9a cc bb bc 9e 8e d3 36 c1 dd

      complete record (58 octets):  17 03 03 00 35 32 d0 30 e2 73 77 3a
         86 96 c7 99 98 1a f6 ce d0 7f 87 48 2e 81 56 5e 39 4e 87 c8 67
         f3 3d f3 d6 5b 75 06 f1 a6 26 af 91 d4 82 1d 5f 7a 1f 21 0e f8
         dd 3c 6d 16

   {client}  derive write traffic keys for application data:

      PRK (32 octets):  74 3e 4c 6b 56 cf 39 09 d1 b0 6d 01 95 6c cd 2c
         4b 37 75 84 49 ae c4 1d 98 da e4 49 24 ea a2 99

      key info (13 octets):  00 10 09 74 6c 73 31 33 20 6b 65 79 00

      key expanded (16 octets):  33 d7 f9 70 97 56 c9 66 48 8a d4 43 84
         37 e6 73

      iv info (12 octets):  00 0c 08 74 6c 73 31 33 20 69 76 00

      iv expanded (12 octets):  c5 f3 0d 34 b0 e9 1b 7d 6c 8e ea 65

   {client}  derive secret "tls13 res master":

      PRK (32 octets):  62 81 12 da e2 f7 02 48 80 63 e4 2d e6 c8 50 a5
         c0 82 0b 90 90 3e 00 ab c3 18 75 da 03 d4 bc 5b

      hash (32 octets):  a0 21 d3 a0 5b d4 18 a7 72 81 38 75 ef 79 b0 af
         68 c5 12 32 15 42 7a b7 33 3f 8c 27 72 2a 9f d5

      info (52 octets):  00 20 10 74 6c 73 31 33 20 72 65 73 20 6d 61 73
         74 65 72 20 a0 21 d3 a0 5b d4 18 a7 72 81 38 75 ef 79 b0 af 68
         c5 12 32 15 42 7a b7 33 3f 8c 27 72 2a 9f d5

      expanded (32 octets):  0b 5d 44 07 ce a0 a4 2a 3a 81 dd 47 76 47
         b7 fe 91 80 db 29 7e 51 14 f1 ad 87 96 b4 dc 47 50 04

   {server}  calculate finished "tls13 finished" (same as client)

   {server}  derive read traffic keys for application data (same as
      client application data write traffic keys)

   {server}  derive secret "tls13 res master" (same as client)

   {client}  send alert record:

      payload (2 octets):  01 00

      complete record (24 octets):  17 03 03 00 13 0f 62 91 55 38 2d ba
         23 c4 e2 c5 f7 f8 4e 6f 2e d3 08 3d

   {server}  send alert record:

      payload (2 octets):  01 00

      complete record (24 octets):  17 03 03 00 13 b7 25 7b 0f ec af 69
         d4 f0 9e 3f 89 1e 2a 25 d1 e2 88 45

8. Security Considerations

It probably isn't a good idea to use the private key included in this document. In addition to the fact that it is too small to provide any meaningful security, it is now very well known.

9. IANA Considerations

This document has no IANA actions.

10. References

10.1. Normative References

[TLS13] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, <https://www.rfc-editor.org/info/rfc8446>.

10.2. Informative References

[FIPS.186-4.2013] National Institute of Standards and Technology, "Digital Signature Standard (DSS)", FIPS 186-4, DOI 10.6028/NIST.FIPS.186-4, July 2013, <https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.186-4.pdf>.

[NSS] Mozilla, "Network Security Services", November 2018, <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS>.

[RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)", RFC 5869, DOI 10.17487/RFC5869, May 2010, <https://www.rfc-editor.org/info/rfc5869>.

[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves for Security", RFC 7748, DOI 10.17487/RFC7748, January 2016, <https://www.rfc-editor.org/info/rfc7748>.

Acknowledgements

This document was generated using tests that were written for Network Security Services [NSS]. None of this would have been possible without Franziskus Kiefer, Eric Rescorla, and Tim Taubert, all of whom did a lot of the work in NSS.

Author's Address

Martin Thomson
Mozilla

Email: martin.thomson@gmail.com