Example Handshake Traces for TLS 1.3
RFC 8448

Document Type RFC - Informational (January 2019; No errata)
Last updated 2019-01-14
Replaces draft-thomson-tls-tls13-vectors
Stream IETF
Formats plain text pdf html bibtex
Reviews
Stream WG state Submitted to IESG for Publication
Document shepherd Sean Turner
Shepherd write-up Show (last changed 2018-05-29)
IESG IESG state RFC 8448 (Informational)
Consensus Boilerplate Yes
Telechat date
Responsible AD Benjamin Kaduk
Send notices to Sean Turner <sean@sn3rd.com>
IANA IANA review state IANA OK - No Actions Needed
IANA action state No IANA Actions
Internet Engineering Task Force (IETF)                        M. Thomson
Request for Comments: 8448                                       Mozilla
Category: Informational                                     January 2019
ISSN: 2070-1721

                  Example Handshake Traces for TLS 1.3

Abstract

   This document includes examples of TLS 1.3 handshakes.  Private keys
   and inputs are provided so that these handshakes might be reproduced.
   Intermediate values, including secrets, traffic keys, and IVs, are
   shown so that implementations might be checked incrementally against
   these values.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are candidates for any level of Internet
   Standard; see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8448.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Thomson                       Informational                     [Page 1]
RFC 8448                     TLS 1.3 Traces                 January 2019

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Private Keys  . . . . . . . . . . . . . . . . . . . . . . . .   2
   3.  Simple 1-RTT Handshake  . . . . . . . . . . . . . . . . . . .   3
   4.  Resumed 0-RTT Handshake . . . . . . . . . . . . . . . . . . .  16
   5.  HelloRetryRequest . . . . . . . . . . . . . . . . . . . . . .  29
   6.  Client Authentication . . . . . . . . . . . . . . . . . . . .  43
   7.  Compatibility Mode  . . . . . . . . . . . . . . . . . . . . .  55
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  67
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  67
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  67
     10.1.  Normative References . . . . . . . . . . . . . . . . . .  67
     10.2.  Informative References . . . . . . . . . . . . . . . . .  67
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  68
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  68

1.  Introduction

   TLS 1.3 [TLS13] defines a new key schedule and a number of new
   cryptographic operations.  This document includes sample handshakes
   that show all intermediate values.  This allows an implementation to
   be verified incrementally, examining inputs and outputs of each
   cryptographic computation independently.

   A private key is included with the traces so that implementations can
   be checked by importing these values and verifying that the same
   outputs are produced.

   Note:  Invocations of HMAC-based Extract-and-Expand Key Derivation
      Function (HKDF) [RFC5869] are not labeled, but they can be
      identified through the use of the labels used by HKDF.

2.  Private Keys

   Ephemeral private keys are shown as they are generated in the traces.

   The server in most examples uses an RSA certificate with a private
   key of:

   modulus (public):  b4 bb 49 8f 82 79 30 3d 98 08 36 39 9b 36 c6 98 8c
      0c 68 de 55 e1 bd b8 26 d3 90 1a 24 61 ea fd 2d e4 9a 91 d0 15 ab
      bc 9a 95 13 7a ce 6c 1a f1 9e aa 6a f9 8c 7c ed 43 12 09 98 e1 87
      a8 0e e0 cc b0 52 4b 1b 01 8c 3e 0b 63 26 4d 44 9a 6d 38 e2 2a 5f
      da 43 08 46 74 80 30 53 0e f0 46 1c 8c a9 d9 ef bf ae 8e a6 d1 d0
      3e 2b d1 93 ef f0 ab 9a 80 02 c4 74 28 a6 d3 5a 8d 88 d7 9f 7f 1e
      3f

Thomson                       Informational                     [Page 2]
RFC 8448                     TLS 1.3 Traces                 January 2019

   public exponent:  01 00 01

   private exponent:  04 de a7 05 d4 3a 6e a7 20 9d d8 07 21 11 a8 3c 81
      e3 22 a5 92 78 b3 34 80 64 1e af 7c 0a 69 85 b8 e3 1c 44 f6 de 62
      e1 b4 c2 30 9f 61 26 e7 7b 7c 41 e9 23 31 4b bf a3 88 13 05 dc 12
      17 f1 6c 81 9c e5 38 e9 22 f3 69 82 8d 0e 57 19 5d 8c 84 88 46 02
      07 b2 fa a7 26 bc f7 08 bb d7 db 7f 67 9f 89 34 92 fc 2a 62 2e 08
Show full document text