Handshake flow

ClientHello with key share. ServerHello with key share + certificate + certificate verify (signature). Both derive keys via HKDF. Application data flows.

Key derivation

HKDF-Extract + HKDF-Expand chain. Separate keys per direction + purpose (traffic, exporter, resumption).
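
The chain above, as an added example (not code from the original page): the handshake-traffic branch of the TLS 1.3 key schedule from RFC 8446, using SHA-256 and no PSK. The shared secret and transcript bytes are constructed sample values, and `handshake_keys` is a name chosen for this sketch; the exporter and resumption secrets hang off the later master secret in the same way and are not shown.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HLEN = HASH().digest_size  # 32 bytes for SHA-256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: concentrate input keying material into a fixed-size PRK."""
    return hmac.new(salt or bytes(HLEN), ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: stretch a PRK into `length` bytes bound to `info`."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    # HkdfLabel = uint16 length || opaque label<7..255> || opaque context<0..255>
    full = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    return expand_label(secret, label, HASH(transcript).digest(), HLEN)

def handshake_keys(ecdhe_shared: bytes, transcript: bytes):
    """Return (early_secret, per-direction AES-128-GCM key and IV)."""
    early = hkdf_extract(b"", bytes(HLEN))           # no PSK: IKM is all zeros
    derived = derive_secret(early, b"derived", b"")  # salt for the next Extract
    hs_secret = hkdf_extract(derived, ecdhe_shared)
    keys = {}
    for side, label in (("client", b"c hs traffic"), ("server", b"s hs traffic")):
        ts = derive_secret(hs_secret, label, transcript)  # one secret per direction
        keys[side] = {"key": expand_label(ts, b"key", b"", 16),
                      "iv": expand_label(ts, b"iv", b"", 12)}
    return early, keys

# Constructed sample inputs, not values from a real handshake.
SHARED = bytes(range(32))
TRANSCRIPT = b"constructed ClientHello || ServerHello bytes"

if __name__ == "__main__":
    _, k = handshake_keys(SHARED, TRANSCRIPT)
    for side, material in k.items():
        print(side, material["key"].hex(), material["iv"].hex())
```

Because the transcript hash is part of each label's context, any change to the handshake messages yields different keys on both sides.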

Cipher suites

Only AEAD ciphers: AES-GCM + ChaCha20-Poly1305. No CBC, no RC4, no static RSA.

0-RTT

A session ticket lets the client send encrypted data with its first flight. Replay-vulnerable: only for idempotent GETs.