Handshake flow
ClientHello with key share. ServerHello with key share + certificate + certificate verify (signature). Both derive keys via HKDF. Application data flows.
Advertisement
Key derivation
HKDF-Extract + HKDF-Expand chain. Separate keys per direction + purpose (traffic, exporter, resumption).
Advertisement
Cipher suites
Only AEAD ciphers: AES-GCM + ChaCha20-Poly1305. No CBC, no RC4, no static RSA.
0-RTT
Session ticket enables client sending encrypted data with first flight. Replay-vulnerable — only for idempotent GETs.