In revision.
Crisp5 min readGo deeper →

TLS 1.3 handshake

TLS 1.3 is 1 RTT on cold start, 0 RTT on resume. Drops every weak cipher and round trip from TLS 1.2.

TLS 1.3 (RFC 8446) takes 1 RTT to establish a fresh secure connection. On a resumed session, it can deliver data in 0 RTT. Compared to TLS 1.2 which took 2 RTTs, that is a 50% latency cut on the handshake.

The 1 RTT handshake

TLS 1.3 1-RTT handshake
  1. Client sends ClientHello with its supported cipher suites, supported groups (curves), and a key_share guess for the most likely group.
  2. Server picks a cipher, completes the key exchange with its own key_share, sends its cert, signs the transcript, sends Finished. All but ServerHello is encrypted.
  3. Client verifies, sends Finished, immediately sends application data.

Total: 1 RTT before the client can send encrypted data. The server can also send encrypted application data in its first flight if it chooses.

What TLS 1.3 removed

TLS 1.2 had decades of cruft. TLS 1.3 removed:

  • RSA key exchange (no forward secrecy).
  • Static Diffie-Hellman.
  • MD5, SHA-1.
  • RC4, DES, 3DES, CBC mode ciphers.
  • Compression (CRIME attack).
  • Renegotiation.
  • Custom DH groups (now fixed groups only).
  • The cipher suite explosion (down from 300+ to 5).

What is left is a small number of AEAD ciphers (AES-GCM, ChaCha20-Poly1305) and a small number of curves (X25519, P-256, P-384). Easier to reason about, harder to misconfigure.

0-RTT resumption

On a previous connection, the server issued a session ticket containing a resumption secret. On the next connection, the client can:

  1. Send ClientHello + early_data with application data, encrypted under the resumption secret.
  2. Server processes the early data immediately.

This is 0 RTT to first byte. But early data can be replayed by an attacker who captures it, since there is no fresh server nonce. Only use for idempotent operations (GET requests, not POSTs).

Forward secrecy

TLS 1.3 forces ephemeral key exchange (X25519 or P-256). Even if an attacker records traffic and later steals the server's private key, they cannot decrypt past sessions. The session keys were derived from ephemeral DH and are gone.

Certificate flow

Server presents a chain: leaf cert, then intermediates, terminating in a root the client trusts. The client validates the chain, checks expiry, checks revocation (CRL, OCSP, or stapled OCSP), and verifies the leaf matches the SNI.

Numbers worth knowing

  • TLS 1.3 cold start: 1 RTT.
  • TLS 1.3 resume: 0 RTT (if early data) or 1 RTT (without).
  • TLS 1.2 cold start: 2 RTT.
  • Typical cert size: 1-3 KB per cert in the chain.
  • AEAD overhead per record: 16-21 bytes.

Learn more