TLS 1.3 Handshake and 0-RTT Resumption
Trace the TLS 1.3 handshake step by step, understand how it achieves forward secrecy by default, and evaluate the security trade-offs of 0-RTT session resumption.
Why TLS 1.3 Was Needed
TLS 1.3, released in 2018 (RFC 8446), was designed to fix the weaknesses accumulating in TLS 1.2 over a decade of real-world attacks. Earlier versions allowed negotiating weak cipher suites, supported export-grade cryptography, and required multiple round trips before data could flow. TLS 1.3 removes all deprecated algorithms and streamlines the handshake to a single round trip in the normal case, dramatically improving both security and performance.
Handshake Overview: One Round Trip
In TLS 1.3, the client and server complete the handshake in 1-RTT (one round trip). The client sends a ClientHello that includes supported cipher suites and a key share (using Diffie-Hellman). The server responds with a ServerHello, its own key share, a certificate, and the first encrypted application data — all in one flight. The client then verifies the certificate and sends a Finished message before exchanging application data.
# Trace TLS 1.3 handshake with openssl
openssl s_client -connect example.com:443 -tls1_3 -msg 2>&1 | grep -E 'ClientHello|ServerHello|Finished'