TLS Handshake
Transport Layer Security (TLS) negotiates encryption parameters and authenticates the server before any application data crosses the wire. TLS 1.3 dramatically simplified the handshake compared to TLS 1.2.
What the handshake achieves
- Negotiation — agree on a protocol version and cipher suite both ends support.
- Authentication — verify the server's identity (and optionally the client's) via certificates.
- Key exchange — derive symmetric keys without exposing them to passive observers.
- Confirmation — confirm both sides arrived at the same keys before sending application data.
TLS 1.3 handshake (1-RTT)
```
Client                                                    Server

ClientHello
 + key_share
 + supported_versions
 + signature_algorithms        ───────────►
                                                      ServerHello
                                                       + key_share
                                             {EncryptedExtensions}
                                                     {Certificate}
                                               {CertificateVerify}
                                                       {Finished}
                               ◄───────────    [Application Data]
{Finished}                     ───────────►
[Application Data]             ◄──────────►    [Application Data]
```
Notation:
- {} = encrypted with handshake traffic key
- [] = encrypted with application traffic key
By the server's first flight, it is already sending encrypted application data. With a session resumption ticket and 0-RTT data, a returning client can send a request in its very first flight — but 0-RTT data is not protected against replay, so it is only safe for idempotent requests.
What changed from TLS 1.2
| Aspect | TLS 1.2 | TLS 1.3 |
|---|---|---|
| Round-trips | 2-RTT | 1-RTT (or 0-RTT with resumption) |
| Cipher suite size | ~300 combinations | 5 AEAD-only suites |
| RSA key exchange | Allowed | Removed — only (EC)DHE |
| Forward secrecy | Optional | Mandatory |
| Static RSA, CBC, RC4, SHA-1, MD5 | Allowed | Removed |
Key concepts
- Forward secrecy. Even if the server's long-term private key is later compromised, past sessions cannot be decrypted because session keys come from ephemeral Diffie-Hellman.
- AEAD ciphers. Authenticated Encryption with Associated Data — encryption and integrity in one primitive (AES-GCM, ChaCha20-Poly1305).
- SNI. Server Name Indication lets a client tell a multi-tenant server which certificate to present, but it travels in the plaintext ClientHello. Encrypted Client Hello (ECH, the successor of Encrypted SNI) closes that metadata leak.
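As an added illustration (not code from the original page), the parser below walks the plaintext ClientHello that opens the handshake above and reports what a passive observer can read without any keys: offered versions, cipher suites, key-share groups, signature algorithms, and the cleartext SNI that ECH is designed to hide. The sample ClientHello is constructed in the block (not captured traffic; the x25519 key share is a dummy value), and the extension, group and suite code points are the IANA-registered ones.

```python
import struct
SNI, SIG_ALGS, SUPPORTED_VERSIONS, KEY_SHARE = 0, 13, 43, 51   # IANA extension types
def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body
def build_sample_client_hello():
    """Constructed sample (not captured traffic): a minimal TLS 1.3 ClientHello record."""
    name = b"example.com"
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    versions = b"\x04\x03\x04\x03\x03"                              # TLS 1.3, TLS 1.2
    key_share = struct.pack("!HHH", 36, 0x001D, 32) + b"\x11" * 32  # x25519, dummy public key
    sig_algs = b"\x00\x04\x04\x03\x08\x04"                          # ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256
    exts = (_ext(SNI, sni_body) + _ext(SUPPORTED_VERSIONS, versions)
            + _ext(KEY_SHARE, key_share) + _ext(SIG_ALGS, sig_algs))
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"        # legacy_version, random, empty session id
            + b"\x00\x04\x13\x01\x13\x03"               # TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256
            + b"\x01\x00"                               # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 (ClientHello) + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(rec):
    """Return what a passive observer sees in the plaintext first flight."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 9                                               # 5-byte record header + 4-byte handshake header
    info = {"legacy_version": rec[p:p + 2].hex(), "sni": None, "supported_versions": [],
            "key_share_groups": [], "sig_algs": []}
    p += 2 + 32 + 1 + rec[p + 34]                       # skip legacy_version, random, legacy_session_id
    n = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    info["cipher_suites"] = [rec[i:i + 2].hex() for i in range(p, p + n, 2)]; p += n
    p += 1 + rec[p]                                     # legacy_compression_methods
    ext_len = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    end = p + ext_len
    while p < end:
        t, l = struct.unpack("!HH", rec[p:p + 4]); body = rec[p + 4:p + 4 + l]; p += 4 + l
        if t == SNI:                                    # hostname is readable on the wire (why ECH exists)
            info["sni"] = body[5:5 + struct.unpack("!H", body[3:5])[0]].decode()
        elif t == SUPPORTED_VERSIONS:                   # 1-byte list length, then 2-byte versions
            info["supported_versions"] = [body[i:i + 2].hex() for i in range(1, 1 + body[0], 2)]
        elif t == KEY_SHARE:                            # 2-byte list length, then (group, key_len, key)
            q = 2
            while q < len(body):
                g, kl = struct.unpack("!HH", body[q:q + 4]); info["key_share_groups"].append(hex(g)); q += 4 + kl
        elif t == SIG_ALGS:                             # 2-byte list length, then 2-byte algorithms
            n = struct.unpack("!H", body[:2])[0]
            info["sig_algs"] = [body[i:i + 2].hex() for i in range(2, 2 + n, 2)]
    info["offers_tls13"] = "0304" in info["supported_versions"]
    return info
```

Run against real captures, the same walk is what a network sensor uses to flag clients that never offer TLS 1.3 or that still expose the hostname through a plaintext SNI.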