Key exchange
The key exchange messages, ClientHello and ServerHello, determine the security capabilities of the client and the server and establish shared secrets, including the traffic keys used to protect the rest of the handshake and the application data.
ClientHello
The TLS handshake begins with the client sending a ClientHello message to the server. This message contains the following fields:
Note: TLS messages may contain additional fields than the ones listed here; see the TLS 1.3
specification for full details about TLS messages and their fields.
cipher_suites: This field contains a list of the symmetric cipher options supported by the client, specifically the record protection algorithm (including secret key length) and a hash to be used with Keyed-Hash Message Code (HMAC)-based Extract-and-Expand Key Derivation Function (HKDF).extensions: Extensions facilitates the addition of new features to the TLS protocol with minimal impact to existing clients. Extensions that the ClientHello message may contain, but are not limited to, the following:supported_versions: This extension indicates which versions of TLS the client supports. The ClientHello message must contain this message.status_request: This extension indicates that client wants to use a certificate status protocol; the server may not agree to use it. An example of a certificate status protocol is Online Certificate Status Protocol (OCSP). See Determine X.509 certificate revocation status with OCSP.supported_groups: This extension indicates the named groups that the client supports for key exchange. These named groups include elliptic curve groups (ECDHE) and finite field groups (DHE). The ClientHello message must include this message if it’s using ECDHE or DHE key exchange.key_share: This extension contains a list of cryptographic parameters for key exchange. It contains a field named client_shares that contains this list. Each item in this list contains the following fields:group: The name of the group on which the key exchange cryptographic method is based.key_exchange: Key exchange information, which is determined by the value of the group field.
pre_shared_key: A pre-shared key (PSK) is a shared secret that was previously shared between the two parties using some secure channel before it needs to be used. PSKs can be established in a previous connection and then used to establish a new connection. Once a handshake has completed, the server can send to the client a PSK identity that corresponds to a unique key derived from the initial handshake. See Session resumption with a pre-shared key.cookie: When a server sends a HelloRetryRequest message, it can include this extension to the client. (The server sends a HelloRetryRequest message in response to a ClientHello message if it can find an acceptable set of parameters, but the ClientHello message doesn’t have enough information to proceed with the handshake.) One purpose of this extension is to enable the server to force the client to demonstrate reachability at their apparent network address (which provides some denial-of-service attack (DoS) protection. When the client sends a new ClientHello message, it must copy the contents received in the HelloRetryRequest into a cookie extension in this new ClientHello message.server_name: TLS 1.3 doesn’t provide a mechanism for a client to tell a server the name of the server it is contacting. Clients can use this extension to provide this information to facilitate connections to servers that host multiple virtual servers at a single network address. Note that some servers may require clients to send this extension.
ServerHello
The server responds to the client’s ClientHello message with a ServerHello message if it’s able
to negotiate an acceptable set of handshake parameters. This message contains the following fields:
cipher_suite: This field contains the single cipher suite selected by the server from the list in the ClientHello.cipher_suites field.extensions: This field contains extensions that are required to establish the cryptographic context and negotiate the protocol version. The extensions that the SeverHello may contain include the following:supported_versions: Indicates which version of TLS the server is using. The ServerHello message must contain this extension.key_share: This extension contains a list of cryptographic parameters for key exchange.pre_shared_key: This extension contains the pre-shared key the server agreed to use. See Session resumption with a pre-shared key for information about pre-shared keys.