Record Structure (RFC 8446)

| Field | Value / Size |
|---|---|
| content type | 0x16 |
| version | 0x0303 |
| length | 2 bytes |
| fragment (encrypted payload) | 0..16384 bytes |

| Content Type | Value | Description |
|---|---|---|
| change_cipher_spec | 0x14 | Legacy, rarely used in TLS 1.3 |
| alert | 0x15 | Error or warning messages |
| handshake | 0x16 | Key exchange, authentication |
| application_data | 0x17 | Encrypted application payload |

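A parser for the record header and content types listed above, as an added example that is not part of the original page. The names `parse_records` and `RecordError` and the sample bytes are constructed for illustration; the length bound is the one given above.

```python
import struct

# Content types from the table above.
CONTENT_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}
HEADER_LEN = 5        # content type (1) + version (2) + length (2)
MAX_FRAGMENT = 16384  # bound given above; RFC 8446 lets encrypted records add up to 256 bytes


class RecordError(ValueError):
    """Raised when the stream does not match the record layout."""


def parse_records(stream: bytes, max_fragment: int = MAX_FRAGMENT):
    """Split a byte stream into (type_name, version, fragment) tuples."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < HEADER_LEN:
            raise RecordError(f"truncated header at offset {offset}")
        ctype, version, length = struct.unpack_from("!BHH", stream, offset)
        if ctype not in CONTENT_TYPES:
            raise RecordError(f"content type 0x{ctype:02x} not in table (offset {offset})")
        if length > max_fragment:
            # Reject before reading: the length field is attacker-controlled.
            raise RecordError(f"length {length} exceeds {max_fragment} (offset {offset})")
        start = offset + HEADER_LEN
        fragment = stream[start:start + length]
        if len(fragment) != length:
            raise RecordError(f"truncated fragment at offset {offset}")
        records.append((CONTENT_TYPES[ctype], version, fragment))
        offset = start + length
    return records


# Constructed sample: one handshake record and one application_data record.
SAMPLE = bytes.fromhex("1603030004" "01000000" "1703030003" "aabbcc")

if __name__ == "__main__":
    for name, version, fragment in parse_records(SAMPLE):
        print(f"{name:18} version=0x{version:04x} len={len(fragment)}")
```
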
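Handshake Flow (TLS 1.3)

| Direction | Message | Contents |
|---|---|---|
| Client → Server | ClientHello | random, cipher suites, extensions |
| Server → Client | ServerHello | random, selected cipher, extensions |
| Server → Client | Certificate | server certificate chain |
| Server → Client | CertificateVerify | signature over handshake |
| Server → Client | Finished | server handshake MAC |
| Client → Server | Finished | client handshake MAC |

Key: encrypted messages are written in {braces}.

ClientHello: TLS 1.3, cipher suites, key_share, supported_versions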
ServerHello: selected cipher, key_share
{Certificate}: server cert chain (encrypted)
{Finished}: verify_data (encrypted)
Application Data: encrypted with derived keys

Cipher Suite Structure (TLS 1.3)

TLS_AES_128_GCM_SHA256 = 0x1301

| Component | Role |
|---|---|
| TLS | protocol |
| AES_128 | cipher |
| GCM | mode |
| SHA256 | hash/prf |
| 0x1301 | identifier |

| Cipher Suite (TLS 1.3) | ID | Key Exchange |
|---|---|---|
| TLS_AES_128_GCM_SHA256 | 0x1301 | ECDHE / DHE |
| TLS_AES_256_GCM_SHA384 | 0x1302 | ECDHE / DHE |
| TLS_CHACHA20_POLY1305_SHA256 | 0x1303 | ECDHE / DHE |

Certificate Chain (X.509)

Root CA (self-signed, trusted)
  ↓ signs
Intermediate CA (optional, can be multiple)
  ↓ signs
Server Certificate (end-entity, contains public key)

Subject: CN=example.com
Issuer: CN=Let's Encrypt Authority X3
Validity: Not Before: Dec 01 2025, Not After: Feb 28 2026
Public Key: RSA 2048 bit / EC P-256
Extensions: subjectAltName=DNS:example.com, DNS:www.example.com

TLS Versions (supported_versions)

| Version | Wire Value | Status | Notes |
|---|---|---|---|
| TLS 1.0 | 0x0301 | Deprecated | RFC 8996 prohibits use |
| TLS 1.1 | 0x0302 | Deprecated | RFC 8996 prohibits use |
| TLS 1.2 | 0x0303 | Supported | Still widely used |
| TLS 1.3 | 0x0304 | Current | Default for modern clients |

| Property | TLS 1.2 | TLS 1.3 |
|---|---|---|
| Round trips | 2 RTT | 1 RTT (0-RTT optional) |
| Key exchange | RSA, DHE, ECDHE | ECDHE, DHE only |
| Handshake encryption | None | After ServerHello |
| Static RSA | Allowed | Removed |

Default Ports (IANA)

| Protocol | Port | Description |
|---|---|---|
| HTTPS | 443 | HTTP over TLS |
| SMTPS | 465 | SMTP over TLS (implicit) |
| IMAPS | 993 | IMAP over TLS |
| POP3S | 995 | POP3 over TLS |
| LDAPS | 636 | LDAP over TLS |
| FTPS | 990 | FTP over TLS (implicit) |