TLS 1.2 vs TLS 1.3 Handshake

Comparing handshake efficiency and security improvements

TLS 1.2

2 round trips before application data

Round trip 1
  Client -> Server: ClientHello (offered cipher suites, TLS version, client random)
  Server -> Client: ServerHello (chosen cipher suite, server random)
  Server -> Client: Certificate (server's X.509 certificate chain)
  Server -> Client: ServerKeyExchange (ECDH parameters + signature)
  Server -> Client: ServerHelloDone

Round trip 2
  Client -> Server: ClientKeyExchange (client's ECDH public value)
  Client -> Server: ChangeCipherSpec (switching to encrypted)
  Client -> Server: Finished (verifies handshake integrity)
  Server -> Client: ChangeCipherSpec
  Server -> Client: Finished

Application data
  Client -> Server: HTTP request, encrypted with the session keys

Summary: 2-RTT handshake; the certificate and key-exchange messages are sent in plaintext.

TLS 1.3

1 round trip before application data

Round trip 1
  Client -> Server: ClientHello (offered cipher suites, key_share carrying the client's ECDH public value)
  Server -> Client: ServerHello (chosen cipher suite, server key_share)
  -- everything after ServerHello is encrypted with keys derived from the two key shares --
  Server -> Client: EncryptedExtensions [encrypted]
  Server -> Client: Certificate (server's X.509 certificate chain) [encrypted]
  Server -> Client: CertificateVerify (signature proving possession of the certificate's private key) [encrypted]
  Server -> Client: Finished (handshake MAC) [encrypted]

Application data
  Client -> Server: Finished + HTTP request; the client can send data immediately after the server's Finished

Summary: 1-RTT handshake; server handshake messages are encrypted, and 0-RTT resumption is available.
Feature                      | TLS 1.2                      | TLS 1.3
-----------------------------|------------------------------|----------------------------
Round trips (full handshake) | 2-RTT                        | 1-RTT
Session resumption           | 1-RTT                        | 0-RTT (with caveats)
Handshake encryption         | Plaintext                    | Encrypted after ServerHello
Forward secrecy              | Optional (ECDHE)             | Mandatory
RSA key exchange             | Allowed (no forward secrecy) | Removed
Cipher suites                | ~40 options                  | 5 secure options
Legacy algorithms            | MD5, SHA-1, RC4, DES...      | All removed

TLS 1.3 reduces latency while improving security by removing legacy algorithms and encrypting more of the handshake.
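As an added example (not part of the original infographic), the Python below hand-builds a minimal ClientHello and parses it back, showing that the supported_versions and key_share extensions described in the TLS 1.3 diagram are what distinguish a TLS 1.3 offer from a TLS 1.2-only one on the wire. The extension and group code points are the IANA-registered values; the random and key-share bytes are zero placeholders, so the messages are constructed samples rather than captured traffic.

```python
import struct

TLS12, TLS13 = 0x0303, 0x0304  # IANA code points; sample messages below are constructed
EXT_SUPPORTED_VERSIONS, EXT_KEY_SHARE, X25519 = 0x002B, 0x0033, 0x001D

def build_client_hello(versions, key_shares, ciphers):
    exts = b""
    if versions:  # supported_versions: 1-byte list length + 2-byte versions
        body = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(body)) + body
    if key_shares:  # key_share: 2-byte list length, then group + 2-byte length + public key
        entries = b"".join(struct.pack("!HH", g, len(pub)) + pub for g, pub in key_shares)
        body = struct.pack("!H", len(entries)) + entries
        exts += struct.pack("!HH", EXT_KEY_SHARE, len(body)) + body
    hello = struct.pack("!H", TLS12) + bytes(32) + b"\x00"  # legacy_version, zero random, empty session id
    hello += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    hello += b"\x01\x00"  # compression methods: null only
    hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # HandshakeType client_hello
    return struct.pack("!BHH", 0x16, TLS12, len(handshake)) + handshake  # TLS record header

def parse_client_hello(record):
    # Returns offered versions, key_share groups and cipher suites found in a ClientHello record
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 34 + 1 + body[34]  # skip legacy_version (2), random (32) and legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]  # compression methods
    versions, groups = [], []
    if pos < len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                versions = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
            elif etype == EXT_KEY_SHARE:
                p = 2
                while p < len(data):
                    group, klen = struct.unpack("!HH", data[p:p + 4]); groups.append(group); p += 4 + klen
    if not versions:  # no supported_versions: only legacy_version (TLS 1.2 or lower) is offered
        versions = [struct.unpack("!H", body[:2])[0]]
    return {"versions": versions, "key_share_groups": groups, "ciphers": ciphers}

# Constructed samples: a TLS 1.3-capable hello and a legacy TLS 1.2-only hello
HELLO_13 = build_client_hello([TLS13, TLS12], [(X25519, bytes(32))], [0x1301, 0xC02B])
HELLO_12 = build_client_hello([], [], [0xC02B])
```

For a defender inspecting captured ClientHellos, the absence of both supported_versions and key_share identifies a client that can only negotiate the 2-RTT handshake with the certificate sent in plaintext.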