crypto/tls: reduce session ticket linkability

Ever since session ticket key rotation was introduced in CL 9072, we've
been including a prefix in every ticket to identify what key it's
encrypted with. It's a small privacy gain, but the cost of trial
decryptions is also small, especially since the first key is probably
the most frequently used.

Also reissue tickets on every resumption so that the next connection
can't be linked to all the previous ones. Again the privacy gain is
small but the performance cost is small and it comes with a reduction in
complexity.

For #60105

Change-Id: I852f297162d2b79a3d9bf61f6171e8ce94b2537a
Reviewed-on: https://go-review.googlesource.com/c/go/+/496817
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: Matthew Dempsky <[email protected]>
Run-TryBot: Damien Neil <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

Author: FiloSottile

src/crypto/tls/common.go

@@ -748,10 +748,6 @@ type Config struct {
 }
 
 const (
-	// ticketKeyNameLen is the number of bytes of identifier that is prepended to
-	// an encrypted session ticket in order to identify the key used to encrypt it.
-	ticketKeyNameLen = 16
-
 	// ticketKeyLifetime is how long a ticket key remains valid and can be used to
 	// resume a client connection.
 	ticketKeyLifetime = 7 * 24 * time.Hour // 7 days
@@ -763,9 +759,6 @@ const (
 
 // ticketKey is the internal representation of a session ticket key.
 type ticketKey struct {
-	// keyName is an opaque byte string that serves to identify the session
-	// ticket key. It's exposed as plaintext in every session ticket.
-	keyName [ticketKeyNameLen]byte
 	aesKey  [16]byte
 	hmacKey [16]byte
 	// created is the time at which this ticket key was created. See Config.ticketKeys.
@@ -777,15 +770,18 @@ type ticketKey struct {
 // bytes and this function expands that into sufficient name and key material.
 func (c *Config) ticketKeyFromBytes(b [32]byte) (key ticketKey) {
 	hashed := sha512.Sum512(b[:])
-	copy(key.keyName[:], hashed[:ticketKeyNameLen])
-	copy(key.aesKey[:], hashed[ticketKeyNameLen:ticketKeyNameLen+16])
-	copy(key.hmacKey[:], hashed[ticketKeyNameLen+16:ticketKeyNameLen+32])
+	// The first 16 bytes of the hash used to be exposed on the wire as a ticket
+	// prefix. They MUST NOT be used as a secret. In the future, it would make
+	// sense to use a proper KDF here, like HKDF with a fixed salt.
+	const legacyTicketKeyNameLen = 16
+	copy(key.aesKey[:], hashed[legacyTicketKeyNameLen:])
+	copy(key.hmacKey[:], hashed[legacyTicketKeyNameLen+len(key.aesKey):])
 	key.created = c.time()
 	return key
 }
 
 // maxSessionTicketLifetime is the maximum allowed lifetime of a TLS 1.3 session
-// ticket, and the lifetime we set for tickets we send.
+// ticket, and the lifetime we set for all tickets we send.
 const maxSessionTicketLifetime = 7 * 24 * time.Hour
 
 // Clone returns a shallow clone of c or nil if c is nil. It is safe to clone a Config that is

src/crypto/tls/handshake_client_test.go

@@ -936,21 +936,20 @@ func testResumption(t *testing.T, version uint16) {
 	testResumeState("Handshake", false)
 	ticket := getTicket()
 	testResumeState("Resume", true)
-	if !bytes.Equal(ticket, getTicket()) && version != VersionTLS13 {
-		t.Fatal("first ticket doesn't match ticket after resumption")
-	}
-	if bytes.Equal(ticket, getTicket()) && version == VersionTLS13 {
+	if bytes.Equal(ticket, getTicket()) {
 		t.Fatal("ticket didn't change after resumption")
 	}
 
-	// An old session ticket can resume, but the server will provide a ticket encrypted with a fresh key.
+	// An old session ticket is replaced with a ticket encrypted with a fresh key.
+	ticket = getTicket()
 	serverConfig.Time = func() time.Time { return time.Now().Add(24*time.Hour + time.Minute) }
 	testResumeState("ResumeWithOldTicket", true)
-	if bytes.Equal(ticket[:ticketKeyNameLen], getTicket()[:ticketKeyNameLen]) {
+	if bytes.Equal(ticket, getTicket()) {
 		t.Fatal("old first ticket matches the fresh one")
 	}
 
-	// Now the session tickey key is expired, so a full handshake should occur.
+	// Once the session master secret is expired, a full handshake should occur.
+	ticket = getTicket()
 	serverConfig.Time = func() time.Time { return time.Now().Add(24*8*time.Hour + time.Minute) }
 	testResumeState("ResumeWithExpiredTicket", false)
 	if bytes.Equal(ticket, getTicket()) {

src/crypto/tls/handshake_server.go

@@ -406,16 +406,19 @@ func (hs *serverHandshakeState) checkForResumption() bool {
 		return false
 	}
 
-	plaintext, usedOldKey := c.decryptTicket(hs.clientHello.sessionTicket)
+	plaintext := c.decryptTicket(hs.clientHello.sessionTicket)
 	if plaintext == nil {
 		return false
 	}
-	hs.sessionState = &sessionState{usedOldKey: usedOldKey}
+	hs.sessionState = &sessionState{}
 	ok := hs.sessionState.unmarshal(plaintext)
 	if !ok {
 		return false
 	}
 
+	// TLS 1.2 tickets don't natively have a lifetime, but we want to avoid
+	// re-wrapping the same master secret in different tickets over and over for
+	// too long, weakening forward secrecy.
 	createdAt := time.Unix(int64(hs.sessionState.createdAt), 0)
 	if c.config.time().Sub(createdAt) > maxSessionTicketLifetime {
 		return false
@@ -465,7 +468,10 @@ func (hs *serverHandshakeState) doResumeHandshake() error {
 	// We echo the client's session ID in the ServerHello to let it know
 	// that we're doing a resumption.
 	hs.hello.sessionId = hs.clientHello.sessionId
-	hs.hello.ticketSupported = hs.sessionState.usedOldKey
+	// We always send a new session ticket, even if it wraps the same master
+	// secret and it's potentially encrypted with the same key, to help the
+	// client avoid cross-connection tracking from a network observer.
+	hs.hello.ticketSupported = true
 	hs.finishedHash = newFinishedHash(c.vers, hs.suite)
 	hs.finishedHash.discardHandshakeBuffer()
 	if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil {
@@ -748,9 +754,6 @@ func (hs *serverHandshakeState) readFinished(out []byte) error {
 }
 
 func (hs *serverHandshakeState) sendSessionTicket() error {
-	// ticketSupported is set in a resumption handshake if the
-	// ticket from the client was encrypted with an old session
-	// ticket key and thus a refreshed ticket should be sent.
 	if !hs.hello.ticketSupported {
 		return nil
 	}

src/crypto/tls/handshake_server_tls13.go

@@ -275,7 +275,7 @@ func (hs *serverHandshakeStateTLS13) checkForResumption() error {
 			break
 		}
 
-		plaintext, _ := c.decryptTicket(identity.label)
+		plaintext := c.decryptTicket(identity.label)
 		if plaintext == nil {
 			continue
 		}

src/crypto/tls/testdata/Server-TLSv10-ExportKeyingMaterial

@@ -1,11 +1,10 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 67 01 00 00  63 03 01 41 69 16 b5 d5  |....g...c..Ai...|
-00000010  c2 9d 36 2b 95 8e e5 41  9b 92 82 27 2a cc 4e 6e  |..6+...A...'*.Nn|
-00000020  5d f1 1b 58 49 3c 95 1d  8b 61 35 00 00 04 c0 14  |]..XI<...a5.....|
-00000030  00 ff 01 00 00 36 00 00  00 0e 00 0c 00 00 09 31  |.....6.........1|
-00000040  32 37 2e 30 2e 30 2e 31  00 0b 00 04 03 00 01 02  |27.0.0.1........|
-00000050  00 0a 00 0c 00 0a 00 1d  00 17 00 1e 00 19 00 18  |................|
-00000060  00 23 00 00 00 16 00 00  00 17 00 00              |.#..........|
+00000000  16 03 01 00 55 01 00 00  51 03 01 f5 f3 42 9e 4a  |....U...Q....B.J|
+00000010  f4 5f cc c5 18 d0 77 f2  9f 1a 37 d7 44 6b f5 09  |._....w...7.Dk..|
+00000020  69 ab 8b ee d7 1c 63 8d  95 59 bc 00 00 04 c0 14  |i.....c..Y......|
+00000030  00 ff 01 00 00 24 00 0b  00 04 03 00 01 02 00 0a  |.....$..........|
+00000040  00 0c 00 0a 00 1d 00 17  00 1e 00 19 00 18 00 23  |...............#|
+00000050  00 00 00 16 00 00 00 17  00 00                    |..........|
 >>> Flow 2 (server to client)
 00000000  16 03 01 00 3b 02 00 00  37 03 01 00 00 00 00 00  |....;...7.......|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
@@ -51,43 +50,42 @@
 00000290  d4 db fe 3d 13 60 84 5c  21 d3 3b e9 fa e7 16 03  |...=.`.\!.;.....|
 000002a0  01 00 aa 0c 00 00 a6 03  00 1d 20 2f e5 7d a3 47  |.......... /.}.G|
 000002b0  cd 62 43 15 28 da ac 5f  bb 29 07 30 ff f6 84 af  |.bC.(.._.).0....|
-000002c0  c4 cf c2 ed 90 99 5f 58  cb 3b 74 00 80 c6 ad e2  |......_X.;t.....|
-000002d0  21 0d d7 30 42 da 08 52  d5 46 70 a3 e5 d6 40 ab  |!..0B..R.Fp...@.|
-000002e0  bf 52 f8 da a5 41 86 1d  48 e6 51 91 52 8d 3c 5d  |.R...A..H.Q.R.<]|
-000002f0  ca 36 4c 62 d1 6b c8 48  8c 99 50 89 a9 27 4b 21  |.6Lb.k.H..P..'K!|
-00000300  c9 9d a6 43 34 d2 47 a7  b3 1a 6d 98 b3 7f 37 94  |...C4.G...m...7.|
-00000310  60 ba 88 f1 b7 ed 34 2b  47 f4 80 27 d3 a0 74 6a  |`.....4+G..'..tj|
-00000320  c6 d6 49 e3 8a e5 5d f1  a7 54 8a b4 84 8d a8 6b  |..I...]..T.....k|
-00000330  3b 7a 3f eb 81 77 4b bf  be 1e ac cd aa f9 4b 79  |;z?..wK.......Ky|
-00000340  24 78 6c 67 14 13 ab f8  ad 33 7c 94 38 16 03 01  |$xlg.....3|.8...|
+000002c0  c4 cf c2 ed 90 99 5f 58  cb 3b 74 00 80 3f 8b 3e  |......_X.;t..?.>|
+000002d0  b0 29 ea c2 25 87 26 bb  69 0d b8 52 18 d4 82 19  |.)..%.&.i..R....|
+000002e0  90 3b e9 dc 77 94 61 fe  69 95 9f 50 85 34 c5 dd  |.;..w.a.i..P.4..|
+000002f0  c0 a1 d5 d6 83 e4 e3 ba  8c f7 6e 39 e0 14 94 30  |..........n9...0|
+00000300  34 16 f0 5b c0 32 92 a3  21 8e 21 c8 57 05 16 a3  |4..[.2..!.!.W...|
+00000310  ea 66 0a 29 20 14 32 e2  f6 b2 7f 17 04 dc 8f 1b  |.f.) .2.........|
+00000320  2c 56 50 75 bf 84 c7 11  84 18 a3 05 08 1a 3a e4  |,VPu..........:.|
+00000330  16 ec f2 b5 1f 29 9b 56  8f 5c 9c f2 91 3e 09 5e  |.....).V.\...>.^|
+00000340  c7 59 45 12 37 39 06 c5  11 3c fc ee 49 16 03 01  |.YE.79...<..I...|
 00000350  00 04 0e 00 00 00                                 |......|
 >>> Flow 3 (client to server)
-00000000  16 03 01 00 25 10 00 00  21 20 f5 be 48 cb fb 0d  |....%...! ..H...|
-00000010  69 27 a8 ab 59 c4 9a ac  92 71 46 d1 17 7e 35 67  |i'..Y....qF..~5g|
-00000020  15 b1 ea 9f 53 48 a3 b5  f9 55 14 03 01 00 01 01  |....SH...U......|
-00000030  16 03 01 00 30 e1 79 95  7c ab 01 74 35 39 9b ce  |....0.y.|..t59..|
-00000040  79 5f 15 21 88 fc be fc  46 a9 31 ca 82 07 0c 1f  |y_.!....F.1.....|
-00000050  d8 2f 93 b5 5d 23 bf f9  10 40 bc b5 22 53 df d6  |./..]#...@.."S..|
-00000060  b1 10 b9 16 96                                    |.....|
+00000000  16 03 01 00 25 10 00 00  21 20 a1 f8 df c3 de d5  |....%...! ......|
+00000010  70 2f 18 10 4e 4e 86 18  ae 89 a5 4a 34 81 40 f8  |p/..NN.....J4.@.|
+00000020  9d a6 f4 cf b0 5b b5 43  54 08 14 03 01 00 01 01  |.....[.CT.......|
+00000030  16 03 01 00 30 86 24 e7  70 5c ea 25 e3 65 63 b5  |....0.$.p\.%.ec.|
+00000040  91 de 82 c3 23 ce b1 68  0c b4 a0 f3 ae 5d 46 cd  |....#..h.....]F.|
+00000050  90 ce 4f 4c b0 c7 14 13  60 17 32 b4 fc 2a 0b 49  |..OL....`.2..*.I|
+00000060  8d 0e 3d e8 2a                                    |..=.*|
 >>> Flow 4 (server to client)
-00000000  16 03 01 00 8b 04 00 00  87 00 00 00 00 00 81 50  |...............P|
-00000010  46 ad c1 db a8 38 86 7b  2b bb fd d0 c3 42 3e 00  |F....8.{+....B>.|
-00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 94  |................|
-00000030  6d ec a4 83 51 ed 14 ef  68 ca 42 c5 4c d2 34 08  |m...Q...h.B.L.4.|
-00000040  0b cc b9 32 8f 21 f7 50  c4 e1 28 9b 7d 5e ed de  |...2.!.P..(.}^..|
-00000050  0a df 30 0d 16 34 6b 6d  22 3c d3 c8 b2 99 84 8e  |..0..4km"<......|
-00000060  09 6d 3c 62 d4 0f f6 37  dc 53 ae 72 40 49 38 16  |.m<b...7.S.r@I8.|
-00000070  9c 30 34 bf 6e 34 bb 54  73 33 c0 c9 8c 12 ae bc  |.04.n4.Ts3......|
-00000080  e9 a8 80 23 de d0 e5 d3  46 d8 6a 86 c7 a5 6c 61  |...#....F.j...la|
-00000090  14 03 01 00 01 01 16 03  01 00 30 27 a7 5d e7 93  |..........0'.]..|
-000000a0  54 9a 77 d5 43 aa e3 ec  21 00 fa d4 36 04 c3 82  |T.w.C...!...6...|
-000000b0  b0 b7 f5 b4 19 ce f9 58  0a b4 7f d6 bf 95 43 9d  |.......X......C.|
-000000c0  26 44 46 77 48 cd 77 82  e2 48 51 17 03 01 00 20  |&DFwH.w..HQ.... |
-000000d0  c0 9b b1 d3 9f e6 4f 55  59 17 5a dc e4 2f bc 04  |......OUY.Z../..|
-000000e0  6f eb 4d d9 22 6e 97 20  33 94 d4 91 aa 70 4d ab  |o.M."n. 3....pM.|
-000000f0  17 03 01 00 30 9b 0f 50  a8 95 f5 db 67 96 c2 3e  |....0..P....g..>|
-00000100  46 a7 41 99 d5 e2 ab 60  b1 eb 8d 68 2f 71 30 70  |F.A....`...h/q0p|
-00000110  75 cc b8 50 1a 58 3b 96  d3 5c 99 43 27 4f b1 4a  |u..P.X;..\.C'O.J|
-00000120  c8 8d 5b ab 49 15 03 01  00 20 34 a6 41 25 fd 23  |..[.I.... 4.A%.#|
-00000130  44 6d 60 7f 79 5d 27 23  f7 cb 77 d0 cd 81 c4 67  |Dm`.y]'#..w....g|
-00000140  0e 56 92 60 ac a1 32 a5  0d 94                    |.V.`..2...|
+00000000  16 03 01 00 7b 04 00 00  77 00 00 00 00 00 71 00  |....{...w.....q.|
+00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 94  |................|
+00000020  6d ec a4 83 51 ed 14 ef  68 ca 42 c5 4c fe ae 28  |m...Q...h.B.L..(|
+00000030  76 e9 99 d7 d3 45 dd ff  bd 64 54 a3 a8 bf 69 17  |v....E...dT...i.|
+00000040  28 b5 cb bb 13 1c e8 a8  9c f8 a7 43 81 9d 1d bc  |(..........C....|
+00000050  00 96 83 1d cc da 66 d7  20 e1 52 44 b4 49 38 16  |......f. .RD.I8.|
+00000060  56 c5 9e be 43 6c 3c 82  7a 50 fd d6 e6 00 99 27  |V...Cl<.zP.....'|
+00000070  49 a1 65 7b cb 82 3f 9a  74 17 08 2b fd 7b de db  |I.e{..?.t..+.{..|
+00000080  14 03 01 00 01 01 16 03  01 00 30 eb 9f f3 b2 32  |..........0....2|
+00000090  44 c2 58 ab 22 7f 41 a0  30 84 71 18 7a df 48 6b  |D.X.".A.0.q.z.Hk|
+000000a0  c7 2d 8b 8e 8f 8c 7f 5d  58 7c 2c 61 5d 0d bc ce  |.-.....]X|,a]...|
+000000b0  60 f0 47 b3 e2 86 5a 82  30 26 95 17 03 01 00 20  |`.G...Z.0&..... |
+000000c0  12 3e 23 0a f5 97 2a 6b  bf be f4 82 7b 31 92 9e  |.>#...*k....{1..|
+000000d0  32 c9 1f 4f 8e cc 74 5e  41 da ff 45 68 3c 82 07  |2..O..t^A..Eh<..|
+000000e0  17 03 01 00 30 31 73 bb  fd 8e ba 4d c3 74 14 9b  |....01s....M.t..|
+000000f0  81 c0 69 38 e6 32 86 35  b2 fb 2a af 2c 69 c1 ca  |..i8.2.5..*.,i..|
+00000100  0c 94 35 9a fa 7b ab b4  04 1e 56 6f 59 f9 40 38  |..5..{....VoY.@8|
+00000110  e6 a9 20 96 15 15 03 01  00 20 09 20 d5 0e cd 68  |.. ...... . ...h|
+00000120  79 de ea 6b 0e 84 98 e5  75 64 c4 e8 b1 9f c4 cc  |y..k....ud......|
+00000130  d6 4c b6 be cf 42 78 c6  6a 2e                    |.L...Bx.j.|

src/crypto/tls/testdata/Server-TLSv12-ALPN

@@ -1,7 +1,7 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 9d 01 00 00  99 03 03 53 49 69 68 95  |...........SIih.|
-00000010  b9 7b 2a 84 d2 03 93 d4  33 e7 b7 7e bc b5 97 b0  |.{*.....3..~....|
-00000020  4f 4f 6c d0 96 43 aa c8  6f da 90 00 00 04 cc a8  |OOl..C..o.......|
+00000000  16 03 01 00 9d 01 00 00  99 03 03 38 64 71 8a 57  |...........8dq.W|
+00000010  cb 23 9d ce 7c 41 93 09  c0 a9 47 ca 56 db 97 12  |.#..|A....G.V...|
+00000020  14 c8 8e 3a 5a 56 34 f7  ad a2 90 00 00 04 cc a8  |...:ZV4.........|
 00000030  00 ff 01 00 00 6c 00 0b  00 04 03 00 01 02 00 0a  |.....l..........|
 00000040  00 0c 00 0a 00 1d 00 17  00 1e 00 19 00 18 00 23  |...............#|
 00000050  00 00 00 10 00 10 00 0e  06 70 72 6f 74 6f 32 06  |.........proto2.|
@@ -56,37 +56,36 @@
 000002a0  3d 13 60 84 5c 21 d3 3b  e9 fa e7 16 03 03 00 ac  |=.`.\!.;........|
 000002b0  0c 00 00 a8 03 00 1d 20  2f e5 7d a3 47 cd 62 43  |....... /.}.G.bC|
 000002c0  15 28 da ac 5f bb 29 07  30 ff f6 84 af c4 cf c2  |.(.._.).0.......|
-000002d0  ed 90 99 5f 58 cb 3b 74  08 04 00 80 3b cd 7a 99  |..._X.;t....;.z.|
-000002e0  3f bf 03 5a 26 21 90 db  b4 8d 3b 69 14 82 1c ae  |?..Z&!....;i....|
-000002f0  7d 72 8f 4e eb ff c4 f0  13 fa 6f 69 48 e7 6d 3d  |}r.N......oiH.m=|
-00000300  fc b3 1c 54 60 54 cf 83  48 1d a3 50 55 28 3f 2c  |...T`T..H..PU(?,|
-00000310  db d3 dc c7 d9 58 74 de  eb 5e 21 26 2f 32 c6 b2  |.....Xt..^!&/2..|
-00000320  be 1b 08 fa d6 9f 3b b0  2b e8 c2 36 2f 9d c1 35  |......;.+..6/..5|
-00000330  c1 54 4b 37 5f ff 99 4f  c1 e4 ad 69 a0 c8 52 d3  |.TK7_..O...i..R.|
-00000340  01 23 0d 57 17 08 7c 07  9a 3a 6d c8 87 5d 7e 09  |.#.W..|..:m..]~.|
-00000350  7b 03 f9 5e de 83 4d 13  89 08 72 96 16 03 03 00  |{..^..M...r.....|
+000002d0  ed 90 99 5f 58 cb 3b 74  08 04 00 80 36 d7 55 53  |..._X.;t....6.US|
+000002e0  60 3e 9a ca 01 8e f9 f4  16 d0 66 30 12 29 ae 0d  |`>........f0.)..|
+000002f0  23 f4 73 c6 d2 74 03 79  b5 b9 27 f6 33 e3 35 2e  |#.s..t.y..'.3.5.|
+00000300  8e d8 d0 30 b6 9e cb 96  99 91 d7 3c 3e ec 1f b4  |...0.......<>...|
+00000310  b0 82 04 03 b3 f4 d6 60  38 9e d5 1a 38 fe ac ef  |.......`8...8...|
+00000320  10 e9 02 94 c5 8a b7 cd  69 cd 1d de 4f 61 5e eb  |........i...Oa^.|
+00000330  57 31 e7 de 6d 9a e4 d9  9a 09 c9 3d 3a a6 f1 65  |W1..m......=:..e|
+00000340  95 1a 54 c3 bf 7c a9 22  47 90 d4 09 65 14 54 cc  |..T..|."G...e.T.|
+00000350  05 1f 73 1a e0 b9 9e f9  9a 81 be 91 16 03 03 00  |..s.............|
 00000360  04 0e 00 00 00                                    |.....|
 >>> Flow 3 (client to server)
-00000000  16 03 03 00 25 10 00 00  21 20 fb eb 44 09 0e 62  |....%...! ..D..b|
-00000010  b0 ce d8 1f c5 f9 46 31  1e 1d e8 fb 02 5f 34 3b  |......F1....._4;|
-00000020  c1 6f 9a 38 6a 46 d2 cd  a0 53 14 03 03 00 01 01  |.o.8jF...S......|
-00000030  16 03 03 00 20 88 73 90  39 bc 9b 02 e4 c0 35 f0  |.... .s.9.....5.|
-00000040  ef 40 b0 08 ca b9 bd 25  6b cd 03 7d ec 58 73 65  |.@.....%k..}.Xse|
-00000050  d5 89 f2 f1 70                                    |....p|
+00000000  16 03 03 00 25 10 00 00  21 20 79 2b 97 00 d7 66  |....%...! y+...f|
+00000010  f9 ca 21 3c 1a 2b 60 7a  e1 32 73 2b 7f f7 65 19  |..!<.+`z.2s+..e.|
+00000020  08 ad 52 39 aa a9 8a 0b  9f 44 14 03 03 00 01 01  |..R9.....D......|
+00000030  16 03 03 00 20 6e f1 de  c4 b0 35 42 12 37 f2 e1  |.... n....5B.7..|
+00000040  36 d7 4c 4e 11 98 72 ec  12 6c 2d 5e 11 3b c4 a4  |6.LN..r..l-^.;..|
+00000050  9a 35 d5 5d 1c                                    |.5.].|
 >>> Flow 4 (server to client)
-00000000  16 03 03 00 8b 04 00 00  87 00 00 00 00 00 81 50  |...............P|
-00000010  46 ad c1 db a8 38 86 7b  2b bb fd d0 c3 42 3e 00  |F....8.{+....B>.|
-00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 94  |................|
-00000030  6f e0 18 83 51 ed 14 ef  68 ca 42 c5 4c cd 0b 21  |o...Q...h.B.L..!|
-00000040  a5 29 ef 62 07 a5 11 b9  1f 4e 54 c3 66 4c 1e d3  |.).b.....NT.fL..|
-00000050  1a 00 52 34 67 2b af 73  02 5f c9 6c 7c 6e ba f2  |..R4g+.s._.l|n..|
-00000060  e6 38 bd 23 97 3f 80 6a  3b 8e bb 98 29 49 38 16  |.8.#.?.j;...)I8.|
-00000070  77 74 2a a1 c7 36 80 de  c9 91 cd b2 7d bc 6c 64  |wt*..6......}.ld|
-00000080  6c 06 57 22 d1 f2 51 5f  84 ad 30 85 3a c0 4f e7  |l.W"..Q_..0.:.O.|
-00000090  14 03 03 00 01 01 16 03  03 00 20 32 71 5a d3 94  |.......... 2qZ..|
-000000a0  d5 17 e4 8c 3a 78 d1 48  4e 1b f5 83 36 f1 5a 38  |....:x.HN...6.Z8|
-000000b0  e4 b5 6d ab 46 89 e0 24  74 87 80 17 03 03 00 1d  |..m.F..$t.......|
-000000c0  69 4c a6 24 67 79 18 59  92 4f 9a d0 2d 1d 57 e0  |iL.$gy.Y.O..-.W.|
-000000d0  ec 0c 00 25 6f 2f 3a be  8a aa 80 94 ac 15 03 03  |...%o/:.........|
-000000e0  00 12 ef 86 3e 93 42 bb  72 f1 1b 90 df 9a d3 ed  |....>.B.r.......|
-000000f0  d8 74 35 23                                       |.t5#|
+00000000  16 03 03 00 7b 04 00 00  77 00 00 00 00 00 71 00  |....{...w.....q.|
+00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 94  |................|
+00000020  6f e0 18 83 51 ed 14 ef  68 ca 42 c5 4c 8f d6 48  |o...Q...h.B.L..H|
+00000030  3e 65 16 36 87 11 c3 53  8c 8f 44 1a f5 6e 92 65  |>e.6...S..D..n.e|
+00000040  22 87 99 5f 58 18 48 86  79 d9 36 1e 23 4a 87 42  |".._X.H.y.6.#J.B|
+00000050  18 45 f6 03 2b e5 a5 55  b4 59 62 b4 db 49 38 16  |.E..+..U.Yb..I8.|
+00000060  2d d9 6b d5 66 55 c7 b9  d8 f1 03 6a 78 ea b9 93  |-.k.fU.....jx...|
+00000070  f4 1a 8c d3 79 91 b4 37  42 e9 84 0f ea d1 04 ce  |....y..7B.......|
+00000080  14 03 03 00 01 01 16 03  03 00 20 f4 ff 37 5f 7c  |.......... ..7_||
+00000090  c6 6a b3 31 5f 06 51 62  f2 76 a2 cf da a3 a5 60  |.j.1_.Qb.v.....`|
+000000a0  de 5b 6b bf 0d 03 2e ce  de 9e 90 17 03 03 00 1d  |.[k.............|
+000000b0  7e 9f a9 87 fc e1 e8 84  7a 81 77 70 4a d1 52 cf  |~.......z.wpJ.R.|
+000000c0  ba c2 0b f6 99 2f 99 cb  fb 73 25 c7 1d 15 03 03  |...../...s%.....|
+000000d0  00 12 ac 41 7f af d0 87  25 e3 82 f4 c9 e5 fa ef  |...A....%.......|
+000000e0  d2 89 53 e6                                       |..S.|