Ala Jebnoun

Reputation: 71

Where to find server certificate in a TLS 1.3 handshake capture

I captured with Wireshark a TLSv1.3 handshake established between a client and server that both support TLSv1.3. I know that the certificate is being sent in an encrypted form, but I can't find any field that indicates where the encrypted certificate is. Any help please?

Upvotes: 1

Views: 5218

Answers (1)

Pak Uula

Reputation: 3445

In TLS 1.3 servers send their certificates encrypted.

In TLS 1.3 the client and server exchange keys at the very beginning: the client sends its choice in ClientHello, and the server sends its key_share in ServerHello. Everything after ServerHello is encrypted.

It differs drastically from SSL/TLS prior to TLS 1.3, where key exchange happened AFTER authentication. In SSL and TLS 1-1.2 certificates were sent as plain text.

If you open RFC 8446 on Page 11, you will see the message exchange diagram. Please find the server-side {Certificate*} message. The notation {*} means:

  • asterisk (*) indicates this is an optional message,
  • braces {} indicate "messages protected using keys derived from a [sender]_handshake_traffic_secret".

More formally RFC 8446 section 4.4 specifies:

As discussed in Section 2, TLS generally uses a common set of messages for authentication, key confirmation, and handshake integrity: Certificate, CertificateVerify, and Finished. ... These messages are encrypted under keys derived from the [sender]_handshake_traffic_secret.

Upvotes: 5
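
An added example, not part of the answer above: it goes one step further than the answer and shows the record layer, where RFC 8446 section 5.2 gives every encrypted record the outer content type application_data (23). That is why a capture shows no Certificate field after ServerHello, while a TLS 1.2 capture shows a cleartext handshake record of type 11. The function names and the sample bytes are constructed for illustration.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate"}

def parse_records(stream):
    """Split a TLS byte stream into (content_type, payload) tuples."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header")
        ctype, _legacy_version, length = struct.unpack_from("!BHH", stream, offset)
        payload = stream[offset + 5:offset + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        records.append((ctype, payload))
        offset += 5 + length
    return records

def describe_flight(stream):
    """Return (record type, detail) for each record in a server flight."""
    out = []
    for ctype, payload in parse_records(stream):
        name = CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype)
        if ctype == 22 and payload:
            # Cleartext handshake record: first byte is the handshake type.
            # (Only the first message in the record is inspected here.)
            detail = HANDSHAKE_TYPES.get(payload[0], "type %d" % payload[0])
        elif ctype == 23:
            # Opaque ciphertext; the real content type is hidden inside it.
            detail = "encrypted, %d bytes" % len(payload)
        else:
            detail = None
        out.append((name, detail))
    return out

def record(ctype, payload):
    """Build one constructed record with legacy_record_version 0x0303."""
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

# Constructed sample bytes (not a real capture); bodies are dummy filler.
TLS13_FLIGHT = (record(22, b"\x02\x00\x00\x20" + bytes(32))    # ServerHello
                + record(20, b"\x01")                          # compat CCS
                + record(23, bytes(range(64))))                # {Certificate*} etc.
TLS12_FLIGHT = (record(22, b"\x02\x00\x00\x20" + bytes(32))    # ServerHello
                + record(22, b"\x0b\x00\x00\x10" + bytes(16))) # Certificate

if __name__ == "__main__":
    for label, flight in (("TLS 1.3", TLS13_FLIGHT), ("TLS 1.2", TLS12_FLIGHT)):
        print(label, describe_flight(flight))
```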
