Devii · Backend · 2026-04-18 · 8 min read
TLS 1.3 Handshake: Fewer Round Trips, Forward Secrecy, And AEAD
RFC 8446 changes in plain language: what encrypts when, and why older cipher suites disappeared.
**TLS 1.3** is defined in RFC 8446. It removes obsolete algorithms (no RSA key transport for handshake secrets, no static DH ciphersuites) and aims for a **1-RTT** full handshake in common cases, with **0-RTT** optional early data that must be used carefully (replay risk).
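Handshake messages after the ServerHello are encrypted in TLS 1.3, whereas TLS 1.2 sends most of the handshake, including the server certificate, in cleartext. **Forward secrecy** comes from the ephemeral Diffie-Hellman key exchange, so compromise of a long-term key does not decrypt past sessions.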
Application data uses **AEAD** ciphers (AES-GCM, ChaCha20-Poly1305). Certificate validation still depends on PKI trust stores and correct hostname verification in your HTTP client or library.
Operational tip: use tools like `openssl s_client` and SSL Labs tests against staging endpoints. Disable TLS 1.0/1.1 everywhere; they are deprecated in practice.
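The client-side half of these checks can be automated. The following is an added example, not code from the original article: it audits a Python `ssl.SSLContext` for the version floor and certificate/hostname verification discussed above, and shows a weak context beside a hardened one. The function names and the `FLOOR` constant are hypothetical, and the hardened context assumes every peer supports TLS 1.3.

```python
import ssl

FLOOR = ssl.TLSVersion.TLSv1_2  # article's guidance: TLS 1.0/1.1 disabled


def audit_client_context(ctx):
    """Return a list of findings for a client SSLContext; empty means it passes."""
    findings = []
    # MINIMUM_SUPPORTED is a negative sentinel, so it also compares below FLOOR.
    # Limitation: versions disabled only via legacy OP_NO_* options are not detected.
    if ctx.minimum_version < FLOOR:
        findings.append(f"minimum_version={ctx.minimum_version.name}: TLS 1.0/1.1 not ruled out")
    cap = ctx.maximum_version
    if cap != ssl.TLSVersion.MAXIMUM_SUPPORTED and cap < ssl.TLSVersion.TLSv1_3:
        findings.append(f"maximum_version={cap.name}: TLS 1.3 cannot be negotiated")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode: certificate chain is not required to validate")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: a trusted certificate for another host is accepted")
    return findings


def weak_context():
    """Constructed anti-pattern: the 'make the error go away' client config."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context():
    """System trust store, hostname checks on, TLS 1.3 as the minimum."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit_client_context(ctx) or "OK")
```

Run the audit in CI against whatever context factory your HTTP client uses, so a debugging shortcut such as `CERT_NONE` cannot ship unnoticed.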