Technical Deep-Dives

TLS 1.2 Deep Dive: Complete Handshake Breakdown

TLS 1.2 handshake process, key derivation, certificate trust model, and Wireshark packet analysis explained for security professionals.

RG&T
Rathnakara GN & Theertha
Cybersecify
9 min read

Article 2 of 6: Understanding TLS Security Series

TLS 1.2 (standardized in August 2008 via RFC 5246) uses a 2-RTT handshake, transmits the server certificate in plaintext, supports 37+ cipher suites including several weak legacy options, and makes forward secrecy optional (requires ECDHE cipher suite selection). It remains deployed as a fallback for legacy clients. By 2026, TLS 1.3 handles 90%+ of modern connections; keep TLS 1.2 enabled only for compatibility with older clients, always prefer TLS 1.3, and configure ECDHE-only cipher suites with AEAD modes (AES-GCM, ChaCha20-Poly1305). This deep dive walks the handshake, key derivation, certificate trust model, and Wireshark packet analysis.

Key findings

  • TLS 1.2 handshake is 2-RTT. Client Hello and Server Hello, then Certificate, Server Key Exchange, Client Key Exchange, Change Cipher Spec, and Finished. Two full round trips before application data flows. TLS 1.3 reduces this to 1-RTT.
  • The certificate is transmitted in plaintext. Any network observer sees which site you are connecting to. This is the privacy gap TLS 1.3 closes by encrypting the handshake.
  • Forward secrecy is optional in TLS 1.2. RSA key exchange (no forward secrecy) is still permitted by the spec. ECDHE cipher suites are required to guarantee forward secrecy. Configure server cipher preference to ECDHE-only.
  • Key derivation uses PRF with HMAC-SHA256. Pre-Master Secret combines with ClientRandom and ServerRandom to derive the Master Secret, which expands into the key block (MAC keys, encryption keys, IVs).
  • CBC mode cipher suites are vulnerable to padding oracle attacks (BEAST, Lucky13, POODLE downgrade). AEAD modes (AES-GCM, ChaCha20-Poly1305) are the only safe choice.
  • Certificate Transparency mitigates rogue CA issuance (DigiNotar 2011, Symantec 2017). Every publicly trusted certificate issued since 2018 must appear in CT logs.
  • Wireshark filter tls.handshake.type == 11 isolates Certificate messages for inspection. Self-signed certificates show Issuer = Subject; CA-issued certificates show the full chain.

Cybersecify is a founder-led penetration testing and security consulting firm based in Bengaluru, India, serving AI-first and API-first SaaS startups. We validate TLS configuration during pentest scoping, including protocol version enforcement, cipher suite hygiene, certificate chain completeness, and OCSP stapling posture. For an example of the pentest deliverable that documents these findings, see our SOC 2 + ISO 27001 ready pentest report sample.

In the previous article, we covered cryptographic primitives. Now we examine how TLS 1.2 combines these building blocks to establish secure connections.

TLS 1.2, standardized in August 2008 (RFC 5246), remains deployed as a fallback for legacy clients. This article provides a complete breakdown of the handshake, key derivation, certificate trust model, and Wireshark analysis.

2026 Update: TLS 1.2 is now legacy fallback only. TLS 1.3 handles 90%+ of connections on modern infrastructure. Keep TLS 1.2 enabled only for compatibility with older clients, and always prefer TLS 1.3.

TLS 1.2 Overview

PropertyTLS 1.2
RFCRFC 5246 (August 2008)
Handshake2-RTT (two round trips)
Forward SecrecyOptional (requires ECDHE cipher suites)
Certificate PrivacyNO - transmitted in plaintext
Key DerivationPRF (Pseudo Random Function) with HMAC-SHA256
Cipher Suites37+ available (many weak/legacy)

1. TLS 1.2 Handshake (2-RTT)

Theory: How It Works

The TLS 1.2 handshake is a 2-RTT process that negotiates cryptographic parameters, authenticates the server, and derives shared session keys.

CLIENT                                          SERVER
  |                                               |
  |  1. Client Hello                              |
  |  ──────────────────────────────────────────►   |
  |  TLS versions, cipher suites, client random   |
  |                                               |
  |                          2. Server Hello      |
  |  ◄──────────────────────────────────────────   |
  |  Selected version, cipher, server random      |
  |                                               |
  |            3. Certificate (PLAINTEXT!)         |
  |  ◄──────────────────────────────────────────   |
  |  X.509 chain - VISIBLE to observers!          |
  |                                               |
  |            4. Server Key Exchange              |
  |  ◄──────────────────────────────────────────   |
  |  ECDHE public key (signed by cert)            |
  |                                               |
  |            5. Server Hello Done               |
  |  ◄──────────────────────────────────────────   |
  |                                               |
  |  6. Client Key Exchange                       |
  |  ──────────────────────────────────────────►   |
  |  Client ECDHE public key                      |
  |                                               |
  |  ═══════ ENCRYPTION STARTS ═══════            |
  |                                               |
  |  7. Change Cipher Spec + Finished             |
  |  ──────────────────────────────────────────►   |
  |  Encrypted with session keys                  |
  |                                               |
  |  8. Change Cipher Spec + Finished             |
  |  ◄──────────────────────────────────────────   |
  |  Handshake complete                           |
  |                                               |
  |  Application Data (Encrypted)                 |
  |  ◄────────────────────────────────────────►   |

              Total: 2 Round Trips (2-RTT)

Handshake Steps Explained:

  1. Client Hello: Client sends supported TLS versions, cipher suites (in preference order), 32-byte random, session ID, and extensions (SNI, ALPN, supported curves)
  2. Server Hello: Server selects TLS version and cipher suite, sends 32-byte server random and session ID
  3. Certificate: Server sends X.509 certificate chain IN PLAINTEXT. This is a major privacy issue. Any observer can see which site you are connecting to
  4. Server Key Exchange: For ECDHE, server sends ephemeral public key signed with certificate private key
  5. Server Hello Done: Signals server has finished its part
  6. Client Key Exchange: Client sends its ECDHE public key. Both can now compute Pre-Master Secret
  7. Change Cipher Spec + Finished: Both signal switch to encrypted mode and send encrypted verification

Practical: Real-World Implementation

Capture TLS 1.2 Handshake with OpenSSL:

# Connect and show handshake details
openssl s_client -connect example.com:443 -tls1_2 -state -debug

# Show certificate chain
openssl s_client -connect example.com:443 -showcerts

# Show negotiated cipher suite
openssl s_client -connect example.com:443 -tls1_2 | grep 'Cipher'

Wireshark Filters:

FilterShows
tls.handshakeAll handshake messages
tls.handshake.type == 1Client Hello only
tls.handshake.type == 2Server Hello only
tls.handshake.type == 11Certificate message
tls.handshake.type == 12Server Key Exchange
tls.handshake.type == 16Client Key Exchange

Reality: Security Risks

RiskImpactMitigation
Plaintext CertificatePassive observer sees which site you visitUse TLS 1.3 (encrypted cert)
Downgrade AttackMITM forces weak cipher/versionTLS_FALLBACK_SCSV, disable old versions
Weak Cipher SelectionServer picks vulnerable cipherConfigure server cipher preference
RSA Key ExchangeNo forward secrecy, past traffic exposedUse only ECDHE cipher suites
Session ResumptionSession tickets can be stolenRotate session ticket keys frequently

2. Key Derivation

Theory: How It Works

TLS 1.2 derives encryption keys using a PRF (Pseudo Random Function) based on HMAC-SHA256.

Key Derivation Process:

  1. Pre-Master Secret: Computed from ECDHE key exchange (or RSA encrypted)
  2. Master Secret: PRF(pre_master_secret, "master secret", ClientRandom + ServerRandom)
  3. Key Block: PRF(master_secret, "key expansion", ServerRandom + ClientRandom)

Key Block Contains:

  • client_write_MAC_key / server_write_MAC_key (integrity)
  • client_write_key / server_write_key (encryption)
  • client_write_IV / server_write_IV (initialization vectors)

Practical: Real-World Implementation

PRF Formula:

master_secret = PRF(pre_master_secret, "master secret",
                     ClientHello.random + ServerHello.random)[0..47]

Decrypt TLS with Wireshark (for debugging):

# Set SSLKEYLOGFILE environment variable
export SSLKEYLOGFILE=/tmp/keys.log

# In Wireshark: Edit > Preferences > Protocols > TLS
# Set (Pre)-Master-Secret log filename to /tmp/keys.log

Reality: Security Risks

RiskImpactMitigation
RSA Pre-MasterIf RSA key stolen, decrypt all past sessionsUse ECDHE (ephemeral keys)
Weak RandomPredictable random = predictable keysUse cryptographic RNG (e.g., /dev/urandom)
Key LoggingSSLKEYLOGFILE exposes all session keysDisable in production, audit access

3. Certificate Trust Model

Theory: How It Works

X.509 certificates bind a public key to an identity (domain name). The trust model uses a hierarchy of Certificate Authorities (CAs).

Certificate Chain (3 Levels):

  1. Root CA Certificate: Self-signed, pre-installed in browsers/OS trust store
  2. Intermediate CA Certificate: Signed by Root CA, signs server certificates
  3. Server (Leaf) Certificate: Contains server public key, domain name, validity period

Certificate Validation Steps:

  1. Verify signature chain up to trusted root
  2. Check certificate not expired (validity period)
  3. Verify domain name matches (CN or SAN)
  4. Check revocation status (CRL or OCSP)

Practical: Real-World Implementation

Certificate Types:

TypeValidationUse Case
Self-SignedNone (Issuer = Subject)Testing, dev only
DVDomain ownership (HTTP/DNS challenge)Basic websites
OVOrganization identity verifiedBusiness sites
EVExtended verification of legal entityBanks, e-commerce

OpenSSL Certificate Commands:

# View certificate details
openssl x509 -in cert.pem -text -noout

# Verify certificate chain
openssl verify -CAfile ca-bundle.crt cert.pem

# Check certificate expiry
openssl x509 -in cert.pem -noout -dates

# Generate self-signed certificate (testing only)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

Reality: Certificate Attacks

RiskReal IncidentDefense
Rogue CADigiNotar 2011, fake Google certsCertificate Transparency (CT)
CA CompromiseComodo 2011, fraudulent certs issuedCAA DNS records, CT monitoring
Misissued CertSymantec 2017, trust removedCT logs, browser policies
Expired CertEricsson 2018, 32M users offlineAutomated renewal (Let’s Encrypt)
Self-Signed ProdUsers trained to click through warningsNever use self-signed in production

4. Wireshark Packet Analysis

TLS 1.2 with Self-Signed Certificate

When analyzing a TLS 1.2 connection with a self-signed certificate in Wireshark:

  • Wireshark Filter: tls.handshake.type == 11
  • Visible Packets: Client Hello, Server Hello, Certificate, Server Key Exchange, Client Key Exchange, Finished
  • Certificate Details: Issuer = Subject (self-signed indicator), no CA chain, full cert visible in plaintext
  • Browser Behavior: Security warning: “Your connection is not private” (NET::ERR_CERT_AUTHORITY_INVALID)

Key Observations:

  • Expand the Certificate packet to show Issuer = Subject
  • Full certificate details are readable by any network observer
  • Negotiated cipher visible (e.g., TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
  • Encrypted communication but NO identity verification

TLS 1.2 with CA-Issued Certificate

  • Wireshark Filter: tls.handshake.type == 11
  • Visible Packets: Client Hello, Server Hello, Certificate (with chain), Server Key Exchange, Finished
  • Certificate Details: Full chain visible: Server Cert → R3 (Intermediate) → ISRG Root X1
  • Browser Behavior: Padlock icon, no warnings. Trusted connection

Key Observations:

  • Issuer field shows trusted CA (e.g., “CN=R3, O=Let’s Encrypt”)
  • Subject field shows actual domain
  • Certificate chain transmitted IN PLAINTEXT (privacy concern)

5. TLS 1.2 Security Considerations

LimitationImpact
Certificate in plaintextPassive observers see which site you visit
Forward secrecy optionalMust explicitly choose ECDHE cipher suites
Legacy cipher supportRC4, 3DES, CBC modes still available
2-RTT handshakeHigher latency than TLS 1.3
Complex cipher negotiation37+ cipher suites, misconfiguration risk

6. Best Practices for TLS 1.2 Deployment

  • Use only ECDHE cipher suites for forward secrecy
  • Disable RSA key exchange entirely
  • Use only AEAD ciphers (AES-GCM, ChaCha20-Poly1305)
  • Disable CBC mode (padding oracle vulnerabilities)
  • Use strong key sizes (RSA 2048+, ECDSA P-256+)
  • Enable HSTS to prevent downgrade attacks
  • Enable OCSP Stapling for efficient revocation checking
  • Plan migration to TLS 1.3 where client compatibility allows

Key Takeaways

  • TLS 1.2 uses 2-RTT handshake, slower than TLS 1.3
  • Certificate is transmitted in PLAINTEXT, a privacy concern
  • Forward secrecy requires ECDHE and is not automatic
  • Key derivation uses PRF with HMAC-SHA256
  • Disable CBC, RSA key exchange, and legacy ciphers
  • Use CA-issued certificates, never self-signed in production

Previous: Article 1: Cryptography Fundamentals

Next: Article 3: TLS 1.3: The Modern Standard

This is part of our 6-article series on Understanding TLS Security.

We test TLS configuration as part of every Web Application Pentest and IoT Pentest. Weak ciphers, protocol downgrade risks, and certificate issues are caught during our assessment. Get a free security snapshot or view pricing.

Related: TLS 1.3: The Modern Standard, MITM Attacks: How to Detect and Stop Them in 2026, SOC 2 + ISO 27001 ready pentest report sample.

Frequently Asked Questions

Is TLS 1.2 still secure to use?

TLS 1.2 is still supported but should only be used as a legacy fallback for older clients. It requires careful cipher suite configuration to remain secure, specifically ECDHE key exchange for forward secrecy and AEAD cipher modes. TLS 1.3 is the recommended default for all new deployments.

What is the difference between the TLS 1.2 and TLS 1.3 handshake?

TLS 1.2 requires two round trips (2-RTT) to establish a secure connection, sends certificates in plaintext visible to network observers, and supports over 37 cipher suites including many weak ones. TLS 1.3 completes in one round trip (1-RTT), encrypts the entire handshake, and only allows strong cipher suites by design.

How many round trips does the TLS 1.2 handshake require?

TLS 1.2 needs a full 2-RTT (two round trips) to complete a handshake before any application data can flow. The flow is: Client Hello, then Server Hello plus Certificate plus Server Key Exchange plus Server Hello Done, then Client Key Exchange plus Change Cipher Spec plus Finished, then Server Change Cipher Spec plus Finished. Two complete round trips before the first HTTP byte. TLS 1.3 cuts this to 1-RTT by sending the client key share speculatively in the first message, with 0-RTT possible on session resumption. For a user 200ms from the server, 2-RTT is 400ms of pure protocol latency on top of TCP setup. This is one of the practical reasons TLS 1.3 adoption accelerates page load on mobile and high-latency networks.

What cipher suites should I configure on TLS 1.2?

ECDHE key exchange only (for forward secrecy), AEAD cipher modes only (AES-GCM or ChaCha20-Poly1305), and SHA-256 or stronger MAC. Specifically: ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256. Disable everything else. Specifically remove RSA key exchange (no forward secrecy), CBC mode ciphers (POODLE, Lucky13, BEAST padding-oracle attacks), 3DES (Sweet32 birthday attack), RC4 (broken since 2013), MD5 and SHA-1 in signatures, and all export-grade ciphers (Logjam, FREAK). Mozilla SSL Configuration Generator Modern profile gives current copy-paste configs for Nginx, Apache, HAProxy.

Is RSA key exchange in TLS 1.2 still safe to use?

No. RSA key exchange in TLS 1.2 has no forward secrecy. The client encrypts the pre-master secret with the server's RSA public key. Anyone who captures the encrypted traffic today and later compromises the server's RSA private key can decrypt all past sessions. This is the harvest-now-decrypt-later attack pattern. ECDHE key exchange does not have this property: each session uses ephemeral keys that are not stored anywhere, so future key compromise does not decrypt past traffic. Configure your server to disable RSA key exchange in TLS 1.2 entirely. Use ECDHE-only cipher suites. TLS 1.3 removed RSA key exchange completely, which is one of the structural reasons it is considered stronger.

What is the PRF in TLS 1.2 and how does it work?

PRF stands for Pseudo-Random Function. In TLS 1.2 it is HMAC-based (typically HMAC-SHA256, sometimes HMAC-SHA384 for stronger cipher suites). The PRF derives the Master Secret from the Pre-Master Secret combined with the Client Random and Server Random values exchanged during the handshake. The Master Secret then expands into the key block (MAC keys, encryption keys, IVs for both directions). TLS 1.3 replaced PRF with HKDF (HMAC-based Key Derivation Function, RFC 5869), which uses a three-stage key schedule (Extract then Expand) and has been formally verified. The PRF in TLS 1.2 is considered safe when used with SHA-256 or stronger but lacks the clean cryptographic separation HKDF provides.

Why is the certificate visible in plaintext during the TLS 1.2 handshake?

Because the TLS 1.2 handshake was designed before encryption-of-handshake-data was considered a privacy requirement. The Server Hello and Certificate messages travel in cleartext, which means any network observer (ISP, transit provider, surveillance system) can see exactly which website you are connecting to, the certificate chain, the cipher suite chosen, and the server's identity. TLS 1.3 fixed this by encrypting the entire handshake after the initial key exchange. The certificate, the cipher selected, and most extensions are sent under encryption. Encrypted Client Hello (ECH) further hides the SNI hostname in the very first message. For SaaS startups concerned about traffic analysis or geographic censorship, TLS 1.3 plus ECH is the upgrade path.

What is Certificate Transparency and why does it matter for TLS 1.2?

Certificate Transparency (CT, RFC 6962) is a public log system that records every certificate issued by trusted certificate authorities. Browsers refuse to trust certificates issued after 2018 that do not appear in CT logs. This mitigates rogue CA issuance (DigiNotar 2011, Symantec 2017 distrust) by making mis-issuance publicly auditable. For TLS 1.2 deployments, ensure your CA submits to CT logs by default (Let's Encrypt, DigiCert, Sectigo all do). Monitor your own domain in CT logs (crt.sh, Censys) to detect unauthorised certificate issuance for your domain. CT is a defence-in-depth layer that works the same for TLS 1.2 and TLS 1.3 connections.

How do I inspect a TLS 1.2 handshake with Wireshark?

Capture traffic on the relevant interface, filter with `tls` or `tcp.port == 443`, locate the handshake messages by type. Filter `tls.handshake.type == 1` for Client Hello, `tls.handshake.type == 2` for Server Hello, `tls.handshake.type == 11` for Certificate, `tls.handshake.type == 16` for Client Key Exchange. To decrypt session data, set SSLKEYLOGFILE environment variable in the browser to capture session keys, then in Wireshark go to Edit then Preferences then Protocols then TLS and point Pre-Master-Secret log filename at the captured file. For server-side decryption with RSA key exchange you can use the server's private key directly (only works for RSA key exchange, not ECDHE because no key material is exchanged that the private key can derive).

Should I disable TLS 1.2 entirely if my clients support TLS 1.3?

If 99 percent or more of your client traffic is TLS 1.3, yes. Disable TLS 1.2 to reduce attack surface (no downgrade attacks, no weak cipher negotiation, no CBC oracle vectors). Measure your TLS version distribution from your load balancer or CDN logs before disabling. Cloudflare, AWS ALB, and Nginx all expose per-connection TLS version metrics. For consumer SaaS with modern browser users only, TLS 1.3-only is safe. For B2B SaaS with enterprise customers running older corporate proxies or middleboxes, keep TLS 1.2 enabled with hardened cipher suites (ECDHE plus AEAD only). For IoT and embedded device APIs, TLS 1.2 is often still required.

Got a question or counter-take?

Email contact@cybersecify.com, WhatsApp +91 9986 998 333, or DM Rathnakara GN on LinkedIn.

Share this article
TLSTLS 1.2handshakecertificatesX.509key derivationWireshark