EncryptedExtensions (TLS 1.3) in all TLS Handshakes, the server MUST send the EncryptedExtensions message immediately after the ServerHello message.

This is the first message that is encrypted under keys derived from the server_handshake_traffic_secret.

The EncryptedExtensions message contains TLS extensions that can be protected, i.e., any which are not needed to establish the cryptographic context, but which are not associated with individual certificates. The client MUST check EncryptedExtensions for the presence of any forbidden TLS extensions and if any are found MUST abort the TLS Handshake with an illegal_parameter TLS Alert Message.

Structure of the EncryptedExtensions message:

struct {
    Extension extensions<0..2^16-1>;
} EncryptedExtensions;

More Information#

There might be more information for this subject on one of the following: