TLS 1.2 vs TLS 1.3 Handshake
Comparing handshake efficiency and security improvements
Laurent Goudet · January 20, 2026 · 4 min read
TLS 1.2
⏳ Client waited to learn which key exchange to use
TLS 1.3
🔑 Client’s ECDH key sent upfront (X25519/P-256)
🔒 Encrypted from here
| Feature | TLS 1.2 | TLS 1.3 |
|---|---|---|
| Round trips (full handshake) | 2-RTT | 1-RTT |
| Client key exchange | Waits for server's choice | Sent speculatively via key_share |
| Session resumption | 1-RTT | 0-RTT (with caveats) |
| Handshake encryption | ✗ Plaintext | ✓ After ServerHello |
| Forward secrecy | Optional (ECDHE) | ✓ Mandatory |
| RSA key exchange | ✗ Allowed (no PFS) | ✓ Removed |
| Cipher suites | ~40 options | 5 secure options |
| Legacy algorithms | MD5, SHA-1, RC4, DES... | All removed |
🔒
TLS 1.2: The client must wait to see which key exchange algorithm (RSA, DHE, ECDHE) and which curve the server selects before it can send its key. This forces a second round trip.
TLS 1.3: The client sends its key_share
speculatively in the first message, typically for X25519 or P-256. Since
TLS 1.3 removed RSA key exchange and reduced cipher suites from ~40 to 5,
these guesses almost always work.
What if the server doesn’t support the offered curves?
The server sends a HelloRetryRequest asking for a different
key share, falling back to 2-RTT. This happens in <1% of connections
since X25519/P-256 are nearly universal.
Real-World Deployment
Browser support. All modern browsers have supported TLS 1.3 since 2018-2019 (Chrome 70, Firefox 63, Safari 12.1, Edge 79). As of 2026, TLS 1.3 accounts for the majority of HTTPS connections on the public internet. The transition happened faster than any previous TLS version because the performance benefit (one fewer round trip) gave both clients and servers an incentive to upgrade.
The TLS 1.2 long tail. Despite broad TLS 1.3 adoption, TLS 1.2 remains necessary in several contexts. PCI DSS compliance environments often mandate specific cipher suites that map to TLS 1.2 configurations. Enterprise environments with legacy hardware (load balancers, HSMs, IoT gateways) may not support TLS 1.3. The practical advice: configure both TLS 1.2 and 1.3, prefer 1.3, and monitor which version clients actually negotiate.
Planning deprecation. TLS 1.0 and 1.1 are already deprecated (RFC 8996, March 2021). TLS 1.2 deprecation is not imminent but is on the horizon. Track your negotiation logs — if fewer than 1% of clients need TLS 1.2, you can safely require 1.3 and reduce your attack surface. Cloudflare, AWS, and GCP all offer configuration to set minimum TLS versions per endpoint.
TLS 1.3 reduces latency while improving security by removing legacy algorithms and encrypting more of the handshake.
Frequently Asked Questions
How many round trips does TLS 1.3 need vs TLS 1.2?
TLS 1.3 needs 1 round trip (1-RTT) for a full handshake vs 2 round trips (2-RTT) for TLS 1.2. TLS 1.3 also supports 0-RTT session resumption.
Why is TLS 1.3 faster than TLS 1.2?
TLS 1.3 sends the client's key share speculatively in ClientHello, eliminating the extra round trip TLS 1.2 requires to negotiate the key exchange algorithm.
Is TLS 1.3 more secure than TLS 1.2?
Yes. TLS 1.3 removes all legacy algorithms (MD5, SHA-1, RC4, DES), mandates forward secrecy, removes RSA key exchange, and encrypts more of the handshake.
What is 0-RTT in TLS 1.3 and what are the risks?
0-RTT allows clients to send encrypted application data in the very first message when resuming a previous session, using pre-shared keys. The risk is replay attacks: 0-RTT data is not protected by the server's random value, so an attacker can capture and resend it. Servers must only accept 0-RTT for idempotent requests (GET, not POST) and should use single-use session tickets to limit replay windows.
Other deep-dives
TLS vs mTLS Handshake
Comparing standard and mutual TLS authentication flows
Network EngineeringIPv6-Only Network with NAT64/464XLAT
Running an IPv6-only local network while maintaining IPv4 internet connectivity
CDN EngineeringThe Fastly VCL == false Trap
How using == false instead of ! in Fastly VCL compound conditions can silently break your logic
AI & IndustrySomething Big Is Happening — But It's Not What You Think
Why AI is an abstraction layer shift, not an extinction event — a practitioner's response to the viral AI essay
AI & IndustryAI Agent Orchestration at Scale — What Actually Works in Production
Patterns and hard lessons from running multi-agent systems at 80M+ user scale: routing, fallback chains, context management, and why most agent architectures fail.
Network SecurityDNSSEC: Chain of Trust from Root to This Domain
How DNSSEC builds a cryptographic chain of trust from the DNS root to this zone — with Pulumi setup and live dig verification
Network SecurityRolling Out DMARC Enforcement at Scale
A practical guide to deploying DMARC across a large platform — SPF, DKIM, and alignment fixes across AWS SES, Google Workspace, Postfix relays, and dozens of domains
Cloud SecurityYour Google Maps API Key Can Now Drain Your Bank Account
Google silently changed API key permissions so that keys meant for Maps can now call Gemini AI. Here's how to audit your GCP projects and lock down exposed keys before someone else finds them.