TLS 1.3: build and break a hardened endpoint

Stand up a hardened TLS 1.3 endpoint (Nginx, Caddy, or a Go/Node server), capture and dissect cold, resumed, and 0-RTT handshakes, prove that a replayed 0-RTT mutation is contained, and surface the TLS health metrics — proving each claim with a capture, a log line, or a metric, not assertion.

• Serve one HTTPS endpoint over TLS 1.3 only, with a full certificate chain (leaf plus intermediate) and an ECDSA P-256 leaf. Verify with openssl s_client that the chain validates to a trusted root (verify return code 0).
• Capture a cold handshake with tshark/Wireshark (keylog via SSLKEYLOGFILE so you can decrypt). Identify in the capture: the ClientHello key_share groups, the chosen cipher suite, that Certificate and CertificateVerify are encrypted, and confirm the exchange is exactly one RTT.
• Enable session tickets and capture a warm PSK-resumption handshake. Show in the decrypted capture that no Certificate message is sent on resumption, and confirm the pre_shared_key extension is present in the second ClientHello.
• Enable 0-RTT early data. Issue an idempotent GET in early data and confirm it is accepted (Early-Data: 1 reaches the app); then attempt a POST to a mutating route in early data and show the server returns 425 Too Early.
• Demonstrate a 0-RTT replay: capture a 0-RTT ClientHello and resend it (e.g. replay the raw bytes). Show the second attempt is rejected by your anti-replay defense — ticket-age window or single-use cache — and that the mutating route never executed twice.
• Rotate the session-ticket encryption key (STEK) without dropping resumption: rotate the key, keep the previous key for decryption-only, and show that tickets issued just before rotation still resume.
• Expose or log four TLS metrics: handshake duration (p95), resumption ratio (resumed / total), early-data outcomes (accepted / rejected), and negotiated cipher-suite / version distribution.

• A decrypted handshake capture (or annotated screenshots) for all three modes — cold 1-RTT, warm PSK resumption, and 0-RTT — with the distinguishing message in each clearly called out.
• Evidence that an idempotent 0-RTT GET is accepted while a mutating 0-RTT POST returns 425 Too Early, and that a replayed 0-RTT request is rejected by the anti-replay layer — shown by logs or captures, not described.
• A before/after of an STEK rotation showing resumption ratio holding through the rotation because the old key was retained for decryption.
• A short write-up: which handshake mode each request used and why, where forward secrecy comes from, and which of the four metrics you would page on and at what threshold.