lemon-tls 0.2.1 → 0.3.0

package/src/tls_session.js

@@ -4,15 +4,21 @@ import { EventEmitter } from 'node:events';
 import {
   TLS_CIPHER_SUITES,
   build_cert_verify_tbs,
+  build_cert_verify_tbs_with_hash,
   get_handshake_finished,
+  get_handshake_finished_with_hash,
   tls12_prf,
   derive_handshake_traffic_secrets,
+  derive_handshake_traffic_secrets_with_hash,
   derive_app_traffic_secrets,
+  derive_app_traffic_secrets_with_hash,
   derive_resumption_master_secret,
+  derive_resumption_master_secret_with_hash,
   derive_psk,
   derive_binder_key,
   compute_psk_binder,
   derive_handshake_traffic_secrets_psk,
+  derive_handshake_traffic_secrets_psk_with_hash,
   hkdf_expand_label,
   getHashFn,
 } from './crypto.js';
@@ -30,6 +36,17 @@ import { pick_scheme, sign_with_scheme } from './session/signing.js';
 import createSecureContext from './secure_context.js';
 import { x25519_get_public_key, x25519_get_shared_secret, p256_generate_keypair, p256_get_shared_secret, p384_generate_keypair, p384_get_shared_secret } from './session/ecdh.js';
 import { build_tls_message, parse_tls_message } from './session/message.js';
+import { encrypt_session_blob, decrypt_session_blob, encode_client_session, decode_client_session } from './session/ticket.js';
+
+// Debug logging — enabled via LEMON_DEBUG=1 env var
+const LEMON_DEBUG = typeof process !== 'undefined' && process.env && process.env.LEMON_DEBUG === '1';
+function dbg(tag, ...args) { if (LEMON_DEBUG) console.error('[LEMON ' + tag + ']', ...args); }
+function hexPreview(buf, max) {
+  if (!buf) return 'null';
+  let b = Buffer.isBuffer(buf) ? buf : Buffer.from(buf);
+  let n = Math.min(b.length, max || 32);
+  return b.slice(0, n).toString('hex') + (b.length > n ? `... (${b.length} bytes)` : ` (${b.length} bytes)`);
+}
 
 
 function TLSSession(options){
@@ -45,7 +62,9 @@ function TLSSession(options){
     ca: options.ca || null, // CA certificates (PEM strings or Buffers)
 
     SNICallback: options.SNICallback || null,
-    ticketKeys: options.ticketKeys || null, // 48 bytes for ticket encryption
+    ticketKeys: options.ticketKeys || null, // 48 bytes: [0:16]=key_name, [16:48]=AES-256-GCM key
+    ticketLifetime: options.ticketLifetime != null ? (options.ticketLifetime >>> 0) : 7200, // seconds
+    sessionTickets: options.sessionTickets !== false, // default true (was noTickets inverted)
 
     // Advanced options
     maxHandshakeSize: options.maxHandshakeSize || 0, // 0 = no limit
@@ -108,6 +127,19 @@ function TLSSession(options){
 
 
     transcript: [],
+    transcriptHook: null,  // DTLSSession sets this to transform transcript entries
+
+    // Incremental transcript hash — running crypto.Hash object that we update
+    // each time a handshake message is pushed. Replaces the previous pattern of
+    // `concatUint8Arrays(transcript)` + `hashFn(...)` on every key-derivation
+    // step, which re-hashed and re-allocated the entire transcript each time
+    // (~5 times per handshake, several KB each).
+    //
+    // The array `transcript` is still maintained in parallel for cases that
+    // need it (HRR rewind, TLS 1.2 EMS snapshot via transcript.length, logging).
+    // Only the HASH path uses this incremental object. Reset on HRR.
+    transcriptHash: null,          // crypto.Hash object (lazy init when hashName is known)
+    transcriptHashName: null,      // hash algorithm currently tracked ('sha256' / 'sha384')
 
 
     //both
@@ -162,17 +194,151 @@ function TLSSession(options){
     // HelloRetryRequest
     helloRetried: false,                      // true if HRR was sent/received
 
+    // DTLS cookie (set by DTLSSession via set_context)
+    dtls_cookie: undefined,                   // Uint8Array or undefined
+
     // TLS 1.3 resumption
     tls13_master_secret: null,
     resumption_master_secret: null,
     ticket_nonce_counter: 0,
     session_ticket_sent: false,
-    noTickets: !!options.noTickets,
     psk_offered: null,       // client: { identity, psk, cipher } offered in ClientHello
     psk_accepted: false,     // server accepted PSK → abbreviated handshake
-    isResumed: false,        // true if PSK was accepted
+    isResumed: false,        // true if PSK was accepted (1.3) or abbreviated handshake (1.2)
+
+    // TLS 1.2 resumption
+    tls12_abbreviated: false,         // doing abbreviated handshake (server side)
+    tls12_resume_state: null,         // loaded session state (from SessionID or Ticket): { version, cipher, master_secret, extended_master_secret, sni, alpn, timestamp }
+    tls12_session_ticket_requested: false,  // client sent SessionTicket extension (empty or with data)
+    tls12_session_ticket_offered: null,     // client sent non-empty SessionTicket (raw bytes) — server tries to decrypt
+    tls12_newsession_sent: false,           // server sent NewSessionTicket message (TLS 1.2)
+    tls12_session_id_for_store: null,       // session_id to emit with 'newSession' (32 bytes, server-generated)
+    tls12_session_id_emitted: false,        // 'newSession' event already fired
+    tls12_client_session_emitted: false,    // client-side 'session' event fired (TLS 1.2 Session ID or ticket)
+    tls12_resume_pending: false,            // waiting for 'resumeSession' async callback
+    tls12_client_session: null,             // client: saved session to resume with (parsed sessionData)
   };
 
+  /**
+   * Emit NSS SSLKEYLOGFILE lines on 'keylog' event (Node.js TLSSocket compat).
+   * Used by Wireshark and similar tools to decrypt TLS traffic.
+   *
+   * Format: "LABEL <client_random_hex> <secret_hex>\n"
+   *   - TLS 1.2: CLIENT_RANDOM <cr> <master_secret>
+   *   - TLS 1.3: CLIENT_HANDSHAKE_TRAFFIC_SECRET / SERVER_HANDSHAKE_TRAFFIC_SECRET
+   *              CLIENT_TRAFFIC_SECRET_0        / SERVER_TRAFFIC_SECRET_0
+   *
+   * All three functions are zero-allocation when no 'keylog' listeners are attached
+   * (single listenerCount check at entry), so leaving this infrastructure in place
+   * has no measurable cost in production.
+   */
+  function _emitKeylogPair(labelClient, labelServer, secretClient, secretServer) {
+    if (ev.listenerCount('keylog') === 0) return;
+    let clientRandom = context.isServer ? context.remote_random : context.local_random;
+    if (!clientRandom) return;
+    // Compute clientRandom hex once — both lines share it
+    let crHex = Buffer.from(clientRandom).toString('hex');
+    if (secretClient) {
+      let line = labelClient + ' ' + crHex + ' ' + Buffer.from(secretClient).toString('hex') + '\n';
+      ev.emit('keylog', Buffer.from(line));
+    }
+    if (secretServer) {
+      let line = labelServer + ' ' + crHex + ' ' + Buffer.from(secretServer).toString('hex') + '\n';
+      ev.emit('keylog', Buffer.from(line));
+    }
+  }
+
+  /** TLS 1.3: emit CLIENT_HANDSHAKE_TRAFFIC_SECRET + SERVER_HANDSHAKE_TRAFFIC_SECRET. */
+  function _emitHandshakeKeylog() {
+    _emitKeylogPair(
+      'CLIENT_HANDSHAKE_TRAFFIC_SECRET', 'SERVER_HANDSHAKE_TRAFFIC_SECRET',
+      context.isServer ? context.remote_handshake_traffic_secret : context.local_handshake_traffic_secret,
+      context.isServer ? context.local_handshake_traffic_secret  : context.remote_handshake_traffic_secret
+    );
+  }
+
+  /** TLS 1.3: emit CLIENT_TRAFFIC_SECRET_0 + SERVER_TRAFFIC_SECRET_0. */
+  function _emitAppKeylog() {
+    _emitKeylogPair(
+      'CLIENT_TRAFFIC_SECRET_0', 'SERVER_TRAFFIC_SECRET_0',
+      context.isServer ? context.remote_app_traffic_secret : context.local_app_traffic_secret,
+      context.isServer ? context.local_app_traffic_secret  : context.remote_app_traffic_secret
+    );
+  }
+
+  /** TLS 1.2: emit CLIENT_RANDOM <client_random> <master_secret>. */
+  function _emitKeylog(label, secret) {
+    if (ev.listenerCount('keylog') === 0) return;
+    let clientRandom = context.isServer ? context.remote_random : context.local_random;
+    if (!clientRandom || !secret) return;
+    let line = label + ' ' +
+      Buffer.from(clientRandom).toString('hex') + ' ' +
+      Buffer.from(secret).toString('hex') + '\n';
+    ev.emit('keylog', Buffer.from(line));
+  }
+
+  /**
+   * Push a handshake message to the transcript.
+   * If a transcriptHook is set (by DTLSSession), it transforms the data first.
+   * This allows DTLS 1.2 to store DTLS-format entries (with reconstruction data)
+   * while TLS and DTLS 1.3 store standard TLS-format entries.
+   *
+   * Also updates the incremental transcript hash if it's been initialized,
+   * so subsequent calls to get_transcript_hash() run in O(1) clone+digest time
+   * instead of re-hashing the entire transcript.
+   */
+  function pushTranscript(data) {
+    if (context.transcriptHook) {
+      data = context.transcriptHook(data);
+    }
+    context.transcript.push(data);
+    if (context.transcriptHash !== null) {
+      context.transcriptHash.update(data);
+    }
+  }
+
+  /**
+   * Returns the transcript hash using the incremental running hash object.
+   * Initializes the running hash on first call (replaying any pre-existing
+   * messages), then uses Hash.copy()+digest() on subsequent calls so the
+   * running hash keeps accepting more updates.
+   *
+   * Perf vs old pattern `getHashFn(h)(concatUint8Arrays(transcript))`:
+   *   - Avoids concat — which allocates a buffer holding ALL transcript bytes
+   *   - Avoids hashing the entire transcript from scratch every time
+   *   - Hash.copy() duplicates only the hash state (~hashLen bytes)
+   *
+   * For a typical handshake with 6-8 messages of a few KB total and ~5 hash
+   * computations during key derivation, this saves ~20KB of allocations and
+   * re-hashes the same bytes 4 fewer times.
+   */
+  function get_transcript_hash(hashName) {
+    if (context.transcriptHash !== null && context.transcriptHashName === hashName) {
+      return new Uint8Array(context.transcriptHash.copy().digest());
+    }
+    // Lazy init: create a fresh hash and replay existing transcript into it.
+    // After this, pushTranscript() updates the hash incrementally.
+    context.transcriptHash = crypto.createHash(hashName);
+    context.transcriptHashName = hashName;
+    for (let i = 0; i < context.transcript.length; i++) {
+      context.transcriptHash.update(context.transcript[i]);
+    }
+    return new Uint8Array(context.transcriptHash.copy().digest());
+  }
+
+  /**
+   * Reset the incremental transcript hash. Called after HRR reshape, where the
+   * transcript array is replaced with [message_hash(CH1), HRR] and the running
+   * hash must be restarted to match.
+   */
+  function reset_transcript_hash(hashName) {
+    context.transcriptHash = crypto.createHash(hashName);
+    context.transcriptHashName = hashName;
+    for (let i = 0; i < context.transcript.length; i++) {
+      context.transcriptHash.update(context.transcript[i]);
+    }
+  }
+
   function process_income_message(data){
 
     // Track handshake start time
@@ -185,14 +351,14 @@ function TLSSession(options){
       return;
     }
 
-    let message = parse_tls_message(data);
+    let message = parse_tls_message(data, context.selected_version);
 
     // Emit 'handshakeMessage' hook for every message
     ev.emit('handshakeMessage', message.type, data, message);
 
     if((context.isServer==false && message.type=='server_hello') || (context.isServer==true && message.type=='client_hello')){
 
-      context.transcript.push(data);
+      pushTranscript(data);
 
       // Save raw ClientHello + emit event (server side)
       if (context.isServer && message.type === 'client_hello') {
@@ -216,10 +382,20 @@ function TLSSession(options){
         let pskIdentity = message.pre_shared_key.identities[0];
         let pskBinder = message.pre_shared_key.binders ? message.pre_shared_key.binders[0] : null;
 
+        dbg('SRV-PSK', 'received identity:', hexPreview(pskIdentity.identity, 24),
+            'age:', (pskIdentity.age || 0) >>> 0,
+            'received binder:', hexPreview(pskBinder, 16));
+
         let pskResult = null;
-        ev.emit('psk', pskIdentity.identity, function(result) {
+        ev.emit('psk', {
+          identity: pskIdentity.identity,
+          obfuscatedAge: (pskIdentity.age || 0) >>> 0
+        }, function(result) {
           pskResult = result;
         });
+
+        dbg('SRV-PSK', 'pskResult:', pskResult ? `psk=${hexPreview(pskResult.psk, 8)} cipher=0x${pskResult.cipher?.toString(16)}` : 'null (decrypt failed)');
+
         if (pskResult && pskResult.psk) {
           let pskCipher = pskResult.cipher || 0x1301;
           let hashName = TLS_CIPHER_SUITES[pskCipher] ? TLS_CIPHER_SUITES[pskCipher].hash : 'sha256';
@@ -230,6 +406,12 @@ function TLSSession(options){
           let truncatedCH = data.slice(0, data.length - bindersSize);
           let expectedBinder = compute_psk_binder(hashName, binder_key, truncatedCH);
 
+          dbg('SRV-PSK', 'hash:', hashName, 'hashLen:', hashLen,
+              'truncatedCH len:', truncatedCH.length,
+              'full CH len:', data.length);
+          dbg('SRV-PSK', 'expected binder:', hexPreview(expectedBinder, 16));
+          dbg('SRV-PSK', 'received binder:', hexPreview(pskBinder, 16));
+
           let binderOk = pskBinder && expectedBinder.length === pskBinder.length;
           if (binderOk) {
             for (let bi = 0; bi < expectedBinder.length; bi++) {
@@ -237,6 +419,8 @@ function TLSSession(options){
             }
           }
 
+          dbg('SRV-PSK', binderOk ? '✓ BINDER MATCH — psk_accepted' : '✗ BINDER MISMATCH — full handshake');
+
           if (binderOk) {
             context.psk_accepted = true;
             context.isResumed = true;
@@ -251,9 +435,12 @@ function TLSSession(options){
       // Client: detect if server accepted PSK from ServerHello (BEFORE set_context)
       if (!context.isServer && message.pre_shared_key && typeof message.pre_shared_key.selected === 'number') {
         if (context.psk_offered) {
+          dbg('CLI-PSK', '✓ server accepted PSK, selected_identity:', message.pre_shared_key.selected);
           context.psk_accepted = true;
           context.isResumed = true;
         }
+      } else if (!context.isServer && context.psk_offered && message.type === 'server_hello') {
+        dbg('CLI-PSK', '✗ server did NOT include pre_shared_key in SH — full handshake');
       }
 
       // Client: detect HelloRetryRequest (ServerHello with magic random)
@@ -275,6 +462,11 @@ function TLSSession(options){
         let message_hash = wire.build_message(wire.TLS_MESSAGE_TYPE.MESSAGE_HASH, ch1_hash);
         context.transcript = [message_hash, hrrData]; // message_hash + HRR
 
+        // After HRR, the running hash must be restarted to match the reshaped
+        // transcript. If any existing running hash was tracking the old (CH1 + HRR)
+        // sequence, it's now stale — we rebuild from the new 2-entry transcript.
+        reset_transcript_hash(hashName);
+
         // Find the requested group from HRR key_share extension
         // After wire.js fix, key_groups contains [{group: N, key_exchange: empty}] for HRR
         let requestedGroup = null;
@@ -324,7 +516,7 @@ function TLSSession(options){
                   0x0401, 0x0501, 0x0601
               ] },
               { type: 'RENEGOTIATION_INFO', value: new Uint8Array(0) },
-              { type: 23, data: new Uint8Array(0) }, // extended_master_secret
+              { type: 'EXTENDED_MASTER_SECRET', value: null },
             ];
 
             // SNI (must be first)
@@ -350,11 +542,12 @@ function TLSSession(options){
               version: 0x0303,
               random: context.local_random,
               session_id: context.local_session_id,
+              cookie: context.dtls_cookie,
               cipher_suite: context.local_supported_cipher_suites,
               extensions: extensions,
             });
 
-            context.transcript.push(ch2);
+            pushTranscript(ch2);
             ev.emit('message', 0, context.message_sent_seq, 'hello', ch2);
             context.message_sent_seq++;
           }
@@ -368,7 +561,9 @@ function TLSSession(options){
         remote_random: message.random || null,
         remote_sni: message.sni || null,
         remote_session_id: message.session_id || null,
-        remote_supported_versions: message.supported_versions || [],
+        remote_supported_versions: (message.supported_versions && message.supported_versions.length > 0)
+          ? message.supported_versions
+          : (message.legacy_version ? [message.legacy_version] : []),
         remote_supported_alpns: message.alpn || [],
         remote_supported_cipher_suites: message.cipher_suites || [],
         remote_supported_signature_algorithms: message.signature_algorithms || [],
@@ -377,6 +572,122 @@ function TLSSession(options){
         add_remote_key_groups: message.key_groups || []
       });
 
+      // Server: TLS 1.2 resumption detection (only makes sense from ClientHello).
+      // This runs BEFORE set_context's reactive loop picks a version, so we mark state
+      // but defer the decision. The reactive loop will check tls12_abbreviated once
+      // TLS 1.2 is actually selected.
+      if (context.isServer && message.type === 'client_hello') {
+
+        // Was SessionTicket extension present? (empty or with data)
+        if (message.session_ticket_supported) {
+          context.tls12_session_ticket_requested = true;
+        }
+
+        // 1) Try ticket-based resumption (RFC 5077) — stateless, preferred over session_id
+        if (message.session_ticket && message.session_ticket.length > 0 && context.ticketKeys && context.sessionTickets) {
+          let state = decrypt_session_blob(message.session_ticket, context.ticketKeys);
+          if (state && state.v === 12 && state.master_secret) {
+            // Honor ticket-based resumption: we'll proceed as abbreviated handshake once TLS 1.2 is selected.
+            context.tls12_resume_state = state;
+            context.tls12_session_ticket_offered = message.session_ticket;
+          }
+        }
+
+        // 2) Try Session ID resumption — emit 'resumeSession' event (async-supported).
+        //    Only if ticket-based didn't already succeed. Works regardless of sessionTickets
+        //    setting: if the user registered a 'resumeSession' listener, they opted into
+        //    Session ID-based resumption.
+        if (!context.tls12_resume_state && message.session_id && message.session_id.length > 0) {
+          // Fire synchronously-first; listener may resolve immediately OR asynchronously.
+          // If async, the listener's callback ends up calling set_context via a helper below.
+          let offeredId = message.session_id;
+          let resolved = false;
+
+          let resumeCb = function(err, sessionData) {
+            if (resolved) return;
+            resolved = true;
+            context.tls12_resume_pending = false;
+
+            if (!err && sessionData) {
+              // sessionData may be a structured state (user returned a decoded state)
+              // or an encrypted Buffer (user returned what we gave them in 'newSession').
+              let state = null;
+              if (sessionData instanceof Uint8Array || Buffer.isBuffer(sessionData)) {
+                state = decrypt_session_blob(sessionData, context.ticketKeys);
+              } else if (typeof sessionData === 'object' && sessionData.master_secret) {
+                state = sessionData;
+              }
+              if (state && state.v === 12 && state.master_secret) {
+                set_context({
+                  tls12_resume_state: state,
+                });
+              }
+            }
+            // If no state resolved → full handshake. Reactive loop continues once pending clears.
+          };
+
+          context.tls12_resume_pending = true;
+          ev.emit('resumeSession', offeredId, resumeCb);
+
+          // If nobody listened (listenerCount === 0), immediately un-pend.
+          if (ev.listenerCount('resumeSession') === 0) {
+            resumeCb(null, null);
+          }
+        }
+      }
+
+      // Client: TLS 1.2 resumption detection.
+      // Two cases trigger abbreviated handshake:
+      //   (a) Session ID-based: server echoes the saved session_id
+      //   (b) Ticket-based: per RFC 5077 §3.4, if server accepts the ticket AND the CH
+      //       session_id is non-empty, it MUST echo the same session_id. So if our CH
+      //       session_id appears back in SH and we offered a ticket, ticket was accepted.
+      if (!context.isServer && context.tls12_client_session && message.type === 'server_hello' &&
+          message.session_id && message.session_id.length > 0) {
+
+        let abbreviatedDetected = false;
+        let savedSid = context.tls12_client_session.session_id;
+        let sentSid  = context.local_session_id;
+        let hasTicket = context.tls12_client_session.ticket && context.tls12_client_session.ticket.length > 0;
+
+        dbg('CLI-12RESUME', 'saved sid:', hexPreview(savedSid, 16),
+            'sent sid:', hexPreview(sentSid, 16),
+            'received sid:', hexPreview(message.session_id, 16),
+            'hasTicket:', hasTicket);
+
+        // Case (a): server's session_id equals the one we had stored from a prior connection
+        if (savedSid && savedSid.length > 0 && uint8Equal(message.session_id, savedSid)) {
+          abbreviatedDetected = true;
+          dbg('CLI-12RESUME', '✓ case (a) matched: SH echoes saved sid');
+        }
+
+        // Case (b): we offered a ticket and server echoed our CH session_id
+        if (!abbreviatedDetected && hasTicket && sentSid && sentSid.length > 0 &&
+            uint8Equal(message.session_id, sentSid)) {
+          abbreviatedDetected = true;
+          dbg('CLI-12RESUME', '✓ case (b) matched: SH echoes CH sid after ticket offer');
+        }
+
+        if (!abbreviatedDetected) {
+          dbg('CLI-12RESUME', '✗ no match — full handshake expected');
+        }
+
+        if (abbreviatedDetected) {
+          context.tls12_abbreviated = true;
+          context.isResumed = true;
+          // Load master_secret and EMS flag from saved session
+          set_context({
+            base_secret: context.tls12_client_session.master_secret,
+            use_extended_master_secret: !!context.tls12_client_session.extended_master_secret,
+            // Mark as if remote_hello_done arrived — we won't actually receive it in abbreviated flow,
+            // but the reactive loop uses this to gate CKE; we're skipping CKE anyway.
+            remote_hello_done: true,
+            // Pretend key_exchange_sent so Finished logic proceeds without real CKE
+            key_exchange_sent: true,
+          });
+        }
+      }
+
       ev.emit('hello');
 
       if(context.isServer==true){
@@ -396,21 +707,27 @@ function TLSSession(options){
 
     }else if(message.type=='client_key_exchange' || message.type=='server_key_exchange'){
 
-      context.transcript.push(data);
+      pushTranscript(data);
 
       if ([0xC02F,0xC02B,0xC030,0xC02C,0xC013,0xC014,0xC009,0xC00A].includes(context.selected_cipher_suite)==true) {//ECDHE
 
         // ServerKeyExchange carries the group; ClientKeyExchange does not (server already chose it)
         let kex_group = message.group || context.selected_group;
 
-        set_context({
+        let kex_updates = {
           add_remote_key_groups: [
             {
               group: kex_group,
               public_key: message.public_key
             }
           ],
-        });
+        };
+        // TLS 1.2 client: selected_group isn't set from ServerHello (no supported_groups ext).
+        // Set it from the SKE group so the reactive loop can generate a keypair and build CKE.
+        if (context.selected_group === null && kex_group) {
+          kex_updates.selected_group = kex_group;
+        }
+        set_context(kex_updates);
 
       }else if ([0x009E,0x009F,0x0033,0x0039,0x0067,0x006B].includes(context.selected_cipher_suite)==true) {//DHE
 
@@ -426,7 +743,7 @@ function TLSSession(options){
 
     }else if(message.type=='server_hello_done'){
 
-      context.transcript.push(data);
+      pushTranscript(data);
 
 
       set_context({
@@ -435,7 +752,7 @@ function TLSSession(options){
 
     }else if(message.type=='encrypted_extensions'){
 
-      context.transcript.push(data);
+      pushTranscript(data);
 
       set_context({
         remote_supported_groups: message.supported_groups || [],
@@ -443,7 +760,7 @@ function TLSSession(options){
 
     }else if(message.type=='certificate'){
 
-      context.transcript.push(data);
+      pushTranscript(data);
 
       set_context({
         remote_cert_chain: message.entries,
@@ -458,7 +775,7 @@ function TLSSession(options){
 
     }else if(message.type=='certificate_verify'){
 
-      context.transcript.push(data);
+      pushTranscript(data);
 
     }else if(message.type=='finished'){
 
@@ -468,26 +785,69 @@ function TLSSession(options){
 
     }else if(message.type=='new_session_ticket'){
 
-      // Client receives NewSessionTicket from server (post-handshake)
-      if(!context.isServer && context.resumption_master_secret){
-        let hashName = TLS_CIPHER_SUITES[context.selected_cipher_suite].hash;
-        let psk = derive_psk(hashName, context.resumption_master_secret, message.ticket_nonce);
-
-        ev.emit('session', {
-          ticket: message.ticket,
-          ticket_nonce: message.ticket_nonce,
-          psk: psk,
-          cipher: context.selected_cipher_suite,
-          lifetime: message.ticket_lifetime,
-          age_add: message.ticket_age_add,
-          maxEarlyDataSize: 0,
-        });
+      // Client receives NewSessionTicket from server (post-handshake in TLS 1.3, pre-CCS in TLS 1.2)
+      if(!context.isServer){
+        if ((context.selected_version === wire.TLS_VERSION.TLS1_3 || context.selected_version === wire.DTLS_VERSION.DTLS1_3) && context.resumption_master_secret) {
+          // TLS 1.3: derive PSK from resumption_master_secret + ticket_nonce
+          let hashName = TLS_CIPHER_SUITES[context.selected_cipher_suite].hash;
+          let psk = derive_psk(hashName, context.resumption_master_secret, message.ticket_nonce);
+
+          dbg('CLI-NST', 'received TLS 1.3 NST — cipher:', '0x' + context.selected_cipher_suite.toString(16),
+              'hash:', hashName,
+              'transcript len:', concatUint8Arrays(context.transcript).length);
+          dbg('CLI-NST', 'ticket_nonce:', hexPreview(message.ticket_nonce, 4),
+              'age_add:', message.ticket_age_add,
+              'lifetime:', message.ticket_lifetime);
+          dbg('CLI-NST', 'resumption_master_secret:', hexPreview(context.resumption_master_secret, 8),
+              'derived psk:', hexPreview(psk, 8));
+
+          // Encode opaque client-side session Buffer (JSON — user is responsible for secure storage)
+          let session_blob = encode_client_session({
+            v: 13,                                    // blob kind: TLS 1.3
+            version: context.selected_version,
+            cipher: context.selected_cipher_suite,
+            ticket: message.ticket,
+            psk: psk,
+            age_add: message.ticket_age_add,
+            lifetime: message.ticket_lifetime,
+            sni: context.local_sni || null,
+            alpn: context.selected_alpn || null,
+            created: Date.now(),
+          });
+
+          ev.emit('session', session_blob);
+        } else if (context.selected_version === wire.TLS_VERSION.TLS1_2 && context.base_secret) {
+          // TLS 1.2: NewSessionTicket is sent BEFORE server's CCS+Finished and is part of the
+          // handshake transcript (RFC 5077 §3.3). Server's Finished hash covers this message,
+          // so the client MUST include it in its transcript for verification to succeed.
+          pushTranscript(data);
+
+          // Save the raw ticket so getTLSTicket() can return it (Node compat).
+          context.tls12_received_ticket = message.ticket;
+
+          let session_blob = encode_client_session({
+            v: 12,                                    // blob kind: TLS 1.2
+            version: context.selected_version,
+            cipher: context.selected_cipher_suite,
+            master_secret: context.base_secret,
+            extended_master_secret: !!context.use_extended_master_secret,
+            ticket: message.ticket,
+            session_id: context.remote_session_id || null,  // store for Session ID fallback
+            lifetime: message.ticket_lifetime_hint || context.ticketLifetime,
+            sni: context.local_sni || null,
+            alpn: context.selected_alpn || null,
+            created: Date.now(),
+          });
+
+          ev.emit('session', session_blob);
+          context.tls12_client_session_emitted = true;
+        }
       }
 
     }else if(message.type=='key_update'){
 
       // Peer is updating their traffic secret (we update our read key)
-      if(context.state==='connected' && context.selected_version === wire.TLS_VERSION.TLS1_3){
+      if(context.state==='connected' && (context.selected_version === wire.TLS_VERSION.TLS1_3 || context.selected_version === wire.DTLS_VERSION.DTLS1_3)){
         let hashName = TLS_CIPHER_SUITES[context.selected_cipher_suite].hash;
         let hashLen = getHashLen(hashName);
         let newRemoteSecret = hkdf_expand_label(hashName, context.remote_app_traffic_secret, 'traffic upd', new Uint8Array(0), hashLen);
@@ -512,7 +872,7 @@ function TLSSession(options){
 
       // Server is requesting a client certificate (TLS 1.3)
       if(!context.isServer){
-        context.transcript.push(data);
+        pushTranscript(data);
         context.certificateRequested = true;
         context.certificateRequestContext = message.certificate_request_context || new Uint8Array(0);
         context.certificateRequestSigAlgs = message.signature_algorithms || [];
@@ -771,6 +1131,33 @@ function TLSSession(options){
         }
       }
 
+      if('tls12_resume_state' in options){
+        if(context.tls12_resume_state !== options.tls12_resume_state){
+          context.tls12_resume_state = options.tls12_resume_state;
+          has_changed=true;
+        }
+      }
+
+      if('tls12_abbreviated' in options){
+        if(context.tls12_abbreviated !== options.tls12_abbreviated){
+          context.tls12_abbreviated = options.tls12_abbreviated;
+          has_changed=true;
+        }
+      }
+
+      if('isResumed' in options){
+        if(context.isResumed !== options.isResumed){
+          context.isResumed = options.isResumed;
+          has_changed=true;
+        }
+      }
+
+      if('use_extended_master_secret' in options){
+        if(context.use_extended_master_secret !== options.use_extended_master_secret){
+          context.use_extended_master_secret = options.use_extended_master_secret;
+          has_changed=true;
+        }
+      }
       if('ecdhe_shared_secret' in options){
         if(context.ecdhe_shared_secret==null && options.ecdhe_shared_secret!==null){
           context.ecdhe_shared_secret=options.ecdhe_shared_secret;
@@ -783,6 +1170,11 @@ function TLSSession(options){
         if(options.base_secret !== context.base_secret){
           context.base_secret=options.base_secret;
           has_changed=true;
+          // TLS 1.2: base_secret IS the master_secret. Emit NSS SSLKEYLOGFILE line.
+          if (options.base_secret && (context.selected_version === wire.TLS_VERSION.TLS1_2 ||
+              context.selected_version === wire.DTLS_VERSION.DTLS1_2)) {
+            _emitKeylog('CLIENT_RANDOM', options.base_secret);
+          }
         }
       }
 
@@ -800,6 +1192,7 @@ function TLSSession(options){
           has_changed=true;
           if(context.local_handshake_traffic_secret!==null){
             ev.emit('handshakeSecrets', context.local_handshake_traffic_secret, context.remote_handshake_traffic_secret);
+            _emitHandshakeKeylog();
           }
         }
       }
@@ -810,6 +1203,7 @@ function TLSSession(options){
           has_changed=true;
           if(context.remote_handshake_traffic_secret!==null){
             ev.emit('handshakeSecrets', context.local_handshake_traffic_secret, context.remote_handshake_traffic_secret);
+            _emitHandshakeKeylog();
           }
         }
       }
@@ -820,6 +1214,7 @@ function TLSSession(options){
           has_changed=true;
           if(context.local_app_traffic_secret!==null){
             ev.emit('appSecrets', context.local_app_traffic_secret, context.remote_app_traffic_secret);
+            _emitAppKeylog();
           }
         }
       }
@@ -830,6 +1225,7 @@ function TLSSession(options){
           has_changed=true;
           if(context.remote_app_traffic_secret!==null){
             ev.emit('appSecrets', context.local_app_traffic_secret, context.remote_app_traffic_secret);
+            _emitAppKeylog();
           }
         }
       }
@@ -871,7 +1267,10 @@ function TLSSession(options){
         }
       }
 
-      
+      if('dtls_cookie' in options){
+        context.dtls_cookie=options.dtls_cookie;
+        has_changed=true;
+      }
 
 
     }
@@ -901,24 +1300,89 @@ function TLSSession(options){
 
         if('selected_version' in params_to_set==false || params_to_set.selected_version==null){
         }
+
+        // TLS 1.2: clear key_share groups from ClientHello.
+        // key_share is a TLS 1.3 extension; in TLS 1.2, keys come from CKE/SKE.
+        // Without this, the server would compute the shared secret too early
+        // (using CH key_share instead of waiting for CKE).
+        if (context.isServer && params_to_set.selected_version !== null &&
+            params_to_set.selected_version !== wire.TLS_VERSION.TLS1_3 &&
+            params_to_set.selected_version !== wire.DTLS_VERSION.DTLS1_3) {
+          context.remote_key_groups = {};
+        }
       }
 
       //select selected_cipher...
       if (context.selected_cipher_suite == null && context.local_supported_cipher_suites.length > 0 && context.remote_supported_cipher_suites.length > 0) {
         
-        for (let i2 = 0; i2 < context.local_supported_cipher_suites.length; i2++) {
-          let cs = context.local_supported_cipher_suites[i2] | 0;
-          for (let j2 = 0; j2 < context.remote_supported_cipher_suites.length; j2++) {
-            
-            if ((context.remote_supported_cipher_suites[j2] | 0) == cs) {
-              params_to_set['selected_cipher_suite'] = cs;
-              break;
+        // If resuming TLS 1.2, force cipher to match stored state (if client still offers it)
+        if (context.isServer && context.tls12_resume_state &&
+            context.selected_version !== wire.TLS_VERSION.TLS1_3 &&
+            context.selected_version !== wire.DTLS_VERSION.DTLS1_3) {
+          let storedCipher = context.tls12_resume_state.cipher | 0;
+          if (context.remote_supported_cipher_suites.indexOf(storedCipher) >= 0 &&
+              context.local_supported_cipher_suites.indexOf(storedCipher) >= 0) {
+            params_to_set['selected_cipher_suite'] = storedCipher;
+          } else {
+            // Client no longer offers this cipher → can't resume, drop state
+            context.tls12_resume_state = null;
+          }
+        }
+
+        // TLS 1.3 PSK resumption: per RFC 8446 §4.2.11, server MUST select a cipher compatible
+        // with the selected PSK (same hash algorithm). Since we accepted the PSK based on its
+        // stored cipher's hash (for binder verification), we force the same cipher here.
+        if (context.isServer && context.psk_accepted && context.psk_offered && context.psk_offered.cipher &&
+            (context.selected_version === wire.TLS_VERSION.TLS1_3 || context.selected_version === wire.DTLS_VERSION.DTLS1_3)) {
+          let pskCipher = context.psk_offered.cipher | 0;
+          if (context.remote_supported_cipher_suites.indexOf(pskCipher) >= 0 &&
+              context.local_supported_cipher_suites.indexOf(pskCipher) >= 0) {
+            params_to_set['selected_cipher_suite'] = pskCipher;
+          }
+          // If client no longer offers this cipher, PSK can't be used — but we already accepted it.
+          // This is an edge case; fall through to normal selection and hope for the best.
+        }
+
+        if (!('selected_cipher_suite' in params_to_set)) {
+          for (let i2 = 0; i2 < context.local_supported_cipher_suites.length; i2++) {
+            let cs = context.local_supported_cipher_suites[i2] | 0;
+            for (let j2 = 0; j2 < context.remote_supported_cipher_suites.length; j2++) {
+              
+              if ((context.remote_supported_cipher_suites[j2] | 0) == cs) {
+                params_to_set['selected_cipher_suite'] = cs;
+                break;
+              }
             }
+            if ('selected_cipher_suite' in params_to_set==true && params_to_set.selected_cipher_suite !== null) break;
+          }
+
+          if('selected_cipher_suite' in params_to_set==false || params_to_set.selected_cipher_suite==null){
           }
-          if ('selected_cipher_suite' in params_to_set==true && params_to_set.selected_cipher_suite !== null) break;
         }
+      }
+
+      // TLS 1.2 abbreviated handshake setup: validate EMS match, seed base_secret, set flags.
+      // Runs once when all prerequisites are met (version + cipher selected, resume state present).
+      if (context.isServer && context.tls12_resume_state && !context.tls12_abbreviated &&
+          params_to_set.selected_cipher_suite != null &&
+          (context.selected_version === wire.TLS_VERSION.TLS1_2 || params_to_set.selected_version === wire.TLS_VERSION.TLS1_2)) {
+
+        let storedEMS = !!context.tls12_resume_state.extended_master_secret;
+        let clientEMS = !!context.use_extended_master_secret;
 
-        if('selected_cipher_suite' in params_to_set==false || params_to_set.selected_cipher_suite==null){
+        if (storedEMS !== clientEMS) {
+          // EMS mismatch: per RFC 7627 can't resume. Fall through to full handshake.
+          context.tls12_resume_state = null;
+        } else {
+          // OK, we can do abbreviated. Use params_to_set for all state flags
+          // (triggers has_changed → reactive loop re-runs with new state).
+          params_to_set['tls12_abbreviated'] = true;
+          params_to_set['isResumed'] = true;
+          params_to_set['base_secret'] = context.tls12_resume_state.master_secret;
+          // Echo stored session_id if we had one from the client. Otherwise fresh.
+          // For ticket-based resume: client's CH session_id is usually non-empty "random" bytes —
+          // we echo it back (RFC 5077 §3.4). For ID-based: we already have context.remote_session_id.
+          params_to_set['selected_session_id'] = context.remote_session_id || new Uint8Array(0);
         }
       }
 
@@ -1050,7 +1514,7 @@ function TLSSession(options){
       if(context.isServer==true){
 
         // HelloRetryRequest: if we selected a group but client didn't send a key_share for it
-        if(context.hello_sent==false && !context.helloRetried && context.selected_version === wire.TLS_VERSION.TLS1_3 &&
+        if(context.hello_sent==false && !context.helloRetried && (context.selected_version === wire.TLS_VERSION.TLS1_3 || context.selected_version === wire.DTLS_VERSION.DTLS1_3) &&
            context.selected_group !== null && context.selected_cipher_suite !== null &&
            !(context.selected_group in context.remote_key_groups)){
 
@@ -1062,15 +1526,18 @@ function TLSSession(options){
           let message_hash = wire.build_message(wire.TLS_MESSAGE_TYPE.MESSAGE_HASH, ch1_hash);
           context.transcript = [message_hash];
 
+          // Rebuild the running hash to match the reshaped transcript.
+          reset_transcript_hash(hashName);
+
           // Build and send HRR (it's a ServerHello with magic random)
           let hrr_body = wire.build_hello_retry_request({
             cipher_suite: context.selected_cipher_suite,
-            selected_version: wire.TLS_VERSION.TLS1_3,
+            selected_version: context.selected_version,
             selected_group: context.selected_group,
             session_id: context.remote_session_id,
           });
           let hrr_data = wire.build_message(wire.TLS_MESSAGE_TYPE.SERVER_HELLO, hrr_body);
-          context.transcript.push(hrr_data);
+          pushTranscript(hrr_data);
 
           ev.emit('message', 0, context.message_sent_seq, 'hello_retry_request', hrr_data);
           context.message_sent_seq++;
@@ -1090,15 +1557,18 @@ function TLSSession(options){
         if(context.hello_sent==false){
           
           if(context.selected_version!==null && context.selected_cipher_suite!==null && context.selected_session_id!==null){
-            if(context.selected_version === wire.TLS_VERSION.TLS1_3){
+            if((context.selected_version === wire.TLS_VERSION.TLS1_3 || context.selected_version === wire.DTLS_VERSION.DTLS1_3)){
               if(context.selected_group in context.local_key_groups==true && context.local_key_groups[context.selected_group].public_key!==null){
                 // After HRR, don't send ServerHello until CH2 provides the requested key_share
                 if (!context.helloRetried || (context.selected_group in context.remote_key_groups)) {
                   can_send_hello=true;
                 }
               }
-            }else if(context.selected_version === wire.TLS_VERSION.TLS1_2){
-              can_send_hello=true;
+            }else if((context.selected_version === wire.TLS_VERSION.TLS1_2 || context.selected_version === wire.DTLS_VERSION.DTLS1_2)){
+              // Block ServerHello while waiting for async resumeSession decision
+              if (!context.tls12_resume_pending) {
+                can_send_hello=true;
+              }
             }
           }
         }
@@ -1111,12 +1581,12 @@ function TLSSession(options){
 
           let build_message_params=null;
 
-          if(context.selected_version==wire.TLS_VERSION.TLS1_3){
+          if((context.selected_version === wire.TLS_VERSION.TLS1_3 || context.selected_version === wire.DTLS_VERSION.DTLS1_3)){
 
             let shExtensions = [
               { 
                 type: 'SUPPORTED_VERSIONS', 
-                value: wire.TLS_VERSION.TLS1_3
+                value: context.selected_version
               },
               {
                 type: 'KEY_SHARE', 
@@ -1142,7 +1612,7 @@ function TLSSession(options){
             };
             
 
-          }else if(context.selected_version==wire.TLS_VERSION.TLS1_2){
+          }else if((context.selected_version === wire.TLS_VERSION.TLS1_2 || context.selected_version === wire.DTLS_VERSION.DTLS1_2)){
 
             
             // TLS 1.2 ServerHello: no SUPPORTED_VERSIONS or KEY_SHARE.
@@ -1155,19 +1625,44 @@ function TLSSession(options){
 
             // Only echo extended_master_secret if client sent it
             if (context.use_extended_master_secret) {
-              ext_list.push({ type: 23, data: new Uint8Array(0) });
+              ext_list.push({ type: 'EXTENDED_MASTER_SECRET', value: null });
             }
 
-            if (context.alpn_selected) {
+            if (context.selected_alpn) {
               // RFC 7301: ServerHello echoes a single selected protocol
-              ext_list.push({ type: 'ALPN', value: [ String(context.alpn_selected) ] });
+              ext_list.push({ type: 'ALPN', value: [ String(context.selected_alpn) ] });
+            }
+
+            // SESSION_TICKET: RFC 5077 §3.2 — server echoes empty extension to signal it will
+            // send a NewSessionTicket later. Skip for abbreviated handshake (per §3.3).
+            // Skip for DTLS — we don't emit NST in DTLS, so MUST NOT echo the ext either (§3.2).
+            let isDtls12Here = (context.selected_version === wire.DTLS_VERSION.DTLS1_2);
+            if (context.tls12_session_ticket_requested && !context.tls12_abbreviated && context.sessionTickets && !isDtls12Here) {
+              ext_list.push({ type: 'SESSION_TICKET', value: new Uint8Array(0) });
+            }
+
+            // Session ID: for abbreviated (resumed) handshake, MUST echo client's session_id
+            // (RFC 5077 §3.4). For TLS 1.2 full handshake, generate a fresh 32-byte session_id
+            // (matches OpenSSL/Node.js behavior for middlebox compatibility).
+            // For DTLS 1.2 full handshake: just echo client's session_id (no middlebox concern,
+            // and matches original lemon-tls behavior before my TLS 1.2 resumption changes).
+            let sid_to_send;
+            if (context.tls12_abbreviated) {
+              sid_to_send = context.remote_session_id || new Uint8Array(0);
+            } else if (context.selected_version === wire.DTLS_VERSION.DTLS1_2) {
+              sid_to_send = context.remote_session_id || new Uint8Array(0);
+            } else {
+              if (!context.tls12_session_id_for_store) {
+                context.tls12_session_id_for_store = new Uint8Array(crypto.randomBytes(32));
+              }
+              sid_to_send = context.tls12_session_id_for_store;
             }
 
             build_message_params = {
               type: 'server_hello',
               version: context.selected_version,
               random: context.local_random,
-              session_id: context.remote_session_id || new Uint8Array(0), // echo client session_id
+              session_id: sid_to_send,
               cipher_suite: context.selected_cipher_suite,  // e.g. 0xC02F
               // compression_method always 0
               extensions: ext_list
@@ -1176,7 +1671,6 @@ function TLSSession(options){
             
 
 
-
           }
           
           if(build_message_params!==null){
@@ -1184,7 +1678,7 @@ function TLSSession(options){
 
             let message_data = build_tls_message(build_message_params);
 
-            context.transcript.push(message_data);
+            pushTranscript(message_data);
 
             context.hello_sent=true;
 
@@ -1204,16 +1698,18 @@ function TLSSession(options){
 
       //get base_secret
       if (context.base_secret==null && context.selected_cipher_suite !== null){
-        if(context.selected_version == wire.TLS_VERSION.TLS1_3 && (context.ecdhe_shared_secret !== null)){
+        if((context.selected_version === wire.TLS_VERSION.TLS1_3 || context.selected_version === wire.DTLS_VERSION.DTLS1_3) && (context.ecdhe_shared_secret !== null)){
 
           let hashName = TLS_CIPHER_SUITES[context.selected_cipher_suite].hash;
           let result;
+          // Use incremental transcript hash — avoids concat+hash of full transcript
+          let tx_hash = get_transcript_hash(hashName);
           if (context.psk_accepted && context.psk_offered && context.psk_offered.psk) {
             // PSK + ECDHE key schedule
-            result = derive_handshake_traffic_secrets_psk(hashName, context.psk_offered.psk, context.ecdhe_shared_secret, concatUint8Arrays(context.transcript));
+            result = derive_handshake_traffic_secrets_psk_with_hash(hashName, context.psk_offered.psk, context.ecdhe_shared_secret, tx_hash);
           } else {
             // Standard key schedule (no PSK)
-            result = derive_handshake_traffic_secrets(hashName, context.ecdhe_shared_secret, concatUint8Arrays(context.transcript));
+            result = derive_handshake_traffic_secrets_with_hash(hashName, context.ecdhe_shared_secret, tx_hash);
           }
 
           params_to_set['base_secret']=result.handshake_secret;
@@ -1226,7 +1722,7 @@ function TLSSession(options){
             params_to_set['remote_handshake_traffic_secret']=result.server_handshake_traffic_secret;
           }
 
-        }else if(context.selected_version === wire.TLS_VERSION.TLS1_2 && context.local_random!==null && context.remote_random!==null){
+        }else if((context.selected_version === wire.TLS_VERSION.TLS1_2 || context.selected_version === wire.DTLS_VERSION.DTLS1_2) && context.local_random!==null && context.remote_random!==null){
           if(context.ecdhe_shared_secret !== null){
 
 
@@ -1246,7 +1742,11 @@ function TLSSession(options){
               if(context.isServer || context.key_exchange_sent){
                 let hashFn  = getHashFn(TLS_CIPHER_SUITES[context.selected_cipher_suite].hash);
 
-                let transcript_hash = hashFn(concatUint8Arrays(context.transcript));
+                // Use snapshot up to CKE if available (excludes CertificateVerify)
+                let emsTranscript = context._emsTranscriptLen
+                  ? context.transcript.slice(0, context._emsTranscriptLen)
+                  : context.transcript;
+                let transcript_hash = hashFn(concatUint8Arrays(emsTranscript));
 
                 let master_secret = tls12_prf(context.ecdhe_shared_secret, "extended master secret", transcript_hash, 48, TLS_CIPHER_SUITES[context.selected_cipher_suite].hash);
 
@@ -1270,7 +1770,7 @@ function TLSSession(options){
 
 
       //send encrypted_extensions...
-      if (context.isServer==true && context.selected_version === wire.TLS_VERSION.TLS1_3){
+      if (context.isServer==true && (context.selected_version === wire.TLS_VERSION.TLS1_3 || context.selected_version === wire.DTLS_VERSION.DTLS1_3)){
         if(context.encrypted_exts_sent==false && context.hello_sent==true && context.local_handshake_traffic_secret!==null){
 
           let extensions=[];
@@ -1288,7 +1788,7 @@ function TLSSession(options){
             extensions: extensions
           });
 
-          context.transcript.push(message_data);
+          pushTranscript(message_data);
 
           context.encrypted_exts_sent=true;
 
@@ -1302,31 +1802,31 @@ function TLSSession(options){
 
       //send certificate... (skip for PSK resumption — no cert needed)
       // But first: send CertificateRequest if requestCert is set (TLS 1.3 only, between EE and Cert)
-      if(context.isServer==true && context.requestCert==true && !context.certificateRequestSent && context.encrypted_exts_sent==true && context.local_handshake_traffic_secret!==null && context.selected_version === wire.TLS_VERSION.TLS1_3 && !context.psk_accepted){
+      if(context.isServer==true && context.requestCert==true && !context.certificateRequestSent && context.encrypted_exts_sent==true && context.local_handshake_traffic_secret!==null && (context.selected_version === wire.TLS_VERSION.TLS1_3 || context.selected_version === wire.DTLS_VERSION.DTLS1_3) && !context.psk_accepted){
         let cr_data = build_tls_message({
           type: 'certificate_request',
           certificate_request_context: new Uint8Array(0),
           signature_algorithms: context.local_supported_signature_algorithms,
         });
-        context.transcript.push(cr_data);
+        pushTranscript(cr_data);
         context.certificateRequestSent = true;
         ev.emit('message', 1, context.message_sent_seq, 'certificate_request', cr_data);
         context.message_sent_seq++;
       }
 
-      if(context.isServer==true && context.cert_sent==false && context.local_cert_chain!==null && !context.psk_accepted){
-        if((context.selected_version === wire.TLS_VERSION.TLS1_3 && context.encrypted_exts_sent==true && context.local_handshake_traffic_secret!==null) || (context.selected_version === wire.TLS_VERSION.TLS1_2 && context.hello_sent==true)){
+      if(context.isServer==true && context.cert_sent==false && context.local_cert_chain!==null && !context.psk_accepted && !context.tls12_abbreviated){
+        if(((context.selected_version === wire.TLS_VERSION.TLS1_3 || context.selected_version === wire.DTLS_VERSION.DTLS1_3) && context.encrypted_exts_sent==true && context.local_handshake_traffic_secret!==null) || ((context.selected_version === wire.TLS_VERSION.TLS1_2 || context.selected_version === wire.DTLS_VERSION.DTLS1_2) && context.hello_sent==true)){
 
           let message_data = build_tls_message({
             type: 'certificate',
             version: context.selected_version,
             entries: context.local_cert_chain
           });
-          context.transcript.push(message_data);
+          pushTranscript(message_data);
 
           context.cert_sent=true;
 
-          if (context.selected_version === wire.TLS_VERSION.TLS1_3){
+          if ((context.selected_version === wire.TLS_VERSION.TLS1_3 || context.selected_version === wire.DTLS_VERSION.DTLS1_3)){
             ev.emit('message',1,context.message_sent_seq,'certificate',message_data);
           }else{
             ev.emit('message',0,context.message_sent_seq,'certificate',message_data);
@@ -1344,10 +1844,11 @@ function TLSSession(options){
 
 
       //send certificate verify...
-      if (context.isServer==true && context.selected_version === wire.TLS_VERSION.TLS1_3){
+      if (context.isServer==true && (context.selected_version === wire.TLS_VERSION.TLS1_3 || context.selected_version === wire.DTLS_VERSION.DTLS1_3)){
         if(context.cert_sent==true && context.cert_verify_sent==false && context.local_cert_chain!==null && context.local_handshake_traffic_secret!==null && context.selected_cipher_suite!==null){
 
-          let tbs_data = build_cert_verify_tbs(TLS_CIPHER_SUITES[context.selected_cipher_suite].hash,true,concatUint8Arrays(context.transcript));
+          let tbsHashName = TLS_CIPHER_SUITES[context.selected_cipher_suite].hash;
+          let tbs_data = build_cert_verify_tbs_with_hash(tbsHashName, true, get_transcript_hash(tbsHashName));
 
           let cert_private_key_obj = crypto.createPrivateKey({
             key: Buffer.from(context.cert_private_key),
@@ -1454,7 +1955,7 @@ function TLSSession(options){
 
             
 
-            context.transcript.push(message_data);
+            pushTranscript(message_data);
 
             context.cert_verify_sent=true;
 
@@ -1477,26 +1978,90 @@ function TLSSession(options){
 
 
       // client/server key exchange - 1.2 only...
-      if (context.key_exchange_sent == false && context.selected_version == wire.TLS_VERSION.TLS1_2) {
+      if (context.key_exchange_sent == false && (context.selected_version === wire.TLS_VERSION.TLS1_2 || context.selected_version === wire.DTLS_VERSION.DTLS1_2)) {
         if(context.selected_group!==null && context.selected_group in context.local_key_groups==true && context.local_key_groups[context.selected_group].public_key!==null){
 
           if (context.isServer==false && context.remote_hello_done==true) {
 
+            // TLS 1.2: send Certificate before CKE if server requested client auth
+            if (context.certificateRequested && !context.clientCertSent) {
+              context.clientCertSent = true;
+
+              // Build TLS 1.2 Certificate message
+              let certEntries = [];
+              if (context.local_cert_chain && context.local_cert_chain.length > 0) {
+                certEntries = context.local_cert_chain;
+              }
+              // TLS 1.2 Certificate: certificate_list<0..2^24-1>
+              //   Each entry: cert_length<3> + cert_der
+              let totalLen = 0;
+              for (let ci = 0; ci < certEntries.length; ci++) {
+                totalLen += 3 + certEntries[ci].cert.length;
+              }
+              let certBody = new Uint8Array(3 + totalLen);
+              certBody[0] = (totalLen >> 16) & 0xff;
+              certBody[1] = (totalLen >> 8) & 0xff;
+              certBody[2] = totalLen & 0xff;
+              let off = 3;
+              for (let ci = 0; ci < certEntries.length; ci++) {
+                let der = certEntries[ci].cert;
+                certBody[off] = (der.length >> 16) & 0xff;
+                certBody[off+1] = (der.length >> 8) & 0xff;
+                certBody[off+2] = der.length & 0xff;
+                certBody.set(der, off + 3);
+                off += 3 + der.length;
+              }
+              let cert_data = wire.build_message(wire.TLS_MESSAGE_TYPE.CERTIFICATE, certBody);
+              pushTranscript(cert_data);
+              ev.emit('message', 0, context.message_sent_seq, 'certificate', cert_data);
+              context.message_sent_seq++;
+            }
+
             let public_key = context.local_key_groups[context.selected_group].public_key;
 
             let message_data = build_tls_message({
               type: 'client_key_exchange',
               public_key: public_key,
             });
-            context.transcript.push(message_data);
+            pushTranscript(message_data);
 
             // Set via params_to_set to trigger re-evaluation (EMS needs this)
             params_to_set['key_exchange_sent'] = true;
+
+            // Save transcript length for EMS: session_hash includes up to CKE only (RFC 7627)
+            context._emsTranscriptLen = context.transcript.length;
             
             ev.emit('message', 0, context.message_sent_seq, 'client_key_exchange', message_data);
 
             context.message_sent_seq++;
 
+            // TLS 1.2 CertificateVerify: if we sent a non-empty Certificate, prove we own the private key
+            if (context.certificateRequested && context.cert_private_key && context.local_cert_chain && context.local_cert_chain.length > 0) {
+              // sign_with_scheme hashes internally, so pass RAW transcript (not pre-hashed)
+              let transcript_data = concatUint8Arrays(context.transcript);
+
+              // Pick scheme matching our cert + server's requested algorithms
+              let cert_key_obj = crypto.createPrivateKey({ key: Buffer.from(context.cert_private_key), format: 'der', type: 'pkcs8' });
+              let reqAlgs = context.certificateRequestSigAlgs.length > 0
+                ? context.certificateRequestSigAlgs
+                : context.local_supported_signature_algorithms;
+              let scheme = pick_scheme(wire.TLS_VERSION.TLS1_2, cert_key_obj, reqAlgs);
+              let signature = sign_with_scheme(wire.TLS_VERSION.TLS1_2, scheme, transcript_data, cert_key_obj);
+
+              // Build CertificateVerify: scheme(2) + sig_length(2) + sig
+              let cvBody = new Uint8Array(2 + 2 + signature.length);
+              cvBody[0] = (scheme >> 8) & 0xff;
+              cvBody[1] = scheme & 0xff;
+              cvBody[2] = (signature.length >> 8) & 0xff;
+              cvBody[3] = signature.length & 0xff;
+              cvBody.set(signature, 4);
+
+              let cv_data = wire.build_message(wire.TLS_MESSAGE_TYPE.CERTIFICATE_VERIFY, cvBody);
+              pushTranscript(cv_data);
+              ev.emit('message', 0, context.message_sent_seq, 'certificate_verify', cv_data);
+              context.message_sent_seq++;
+            }
+
 
           }else if (context.isServer==true && context.cert_sent == true) {
 
@@ -1528,7 +2093,7 @@ function TLSSession(options){
               sig_alg: scheme12,
               signature: sig_data
             });
-            context.transcript.push(message_data);
+            pushTranscript(message_data);
 
             context.key_exchange_sent = true;
             
@@ -1541,16 +2106,16 @@ function TLSSession(options){
       }
 
       //server hello done - 1.2 only...
-      if(context.isServer==true && context.selected_version == wire.TLS_VERSION.TLS1_2){
+      if(context.isServer==true && (context.selected_version === wire.TLS_VERSION.TLS1_2 || context.selected_version === wire.DTLS_VERSION.DTLS1_2)){
         if(context.hello_done_sent==false && context.key_exchange_sent==true){
 
           let message_data = build_tls_message({
             type: 'server_hello_done'});
-          context.transcript.push(message_data);
+          pushTranscript(message_data);
 
           context.hello_done_sent=true;
 
-          ev.emit('message',0,context.message_sent_seq,'certificate',message_data);
+          ev.emit('message',0,context.message_sent_seq,'server_hello_done',message_data);
 
           context.message_sent_seq++;
 
@@ -1559,6 +2124,73 @@ function TLSSession(options){
       
       
 
+      // TLS 1.2 server: send NewSessionTicket (RFC 5077) BEFORE our Finished.
+      // Per RFC 5077 §3.3: "sent during the TLS handshake before the ChangeCipherSpec
+      // message, after the server has successfully verified the client's Finished message."
+      // Must run BEFORE the Finished send block below (which sets finished_sent=true).
+      // NOTE: Only for FULL handshake. In abbreviated handshake, we'd need to signal renewal
+      // via SESSION_TICKET ext in SH (which we don't add for abbreviated per RFC 5077 §3.2),
+      // so sending NST would cause "unexpected message" errors on strict clients (e.g. openssl).
+      // Renewal is optional per RFC 5077 §3.3 — safer to skip it in abbreviated.
+      // Excluded for DTLS 1.2 — implementations (e.g. openssl s_server -dtls1_2) don't always
+      // support it well. Revisit if needed.
+      if (context.selected_version === wire.TLS_VERSION.TLS1_2 &&
+          context.isServer && !context.tls12_newsession_sent && context.sessionTickets &&
+          context.tls12_session_ticket_requested && !context.tls12_abbreviated &&
+          context.base_secret) {
+
+        // Full handshake only: send NST after client's Finished verified, before server's Finished.
+        let can_send_nst = context.remote_finished_ok && !context.finished_sent;
+
+        if (can_send_nst) {
+          context.tls12_newsession_sent = true;
+
+          // Ensure ticketKeys is 48 bytes
+          if (!context.ticketKeys || context.ticketKeys.length !== 48) {
+            context.ticketKeys = crypto.randomBytes(48);
+          }
+
+          // Build session state to encrypt into ticket
+          let ticket = encrypt_session_blob({
+            v: 12,                                      // blob kind: TLS 1.2
+            version: context.selected_version,
+            cipher: context.selected_cipher_suite,
+            master_secret: context.base_secret,
+            extended_master_secret: !!context.use_extended_master_secret,
+            sni: context.selected_sni || context.remote_sni || null,
+            alpn: context.selected_alpn || null,
+            created: Date.now(),
+          }, context.ticketKeys);
+
+          let nst_data = build_tls_message({
+            type: 'new_session_ticket_tls12',
+            ticket_lifetime_hint: context.ticketLifetime,
+            ticket: ticket,
+          });
+
+          pushTranscript(nst_data);
+          // epoch 0 = cleartext (server hasn't sent its CCS yet)
+          ev.emit('message', 0, context.message_sent_seq, 'new_session_ticket', nst_data);
+          context.message_sent_seq++;
+
+          // Server-side 'session' event for monitoring / backward compat with lemon-tls
+          let server_session_blob = encode_client_session({
+            v: 12,
+            version: context.selected_version,
+            cipher: context.selected_cipher_suite,
+            master_secret: context.base_secret,
+            extended_master_secret: !!context.use_extended_master_secret,
+            ticket: ticket,
+            session_id: context.remote_session_id || null,
+            lifetime: context.ticketLifetime,
+            sni: context.selected_sni || context.remote_sni || null,
+            alpn: context.selected_alpn || null,
+            created: Date.now(),
+          });
+          ev.emit('session', server_session_blob);
+        }
+      }
+
       //send finished...
       // Client: send Certificate + CertificateVerify before Finished (if server requested)
       if(context.isServer==false && context.certificateRequested && !context.clientCertSent &&
@@ -1574,13 +2206,13 @@ function TLSSession(options){
             entries: certCtx.certificateChain,
             certificate_request_context: context.certificateRequestContext || new Uint8Array(0),
           });
-          context.transcript.push(cert_data);
+          pushTranscript(cert_data);
           ev.emit('message', 1, context.message_sent_seq, 'certificate', cert_data);
           context.message_sent_seq++;
 
           // Send CertificateVerify
           let hashName = TLS_CIPHER_SUITES[context.selected_cipher_suite].hash;
-          let transcript_hash = getHashFn(hashName)(concatUint8Arrays(context.transcript));
+          let transcript_hash = get_transcript_hash(hashName);
           let scheme = pick_scheme(context.certificateRequestSigAlgs.length > 0 ? context.certificateRequestSigAlgs : context.local_supported_signature_algorithms, certCtx.privateKey);
           let signature = sign_with_scheme(scheme, certCtx.privateKey, transcript_hash, false);
           let cv_data = build_tls_message({
@@ -1588,7 +2220,7 @@ function TLSSession(options){
             scheme: scheme,
             signature: signature,
           });
-          context.transcript.push(cv_data);
+          pushTranscript(cv_data);
           ev.emit('message', 1, context.message_sent_seq, 'certificate_verify', cv_data);
           context.message_sent_seq++;
         } else {
@@ -1599,7 +2231,7 @@ function TLSSession(options){
             entries: [],
             certificate_request_context: context.certificateRequestContext || new Uint8Array(0),
           });
-          context.transcript.push(cert_data);
+          pushTranscript(cert_data);
           ev.emit('message', 1, context.message_sent_seq, 'certificate', cert_data);
           context.message_sent_seq++;
         }
@@ -1609,11 +2241,12 @@ function TLSSession(options){
       // base_secret may be null after app secrets are derived, so we also check handshake secret.
       if (context.finished_sent==false && context.selected_cipher_suite!==null && (context.base_secret!==null || context.local_handshake_traffic_secret!==null)){
 
-        if(context.selected_version === wire.TLS_VERSION.TLS1_3 && context.local_handshake_traffic_secret!==null){
+        if((context.selected_version === wire.TLS_VERSION.TLS1_3 || context.selected_version === wire.DTLS_VERSION.DTLS1_3) && context.local_handshake_traffic_secret!==null){
 
           if((context.isServer==false && context.remote_finished_ok==true && context.local_app_traffic_secret!==null && context.remote_app_traffic_secret!==null) || (context.isServer==true && context.cert_verify_sent==true && context.local_cert_chain!==null) || (context.isServer==true && context.psk_accepted==true && context.encrypted_exts_sent==true)){
 
-            let finished_data=get_handshake_finished(TLS_CIPHER_SUITES[context.selected_cipher_suite].hash,context.local_handshake_traffic_secret,concatUint8Arrays(context.transcript));
+            let finHashName = TLS_CIPHER_SUITES[context.selected_cipher_suite].hash;
+            let finished_data=get_handshake_finished_with_hash(finHashName,context.local_handshake_traffic_secret,get_transcript_hash(finHashName));
             context.local_finished_data = finished_data;
 
             let message_data = build_tls_message({
@@ -1621,7 +2254,7 @@ function TLSSession(options){
               data: finished_data
             });
 
-            context.transcript.push(message_data);
+            pushTranscript(message_data);
 
             context.finished_sent=true;
 
@@ -1631,18 +2264,36 @@ function TLSSession(options){
 
           }
 
-        }else if(context.selected_version === wire.TLS_VERSION.TLS1_2){
+        }else if((context.selected_version === wire.TLS_VERSION.TLS1_2 || context.selected_version === wire.DTLS_VERSION.DTLS1_2)){
 
-          if((context.isServer==true && context.remote_finished_ok==true) || (context.isServer==false && context.key_exchange_sent==true)){
+          // Finished ordering differs between full and abbreviated handshake:
+          //   Full:        client sends first (after CKE), then server (after client's Finished).
+          //   Abbreviated: server sends first (after ServerHello), then client (after server's Finished).
+          let can_send_finished;
+          if (context.tls12_abbreviated) {
+            if (context.isServer) {
+              can_send_finished = context.hello_sent == true;                // after ServerHello
+            } else {
+              can_send_finished = context.remote_finished_ok == true;        // after server's Finished
+            }
+          } else {
+            if (context.isServer) {
+              can_send_finished = context.remote_finished_ok == true;
+            } else {
+              can_send_finished = context.key_exchange_sent == true;
+            }
+          }
 
-            let hashFn  = getHashFn(TLS_CIPHER_SUITES[context.selected_cipher_suite].hash);
-            let transcript_hash = hashFn(concatUint8Arrays(context.transcript));
+          if (can_send_finished) {
+
+            let finishedHashName = TLS_CIPHER_SUITES[context.selected_cipher_suite].hash;
+            let transcript_hash = get_transcript_hash(finishedHashName);
 
             let finished_data;
             if(context.isServer==true){
-              finished_data=tls12_prf(context.base_secret, "server finished", transcript_hash, 12, TLS_CIPHER_SUITES[context.selected_cipher_suite].hash);
+              finished_data=tls12_prf(context.base_secret, "server finished", transcript_hash, 12, finishedHashName);
             }else{
-              finished_data=tls12_prf(context.base_secret, "client finished", transcript_hash, 12, TLS_CIPHER_SUITES[context.selected_cipher_suite].hash);
+              finished_data=tls12_prf(context.base_secret, "client finished", transcript_hash, 12, finishedHashName);
             }
             context.local_finished_data = finished_data;
 
@@ -1651,7 +2302,7 @@ function TLSSession(options){
               data: finished_data
             });
 
-            context.transcript.push(message_data);
+            pushTranscript(message_data);
 
             context.finished_sent=true;
 
@@ -1666,12 +2317,13 @@ function TLSSession(options){
       }
 
       //get app traffic secret...
-      if (context.selected_version === wire.TLS_VERSION.TLS1_3){
+      if ((context.selected_version === wire.TLS_VERSION.TLS1_3 || context.selected_version === wire.DTLS_VERSION.DTLS1_3)){
         if(context.base_secret!==null && context.local_app_traffic_secret==null && context.remote_app_traffic_secret==null){
 
           if((context.isServer==true && context.finished_sent==true && context.remote_finished_ok==false) || (context.isServer==false && context.finished_sent==false && context.remote_finished_ok==true)){
 
-            let result2 = derive_app_traffic_secrets(TLS_CIPHER_SUITES[context.selected_cipher_suite].hash, context.base_secret, concatUint8Arrays(context.transcript));
+            let appHashName = TLS_CIPHER_SUITES[context.selected_cipher_suite].hash;
+            let result2 = derive_app_traffic_secrets_with_hash(appHashName, context.base_secret, get_transcript_hash(appHashName));
 
             // Save master_secret for resumption before clearing
             params_to_set['tls13_master_secret'] = result2.master_secret;
@@ -1692,26 +2344,27 @@ function TLSSession(options){
       //expected_remote_finished...
       if (context.expected_remote_finished==null && context.selected_cipher_suite!==null){
 
-        if(context.selected_version == wire.TLS_VERSION.TLS1_3 && context.remote_handshake_traffic_secret!==null){
+        if((context.selected_version === wire.TLS_VERSION.TLS1_3 || context.selected_version === wire.DTLS_VERSION.DTLS1_3) && context.remote_handshake_traffic_secret!==null){
 
           if((context.isServer==true && context.finished_sent==true) || (context.isServer==false && context.remote_finished !== null)){
 
-            params_to_set['expected_remote_finished']=get_handshake_finished(TLS_CIPHER_SUITES[context.selected_cipher_suite].hash,context.remote_handshake_traffic_secret,concatUint8Arrays(context.transcript));
+            let remoteFinHashName = TLS_CIPHER_SUITES[context.selected_cipher_suite].hash;
+            params_to_set['expected_remote_finished']=get_handshake_finished_with_hash(remoteFinHashName,context.remote_handshake_traffic_secret,get_transcript_hash(remoteFinHashName));
 
           }
 
-        }else if(context.selected_version === wire.TLS_VERSION.TLS1_2 && context.base_secret!==null){
+        }else if((context.selected_version === wire.TLS_VERSION.TLS1_2 || context.selected_version === wire.DTLS_VERSION.DTLS1_2) && context.base_secret!==null){
 
           if(context.remote_finished!==null){
 
 
-            let hashFn  = getHashFn(TLS_CIPHER_SUITES[context.selected_cipher_suite].hash);
-            let transcript_hash = hashFn(concatUint8Arrays(context.transcript));
+            let tls12FinHashName = TLS_CIPHER_SUITES[context.selected_cipher_suite].hash;
+            let transcript_hash = get_transcript_hash(tls12FinHashName);
 
             if(context.isServer==true){
-              params_to_set['expected_remote_finished']=tls12_prf(context.base_secret, "client finished", transcript_hash, 12, TLS_CIPHER_SUITES[context.selected_cipher_suite].hash);
+              params_to_set['expected_remote_finished']=tls12_prf(context.base_secret, "client finished", transcript_hash, 12, tls12FinHashName);
             }else{
-              params_to_set['expected_remote_finished']=tls12_prf(context.base_secret, "server finished", transcript_hash, 12, TLS_CIPHER_SUITES[context.selected_cipher_suite].hash);
+              params_to_set['expected_remote_finished']=tls12_prf(context.base_secret, "server finished", transcript_hash, 12, tls12FinHashName);
             }
 
             
@@ -1736,7 +2389,7 @@ function TLSSession(options){
             data: context.remote_finished
           });
 
-          context.transcript.push(message_data);
+          pushTranscript(message_data);
 
           params_to_set['remote_finished_ok']=true;
 
@@ -1755,54 +2408,61 @@ function TLSSession(options){
 
 
 
-      if(context.state!=='connected' && context.remote_finished_ok==true && ((context.selected_version === wire.TLS_VERSION.TLS1_3 && context.local_app_traffic_secret!==null && context.remote_app_traffic_secret!==null) || context.selected_version === wire.TLS_VERSION.TLS1_2)){
+      if(context.state!=='connected' && context.remote_finished_ok==true && (((context.selected_version === wire.TLS_VERSION.TLS1_3 || context.selected_version === wire.DTLS_VERSION.DTLS1_3) && context.local_app_traffic_secret!==null && context.remote_app_traffic_secret!==null) || (context.selected_version === wire.TLS_VERSION.TLS1_2 || context.selected_version === wire.DTLS_VERSION.DTLS1_2))){
         context.state='connected';
         context.handshakeEndTime = Date.now();
         ev.emit('secureConnect');
 
         // TLS 1.3: compute resumption_master_secret (both client and server need it)
-        if (context.selected_version === wire.TLS_VERSION.TLS1_3 && context.tls13_master_secret && !context.resumption_master_secret) {
+        if ((context.selected_version === wire.TLS_VERSION.TLS1_3 || context.selected_version === wire.DTLS_VERSION.DTLS1_3) && context.tls13_master_secret && !context.resumption_master_secret) {
           let hashName = TLS_CIPHER_SUITES[context.selected_cipher_suite].hash;
-          context.resumption_master_secret = derive_resumption_master_secret(
-            hashName, context.tls13_master_secret, concatUint8Arrays(context.transcript)
+          context.resumption_master_secret = derive_resumption_master_secret_with_hash(
+            hashName, context.tls13_master_secret, get_transcript_hash(hashName)
           );
         }
 
         // TLS 1.3 server: send NewSessionTicket
-        if (context.selected_version === wire.TLS_VERSION.TLS1_3 && context.isServer && !context.session_ticket_sent && !context.noTickets && context.resumption_master_secret) {
+        if ((context.selected_version === wire.TLS_VERSION.TLS1_3 || context.selected_version === wire.DTLS_VERSION.DTLS1_3) && context.isServer && !context.session_ticket_sent && context.sessionTickets && context.resumption_master_secret) {
           context.session_ticket_sent = true;
 
           let hashName = TLS_CIPHER_SUITES[context.selected_cipher_suite].hash;
           let ticket_nonce = new Uint8Array([context.ticket_nonce_counter++]);
           let psk = derive_psk(hashName, context.resumption_master_secret, ticket_nonce);
           let ticket_age_add = crypto.randomBytes(4).readUInt32BE(0);
-          let ticket_lifetime = 7200; // 2 hours
-
-          // Ticket = encrypted PSK + metadata using ticketKeys (or random fallback)
-          // Format: iv(12) || encrypted_json || tag(16)
-          // ticketKeys: 48 bytes = name(16) + aes_key(16) + hmac_key(16)
-          // We use first 32 bytes as AES-256-GCM key for simplicity
-          let tk = context.ticketKeys || crypto.randomBytes(48);
-          let ticket_enc_key = tk.length >= 32 ? tk.slice(0, 32) : Buffer.concat([tk, crypto.randomBytes(32 - tk.length)]);
-          let ticket_iv = crypto.randomBytes(12);
-          let ticket_plaintext = Buffer.from(JSON.stringify({
-            psk: Buffer.from(psk).toString('base64'),
+          let ticket_lifetime = context.ticketLifetime;
+
+          dbg('SRV-NST', 'issuing TLS 1.3 NST — cipher:', '0x' + context.selected_cipher_suite.toString(16),
+              'hash:', hashName,
+              'transcript len:', concatUint8Arrays(context.transcript).length);
+          dbg('SRV-NST', 'ticket_nonce:', hexPreview(ticket_nonce, 4),
+              'age_add:', ticket_age_add,
+              'lifetime:', ticket_lifetime);
+          dbg('SRV-NST', 'resumption_master_secret:', hexPreview(context.resumption_master_secret, 8),
+              'derived psk:', hexPreview(psk, 8));
+
+          // Ensure ticketKeys is 48 bytes (key_name + aes_key)
+          if (!context.ticketKeys || context.ticketKeys.length !== 48) {
+            context.ticketKeys = crypto.randomBytes(48);
+          }
+
+          // Encrypt session state into opaque ticket (unified format: key_name(16) | IV(12) | CT | Tag(16))
+          let ticket = encrypt_session_blob({
+            v: 13,                                      // blob kind: TLS 1.3 PSK
+            version: context.selected_version,
             cipher: context.selected_cipher_suite,
+            psk: psk,
             age_add: ticket_age_add,
-            created: Date.now()
-          }));
-          let ticket_cipher = crypto.createCipheriv('aes-256-gcm', ticket_enc_key, ticket_iv);
-          let ticket_ct = ticket_cipher.update(ticket_plaintext);
-          ticket_cipher.final();
-          let ticket_tag = ticket_cipher.getAuthTag();
-          let ticket = Buffer.concat([ticket_iv, ticket_ct, ticket_tag]);
+            sni: context.selected_sni || context.remote_sni || null,
+            alpn: context.selected_alpn || null,
+            created: Date.now(),
+          }, context.ticketKeys);
 
           let nst_data = wire.build_message(wire.TLS_MESSAGE_TYPE.NEW_SESSION_TICKET,
             wire.build_new_session_ticket({
               ticket_lifetime: ticket_lifetime,
               ticket_age_add: ticket_age_add,
               ticket_nonce: ticket_nonce,
-              ticket: new Uint8Array(ticket),
+              ticket: ticket,
               extensions: []
             })
           );
@@ -1810,15 +2470,85 @@ function TLSSession(options){
           ev.emit('message', 2, context.message_sent_seq, 'new_session_ticket', nst_data);
           context.message_sent_seq++;
 
-          ev.emit('session', {
-            ticket: new Uint8Array(ticket),
-            ticket_nonce: ticket_nonce,
-            psk: psk,
+          // Emit 'session' event on server side too — lets users track when tickets are
+          // issued (e.g. for monitoring or metrics). Not part of Node.js API but useful.
+          // Emits the same Buffer the client would receive via their 'session' event,
+          // so server-side apps could also persist it if they want.
+          let server_session_blob = encode_client_session({
+            v: 13,
+            version: context.selected_version,
             cipher: context.selected_cipher_suite,
-            lifetime: ticket_lifetime,
+            ticket: ticket,
+            psk: psk,
             age_add: ticket_age_add,
-            maxEarlyDataSize: 0,
+            lifetime: ticket_lifetime,
+            sni: context.selected_sni || context.remote_sni || null,
+            alpn: context.selected_alpn || null,
+            created: Date.now(),
           });
+          ev.emit('session', server_session_blob);
+        }
+
+        // TLS 1.2 server: emit 'newSession' for Session ID-based resumption.
+        // Fires whenever we generated a session_id for this connection AND didn't issue
+        // a NewSessionTicket (so the client can only resume via Session ID — we need the
+        // user to store the session state). TLS 1.2 only (DTLS 1.2 excluded for now).
+        if (context.selected_version === wire.TLS_VERSION.TLS1_2 &&
+            context.isServer && !context.tls12_abbreviated && !context.tls12_newsession_sent &&
+            context.tls12_session_id_for_store && !context.tls12_session_id_emitted && context.base_secret &&
+            context.remote_finished_ok) {
+
+          context.tls12_session_id_emitted = true;
+
+          // Ensure ticketKeys is 48 bytes (used to encrypt stored session data)
+          if (!context.ticketKeys || context.ticketKeys.length !== 48) {
+            context.ticketKeys = crypto.randomBytes(48);
+          }
+
+          let stored_blob = encrypt_session_blob({
+            v: 12,
+            version: context.selected_version,
+            cipher: context.selected_cipher_suite,
+            master_secret: context.base_secret,
+            extended_master_secret: !!context.use_extended_master_secret,
+            sni: context.selected_sni || context.remote_sni || null,
+            alpn: context.selected_alpn || null,
+            created: Date.now(),
+          }, context.ticketKeys);
+
+          // User stores this; returns it on next handshake via 'resumeSession' callback.
+          ev.emit('newSession', context.tls12_session_id_for_store, stored_blob, function() {
+            // Callback is advisory — we don't block on it in lemon-tls.
+            // (Node.js blocks the handshake until callback is invoked, but our reactive
+            // model decouples this: the session is marked for storage and we continue.)
+          });
+        }
+
+        // TLS 1.2 client: emit 'session' for Session ID-only resumption (no ticket received).
+        // Fires at secureConnect when the server gave us a non-empty session_id but no
+        // NewSessionTicket — the client's only way to resume is via Session ID, so we must
+        // give the user a blob containing session_id + master_secret to pass back later.
+        // TLS 1.2 only (DTLS 1.2 excluded for now).
+        if (context.selected_version === wire.TLS_VERSION.TLS1_2 &&
+            !context.isServer && !context.tls12_abbreviated && !context.tls12_client_session_emitted &&
+            context.remote_session_id && context.remote_session_id.length > 0 &&
+            context.base_secret && context.remote_finished_ok) {
+
+          context.tls12_client_session_emitted = true;
+
+          let session_blob = encode_client_session({
+            v: 12,                                    // blob kind: TLS 1.2
+            version: context.selected_version,
+            cipher: context.selected_cipher_suite,
+            master_secret: context.base_secret,
+            extended_master_secret: !!context.use_extended_master_secret,
+            ticket: null,                             // no ticket — Session ID only
+            session_id: context.remote_session_id,
+            sni: context.local_sni || null,
+            alpn: context.selected_alpn || null,
+            created: Date.now(),
+          });
+          ev.emit('session', session_blob);
         }
       }
 
@@ -1986,7 +2716,7 @@ function TLSSession(options){
         },
         // TLS 1.2 compatibility
         { type: 'RENEGOTIATION_INFO', value: new Uint8Array(0) },
-        { type: 23, data: new Uint8Array(0) } // extended_master_secret
+        { type: 'EXTENDED_MASTER_SECRET', value: null }
       ];
 
       // Add SNI if servername was provided
@@ -2004,35 +2734,47 @@ function TLSSession(options){
         extensions.push(context.local_extensions[i]);
       }
 
-      // PSK resumption: check if session/psk was provided
-      let pskData = options.session || options.psk || null;
+      // Resumption: check if session was provided (opaque Buffer) — decode to structured data
+      let sessionData = null;
+      if (options.session) {
+        // options.session may be a Buffer/Uint8Array (Node.js style) or a plain object (legacy)
+        if (options.session instanceof Uint8Array || Buffer.isBuffer(options.session)) {
+          sessionData = decode_client_session(options.session);
+        } else if (typeof options.session === 'object') {
+          sessionData = options.session; // legacy: already-structured object
+        }
+      } else if (options.psk) {
+        sessionData = options.psk; // legacy path
+      }
+
       let message_data;
 
-      if (pskData && pskData.psk && pskData.ticket && pskData.cipher) {
+      // TLS 1.3 PSK resumption (sessionData contains psk)
+      if (sessionData && sessionData.psk && sessionData.ticket && sessionData.cipher) {
         // Add PSK key exchange modes (psk_dhe_ke = 1)
         extensions.push({ type: 'PSK_KEY_EXCHANGE_MODES', value: [1] });
 
         // Save PSK for later verification
         context.psk_offered = {
-          identity: pskData.ticket,
-          psk: pskData.psk instanceof Uint8Array ? pskData.psk : new Uint8Array(pskData.psk),
-          cipher: pskData.cipher,
-          age_add: pskData.age_add || 0,
+          identity: sessionData.ticket,
+          psk: sessionData.psk instanceof Uint8Array ? sessionData.psk : new Uint8Array(sessionData.psk),
+          cipher: sessionData.cipher,
+          age_add: sessionData.age_add || 0,
         };
 
         // Compute obfuscated ticket age
-        let ticketAge = pskData.lifetime ? Math.min((Date.now() - (pskData.created || Date.now())) / 1000, pskData.lifetime) * 1000 : 0;
-        let obfuscatedAge = ((ticketAge + (pskData.age_add || 0)) & 0xFFFFFFFF) >>> 0;
+        let ticketAge = sessionData.lifetime ? Math.min((Date.now() - (sessionData.created || Date.now())) / 1000, sessionData.lifetime) * 1000 : 0;
+        let obfuscatedAge = ((ticketAge + (sessionData.age_add || 0)) & 0xFFFFFFFF) >>> 0;
 
         // Build ClientHello with placeholder binder to compute truncated hash
-        let hashName = TLS_CIPHER_SUITES[pskData.cipher] ? TLS_CIPHER_SUITES[pskData.cipher].hash : 'sha256';
+        let hashName = TLS_CIPHER_SUITES[sessionData.cipher] ? TLS_CIPHER_SUITES[sessionData.cipher].hash : 'sha256';
         let hashLen = getHashFn(hashName).outputLen;
         let placeholderBinder = new Uint8Array(hashLen);
 
         let pskExt = {
           type: 'PRE_SHARED_KEY',
           value: {
-            identities: [{ identity: pskData.ticket, age: obfuscatedAge }],
+            identities: [{ identity: sessionData.ticket, age: obfuscatedAge }],
             binders: [placeholderBinder]
           }
         };
@@ -2044,6 +2786,7 @@ function TLSSession(options){
           version: 0x0303,
           random: context.local_random,
           session_id: context.local_session_id,
+          cookie: context.dtls_cookie,
           cipher_suite: context.local_supported_cipher_suites,
           extensions: extensions
         };
@@ -2057,24 +2800,76 @@ function TLSSession(options){
         let binder_key = derive_binder_key(hashName, context.psk_offered.psk, false);
         let binder = compute_psk_binder(hashName, binder_key, truncatedMessage);
 
+        dbg('CLI-PSK', 'ticket:', hexPreview(sessionData.ticket, 24),
+            'cipher:', '0x' + sessionData.cipher.toString(16),
+            'hash:', hashName);
+        dbg('CLI-PSK', 'psk:', hexPreview(sessionData.psk, 8),
+            'age_add:', sessionData.age_add,
+            'lifetime:', sessionData.lifetime,
+            'ticketAge (ms):', ticketAge,
+            'obfuscatedAge:', obfuscatedAge);
+        dbg('CLI-PSK', 'truncatedMessage len:', truncatedMessage.length,
+            'full CH len (after real binder):', 'see next');
+        dbg('CLI-PSK', 'sent binder:', hexPreview(binder, 16));
+
         // Rebuild with real binder
         pskExt.value.binders = [binder];
         message_data = build_tls_message(build_message_params);
 
+      } else if (sessionData && sessionData.v === 12 && sessionData.master_secret) {
+        // TLS 1.2 resumption: session ID and/or SessionTicket
+        // Save for later verification when ServerHello arrives
+        context.tls12_client_session = sessionData;
+
+        // Only advertise SESSION_TICKET ext if we actually have a ticket to present.
+        // If we only have a session_id (no ticket), don't include empty SESSION_TICKET ext:
+        // servers with SSL_OP_NO_TICKET can behave inconsistently when the extension appears
+        // alongside a session_id resumption attempt — they may skip the session_id lookup.
+        if (sessionData.ticket && sessionData.ticket.length > 0) {
+          extensions.push({ type: 'SESSION_TICKET', value: sessionData.ticket });
+        }
+
+        // If we have a session_id → put it in ClientHello.session_id (overrides the random one)
+        let sid = context.local_session_id;
+        if (sessionData.session_id && sessionData.session_id.length > 0) {
+          sid = sessionData.session_id;
+          context.local_session_id = sid;
+        }
+
+        let build_message_params = {
+          type: 'client_hello',
+          version: 0x0303,
+          random: context.local_random,
+          session_id: sid,
+          cookie: context.dtls_cookie,
+          cipher_suite: context.local_supported_cipher_suites,
+          extensions: extensions
+        };
+        message_data = build_tls_message(build_message_params);
+
       } else {
-        // No PSK — standard ClientHello
+        // No resumption — advertise empty SessionTicket extension to offer support.
+        // Skip for DTLS (DTLS clients/servers often don't implement RFC 5077 fully,
+        // and adding it caused interop issues with openssl s_server -dtls1_2).
+        let isDtls = context.local_supported_versions && context.local_supported_versions.some(v => (v & 0xFF00) === 0xFE00);
+        if (!isDtls && context.sessionTickets) {
+          extensions.push({ type: 'SESSION_TICKET', value: new Uint8Array(0) });
+        }
+
+        // Standard ClientHello
         let build_message_params = {
           type: 'client_hello',
           version: 0x0303,
           random: context.local_random,
           session_id: context.local_session_id,
+          cookie: context.dtls_cookie,
           cipher_suite: context.local_supported_cipher_suites,
           extensions: extensions
         };
         message_data = build_tls_message(build_message_params);
       }
 
-      context.transcript.push(message_data);
+      pushTranscript(message_data);
 
       context.hello_sent=true;
 
@@ -2140,7 +2935,7 @@ function TLSSession(options){
 
     /** Returns the negotiated ALPN protocol string (e.g. 'h2'), or null. */
     getALPN: function(){
-      return context.alpn_selected || null;
+      return context.selected_alpn || null;
     },
 
     /** Returns the remote certificate chain, or null. */
@@ -2218,7 +3013,7 @@ function TLSSession(options){
       let cipherInfo = context.selected_cipher_suite ? TLS_CIPHER_SUITES[context.selected_cipher_suite] : null;
       return {
         version: context.selected_version,
-        versionName: context.selected_version === 0x0304 ? 'TLSv1.3' : context.selected_version === 0x0303 ? 'TLSv1.2' : null,
+        versionName: context.selected_version === 0x0304 ? 'TLSv1.3' : context.selected_version === 0xFEFC ? 'DTLSv1.3' : context.selected_version === 0x0303 ? 'TLSv1.2' : context.selected_version === 0xFEFD ? 'DTLSv1.2' : null,
         cipher: context.selected_cipher_suite,
         cipherName: cipherInfo ? cipherInfo.name : null,
         group: context.selected_group,
@@ -2255,7 +3050,7 @@ function TLSSession(options){
 
     /** Request a TLS 1.3 Key Update. requestPeer=true means ask the other side to update too. */
     requestKeyUpdate: function(requestPeer){
-      if (context.state !== 'connected' || context.selected_version !== wire.TLS_VERSION.TLS1_3) return;
+      if (context.state !== 'connected' || (context.selected_version !== wire.TLS_VERSION.TLS1_3 && context.selected_version !== wire.DTLS_VERSION.DTLS1_3)) return;
       let hashName = TLS_CIPHER_SUITES[context.selected_cipher_suite].hash;
       let hashLen = getHashLen(hashName);