How was the TLS 1.2 handshake different from TLS 1.3?

5 minintermediatetls-1.2tls-handshakecomparison

Quick Answer

TLS 1.2 needed two round trips before application data could be sent, because the client had to wait for the server's ServerHello and certificate before it knew which key-exchange method to use, and only then could it send its own key material. TLS 1.3 collapses this to one round trip by having the client guess the key-exchange method up front. TLS 1.2 also allowed weaker, insecure options that TLS 1.3 removed entirely.

Detailed Answer

The core difference is timing: in TLS 1.2, the client had to wait to hear from the server before it could send its half of the key exchange.

Client                                                    Server

ClientHello
+ supported cipher suites, TLS version
   ------------------------------------------------->

                                          ServerHello (picks cipher suite)
                                          Certificate
                                          ServerKeyExchange (server's key share)
                                          ServerHelloDone
   <-------------------------------------------------

ClientKeyExchange (client's key share)
ChangeCipherSpec
Finished
   ------------------------------------------------->

                                          ChangeCipherSpec
                                          Finished
   <-------------------------------------------------

Application Data (encrypted)
   ------------------------------------------------->

Why TLS 1.2 needed the extra round trip: the client's ClientHello only listed cipher suites it supported. It did not commit to one yet. The client had to wait for the server's ServerHello to find out which cipher suite the server actually chose, before it could generate and send a matching key share. That "wait, then respond" pattern costs a full extra round trip.

TLS 1.3 removes this wait: the client sends a guessed key share immediately, in the very first message, based on the key-exchange groups it expects most servers to support. If the guess is right (which it almost always is), no extra round trip is needed.

Besides the extra round trip, TLS 1.2 also permitted several things TLS 1.3 dropped entirely: RSA key exchange without forward secrecy, older weak ciphers, and compression (linked to security issues like the CRIME attack). The next question lists these improvements directly.