diff --git a/internal/client/TLS.go b/internal/client/TLS.go
index 1a27a9d..5bdbf61 100644
--- a/internal/client/TLS.go
+++ b/internal/client/TLS.go
@@ -66,9 +66,12 @@ func PrepareConnection(sta *State, conn net.Conn) (sessionKey []byte, err error)
 		return
 	}
 
-	_, err = util.ReadTLS(conn, buf)
-	if err != nil {
-		return
+	for i := 0; i < 2; i++ {
+		// ChangeCipherSpec and EncryptedCert (in the format of application data)
+		_, err = util.ReadTLS(conn, buf)
+		if err != nil {
+			return
+		}
 	}
 
 	return sessionKey, nil
diff --git a/internal/server/TLS.go b/internal/server/TLS.go
index a787397..7302141 100644
--- a/internal/server/TLS.go
+++ b/internal/server/TLS.go
@@ -212,7 +212,11 @@ func composeReply(ch *ClientHello, sharedSecret []byte, sessionKey []byte) ([]by
 	}
 	shBytes := addRecordLayer(sh, []byte{0x16}, TLS12)
 	ccsBytes := addRecordLayer([]byte{0x01}, []byte{0x14}, TLS12)
+	cert := make([]byte, 68) // this is always 68 bytes
+	rand.Read(cert)
+	encryptedCertBytes := addRecordLayer(cert, []byte{0x17}, TLS12)
 	ret := append(shBytes, ccsBytes...)
+	ret = append(ret, encryptedCertBytes...)
 	return ret, nil
 }