I know I'm late looking at how TLS v1.3 works. Am I correct in understanding that older versions sent the certificate in the clear, then exchanged bulk encryption keys? But that v1.3 now exchanges keys first, and then sends the certificate encrypted?
1.3 is essentially C_HELLO, C_ECDHE, S_HELLO, S_ECDHE, S_CERT, S_SIGNATURE ... which saves an RTT and the cert can be encrypted under a key scheduled derived from the ECDHE exchange and transcript, with an RSA PSS signature for attestation. ECDSA still uncommon for any version.