1 | initial version |
In your example, the ChangeCipherSpec comes straight after the ServerHello. This means this is a resumed session (either cached on both client and server or there was a TLS ticket). In resumed sessions the authentication of the server certificate (and in case of mutual TLS, also the client certificate) has already taken place so the cetificate(s) will not be exchanged.
If this is a test with a browser, make sure you start your capture before you open your browser (and close all open browser windows before you start).