diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 000000000..3da493f8e
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,13 @@
+## Goal
+<!-- What does this PR accomplish? 1 sentence. -->
+
+## Changes
+- 
+
+## Testing
+<!-- How did you verify it? -->
+
+## Checklist
+- [ ] Title is a clear sentence (<= 70 chars)
+- [ ] Commits are signed (`git log --show-signature`)
+- [ ] `submissions/labN.md` updated
diff --git a/submissions/lab4-docker-trace.pcap b/submissions/lab4-docker-trace.pcap
new file mode 100644
index 000000000..a322a76b4
Binary files /dev/null and b/submissions/lab4-docker-trace.pcap differ
diff --git a/submissions/lab4-docker-trace.txt b/submissions/lab4-docker-trace.txt
new file mode 100644
index 000000000..a06c8a29f
--- /dev/null
+++ b/submissions/lab4-docker-trace.txt
@@ -0,0 +1,50 @@
+Lab 4 annotated packet trace
+Environment: Linux container, loopback interface lo
+Capture file: submissions/lab4-docker-trace.pcap
+Decoded with: tcpdump -r submissions/lab4-docker-trace.pcap -nn -A
+
+reading from file submissions/lab4-docker-trace.pcap, link-type EN10MB (Ethernet), snapshot length 262144
+14:16:25.452682 IP 127.0.0.1.47304 > 127.0.0.1.8080: Flags [S], seq 4278554227, win 65495, options [mss 65495,sackOK,TS val 2462602185 ecr 0,nop,wscale 7], length 0
+E..<9.@.@..................s.........0.........
+..S.........
+14:16:25.452689 IP 127.0.0.1.8080 > 127.0.0.1.47304: Flags [S.], seq 1200757750, ack 4278554228, win 65483, options [mss 65495,sackOK,TS val 2462602185 ecr 2462602185,nop,wscale 7], length 0
+E..<..@.@.<.............G......t.....0.........
+..S...S.....
+14:16:25.452695 IP 127.0.0.1.47304 > 127.0.0.1.8080: Flags [.], ack 1, win 512, options [nop,nop,TS val 2462602185 ecr 2462602185], length 0
+E..49.@.@..................tG........(.....
+..S...S.
+14:16:25.452898 IP 127.0.0.1.47304 > 127.0.0.1.8080: Flags [P.], seq 1:176, ack 1, win 512, options [nop,nop,TS val 2462602185 ecr 2462602185], length 175: HTTP: POST /notes HTTP/1.1
+E...9.@.@..^...............tG..............
+..S...S.POST /notes HTTP/1.1
+Host: localhost:8080
+User-Agent: curl/7.88.1
+Accept: */*
+Content-Type: application/json
+Content-Length: 39
+
+{"title":"trace me","body":"in flight"}
+14:16:25.452912 IP 127.0.0.1.8080 > 127.0.0.1.47304: Flags [.], ack 176, win 511, options [nop,nop,TS val 2462602185 ecr 2462602185], length 0
+E..4.<@.@.y.............G......#.....(.....
+..S...S.
+14:16:25.453162 IP 127.0.0.1.8080 > 127.0.0.1.47304: Flags [P.], seq 1:207, ack 176, win 512, options [nop,nop,TS val 2462602185 ecr 2462602185], length 206: HTTP: HTTP/1.1 201 Created
+E....=@.@.x.............G......#...........
+..S...S.HTTP/1.1 201 Created
+Content-Type: application/json
+Date: Sun, 14 Jun 2026 14:16:25 GMT
+Content-Length: 93
+
+{"id":5,"title":"trace me","body":"in flight","created_at":"2026-06-14T14:16:25.453003253Z"}
+
+14:16:25.453165 IP 127.0.0.1.47304 > 127.0.0.1.8080: Flags [.], ack 207, win 511, options [nop,nop,TS val 2462602185 ecr 2462602185], length 0
+E..49.@.@..................#G........(.....
+..S...S.
+14:16:25.456667 IP 127.0.0.1.47304 > 127.0.0.1.8080: Flags [F.], seq 176, ack 207, win 512, options [nop,nop,TS val 2462602189 ecr 2462602185], length 0
+E..49.@.@..................#G........(.....
+..S...S.
+14:16:25.456716 IP 127.0.0.1.8080 > 127.0.0.1.47304: Flags [F.], seq 207, ack 177, win 512, options [nop,nop,TS val 2462602189 ecr 2462602189], length 0
+E..4.>@.@.y.............G......$.....(.....
+..S...S.
+14:16:25.456730 IP 127.0.0.1.47304 > 127.0.0.1.8080: Flags [.], ack 208, win 512, options [nop,nop,TS val 2462602189 ecr 2462602189], length 0
+E..49.@.@..
+...............$G........(.....
+..S...S.
diff --git a/submissions/lab4-linux-evidence.txt b/submissions/lab4-linux-evidence.txt
new file mode 100644
index 000000000..5b79a7232
--- /dev/null
+++ b/submissions/lab4-linux-evidence.txt
@@ -0,0 +1,141 @@
+# Lab 4 Linux Docker Evidence
+
+Date: 2026-06-14T14:16:21Z
+Kernel: Linux ae8db4a22f62 6.12.54-linuxkit #1 SMP Tue Nov  4 21:21:47 UTC 2025 aarch64 GNU/Linux
+Go: go version go1.24.13 linux/arm64
+Installed tools: iproute2 dnsutils mtr-tiny tcpdump curl procps iptables nftables jq systemd
+
+## QuickNotes startup
+2026/06/14 14:16:24 quicknotes listening on :8080 (notes loaded: 4)
+
+## Capture command
+tcpdump -i lo -nn -s 0 -A tcp port 8080 -w submissions/lab4-docker-trace.pcap
+
+## curl -v POST /notes
+Note: Unnecessary use of -X or --request, POST is already inferred.
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 127.0.0.1:8080...
+* Connected to localhost (127.0.0.1) port 8080 (#0)
+> POST /notes HTTP/1.1
+> Host: localhost:8080
+> User-Agent: curl/7.88.1
+> Accept: */*
+> Content-Type: application/json
+> Content-Length: 39
+> 
+} [39 bytes data]
+< HTTP/1.1 201 Created
+< Content-Type: application/json
+< Date: Sun, 14 Jun 2026 14:16:25 GMT
+< Content-Length: 93
+< 
+{ [93 bytes data]
+
100   132  100    93  100    39   8200   3438 --:--:-- --:--:-- --:--:-- 12000
+* Connection #0 to host localhost left intact
+{"id":5,"title":"trace me","body":"in flight","created_at":"2026-06-14T14:16:25.453003253Z"}
+
+## tcpdump capture log
+tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
+10 packets captured
+20 packets received by filter
+0 packets dropped by kernel
+
+## tcpdump decode
+reading from file submissions/lab4-docker-trace.pcap, link-type EN10MB (Ethernet), snapshot length 262144
+14:16:25.452682 IP 127.0.0.1.47304 > 127.0.0.1.8080: Flags [S], seq 4278554227, win 65495, options [mss 65495,sackOK,TS val 2462602185 ecr 0,nop,wscale 7], length 0
+E..<9.@.@..................s.........0.........
+..S.........
+14:16:25.452689 IP 127.0.0.1.8080 > 127.0.0.1.47304: Flags [S.], seq 1200757750, ack 4278554228, win 65483, options [mss 65495,sackOK,TS val 2462602185 ecr 2462602185,nop,wscale 7], length 0
+E..<..@.@.<.............G......t.....0.........
+..S...S.....
+14:16:25.452695 IP 127.0.0.1.47304 > 127.0.0.1.8080: Flags [.], ack 1, win 512, options [nop,nop,TS val 2462602185 ecr 2462602185], length 0
+E..49.@.@..................tG........(.....
+..S...S.
+14:16:25.452898 IP 127.0.0.1.47304 > 127.0.0.1.8080: Flags [P.], seq 1:176, ack 1, win 512, options [nop,nop,TS val 2462602185 ecr 2462602185], length 175: HTTP: POST /notes HTTP/1.1
+E...9.@.@..^...............tG..............
+..S...S.POST /notes HTTP/1.1
+Host: localhost:8080
+User-Agent: curl/7.88.1
+Accept: */*
+Content-Type: application/json
+Content-Length: 39
+
+{"title":"trace me","body":"in flight"}
+14:16:25.452912 IP 127.0.0.1.8080 > 127.0.0.1.47304: Flags [.], ack 176, win 511, options [nop,nop,TS val 2462602185 ecr 2462602185], length 0
+E..4.<@.@.y.............G......#.....(.....
+..S...S.
+14:16:25.453162 IP 127.0.0.1.8080 > 127.0.0.1.47304: Flags [P.], seq 1:207, ack 176, win 512, options [nop,nop,TS val 2462602185 ecr 2462602185], length 206: HTTP: HTTP/1.1 201 Created
+E....=@.@.x.............G......#...........
+..S...S.HTTP/1.1 201 Created
+Content-Type: application/json
+Date: Sun, 14 Jun 2026 14:16:25 GMT
+Content-Length: 93
+
+{"id":5,"title":"trace me","body":"in flight","created_at":"2026-06-14T14:16:25.453003253Z"}
+
+14:16:25.453165 IP 127.0.0.1.47304 > 127.0.0.1.8080: Flags [.], ack 207, win 511, options [nop,nop,TS val 2462602185 ecr 2462602185], length 0
+E..49.@.@..................#G........(.....
+..S...S.
+14:16:25.456667 IP 127.0.0.1.47304 > 127.0.0.1.8080: Flags [F.], seq 176, ack 207, win 512, options [nop,nop,TS val 2462602189 ecr 2462602185], length 0
+E..49.@.@..................#G........(.....
+..S...S.
+14:16:25.456716 IP 127.0.0.1.8080 > 127.0.0.1.47304: Flags [F.], seq 207, ack 177, win 512, options [nop,nop,TS val 2462602189 ecr 2462602189], length 0
+E..4.>@.@.y.............G......$.....(.....
+..S...S.
+14:16:25.456730 IP 127.0.0.1.47304 > 127.0.0.1.8080: Flags [.], ack 208, win 512, options [nop,nop,TS val 2462602189 ecr 2462602189], length 0
+E..49.@.@..
+...............$G........(.....
+..S...S.
+
+## ss -tlnp | grep :8080
+LISTEN 0      4096               *:8080            *:*    users:(("quicknotes",pid=2698,fd=3))
+
+## ip route show
+default via 172.17.0.1 dev eth0 
+172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.2 
+
+## mtr -rwc 5 localhost
+Start: 2026-06-14T14:16:26+0000
+HOST: ae8db4a22f62 Loss%   Snt   Last   Avg  Best  Wrst StDev
+  1.|-- localhost     0.0%     5    0.0   0.1   0.0   0.2   0.1
+
+## dig +short example.com @1.1.1.1
+172.66.147.243
+104.20.23.154
+
+## journalctl --user -u quicknotes -n 20 || true
+No journal files were found.
+-- No entries --
+
+## Broken deploy: second ADDR=:8080 go run .
+2026/06/14 14:16:36 quicknotes listening on :8080 (notes loaded: 4)
+2026/06/14 14:16:36 listen: listen tcp :8080: bind: address already in use
+exit status 1
+
+## ps -ef | grep quicknotes
+root      2698   898  0 14:16 ?        00:00:00 /tmp/go-build1352676339/b001/exe/quicknotes
+
+## ss -tlnp | grep 8080
+LISTEN 0      4096               *:8080            *:*    users:(("quicknotes",pid=2698,fd=3))
+
+## curl health HTTP code
+200
+
+## iptables -L -n -v 2>/dev/null || nft list ruleset 2>/dev/null || true
+Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target     prot opt in     out     source               destination         
+
+Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target     prot opt in     out     source               destination         
+
+Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target     prot opt in     out     source               destination         
+
+## dig +short localhost
+127.0.0.1
+
+## Repair: kill conflicting first instance and restart
+2026/06/14 14:16:38 quicknotes listening on :8080 (notes loaded: 4)
+{"notes":4,"status":"ok"}
+
diff --git a/submissions/lab4-tls-certificate.txt b/submissions/lab4-tls-certificate.txt
new file mode 100644
index 000000000..f2643bf2d
--- /dev/null
+++ b/submissions/lab4-tls-certificate.txt
@@ -0,0 +1,41 @@
+Certificate chain from:
+
+  openssl s_client -connect localhost:8443 -servername localhost -showcerts </dev/null
+
+Summary:
+
+  Certificate chain
+   0 s:CN = localhost
+     i:CN = localhost
+     a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
+     v:NotBefore: Jun 14 15:06:32 2026 GMT; NotAfter: Jun 15 15:06:32 2026 GMT
+
+  Server certificate
+  subject=CN = localhost
+  issuer=CN = localhost
+
+  Server Temp Key: X25519, 253 bits
+  New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
+  Verify return code: 18 (self-signed certificate)
+
+PEM:
+
+-----BEGIN CERTIFICATE-----
+MIIDJTCCAg2gAwIBAgIUSP0k9s4R2iQyjbrVSNc/Vy65dl4wDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI2MDYxNDE1MDYzMloXDTI2MDYx
+NTE1MDYzMlowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAwWOkXbcSdQcoZpxk3/PB5/ev7TLg3NMW+vmQg5fRADME
+8Z0tiLrMwO4svyGFSPsjUhlFuaDk5/qzsFA1dimDOtDoJCd99Qr0tk4ZQTvoXg6D
+XSivPKcXpVrpWWb+9gVD8Z78FzROvwL+/wssEInpr6TQuK3CrChkIiIOIwsgaqZi
+/xWyCVeIfog5K1rHYWcP0PWbk8UXFl0swniZpOSXeNeyj4WfhFbBU5ZNU67QCBof
+sJq9jaH94taA9tVaFWD1l3S2eupqDhzMgcz0qjBCUJh2Ysp19wlmGaPfmjy0w/vz
+L2xTuEFWrf3XZPilXXoKplCAxRtj9fq9gDzD0KPVIwIDAQABo28wbTAdBgNVHQ4E
+FgQUGiRd6/5xAHzxOnIYW7Pkq+jFfLcwHwYDVR0jBBgwFoAUGiRd6/5xAHzxOnIY
+W7Pkq+jFfLcwDwYDVR0TAQH/BAUwAwEB/zAaBgNVHREEEzARgglsb2NhbGhvc3SH
+BH8AAAEwDQYJKoZIhvcNAQELBQADggEBAFc09g/xkV3RfFlurr6GQiYO+h5DMOYf
+6JkRfvOKyWnhvIMJRAtseQ7y2eIBU4kcYLjQYV5uKnVfVof09Iew6U6AZ+aw61Up
+5o24Qm2PqWcWBczkemKVdBeCvl/7M2DxbLyb0AfTHla9nGDIMx8yl1uXXARyKDlg
+7NEw6jI3mIIyAPafPQ3IgZpnss5iJ7b+gapv5Ryymz7hdV/I4yff9k0n5Z09ytwQ
+AVAbFdcfcnP1zU20jTaq2VxPaS+UXdafecbQ1dW4fejdOFBXm3oK/RU2TA5TdrcP
+EEEBxiB7FCGXmX1UFNuOtg0cjh9TF+tKQ+DPxPQlgJ19oNqGitSLSYU=
+-----END CERTIFICATE-----
diff --git a/submissions/lab4-tls-clienthello.txt b/submissions/lab4-tls-clienthello.txt
new file mode 100644
index 000000000..b88836c48
--- /dev/null
+++ b/submissions/lab4-tls-clienthello.txt
@@ -0,0 +1,286 @@
+Running as user "root" and group "root". This could be dangerous.
+Frame 4: 583 bytes on wire (4664 bits), 583 bytes captured (4664 bits)
+    Encapsulation type: Ethernet (1)
+    Arrival Time: Jun 14, 2026 15:06:37.058709000 UTC
+    [Time shift for this packet: 0.000000000 seconds]
+    Epoch Time: 1781449597.058709000 seconds
+    [Time delta from previous captured frame: 0.002167000 seconds]
+    [Time delta from previous displayed frame: 0.000000000 seconds]
+    [Time since reference or first frame: 0.002179000 seconds]
+    Frame Number: 4
+    Frame Length: 583 bytes (4664 bits)
+    Capture Length: 583 bytes (4664 bits)
+    [Frame is marked: False]
+    [Frame is ignored: False]
+    [Protocols in frame: eth:ethertype:ip:tcp:tls]
+Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
+    Destination: 00:00:00_00:00:00 (00:00:00:00:00:00)
+        Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
+        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
+        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
+    Source: 00:00:00_00:00:00 (00:00:00:00:00:00)
+        Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
+        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
+        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
+    Type: IPv4 (0x0800)
+Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
+    0100 .... = Version: 4
+    .... 0101 = Header Length: 20 bytes (5)
+    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
+        0000 00.. = Differentiated Services Codepoint: Default (0)
+        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
+    Total Length: 569
+    Identification: 0x64de (25822)
+    010. .... = Flags: 0x2, Don't fragment
+        0... .... = Reserved bit: Not set
+        .1.. .... = Don't fragment: Set
+        ..0. .... = More fragments: Not set
+    ...0 0000 0000 0000 = Fragment Offset: 0
+    Time to Live: 64
+    Protocol: TCP (6)
+    Header Checksum: 0xd5de [validation disabled]
+    [Header checksum status: Unverified]
+    Source Address: 127.0.0.1
+    Destination Address: 127.0.0.1
+Transmission Control Protocol, Src Port: 48542, Dst Port: 8443, Seq: 1, Ack: 1, Len: 517
+    Source Port: 48542
+    Destination Port: 8443
+    [Stream index: 0]
+    [Conversation completeness: Incomplete, ESTABLISHED (7)]
+    [TCP Segment Len: 517]
+    Sequence Number: 1    (relative sequence number)
+    Sequence Number (raw): 2445260132
+    [Next Sequence Number: 518    (relative sequence number)]
+    Acknowledgment Number: 1    (relative ack number)
+    Acknowledgment number (raw): 4134712766
+    1000 .... = Header Length: 32 bytes (8)
+    Flags: 0x018 (PSH, ACK)
+        000. .... .... = Reserved: Not set
+        ...0 .... .... = Accurate ECN: Not set
+        .... 0... .... = Congestion Window Reduced: Not set
+        .... .0.. .... = ECN-Echo: Not set
+        .... ..0. .... = Urgent: Not set
+        .... ...1 .... = Acknowledgment: Set
+        .... .... 1... = Push: Set
+        .... .... .0.. = Reset: Not set
+        .... .... ..0. = Syn: Not set
+        .... .... ...0 = Fin: Not set
+        [TCP Flags: .......AP...]
+    Window: 512
+    [Calculated window size: 65536]
+    [Window size scaling factor: 128]
+    Checksum: 0x002e [unverified]
+    [Checksum Status: Unverified]
+    Urgent Pointer: 0
+    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
+        TCP Option - No-Operation (NOP)
+            Kind: No-Operation (1)
+        TCP Option - No-Operation (NOP)
+            Kind: No-Operation (1)
+        TCP Option - Timestamps: TSval 3291739508, TSecr 3291739506
+            Kind: Time Stamp Option (8)
+            Length: 10
+            Timestamp value: 3291739508
+            Timestamp echo reply: 3291739506
+    [Timestamps]
+        [Time since first frame in this TCP stream: 0.002179000 seconds]
+        [Time since previous frame in this TCP stream: 0.002167000 seconds]
+    [SEQ/ACK analysis]
+        [iRTT: 0.000012000 seconds]
+        [Bytes in flight: 517]
+        [Bytes sent since last PSH flag: 517]
+    TCP payload (517 bytes)
+Transport Layer Security
+    TLSv1 Record Layer: Handshake Protocol: Client Hello
+        Content Type: Handshake (22)
+        Version: TLS 1.0 (0x0301)
+        Length: 512
+        Handshake Protocol: Client Hello
+            Handshake Type: Client Hello (1)
+            Length: 508
+            Version: TLS 1.2 (0x0303)
+            Random: 584f2542bd8c5964fbd68969308f0845eb605da2431bd052b1c5f8519f79e31c
+                GMT Unix Time: Dec 12, 2016 22:31:30.000000000 UTC
+                Random Bytes: bd8c5964fbd68969308f0845eb605da2431bd052b1c5f8519f79e31c
+            Session ID Length: 32
+            Session ID: b571efe8bef9079d29ebecaa49299fb59699e0485b2ef4ab30923af9ff9f169c
+            Cipher Suites Length: 62
+            Cipher Suites (31 suites)
+                Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
+                Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
+                Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
+                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
+                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
+                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
+                Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
+                Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
+                Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa)
+                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
+                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
+                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
+                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
+                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
+                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
+                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
+                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
+                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
+                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
+                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
+                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
+                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
+                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
+                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
+                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
+                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
+                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
+                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
+                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
+                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
+                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
+            Compression Methods Length: 1
+            Compression Methods (1 method)
+                Compression Method: null (0)
+            Extensions Length: 373
+            Extension: server_name (len=14)
+                Type: server_name (0)
+                Length: 14
+                Server Name Indication extension
+                    Server Name list length: 12
+                    Server Name Type: host_name (0)
+                    Server Name length: 9
+                    Server Name: localhost
+            Extension: ec_point_formats (len=4)
+                Type: ec_point_formats (11)
+                Length: 4
+                EC point formats Length: 3
+                Elliptic curves point formats (3)
+                    EC point format: uncompressed (0)
+                    EC point format: ansiX962_compressed_prime (1)
+                    EC point format: ansiX962_compressed_char2 (2)
+            Extension: supported_groups (len=22)
+                Type: supported_groups (10)
+                Length: 22
+                Supported Groups List Length: 20
+                Supported Groups (10 groups)
+                    Supported Group: x25519 (0x001d)
+                    Supported Group: secp256r1 (0x0017)
+                    Supported Group: x448 (0x001e)
+                    Supported Group: secp521r1 (0x0019)
+                    Supported Group: secp384r1 (0x0018)
+                    Supported Group: ffdhe2048 (0x0100)
+                    Supported Group: ffdhe3072 (0x0101)
+                    Supported Group: ffdhe4096 (0x0102)
+                    Supported Group: ffdhe6144 (0x0103)
+                    Supported Group: ffdhe8192 (0x0104)
+            Extension: application_layer_protocol_negotiation (len=14)
+                Type: application_layer_protocol_negotiation (16)
+                Length: 14
+                ALPN Extension Length: 12
+                ALPN Protocol
+                    ALPN string length: 2
+                    ALPN Next Protocol: h2
+                    ALPN string length: 8
+                    ALPN Next Protocol: http/1.1
+            Extension: encrypt_then_mac (len=0)
+                Type: encrypt_then_mac (22)
+                Length: 0
+            Extension: extended_master_secret (len=0)
+                Type: extended_master_secret (23)
+                Length: 0
+            Extension: post_handshake_auth (len=0)
+                Type: post_handshake_auth (49)
+                Length: 0
+            Extension: signature_algorithms (len=42)
+                Type: signature_algorithms (13)
+                Length: 42
+                Signature Hash Algorithms Length: 40
+                Signature Hash Algorithms (20 algorithms)
+                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
+                        Signature Hash Algorithm Hash: SHA256 (4)
+                        Signature Hash Algorithm Signature: ECDSA (3)
+                    Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
+                        Signature Hash Algorithm Hash: SHA384 (5)
+                        Signature Hash Algorithm Signature: ECDSA (3)
+                    Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
+                        Signature Hash Algorithm Hash: SHA512 (6)
+                        Signature Hash Algorithm Signature: ECDSA (3)
+                    Signature Algorithm: ed25519 (0x0807)
+                        Signature Hash Algorithm Hash: Unknown (8)
+                        Signature Hash Algorithm Signature: Unknown (7)
+                    Signature Algorithm: ed448 (0x0808)
+                        Signature Hash Algorithm Hash: Unknown (8)
+                        Signature Hash Algorithm Signature: Unknown (8)
+                    Signature Algorithm: rsa_pss_pss_sha256 (0x0809)
+                        Signature Hash Algorithm Hash: Unknown (8)
+                        Signature Hash Algorithm Signature: Unknown (9)
+                    Signature Algorithm: rsa_pss_pss_sha384 (0x080a)
+                        Signature Hash Algorithm Hash: Unknown (8)
+                        Signature Hash Algorithm Signature: Unknown (10)
+                    Signature Algorithm: rsa_pss_pss_sha512 (0x080b)
+                        Signature Hash Algorithm Hash: Unknown (8)
+                        Signature Hash Algorithm Signature: Unknown (11)
+                    Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
+                        Signature Hash Algorithm Hash: Unknown (8)
+                        Signature Hash Algorithm Signature: SM2 (4)
+                    Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
+                        Signature Hash Algorithm Hash: Unknown (8)
+                        Signature Hash Algorithm Signature: Unknown (5)
+                    Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
+                        Signature Hash Algorithm Hash: Unknown (8)
+                        Signature Hash Algorithm Signature: Unknown (6)
+                    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
+                        Signature Hash Algorithm Hash: SHA256 (4)
+                        Signature Hash Algorithm Signature: RSA (1)
+                    Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
+                        Signature Hash Algorithm Hash: SHA384 (5)
+                        Signature Hash Algorithm Signature: RSA (1)
+                    Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
+                        Signature Hash Algorithm Hash: SHA512 (6)
+                        Signature Hash Algorithm Signature: RSA (1)
+                    Signature Algorithm: SHA224 ECDSA (0x0303)
+                        Signature Hash Algorithm Hash: SHA224 (3)
+                        Signature Hash Algorithm Signature: ECDSA (3)
+                    Signature Algorithm: SHA224 RSA (0x0301)
+                        Signature Hash Algorithm Hash: SHA224 (3)
+                        Signature Hash Algorithm Signature: RSA (1)
+                    Signature Algorithm: SHA224 DSA (0x0302)
+                        Signature Hash Algorithm Hash: SHA224 (3)
+                        Signature Hash Algorithm Signature: DSA (2)
+                    Signature Algorithm: SHA256 DSA (0x0402)
+                        Signature Hash Algorithm Hash: SHA256 (4)
+                        Signature Hash Algorithm Signature: DSA (2)
+                    Signature Algorithm: SHA384 DSA (0x0502)
+                        Signature Hash Algorithm Hash: SHA384 (5)
+                        Signature Hash Algorithm Signature: DSA (2)
+                    Signature Algorithm: SHA512 DSA (0x0602)
+                        Signature Hash Algorithm Hash: SHA512 (6)
+                        Signature Hash Algorithm Signature: DSA (2)
+            Extension: supported_versions (len=9)
+                Type: supported_versions (43)
+                Length: 9
+                Supported Versions length: 8
+                Supported Version: TLS 1.3 (0x0304)
+                Supported Version: TLS 1.2 (0x0303)
+                Supported Version: TLS 1.1 (0x0302)
+                Supported Version: TLS 1.0 (0x0301)
+            Extension: psk_key_exchange_modes (len=2)
+                Type: psk_key_exchange_modes (45)
+                Length: 2
+                PSK Key Exchange Modes Length: 1
+                PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)
+            Extension: key_share (len=38)
+                Type: key_share (51)
+                Length: 38
+                Key Share extension
+                    Client Key Share Length: 36
+                    Key Share Entry: Group: x25519, Key Exchange length: 32
+                        Group: x25519 (29)
+                        Key Exchange Length: 32
+                        Key Exchange: 206549bc380e444cb61e31dc46c713cd7850c6357488aa620d7dbca82f9ae70a
+            Extension: padding (len=180)
+                Type: padding (21)
+                Length: 180
+                Padding Data: 000000000000000000000000000000000000000000000000000000000000000000000000...
+            [JA3 Fullstring [truncated]: 771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,0-11-10-16-22-23-49-13-43-45-51-21,29-23-30-25-24-256-2]
+            [JA3: 0149f47eabf9a20d0893e2a44e5a6323]
+
diff --git a/submissions/lab4-tls-evidence.txt b/submissions/lab4-tls-evidence.txt
new file mode 100644
index 000000000..bf6879437
--- /dev/null
+++ b/submissions/lab4-tls-evidence.txt
@@ -0,0 +1,225 @@
+# Lab 4 Bonus TLS Evidence
+
+Date: 2026-06-14T15:06:36Z
+Kernel: Linux ee606eb3ea99 6.12.54-linuxkit #1 SMP Tue Nov  4 21:21:47 UTC 2025 aarch64 GNU/Linux
+Go: go version go1.24.13 linux/arm64
+Reverse proxy: nginx with self-signed localhost certificate
+TLS protocols configured: TLSv1.2 TLSv1.3
+
+## QuickNotes startup
+2026/06/14 15:06:35 quicknotes listening on :8080 (notes loaded: 4)
+
+## nginx config
+worker_processes 1;
+events { worker_connections 1024; }
+http {
+  access_log /tmp/lab4-tls/access.log;
+  error_log /tmp/lab4-tls/error.log info;
+  server {
+    listen 8443 ssl;
+    server_name localhost;
+    ssl_certificate /tmp/lab4-tls/localhost.crt;
+    ssl_certificate_key /tmp/lab4-tls/localhost.key;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    location / {
+      proxy_pass http://127.0.0.1:8080;
+      proxy_set_header Host $host;
+      proxy_set_header X-Forwarded-Proto https;
+    }
+  }
+}
+
+## listeners
+LISTEN 0      511          0.0.0.0:8443      0.0.0.0:*    users:(("nginx",pid=2661,fd=5))
+LISTEN 0      4096               *:8080            *:*    users:(("quicknotes",pid=2686,fd=3))
+
+## curl -vk https://localhost:8443/health
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 127.0.0.1:8443...
+* Connected to localhost (127.0.0.1) port 8443 (#0)
+* ALPN: offers h2,http/1.1
+} [5 bytes data]
+* TLSv1.3 (OUT), TLS handshake, Client hello (1):
+} [512 bytes data]
+* TLSv1.3 (IN), TLS handshake, Server hello (2):
+{ [122 bytes data]
+* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
+{ [25 bytes data]
+* TLSv1.3 (IN), TLS handshake, Certificate (11):
+{ [822 bytes data]
+* TLSv1.3 (IN), TLS handshake, CERT verify (15):
+{ [264 bytes data]
+* TLSv1.3 (IN), TLS handshake, Finished (20):
+{ [52 bytes data]
+* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
+} [1 bytes data]
+* TLSv1.3 (OUT), TLS handshake, Finished (20):
+} [52 bytes data]
+* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
+* ALPN: server accepted http/1.1
+* Server certificate:
+*  subject: CN=localhost
+*  start date: Jun 14 15:06:32 2026 GMT
+*  expire date: Jun 15 15:06:32 2026 GMT
+*  issuer: CN=localhost
+*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
+* using HTTP/1.1
+} [5 bytes data]
+> GET /health HTTP/1.1
+> Host: localhost:8443
+> User-Agent: curl/7.88.1
+> Accept: */*
+> 
+{ [5 bytes data]
+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
+{ [265 bytes data]
+* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
+{ [265 bytes data]
+* old SSL session ID is stale, removing
+{ [5 bytes data]
+< HTTP/1.1 200 OK
+< Server: nginx/1.22.1
+< Date: Sun, 14 Jun 2026 15:06:37 GMT
+< Content-Type: application/json
+< Content-Length: 26
+< Connection: keep-alive
+< 
+{ [26 bytes data]
+
100    26  100    26    0     0   1209      0 --:--:-- --:--:-- --:--:--  1238
+* Connection #0 to host localhost left intact
+{"notes":4,"status":"ok"}
+
+## tcpdump TLS capture log
+tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
+16 packets captured
+32 packets received by filter
+0 packets dropped by kernel
+
+## openssl s_client -connect localhost:8443 -showcerts </dev/null
+depth=0 CN = localhost
+verify error:num=18:self-signed certificate
+verify return:1
+depth=0 CN = localhost
+verify return:1
+CONNECTED(00000003)
+---
+Certificate chain
+ 0 s:CN = localhost
+   i:CN = localhost
+   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
+   v:NotBefore: Jun 14 15:06:32 2026 GMT; NotAfter: Jun 15 15:06:32 2026 GMT
+-----BEGIN CERTIFICATE-----
+MIIDJTCCAg2gAwIBAgIUSP0k9s4R2iQyjbrVSNc/Vy65dl4wDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI2MDYxNDE1MDYzMloXDTI2MDYx
+NTE1MDYzMlowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAwWOkXbcSdQcoZpxk3/PB5/ev7TLg3NMW+vmQg5fRADME
+8Z0tiLrMwO4svyGFSPsjUhlFuaDk5/qzsFA1dimDOtDoJCd99Qr0tk4ZQTvoXg6D
+XSivPKcXpVrpWWb+9gVD8Z78FzROvwL+/wssEInpr6TQuK3CrChkIiIOIwsgaqZi
+/xWyCVeIfog5K1rHYWcP0PWbk8UXFl0swniZpOSXeNeyj4WfhFbBU5ZNU67QCBof
+sJq9jaH94taA9tVaFWD1l3S2eupqDhzMgcz0qjBCUJh2Ysp19wlmGaPfmjy0w/vz
+L2xTuEFWrf3XZPilXXoKplCAxRtj9fq9gDzD0KPVIwIDAQABo28wbTAdBgNVHQ4E
+FgQUGiRd6/5xAHzxOnIYW7Pkq+jFfLcwHwYDVR0jBBgwFoAUGiRd6/5xAHzxOnIY
+W7Pkq+jFfLcwDwYDVR0TAQH/BAUwAwEB/zAaBgNVHREEEzARgglsb2NhbGhvc3SH
+BH8AAAEwDQYJKoZIhvcNAQELBQADggEBAFc09g/xkV3RfFlurr6GQiYO+h5DMOYf
+6JkRfvOKyWnhvIMJRAtseQ7y2eIBU4kcYLjQYV5uKnVfVof09Iew6U6AZ+aw61Up
+5o24Qm2PqWcWBczkemKVdBeCvl/7M2DxbLyb0AfTHla9nGDIMx8yl1uXXARyKDlg
+7NEw6jI3mIIyAPafPQ3IgZpnss5iJ7b+gapv5Ryymz7hdV/I4yff9k0n5Z09ytwQ
+AVAbFdcfcnP1zU20jTaq2VxPaS+UXdafecbQ1dW4fejdOFBXm3oK/RU2TA5TdrcP
+EEEBxiB7FCGXmX1UFNuOtg0cjh9TF+tKQ+DPxPQlgJ19oNqGitSLSYU=
+-----END CERTIFICATE-----
+---
+Server certificate
+subject=CN = localhost
+issuer=CN = localhost
+---
+No client certificate CA names sent
+Peer signing digest: SHA256
+Peer signature type: RSA-PSS
+Server Temp Key: X25519, 253 bits
+---
+SSL handshake has read 1369 bytes and written 395 bytes
+Verification error: self-signed certificate
+---
+New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
+Server public key is 2048 bit
+Secure Renegotiation IS NOT supported
+Compression: NONE
+Expansion: NONE
+No ALPN negotiated
+Early data was not sent
+Verify return code: 18 (self-signed certificate)
+---
+DONE
+---
+Post-Handshake New Session Ticket arrived:
+SSL-Session:
+    Protocol  : TLSv1.3
+    Cipher    : TLS_AES_256_GCM_SHA384
+    Session-ID: 80746FAE88E2F1652089A15733F344782E1D6337CE5A056BE2777533836D3C71
+    Session-ID-ctx: 
+    Resumption PSK: BDE2B278DD948C2B2A9178A421F7369EAD45262714D0E97C8FAA2A27CD1BDA5BF1E525AF69A033F5E05A9A6A039005C9
+    PSK identity: None
+    PSK identity hint: None
+    SRP username: None
+    TLS session ticket lifetime hint: 300 (seconds)
+    TLS session ticket:
+    0000 - ac 9b 15 10 7c 90 44 fb-3a 94 1d d2 9f ca d9 e9   ....|.D.:.......
+    0010 - 5b 8d 32 0e 7a 01 dd f9-9b 34 80 bd 37 99 1c 8c   [.2.z....4..7...
+    0020 - ba 71 c9 ef 5c 50 fa e7-8c 88 81 31 27 c6 a1 66   .q..\P.....1'..f
+    0030 - 47 e8 2e 53 64 3d 39 c9-ed a5 61 bd 1e d7 87 6c   G..Sd=9...a....l
+    0040 - 0c e8 9d 4c 0c 09 11 a7-73 6b 57 16 ab a0 40 34   ...L....skW...@4
+    0050 - 9f 97 b2 a6 99 58 68 5c-dd 9d a4 d4 f1 d1 5b 28   .....Xh\......[(
+    0060 - e3 03 be d6 83 93 81 9c-18 25 5e d0 2d 33 4a 23   .........%^.-3J#
+    0070 - 66 4d 76 92 d1 69 a6 dd-42 8f 57 cb dd 53 0e 90   fMv..i..B.W..S..
+    0080 - c8 fa aa 78 04 8a 87 59-3f be 09 65 54 34 48 de   ...x...Y?..eT4H.
+    0090 - db 12 e0 5c fa ec f1 2a-06 49 0a 14 cc 91 df 01   ...\...*.I......
+    00a0 - 13 ec 29 05 01 d4 4f bc-f6 1a b6 0a 62 06 0e 5f   ..)...O.....b.._
+    00b0 - 77 57 bd c0 5f b2 9a ff-34 39 7f b2 06 f1 7d 81   wW.._...49....}.
+    00c0 - 22 b2 87 a3 e1 82 3d a6-97 6e ea 70 4d 37 27 0e   ".....=..n.pM7'.
+    00d0 - f1 13 a0 7e 24 30 27 29-51 b4 bd 5a 45 4b 54 cf   ...~$0')Q..ZEKT.
+    00e0 - 91 2f 6d 98 53 2a ac 96-ee f1 be 54 6a 9f 04 f8   ./m.S*.....Tj...
+
+    Start Time: 1781449598
+    Timeout   : 7200 (sec)
+    Verify return code: 18 (self-signed certificate)
+    Extended master secret: no
+    Max Early Data: 0
+---
+read R BLOCK
+---
+Post-Handshake New Session Ticket arrived:
+SSL-Session:
+    Protocol  : TLSv1.3
+    Cipher    : TLS_AES_256_GCM_SHA384
+    Session-ID: C93087742DE883F575FA4AC83D6398F3A5FDFF750CA74B5446049C5BD330195E
+    Session-ID-ctx: 
+    Resumption PSK: C74960E1CD6471602D264F227BE3C3CA3AC701ECD0342CEE3A3EB4A998B3CF1F30CCD1E73222ADBF129FAA9B85BAC627
+    PSK identity: None
+    PSK identity hint: None
+    SRP username: None
+    TLS session ticket lifetime hint: 300 (seconds)
+    TLS session ticket:
+    0000 - ac 9b 15 10 7c 90 44 fb-3a 94 1d d2 9f ca d9 e9   ....|.D.:.......
+    0010 - 42 ac d7 97 db 85 69 55-f7 c0 5a f2 a5 61 bf c8   B.....iU..Z..a..
+    0020 - 90 cb ba a4 aa dd 8e cf-7b 26 43 06 8f 41 9d 3e   ........{&C..A.>
+    0030 - 03 8c 28 97 b8 82 c3 89-2a 48 d5 0d 98 b0 36 56   ..(.....*H....6V
+    0040 - 8c f8 8a bd 18 91 bd b2-16 7a 35 56 d4 7e ac 53   .........z5V.~.S
+    0050 - a9 28 68 fc 79 5f 69 39-03 a8 e8 dd 71 3e b9 e3   .(h.y_i9....q>..
+    0060 - b7 de 7e c7 0f 40 45 15-28 4b 50 0f bd 39 74 50   ..~..@E.(KP..9tP
+    0070 - 80 c7 d8 c0 5d 33 9e 73-0f 0c fb 6c 2c 1e c3 d4   ....]3.s...l,...
+    0080 - d3 64 5c d5 08 e0 71 7e-e1 58 43 d7 49 57 4b 1c   .d\...q~.XC.IWK.
+    0090 - 84 99 b9 48 18 72 58 d2-f3 4f 9d 39 12 35 ea 4b   ...H.rX..O.9.5.K
+    00a0 - b0 77 41 53 7e cd ec f6-1f b4 9b 4c 47 72 44 19   .wAS~......LGrD.
+    00b0 - c4 be f4 65 07 76 68 db-68 ee da 49 1b 1a 33 31   ...e.vh.h..I..31
+    00c0 - 9f 37 68 69 e1 94 25 2c-85 15 b9 23 fe 04 6f f4   .7hi..%,...#..o.
+    00d0 - 68 07 86 35 dc 81 6e aa-08 cc d0 e2 cd 0b a1 2d   h..5..n........-
+    00e0 - 5e d8 8c 88 5c 81 84 e1-d8 f4 3e 74 28 60 78 17   ^...\.....>t(`x.
+
+    Start Time: 1781449598
+    Timeout   : 7200 (sec)
+    Verify return code: 18 (self-signed certificate)
+    Extended master secret: no
+    Max Early Data: 0
+---
+read R BLOCK
diff --git a/submissions/lab4-tls-serverhello.txt b/submissions/lab4-tls-serverhello.txt
new file mode 100644
index 000000000..745db2f33
--- /dev/null
+++ b/submissions/lab4-tls-serverhello.txt
@@ -0,0 +1,147 @@
+Running as user "root" and group "root". This could be dangerous.
+Frame 6: 1450 bytes on wire (11600 bits), 1450 bytes captured (11600 bits)
+    Encapsulation type: Ethernet (1)
+    Arrival Time: Jun 14, 2026 15:06:37.060423000 UTC
+    [Time shift for this packet: 0.000000000 seconds]
+    Epoch Time: 1781449597.060423000 seconds
+    [Time delta from previous captured frame: 0.001696000 seconds]
+    [Time delta from previous displayed frame: 0.000000000 seconds]
+    [Time since reference or first frame: 0.003893000 seconds]
+    Frame Number: 6
+    Frame Length: 1450 bytes (11600 bits)
+    Capture Length: 1450 bytes (11600 bits)
+    [Frame is marked: False]
+    [Frame is ignored: False]
+    [Protocols in frame: eth:ethertype:ip:tcp:tls]
+Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 00:00:00_00:00:00 (00:00:00:00:00:00)
+    Destination: 00:00:00_00:00:00 (00:00:00:00:00:00)
+        Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
+        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
+        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
+    Source: 00:00:00_00:00:00 (00:00:00:00:00:00)
+        Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
+        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
+        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
+    Type: IPv4 (0x0800)
+Internet Protocol Version 4, Src: 127.0.0.1, Dst: 127.0.0.1
+    0100 .... = Version: 4
+    .... 0101 = Header Length: 20 bytes (5)
+    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
+        0000 00.. = Differentiated Services Codepoint: Default (0)
+        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
+    Total Length: 1436
+    Identification: 0x545a (21594)
+    010. .... = Flags: 0x2, Don't fragment
+        0... .... = Reserved bit: Not set
+        .1.. .... = Don't fragment: Set
+        ..0. .... = More fragments: Not set
+    ...0 0000 0000 0000 = Fragment Offset: 0
+    Time to Live: 64
+    Protocol: TCP (6)
+    Header Checksum: 0xe2ff [validation disabled]
+    [Header checksum status: Unverified]
+    Source Address: 127.0.0.1
+    Destination Address: 127.0.0.1
+Transmission Control Protocol, Src Port: 8443, Dst Port: 48542, Seq: 1, Ack: 518, Len: 1384
+    Source Port: 8443
+    Destination Port: 48542
+    [Stream index: 0]
+    [Conversation completeness: Incomplete, DATA (15)]
+    [TCP Segment Len: 1384]
+    Sequence Number: 1    (relative sequence number)
+    Sequence Number (raw): 4134712766
+    [Next Sequence Number: 1385    (relative sequence number)]
+    Acknowledgment Number: 518    (relative ack number)
+    Acknowledgment number (raw): 2445260649
+    1000 .... = Header Length: 32 bytes (8)
+    Flags: 0x018 (PSH, ACK)
+        000. .... .... = Reserved: Not set
+        ...0 .... .... = Accurate ECN: Not set
+        .... 0... .... = Congestion Window Reduced: Not set
+        .... .0.. .... = ECN-Echo: Not set
+        .... ..0. .... = Urgent: Not set
+        .... ...1 .... = Acknowledgment: Set
+        .... .... 1... = Push: Set
+        .... .... .0.. = Reset: Not set
+        .... .... ..0. = Syn: Not set
+        .... .... ...0 = Fin: Not set
+        [TCP Flags: .......AP...]
+    Window: 512
+    [Calculated window size: 65536]
+    [Window size scaling factor: 128]
+    Checksum: 0x0391 [unverified]
+    [Checksum Status: Unverified]
+    Urgent Pointer: 0
+    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
+        TCP Option - No-Operation (NOP)
+            Kind: No-Operation (1)
+        TCP Option - No-Operation (NOP)
+            Kind: No-Operation (1)
+        TCP Option - Timestamps: TSval 3291739510, TSecr 3291739508
+            Kind: Time Stamp Option (8)
+            Length: 10
+            Timestamp value: 3291739510
+            Timestamp echo reply: 3291739508
+    [Timestamps]
+        [Time since first frame in this TCP stream: 0.003893000 seconds]
+        [Time since previous frame in this TCP stream: 0.001696000 seconds]
+    [SEQ/ACK analysis]
+        [iRTT: 0.000012000 seconds]
+        [Bytes in flight: 1384]
+        [Bytes sent since last PSH flag: 1384]
+    TCP payload (1384 bytes)
+Transport Layer Security
+    TLSv1.2 Record Layer: Handshake Protocol: Server Hello
+        Content Type: Handshake (22)
+        Version: TLS 1.2 (0x0303)
+        Length: 122
+        Handshake Protocol: Server Hello
+            Handshake Type: Server Hello (2)
+            Length: 118
+            Version: TLS 1.2 (0x0303)
+            Random: 185e18aa2feb7fb42c8b5cd604ade65c1aae48b96ac0c55740e5f4df5e94f643
+            Session ID Length: 32
+            Session ID: b571efe8bef9079d29ebecaa49299fb59699e0485b2ef4ab30923af9ff9f169c
+            Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
+            Compression Method: null (0)
+            Extensions Length: 46
+            Extension: supported_versions (len=2)
+                Type: supported_versions (43)
+                Length: 2
+                Supported Version: TLS 1.3 (0x0304)
+            Extension: key_share (len=36)
+                Type: key_share (51)
+                Length: 36
+                Key Share extension
+                    Key Share Entry: Group: x25519, Key Exchange length: 32
+                        Group: x25519 (29)
+                        Key Exchange Length: 32
+                        Key Exchange: bedf3f432d666011c453973d39c4017d7ec44ce59d8000b8a2024c2b5812f97c
+            [JA3S Fullstring: 771,4866,43-51]
+            [JA3S: 15af977ce25de452b96affa2addb1036]
+    TLSv1.3 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
+        Content Type: Change Cipher Spec (20)
+        Version: TLS 1.2 (0x0303)
+        Length: 1
+        Change Cipher Spec Message
+    TLSv1.3 Record Layer: Application Data Protocol: Application Data
+        Opaque Type: Application Data (23)
+        Version: TLS 1.2 (0x0303)
+        Length: 42
+        Encrypted Application Data: ff9f7e3446ce3007c07ef94af8535b4f6bbcec7120e4534a60747a6cd111a546bc2451ce...
+    TLSv1.3 Record Layer: Application Data Protocol: Application Data
+        Opaque Type: Application Data (23)
+        Version: TLS 1.2 (0x0303)
+        Length: 839
+        Encrypted Application Data: 7d02b720f7a6f9caaf7b79fd09336e052e58733f106eabcf7fe3b900e461d8d04d03b6ba...
+    TLSv1.3 Record Layer: Application Data Protocol: Application Data
+        Opaque Type: Application Data (23)
+        Version: TLS 1.2 (0x0303)
+        Length: 281
+        Encrypted Application Data: 0a237e28e00a8d8f255ef10871ed827eef504f6363ea555663053d37e7bb1160beb345ef...
+    TLSv1.3 Record Layer: Application Data Protocol: Application Data
+        Opaque Type: Application Data (23)
+        Version: TLS 1.2 (0x0303)
+        Length: 69
+        Encrypted Application Data: f87fd63a7e6b20ec031e8011237eadce12692e27287739c6ddd9005883f9f7d1c4aa8fa7...
+
diff --git a/submissions/lab4-tls-summary.txt b/submissions/lab4-tls-summary.txt
new file mode 100644
index 000000000..1a2a21667
--- /dev/null
+++ b/submissions/lab4-tls-summary.txt
@@ -0,0 +1,73 @@
+# TLS handshake summary
+
+Environment: Linux container
+Proxy: nginx on https://localhost:8443
+Upstream: QuickNotes on http://127.0.0.1:8080
+Capture: submissions/lab4-tls.pcap
+Decoder: tshark (Wireshark CLI)
+
+## curl result
+
+curl negotiated TLS 1.3 and successfully reached QuickNotes through nginx:
+
+  SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
+  Server certificate: subject: CN=localhost
+  issuer: CN=localhost
+  HTTP/1.1 200 OK
+  {"notes":4,"status":"ok"}
+
+## ClientHello
+
+Full decode: submissions/lab4-tls-clienthello.txt
+
+Important fields:
+
+  SNI: localhost
+  Cipher suites offered include:
+    TLS_AES_256_GCM_SHA384 (0x1302)
+    TLS_CHACHA20_POLY1305_SHA256 (0x1303)
+    TLS_AES_128_GCM_SHA256 (0x1301)
+    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
+    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
+
+  supported_versions extension:
+    TLS 1.3 (0x0304)
+    TLS 1.2 (0x0303)
+    TLS 1.1 (0x0302)
+    TLS 1.0 (0x0301)
+
+## ServerHello
+
+Full decode: submissions/lab4-tls-serverhello.txt
+
+Important fields:
+
+  selected cipher suite:
+    TLS_AES_256_GCM_SHA384 (0x1302)
+
+  supported_versions extension:
+    TLS 1.3 (0x0304)
+
+  key share group:
+    x25519
+
+## Certificate chain
+
+Full openssl output: submissions/lab4-tls-evidence.txt
+Certificate excerpt: submissions/lab4-tls-certificate.txt
+
+  subject=CN = localhost
+  issuer=CN = localhost
+  self-signed certificate
+  public key: RSA 2048
+  signature algorithm: RSA-SHA256
+
+## TLS 1.0 / 1.1 deprecation note
+
+The decisive negotiation step is ServerHello. The client offered several protocol
+versions in the supported_versions extension, including TLS 1.0 and TLS 1.1, but
+nginx was configured with only TLSv1.2 and TLSv1.3 enabled. The server selected
+TLS 1.3 in ServerHello's supported_versions extension, so TLS 1.0 and TLS 1.1
+were not chosen. If a client only supported TLS 1.0/1.1, the server would reject
+the handshake during protocol version negotiation before any HTTP request could
+be sent.
diff --git a/submissions/lab4-tls.pcap b/submissions/lab4-tls.pcap
new file mode 100644
index 000000000..f1a70b6ad
Binary files /dev/null and b/submissions/lab4-tls.pcap differ
diff --git a/submissions/lab4-trace.pcap b/submissions/lab4-trace.pcap
new file mode 100644
index 000000000..083a24f41
Binary files /dev/null and b/submissions/lab4-trace.pcap differ
diff --git a/submissions/lab4-trace.txt b/submissions/lab4-trace.txt
new file mode 100644
index 000000000..6dc852542
--- /dev/null
+++ b/submissions/lab4-trace.txt
@@ -0,0 +1,50 @@
+Lab 4 annotated packet trace
+Environment: Linux container, loopback interface lo
+Capture file: submissions/lab4-trace.pcap
+Decoded with: tcpdump -r submissions/lab4-trace.pcap -nn -A
+
+reading from file submissions/lab4-trace.pcap, link-type EN10MB (Ethernet), snapshot length 262144
+14:16:25.452682 IP 127.0.0.1.47304 > 127.0.0.1.8080: Flags [S], seq 4278554227, win 65495, options [mss 65495,sackOK,TS val 2462602185 ecr 0,nop,wscale 7], length 0
+E..<9.@.@..................s.........0.........
+..S.........
+14:16:25.452689 IP 127.0.0.1.8080 > 127.0.0.1.47304: Flags [S.], seq 1200757750, ack 4278554228, win 65483, options [mss 65495,sackOK,TS val 2462602185 ecr 2462602185,nop,wscale 7], length 0
+E..<..@.@.<.............G......t.....0.........
+..S...S.....
+14:16:25.452695 IP 127.0.0.1.47304 > 127.0.0.1.8080: Flags [.], ack 1, win 512, options [nop,nop,TS val 2462602185 ecr 2462602185], length 0
+E..49.@.@..................tG........(.....
+..S...S.
+14:16:25.452898 IP 127.0.0.1.47304 > 127.0.0.1.8080: Flags [P.], seq 1:176, ack 1, win 512, options [nop,nop,TS val 2462602185 ecr 2462602185], length 175: HTTP: POST /notes HTTP/1.1
+E...9.@.@..^...............tG..............
+..S...S.POST /notes HTTP/1.1
+Host: localhost:8080
+User-Agent: curl/7.88.1
+Accept: */*
+Content-Type: application/json
+Content-Length: 39
+
+{"title":"trace me","body":"in flight"}
+14:16:25.452912 IP 127.0.0.1.8080 > 127.0.0.1.47304: Flags [.], ack 176, win 511, options [nop,nop,TS val 2462602185 ecr 2462602185], length 0
+E..4.<@.@.y.............G......#.....(.....
+..S...S.
+14:16:25.453162 IP 127.0.0.1.8080 > 127.0.0.1.47304: Flags [P.], seq 1:207, ack 176, win 512, options [nop,nop,TS val 2462602185 ecr 2462602185], length 206: HTTP: HTTP/1.1 201 Created
+E....=@.@.x.............G......#...........
+..S...S.HTTP/1.1 201 Created
+Content-Type: application/json
+Date: Sun, 14 Jun 2026 14:16:25 GMT
+Content-Length: 93
+
+{"id":5,"title":"trace me","body":"in flight","created_at":"2026-06-14T14:16:25.453003253Z"}
+
+14:16:25.453165 IP 127.0.0.1.47304 > 127.0.0.1.8080: Flags [.], ack 207, win 511, options [nop,nop,TS val 2462602185 ecr 2462602185], length 0
+E..49.@.@..................#G........(.....
+..S...S.
+14:16:25.456667 IP 127.0.0.1.47304 > 127.0.0.1.8080: Flags [F.], seq 176, ack 207, win 512, options [nop,nop,TS val 2462602189 ecr 2462602185], length 0
+E..49.@.@..................#G........(.....
+..S...S.
+14:16:25.456716 IP 127.0.0.1.8080 > 127.0.0.1.47304: Flags [F.], seq 207, ack 177, win 512, options [nop,nop,TS val 2462602189 ecr 2462602189], length 0
+E..4.>@.@.y.............G......$.....(.....
+..S...S.
+14:16:25.456730 IP 127.0.0.1.47304 > 127.0.0.1.8080: Flags [.], ack 208, win 512, options [nop,nop,TS val 2462602189 ecr 2462602189], length 0
+E..49.@.@..
+...............$G........(.....
+..S...S.
diff --git a/submissions/lab4.md b/submissions/lab4.md
new file mode 100644
index 000000000..23e7399c9
--- /dev/null
+++ b/submissions/lab4.md
@@ -0,0 +1,394 @@
+# Lab 4 - OS & Networking: Trace, Debug, and Read the Substrate
+
+## Environment
+
+I completed the lab in a disposable Linux container so the Linux networking tools from the task were available.
+
+```text
+Image: golang:1.24-bookworm
+Kernel: Linux ae8db4a22f62 6.12.54-linuxkit #1 SMP Tue Nov 4 21:21:47 UTC 2025 aarch64 GNU/Linux
+Go: go version go1.24.13 linux/arm64
+Installed tools: iproute2 dnsutils mtr-tiny tcpdump curl procps iptables nftables jq systemd
+```
+
+QuickNotes startup:
+
+```bash
+ADDR=:8080 DATA_PATH=/tmp/quicknotes-lab4-docker.json SEED_PATH=seed.json go run .
+```
+
+```text
+2026/06/14 14:16:24 quicknotes listening on :8080 (notes loaded: 4)
+```
+
+Full raw Linux output is also saved in `submissions/lab4-linux-evidence.txt`.
+
+## Task 1 - Trace a Request End-to-End
+
+### 1.1 Start QuickNotes and capture
+
+I captured loopback traffic inside the Linux container:
+
+```bash
+tcpdump -i lo -nn -s 0 -A 'tcp port 8080' -w submissions/lab4-trace.pcap
+```
+
+```text
+tcpdump: listening on lo, link-type EN10MB (Ethernet), snapshot length 262144 bytes
+10 packets captured
+20 packets received by filter
+0 packets dropped by kernel
+```
+
+Then I sent one request:
+
+```bash
+curl -v -X POST http://localhost:8080/notes \
+  -H 'Content-Type: application/json' \
+  -d '{"title":"trace me","body":"in flight"}'
+```
+
+```text
+*   Trying 127.0.0.1:8080...
+* Connected to localhost (127.0.0.1) port 8080 (#0)
+> POST /notes HTTP/1.1
+> Host: localhost:8080
+> User-Agent: curl/7.88.1
+> Accept: */*
+> Content-Type: application/json
+> Content-Length: 39
+>
+} [39 bytes data]
+< HTTP/1.1 201 Created
+< Content-Type: application/json
+< Date: Sun, 14 Jun 2026 14:16:25 GMT
+< Content-Length: 93
+<
+{"id":5,"title":"trace me","body":"in flight","created_at":"2026-06-14T14:16:25.453003253Z"}
+```
+
+### 1.2 Decode the capture
+
+The decoded trace is saved in `submissions/lab4-trace.txt`, and the Linux pcap is saved as `submissions/lab4-trace.pcap`.
+
+TCP three-way handshake:
+
+```text
+14:16:25.452682 IP 127.0.0.1.47304 > 127.0.0.1.8080: Flags [S], seq 4278554227, length 0
+14:16:25.452689 IP 127.0.0.1.8080 > 127.0.0.1.47304: Flags [S.], seq 1200757750, ack 4278554228, length 0
+14:16:25.452695 IP 127.0.0.1.47304 > 127.0.0.1.8080: Flags [.], ack 1, length 0
+```
+
+HTTP request:
+
+```text
+14:16:25.452898 IP 127.0.0.1.47304 > 127.0.0.1.8080: Flags [P.], seq 1:176, ack 1, length 175: HTTP: POST /notes HTTP/1.1
+
+POST /notes HTTP/1.1
+Host: localhost:8080
+User-Agent: curl/7.88.1
+Accept: */*
+Content-Type: application/json
+Content-Length: 39
+
+{"title":"trace me","body":"in flight"}
+```
+
+HTTP response:
+
+```text
+14:16:25.453162 IP 127.0.0.1.8080 > 127.0.0.1.47304: Flags [P.], seq 1:207, ack 176, length 206: HTTP: HTTP/1.1 201 Created
+
+HTTP/1.1 201 Created
+Content-Type: application/json
+Date: Sun, 14 Jun 2026 14:16:25 GMT
+Content-Length: 93
+
+{"id":5,"title":"trace me","body":"in flight","created_at":"2026-06-14T14:16:25.453003253Z"}
+```
+
+Connection close:
+
+```text
+14:16:25.456667 IP 127.0.0.1.47304 > 127.0.0.1.8080: Flags [F.], seq 176, ack 207, length 0
+14:16:25.456716 IP 127.0.0.1.8080 > 127.0.0.1.47304: Flags [F.], seq 207, ack 177, length 0
+14:16:25.456730 IP 127.0.0.1.47304 > 127.0.0.1.8080: Flags [.], ack 208, length 0
+```
+
+Conclusion: the TCP connection opened cleanly, the request reached QuickNotes, the app returned `201 Created`, and the connection closed normally with FIN/ACK rather than RST.
+
+### 1.3 Five debugging commands
+
+#### 1. What is listening?
+
+```bash
+ss -tlnp | grep :8080
+```
+
+```text
+LISTEN 0      4096               *:8080            *:*    users:(("quicknotes",pid=2698,fd=3))
+```
+
+Decision: QuickNotes is listening on port `8080`.
+
+#### 2. Routes from the host/container
+
+```bash
+ip route show
+```
+
+```text
+default via 172.17.0.1 dev eth0
+172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.2
+```
+
+Decision: the container has a default route through the Docker bridge gateway. The request to `localhost` stays on loopback.
+
+#### 3. Reachability
+
+```bash
+mtr -rwc 5 localhost
+```
+
+```text
+Start: 2026-06-14T14:16:26+0000
+HOST: ae8db4a22f62 Loss%   Snt   Last   Avg  Best  Wrst StDev
+  1.|-- localhost     0.0%     5    0.0   0.1   0.0   0.2   0.1
+```
+
+Decision: localhost is reachable in one hop with no loss.
+
+#### 4. DNS works
+
+```bash
+dig +short example.com @1.1.1.1
+```
+
+```text
+172.66.147.243
+104.20.23.154
+```
+
+Decision: external DNS resolution through `1.1.1.1` works.
+
+#### 5. Logs
+
+```bash
+journalctl --user -u quicknotes -n 20 || true
+```
+
+```text
+No journal files were found.
+-- No entries --
+```
+
+Decision: QuickNotes was started manually with `go run`, not installed as a user systemd service, so there were no journal entries. The process logs were visible in the terminal output.
+
+### 1.4 If QuickNotes returned 502
+
+If QuickNotes returned `502 Bad Gateway`, I would start at the proxy or load balancer because 502 usually means the proxy could not get a valid response from its upstream. My outside-in order would be: confirm that the proxy routes to the expected host and port, check that QuickNotes is listening with `ss -tlnp`, call `/health` directly with `curl -v`, and then inspect service logs for crashes, bind failures, or timeouts. If the direct health check worked, I would look at proxy timeout settings, upstream DNS resolution, and firewall/network rules between the proxy and QuickNotes.
+
+## Task 2 - Outside-In Debugging on a Broken Deploy
+
+### 2.1 Broken instance
+
+To reproduce the broken deploy, I left one QuickNotes process running on `:8080` and started a second copy on the same port:
+
+```bash
+ADDR=:8080 DATA_PATH=/tmp/quicknotes-lab4-broken.json SEED_PATH=seed.json go run .
+```
+
+```text
+2026/06/14 14:16:36 quicknotes listening on :8080 (notes loaded: 4)
+2026/06/14 14:16:36 listen: listen tcp :8080: bind: address already in use
+exit status 1
+```
+
+Root cause: the second process could not bind `:8080` because the first process already owned that port.
+
+### 2.2 Outside-in chain
+
+#### 1. Is it running?
+
+```bash
+ps -ef | grep quicknotes
+```
+
+```text
+root      2698   898  0 14:16 ?        00:00:00 /tmp/go-build1352676339/b001/exe/quicknotes
+```
+
+Decision: one QuickNotes process was still running.
+
+#### 2. Is it listening?
+
+```bash
+ss -tlnp | grep 8080
+```
+
+```text
+LISTEN 0      4096               *:8080            *:*    users:(("quicknotes",pid=2698,fd=3))
+```
+
+Decision: PID `2698` already owned port `8080`.
+
+#### 3. Reachable from host/container?
+
+```bash
+curl -s -o /dev/null -w "%{http_code}\n" http://localhost:8080/health
+```
+
+```text
+200
+```
+
+Decision: the already-running instance was healthy, so the failed deploy was a bind conflict, not a total app outage.
+
+#### 4. Firewall blocking?
+
+```bash
+iptables -L -n -v 2>/dev/null || nft list ruleset 2>/dev/null || true
+```
+
+```text
+Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target     prot opt in     out     source               destination
+
+Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target     prot opt in     out     source               destination
+
+Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
+ pkts bytes target     prot opt in     out     source               destination
+```
+
+Decision: the firewall policy was accepting traffic. Since `/health` returned `200`, the failure was not caused by a firewall block.
+
+#### 5. DNS?
+
+```bash
+dig +short localhost
+```
+
+```text
+127.0.0.1
+```
+
+Decision: `localhost` resolved correctly.
+
+### 2.3 Repair and re-verify
+
+I killed the conflicting instance, restarted QuickNotes, and checked `/health`:
+
+```bash
+ADDR=:8080 DATA_PATH=/tmp/quicknotes-lab4-repaired.json SEED_PATH=seed.json go run .
+curl -s http://localhost:8080/health
+```
+
+```text
+2026/06/14 14:16:38 quicknotes listening on :8080 (notes loaded: 4)
+{"notes":4,"status":"ok"}
+```
+
+Decision: after removing the port conflict, QuickNotes started and served health checks correctly.
+
+### 2.4 Mini-postmortem
+
+The outage was caused by two QuickNotes processes trying to own the same fixed port. This is a systemic failure because port ownership is hidden shared state: a deploy script can start a new process while an old one still exists, or a service manager can retry without cleaning up the previous instance. Better tooling would make the state explicit before deploy: a systemd unit with a clear restart policy, preflight checks for the target port, health checks that distinguish "old instance healthy" from "new instance started", and deployment automation that stops or drains the old process before binding the new one. Nobody needs blame for the bind error; the process model should make double-starts hard to create and easy to diagnose.
+
+## Bonus - TLS Handshake
+
+I attempted the bonus task with nginx as the TLS-terminating reverse proxy. QuickNotes still served plain HTTP on `:8080`, and nginx served HTTPS on `:8443` with a self-signed localhost certificate.
+
+### B.1 HTTPS layer
+
+I generated a self-signed certificate and configured nginx to proxy HTTPS traffic to QuickNotes:
+
+```nginx
+server {
+  listen 8443 ssl;
+  server_name localhost;
+  ssl_certificate /tmp/lab4-tls/localhost.crt;
+  ssl_certificate_key /tmp/lab4-tls/localhost.key;
+  ssl_protocols TLSv1.2 TLSv1.3;
+
+  location / {
+    proxy_pass http://127.0.0.1:8080;
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-Proto https;
+  }
+}
+```
+
+Listeners:
+
+```text
+LISTEN 0      511          0.0.0.0:8443      0.0.0.0:*    users:(("nginx",pid=2661,fd=5))
+LISTEN 0      4096               *:8080            *:*    users:(("quicknotes",pid=2686,fd=3))
+```
+
+### B.2 Capture the TLS handshake
+
+```bash
+tcpdump -i lo -nn -s 0 -w submissions/lab4-tls.pcap 'tcp port 8443'
+curl -vk https://localhost:8443/health
+```
+
+```text
+* TLSv1.3 (OUT), TLS handshake, Client hello (1):
+* TLSv1.3 (IN), TLS handshake, Server hello (2):
+* TLSv1.3 (IN), TLS handshake, Certificate (11):
+* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
+* Server certificate:
+*  subject: CN=localhost
+*  issuer: CN=localhost
+< HTTP/1.1 200 OK
+{"notes":4,"status":"ok"}
+```
+
+The TLS capture is saved as `submissions/lab4-tls.pcap`.
+
+### B.3 Decode the handshake
+
+I decoded the pcap with `tshark`:
+
+- `submissions/lab4-tls-clienthello.txt` - ClientHello decode.
+- `submissions/lab4-tls-serverhello.txt` - ServerHello decode.
+- `submissions/lab4-tls-certificate.txt` - certificate chain from `openssl s_client`.
+- `submissions/lab4-tls-summary.txt` - concise summary.
+- `submissions/lab4-tls-evidence.txt` - full command output.
+
+ClientHello highlights:
+
+```text
+Server Name: localhost
+Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
+Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
+Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
+Supported Version: TLS 1.3 (0x0304)
+Supported Version: TLS 1.2 (0x0303)
+Supported Version: TLS 1.1 (0x0302)
+Supported Version: TLS 1.0 (0x0301)
+```
+
+ServerHello highlights:
+
+```text
+Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
+Extension: supported_versions (len=2)
+Supported Version: TLS 1.3 (0x0304)
+Key Share Entry: Group: x25519
+```
+
+Certificate chain:
+
+```text
+Certificate chain
+ 0 s:CN = localhost
+   i:CN = localhost
+   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
+   v:NotBefore: Jun 14 15:06:32 2026 GMT; NotAfter: Jun 15 15:06:32 2026 GMT
+
+Verify return code: 18 (self-signed certificate)
+```
+
+The negotiation step that kills TLS 1.0 and TLS 1.1 is the protocol version negotiation in ServerHello. The client advertised multiple supported versions, including TLS 1.0 and 1.1, but nginx was configured with only `TLSv1.2 TLSv1.3`. The server selected `TLS 1.3 (0x0304)` in the `supported_versions` extension. A client that only supported TLS 1.0 or 1.1 would be rejected before any HTTP request was sent.