If the Client Hello request is somehow intercepted before it gets to the real server and this malicious server replies with its own certificate (not sure if this is possible, like maybe the malicious server has an actual valid certificate issued by a CA), so from here onwards the malicious server can simply receive, process and forward the requests from the client to the real server. When the actual server responds, it sends it to the malicious server. The malicious server inspects the message, repackages it with its own shared key with the client and sends it back to the client? Am I missing something?
What I have tried:
Not code; I've tried googling but didn't find an exact answer or a similar question.
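The part of the handshake the question turns on is what the client does with the certificate it receives: besides checking that the certificate chains to a CA in its trust store, a TLS client checks that the certificate's subject alternative names match the hostname it set out to connect to, so a certificate that a CA legitimately issued for some other name does not pass. The following is an added example, not code from the original post, that simulates those two checks on constructed certificate dicts in the shape `ssl.SSLSocket.getpeercert()` returns. The trusted-issuer set and all certificate contents are constructed; a real client does full chain validation (signatures, validity period, revocation) against the OS trust store rather than comparing issuer names as this stand-in does.

```python
"""Simulates the two checks a TLS client applies to a server certificate:
chain of trust (approximated here by a trusted-issuer set) and hostname
matching against subjectAltName. All certificates and the trusted-issuer
set are constructed for the example; no network or real CA is involved.
"""
from __future__ import annotations


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or '*' as the entire leftmost label
    matching exactly one label (so *.example.com matches a.example.com,
    but not example.com or b.a.example.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard must be the whole leftmost label and must leave at least
    # two fixed labels (e.g. "*.com" is rejected).
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_in_cert(cert: dict) -> list[str]:
    """DNS names the certificate is valid for: subjectAltName dNSName entries.
    Modern clients ignore the subject commonName, and so does this check."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    return any(_dns_name_matches(name, hostname) for name in names_in_cert(cert))


def issuer_cn(cert: dict) -> str | None:
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def verify_server_cert(cert: dict, hostname: str, trusted_issuers: set[str]) -> tuple[bool, str]:
    """Return (accepted, reason). Both checks must pass for the handshake to continue."""
    if issuer_cn(cert) not in trusted_issuers:
        return False, "issuer not trusted"
    if not hostname_matches(cert, hostname):
        return False, "hostname mismatch"
    return True, "ok"


# Constructed stand-in for the client's trust store.
TRUSTED_ISSUERS = {"Example Root CA"}

# Constructed: the certificate the genuine server presents.
REAL_SERVER_CERT = {
    "issuer": ((("commonName", "Example Root CA"),),),
    "subject": ((("commonName", "bank.example"),),),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "www.bank.example")),
}
# Constructed: a certificate that a trusted CA really issued, but for another name.
OTHER_SITE_CERT = {
    "issuer": ((("commonName", "Example Root CA"),),),
    "subject": ((("commonName", "other.example"),),),
    "subjectAltName": (("DNS", "other.example"), ("DNS", "*.other.example")),
}
# Constructed: a certificate that names bank.example but is signed by an untrusted CA.
UNTRUSTED_CA_CERT = {
    "issuer": ((("commonName", "Not A Real CA"),),),
    "subject": ((("commonName", "bank.example"),),),
    "subjectAltName": (("DNS", "bank.example"),),
}

if __name__ == "__main__":
    for label, cert in [("genuine", REAL_SERVER_CERT),
                        ("other site's valid cert", OTHER_SITE_CERT),
                        ("untrusted CA", UNTRUSTED_CA_CERT)]:
        print(label, "->", verify_server_cert(cert, "bank.example", TRUSTED_ISSUERS))
```

Run as a script, the block shows the genuine certificate accepted and both substitutes rejected: the one from an untrusted CA fails the chain check, and the one a trusted CA issued for `other.example` fails the hostname check even though it is perfectly valid for its own name. The check only protects a client that performs it: a client that disables certificate verification, or whose trust store has had an extra CA installed, does not get this protection.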