Okay, that makes sense. What do you need the handshake keys for, though? Aren't the application keys enough to decrypt all of the data that you need to?
I think it's related to perfect forward secrecy. We used curl's SSLKEYLOGFILE environment variable to find out what tshark needed and then worked to reproduce what curl was producing.