Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS Session Fields #452

Closed
peterpramb opened this issue May 9, 2019 · 7 comments
Closed

TLS Session Fields #452

peterpramb opened this issue May 9, 2019 · 7 comments

Comments

@peterpramb
Copy link

Is there already a consensus as to where to place session properties for TLS sessions? I found some reference to a tls subtree in #64, but nothing in the schema itself.

Will there be some session.tls group or the like with TLS session related fields, eg. protocol versions, ciphers, session identifier, and the like?
@webmat
Copy link
Contributor

webmat commented May 10, 2019

Yes, TLS is the next protocol in line after dns. So it's coming.

But I would recommend you proceed with custom fields for now. It would even be appreciated if you commented here (or opened a PR) with the way you've done it, or the way you think would make most sense.

Another thing you could consider is looking at how Packetbeat does it. We will likely start from this, see if it needs adjustments. If we determine we need to change things vs Packetbeat, we'll provide guidance on migration, which you may then be able to leverage for yourself :-)

@peterpramb
Copy link
Author

Thanks for the hint.

The field list in Packetbeat is fairly exhaustive. The only missing field for our use case is the verification result of the provided client certificate (which is really an application property and nothing available on network level), so for the sake of completeness something like:

- name: tls.client_certificate_verification_result
  type: keyword
  description: >
    The result of the server side verification of the provided client certificate.
    This is specific to the application terminating the TLS session. The value
    depends on the TLS library in use. With OpenSSL the resulting string is
    usually one of 'NONE', 'SUCCESS', 'GENEROUS', or 'FAILED:reason'.

And for the certificate attributes I specifically miss (L)ocality and Street, which can be ocasionally seen in the wild.

@webmat
Copy link
Contributor

webmat commented May 22, 2019

@peterpramb Thanks for the feedback! We'll be coming back to this, when we work on TLS

@webmat
Copy link
Contributor

webmat commented Mar 12, 2020

Closing, as #606 should address this.

@peterpramb
Copy link
Author

Unfortunately it still does not contain anything where I can put the client certificate's verification result (see my comment above) as provided by various TLS terminating applications like web servers...

@webmat
Copy link
Contributor

webmat commented Apr 23, 2020

@peterpramb We're getting there, tls.* was only the first part. The certs are coming #762, this will be good for TLS sessions, code signatures, eventually email and other things.

@peterpramb
Copy link
Author

Ok, fine for me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@webmat @peterpramb