Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Semantic conventions for TLS/SSL encrypted communication #21

Merged
merged 22 commits into from
Nov 13, 2023
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
204 changes: 204 additions & 0 deletions semantic_conventions/trace/tls.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,204 @@
groups:
- id: tls
prefix: tls
type: span
lmolkova marked this conversation as resolved.
Show resolved Hide resolved
brief: "This document defines semantic conventions for TLS/SSL client and server Spans."
attributes:
- id: version
svrnm marked this conversation as resolved.
Show resolved Hide resolved
requirement_level: required
brief: >
Numeric part of the version parsed from the original string of the
negotiated [SSL/TLS protocol version](https://www.openssl.org/docs/man1.1.1/man3/SSL_get_version.html#RETURN-VALUES)
type: string
examples: ["1.2", "3"]
- id: version_protocol
svrnm marked this conversation as resolved.
Show resolved Hide resolved
requirement_level: required
svrnm marked this conversation as resolved.
Show resolved Hide resolved
brief: >
Normalized lowercase protocol name parsed from original string of the
negotiated [SSL/TLS protocol version](https://www.openssl.org/docs/man1.1.1/man3/SSL_get_version.html#RETURN-VALUES)
type:
allow_custom_values: false
svrnm marked this conversation as resolved.
Show resolved Hide resolved
members:
- id: ssl
value: ssl
- id: tls
value: tls
- id: unknown
value: unknown
svrnm marked this conversation as resolved.
Show resolved Hide resolved
- id: cipher
requirement_level: opt_in
brief: >
String indicating the [cipher](https://datatracker.ietf.org/doc/html/rfc5246#appendix-A.5)
used during the current connection.
type: string
examples:
[
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
]
- id: curve
requirement_level: opt_in
brief: "String indicating the curve used for the given cipher, when applicable"
type: string
examples: ["secp256r1"]
- id: established
requirement_level: opt_in
brief: "Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel."
type: boolean
examples: [true]
- id: next_protocol
requirement_level: opt_in
brief: >
String indicating the protocol being tunneled.
Per the values in the [IANA registry](https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids),
this string should be lower case.
type: string
examples: ["http/1.1"]
- id: resumed
requirement_level: opt_in
brief: "Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation."
type: boolean
examples: [true]
- id: tls.client
prefix: tls.client
type: span
brief: "The following additional attributes describe the client participating in secure communication."
attributes:
- id: certificate
type: string
requirement_level: opt_in
brief: >
PEM-encoded stand-alone certificate offered by the client.
This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list.
examples:
['MII...']
- id: certificate_chain
type: string[]
requirement_level: opt_in
brief: >
Array of PEM-encoded certificates that make up the certificate chain offered by the client.
This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain.
examples:
['MII...', 'MI...']
- id: issuer
type: string
requirement_level: opt_in
brief: "Distinguished name of [subject](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6) of the issuer of the x.509 certificate presented by the client."
examples:
["CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com"]
- id: ja3
type: string
requirement_level: opt_in
brief: "A hash that identifies clients based on how they perform an SSL/TLS handshake."
examples: ["d4e5b18d6b55c71272893221c96ba240"]
- id: not_after
type: string
requirement_level: opt_in
brief: "Date/Time indicating when client certificate is no longer considered valid."
examples: ["2021-01-01T00:00:00.000Z"]
- id: not_before
type: string
requirement_level: opt_in
brief: "Date/Time indicating when client certificate is first considered valid."
examples: ["1970-01-01T00:00:00.000Z"]
- id: server_name
type: string
requirement_level: opt_in
brief: 'Also called an SNI, this tells the server which hostname to which the client is attempting to connect to.'
examples: ["opentelemetry.io"]
- id: subject
type: string
requirement_level: opt_in
brief: "Distinguished name of subject of the x.509 certificate presented by the client."
examples: ["CN=myclient, OU=Documentation Team, DC=example, DC=com"]
- id: hash.md5
type: string
requirement_level: opt_in
brief: >
Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
For consistency with other hash values, this value should be formatted as an uppercase hash.
examples: ["0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC"]
- id: hash.sha1
type: string
requirement_level: opt_in
brief: >
Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
For consistency with other hash values, this value should be formatted as an uppercase hash.
examples: ["9E393D93138888D288266C2D915214D1D1CCEB2A"]
- id: hash.sha256
type: string
requirement_level: opt_in
brief: >
Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
For consistency with other hash values, this value should be formatted as an uppercase hash.
examples:
["0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0"]
- id: tls.server
prefix: tls.server
type: span
brief: "The following additional attributes describe the server participating in secure communication."
attributes:
- id: certificate
type: string
requirement_level: opt_in
brief: >
PEM-encoded stand-alone certificate offered by the server.
This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list.
examples:
['MII...']
- id: certificate_chain
type: string[]
requirement_level: opt_in
brief: >
Array of PEM-encoded certificates that make up the certificate chain offered by the server.
This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain.
examples:
['MII...', 'MI...']
- id: issuer
type: string
requirement_level: opt_in
brief: "Distinguished name of [subject](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6) of the issuer of the x.509 certificate presented by the client."
examples:
["CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com"]
- id: ja3s
type: string
requirement_level: opt_in
brief: "A hash that identifies servers based on how they perform an SSL/TLS handshake."
examples: ["d4e5b18d6b55c71272893221c96ba240"]
- id: not_after
type: string
requirement_level: opt_in
brief: "Date/Time indicating when server certificate is no longer considered valid."
examples: ["2021-01-01T00:00:00.000Z"]
- id: not_before
type: string
requirement_level: opt_in
brief: "Date/Time indicating when server certificate is first considered valid."
examples: ["1970-01-01T00:00:00.000Z"]
- id: subject
type: string
requirement_level: opt_in
brief: "Distinguished name of subject of the x.509 certificate presented by the server."
examples: ["CN=myserver, OU=Documentation Team, DC=example, DC=com"]
- id: hash.md5
type: string
requirement_level: opt_in
brief: >
Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
For consistency with other hash values, this value should be formatted as an uppercase hash.
examples: ["0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC"]
- id: hash.sha1
type: string
requirement_level: opt_in
brief: >
Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
For consistency with other hash values, this value should be formatted as an uppercase hash.
examples: ["9E393D93138888D288266C2D915214D1D1CCEB2A"]
- id: hash.sha256
type: string
requirement_level: opt_in
brief: >
Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
For consistency with other hash values, this value should be formatted as an uppercase hash.
examples:
["0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0"]
80 changes: 80 additions & 0 deletions specification/trace/semantic_conventions/tls.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
# Semantic conventions for TLS spans

**Status**: [Experimental](../../document-status.md)

This document defines semantic conventions for TLS/SSL client and server Spans.
svrnm marked this conversation as resolved.
Show resolved Hide resolved

<!-- Re-generate TOC with `markdown-toc --no-first-h1 -i` -->

<!-- toc -->

- [Common Attributes](#common-attributes)
- [Client attributes](#client-attributes)
- [Server attributes](#server-attributes)

<!-- tocstop -->

## Common Attributes

These attributes may be used for base information of any TLS/SSL encrypted communication.

<!-- semconv tls -->
| Attribute | Type | Description | Examples | Requirement Level |
|---|---|---|---|---|
| `tls.version` | string | Numeric part of the version parsed from the original string of the negotiated [SSL/TLS protocol version](https://www.openssl.org/docs/man1.1.1/man3/SSL_get_version.html#RETURN-VALUES) | `1.2`; `3` | Required |
| `tls.version_protocol` | string | Normalized lowercase protocol name parsed from original string of the negotiated [SSL/TLS protocol version](https://www.openssl.org/docs/man1.1.1/man3/SSL_get_version.html#RETURN-VALUES) | `ssl` | Required |
| `tls.cipher` | string | String indicating the [cipher](https://datatracker.ietf.org/doc/html/rfc5246#appendix-A.5) used during the current connection. | `TLS_RSA_WITH_3DES_EDE_CBC_SHA`; `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` | Opt-In |
| `tls.curve` | string | String indicating the curve used for the given cipher, when applicable | `secp256r1` | Opt-In |
| `tls.established` | boolean | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | `True` | Opt-In |
| `tls.next_protocol` | string | String indicating the protocol being tunneled. Per the values in the [IANA registry](https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. | `http/1.1` | Opt-In |
| `tls.resumed` | boolean | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. | `True` | Opt-In |

`tls.version_protocol` MUST be one of the following:

| Value | Description |
|---|---|
| `ssl` | ssl |
| `tls` | tls |
| `unknown` | unknown |
<!-- endsemconv -->

The values allowed for `tls.cipher` MUST be one of the `Descriptions` of the [registered TLS Cipher Suits](https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#table-tls-parameters-4).

## Client attributes

The following additional attributes describe the client participating in secure communication.

<!-- semconv tls.client -->
| Attribute | Type | Description | Examples | Requirement Level |
|---|---|---|---|---|
| `tls.client.certificate` | string | PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. | `MII...` | Opt-In |
| `tls.client.certificate_chain` | string[] | Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. | `[MII..., MI...]` | Opt-In |
| `tls.client.issuer` | string | Distinguished name of [subject](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6) of the issuer of the x.509 certificate presented by the client. | `CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com` | Opt-In |
| `tls.client.ja3` | string | A hash that identifies clients based on how they perform an SSL/TLS handshake. | `d4e5b18d6b55c71272893221c96ba240` | Opt-In |
| `tls.client.not_after` | string | Date/Time indicating when client certificate is no longer considered valid. | `2021-01-01T00:00:00.000Z` | Opt-In |
| `tls.client.not_before` | string | Date/Time indicating when client certificate is first considered valid. | `1970-01-01T00:00:00.000Z` | Opt-In |
| `tls.client.server_name` | string | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. | `opentelemetry.io` | Opt-In |
| `tls.client.subject` | string | Distinguished name of subject of the x.509 certificate presented by the client. | `CN=myclient, OU=Documentation Team, DC=example, DC=com` | Opt-In |
| `tls.client.hash.md5` | string | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | `0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC` | Opt-In |
| `tls.client.hash.sha1` | string | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | `9E393D93138888D288266C2D915214D1D1CCEB2A` | Opt-In |
| `tls.client.hash.sha256` | string | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0` | Opt-In |
<!-- endsemconv -->

## Server attributes

The following additional attributes describe the server participating in secure communication.

<!-- semconv tls.server -->
| Attribute | Type | Description | Examples | Requirement Level |
|---|---|---|---|---|
| `tls.server.certificate` | string | PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. | `MII...` | Opt-In |
| `tls.server.certificate_chain` | string[] | Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. | `[MII..., MI...]` | Opt-In |
| `tls.server.issuer` | string | Distinguished name of [subject](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6) of the issuer of the x.509 certificate presented by the client. | `CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com` | Opt-In |
| `tls.server.ja3s` | string | A hash that identifies servers based on how they perform an SSL/TLS handshake. | `d4e5b18d6b55c71272893221c96ba240` | Opt-In |
| `tls.server.not_after` | string | Date/Time indicating when server certificate is no longer considered valid. | `2021-01-01T00:00:00.000Z` | Opt-In |
| `tls.server.not_before` | string | Date/Time indicating when server certificate is first considered valid. | `1970-01-01T00:00:00.000Z` | Opt-In |
| `tls.server.subject` | string | Distinguished name of subject of the x.509 certificate presented by the server. | `CN=myserver, OU=Documentation Team, DC=example, DC=com` | Opt-In |
| `tls.server.hash.md5` | string | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | `0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC` | Opt-In |
| `tls.server.hash.sha1` | string | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | `9E393D93138888D288266C2D915214D1D1CCEB2A` | Opt-In |
| `tls.server.hash.sha256` | string | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0` | Opt-In |
<!-- endsemconv -->