Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Semantic conventions for TLS/SSL encrypted communication #21

Merged
merged 22 commits into from
Nov 13, 2023
Merged

Add Semantic conventions for TLS/SSL encrypted communication #21

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
e6cc5ba
Add Semantic conventions for TLS/SSL encrypted communication
svrnm May 15, 2023
9e54d14
Merge branch 'open-telemetry:main' into add-tls-semconv
svrnm Jun 6, 2023
be49177
Apply suggestions from code review
svrnm Jul 28, 2023
bee3613
Merge branch 'main' into add-tls-semconv
svrnm Jul 28, 2023
7c6be30
fix structure, apply suggestions
svrnm Jul 28, 2023
e722aeb
Apply suggestions from code review
svrnm Oct 16, 2023
0265ae7
Apply suggestions from code review
svrnm Oct 16, 2023
b0ed806
Merge branch 'main' into add-tls-semconv
svrnm Oct 16, 2023
8908b9e
Update docs/tls/tls-spans.md
svrnm Oct 16, 2023
f628503
Refactor TLS into registry
svrnm Oct 16, 2023
6c6542b
Sort tls attributes alphabetically
svrnm Oct 16, 2023
7e44549
Fix YAML
svrnm Oct 16, 2023
d67a887
Merge branch 'main' into add-tls-semconv
svrnm Oct 23, 2023
f5af1cb
Merge branch 'main' into add-tls-semconv
AlexanderWert Oct 23, 2023
aa4ebe5
Remove requirement levels
svrnm Oct 23, 2023
9befa13
Add CHANGELOG entry
svrnm Oct 23, 2023
a5db29e
Merge branch 'main' into add-tls-semconv
AlexanderWert Oct 25, 2023
d3014e8
Merge branch 'main' into add-tls-semconv
AlexanderWert Oct 30, 2023
764872b
Merge branch 'main' into add-tls-semconv
svrnm Nov 6, 2023
ff608e6
Merge branch 'main' into add-tls-semconv
joaopgrassi Nov 7, 2023
f5fde9c
Add README entry
svrnm Nov 8, 2023
04caa2d
Merge branch 'main' into add-tls-semconv
AlexanderWert Nov 13, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
204 changes: 204 additions & 0 deletions semantic_conventions/trace/tls.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,204 @@
groups:
- id: tls
prefix: tls
type: span
lmolkova marked this conversation as resolved.
Show resolved Hide resolved
brief: "This document defines semantic conventions for TLS/SSL client and server Spans."
attributes:
- id: version
svrnm marked this conversation as resolved.
Show resolved Hide resolved
requirement_level: required
brief: >
Numeric part of the version parsed from the original string of the
negotiated [SSL/TLS protocol version](https://www.openssl.org/docs/man1.1.1/man3/SSL_get_version.html#RETURN-VALUES)
type: string
examples: ["1.2", "3"]
- id: version_protocol
svrnm marked this conversation as resolved.
Show resolved Hide resolved
requirement_level: required
svrnm marked this conversation as resolved.
Show resolved Hide resolved
brief: >
Normalized lowercase protocol name parsed from original string of the
negotiated [SSL/TLS protocol version](https://www.openssl.org/docs/man1.1.1/man3/SSL_get_version.html#RETURN-VALUES)
type:
allow_custom_values: false
svrnm marked this conversation as resolved.
Show resolved Hide resolved
members:
- id: ssl
value: ssl
- id: tls
value: tls
- id: unknown
value: unknown
svrnm marked this conversation as resolved.
Show resolved Hide resolved
- id: cipher
requirement_level: opt_in
brief: >
String indicating the [cipher](https://datatracker.ietf.org/doc/html/rfc5246#appendix-A.5)
used during the current connection.
type: string
examples:
[
"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
]
- id: curve
requirement_level: opt_in
brief: "String indicating the curve used for the given cipher, when applicable"
type: string
examples: ["secp256r1"]
- id: established
requirement_level: opt_in
brief: "Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel."
type: boolean
examples: [true]
- id: next_protocol
requirement_level: opt_in
brief: >
String indicating the protocol being tunneled.
Per the values in the [IANA registry](https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids),
this string should be lower case.
type: string
examples: ["http/1.1"]
- id: resumed
requirement_level: opt_in
brief: "Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation."
type: boolean
examples: [true]
- id: tls.client
prefix: tls.client
type: span
brief: "The following additional attributes describe the client participating in secure communication."
attributes:
- id: certificate
type: string
requirement_level: opt_in
brief: >
PEM-encoded stand-alone certificate offered by the client.
This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list.
examples:
['MII...']
- id: certificate_chain
type: string[]
requirement_level: opt_in
brief: >
Array of PEM-encoded certificates that make up the certificate chain offered by the client.
This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain.
examples:
['MII...', 'MI...']
- id: issuer
type: string
requirement_level: opt_in
brief: "Distinguished name of [subject](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6) of the issuer of the x.509 certificate presented by the client."
examples:
["CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com"]
- id: ja3
type: string
requirement_level: opt_in
brief: "A hash that identifies clients based on how they perform an SSL/TLS handshake."
examples: ["d4e5b18d6b55c71272893221c96ba240"]
- id: not_after
type: string
requirement_level: opt_in
brief: "Date/Time indicating when client certificate is no longer considered valid."
examples: ["2021-01-01T00:00:00.000Z"]
- id: not_before
type: string
requirement_level: opt_in
brief: "Date/Time indicating when client certificate is first considered valid."
examples: ["1970-01-01T00:00:00.000Z"]
- id: server_name
type: string
requirement_level: opt_in
brief: 'Also called an SNI, this tells the server which hostname to which the client is attempting to connect to.'
examples: ["opentelemetry.io"]
- id: subject
type: string
requirement_level: opt_in
brief: "Distinguished name of subject of the x.509 certificate presented by the client."
examples: ["CN=myclient, OU=Documentation Team, DC=example, DC=com"]
- id: hash.md5
type: string
requirement_level: opt_in
brief: >
Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client.
For consistency with other hash values, this value should be formatted as an uppercase hash.
examples: ["0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC"]
- id: hash.sha1
type: string
requirement_level: opt_in
brief: >
Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client.
For consistency with other hash values, this value should be formatted as an uppercase hash.
examples: ["9E393D93138888D288266C2D915214D1D1CCEB2A"]
- id: hash.sha256
type: string
requirement_level: opt_in
brief: >
Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client.
For consistency with other hash values, this value should be formatted as an uppercase hash.
examples:
["0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0"]
- id: tls.server
prefix: tls.server
type: span
brief: "The following additional attributes describe the server participating in secure communication."
attributes:
- id: certificate
type: string
requirement_level: opt_in
brief: >
PEM-encoded stand-alone certificate offered by the server.
This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list.
examples:
['MII...']
- id: certificate_chain
type: string[]
requirement_level: opt_in
brief: >
Array of PEM-encoded certificates that make up the certificate chain offered by the server.
This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain.
examples:
['MII...', 'MI...']
- id: issuer
type: string
requirement_level: opt_in
brief: "Distinguished name of [subject](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6) of the issuer of the x.509 certificate presented by the client."
examples:
["CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com"]
- id: ja3s
type: string
requirement_level: opt_in
brief: "A hash that identifies servers based on how they perform an SSL/TLS handshake."
examples: ["d4e5b18d6b55c71272893221c96ba240"]
- id: not_after
type: string
requirement_level: opt_in
brief: "Date/Time indicating when server certificate is no longer considered valid."
examples: ["2021-01-01T00:00:00.000Z"]
- id: not_before
type: string
requirement_level: opt_in
brief: "Date/Time indicating when server certificate is first considered valid."
examples: ["1970-01-01T00:00:00.000Z"]
- id: subject
type: string
requirement_level: opt_in
brief: "Distinguished name of subject of the x.509 certificate presented by the server."
examples: ["CN=myserver, OU=Documentation Team, DC=example, DC=com"]
- id: hash.md5
type: string
requirement_level: opt_in
brief: >
Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server.
For consistency with other hash values, this value should be formatted as an uppercase hash.
examples: ["0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC"]
- id: hash.sha1
type: string
requirement_level: opt_in
brief: >
Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server.
For consistency with other hash values, this value should be formatted as an uppercase hash.
examples: ["9E393D93138888D288266C2D915214D1D1CCEB2A"]
- id: hash.sha256
type: string
requirement_level: opt_in
brief: >
Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server.
For consistency with other hash values, this value should be formatted as an uppercase hash.
examples:
["0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0"]
80 changes: 80 additions & 0 deletions specification/trace/semantic_conventions/tls.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
# Semantic conventions for TLS spans

**Status**: [Experimental](../../document-status.md)

This document defines semantic conventions for TLS/SSL client and server Spans.
svrnm marked this conversation as resolved.
Show resolved Hide resolved

<!-- Re-generate TOC with `markdown-toc --no-first-h1 -i` -->

<!-- toc -->

- [Common Attributes](#common-attributes)
- [Client attributes](#client-attributes)
- [Server attributes](#server-attributes)

<!-- tocstop -->

## Common Attributes

These attributes may be used for base information of any TLS/SSL encrypted communication.

<!-- semconv tls -->
| Attribute | Type | Description | Examples | Requirement Level |
|---|---|---|---|---|
| `tls.version` | string | Numeric part of the version parsed from the original string of the negotiated [SSL/TLS protocol version](https://www.openssl.org/docs/man1.1.1/man3/SSL_get_version.html#RETURN-VALUES) | `1.2`; `3` | Required |
| `tls.version_protocol` | string | Normalized lowercase protocol name parsed from original string of the negotiated [SSL/TLS protocol version](https://www.openssl.org/docs/man1.1.1/man3/SSL_get_version.html#RETURN-VALUES) | `ssl` | Required |
| `tls.cipher` | string | String indicating the [cipher](https://datatracker.ietf.org/doc/html/rfc5246#appendix-A.5) used during the current connection. | `TLS_RSA_WITH_3DES_EDE_CBC_SHA`; `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` | Opt-In |
| `tls.curve` | string | String indicating the curve used for the given cipher, when applicable | `secp256r1` | Opt-In |
| `tls.established` | boolean | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | `True` | Opt-In |
| `tls.next_protocol` | string | String indicating the protocol being tunneled. Per the values in the [IANA registry](https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids), this string should be lower case. | `http/1.1` | Opt-In |
| `tls.resumed` | boolean | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. | `True` | Opt-In |

`tls.version_protocol` MUST be one of the following:

| Value | Description |
|---|---|
| `ssl` | ssl |
| `tls` | tls |
| `unknown` | unknown |
<!-- endsemconv -->

The values allowed for `tls.cipher` MUST be one of the `Descriptions` of the [registered TLS Cipher Suits](https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#table-tls-parameters-4).

## Client attributes

The following additional attributes describe the client participating in secure communication.

<!-- semconv tls.client -->
| Attribute | Type | Description | Examples | Requirement Level |
|---|---|---|---|---|
| `tls.client.certificate` | string | PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list. | `MII...` | Opt-In |
| `tls.client.certificate_chain` | string[] | Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain. | `[MII..., MI...]` | Opt-In |
| `tls.client.issuer` | string | Distinguished name of [subject](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6) of the issuer of the x.509 certificate presented by the client. | `CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com` | Opt-In |
| `tls.client.ja3` | string | A hash that identifies clients based on how they perform an SSL/TLS handshake. | `d4e5b18d6b55c71272893221c96ba240` | Opt-In |
| `tls.client.not_after` | string | Date/Time indicating when client certificate is no longer considered valid. | `2021-01-01T00:00:00.000Z` | Opt-In |
| `tls.client.not_before` | string | Date/Time indicating when client certificate is first considered valid. | `1970-01-01T00:00:00.000Z` | Opt-In |
| `tls.client.server_name` | string | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. | `opentelemetry.io` | Opt-In |
| `tls.client.subject` | string | Distinguished name of subject of the x.509 certificate presented by the client. | `CN=myclient, OU=Documentation Team, DC=example, DC=com` | Opt-In |
| `tls.client.hash.md5` | string | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | `0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC` | Opt-In |
| `tls.client.hash.sha1` | string | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | `9E393D93138888D288266C2D915214D1D1CCEB2A` | Opt-In |
| `tls.client.hash.sha256` | string | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash. | `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0` | Opt-In |
<!-- endsemconv -->

## Server attributes

The following additional attributes describe the server participating in secure communication.

<!-- semconv tls.server -->
| Attribute | Type | Description | Examples | Requirement Level |
|---|---|---|---|---|
| `tls.server.certificate` | string | PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of `server.certificate_chain` since this value also exists in that list. | `MII...` | Opt-In |
| `tls.server.certificate_chain` | string[] | Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of `server.certificate` since that value should be the first certificate in the chain. | `[MII..., MI...]` | Opt-In |
| `tls.server.issuer` | string | Distinguished name of [subject](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6) of the issuer of the x.509 certificate presented by the client. | `CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com` | Opt-In |
| `tls.server.ja3s` | string | A hash that identifies servers based on how they perform an SSL/TLS handshake. | `d4e5b18d6b55c71272893221c96ba240` | Opt-In |
| `tls.server.not_after` | string | Date/Time indicating when server certificate is no longer considered valid. | `2021-01-01T00:00:00.000Z` | Opt-In |
| `tls.server.not_before` | string | Date/Time indicating when server certificate is first considered valid. | `1970-01-01T00:00:00.000Z` | Opt-In |
| `tls.server.subject` | string | Distinguished name of subject of the x.509 certificate presented by the server. | `CN=myserver, OU=Documentation Team, DC=example, DC=com` | Opt-In |
| `tls.server.hash.md5` | string | Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | `0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC` | Opt-In |
| `tls.server.hash.sha1` | string | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | `9E393D93138888D288266C2D915214D1D1CCEB2A` | Opt-In |
| `tls.server.hash.sha256` | string | Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | `0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0` | Opt-In |
<!-- endsemconv -->