Feature #7970

open

tls: Log elliptic curve ID

Added by Jamie Lavigne about 12 hours ago. Updated about 12 hours ago.

Status: New
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Feature request to support logging the value of the chosen elliptic curve (when used) in TLS event logs. It would be OK for this to be enabled by extended logging.

When elliptic curve protocols are used for key exchange, the chosen curve ID will appear in either the server key exchange message (TLS 1.2) or the key_share extension of the client hello (TLS 1.3). For security monitoring use cases it would be useful to support logging this value in TLS event logs.

#1

Updated by Jamie Lavigne about 12 hours ago

Searchable keyword: protolog

#2

Updated by Jamie Lavigne about 12 hours ago

Additionally, we expect the usage of post-quantum TLS to continue to increase over time, so we should maybe think ahead to support those key exchange methods too. The equivalent for these would probably be to support logging the Kyber parameter set name like Kyber512 or Kyber1024. If we supported logging both the key exchange method and the selected parameters (the curve ID for EC-based methods and the parameter set for Kyber) then both cases would be covered.
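As an added illustration for the description and for comment #2 (this is example code written here, not code from the issue or from the project it was filed against), the following Python shows where the group codepoint sits in each message named above and how a logger would turn it into a name: the ECParameters.namedcurve at the head of a TLS 1.2 ServerKeyExchange, and the key_share extension of a TLS 1.3 ClientHello (a list of offered groups) or ServerHello (the single selected group, which is what a "chosen curve" log field would actually want). The group table is a subset of the IANA TLS Supported Groups registry; the post-quantum hybrid codepoints (X25519Kyber768Draft00, X25519MLKEM768, SecP256r1MLKEM768) show that in TLS the Kyber/ML-KEM parameter set is carried inside the group name rather than as a separate field, so logging the group name covers both cases comment #2 describes. All function names are this example's own, and the three sample records are hand-built (dummy random, dummy key shares, empty signature), not captured traffic.

```python
import struct

# IANA "TLS Supported Groups" codepoints (subset). The post-quantum hybrid
# entries carry the Kyber/ML-KEM parameter set in the group name itself.
NAMED_GROUPS = {
    23: "secp256r1", 24: "secp384r1", 25: "secp521r1", 29: "x25519", 30: "x448",
    0x6399: "X25519Kyber768Draft00", 0x11EC: "X25519MLKEM768", 0x11EB: "SecP256r1MLKEM768",
}
CLIENT_HELLO, SERVER_HELLO, SERVER_KEY_EXCHANGE = 1, 2, 12   # handshake message types
EXT_KEY_SHARE, CURVE_TYPE_NAMED_CURVE = 51, 3                 # key_share ext; ECParameters named_curve

def group_name(gid):
    return NAMED_GROUPS.get(gid, f"unknown(0x{gid:04x})")

def iter_handshake_messages(record):
    """Yield (msg_type, body) for each message in one plaintext Handshake record."""
    ctype, _ver, length = struct.unpack("!BHH", record[:5])
    if ctype != 22 or len(record) < 5 + length:
        raise ValueError("not a complete handshake record")
    payload, off = record[5:5 + length], 0
    while off + 4 <= len(payload):
        msg_type = payload[off]
        msg_len = int.from_bytes(payload[off + 1:off + 4], "big")
        body = payload[off + 4:off + 4 + msg_len]
        if len(body) != msg_len:
            raise ValueError("truncated handshake message")
        yield msg_type, body
        off += 4 + msg_len

def ske_named_curve(body):
    """TLS 1.2 ECDHE ServerKeyExchange starts with ECParameters {curve_type, namedcurve}."""
    if len(body) < 3 or body[0] != CURVE_TYPE_NAMED_CURVE:
        return None               # explicit-curve encodings carry no curve id
    return struct.unpack("!H", body[1:3])[0]

def hello_extensions(body, is_client):
    """Walk a ClientHello/ServerHello body; return {ext_type: ext_data}."""
    off = 2 + 32                                   # legacy_version + random
    off += 1 + body[off]                           # legacy_session_id
    if is_client:
        off += 2 + struct.unpack("!H", body[off:off + 2])[0]   # cipher_suites
        off += 1 + body[off]                                   # compression_methods
    else:
        off += 2 + 1                               # cipher_suite + compression_method
    if off + 2 > len(body):
        return {}                                  # no extensions block present
    ext_len = struct.unpack("!H", body[off:off + 2])[0]
    off, end, exts = off + 2, off + 2 + ext_len, {}
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        exts[etype] = body[off + 4:off + 4 + elen]
        off += 4 + elen
    return exts

def key_share_groups(ext_data, is_client):
    """ClientHello key_share lists offered KeyShareEntry; ServerHello carries the one selected."""
    if is_client:
        off, end = 2, 2 + struct.unpack("!H", ext_data[:2])[0]
    else:
        off, end = 0, len(ext_data)
    groups = []
    while off + 4 <= end:
        gid, klen = struct.unpack("!HH", ext_data[off:off + 4])
        groups.append(gid)
        off += 4 + klen
    return groups

def tls_log_groups(record):
    """Group names a logger would emit: selected curve (1.2 SKE), offered (1.3 CH), selected (1.3 SH)."""
    out = []
    for msg_type, body in iter_handshake_messages(record):
        if msg_type == SERVER_KEY_EXCHANGE:
            gid = ske_named_curve(body)
            if gid is not None:
                out.append(group_name(gid))
        elif msg_type in (CLIENT_HELLO, SERVER_HELLO):
            is_client = msg_type == CLIENT_HELLO
            ks = hello_extensions(body, is_client).get(EXT_KEY_SHARE)
            if ks is not None:
                out.extend(group_name(g) for g in key_share_groups(ks, is_client))
    return out

# --- constructed sample records (hand-built for this example, not captured traffic) ---
def _record(msg_type, body):
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

def _hello_body(is_client, key_share_data):
    ext = struct.pack("!HH", EXT_KEY_SHARE, len(key_share_data)) + key_share_data
    head = b"\x03\x03" + b"\x00" * 32 + b"\x00"          # version, random, empty session id
    head += b"\x00\x02\x13\x01\x01\x00" if is_client else b"\x13\x01\x00"  # suite(s), compression
    return head + struct.pack("!H", len(ext)) + ext

# TLS 1.2 ServerKeyExchange selecting x25519 (0x001d): dummy 32-byte point, empty signature.
SAMPLE_SKE = _record(SERVER_KEY_EXCHANGE, b"\x03\x00\x1d\x20" + b"\x11" * 32 + b"\x04\x03\x00\x00")
# TLS 1.3 ClientHello offering X25519MLKEM768 then x25519 (dummy 4-byte shares).
_OFFERED = b"".join(struct.pack("!HH", g, 4) + b"\xaa" * 4 for g in (0x11EC, 29))
SAMPLE_CH = _record(CLIENT_HELLO, _hello_body(True, struct.pack("!H", len(_OFFERED)) + _OFFERED))
# TLS 1.3 ServerHello selecting x25519: a single KeyShareEntry, no list length.
SAMPLE_SH = _record(SERVER_HELLO, _hello_body(False, struct.pack("!HH", 29, 4) + b"\xbb" * 4))
```

Calling tls_log_groups on the three samples gives ["x25519"], ["X25519MLKEM768", "x25519"] and ["x25519"] respectively. The ClientHello result is a list on purpose: a client may offer several shares, so a single "chosen curve" field for TLS 1.3 should be taken from the ServerHello (or, when the server picks a group the client did not send a share for, from the HelloRetryRequest), while the ClientHello list is better logged separately as what was offered.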
