Feature #7971

open

tls: log state history

Added by Jamie Lavigne about 12 hours ago. Updated about 12 hours ago.

Status: New
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Feature request for additional detail in TLS log events. It would be OK for this to be enabled by TLS extended logging.

It would be very useful for extended TLS event logs to include a history of events in some form, so that security investigators would be able to use extended TLS logs to identify connections with unique or interesting histories. Any log schema that encodes the state history would be acceptable.

Zeek has a similar feature that could be used for inspiration that densely encodes the relevant state history in a small number of bytes: https://github.com/zeek/zeek/blob/4de7a2b947d8b1367238ff7bcebcc6638764f377/scripts/base/protocols/ssl/main.zeek#L75

An example from Zeek includes the field "ssl_history": "CsxknGIi" from which we can read this sequence of events in the TLS connection:
  • Client hello (C)
  • Server hello (s)
  • Server certificate exchange (x)
  • Server key exchange (k)
  • Server hello done (n)
  • Client key exchange (G)
  • Change cipher spec (I)
  • Client finished (i)
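
An added example (not part of the original request, and not Zeek or Suricata code) of the investigator workflow described above: stack compact history strings from JSON log lines and surface the rare ones, marking those that are a prefix of the most common history. The records, the `uid` field and the `history_report` helper are constructed for illustration; only the `ssl_history` field name and the `CsxknGIi` value come from the text above.

```python
import json
from collections import Counter

# Constructed sample records; "uid" is an assumed connection-id field.
SAMPLE_LOG = """\
{"uid": "c1", "ssl_history": "CsxknGIi"}
{"uid": "c2", "ssl_history": "CsxknGIi"}
{"uid": "c3", "ssl_history": "CsxknGIi"}
{"uid": "c4", "ssl_history": "CsxknGIi"}
{"uid": "c5", "ssl_history": "Cs"}
{"uid": "c6", "ssl_history": "CsxkGnIi"}
{"uid": "c7"}
"""

def history_report(lines, rare_share=0.2):
    """Return connections whose history string is rare in this log.

    "truncated" means the string is a prefix of the most common history
    (the exchange stopped early); "divergent" covers everything else.
    """
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or damaged lines
        hist = rec.get("ssl_history") if isinstance(rec, dict) else None
        if isinstance(hist, str) and hist:
            records.append((rec.get("uid"), hist))
    if not records:
        return []
    counts = Counter(hist for _, hist in records)
    baseline = counts.most_common(1)[0][0]
    findings = []
    for uid, hist in records:
        share = counts[hist] / len(records)
        if hist == baseline or share > rare_share:
            continue
        kind = "truncated" if baseline.startswith(hist) else "divergent"
        findings.append({"uid": uid, "ssl_history": hist,
                         "kind": kind, "share": round(share, 2)})
    return findings

if __name__ == "__main__":
    for finding in history_report(SAMPLE_LOG.splitlines()):
        print(finding)
```

Because the history is a short string, this kind of stacking needs no knowledge of what each letter means; decoding can wait until a rare value has been singled out.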

#1

Updated by Jamie Lavigne about 12 hours ago

Searchable keyword: protolog
