TLS

TLS Attributes

This document defines semantic convention attributes in the TLS namespace.

AttributeTypeDescriptionExamplesStability
tls.cipherstringString indicating the cipher used during the current connection. [1]TLS_RSA_WITH_3DES_EDE_CBC_SHA; TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256Experimental
tls.client.certificatestringPEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of client.certificate_chain since this value also exists in that list.MII...Experimental
tls.client.certificate_chainstring[]Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of client.certificate since that value should be the first certificate in the chain.["MII...", "MI..."]Experimental
tls.client.hash.md5stringCertificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.0F76C7F2C55BFD7D8E8B8F4BFBF0C9ECExperimental
tls.client.hash.sha1stringCertificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.9E393D93138888D288266C2D915214D1D1CCEB2AExperimental
tls.client.hash.sha256stringCertificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0Experimental
tls.client.issuerstringDistinguished name of subject of the issuer of the x.509 certificate presented by the client.CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=comExperimental
tls.client.ja3stringA hash that identifies clients based on how they perform an SSL/TLS handshake.d4e5b18d6b55c71272893221c96ba240Experimental
tls.client.not_afterstringDate/Time indicating when client certificate is no longer considered valid.2021-01-01T00:00:00.000ZExperimental
tls.client.not_beforestringDate/Time indicating when client certificate is first considered valid.1970-01-01T00:00:00.000ZExperimental
tls.client.subjectstringDistinguished name of subject of the x.509 certificate presented by the client.CN=myclient, OU=Documentation Team, DC=example, DC=comExperimental
tls.client.supported_ciphersstring[]Array of ciphers offered by the client during the client hello.["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"]Experimental
tls.curvestringString indicating the curve used for the given cipher, when applicablesecp256r1Experimental
tls.establishedbooleanBoolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.trueExperimental
tls.next_protocolstringString indicating the protocol being tunneled. Per the values in the IANA registry, this string should be lower case.http/1.1Experimental
tls.protocol.namestringNormalized lowercase protocol name parsed from original string of the negotiated SSL/TLS protocol versionssl; tlsExperimental
tls.protocol.versionstringNumeric part of the version parsed from the original string of the negotiated SSL/TLS protocol version1.2; 3Experimental
tls.resumedbooleanBoolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.trueExperimental
tls.server.certificatestringPEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of server.certificate_chain since this value also exists in that list.MII...Experimental
tls.server.certificate_chainstring[]Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of server.certificate since that value should be the first certificate in the chain.["MII...", "MI..."]Experimental
tls.server.hash.md5stringCertificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.0F76C7F2C55BFD7D8E8B8F4BFBF0C9ECExperimental
tls.server.hash.sha1stringCertificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.9E393D93138888D288266C2D915214D1D1CCEB2AExperimental
tls.server.hash.sha256stringCertificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0Experimental
tls.server.issuerstringDistinguished name of subject of the issuer of the x.509 certificate presented by the client.CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=comExperimental
tls.server.ja3sstringA hash that identifies servers based on how they perform an SSL/TLS handshake.d4e5b18d6b55c71272893221c96ba240Experimental
tls.server.not_afterstringDate/Time indicating when server certificate is no longer considered valid.2021-01-01T00:00:00.000ZExperimental
tls.server.not_beforestringDate/Time indicating when server certificate is first considered valid.1970-01-01T00:00:00.000ZExperimental
tls.server.subjectstringDistinguished name of subject of the x.509 certificate presented by the server.CN=myserver, OU=Documentation Team, DC=example, DC=comExperimental

[1]: The values allowed for tls.cipher MUST be one of the Descriptions of the registered TLS Cipher Suits.

tls.protocol.name has the following list of well-known values. If one of them applies, then the respective value MUST be used; otherwise, a custom value MAY be used.

ValueDescriptionStability
sslsslExperimental
tlstlsExperimental

TLS Deprecated Attributes

Describes deprecated tls attributes.

AttributeTypeDescriptionExamplesStability
tls.client.server_namestringDeprecated, use server.address instead.opentelemetry.ioDeprecated
Replaced by server.address.