TLS

• TLS Attributes
• TLS Deprecated Attributes

TLS Attributes

This document defines semantic convention attributes in the TLS namespace.

Attribute	Type	Description	Examples	Stability
tls.cipher	string	String indicating the cipher used during the current connection. [1]	TLS_RSA_WITH_3DES_EDE_CBC_SHA; TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
tls.client.certificate	string	PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of client.certificate_chain since this value also exists in that list.	MII...
tls.client.certificate_chain	string[]	Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of client.certificate since that value should be the first certificate in the chain.	["MII...", "MI..."]
tls.client.hash.md5	string	Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.	0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
tls.client.hash.sha1	string	Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.	9E393D93138888D288266C2D915214D1D1CCEB2A
tls.client.hash.sha256	string	Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. For consistency with other hash values, this value should be formatted as an uppercase hash.	0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
tls.client.issuer	string	Distinguished name of subject of the issuer of the x.509 certificate presented by the client.	CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
tls.client.ja3	string	A hash that identifies clients based on how they perform an SSL/TLS handshake.	d4e5b18d6b55c71272893221c96ba240
tls.client.not_after	string	Date/Time indicating when client certificate is no longer considered valid.	2021-01-01T00:00:00.000Z
tls.client.not_before	string	Date/Time indicating when client certificate is first considered valid.	1970-01-01T00:00:00.000Z
tls.client.subject	string	Distinguished name of subject of the x.509 certificate presented by the client.	CN=myclient, OU=Documentation Team, DC=example, DC=com
tls.client.supported_ciphers	string[]	Array of ciphers offered by the client during the client hello.	["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "..."]
tls.curve	string	String indicating the curve used for the given cipher, when applicable	secp256r1
tls.established	boolean	Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel.	true
tls.next_protocol	string	String indicating the protocol being tunneled. Per the values in the IANA registry, this string should be lower case.	http/1.1
tls.protocol.name	string	Normalized lowercase protocol name parsed from original string of the negotiated SSL/TLS protocol version	ssl; tls
tls.protocol.version	string	Numeric part of the version parsed from the original string of the negotiated SSL/TLS protocol version	1.2; 3
tls.resumed	boolean	Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation.	true
tls.server.certificate	string	PEM-encoded stand-alone certificate offered by the server. This is usually mutually-exclusive of server.certificate_chain since this value also exists in that list.	MII...
tls.server.certificate_chain	string[]	Array of PEM-encoded certificates that make up the certificate chain offered by the server. This is usually mutually-exclusive of server.certificate since that value should be the first certificate in the chain.	["MII...", "MI..."]
tls.server.hash.md5	string	Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.	0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC
tls.server.hash.sha1	string	Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.	9E393D93138888D288266C2D915214D1D1CCEB2A
tls.server.hash.sha256	string	Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash.	0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0
tls.server.issuer	string	Distinguished name of subject of the issuer of the x.509 certificate presented by the client.	CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com
tls.server.ja3s	string	A hash that identifies servers based on how they perform an SSL/TLS handshake.	d4e5b18d6b55c71272893221c96ba240
tls.server.not_after	string	Date/Time indicating when server certificate is no longer considered valid.	2021-01-01T00:00:00.000Z
tls.server.not_before	string	Date/Time indicating when server certificate is first considered valid.	1970-01-01T00:00:00.000Z
tls.server.subject	string	Distinguished name of subject of the x.509 certificate presented by the server.	CN=myserver, OU=Documentation Team, DC=example, DC=com

[1]: The values allowed for tls.cipher MUST be one of the Descriptions of the registered TLS Cipher Suits.

tls.protocol.name has the following list of well-known values. If one of them applies, then the respective value MUST be used; otherwise, a custom value MAY be used.

Value	Description	Stability
ssl	ssl
tls	tls

TLS Deprecated Attributes

Describes deprecated tls attributes.

Attribute	Type	Description	Examples	Stability
tls.client.server_name	string	Deprecated, use server.address instead.	opentelemetry.io	Replaced by `server.address.