| rfc9850v1.txt | rfc9850.txt | |||
|---|---|---|---|---|
| skipping to change at line 145 ¶ | skipping to change at line 145 ¶ | |||
| Implementations that record secrets to a file do so continuously as | Implementations that record secrets to a file do so continuously as | |||
| those secrets are generated. | those secrets are generated. | |||
| Each secret is described using a single line composed of three values | Each secret is described using a single line composed of three values | |||
| that are separated by a single space character (U+20). These values | that are separated by a single space character (U+20). These values | |||
| are: | are: | |||
| label: | label: | |||
| The label identifies the type of secret that is being conveyed; | The label identifies the type of secret that is being conveyed; | |||
| see Section 2.1 for descriptions of the labels that are defined in | see Sections 2.1, 2.2, and 2.3 for descriptions of the labels that | |||
| this document. | are defined in this document. | |||
| client_random: | client_random: | |||
| The 32-byte value of the Random field from the ClientHello message | The 32-byte value of the Random field from the ClientHello message | |||
| that established the TLS connection. This value is encoded as 64 | that established the TLS connection. This value is encoded as 64 | |||
| hexadecimal characters. In a log that can include secrets from | hexadecimal characters. In a log that can include secrets from | |||
| multiple connections, this field can be used to identify a | multiple connections, this field can be used to identify a | |||
| connection. | connection. | |||
| secret: | secret: | |||
| The value of the identified secret for the identified connection. | The value of the identified secret for the identified connection. | |||
| skipping to change at line 178 ¶ | skipping to change at line 178 ¶ | |||
| Logged secret values are not annotated with the cipher suite or other | Logged secret values are not annotated with the cipher suite or other | |||
| connection parameters. Therefore, a record of the TLS handshake | connection parameters. Therefore, a record of the TLS handshake | |||
| might be needed to use the logged secrets. | might be needed to use the logged secrets. | |||
| 2.1. Secret Labels for TLS 1.3 | 2.1. Secret Labels for TLS 1.3 | |||
| An implementation of TLS 1.3 produces a number of values as part of | An implementation of TLS 1.3 produces a number of values as part of | |||
| the key schedule (see Section 7.1 of [TLS13]). If ECH was | the key schedule (see Section 7.1 of [TLS13]). If ECH was | |||
| successfully negotiated for a given connection, these labels MUST be | successfully negotiated for a given connection, these labels MUST be | |||
| followed by the Random from the Inner ClientHello. Otherwise, the | followed by the value of the Random field from the Inner ClientHello. | |||
| Random from the Outer ClientHello MUST be used. | Otherwise, the Random field from the Outer ClientHello MUST be used. | |||
| Each of the following labels correspond to the equivalent secret | Each of the following labels correspond to the equivalent secret | |||
| produced by the key schedule: | produced by the key schedule: | |||
| CLIENT_EARLY_TRAFFIC_SECRET: | CLIENT_EARLY_TRAFFIC_SECRET: | |||
| This secret is used to protect records sent by the client as early | This secret is used to protect records sent by the client as early | |||
| data, if early data is attempted by the client. Note that a | data, if early data is attempted by the client. Note that a | |||
| server that rejects early data will not log this secret, though a | server that rejects early data will not log this secret, though a | |||
| client that attempts early data can do so unconditionally. | client that attempts early data can do so unconditionally. | |||
| skipping to change at line 306 ¶ | skipping to change at line 306 ¶ | |||
| Using an environment variable, such as SSLKEYLOGFILE, to enable | Using an environment variable, such as SSLKEYLOGFILE, to enable | |||
| logging implies that access to the launch context for the application | logging implies that access to the launch context for the application | |||
| is needed to authorize logging. On systems that support specially | is needed to authorize logging. On systems that support specially | |||
| named files, logs might be directed to these names so that logging | named files, logs might be directed to these names so that logging | |||
| does not result in storage but enables consumption by other programs. | does not result in storage but enables consumption by other programs. | |||
| In both cases, applications might require special authorization or | In both cases, applications might require special authorization or | |||
| might rely on system-level access control to limit access to these | might rely on system-level access control to limit access to these | |||
| capabilities. | capabilities. | |||
| Forward secrecy guarantees provided in TLS 1.3 (see Section 1.2 and | Forward secrecy guarantees provided in TLS 1.3 (see Section 1.3 and | |||
| Appendix E.1 of [RFC8446]) and some modes of TLS 1.2 (such as those | Appendix F.1 of [TLS13]) and some modes of TLS 1.2 (such as those in | |||
| in Sections 2.2 and 2.4 of [RFC4492]) do not hold if key material is | Sections 2.1 and 2.2 of [RFC8422]) do not hold if key material is | |||
| recorded. Access to key material allows an attacker to decrypt data | recorded. Access to key material allows an attacker to decrypt data | |||
| exchanged in any previously logged TLS connections. | exchanged in any previously logged TLS connections. | |||
| Logging the TLS 1.2 "master" secret provides the recipient of that | Logging the TLS 1.2 "master" secret provides the recipient of that | |||
| secret far greater access to an active connection than TLS 1.3 | secret far greater access to an active connection than TLS 1.3 | |||
| secrets provide. In addition to reading and altering protected | secrets provide. In addition to reading and altering protected | |||
| messages, the TLS 1.2 "master" secret confers the ability to resume | messages, the TLS 1.2 "master" secret confers the ability to resume | |||
| the connection and impersonate either endpoint, insert records that | the connection and impersonate either endpoint, insert records that | |||
| result in renegotiation, and forge Finished messages. | result in renegotiation, and forge Finished messages. | |||
| Implementations can avoid the risks associated with these | Implementations can avoid the risks associated with these | |||
| skipping to change at line 401 ¶ | skipping to change at line 401 ¶ | |||
| | Value | Description | Reference | | | Value | Description | Reference | | |||
| +=================================+=====================+===========+ | +=================================+=====================+===========+ | |||
| | CLIENT_RANDOM | Master secret in | RFC 9850 | | | CLIENT_RANDOM | Master secret in | RFC 9850 | | |||
| | | TLS 1.2 and | | | | | TLS 1.2 and | | | |||
| | | earlier | | | | | earlier | | | |||
| +---------------------------------+---------------------+-----------+ | +---------------------------------+---------------------+-----------+ | |||
| | CLIENT_EARLY_TRAFFIC_SECRET | Secret for client | RFC 9850 | | | CLIENT_EARLY_TRAFFIC_SECRET | Secret for client | RFC 9850 | | |||
| | | early data | | | | | early data | | | |||
| | | records | | | | | records | | | |||
| +---------------------------------+---------------------+-----------+ | +---------------------------------+---------------------+-----------+ | |||
| | EARLY_EXPORTER_SECRET | Early exporters | RFC 9850 | | | EARLY_EXPORTER_SECRET | Early exporter | RFC 9850 | | |||
| | | secret | | | | | secret | | | |||
| +---------------------------------+---------------------+-----------+ | +---------------------------------+---------------------+-----------+ | |||
| | CLIENT_HANDSHAKE_TRAFFIC_SECRET | Secret protecting | RFC 9850 | | | CLIENT_HANDSHAKE_TRAFFIC_SECRET | Secret protecting | RFC 9850 | | |||
| | | client handshake | | | | | client handshake | | | |||
| +---------------------------------+---------------------+-----------+ | +---------------------------------+---------------------+-----------+ | |||
| | SERVER_HANDSHAKE_TRAFFIC_SECRET | Secret protecting | RFC 9850 | | | SERVER_HANDSHAKE_TRAFFIC_SECRET | Secret protecting | RFC 9850 | | |||
| | | server handshake | | | | | server handshake | | | |||
| +---------------------------------+---------------------+-----------+ | +---------------------------------+---------------------+-----------+ | |||
| | CLIENT_TRAFFIC_SECRET_0 | Secret protecting | RFC 9850 | | | CLIENT_TRAFFIC_SECRET_0 | Secret protecting | RFC 9850 | | |||
| | | client records | | | | | client records | | | |||
| skipping to change at line 434 ¶ | skipping to change at line 434 ¶ | |||
| +---------------------------------+---------------------+-----------+ | +---------------------------------+---------------------+-----------+ | |||
| | ECH_CONFIG | ECHConfig used | RFC 9850 | | | ECH_CONFIG | ECHConfig used | RFC 9850 | | |||
| | | for construction | | | | | for construction | | | |||
| | | of the ECH | | | | | of the ECH | | | |||
| +---------------------------------+---------------------+-----------+ | +---------------------------------+---------------------+-----------+ | |||
| Table 1 | Table 1 | |||
| New assignments in the "TLS SSLKEYLOGFILE Labels" registry will be | New assignments in the "TLS SSLKEYLOGFILE Labels" registry will be | |||
| administered by IANA through the Specification Required procedure | administered by IANA through the Specification Required procedure | |||
| [RFC8126]. The role of the designated expert is described in | [RFC8126]. The role of designated experts for TLS registries is | |||
| Section 17 of [RFC8447]. The designated expert [RFC8126] ensures | described in Section 17 of [RFC8447]. Designated experts for this | |||
| that the specification is publicly available. In the Reference | registry are advised to ensure that the specification is publicly | |||
| column, it is sufficient to cite an Internet-Draft (that is posted | available. In the Reference column, it is sufficient to cite an | |||
| but not published as an RFC) or a document from another standards | Internet-Draft (that is posted but not published as an RFC) or a | |||
| body, an industry consortium, or any other location. The designated | document from another standards body, an industry consortium, or any | |||
| expert may provide more in-depth reviews, but their approval should | other organization. Designated experts may provide more in-depth | |||
| not be taken as an endorsement of the SSLKEYLOGFILE label. | reviews, but their approval should not be taken as an endorsement of | |||
| the SSLKEYLOGFILE label. | ||||
| 5. References | 5. References | |||
| 5.1. Normative References | 5.1. Normative References | |||
| [ECH] Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS | [ECH] Rescorla, E., Oku, K., Sullivan, N., and C. A. Wood, "TLS | |||
| Encrypted Client Hello", RFC 9849, DOI 10.17487/RFC9849, | Encrypted Client Hello", RFC 9849, DOI 10.17487/RFC9849, | |||
| December 2025, <https://www.rfc-editor.org/info/rfc9849>. | December 2025, <https://www.rfc-editor.org/info/rfc9849>. | |||
| [HPKE] Barnes, R., Bhargavan, K., Lipp, B., and C. Wood, "Hybrid | [HPKE] Barnes, R., Bhargavan, K., Lipp, B., and C. Wood, "Hybrid | |||
| skipping to change at line 495 ¶ | skipping to change at line 496 ¶ | |||
| L. Pardue, Ed., "qlog: Structured Logging for Network | L. Pardue, Ed., "qlog: Structured Logging for Network | |||
| Protocols", Work in Progress, Internet-Draft, draft-ietf- | Protocols", Work in Progress, Internet-Draft, draft-ietf- | |||
| quic-qlog-main-schema-13, 20 October 2025, | quic-qlog-main-schema-13, 20 October 2025, | |||
| <https://datatracker.ietf.org/doc/html/draft-ietf-quic- | <https://datatracker.ietf.org/doc/html/draft-ietf-quic- | |||
| qlog-main-schema-13>. | qlog-main-schema-13>. | |||
| [RFC0020] Cerf, V., "ASCII format for network interchange", STD 80, | [RFC0020] Cerf, V., "ASCII format for network interchange", STD 80, | |||
| RFC 20, DOI 10.17487/RFC0020, October 1969, | RFC 20, DOI 10.17487/RFC0020, October 1969, | |||
| <https://www.rfc-editor.org/info/rfc20>. | <https://www.rfc-editor.org/info/rfc20>. | |||
| [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. | ||||
| Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites | ||||
| for Transport Layer Security (TLS)", RFC 4492, | ||||
| DOI 10.17487/RFC4492, May 2006, | ||||
| <https://www.rfc-editor.org/info/rfc4492>. | ||||
| [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for | |||
| Writing an IANA Considerations Section in RFCs", BCP 26, | Writing an IANA Considerations Section in RFCs", BCP 26, | |||
| RFC 8126, DOI 10.17487/RFC8126, June 2017, | RFC 8126, DOI 10.17487/RFC8126, June 2017, | |||
| <https://www.rfc-editor.org/info/rfc8126>. | <https://www.rfc-editor.org/info/rfc8126>. | |||
| [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8422] Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic | |||
| Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Curve Cryptography (ECC) Cipher Suites for Transport Layer | |||
| <https://www.rfc-editor.org/info/rfc8446>. | Security (TLS) Versions 1.2 and Earlier", RFC 8422, | |||
| DOI 10.17487/RFC8422, August 2018, | ||||
| <https://www.rfc-editor.org/info/rfc8422>. | ||||
| [RFC8447] Salowey, J. and S. Turner, "IANA Registry Updates for TLS | [RFC8447] Salowey, J. and S. Turner, "IANA Registry Updates for TLS | |||
| and DTLS", RFC 8447, DOI 10.17487/RFC8447, August 2018, | and DTLS", RFC 8447, DOI 10.17487/RFC8447, August 2018, | |||
| <https://www.rfc-editor.org/info/rfc8447>. | <https://www.rfc-editor.org/info/rfc8447>. | |||
| [RFC8471] Popov, A., Ed., Nystroem, M., Balfanz, D., and J. Hodges, | [RFC8471] Popov, A., Ed., Nystroem, M., Balfanz, D., and J. Hodges, | |||
| "The Token Binding Protocol Version 1.0", RFC 8471, | "The Token Binding Protocol Version 1.0", RFC 8471, | |||
| DOI 10.17487/RFC8471, October 2018, | DOI 10.17487/RFC8471, October 2018, | |||
| <https://www.rfc-editor.org/info/rfc8471>. | <https://www.rfc-editor.org/info/rfc8471>. | |||
| skipping to change at line 552 ¶ | skipping to change at line 549 ¶ | |||
| "Recommendations for Secure Use of Transport Layer | "Recommendations for Secure Use of Transport Layer | |||
| Security (TLS) and Datagram Transport Layer Security | Security (TLS) and Datagram Transport Layer Security | |||
| (DTLS)", BCP 195, RFC 9325, DOI 10.17487/RFC9325, November | (DTLS)", BCP 195, RFC 9325, DOI 10.17487/RFC9325, November | |||
| 2022, <https://www.rfc-editor.org/info/rfc9325>. | 2022, <https://www.rfc-editor.org/info/rfc9325>. | |||
| Appendix A. Example | Appendix A. Example | |||
| The following is a sample of a file in SSLKEYLOGFILE format, | The following is a sample of a file in SSLKEYLOGFILE format, | |||
| including secrets from two TLS 1.3 connections. | including secrets from two TLS 1.3 connections. | |||
| # NOTE: '\' line wrapping per RFC 8792 | The examples below use line wrapping per [RFC8792]. | |||
| CLIENT_HANDSHAKE_TRAFFIC_SECRET \ | CLIENT_HANDSHAKE_TRAFFIC_SECRET \ | |||
| cf34899b3dcb8c9fe7160ceaf95d354a294793b67a2e49cb9cca4d69b43593a0 \ | cf34899b3dcb8c9fe7160ceaf95d354a294793b67a2e49cb9cca4d69b43593a0 \ | |||
| be4a28d81ce41242ff31c6d8a6615852178f2cd75eaca2ee8768f9ed51282b38 | be4a28d81ce41242ff31c6d8a6615852178f2cd75eaca2ee8768f9ed51282b38 | |||
| SERVER_HANDSHAKE_TRAFFIC_SECRET \ | SERVER_HANDSHAKE_TRAFFIC_SECRET \ | |||
| cf34899b3dcb8c9fe7160ceaf95d354a294793b67a2e49cb9cca4d69b43593a0 \ | cf34899b3dcb8c9fe7160ceaf95d354a294793b67a2e49cb9cca4d69b43593a0 \ | |||
| 258179721fa704e2f1ee16688b4b0419967ddea5624cd5ad0863288dc5ead35f | 258179721fa704e2f1ee16688b4b0419967ddea5624cd5ad0863288dc5ead35f | |||
| CLIENT_HANDSHAKE_TRAFFIC_SECRET \ | CLIENT_HANDSHAKE_TRAFFIC_SECRET \ | |||
| b2eb93b8ddab8c228993567947bca1e133736980c22754687874e3896f7d6d0a \ | b2eb93b8ddab8c228993567947bca1e133736980c22754687874e3896f7d6d0a \ | |||
| 59ec0981b211a743f22d5a46a1fc77a2b230e16ef0de6d4e418abfe90eff10bf | 59ec0981b211a743f22d5a46a1fc77a2b230e16ef0de6d4e418abfe90eff10bf | |||
| skipping to change at line 590 ¶ | skipping to change at line 587 ¶ | |||
| fb1120b91e48d402fac20faa33880e77bace82c85d6688df0aa99bf5084430e4 | fb1120b91e48d402fac20faa33880e77bace82c85d6688df0aa99bf5084430e4 | |||
| EXPORTER_SECRET \ | EXPORTER_SECRET \ | |||
| b2eb93b8ddab8c228993567947bca1e133736980c22754687874e3896f7d6d0a \ | b2eb93b8ddab8c228993567947bca1e133736980c22754687874e3896f7d6d0a \ | |||
| db1f4fa1a6942fb125d4cc47e02938b6f8030c6956bb81b9e3269f1cf855a8f8 | db1f4fa1a6942fb125d4cc47e02938b6f8030c6956bb81b9e3269f1cf855a8f8 | |||
| Note that secrets from the two connections might be interleaved as | Note that secrets from the two connections might be interleaved as | |||
| shown here, because secrets could be logged as they are generated. | shown here, because secrets could be logged as they are generated. | |||
| The following shows a log entry for a TLS 1.2 connection. | The following shows a log entry for a TLS 1.2 connection. | |||
| # NOTE: '\' line wrapping per RFC 8792 | ||||
| CLIENT_RANDOM \ | CLIENT_RANDOM \ | |||
| ad52329fcadd34ee3aa07092680287f09954823e26d7b5ae25c0d47714152a6a \ | ad52329fcadd34ee3aa07092680287f09954823e26d7b5ae25c0d47714152a6a \ | |||
| 97af4c8618cfdc0b2326e590114c2ec04b43b08b7e2c3f8124cc61a3b068ba966\ | 97af4c8618cfdc0b2326e590114c2ec04b43b08b7e2c3f8124cc61a3b068ba966\ | |||
| 9517e744e3117c3ce6c538a2d88dfdf | 9517e744e3117c3ce6c538a2d88dfdf | |||
| The following shows a log entry for a TLS 1.3 connection that | The following shows a log entry for a TLS 1.3 connection that | |||
| successfully negotiated ECH. | successfully negotiated ECH. | |||
| # NOTE: '\' line wrapping per RFC 8792 | ||||
| ECH_SECRET \ | ECH_SECRET \ | |||
| 0ba587ee6b65ce21a726630efb881206a7cd995611095b5f4c244bb2b23f1ee1 \ | 0ba587ee6b65ce21a726630efb881206a7cd995611095b5f4c244bb2b23f1ee1 \ | |||
| e8828ec09909cc9363179dc13b62498550c8637129345263011a1678370ca52a | e8828ec09909cc9363179dc13b62498550c8637129345263011a1678370ca52a | |||
| ECH_CONFIG \ | ECH_CONFIG \ | |||
| 0ba587ee6b65ce21a726630efb881206a7cd995611095b5f4c244bb2b23f1ee1 \ | 0ba587ee6b65ce21a726630efb881206a7cd995611095b5f4c244bb2b23f1ee1 \ | |||
| fe0d003c5500200020d5260ae4cdda08bcbdc37bd0dc53c29aea5f0fdd2b2d594\ | fe0d003c5500200020d5260ae4cdda08bcbdc37bd0dc53c29aea5f0fdd2b2d594\ | |||
| e4235e99b134ac904000400010001000d636f7665722e6465666f2e69650000 | e4235e99b134ac904000400010001000d636f7665722e6465666f2e69650000 | |||
| CLIENT_HANDSHAKE_TRAFFIC_SECRET \ | CLIENT_HANDSHAKE_TRAFFIC_SECRET \ | |||
| 8726180bb24718089a4c5c8c93e0ea1c6d6649d7dd3c978fc1413854a20e9647 \ | 8726180bb24718089a4c5c8c93e0ea1c6d6649d7dd3c978fc1413854a20e9647 \ | |||
| a195b63ec4270609692a204c08e63e74d9ae58e377d11a383bfe641a63c01140 | a195b63ec4270609692a204c08e63e74d9ae58e377d11a383bfe641a63c01140 | |||
| End of changes. 10 change blocks. | ||||
| 30 lines changed or deleted | 23 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||