<?xml version='1.0' encoding='utf-8'?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" version="3" ipr="trust200902" docName="draft-ietf-tls-keylogfile-05" number="9850" updates="" obsoletes="" xml:lang="en" category="info" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" prepTime="2026-07-15T22:48:03" indexInclude="true" scripts="Common,Latin" tocDepth="3">
  <link href="https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile-05" rel="prev"/>
  <link href="https://dx.doi.org/10.17487/rfc9850" rel="alternate"/>
  <link href="urn:issn:2070-1721" rel="alternate"/>
  <front>
    <title abbrev="SSLKEYLOGFILE">The SSLKEYLOGFILE Format for TLS</title>
    <seriesInfo name="RFC" value="9850" stream="IETF"/>
    <author fullname="Martin Thomson">
      <organization showOnFrontPage="true">Mozilla</organization>
      <address>
        <email>mt@lowentropy.net</email>
      </address>
    </author>
    <author fullname="Yaroslav Rosomakho">
      <organization showOnFrontPage="true">Zscaler</organization>
      <address>
        <email>yrosomakho@zscaler.com</email>
      </address>
    </author>
    <author fullname="Hannes Tschofenig">
      <organization abbrev="H-BRS" showOnFrontPage="true">University of Applied Sciences Bonn-Rhein-Sieg</organization>
      <address>
        <email>Hannes.Tschofenig@gmx.net</email>
      </address>
    </author>
    <date month="07" year="2026"/>
    <area>SEC</area>
    <workgroup>tls</workgroup>
    <keyword>network transparency</keyword>
    <keyword>tls</keyword>
    <keyword>blockchain</keyword>
    <abstract pn="section-abstract">
      <t indent="0" pn="section-abstract-1">This document describes a format that supports logging information about the secrets used in a TLS
connection.  Recording secrets to a file in SSLKEYLOGFILE format
allows diagnostic and logging tools that use this file to decrypt messages
exchanged by TLS endpoints.  This format is intended for use in systems where
TLS only protects test data.</t>
    </abstract>
    <boilerplate>
      <section anchor="status-of-memo" numbered="false" removeInRFC="false" toc="exclude" pn="section-boilerplate.1">
        <name slugifiedName="name-status-of-this-memo">Status of This Memo</name>
        <t indent="0" pn="section-boilerplate.1-1">
            This document is not an Internet Standards Track specification; it is
            published for informational purposes.  
        </t>
        <t indent="0" pn="section-boilerplate.1-2">
            This document is a product of the Internet Engineering Task Force
            (IETF).  It represents the consensus of the IETF community.  It has
            received public review and has been approved for publication by the
            Internet Engineering Steering Group (IESG).  Not all documents
            approved by the IESG are candidates for any level of Internet
            Standard; see Section 2 of RFC 7841. 
        </t>
        <t indent="0" pn="section-boilerplate.1-3">
            Information about the current status of this document, any
            errata, and how to provide feedback on it may be obtained at
            <eref target="https://www.rfc-editor.org/info/rfc9850" brackets="none"/>.
        </t>
      </section>
      <section anchor="copyright" numbered="false" removeInRFC="false" toc="exclude" pn="section-boilerplate.2">
        <name slugifiedName="name-copyright-notice">Copyright Notice</name>
        <t indent="0" pn="section-boilerplate.2-1">
            Copyright (c) 2026 IETF Trust and the persons identified as the
            document authors. All rights reserved.
        </t>
        <t indent="0" pn="section-boilerplate.2-2">
            This document is subject to BCP 78 and the IETF Trust's Legal
            Provisions Relating to IETF Documents
            (<eref target="https://trustee.ietf.org/license-info" brackets="none"/>) in effect on the date of
            publication of this document. Please review these documents
            carefully, as they describe your rights and restrictions with
            respect to this document. Code Components extracted from this
            document must include Revised BSD License text as described in
            Section 4.e of the Trust Legal Provisions and are provided without
            warranty as described in the Revised BSD License.
        </t>
      </section>
    </boilerplate>
    <toc>
      <section anchor="toc" numbered="false" removeInRFC="false" toc="exclude" pn="section-toc.1">
        <name slugifiedName="name-table-of-contents">Table of Contents</name>
        <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1">
          <li pn="section-toc.1-1.1">
            <t indent="0" keepWithNext="true" pn="section-toc.1-1.1.1"><xref derivedContent="1" format="counter" sectionFormat="of" target="section-1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-introduction">Introduction</xref></t>
            <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.1.2">
              <li pn="section-toc.1-1.1.2.1">
                <t indent="0" keepWithNext="true" pn="section-toc.1-1.1.2.1.1"><xref derivedContent="1.1" format="counter" sectionFormat="of" target="section-1.1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-applicability-statement">Applicability Statement</xref></t>
              </li>
              <li pn="section-toc.1-1.1.2.2">
                <t indent="0" keepWithNext="true" pn="section-toc.1-1.1.2.2.1"><xref derivedContent="1.2" format="counter" sectionFormat="of" target="section-1.2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-conventions">Conventions</xref></t>
              </li>
            </ul>
          </li>
          <li pn="section-toc.1-1.2">
            <t indent="0" pn="section-toc.1-1.2.1"><xref derivedContent="2" format="counter" sectionFormat="of" target="section-2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-the-sslkeylogfile-format">The SSLKEYLOGFILE Format</xref></t>
            <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.2.2">
              <li pn="section-toc.1-1.2.2.1">
                <t indent="0" pn="section-toc.1-1.2.2.1.1"><xref derivedContent="2.1" format="counter" sectionFormat="of" target="section-2.1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-secret-labels-for-tls-13">Secret Labels for TLS 1.3</xref></t>
              </li>
              <li pn="section-toc.1-1.2.2.2">
                <t indent="0" pn="section-toc.1-1.2.2.2.1"><xref derivedContent="2.2" format="counter" sectionFormat="of" target="section-2.2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-secret-labels-for-tls-12">Secret Labels for TLS 1.2</xref></t>
              </li>
              <li pn="section-toc.1-1.2.2.3">
                <t indent="0" pn="section-toc.1-1.2.2.3.1"><xref derivedContent="2.3" format="counter" sectionFormat="of" target="section-2.3"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-secret-labels-for-ech">Secret Labels for ECH</xref></t>
              </li>
            </ul>
          </li>
          <li pn="section-toc.1-1.3">
            <t indent="0" pn="section-toc.1-1.3.1"><xref derivedContent="3" format="counter" sectionFormat="of" target="section-3"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-security-considerations">Security Considerations</xref></t>
          </li>
          <li pn="section-toc.1-1.4">
            <t indent="0" pn="section-toc.1-1.4.1"><xref derivedContent="4" format="counter" sectionFormat="of" target="section-4"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-iana-considerations">IANA Considerations</xref></t>
            <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.4.2">
              <li pn="section-toc.1-1.4.2.1">
                <t indent="0" pn="section-toc.1-1.4.2.1.1"><xref derivedContent="4.1" format="counter" sectionFormat="of" target="section-4.1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-sslkeylogfile-media-type">SSLKEYLOGFILE Media Type</xref></t>
              </li>
              <li pn="section-toc.1-1.4.2.2">
                <t indent="0" pn="section-toc.1-1.4.2.2.1"><xref derivedContent="4.2" format="counter" sectionFormat="of" target="section-4.2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-tls-sslkeylogfile-labels-re">TLS SSLKEYLOGFILE Labels Registry</xref></t>
              </li>
            </ul>
          </li>
          <li pn="section-toc.1-1.5">
            <t indent="0" pn="section-toc.1-1.5.1"><xref derivedContent="5" format="counter" sectionFormat="of" target="section-5"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-references">References</xref></t>
            <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.5.2">
              <li pn="section-toc.1-1.5.2.1">
                <t indent="0" pn="section-toc.1-1.5.2.1.1"><xref derivedContent="5.1" format="counter" sectionFormat="of" target="section-5.1"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-normative-references">Normative References</xref></t>
              </li>
              <li pn="section-toc.1-1.5.2.2">
                <t indent="0" pn="section-toc.1-1.5.2.2.1"><xref derivedContent="5.2" format="counter" sectionFormat="of" target="section-5.2"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-informative-references">Informative References</xref></t>
              </li>
            </ul>
          </li>
          <li pn="section-toc.1-1.6">
            <t indent="0" pn="section-toc.1-1.6.1"><xref derivedContent="Appendix A" format="default" sectionFormat="of" target="section-appendix.a"/>.  <xref derivedContent="" format="title" sectionFormat="of" target="name-example">Example</xref></t>
          </li>
          <li pn="section-toc.1-1.7">
            <t indent="0" pn="section-toc.1-1.7.1"><xref derivedContent="" format="none" sectionFormat="of" target="section-appendix.b"/><xref derivedContent="" format="title" sectionFormat="of" target="name-acknowledgments">Acknowledgments</xref></t>
          </li>
          <li pn="section-toc.1-1.8">
            <t indent="0" pn="section-toc.1-1.8.1"><xref derivedContent="" format="none" sectionFormat="of" target="section-appendix.c"/><xref derivedContent="" format="title" sectionFormat="of" target="name-authors-addresses">Authors' Addresses</xref></t>
          </li>
        </ul>
      </section>
    </toc>
  </front>
  <middle>
    <section anchor="introduction" numbered="true" removeInRFC="false" toc="include" pn="section-1">
      <name slugifiedName="name-introduction">Introduction</name>
      <t indent="0" pn="section-1-1">Debugging or analyzing protocols can be challenging when TLS <xref target="RFC9846" format="default" sectionFormat="of" derivedContent="TLS13"/> is used
to protect the content of communications.  Inspecting the content of encrypted
messages in diagnostic tools can enable more thorough analysis.</t>
      <t indent="0" pn="section-1-2">Over time, multiple TLS implementations have informally adopted a file format
for logging the secret values generated by the TLS key schedule.  In many
implementations, the file that the secrets are logged to is specified in an
environment variable named "SSLKEYLOGFILE", hence the name of SSLKEYLOGFILE
format.  Note the use of "SSL" as this convention originally predates the
adoption of TLS as the name of the protocol.</t>
      <t indent="0" pn="section-1-3">This document describes the SSLKEYLOGFILE format.  This format can be used for
TLS 1.2 <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="TLS12"/> and TLS 1.3 <xref target="RFC9846" format="default" sectionFormat="of" derivedContent="TLS13"/>.  The format also
supports earlier TLS versions, though use of earlier versions is strongly discouraged
<xref target="RFC8996" format="default" sectionFormat="of" derivedContent="RFC8996"/> <xref target="RFC9325" format="default" sectionFormat="of" derivedContent="RFC9325"/>.  This format can also be used with DTLS <xref target="RFC9147" format="default" sectionFormat="of" derivedContent="DTLS13"/>, QUIC
<xref target="RFC9000" format="default" sectionFormat="of" derivedContent="RFC9000"/> <xref target="RFC9001" format="default" sectionFormat="of" derivedContent="RFC9001"/>, and other protocols that use the TLS key
schedule.  Use of this format could complement other protocol-specific logging
such as qlog <xref target="I-D.ietf-quic-qlog-main-schema" format="default" sectionFormat="of" derivedContent="QLOG"/>.</t>
      <t indent="0" pn="section-1-4">This document also defines labels that can be used to log information
about exchanges that use Encrypted Client Hello (ECH) <xref target="RFC9849" format="default" sectionFormat="of" derivedContent="ECH"/>.</t>
      <section anchor="applicability-statement" numbered="true" removeInRFC="false" toc="include" pn="section-1.1">
        <name slugifiedName="name-applicability-statement">Applicability Statement</name>
        <t indent="0" pn="section-1.1-1">The artifact that this document describes -- if made available to entities other
than endpoints -- completely undermines the core guarantees that TLS provides.
This format is intended for use in systems where TLS only protects test data.
While the access that this information provides to TLS connections can be useful
for diagnosing problems while developing systems, this mechanism <bcp14>MUST NOT</bcp14> be
used in a production system.  For software that is compiled, use of conditional
compilation is the best way to ensure that deployed binaries cannot be
configured to enable key logging.</t>
        <t indent="0" pn="section-1.1-2"><xref target="security" format="default" sectionFormat="of" derivedContent="Section 3"/> addresses a number of additional concerns that arise from the use
of key logging.</t>
      </section>
      <section anchor="conventions-and-definitions" numbered="true" removeInRFC="false" toc="include" pn="section-1.2">
        <name slugifiedName="name-conventions">Conventions</name>
        <t indent="0" pn="section-1.2-1">
    The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
    "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>",
    "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
    "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are
    to be interpreted as described in BCP 14 <xref target="RFC2119" format="default" sectionFormat="of" derivedContent="RFC2119"/>
          <xref target="RFC8174" format="default" sectionFormat="of" derivedContent="RFC8174"/> when, and only when, they appear in all capitals,
    as shown here. 
</t>
      </section>
    </section>
    <section anchor="the-sslkeylogfile-format" numbered="true" removeInRFC="false" toc="include" pn="section-2">
      <name slugifiedName="name-the-sslkeylogfile-format">The SSLKEYLOGFILE Format</name>
      <t indent="0" pn="section-2-1">A file in SSLKEYLOGFILE format is a text file.  This document specifies the
character encoding as UTF-8 <xref target="RFC3629" format="default" sectionFormat="of" derivedContent="RFC3629"/>.  Though the format itself only
includes ASCII characters <xref target="RFC0020" format="default" sectionFormat="of" derivedContent="RFC0020"/>, comments <bcp14>MAY</bcp14> contain other characters.
Though Unicode is permitted in comments, the file <bcp14>MUST NOT</bcp14> contain a Unicode
byte order mark (U+FEFF).</t>
      <t indent="0" pn="section-2-2">Lines are terminated using the line-ending convention of the platform on which
the file is generated.  Tools that process these files <bcp14>MUST</bcp14> accept CRLF (U+13
followed by U+10), CR (U+13), or LF (U+10) as a line terminator.  Lines are
ignored if they are empty or if the first character is an octothorpe character
('#', U+23).  Other lines of the file each contain a single secret.</t>
      <t indent="0" pn="section-2-3">Implementations that record secrets to a file do so continuously as those
secrets are generated.</t>
      <t indent="0" pn="section-2-4">Each secret is described using a single line composed of three values that are
      separated by a single space character (U+20).  These values are:</t>
      <dl spacing="normal" newline="true" indent="3" pn="section-2-5">
        <dt pn="section-2-5.1"><tt>label</tt>:</dt>
        <dd pn="section-2-5.2">
          <t indent="0" pn="section-2-5.2.1">The <tt>label</tt> identifies the type of secret that is being conveyed; see Sections <xref target="labels" format="counter" sectionFormat="of" derivedContent="2.1"/>, <xref target="secret-labels-for-tls-12" format="counter" sectionFormat="of" derivedContent="2.2"/>, and <xref target="secret-labels-for-ech" format="counter" sectionFormat="of" derivedContent="2.3"/>
for descriptions of the labels that are defined in this document.</t>
        </dd>
        <dt pn="section-2-5.3"><tt>client_random</tt>:</dt>
        <dd pn="section-2-5.4">
          <t indent="0" pn="section-2-5.4.1">The 32-byte value of the Random field from the ClientHello message that
established the TLS connection.  This value is encoded as 64 hexadecimal
characters.  In a log that can include secrets from multiple connections, this
field can be used to identify a connection.</t>
        </dd>
        <dt pn="section-2-5.5"><tt>secret</tt>:</dt>
        <dd pn="section-2-5.6">
          <t indent="0" pn="section-2-5.6.1">The value of the identified secret for the identified connection.  This value
is encoded in hexadecimal, with a length that depends on the size of the
secret.</t>
        </dd>
      </dl>
      <t indent="0" pn="section-2-6">For the hexadecimal values of <tt>client_random</tt> or <tt>secret</tt>, no convention
exists for the case of characters "a" through "f" (or "A" through "F").  Files
can be generated with either, so either form <bcp14>MUST</bcp14> be accepted when processing a
file.</t>
      <t indent="0" pn="section-2-7">Diagnostic tools that accept files in this format might choose to ignore lines
that do not conform to this format in the interest of ensuring that secrets can
be obtained from corrupted files.</t>
      <t indent="0" pn="section-2-8">Logged secret values are not annotated with the cipher suite or other connection
parameters.  Therefore, a record of the TLS handshake might be needed to use the
logged secrets.</t>
      <section anchor="labels" numbered="true" removeInRFC="false" toc="include" pn="section-2.1">
        <name slugifiedName="name-secret-labels-for-tls-13">Secret Labels for TLS 1.3</name>
        <t indent="0" pn="section-2.1-1">An implementation of TLS 1.3 produces a number of values as part of the key
schedule (see <xref section="7.1" sectionFormat="of" target="RFC9846" format="default" derivedLink="https://rfc-editor.org/rfc/rfc9846#section-7.1" derivedContent="TLS13"/>). If ECH was successfully negotiated for a
given connection, these labels <bcp14>MUST</bcp14> be followed by the value of the Random field from the Inner ClientHello.
Otherwise, the Random field from the Outer ClientHello <bcp14>MUST</bcp14> be used.</t>
        <t indent="0" pn="section-2.1-2">Each of the following labels correspond to the equivalent secret produced by the key schedule:</t>
        <dl spacing="normal" newline="true" indent="3" pn="section-2.1-3">
          <dt pn="section-2.1-3.1">CLIENT_EARLY_TRAFFIC_SECRET:</dt>
          <dd pn="section-2.1-3.2">
            <t indent="0" pn="section-2.1-3.2.1">This secret is used to protect records sent by the client as early data, if
early data is attempted by the client.  Note that a server that rejects early
data will not log this secret, though a client that attempts early data can do
so unconditionally.</t>
          </dd>
          <dt pn="section-2.1-3.3">EARLY_EXPORTER_SECRET:</dt>
          <dd pn="section-2.1-3.4">
            <t indent="0" pn="section-2.1-3.4.1">This secret is used for early exporters.  Like
CLIENT_EARLY_TRAFFIC_SECRET, this is only generated when early data is
attempted and might not be logged by a server if early data is rejected.</t>
          </dd>
          <dt pn="section-2.1-3.5">CLIENT_HANDSHAKE_TRAFFIC_SECRET:</dt>
          <dd pn="section-2.1-3.6">
            <t indent="0" pn="section-2.1-3.6.1">This secret is used to protect handshake records sent by the client.</t>
          </dd>
          <dt pn="section-2.1-3.7">SERVER_HANDSHAKE_TRAFFIC_SECRET:</dt>
          <dd pn="section-2.1-3.8">
            <t indent="0" pn="section-2.1-3.8.1">This secret is used to protect handshake records sent by the server.</t>
          </dd>
          <dt pn="section-2.1-3.9">CLIENT_TRAFFIC_SECRET_0:</dt>
          <dd pn="section-2.1-3.10">
            <t indent="0" pn="section-2.1-3.10.1">This secret is used to protect application_data records sent by the client
immediately after the handshake completes.  This secret is identified as
<tt>client_application_traffic_secret_0</tt> in the TLS 1.3 key schedule.</t>
          </dd>
          <dt pn="section-2.1-3.11">SERVER_TRAFFIC_SECRET_0:</dt>
          <dd pn="section-2.1-3.12">
            <t indent="0" pn="section-2.1-3.12.1">This secret is used to protect application_data records sent by the server
immediately after the handshake completes.  This secret is identified as
<tt>server_application_traffic_secret_0</tt> in the TLS 1.3 key schedule.</t>
          </dd>
          <dt pn="section-2.1-3.13">EXPORTER_SECRET:</dt>
          <dd pn="section-2.1-3.14">
            <t indent="0" pn="section-2.1-3.14.1">This secret is used in generating exporters (<xref section="7.5" sectionFormat="of" target="RFC9846" format="default" derivedLink="https://rfc-editor.org/rfc/rfc9846#section-7.5" derivedContent="TLS13"/>).</t>
          </dd>
        </dl>
        <t indent="0" pn="section-2.1-4">These labels all appear in uppercase in the key log, but they correspond to
lowercase labels in the TLS key schedule (<xref section="7.1" sectionFormat="of" target="RFC9846" format="default" derivedLink="https://rfc-editor.org/rfc/rfc9846#section-7.1" derivedContent="TLS13"/>), except for
the application data secrets as noted.  For example, "EXPORTER_SECRET" in the
log file corresponds to the secret named <tt>exporter_secret</tt>.</t>
        <t indent="0" pn="section-2.1-5">Note that the order that labels appear here corresponds to the order in which
they are presented in <xref target="RFC9846" format="default" sectionFormat="of" derivedContent="TLS13"/>, but there is no guarantee that implementations
will log secrets strictly in this order.</t>
      </section>
      <section anchor="secret-labels-for-tls-12" numbered="true" removeInRFC="false" toc="include" pn="section-2.2">
        <name slugifiedName="name-secret-labels-for-tls-12">Secret Labels for TLS 1.2</name>
        <t indent="0" pn="section-2.2-1">Implementations of TLS 1.2 <xref target="RFC5246" format="default" sectionFormat="of" derivedContent="TLS12"/> (and also earlier versions) use the
label "CLIENT_RANDOM" to identify the "master" secret for the connection.</t>
      </section>
      <section anchor="secret-labels-for-ech" numbered="true" removeInRFC="false" toc="include" pn="section-2.3">
        <name slugifiedName="name-secret-labels-for-ech">Secret Labels for ECH</name>
        <t indent="0" pn="section-2.3-1">With ECH <xref target="RFC9849" format="default" sectionFormat="of" derivedContent="ECH"/>, additional secrets are derived
during the handshake to encrypt the Inner ClientHello message using Hybrid Public
Key Encryption (HPKE) <xref target="RFC9180" format="default" sectionFormat="of" derivedContent="HPKE"/>. A client can log the ECH labels described below
if it offered ECH, regardless of server acceptance. The server can log the labels only if it
successfully decrypted the ECH offered by the client, though it could choose to do so
only when it accepts ECH.</t>
        <t indent="0" pn="section-2.3-2">These labels <bcp14>MUST</bcp14> always use the Random from the Outer ClientHello.</t>
        <dl spacing="normal" newline="true" indent="3" pn="section-2.3-3">
          <dt pn="section-2.3-3.1">ECH_SECRET:</dt>
          <dd pn="section-2.3-3.2">
            <t indent="0" pn="section-2.3-3.2.1">This label corresponds to the Key Encapsulation Mechanism (KEM) shared secret used by HPKE
(<tt>shared_secret</tt> in the algorithms in <xref section="5.1.1" sectionFormat="of" target="RFC9180" format="default" derivedLink="https://rfc-editor.org/rfc/rfc9180#section-5.1.1" derivedContent="HPKE"/>).
The length of the secret is defined by the KEM negotiated for use with ECH.</t>
          </dd>
          <dt pn="section-2.3-3.3">ECH_CONFIG:</dt>
          <dd pn="section-2.3-3.4">
            <t indent="0" pn="section-2.3-3.4.1">The ECHConfig used to construct the ECH extension. The value is logged
in hexadecimal representation.</t>
          </dd>
        </dl>
      </section>
    </section>
    <section anchor="security" numbered="true" removeInRFC="false" toc="include" pn="section-3">
      <name slugifiedName="name-security-considerations">Security Considerations</name>
      <t indent="0" pn="section-3-1">Access to the content of a file in SSLKEYLOGFILE format allows an attacker to
break the confidentiality and integrity protection on any TLS connections that
are included in the file.  This includes both active connections and connections
for which encrypted records were previously stored.  Therefore, ensuring adequate access
control on these files becomes very important.</t>
      <t indent="0" pn="section-3-2">Implementations that support logging this data need to ensure that logging can
only be enabled by those who are authorized.  Allowing logging to be initiated
by any entity that is not otherwise authorized to observe or modify the content
of connections for which secrets are logged could represent a privilege
escalation attack.  Implementations that enable logging also need to ensure that
access to logged secrets is limited, using appropriate file permissions or
equivalent access control mechanisms.</t>
      <t indent="0" pn="section-3-3">In order to support decryption, the secrets necessary to remove record
protection are logged.  However, as the keys that can be derived from these
secrets are symmetric, an adversary with access to these secrets is also able to
encrypt data for an active connection.  This might allow for injection or
modification of application data on a connection that would otherwise be
      protected by TLS.</t>
      <t indent="0" pn="section-3-4">As some protocols rely on TLS for generating encryption keys, the SSLKEYLOGFILE
format includes keys that identify the secret used in TLS exporters or early
exporters (<xref section="7.5" sectionFormat="of" target="RFC9846" format="default" derivedLink="https://rfc-editor.org/rfc/rfc9846#section-7.5" derivedContent="TLS13"/>).  Knowledge of these secrets can enable
more than inspection or modification of encrypted data, depending on how an
application protocol uses exporters.  For instance, exporters might be used for
session bindings (e.g., <xref target="RFC8471" format="default" sectionFormat="of" derivedContent="RFC8471"/>), authentication (e.g., <xref target="RFC9261" format="default" sectionFormat="of" derivedContent="RFC9261"/>), or
other derived secrets that are used in application context.  An adversary that
obtains these secrets might be able to use this information to attack these
applications.  A TLS implementation might either choose to omit these secrets in
contexts where the information might be abused or require separate
authorization to enable logging of exporter secrets.</t>
      <t indent="0" pn="section-3-5">Using an environment variable, such as <tt>SSLKEYLOGFILE</tt>, to enable logging
implies that access to the launch context for the application is needed to
authorize logging.  On systems that support specially named files, logs might be
directed to these names so that logging does not result in storage but enables
consumption by other programs.  In both cases, applications might require
special authorization or might rely on system-level access control to limit
      access to these capabilities.</t>
      <t indent="0" pn="section-3-6">Forward secrecy guarantees provided in TLS 1.3 (see Section <xref target="RFC9846" section="1.3" sectionFormat="bare" format="default" derivedLink="https://rfc-editor.org/rfc/rfc9846#section-1.3" derivedContent="TLS13"/> and Appendix <xref target="RFC9846" section="F.1" sectionFormat="bare" format="default" derivedLink="https://rfc-editor.org/rfc/rfc9846#appendix-F.1" derivedContent="TLS13"/> of <xref target="RFC9846" format="default" sectionFormat="of" derivedContent="TLS13"/>) and some modes of TLS 1.2 (such as those in Sections <xref target="RFC8422" section="2.1" sectionFormat="bare" format="default" derivedLink="https://rfc-editor.org/rfc/rfc8422#section-2.1" derivedContent="RFC8422"/> and <xref target="RFC8422" section="2.2" sectionFormat="bare" format="default" derivedLink="https://rfc-editor.org/rfc/rfc8422#section-2.2" derivedContent="RFC8422"/> of <xref target="RFC8422" format="default" sectionFormat="of" derivedContent="RFC8422"/>) do not hold if key material is recorded.  Access to key
material allows an attacker to decrypt data exchanged in any previously logged TLS
connections.</t>
      <t indent="0" pn="section-3-7">Logging the TLS 1.2 "master" secret provides the recipient of that secret far
greater access to an active connection than TLS 1.3 secrets provide.  In addition to
reading and altering protected messages, the TLS 1.2 "master" secret confers the
ability to resume the connection and impersonate either endpoint, insert records
that result in renegotiation, and forge Finished messages.  Implementations can
avoid the risks associated with these capabilities by not logging this secret
value.</t>
      <t indent="0" pn="section-3-8">Access to the ECH_SECRET record in SSLKEYLOGFILE allows the attacker to decrypt
the ECH extension and thereby reveal the content of the Inner ClientHello message,
including the payload of the Server Name Indication (SNI) extension.</t>
      <t indent="0" pn="section-3-9">Access to the HPKE-established shared secret used in ECH introduces a potential
attack surface against the HPKE library since access to this keying material
is normally not available otherwise.</t>
    </section>
    <section anchor="iana-considerations" numbered="true" removeInRFC="false" toc="include" pn="section-4">
      <name slugifiedName="name-iana-considerations">IANA Considerations</name>
      <t indent="0" pn="section-4-1">This document registers a media type (<xref target="iana-media" format="default" sectionFormat="of" derivedContent="Section 4.1"/>)
and creates a registry for labels (<xref target="iana-labels-registry" format="default" sectionFormat="of" derivedContent="Section 4.2"/>).</t>
      <section anchor="iana-media" numbered="true" removeInRFC="false" toc="include" pn="section-4.1">
        <name slugifiedName="name-sslkeylogfile-media-type">SSLKEYLOGFILE Media Type</name>
        <t indent="0" pn="section-4.1-1">The "<tt>application/sslkeylogfile</tt>" media type can be used to describe content in
the SSLKEYLOGFILE format.  IANA has added the following
information to the "Media Types" registry at
<eref brackets="angle" target="https://www.iana.org/assignments/media-types"/>:</t>
        <dl spacing="normal" newline="false" indent="3" pn="section-4.1-2">
          <dt pn="section-4.1-2.1">Type name:</dt>
          <dd pn="section-4.1-2.2">application</dd>
          <dt pn="section-4.1-2.3">Subtype name:</dt>
          <dd pn="section-4.1-2.4">sslkeylogfile</dd>
          <dt pn="section-4.1-2.5">Required parameters:</dt>
          <dd pn="section-4.1-2.6">N/A</dd>
          <dt pn="section-4.1-2.7">Optional parameters:</dt>
          <dd pn="section-4.1-2.8">N/A</dd>
          <dt pn="section-4.1-2.9">Encoding considerations:</dt>
          <dd pn="section-4.1-2.10">UTF-8 without BOM, or ASCII only</dd>
          <dt pn="section-4.1-2.11">Security considerations:</dt>
          <dd pn="section-4.1-2.12">See <xref target="security" format="default" sectionFormat="of" derivedContent="Section 3"/>.</dd>
          <dt pn="section-4.1-2.13">Interoperability considerations:</dt>
          <dd pn="section-4.1-2.14">Line endings might differ from platform convention.</dd>
          <dt pn="section-4.1-2.15">Published specification:</dt>
          <dd pn="section-4.1-2.16">RFC 9850</dd>
          <dt pn="section-4.1-2.17">Applications that use this media type:</dt>
          <dd pn="section-4.1-2.18">Diagnostic and
          analysis tools that need to decrypt data that is otherwise protected
          by TLS.</dd>
          <dt pn="section-4.1-2.19">Fragment identifier considerations:</dt>
          <dd pn="section-4.1-2.20">N/A</dd>
          <dt pn="section-4.1-2.21">Additional information:</dt>
          <dd pn="section-4.1-2.22">
            <t indent="0" pn="section-4.1-2.22.1"><br/></t>
            <dl spacing="compact" indent="3" newline="false" pn="section-4.1-2.22.2">
              <dt pn="section-4.1-2.22.2.1">Deprecated alias names for this type:</dt>
              <dd pn="section-4.1-2.22.2.2">N/A</dd>
              <dt pn="section-4.1-2.22.2.3">Magic number(s):</dt>
              <dd pn="section-4.1-2.22.2.4">N/A</dd>
              <dt pn="section-4.1-2.22.2.5">File extension(s):</dt>
              <dd pn="section-4.1-2.22.2.6">N/A</dd>
              <dt pn="section-4.1-2.22.2.7">Macintosh file type code(s):</dt>
              <dd pn="section-4.1-2.22.2.8">N/A</dd>
            </dl>
          </dd>
          <dt pn="section-4.1-2.23">Person &amp; email address to contact for further information:</dt>
          <dd pn="section-4.1-2.24">
            <br/>TLS WG (tls@ietf.org)</dd>
          <dt pn="section-4.1-2.25">Intended usage:</dt>
          <dd pn="section-4.1-2.26">COMMON</dd>
          <dt pn="section-4.1-2.27">Restrictions on usage:</dt>
          <dd pn="section-4.1-2.28">N/A</dd>
          <dt pn="section-4.1-2.29">Author:</dt>
          <dd pn="section-4.1-2.30">IETF TLS Working Group</dd>
          <dt pn="section-4.1-2.31">Change controller:</dt>
          <dd pn="section-4.1-2.32">IETF</dd>
        </dl>
      </section>
      <section anchor="iana-labels-registry" numbered="true" removeInRFC="false" toc="include" pn="section-4.2">
        <name slugifiedName="name-tls-sslkeylogfile-labels-re">TLS SSLKEYLOGFILE Labels Registry</name>
        <t indent="0" pn="section-4.2-1">IANA has created a new registry named "TLS SSLKEYLOGFILE Labels" within the
existing "Transport Layer Security (TLS) Parameters" registry group.
This new registry reserves labels used for SSLKEYLOGFILE entries.
The initial contents of this registry are as follows:</t>
        <table align="center" pn="table-1">
          <thead>
            <tr>
              <th align="left" colspan="1" rowspan="1">Value</th>
              <th align="left" colspan="1" rowspan="1">Description</th>
              <th align="left" colspan="1" rowspan="1">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left" colspan="1" rowspan="1">CLIENT_RANDOM</td>
              <td align="left" colspan="1" rowspan="1">Master secret in TLS 1.2 and earlier</td>
              <td align="left" colspan="1" rowspan="1">RFC 9850</td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">CLIENT_EARLY_TRAFFIC_SECRET</td>
              <td align="left" colspan="1" rowspan="1">Secret for client early data records</td>
              <td align="left" colspan="1" rowspan="1">RFC 9850</td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">EARLY_EXPORTER_SECRET</td>
              <td align="left" colspan="1" rowspan="1">Early exporter secret</td>
              <td align="left" colspan="1" rowspan="1">RFC 9850</td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">CLIENT_HANDSHAKE_TRAFFIC_SECRET</td>
              <td align="left" colspan="1" rowspan="1">Secret protecting client handshake</td>
              <td align="left" colspan="1" rowspan="1">RFC 9850</td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">SERVER_HANDSHAKE_TRAFFIC_SECRET</td>
              <td align="left" colspan="1" rowspan="1">Secret protecting server handshake</td>
              <td align="left" colspan="1" rowspan="1">RFC 9850</td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">CLIENT_TRAFFIC_SECRET_0</td>
              <td align="left" colspan="1" rowspan="1">Secret protecting client records post handshake</td>
              <td align="left" colspan="1" rowspan="1">RFC 9850</td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">SERVER_TRAFFIC_SECRET_0</td>
              <td align="left" colspan="1" rowspan="1">Secret protecting server records post handshake</td>
              <td align="left" colspan="1" rowspan="1">RFC 9850</td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">EXPORTER_SECRET</td>
              <td align="left" colspan="1" rowspan="1">Exporter secret after handshake</td>
              <td align="left" colspan="1" rowspan="1">RFC 9850</td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">ECH_SECRET</td>
              <td align="left" colspan="1" rowspan="1">HPKE KEM shared secret used in the ECH</td>
              <td align="left" colspan="1" rowspan="1">RFC 9850</td>
            </tr>
            <tr>
              <td align="left" colspan="1" rowspan="1">ECH_CONFIG</td>
              <td align="left" colspan="1" rowspan="1">ECHConfig used for construction of the ECH</td>
              <td align="left" colspan="1" rowspan="1">RFC 9850</td>
            </tr>
          </tbody>
        </table>
        <t indent="0" pn="section-4.2-3">New assignments in the "TLS SSLKEYLOGFILE Labels" registry will be administered by IANA through
the Specification Required procedure <xref target="RFC8126" format="default" sectionFormat="of" derivedContent="RFC8126"/>. The role of designated experts for TLS registries is described
in <xref section="17" sectionFormat="of" target="RFC8447" format="default" derivedLink="https://rfc-editor.org/rfc/rfc8447#section-17" derivedContent="RFC8447"/>. Designated experts for this registry are advised to ensure that the specification is
publicly available.  In the Reference column, it is sufficient to cite an Internet-Draft (that is posted but not published
as an RFC) or a document from another standards body, an industry consortium, or any other organization.
Designated experts may provide more in-depth reviews, but their approval should not be taken as an endorsement
of the SSLKEYLOGFILE label.</t>
      </section>
    </section>
  </middle>
  <back>
    <displayreference target="RFC5246" to="TLS12"/>
    <displayreference target="RFC9147" to="DTLS13"/>
    <displayreference target="RFC9180" to="HPKE"/>
    <displayreference target="RFC9846" to="TLS13"/>
    <displayreference target="RFC9849" to="ECH"/>
    <displayreference target="I-D.ietf-quic-qlog-main-schema" to="QLOG"/>
    <references anchor="sec-combined-references" pn="section-5">
      <name slugifiedName="name-references">References</name>
      <references anchor="sec-normative-references" pn="section-5.1">
        <name slugifiedName="name-normative-references">Normative References</name>
        <reference anchor="RFC9849" target="https://www.rfc-editor.org/info/rfc9849" quoteTitle="true" derivedAnchor="ECH">
          <front>
            <title>TLS Encrypted Client Hello</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="K. Oku" initials="K." surname="Oku"/>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="March" year="2026"/>
            <abstract>
              <t indent="0">This document describes a mechanism in Transport Layer Security (TLS) for encrypting a message under a server public key.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9849"/>
          <seriesInfo name="DOI" value="10.17487/RFC9849"/>
        </reference>
        <reference anchor="RFC9180" target="https://www.rfc-editor.org/info/rfc9180" quoteTitle="true" derivedAnchor="HPKE">
          <front>
            <title>Hybrid Public Key Encryption</title>
            <author fullname="R. Barnes" initials="R." surname="Barnes"/>
            <author fullname="K. Bhargavan" initials="K." surname="Bhargavan"/>
            <author fullname="B. Lipp" initials="B." surname="Lipp"/>
            <author fullname="C. Wood" initials="C." surname="Wood"/>
            <date month="February" year="2022"/>
            <abstract>
              <t indent="0">This document describes a scheme for hybrid public key encryption (HPKE). This scheme provides a variant of public key encryption of arbitrary-sized plaintexts for a recipient public key. It also includes three authenticated variants, including one that authenticates possession of a pre-shared key and two optional ones that authenticate possession of a key encapsulation mechanism (KEM) private key. HPKE works for any combination of an asymmetric KEM, key derivation function (KDF), and authenticated encryption with additional data (AEAD) encryption function. Some authenticated variants may not be supported by all KEMs. We provide instantiations of the scheme using widely used and efficient primitives, such as Elliptic Curve Diffie-Hellman (ECDH) key agreement, HMAC-based key derivation function (HKDF), and SHA2.</t>
              <t indent="0">This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9180"/>
          <seriesInfo name="DOI" value="10.17487/RFC9180"/>
        </reference>
        <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" quoteTitle="true" derivedAnchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t indent="0">In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC3629" target="https://www.rfc-editor.org/info/rfc3629" quoteTitle="true" derivedAnchor="RFC3629">
          <front>
            <title>UTF-8, a transformation format of ISO 10646</title>
            <author fullname="F. Yergeau" initials="F." surname="Yergeau"/>
            <date month="November" year="2003"/>
            <abstract>
              <t indent="0">ISO/IEC 10646-1 defines a large character set called the Universal Character Set (UCS) which encompasses most of the world's writing systems. The originally proposed encodings of the UCS, however, were not compatible with many current applications and protocols, and this has led to the development of UTF-8, the object of this memo. UTF-8 has the characteristic of preserving the full US-ASCII range, providing compatibility with file systems, parsers and other software that rely on US-ASCII values but are transparent to other values. This memo obsoletes and replaces RFC 2279.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="63"/>
          <seriesInfo name="RFC" value="3629"/>
          <seriesInfo name="DOI" value="10.17487/RFC3629"/>
        </reference>
        <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" quoteTitle="true" derivedAnchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t indent="0">RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC5246" target="https://www.rfc-editor.org/info/rfc5246" quoteTitle="true" derivedAnchor="TLS12">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.2</title>
            <author fullname="T. Dierks" initials="T." surname="Dierks"/>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2008"/>
            <abstract>
              <t indent="0">This document specifies Version 1.2 of the Transport Layer Security (TLS) protocol. The TLS protocol provides communications security over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5246"/>
          <seriesInfo name="DOI" value="10.17487/RFC5246"/>
        </reference>
        <reference anchor="RFC9846" target="https://www.rfc-editor.org/info/rfc9846" quoteTitle="true" derivedAnchor="TLS13">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author initials="E." surname="Rescorla" fullname="Eric Rescorla">
              <organization showOnFrontPage="true">Independent</organization>
            </author>
            <date month="July" year="2026"/>
          </front>
          <seriesInfo name="RFC" value="9846"/>
          <seriesInfo name="DOI" value="10.17487/RFC9846"/>
        </reference>
      </references>
      <references anchor="sec-informative-references" pn="section-5.2">
        <name slugifiedName="name-informative-references">Informative References</name>
        <reference anchor="RFC9147" target="https://www.rfc-editor.org/info/rfc9147" quoteTitle="true" derivedAnchor="DTLS13">
          <front>
            <title>The Datagram Transport Layer Security (DTLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="N. Modadugu" initials="N." surname="Modadugu"/>
            <date month="April" year="2022"/>
            <abstract>
              <t indent="0">This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t indent="0">The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol.</t>
              <t indent="0">This document obsoletes RFC 6347.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9147"/>
          <seriesInfo name="DOI" value="10.17487/RFC9147"/>
        </reference>
        <reference anchor="I-D.ietf-quic-qlog-main-schema" target="https://datatracker.ietf.org/doc/html/draft-ietf-quic-qlog-main-schema-14" quoteTitle="true" derivedAnchor="QLOG">
          <front>
            <title>qlog: Structured Logging for Network Protocols</title>
            <author initials="R." surname="Marx" fullname="Robin Marx" role="editor">
              <organization showOnFrontPage="true">Akamai</organization>
            </author>
            <author initials="L." surname="Niccolini" fullname="Luca Niccolini" role="editor">
              <organization showOnFrontPage="true">Meta</organization>
            </author>
            <author initials="M." surname="Seemann" fullname="Marten Seemann" role="editor"> </author>
            <author initials="L." surname="Pardue" fullname="Lucas Pardue" role="editor">
              <organization showOnFrontPage="true">Cloudflare</organization>
            </author>
            <date month="July" day="6" year="2026"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-quic-qlog-main-schema-14"/>
          <refcontent>Work in Progress</refcontent>
        </reference>
        <reference anchor="RFC0020" target="https://www.rfc-editor.org/info/rfc20" quoteTitle="true" derivedAnchor="RFC0020">
          <front>
            <title>ASCII format for network interchange</title>
            <author fullname="V.G. Cerf" initials="V.G." surname="Cerf"/>
            <date month="October" year="1969"/>
          </front>
          <seriesInfo name="STD" value="80"/>
          <seriesInfo name="RFC" value="20"/>
          <seriesInfo name="DOI" value="10.17487/RFC20"/>
        </reference>
        <reference anchor="RFC8126" target="https://www.rfc-editor.org/info/rfc8126" quoteTitle="true" derivedAnchor="RFC8126">
          <front>
            <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
            <author fullname="M. Cotton" initials="M." surname="Cotton"/>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <author fullname="T. Narten" initials="T." surname="Narten"/>
            <date month="June" year="2017"/>
            <abstract>
              <t indent="0">Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
              <t indent="0">To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
              <t indent="0">This is the third edition of this document; it obsoletes RFC 5226.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="26"/>
          <seriesInfo name="RFC" value="8126"/>
          <seriesInfo name="DOI" value="10.17487/RFC8126"/>
        </reference>
        <reference anchor="RFC8422" target="https://www.rfc-editor.org/info/rfc8422" quoteTitle="true" derivedAnchor="RFC8422">
          <front>
            <title>Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier</title>
            <author fullname="Y. Nir" initials="Y." surname="Nir"/>
            <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
            <author fullname="M. Pegourie-Gonnard" initials="M." surname="Pegourie-Gonnard"/>
            <date month="August" year="2018"/>
            <abstract>
              <t indent="0">This document describes key exchange algorithms based on Elliptic Curve Cryptography (ECC) for the Transport Layer Security (TLS) protocol. In particular, it specifies the use of Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) key agreement in a TLS handshake and the use of the Elliptic Curve Digital Signature Algorithm (ECDSA) and Edwards-curve Digital Signature Algorithm (EdDSA) as authentication mechanisms.</t>
              <t indent="0">This document obsoletes RFC 4492.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8422"/>
          <seriesInfo name="DOI" value="10.17487/RFC8422"/>
        </reference>
        <reference anchor="RFC8447" target="https://www.rfc-editor.org/info/rfc8447" quoteTitle="true" derivedAnchor="RFC8447">
          <front>
            <title>IANA Registry Updates for TLS and DTLS</title>
            <author fullname="J. Salowey" initials="J." surname="Salowey"/>
            <author fullname="S. Turner" initials="S." surname="Turner"/>
            <date month="August" year="2018"/>
            <abstract>
              <t indent="0">This document describes a number of changes to TLS and DTLS IANA registries that range from adding notes to the registry all the way to changing the registration policy. These changes were mostly motivated by WG review of the TLS- and DTLS-related registries undertaken as part of the TLS 1.3 development process.</t>
              <t indent="0">This document updates the following RFCs: 3749, 5077, 4680, 5246, 5705, 5878, 6520, and 7301.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8447"/>
          <seriesInfo name="DOI" value="10.17487/RFC8447"/>
        </reference>
        <reference anchor="RFC8471" target="https://www.rfc-editor.org/info/rfc8471" quoteTitle="true" derivedAnchor="RFC8471">
          <front>
            <title>The Token Binding Protocol Version 1.0</title>
            <author fullname="A. Popov" initials="A." role="editor" surname="Popov"/>
            <author fullname="M. Nystroem" initials="M." surname="Nystroem"/>
            <author fullname="D. Balfanz" initials="D." surname="Balfanz"/>
            <author fullname="J. Hodges" initials="J." surname="Hodges"/>
            <date month="October" year="2018"/>
            <abstract>
              <t indent="0">This document specifies version 1.0 of the Token Binding protocol. The Token Binding protocol allows client/server applications to create long-lived, uniquely identifiable TLS bindings spanning multiple TLS sessions and connections. Applications are then enabled to cryptographically bind security tokens to the TLS layer, preventing token export and replay attacks. To protect privacy, the Token Binding identifiers are only conveyed over TLS and can be reset by the user at any time.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8471"/>
          <seriesInfo name="DOI" value="10.17487/RFC8471"/>
        </reference>
        <reference anchor="RFC8792" target="https://www.rfc-editor.org/info/rfc8792" quoteTitle="true" derivedAnchor="RFC8792">
          <front>
            <title>Handling Long Lines in Content of Internet-Drafts and RFCs</title>
            <author fullname="K. Watsen" initials="K." surname="Watsen"/>
            <author fullname="E. Auerswald" initials="E." surname="Auerswald"/>
            <author fullname="A. Farrel" initials="A." surname="Farrel"/>
            <author fullname="Q. Wu" initials="Q." surname="Wu"/>
            <date month="June" year="2020"/>
            <abstract>
              <t indent="0">This document defines two strategies for handling long lines in width-bounded text content. One strategy, called the "single backslash" strategy, is based on the historical use of a single backslash ('\') character to indicate where line-folding has occurred, with the continuation occurring with the first character that is not a space character (' ') on the next line. The second strategy, called the "double backslash" strategy, extends the first strategy by adding a second backslash character to identify where the continuation begins and is thereby able to handle cases not supported by the first strategy. Both strategies use a self-describing header enabling automated reconstitution of the original content.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8792"/>
          <seriesInfo name="DOI" value="10.17487/RFC8792"/>
        </reference>
        <reference anchor="RFC8996" target="https://www.rfc-editor.org/info/rfc8996" quoteTitle="true" derivedAnchor="RFC8996">
          <front>
            <title>Deprecating TLS 1.0 and TLS 1.1</title>
            <author fullname="K. Moriarty" initials="K." surname="Moriarty"/>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <date month="March" year="2021"/>
            <abstract>
              <t indent="0">This document formally deprecates Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346). Accordingly, those documents have been moved to Historic status. These versions lack support for current and recommended cryptographic algorithms and mechanisms, and various government and industry profiles of applications using TLS now mandate avoiding these old TLS versions. TLS version 1.2 became the recommended version for IETF protocols in 2008 (subsequently being obsoleted by TLS version 1.3 in 2018), providing sufficient time to transition away from older versions. Removing support for older versions from implementations reduces the attack surface, reduces opportunity for misconfiguration, and streamlines library and product maintenance.</t>
              <t indent="0">This document also deprecates Datagram TLS (DTLS) version 1.0 (RFC 4347) but not DTLS version 1.2, and there is no DTLS version 1.1.</t>
              <t indent="0">This document updates many RFCs that normatively refer to TLS version 1.0 or TLS version 1.1, as described herein. This document also updates the best practices for TLS usage in RFC 7525; hence, it is part of BCP 195.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="195"/>
          <seriesInfo name="RFC" value="8996"/>
          <seriesInfo name="DOI" value="10.17487/RFC8996"/>
        </reference>
        <reference anchor="RFC9000" target="https://www.rfc-editor.org/info/rfc9000" quoteTitle="true" derivedAnchor="RFC9000">
          <front>
            <title>QUIC: A UDP-Based Multiplexed and Secure Transport</title>
            <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <date month="May" year="2021"/>
            <abstract>
              <t indent="0">This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9000"/>
          <seriesInfo name="DOI" value="10.17487/RFC9000"/>
        </reference>
        <reference anchor="RFC9001" target="https://www.rfc-editor.org/info/rfc9001" quoteTitle="true" derivedAnchor="RFC9001">
          <front>
            <title>Using TLS to Secure QUIC</title>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <author fullname="S. Turner" initials="S." role="editor" surname="Turner"/>
            <date month="May" year="2021"/>
            <abstract>
              <t indent="0">This document describes how Transport Layer Security (TLS) is used to secure QUIC.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9001"/>
          <seriesInfo name="DOI" value="10.17487/RFC9001"/>
        </reference>
        <reference anchor="RFC9261" target="https://www.rfc-editor.org/info/rfc9261" quoteTitle="true" derivedAnchor="RFC9261">
          <front>
            <title>Exported Authenticators in TLS</title>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <date month="July" year="2022"/>
            <abstract>
              <t indent="0">This document describes a mechanism that builds on Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS) and enables peers to provide proof of ownership of an identity, such as an X.509 certificate. This proof can be exported by one peer, transmitted out of band to the other peer, and verified by the receiving peer.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9261"/>
          <seriesInfo name="DOI" value="10.17487/RFC9261"/>
        </reference>
        <reference anchor="RFC9325" target="https://www.rfc-editor.org/info/rfc9325" quoteTitle="true" derivedAnchor="RFC9325">
          <front>
            <title>Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
            <author fullname="Y. Sheffer" initials="Y." surname="Sheffer"/>
            <author fullname="P. Saint-Andre" initials="P." surname="Saint-Andre"/>
            <author fullname="T. Fossati" initials="T." surname="Fossati"/>
            <date month="November" year="2022"/>
            <abstract>
              <t indent="0">Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) are used to protect data exchanged over a wide range of application protocols and can also form the basis for secure transport protocols. Over the years, the industry has witnessed several serious attacks on TLS and DTLS, including attacks on the most commonly used cipher suites and their modes of operation. This document provides the latest recommendations for ensuring the security of deployed services that use TLS and DTLS. These recommendations are applicable to the majority of use cases.</t>
              <t indent="0">RFC 7525, an earlier version of the TLS recommendations, was published when the industry was transitioning to TLS 1.2. Years later, this transition is largely complete, and TLS 1.3 is widely available. This document updates the guidance given the new environment and obsoletes RFC 7525. In addition, this document updates RFCs 5288 and 6066 in view of recent attacks.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="195"/>
          <seriesInfo name="RFC" value="9325"/>
          <seriesInfo name="DOI" value="10.17487/RFC9325"/>
        </reference>
      </references>
    </references>
    <section anchor="example" numbered="true" removeInRFC="false" toc="include" pn="section-appendix.a">
      <name slugifiedName="name-example">Example</name>
      <t indent="0" pn="section-appendix.a-1">The following is a sample of a file in SSLKEYLOGFILE format, including secrets from two
      TLS 1.3 connections.</t>
      <t indent="0" pn="section-appendix.a-2">The examples below use line wrapping per <xref target="RFC8792" format="default" sectionFormat="of" derivedContent="RFC8792"/>.</t>
      <sourcecode type="application/sslkeylogfile" markers="false" pn="section-appendix.a-3">
CLIENT_HANDSHAKE_TRAFFIC_SECRET \
  cf34899b3dcb8c9fe7160ceaf95d354a294793b67a2e49cb9cca4d69b43593a0 \
  be4a28d81ce41242ff31c6d8a6615852178f2cd75eaca2ee8768f9ed51282b38
SERVER_HANDSHAKE_TRAFFIC_SECRET \
  cf34899b3dcb8c9fe7160ceaf95d354a294793b67a2e49cb9cca4d69b43593a0 \
  258179721fa704e2f1ee16688b4b0419967ddea5624cd5ad0863288dc5ead35f
CLIENT_HANDSHAKE_TRAFFIC_SECRET \
  b2eb93b8ddab8c228993567947bca1e133736980c22754687874e3896f7d6d0a \
  59ec0981b211a743f22d5a46a1fc77a2b230e16ef0de6d4e418abfe90eff10bf
SERVER_HANDSHAKE_TRAFFIC_SECRET \
  b2eb93b8ddab8c228993567947bca1e133736980c22754687874e3896f7d6d0a \
  a37fe4d3b6c9a6a372396b1562f6f8a40c1c3f85f1aa9b02d5ed46c4a1301365
CLIENT_TRAFFIC_SECRET_0 \
  cf34899b3dcb8c9fe7160ceaf95d354a294793b67a2e49cb9cca4d69b43593a0 \
  e9ca165bcb762fab8086068929d26c532e90ef2e2daa762d8b52346951a34c02
SERVER_TRAFFIC_SECRET_0 \
  cf34899b3dcb8c9fe7160ceaf95d354a294793b67a2e49cb9cca4d69b43593a0 \
  4f93c61ac1393008d4c820f3723db3c67494f06574b65fcc21c9eef22f90071a
EXPORTER_SECRET \
  cf34899b3dcb8c9fe7160ceaf95d354a294793b67a2e49cb9cca4d69b43593a0 \
  011c900833468f837f7c55d836b2719beebd39b1648fdeda58772f48d94a1ffa
CLIENT_TRAFFIC_SECRET_0 \
  b2eb93b8ddab8c228993567947bca1e133736980c22754687874e3896f7d6d0a \
  e9160bca1a531d871f5ecf51943d8cfb88833adeccf97701546b5fb93e030d79
SERVER_TRAFFIC_SECRET_0 \
  b2eb93b8ddab8c228993567947bca1e133736980c22754687874e3896f7d6d0a \
  fb1120b91e48d402fac20faa33880e77bace82c85d6688df0aa99bf5084430e4
EXPORTER_SECRET \
  b2eb93b8ddab8c228993567947bca1e133736980c22754687874e3896f7d6d0a \
  db1f4fa1a6942fb125d4cc47e02938b6f8030c6956bb81b9e3269f1cf855a8f8
</sourcecode>
      <t indent="0" pn="section-appendix.a-4">Note that secrets from the two connections might be interleaved as shown here,
because secrets could be logged as they are generated.</t>
      <t indent="0" pn="section-appendix.a-5">The following shows a log entry for a TLS 1.2 connection.</t>
      <sourcecode type="application/sslkeylogfile" markers="false" pn="section-appendix.a-6">
CLIENT_RANDOM \
  ad52329fcadd34ee3aa07092680287f09954823e26d7b5ae25c0d47714152a6a \
  97af4c8618cfdc0b2326e590114c2ec04b43b08b7e2c3f8124cc61a3b068ba966\
  9517e744e3117c3ce6c538a2d88dfdf
</sourcecode>
      <t indent="0" pn="section-appendix.a-7">The following shows a log entry for a TLS 1.3 connection that successfully
negotiated ECH.</t>
      <sourcecode type="application/sslkeylogfile" markers="false" pn="section-appendix.a-8">
ECH_SECRET \
  0ba587ee6b65ce21a726630efb881206a7cd995611095b5f4c244bb2b23f1ee1 \
  e8828ec09909cc9363179dc13b62498550c8637129345263011a1678370ca52a
ECH_CONFIG \
  0ba587ee6b65ce21a726630efb881206a7cd995611095b5f4c244bb2b23f1ee1 \
  fe0d003c5500200020d5260ae4cdda08bcbdc37bd0dc53c29aea5f0fdd2b2d59 \
  4e4235e99b134ac904000400010001000d636f7665722e6465666f2e69650000
CLIENT_HANDSHAKE_TRAFFIC_SECRET \
  8726180bb24718089a4c5c8c93e0ea1c6d6649d7dd3c978fc1413854a20e9647 \
  a195b63ec4270609692a204c08e63e74d9ae58e377d11a383bfe641a63c01140
SERVER_HANDSHAKE_TRAFFIC_SECRET \
  8726180bb24718089a4c5c8c93e0ea1c6d6649d7dd3c978fc1413854a20e9647 \
  022d1cb827a90f27dadde0c99110c2b7d0f362fdfe420a04818aa223e5f2c14c
CLIENT_TRAFFIC_SECRET_0 \
  8726180bb24718089a4c5c8c93e0ea1c6d6649d7dd3c978fc1413854a20e9647 \
  c2310f7db71109de88bab6f2f433fdc1704aecc0d57349cbf9113e5033178172
SERVER_TRAFFIC_SECRET_0 \
  8726180bb24718089a4c5c8c93e0ea1c6d6649d7dd3c978fc1413854a20e9647 \
  04ffc7c154f71ba5f530c7344b0496f60ce71b9b7c6b0e203ea574bfcdf14e27
EXPORTER_SECRET \
  8726180bb24718089a4c5c8c93e0ea1c6d6649d7dd3c978fc1413854a20e9647 \
  befb5db5ac6785b5dd4c6a8c4693c379ec0a1486b5fd035b25e50c3c95abc500
</sourcecode>
    </section>
    <section numbered="false" anchor="acknowledgments" removeInRFC="false" toc="include" pn="section-appendix.b">
      <name slugifiedName="name-acknowledgments">Acknowledgments</name>
      <t indent="0" pn="section-appendix.b-1">The SSLKEYLOGFILE format originated in the Network Security Services (NSS) project, but it has evolved over
time as TLS has changed.  Many people contributed to this evolution.  The authors
are only documenting the format as it is used while extending it to cover ECH.</t>
    </section>
    <section anchor="authors-addresses" numbered="false" removeInRFC="false" toc="include" pn="section-appendix.c">
      <name slugifiedName="name-authors-addresses">Authors' Addresses</name>
      <author fullname="Martin Thomson">
        <organization showOnFrontPage="true">Mozilla</organization>
        <address>
          <email>mt@lowentropy.net</email>
        </address>
      </author>
      <author fullname="Yaroslav Rosomakho">
        <organization showOnFrontPage="true">Zscaler</organization>
        <address>
          <email>yrosomakho@zscaler.com</email>
        </address>
      </author>
      <author fullname="Hannes Tschofenig">
        <organization abbrev="H-BRS" showOnFrontPage="true">University of Applied Sciences Bonn-Rhein-Sieg</organization>
        <address>
          <email>Hannes.Tschofenig@gmx.net</email>
        </address>
      </author>
    </section>
  </back>
</rfc>
