DataDog · dd-mergequeue · Jun 23, 2025 · Jun 22, 2025 · Jun 22, 2025 · Jun 22, 2025
@@ -144,7 +144,7 @@ func getExpectedConnections(encodedWithQueryType bool, httpOutBlob []byte) *mode
 			NpmEnabled: false,
 			UsmEnabled: false,
 		},
-		Tags: network.GetStaticTags(tagOpenSSL | tagTLS),
+		Tags: tls.GetStaticTags(tagOpenSSL | tagTLS),
 	}
 	// fixup Protocol stack as on windows or macos
 	// we don't have tags mechanism inserting TLS protocol on protocol stack

@@ -13,6 +13,7 @@ import (
 	"github.com/twmb/murmur3"
 
 	"github.com/DataDog/datadog-agent/pkg/network"
+	"github.com/DataDog/datadog-agent/pkg/network/protocols/tls"
 	"github.com/DataDog/datadog-agent/pkg/process/util"
 )
 
@@ -268,7 +269,7 @@ func formatRouteIdx(v *network.Via, routes map[network.Via]RouteIdx) int32 {
 func formatTags(c network.ConnectionStats, tagsSet *network.TagsSet, connDynamicTags map[string]struct{}) ([]uint32, uint32) {
 	var checksum uint32
 
-	staticTags := network.GetStaticTags(c.StaticTags)
+	staticTags := tls.GetStaticTags(c.StaticTags)
 	tagsIdx := make([]uint32, 0, len(staticTags)+len(connDynamicTags)+len(c.Tags))
 
 	for _, tag := range staticTags {

@@ -15,7 +15,7 @@ import (
 	model "github.com/DataDog/agent-payload/v5/process"
 
 	"github.com/DataDog/datadog-agent/pkg/network/protocols"
-	"github.com/DataDog/datadog-agent/pkg/network/protocols/http"
+	"github.com/DataDog/datadog-agent/pkg/network/protocols/tls"
 )
 
 func TestFormatTLSProtocols(t *testing.T) {
@@ -28,7 +28,7 @@ func TestFormatTLSProtocols(t *testing.T) {
 		{
 			name:       "GnuTLS - unknown protocol",
 			protocol:   protocols.Stack{Application: protocols.Unknown},
-			staticTags: http.TLS | http.GnuTLS,
+			staticTags: tls.TLS | tls.GnuTLS,
 			want: &model.ProtocolStack{
 				Stack: []model.ProtocolType{
 					model.ProtocolType_protocolTLS,
@@ -38,7 +38,7 @@ func TestFormatTLSProtocols(t *testing.T) {
 		{
 			name:       "OpenSSL - HTTP protocol",
 			protocol:   protocols.Stack{Application: protocols.HTTP},
-			staticTags: http.TLS | http.OpenSSL,
+			staticTags: tls.TLS | tls.OpenSSL,
 			want: &model.ProtocolStack{
 				Stack: []model.ProtocolType{
 					model.ProtocolType_protocolTLS,
@@ -49,7 +49,7 @@ func TestFormatTLSProtocols(t *testing.T) {
 		{
 			name:       "GoTLS - MySQL protocol",
 			protocol:   protocols.Stack{Application: protocols.MySQL},
-			staticTags: http.TLS | http.Go,
+			staticTags: tls.TLS | tls.Go,
 			want: &model.ProtocolStack{
 				Stack: []model.ProtocolType{
 					model.ProtocolType_protocolTLS,

@@ -8,8 +8,8 @@ package marshal
 import (
 	model "github.com/DataDog/agent-payload/v5/process"
 
-	"github.com/DataDog/datadog-agent/pkg/network"
 	"github.com/DataDog/datadog-agent/pkg/network/protocols"
+	"github.com/DataDog/datadog-agent/pkg/network/protocols/tls"
 	"github.com/DataDog/datadog-agent/pkg/util/log"
 )
 
@@ -34,7 +34,7 @@ import (
 func FormatProtocolStack(originalStack protocols.Stack, staticTags uint64) *model.ProtocolStack {
 	var stack []model.ProtocolType
 
-	if network.IsTLSTag(staticTags) || originalStack.Encryption == protocols.TLS {
+	if tls.IsTLSTag(staticTags) || originalStack.Encryption == protocols.TLS {
 		stack = addProtocol(stack, protocols.TLS)
 	}
 	if originalStack.Application != protocols.Unknown {

@@ -7,18 +7,20 @@
 
 package http
 
+import "github.com/DataDog/datadog-agent/pkg/network/protocols/tls"
+
 // Add increments the TLS-aware counter based on the specified transaction's static tags
 func (t *TLSCounter) Add(tx Transaction) {
 	switch tx.StaticTags() {
-	case GnuTLS:
+	case tls.GnuTLS:
 		t.counterGnuTLS.Add(1)
-	case OpenSSL:
+	case tls.OpenSSL:
 		t.counterOpenSSL.Add(1)
-	case Go:
+	case tls.Go:
 		t.counterGoTLS.Add(1)
-	case Istio:
+	case tls.Istio:
 		t.counterIstioTLS.Add(1)
-	case NodeJS:
+	case tls.NodeJS:
 		t.counterNodeJSTLS.Add(1)
 	default:
 		t.counterPlain.Add(1)

@@ -8,7 +8,6 @@
 package http
 
 /*
-#include "../../ebpf/c/protocols/tls/tags-types.h"
 #include "../../ebpf/c/protocols/http/types.h"
 #include "../../ebpf/c/protocols/classification/defs.h"
 */
@@ -27,25 +26,3 @@ type EbpfTx C.http_transaction_t
 const (
 	BufferSize = C.HTTP_BUFFER_SIZE
 )
-
-type ConnTag = uint64
-
-const (
-	GnuTLS  ConnTag = C.LIBGNUTLS
-	OpenSSL ConnTag = C.LIBSSL
-	Go      ConnTag = C.GO
-	TLS     ConnTag = C.CONN_TLS
-	Istio   ConnTag = C.ISTIO
-	NodeJS  ConnTag = C.NODEJS
-)
-
-var (
-	StaticTags = map[ConnTag]string{
-		GnuTLS:  "tls.library:gnutls",
-		OpenSSL: "tls.library:openssl",
-		Go:      "tls.library:go",
-		TLS:     "tls.connection:encrypted",
-		Istio:   "tls.library:istio",
-		NodeJS:  "tls.library:nodejs",
-	}
-)
@@ -0,0 +1,135 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2024-present Datadog, Inc.
+
+// Package tls contains definitions and methods related to tags parsed from the TLS handshake
+package tls
+
+import (
+	"crypto/tls"
+	"fmt"
+)
+
+// Constants for tag keys
+const (
+	TagTLSVersion       = "tls.version:"
+	TagTLSCipherSuiteID = "tls.cipher_suite_id:"
+	TagTLSClientVersion = "tls.client_version:"
+	version10           = "tls_1.0"
+	version11           = "tls_1.1"
+	version12           = "tls_1.2"
+	version13           = "tls_1.3"
+)
+
+// Bitmask constants for Offered_versions matching kernelspace definitions
+const (
+	OfferedTLSVersion10 uint8 = 0x01
+	OfferedTLSVersion11 uint8 = 0x02
+	OfferedTLSVersion12 uint8 = 0x04
+	OfferedTLSVersion13 uint8 = 0x08
+)
+
+// VersionTags maps TLS versions to tag names for server chosen version (exported for testing)
+var VersionTags = map[uint16]string{
+	tls.VersionTLS10: TagTLSVersion + version10,
+	tls.VersionTLS11: TagTLSVersion + version11,
+	tls.VersionTLS12: TagTLSVersion + version12,
+	tls.VersionTLS13: TagTLSVersion + version13,
+}
+
+// ClientVersionTags maps TLS versions to tag names for client offered versions (exported for testing)
+var ClientVersionTags = map[uint16]string{
+	tls.VersionTLS10: TagTLSClientVersion + version10,
+	tls.VersionTLS11: TagTLSClientVersion + version11,
+	tls.VersionTLS12: TagTLSClientVersion + version12,
+	tls.VersionTLS13: TagTLSClientVersion + version13,
+}
+
+// Mapping of offered version bitmasks to version constants
+var offeredVersionBitmask = []struct {
+	bitMask uint8
+	version uint16
+}{
+	{OfferedTLSVersion10, tls.VersionTLS10},
+	{OfferedTLSVersion11, tls.VersionTLS11},
+	{OfferedTLSVersion12, tls.VersionTLS12},
+	{OfferedTLSVersion13, tls.VersionTLS13},
+}
+
+// Tags holds the TLS tags. It is used to store the TLS version, cipher suite and offered versions.
+// We can't use the struct from eBPF as the definition is shared with windows.
+type Tags struct {
+	ChosenVersion   uint16
+	CipherSuite     uint16
+	OfferedVersions uint8
+}
+
+// MergeWith merges the tags from another Tags struct into this one
+func (t *Tags) MergeWith(that Tags) {
+	if t.ChosenVersion == 0 {
+		t.ChosenVersion = that.ChosenVersion
+	}
+	if t.CipherSuite == 0 {
+		t.CipherSuite = that.CipherSuite
+	}
+	if t.OfferedVersions == 0 {
+		t.OfferedVersions = that.OfferedVersions
+	}
+
+}
+
+// IsEmpty returns true if all fields are zero
+func (t *Tags) IsEmpty() bool {
+	if t == nil {
+		return true
+	}
+	return t.ChosenVersion == 0 && t.CipherSuite == 0 && t.OfferedVersions == 0
+}
+
+// String returns a string representation of the Tags struct
+func (t *Tags) String() string {
+	return fmt.Sprintf("ChosenVersion: %d, CipherSuite: %d, OfferedVersions: %d", t.ChosenVersion, t.CipherSuite, t.OfferedVersions)
+}
+
+// parseOfferedVersions parses the Offered_versions bitmask into a slice of version strings
+func parseOfferedVersions(offeredVersions uint8) []string {
+	versions := make([]string, 0, len(offeredVersionBitmask))
+	for _, ov := range offeredVersionBitmask {
+		if (offeredVersions & ov.bitMask) != 0 {
+			if name := ClientVersionTags[ov.version]; name != "" {
+				versions = append(versions, name)
+			}
+		}
+	}
+	return versions
+}
+
+func hexCipherSuiteTag(cipherSuite uint16) string {
+	return fmt.Sprintf("%s0x%04X", TagTLSCipherSuiteID, cipherSuite)
+}
+
+// GetDynamicTags generates dynamic tags based on TLS information
+func (t *Tags) GetDynamicTags() map[string]struct{} {
+	if t.IsEmpty() {
+		return nil
+	}
+	tags := make(map[string]struct{})
+
+	// Server chosen version
+	if tag, ok := VersionTags[t.ChosenVersion]; ok {
+		tags[tag] = struct{}{}
+	}
+
+	// Client offered versions
+	for _, versionName := range parseOfferedVersions(t.OfferedVersions) {
+		tags[versionName] = struct{}{}
+	}
+
+	// Cipher suite ID as hex string
+	if t.CipherSuite != 0 {
+		tags[hexCipherSuiteTag(t.CipherSuite)] = struct{}{}
+	}
+
+	return tags
+}
@@ -5,30 +5,26 @@
 
 //go:build linux
 
-package network
-
-import (
-	"github.com/DataDog/datadog-agent/pkg/network/protocols/http"
-)
+package tls
 
 const (
 	// ConnTagGnuTLS is the tag for GnuTLS connections
-	ConnTagGnuTLS = http.GnuTLS
+	ConnTagGnuTLS = GnuTLS
 	// ConnTagOpenSSL is the tag for OpenSSL connections
-	ConnTagOpenSSL = http.OpenSSL
+	ConnTagOpenSSL = OpenSSL
 	// ConnTagGo is the tag for GO TLS connections
-	ConnTagGo = http.Go
+	ConnTagGo = Go
 	// ConnTagTLS is the tag for TLS connections in general
-	ConnTagTLS = http.TLS
+	ConnTagTLS = TLS
 	// ConnTagIstio is the tag for Istio TLS connections
-	ConnTagIstio = http.Istio
+	ConnTagIstio = Istio
 	// ConnTagNodeJS is the tag for NodeJS TLS connections
-	ConnTagNodeJS = http.NodeJS
+	ConnTagNodeJS = NodeJS
 )
 
 // GetStaticTags return the string list of static tags from network.ConnectionStats.Tags
 func GetStaticTags(staticTags uint64) (tags []string) {
-	for tag, str := range http.StaticTags {
+	for tag, str := range StaticTags {
 		if (staticTags & tag) > 0 {
 			tags = append(tags, str)
 		}

@@ -5,14 +5,14 @@
 
 //go:build !linux
 
-package network
+package tls
 
 // GetStaticTags return the string list of static tags from network.ConnectionStats.Tags
-func GetStaticTags(_ uint64) (tags []string) {
+func GetStaticTags(uint64) (tags []string) {
 	return tags
 }
 
 // IsTLSTag return if the tag is a TLS tag
-func IsTLSTag(_ uint64) bool {
+func IsTLSTag(uint64) bool {
 	return false
 }