Reference

show ssl sni

On this page

Available since

  • HAProxy 3.2
  • HAProxy Enterprise 2.9r1

Display the names of the Server Name Indication (SNI) loaded by OpenSSL during initialization.

Description Jump to heading

The show ssl sni command dumps every SNI configured for all frontends, or, when the -f <frontend> option is used, only for the specified frontend.

The command shows what SNI are offered for a frontend and allows you to determine if a SNI is defined multiple times by multiple certificates for the same frontend.

To dump only expired certificates, use the -A option. Expiration is determined by the NotAfter date.

Columns are separated by a single tab (\t) to permit easy parsing.

Column Description
Frontend/Bind The frontend name followed by the bind line position in the configuration (frontend/file:linenum).
SNI The SNI. It can be either a CN, a SAN, or a filter from a crt-list. The default certificates of a bind line, (which are either declared explicitly by default-crt or implicitly the first certificate of a bind line when no strict-sni is used) shows the asterisk (*) character in the SNI column.
Negative Filter The list of negative filters matching a wildcard. Shows all negative filters that are on the same crt-list line. A dash character (-) is displayed if there are none.
Type The encryption algorithm type, one of rsa, ecdsa or dsa.
Filename Can be either a filename from the configuration or an alias declared in a crt-store.
NotAfter and NotBefore These columns are directly extracted from the X509 leaf certificate.

Examples Jump to heading

Show all SNI for all frontends:

nix
echo "show ssl sni" | \
  sudo socat stdio tcp4-connect:127.0.0.1:9999 | column -t -s $'\t'
nix
echo "show ssl sni" | \
  sudo socat stdio tcp4-connect:127.0.0.1:9999 | column -t -s $'\t'
output
text
# Frontend/Bind                      SNI         Negative Filter   Type   Filename                               NotAfter                   NotBefore
mysite//etc/haproxy/haproxy.cfg:30   bar.com     -                 ecdsa  /etc/haproxy/certs/bar.com/bar.ecdsa   Jun 13 13:37:21 2024 GMT   May 14 13:37:21 2024 GMT
mysite//etc/haproxy/haproxy.cfg:30   bar.com     -                 rsa    /etc/haproxy/certs/bar.com/bar.rsa     Jun 13 13:37:21 2024 GMT   May 14 13:37:21 2024 GMT
mysite//etc/haproxy/haproxy.cfg:30   foo.com     -                 rsa    /etc/haproxy/certs/foo.com/foo.pem     Jan  4 15:57:13 2027 GMT   Dec  5 15:57:13 2024 GMT
mysite//etc/haproxy/haproxy.cfg:30   *           -                 rsa    /etc/haproxy/certs/foo.com/foo.pem     Jan  4 15:57:13 2027 GMT   Dec  5 15:57:13 2024 GMT
mysite//etc/haproxy/haproxy.cfg:30   *.baz.com   !secure.baz.com   rsa    /etc/haproxy/certs/baz.com/baz.pem     Jan  4 15:57:13 2027 GMT   Dec  5 15:57:13 2024 GMT
output
text
# Frontend/Bind                      SNI         Negative Filter   Type   Filename                               NotAfter                   NotBefore
mysite//etc/haproxy/haproxy.cfg:30   bar.com     -                 ecdsa  /etc/haproxy/certs/bar.com/bar.ecdsa   Jun 13 13:37:21 2024 GMT   May 14 13:37:21 2024 GMT
mysite//etc/haproxy/haproxy.cfg:30   bar.com     -                 rsa    /etc/haproxy/certs/bar.com/bar.rsa     Jun 13 13:37:21 2024 GMT   May 14 13:37:21 2024 GMT
mysite//etc/haproxy/haproxy.cfg:30   foo.com     -                 rsa    /etc/haproxy/certs/foo.com/foo.pem     Jan  4 15:57:13 2027 GMT   Dec  5 15:57:13 2024 GMT
mysite//etc/haproxy/haproxy.cfg:30   *           -                 rsa    /etc/haproxy/certs/foo.com/foo.pem     Jan  4 15:57:13 2027 GMT   Dec  5 15:57:13 2024 GMT
mysite//etc/haproxy/haproxy.cfg:30   *.baz.com   !secure.baz.com   rsa    /etc/haproxy/certs/baz.com/baz.pem     Jan  4 15:57:13 2027 GMT   Dec  5 15:57:13 2024 GMT

Show expired SNI for all frontends (assuming the current date is before Feb 01 2025):

nix
echo "show ssl sni -A" | \
  sudo socat stdio tcp4-connect:127.0.0.1:9999 | column -t -s $'\t'
nix
echo "show ssl sni -A" | \
  sudo socat stdio tcp4-connect:127.0.0.1:9999 | column -t -s $'\t'
output
text
# Frontend/Bind                      SNI         Negative Filter   Type   Filename                               NotAfter                   NotBefore
mysite//etc/haproxy/haproxy.cfg:30   bar.com     -                 ecdsa  /etc/haproxy/certs/bar.com/bar.ecdsa   Jun 13 13:37:21 2024 GMT   May 14 13:37:21 2024 GMT
mysite//etc/haproxy/haproxy.cfg:30   bar.com     -                 rsa    /etc/haproxy/certs/bar.com/bar.rsa     Jun 13 13:37:21 2024 GMT   May 14 13:37:21 2024 GMT
output
text
# Frontend/Bind                      SNI         Negative Filter   Type   Filename                               NotAfter                   NotBefore
mysite//etc/haproxy/haproxy.cfg:30   bar.com     -                 ecdsa  /etc/haproxy/certs/bar.com/bar.ecdsa   Jun 13 13:37:21 2024 GMT   May 14 13:37:21 2024 GMT
mysite//etc/haproxy/haproxy.cfg:30   bar.com     -                 rsa    /etc/haproxy/certs/bar.com/bar.rsa     Jun 13 13:37:21 2024 GMT   May 14 13:37:21 2024 GMT

Do you have any suggestions on how we can improve the content of this page?

Previous page show ssl providers Next page show startup-logs
© 2025 HAProxy Technologies, LLC. All Rights Reserved
Manage Cookie Preferences