- fips
- base
-show ssl sni [-f <frontend>] [-A]
+show ssl sni [-f <frontend>] [-A] [-t <offset>]
Dump every SNI configured for the designated frontend, or all frontends if no
frontend was specified. It allows to see what SNI are offered for a frontend,
and to identify if a SNI is defined multiple times by multiple certificates for
The -A option allows to filter the list and only displays the certificates
that are past the notAfter date, allowing to show only expired certificates.
+ The -t option takes an offset in seconds, or with a time unit (s, m, h, d),
+ which is added to the current time, allowing to check which certificates
+ expired after the offset when combined with -A.
+ For example if you want to check which certificates would be expired in 30d,
+ just do "show ssl sni -A -t 30d".
+
Columns are separated by a single \t, allowing to parse it simply.
The 'Frontend/Bind' column shows the frontend name followed by the bind line
leaf certificate.
Example:
- $ echo "@1 show ssl sni" | socat /var/run/haproxy-master.sock - | column -t -s $'\t'
+ $ echo "@1 show ssl sni -A -t 30d" | socat /var/run/haproxy-master.sock - | column -t -s $'\t'
# Frontend/Bind SNI Negative Filter Type Filename NotAfter NotBefore
li1/haproxy.cfg:10021 *.ex.lan !m1.ex.lan rsa example.lan.pem Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
li1/haproxy.cfg:10021 machine10 - ecdsa machine10.pem.ecdsa Jun 13 13:37:21 2024 GMT May 14 13:37:21 2024 GMT
struct ebmb_node *n;
int nodetype;
int options;
+ unsigned int offset;
};
/* CLI context used by "dump ssl cert" */
#ifdef HAVE_ASN1_TIME_TO_TM
if (ctx->options & SHOW_SNI_OPT_NOTAFTER) {
time_t notAfter = x509_get_notafter_time_t(sni->ckch_inst->ckch_store->data->cert);
- if (!(date.tv_sec > notAfter))
+ if (!(date.tv_sec+ctx->offset > notAfter))
continue;
}
#endif
}
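Review bot: The new comparison `date.tv_sec+ctx->offset > notAfter` adds an `unsigned int` to a `time_t`; on targets where `time_t` is 32-bit the sum is computed in unsigned arithmetic and `notAfter` is then compared as unsigned too, so widening the offset first makes the intent explicit and keeps the comparison signed everywhere: `if (date.tv_sec + (time_t)ctx->offset <= notAfter)`, which also drops the `!(a > b)` double negation. A short comment would help the next reader, e.g. `/* -t shifts the reference "now" forward; report certs already past notAfter at now+offset */`. The enclosing dump function starts and ends outside the hunk.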
-/* parsing function for 'show ssl sni [-f <frontend>] [-A]' */
+/* parsing function for 'show ssl sni [-f <frontend>] [-A] [-t <offset>]' */
static int cli_parse_show_sni(char **args, char *payload, struct appctx *appctx, void *private)
{
struct show_sni_ctx *ctx = applet_reserve_svcctx(appctx, sizeof(*ctx));
return cli_err(appctx, "'-A' option is only supported with OpenSSL >= 1.1.1!\n");
#endif
+ } else if (strcmp(args[cur_arg], "-t") == 0) {
+ unsigned int offset;
+ const char *res;
+ char *err = NULL;
+
+ if (*args[cur_arg+1] == '\0')
+ return cli_err(appctx, "'-t' requires an offset argument!\n");
+
+ res = parse_time_err(args[cur_arg+1], &offset, TIME_UNIT_S);
+
+ if (res == PARSE_TIME_OVER) {
+ return cli_dynerr(appctx, memprintf(&err, "offset overflow '%s' (maximum value is 2147483647s or ~24855 days)", args[cur_arg+1]));
+ }
+ else if (res == PARSE_TIME_UNDER) {
+ return cli_dynerr(appctx, memprintf(&err, "timer underflow '%s' (minimum non-null value is 1s)", args[cur_arg+1]));
+ }
+ else if (res) {
+ return cli_dynerr(appctx, memprintf(&err, "'%s %s' : unexpected character '%c'", args[cur_arg], args[cur_arg+1], *res));
+ }
+
+ if (!offset) {
+ return cli_dynerr(appctx, memprintf(&err, "'%s' expects a positive value", args[cur_arg]));
+ }
+
+ ctx->offset = offset;
+ cur_arg++; /* skip the argument */
} else {
- return cli_err(appctx, "Invalid parameters, 'show ssl sni' only supports '-f', or '-A' options!\n");
+ return cli_err(appctx, "Invalid parameters, 'show ssl sni' only supports '-f', '-A' or '-t' options!\n");
}
cur_arg++;
}
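Review bot: The two range errors are worded inconsistently: the PARSE_TIME_OVER branch says `offset overflow` while the PARSE_TIME_UNDER branch says `timer underflow`, although both refer to the same `-t` argument parsed in seconds; `"offset underflow '%s' (minimum non-null value is 1s)"` would keep them aligned. Separately, the `-t` branch sits outside the `#ifdef` that guards `-A`, and the offset is only read in the `SHOW_SNI_OPT_NOTAFTER` comparison, so `-t` given alone (or on a build where `-A` is rejected) is accepted silently and has no effect; after the argument loop a check such as `if (ctx->offset && !(ctx->options & SHOW_SNI_OPT_NOTAFTER)) return cli_err(appctx, "'-t' is only meaningful with '-A'!\n");` would surface that to the operator. The `-t` rejection of a zero offset is fine but is not mentioned in the documentation hunk, which could state that the offset must be at least 1s. cli_parse_show_sni continues outside the hunk.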