Reference

show ssl ech

Available since

  • HAProxy 3.3

Display the list of Encrypted Client Hello (ECH) keys loaded in the HAProxy process.

Description

Displays all ECH keys by default. Specify a bind to display keys for just the named bind.

You can specify the bind using the line number:

text
<frontend>/@<config_filename>:<linenum>

Alternatively, you can specify the bind using the bind name:

text
<frontend>/<bind_name>

The output includes key age, which represents the time, in seconds, since the key was loaded in the bind line. This value is reset when HAProxy is started, reloaded, or restarted.

This command is supported only on a CLI connection running in experimental mode (experimental-mode on).

Examples

Show all ECH keys in the HAProxy process:

nix
echo "experimental-mode on; show ssl ech" | \
sudo socat stdio tcp4-connect:127.0.0.1:9999
output
text
***
frontend: frontend1
bind: frontend1/@hapee-lb.cfg:19
ECH entry: 0 public_name: example.com age: 557 (has private key)
[fe0d,94,example.com,[0020,0001,0001],c39285b774bf61c071864181c5292a012b30adaf767e39369a566af05573ef2b,00,00]
ECH entry: 1 public_name: example.com age: 557 (has private key)
[fe0d,ee,example.com,[0020,0001,0001],6572191131b5cabba819f8cacf2d2e06fa0b87b30d9b793644daba7b8866d511,00,00]
bind: frontend1/@hapee-lb.cfg:20
ECH entry: 0 public_name: example.com age: 557 (has private key)
[fe0d,94,example.com,[0020,0001,0001],c39285b774bf61c071864181c5292a012b30adaf767e39369a566af05573ef2b,00,00]
ECH entry: 1 public_name: example.com age: 557 (has private key)
[fe0d,ee,example.com,[0020,0001,0001],6572191131b5cabba819f8cacf2d2e06fa0b87b30d9b793644daba7b8866d511,00,00]

Show ECH keys of the bind on line 19 in frontend frontend1 of configuration hapee-lb.cfg:

nix
echo "experimental-mode on; show ssl ech frontend1/@hapee-lb.cfg:19" | \
sudo socat stdio tcp4-connect:127.0.0.1:9999
output
text
***
ECH for frontend1/@hapee-lb.cfg:19
ECH entry: 0 public_name: example.com age: 786 (has private key)
[fe0d,94,example.com,[0020,0001,0001],c39285b774bf61c071864181c5292a012b30adaf767e39369a566af05573ef2b,00,00]
ECH entry: 1 public_name: example.com age: 786 (has private key)
[fe0d,ee,example.com,[0020,0001,0001],6572191131b5cabba819f8cacf2d2e06fa0b87b30d9b793644daba7b8866d511,00,00]
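
The following is an added example, not part of the HAProxy documentation: a Python parser for the output format shown above that reports entries whose age exceeds a rotation limit or that lack a private key. The sample output is constructed (key values shortened), the 86400-second limit is a hypothetical policy, and an entry line without "(has private key)" is assumed to mean no private key is loaded.

```python
import re

# Constructed sample in the format shown above (key values shortened, not real).
SAMPLE = """\
***
frontend: frontend1
bind: frontend1/@hapee-lb.cfg:19
ECH entry: 0 public_name: example.com age: 557 (has private key)
[fe0d,94,example.com,[0020,0001,0001],aa11,00,00]
ECH entry: 1 public_name: example.com age: 90000 (has private key)
[fe0d,ee,example.com,[0020,0001,0001],bb22,00,00]
bind: frontend1/@hapee-lb.cfg:20
ECH entry: 0 public_name: example.com age: 557
[fe0d,94,example.com,[0020,0001,0001],aa11,00,00]
"""

BIND_RE = re.compile(r"^(?:bind:|ECH for)\s+(\S+)")  # all-binds and single-bind forms
ENTRY_RE = re.compile(r"^ECH entry:\s+(\d+)\s+public_name:\s+(\S+)\s+age:\s+(\d+)(.*)$")

def parse_show_ssl_ech(text):
    """Return one dict per ECH entry found in 'show ssl ech' output."""
    entries, bind = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := BIND_RE.match(line):
            bind = m.group(1)
        elif m := ENTRY_RE.match(line):
            idx, name, age, rest = m.groups()
            entries.append({"bind": bind, "index": int(idx), "public_name": name,
                            "age": int(age), "config": None,
                            "has_private_key": "has private key" in rest})
        elif line.startswith("[") and entries and entries[-1]["config"] is None:
            entries[-1]["config"] = line  # raw bracketed line, kept as a fingerprint
    return entries

def audit(entries, max_age):
    """List (bind, index, reason) for entries that need attention."""
    findings = []
    for e in entries:
        if e["age"] > max_age:
            findings.append((e["bind"], e["index"], "age exceeds limit"))
        if not e["has_private_key"]:
            findings.append((e["bind"], e["index"], "no private key"))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_show_ssl_ech(SAMPLE), max_age=86400):
        print(*finding)
```

Because the age resets whenever HAProxy is started, reloaded, or restarted, it measures time since the key was loaded into the bind, not time since the key was generated.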
