Logging server name on failed SSL handshakes


I’m interested in logging failed SSL handshakes, and require knowing which server name was sent in the SNI request (we occasionally get requests for domains which still don’t have a certificate and would like to generate one for them).
I’ve tried using ssl_fc_err_str and ssl_fc_sni, but couldn’t log the server name. ssl_fc_sni is empty (-). Can someone help?

HAProxy version 2.5.0-1~bpo10+1 2021/11/26 - https://haproxy.org/
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes


Are you running with strict-sni enabled, or why is it that the handshake fails?

SSL logging was improved in haproxy 2.5, you should use the following features:

HTTPS log format and especially the Error log format

Thanks for the reply.

I am running with strict-sni, the handshake fails because the certificate is missing for the specified domain. I serve a great deal of certificates and in some cases they are missing and I need to generate them.

As you can see we are using haproxy 2.5. however I couldn’t find any way to log the server name requested in the SNI in the error log. I assumed it would be ssl_fc_sni but it is blank. I might be missing something there.

Did you use error-log-format ?

Yes, I’ve tried quite a few variations on it.
For example this one:

error-log-format “%ci:%cp [%tr] %ft %ac/%fc %[ssl_fc_sni] %[fc_err] %[bc_err] “%[fc_err_str]” “%[ssl_fc_err_str]””

I couldn’t find a parameter that holds the server name.

I’ve filed a bug:

Thank you very much!