diff --git a/include/haproxy/ssl_sock.h b/include/haproxy/ssl_sock.h
index 53375c917..a48a2e2aa 100644
--- a/include/haproxy/ssl_sock.h
+++ b/include/haproxy/ssl_sock.h
@@ -58,6 +58,7 @@ extern struct pool_head *pool_head_ssl_keylog_str;
 extern struct list openssl_providers;
 extern struct stats_module ssl_stats_module;
 
+uint64_t ssl_sock_sni_hash(const struct ist sni);
 int ssl_sock_prep_ctx_and_inst(struct bind_conf *bind_conf, struct ssl_bind_conf *ssl_conf,
                                SSL_CTX *ctx, struct ckch_inst *ckch_inst, char **err);
 int ssl_sock_prep_srv_ctx_and_inst(const struct server *srv, SSL_CTX *ctx,
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 3fe42d3f6..1731b9635 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -108,6 +108,7 @@ int nb_engines = 0;
 
 static struct eb_root cert_issuer_tree = EB_ROOT; /* issuers tree from "issuers-chain-path" */
 
+static uint64_t sni_hash_seed = 0; /* Seed used to compute hash of SNIs */
 
 struct global_ssl global_ssl = {
 #ifdef LISTEN_DEFAULT_CIPHERS
@@ -610,7 +611,11 @@ static int ssl_locking_init(void)
 
 __decl_thread(HA_SPINLOCK_T ckch_lock);
 
-
+/* Returns the hash corresponding to */
+uint64_t ssl_sock_sni_hash(const struct ist sni)
+{
+	return XXH3(istptr(sni), istlen(sni), sni_hash_seed);
+}
 
 /* mimic what X509_STORE_load_locations do with store_ctx */
 static int ssl_set_cert_crl_file(X509_STORE *store_ctx, char *path)
@@ -8481,6 +8486,8 @@ static void __ssl_sock_init(void)
 	HA_SPIN_INIT(&ocsp_tree_lock);
 #endif
 
+	sni_hash_seed = ha_random64();
+
 	/* Try to register dedicated SSL/TLS protocol message callbacks for
 	 * heartbleed attack (CVE-2014-0160) and clienthello.
 	 */
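Review bot: The header comment on the new ssl_sock_sni_hash() is truncated (`/* Returns the hash corresponding to */`) and says nothing about the seed, so the function's contract is undocumented; I would replace it with `/* Returns the XXH3 hash of the SNI <sni>, seeded with sni_hash_seed, which is randomized once per process in __ssl_sock_init(). The value is not stable across processes or reloads and must not be persisted or shared. */`. Randomizing the seed is the right choice for a hash computed over client-controlled SNI values, since it denies a fixed XXH3 seed that colliding names could be prepared against. One ordering caveat: sni_hash_seed is only assigned in __ssl_sock_init() (last hunk), so any call to ssl_sock_sni_hash() made before that initcall runs would hash with the static default seed 0 and never match values computed afterwards; the callers are not part of this diff, so this is worth confirming, or stating in the function comment.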