Posted to commits@trafficserver.apache.org by zw...@apache.org on 2020/09/15 16:56:35 UTC

[trafficserver] branch 9.0.x updated: Emits log when OCSP fails to connect to server (#7183)

This is an automated email from the ASF dual-hosted git repository.

zwoop pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new adf7331  Emits log when OCSP fails to connect to server (#7183)
adf7331 is described below

commit adf73316881e91883b247d122cf02550c72d8c1a
Author: Randall Meyer <rr...@apache.org>
AuthorDate: Mon Sep 14 10:00:08 2020 -0700

    Emits log when OCSP fails to connect to server (#7183)
    
    This also adds a pair of log messages for the initial OCSP update.
    ATS doesn't respond until this is complete, so these messages may give
    operators an understanding of where it is during load.
    
    Fixes issue #6801
    
    (cherry picked from commit b353df22e09ffaecac1fd561a598cf8c13437f62)
---
 iocore/net/OCSPStapling.cc    | 25 ++++++++++++++-----------
 iocore/net/SSLNetProcessor.cc |  3 +++
 2 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/iocore/net/OCSPStapling.cc b/iocore/net/OCSPStapling.cc
index d39bf6b..7c39d2b 100644
--- a/iocore/net/OCSPStapling.cc
+++ b/iocore/net/OCSPStapling.cc
@@ -374,10 +374,12 @@ query_responder(BIO *b, char *host, char *path, OCSP_REQUEST *req, int req_timeo
 
   OCSP_REQ_CTX_free(ctx);
 
-  if (rv) {
+  if (rv == 1) {
     return resp;
   }
 
+  Error("failed to connect to OCSP server; host=%s path=%s", host, path);
+
   return nullptr;
 }
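Review bot: The new Error text "failed to connect to OCSP server" is misleading here, because by the time query_responder runs the BIO has already been connected in process_responder (the next hunk, where the real BIO_do_connect failure is left at Debug level, so the connect failure the commit title promises to surface is still only visible with ssl_ocsp debugging on). With the non-blocking BIO a final rv of -1 means OCSP_sendreq_nbio was still asking to retry when the caller gave up, i.e. a request timeout, and rv of 0 means the exchange itself failed; the message should say that and carry the code, e.g. `Error("OCSP request to responder failed or timed out; host=%s path=%s rv=%d", host, path, rv);`, with the Debug in process_responder raised to the same level. Note also that this now logs at Error on every refresh of every affected certificate, so a responder that is down for a long time will repeat the line each ssl_ocsp_update_period; whether that is acceptable depends on how Error is throttled, which is not visible here. query_responder's body starts outside the hunk.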
 
@@ -396,7 +398,7 @@ process_responder(OCSP_REQUEST *req, char *host, char *path, char *port, int req
 
   BIO_set_nbio(cbio, 1);
   if (BIO_do_connect(cbio) <= 0 && !BIO_should_retry(cbio)) {
-    Debug("ssl_ocsp", "process_responder: failed to connect to OCSP response server. host=%s port=%s path=%s", host, port, path);
+    Debug("ssl_ocsp", "process_responder: failed to connect to OCSP server; host=%s port=%s path=%s", host, port, path);
     goto end;
   }
   resp = query_responder(cbio, host, path, req, req_timeout);
@@ -415,16 +417,18 @@ stapling_refresh_response(certinfo *cinf, OCSP_RESPONSE **prsp)
   OCSP_REQUEST *req = nullptr;
   OCSP_CERTID *id   = nullptr;
   char *host = nullptr, *port = nullptr, *path = nullptr;
-  int ssl_flag    = 0;
-  int req_timeout = -1;
+  int ssl_flag        = 0;
+  int response_status = 0;
 
-  Debug("ssl_ocsp", "stapling_refresh_response: querying responder");
   *prsp = nullptr;
 
   if (!OCSP_parse_url(cinf->uri, &host, &port, &path, &ssl_flag)) {
+    Debug("ssl_ocsp", "stapling_refresh_response: OCSP_parse_url failed; uri=%s", cinf->uri);
     goto err;
   }
 
+  Debug("ssl_ocsp", "stapling_refresh_response: querying responder; host=%s port=%s path=%s", host, port, path);
+
   req = OCSP_REQUEST_new();
   if (!req) {
     goto err;
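Review bot: The added OCSP_parse_url failure message is Debug-only, yet an unparsable AIA URI means stapling for that certificate silently never works and the `goto err` path produces nothing an operator sees without ssl_ocsp debugging; this is a configuration error and belongs at the same level as the other failures the commit promotes, `Error("stapling_refresh_response: OCSP_parse_url failed; uri=%s", cinf->uri);`. The relocated "querying responder" Debug correctly runs only after a successful parse, so host/port/path are populated when it is formatted. `response_status` introduced here is only consumed in the following hunk; initializing it to 0 is fine but a short comment such as `// OCSP_RESPONSE_STATUS_* from the responder, logged on failure` would help, since the later Error prints it as a bare integer.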
@@ -437,19 +441,18 @@ stapling_refresh_response(certinfo *cinf, OCSP_RESPONSE **prsp)
     goto err;
   }
 
-  req_timeout = SSLConfigParams::ssl_ocsp_request_timeout;
-  *prsp       = process_responder(req, host, path, port, req_timeout);
-
+  *prsp = process_responder(req, host, path, port, SSLConfigParams::ssl_ocsp_request_timeout);
   if (*prsp == nullptr) {
     goto done;
   }
 
-  if (OCSP_response_status(*prsp) == OCSP_RESPONSE_STATUS_SUCCESSFUL) {
+  response_status = OCSP_response_status(*prsp);
+  if (response_status == OCSP_RESPONSE_STATUS_SUCCESSFUL) {
     Debug("ssl_ocsp", "stapling_refresh_response: query response received");
     stapling_check_response(cinf, *prsp);
   } else {
-    // TODO: We should log the actual openssl error
-    Error("stapling_refresh_response: responder error");
+    Error("stapling_refresh_response: responder response error; host=%s port=%s path=%s response_status=%d", host, port, path,
+          response_status);
   }
 
   if (!stapling_cache_response(*prsp, cinf)) {
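Review bot: `response_status=%d` prints an opaque integer; OpenSSL already provides `OCSP_response_status_str()` for exactly these values, so the line could read `Error("stapling_refresh_response: responder response error; host=%s port=%s path=%s response_status=%s(%d)", host, port, path, OCSP_response_status_str(response_status), response_status);` and an operator would see e.g. tryLater or unauthorized directly. The removed TODO asked for the OpenSSL error to be logged; what is logged now is the responder's own status verdict, not a library error, which is the more useful value here but worth stating in the commit or a comment so the TODO is not reopened. On the non-successful branch execution still falls through to stapling_cache_response on the next line; that is pre-existing and unchanged by this commit, but worth confirming that the cache path rejects non-successful responses.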
diff --git a/iocore/net/SSLNetProcessor.cc b/iocore/net/SSLNetProcessor.cc
index fd85508..0707cc3 100644
--- a/iocore/net/SSLNetProcessor.cc
+++ b/iocore/net/SSLNetProcessor.cc
@@ -78,7 +78,10 @@ SSLNetProcessor::start(int, size_t stacksize)
 #if TS_USE_TLS_OCSP
   if (SSLConfigParams::ssl_ocsp_enabled) {
     // Call the update initially to get things populated
+    Note("Initial OCSP refresh started");
     ocsp_update();
+    Note("Initial OCSP refresh finished");
+
     EventType ET_OCSP = eventProcessor.spawn_event_threads("ET_OCSP", 1, stacksize);
     eventProcessor.schedule_every(new OCSPContinuation(), HRTIME_SECONDS(SSLConfigParams::ssl_ocsp_update_period), ET_OCSP);
   }
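Review bot: "Initial OCSP refresh finished" is emitted unconditionally after `ocsp_update()`, so it reads as success even when every responder query failed; unless ocsp_update reports an outcome (its signature is not visible here), the wording should be neutral, e.g. `Note("Initial OCSP refresh finished (see preceding errors for failed responders)");`. Since the stated purpose is to show operators where startup time goes, and this call blocks SSLNetProcessor::start on network round-trips, the elapsed time is the value they actually need; a steady_clock measurement around the call adds a few lines and needs `<chrono>` in this file's includes. The blank line added after the second Note is harmless style noise.
```cpp
    // Call the update initially to get things populated
    Note("Initial OCSP refresh started");
    const auto ocsp_start = std::chrono::steady_clock::now();
    ocsp_update();
    const auto ocsp_ms =
      std::chrono::duration_cast<std::chrono::milliseconds>(std::chrono::steady_clock::now() - ocsp_start).count();
    Note("Initial OCSP refresh finished in %lld ms", static_cast<long long>(ocsp_ms));
    // … unchanged: ET_OCSP thread spawn and schedule_every …
```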