From 9e94df3e5532120538f77cf628feb0e559f1744b Mon Sep 17 00:00:00 2001
From: Remi Tricot-Le Breton
Date: Tue, 28 Feb 2023 17:46:20 +0100
Subject: [PATCH] MINOR: ssl: Add ocsp update success/failure counters
Those counters will be used for debugging purposes and will be dumped via a cli command.
---
 include/haproxy/ssl_ocsp-t.h | 5 +++++
 src/ssl_ocsp.c | 8 +++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/include/haproxy/ssl_ocsp-t.h b/include/haproxy/ssl_ocsp-t.h
index e591b499b..0cb5b244a 100644
--- a/include/haproxy/ssl_ocsp-t.h
+++ b/include/haproxy/ssl_ocsp-t.h
@@ -49,6 +49,11 @@ struct certificate_ocsp {
 	STACK_OF(X509) *chain;
 	struct eb64_node next_update; /* Key of items inserted in ocsp_update_tree (sorted by absolute date) */
 	struct buffer *uri; /* First OCSP URI contained in the corresponding certificate */
+
+	/* OCSP update stats */
+	u64 last_update; /* Time of last successful update */
+	unsigned int num_success; /* Number of successful updates */
+	unsigned int num_failure; /* Number of failed updates */
 };
 struct ocsp_cbk_arg {
diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index f23531aa7..d29baf188 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -1043,6 +1043,9 @@ static struct task *ssl_ocsp_update_responses(struct task *task, void *context,
 		ctx->flags &= ~HC_F_RES_END;
+		++ocsp->num_success;
+		ocsp->last_update = now.tv_sec;
+
 		/* Reinsert the entry into the update list so that it can be updated later */
 		ssl_ocsp_update_insert(ocsp);
 		/* Release the reference kept on the updated ocsp response. */
@@ -1150,6 +1153,7 @@ static struct task *ssl_ocsp_update_responses(struct task *task, void *context,
 leave:
 	if (ctx->cur_ocsp) {
 		/* Something went wrong, reinsert the entry in the tree. */
+		++ctx->cur_ocsp->num_failure;
 		ssl_ocsp_update_insert_after_error(ctx->cur_ocsp);
 		/* Release the reference kept on the updated ocsp response. */
 		ssl_sock_free_ocsp(ctx->cur_ocsp);
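Review bot: The three new fields added to `struct certificate_ocsp` say what they hold but not who writes and who reads them, and the commit message says they will be dumped by a CLI command, so they will be read from a path other than the update task that does the plain `++` increments in ssl_ocsp.c; unless the CLI dump takes whatever lock protects the update tree, those reads race with the increments. I would record the contract on the struct, replacing `/* OCSP update stats */` with `/* OCSP update stats, written by the update task; readers on other threads must hold the same lock as the update task or use atomic loads */`, and make `/* Time of last successful update */` say which clock it is, e.g. `/* Time of last successful update, seconds, taken from now.tv_sec */`. Both counters are `unsigned int` and only ever incremented, so they wrap silently after 2^32 updates, which is acceptable for a debug statistic but worth one word in the comment. This also assumes the struct is zero-initialised where it is allocated, which this hunk does not show; if it is not, the new fields start with garbage.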
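Review bot: `ocsp->last_update = now.tv_sec;` stamps the success with `now`, and if `now` is the internal corrected time rather than the wall-clock `date` (which this hunk cannot show), a timestamp meant to be displayed on the CLI and compared against thisUpdate/nextUpdate or log lines will drift from what the operator expects; please confirm which base is intended and, if wall-clock is wanted, use `ocsp->last_update = date.tv_sec;`. `++ocsp->num_success;` is a non-atomic read-modify-write on a field the future CLI dump will read, fine if both sides run under the same lock, otherwise the project's atomic increment helper should be used here and on the two `num_failure` increments. ssl_ocsp_update_responses starts before this hunk and continues after it.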
@@ -1170,8 +1174,10 @@ wait:
 http_error:
 	/* Reinsert certificate into update list so that it can be updated later */
-	if (ocsp)
+	if (ocsp) {
+		++ocsp->num_failure;
 		ssl_ocsp_update_insert_after_error(ocsp);
+	}
 	if (hc)
 		httpclient_stop_and_destroy(hc);