MEDIUM: ssl: Change output of ocsp-update log

Since commit "BUG/MEDIUM: ssl: Fix crash in ocsp-update log function",
some information from the log line is "faked" because it can't be
actually retrieved anymore (or never could). We should then remove it
from the log line altogether instead of providing some useless fields.

We then only keep pure OCSP-update information in the log line:
"<certname> <status> <status str> <fail count> <success count>"
Remi Tricot-Le Breton 2024-03-20 14:13:36 +01:00 committed by William Lallemand
parent d4e3be18df
commit d4eeaa4003
2 changed files with 9 additions and 17 deletions


@ -16074,8 +16074,8 @@ ocsp-update [ off | on ] (crt-list only)
Whenever an OCSP response is updated by the auto update task or following a
call to the "update ssl ocsp-response" CLI command, a dedicated log line is
emitted. It follows a dedicated log-format that contains the following header
"%ci:%cp [%tr] %ft" and is followed by specific OCSP-related information:
emitted. It follows a dedicated format that contains the following header
"<OCSP-UPDATE>" and is followed by specific OCSP-related information:
- the path of the corresponding frontend certificate
- a numerical update status
- a textual update status
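Review bot: the replacement text states the header is the literal "<OCSP-UPDATE>", whereas the code hunk in this commit formats the first field from httpclient_ocsp_update_px->id (see the "<proxy_name> <ssl_ocsp_certname> ..." comment in ssl_ocsp.c); say in the doc that the header is the name of the dedicated OCSP update httpclient proxy, currently "<OCSP-UPDATE>", so the documentation cannot silently drift from the code if that proxy id is ever renamed. The commit message's summary "<certname> <status> <status str> <fail count> <success count>" also omits this leading field and should list it.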
@ -16095,11 +16095,11 @@ ocsp-update [ off | on ] (crt-list only)
Here are two examples of such log lines, with a successful OCSP update log
line first and then an example of an HTTP error with the two different lines
(lines were spit and the URL was shortened for readability):
<134>Mar 6 11:16:53 haproxy[14872]: -:- [06/Mar/2023:11:16:52.808] \
<OCSP-UPDATE> /path_to_cert/foo.pem 1 "Update successful" 0 1
<134>Mar 6 11:16:53 haproxy[14872]: <OCSP-UPDATE> /path_to_cert/foo.pem 1 \
"Update successful" 0 1
<134>Mar 6 11:18:55 haproxy[14872]: -:- [06/Mar/2023:11:18:54.207] \
<OCSP-UPDATE> /path_to_cert/bar.pem 2 "HTTP error" 1 0
<134>Mar 6 11:18:55 haproxy[14872]: <OCSP-UPDATE> /path_to_cert/bar.pem 2 \
"HTTP error" 1 0
<134>Mar 6 11:18:55 haproxy[14872]: -:- [06/Mar/2023:11:18:52.200] \
<OCSP-UPDATE> -/- 2/0/-1/-1/3009 503 217 - - SC-- 0/0/0/0/3 0/0 {} \
"GET http://127.0.0.1:12345/MEMwQT HTTP/1.1"
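Review bot: the unchanged introductory sentence "an example of an HTTP error with the two different lines" still promises two lines for the HTTP error case, but this hunk removes the second one (the httpclient request line ending in "GET http://127.0.0.1:12345/MEMwQT HTTP/1.1"), so the sentence should now say that a single <OCSP-UPDATE> line is emitted for an HTTP error; while touching it, fix the typo "lines were spit" to "lines were split".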


@ -1110,10 +1110,8 @@ void ocsp_update_response_end_cb(struct httpclient *hc)
/*
* Send a log line that will mimic this previously used logformat :
* char ocspupdate_log_format[] = "%ci:%cp [%tr] %ft %[ssl_ocsp_certname] \
* %[ssl_ocsp_status] %{+Q}[ssl_ocsp_status_str] %[ssl_ocsp_fail_cnt] \
* %[ssl_ocsp_success_cnt]";
* Send a log line that will contain only OCSP update related information:
* "<proxy_name> <ssl_ocsp_certname> <ocsp_status> \"<ocsp_status_str>\" <ocsp_fail_cnt> <ocsp_success_cnt>"
* We can't use the regular sess_log function because we don't have any control
* over the stream and session used by the httpclient which might not exist
* anymore by the time we call this function.
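Review bot: the placeholder names in the new comment mix conventions: "<ssl_ocsp_certname>" is the sample-fetch name while "<ocsp_status>", "<ocsp_status_str>", "<ocsp_fail_cnt>" and "<ocsp_success_cnt>" are bare field names; use one convention for all five, ideally the same wording as the bullet list in the configuration.txt hunk of this commit, so that a reader can map the comment, the doc and the send_log() format string onto each other.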
@ -1123,8 +1121,6 @@ static void ssl_ocsp_send_log()
int status_str_len = 0;
char *status_str = NULL;
struct certificate_ocsp *ocsp = ssl_ocsp_task_ctx.cur_ocsp;
struct tm tm;
char timebuf[25];
if (!httpclient_ocsp_update_px)
return;
@ -1134,11 +1130,7 @@ static void ssl_ocsp_send_log()
status_str = istptr(ocsp_update_errors[ssl_ocsp_task_ctx.update_status]);
}
get_localtime(date.tv_sec, &tm);
date2str_log(timebuf, &tm, &date, 25);
send_log(httpclient_ocsp_update_px, LOG_INFO, "-:- [%s] %s %s %u \"%.*s\" %u %u",
timebuf,
send_log(httpclient_ocsp_update_px, LOG_INFO, "%s %s %u \"%.*s\" %u %u",
httpclient_ocsp_update_px->id,
ocsp->path,
ssl_ocsp_task_ctx.update_status,
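Review bot: the new format string "%s %s %u \"%.*s\" %u %u" separates the proxy id and the certificate path with a bare space while only the status string is quoted; a certificate path containing a space would make the line ambiguous for anything parsing these logs, so consider quoting the path the same way as the status string (%{+Q} in the old logformat did this implicitly for nothing, but the old "%s" did not either, so this is a pre-existing issue worth fixing while the format is being changed). Also, with get_localtime() and date2str_log() no longer called from this function, check whether the corresponding time helpers and includes are still needed elsewhere in this file.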