From: Remi Tricot-Le Breton
Date: Tue, 28 Feb 2023 16:46:20 +0000 (+0100)
Subject: MINOR: ssl: Add ocsp update success/failure counters
X-Git-Tag: v2.8-dev5~61
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9e94df3e5532120538f77cf628feb0e559f1744b;p=thirdparty%2Fhaproxy.git
MINOR: ssl: Add ocsp update success/failure counters
Those counters will be used for debugging purposes and will be dumped via a cli command.
---
diff --git a/include/haproxy/ssl_ocsp-t.h b/include/haproxy/ssl_ocsp-t.h
index e591b499b4..0cb5b244a9 100644
--- a/include/haproxy/ssl_ocsp-t.h
+++ b/include/haproxy/ssl_ocsp-t.h
@@ -49,6 +49,11 @@ struct certificate_ocsp {
 STACK_OF(X509) *chain;
 struct eb64_node next_update; /* Key of items inserted in ocsp_update_tree (sorted by absolute date) */
 struct buffer *uri; /* First OCSP URI contained in the corresponding certificate */
+
+ /* OCSP update stats */
+ u64 last_update; /* Time of last successful update */
+ unsigned int num_success; /* Number of successful updates */
+ unsigned int num_failure; /* Number of failed updates */
 };
 struct ocsp_cbk_arg {
diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index f23531aa7e..d29baf1881 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -1043,6 +1043,9 @@ static struct task *ssl_ocsp_update_responses(struct task *task, void *context,
 ctx->flags &= ~HC_F_RES_END;
+ ++ocsp->num_success;
+ ocsp->last_update = now.tv_sec;
+
 /* Reinsert the entry into the update list so that it can be updated later */
 ssl_ocsp_update_insert(ocsp);
 /* Release the reference kept on the updated ocsp response. */
@@ -1150,6 +1153,7 @@ static struct task *ssl_ocsp_update_responses(struct task *task, void *context,
 leave:
 if (ctx->cur_ocsp) {
 /* Something went wrong, reinsert the entry in the tree. */
+ ++ctx->cur_ocsp->num_failure;
 ssl_ocsp_update_insert_after_error(ctx->cur_ocsp);
 /* Release the reference kept on the updated ocsp response. */
 ssl_sock_free_ocsp(ctx->cur_ocsp); 
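Review bot: The comment on the new `last_update` field does not say which unit or clock it holds, while the src/ssl_ocsp.c hunk of this same commit stores `now.tv_sec` into it; the header should state that, e.g. `u64 last_update; /* Date of last successful update, in seconds (now.tv_sec); 0 until the first success */`. The "0 until the first success" part only holds if the allocation site of struct certificate_ocsp zero-initializes the structure — that site is outside this diff, so confirm it (or reset the three fields explicitly where the entry is created) before the CLI dump relies on it. The two counters are plain `unsigned int` and will silently wrap after 2^32 updates, which is acceptable for debugging counters but worth a word in the comment. The struct definition starts before this hunk.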
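Review bot: `++ocsp->num_success` and the `last_update` store are plain, non-atomic writes, while the commit message says these values will be read by a CLI command, which presumably runs on whichever thread serves the CLI socket rather than the update task's thread; on 32-bit builds the 64-bit store can also be torn. Either use the project's atomic helpers here (`HA_ATOMIC_INC(&ocsp->num_success);` and `HA_ATOMIC_STORE(&ocsp->last_update, now.tv_sec);`) or make sure the dump takes the same lock that already protects the entry. Separately, if `now` is HAProxy's internal monotonic-corrected clock rather than the wall-clock `date`, the timestamp shown on the CLI may drift from real time — confirm which one the dump is meant to display. The function ssl_ocsp_update_responses starts and ends outside this hunk.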
@@ -1170,8 +1174,10 @@ wait:
 http_error:
 /* Reinsert certificate into update list so that it can be updated later */
- if (ocsp)
+ if (ocsp) {
+ ++ocsp->num_failure;
 ssl_ocsp_update_insert_after_error(ocsp);
+ }
 if (hc)
 httpclient_stop_and_destroy(hc); 
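Review bot: The `http_error` path now counts a failure on `ocsp` while the `leave` path of the same function (previous hunk) counts one on `ctx->cur_ocsp`; if those can name the same entry and one path flows into the other, a single failed fetch is counted twice. The function body lies outside this hunk, so I cannot confirm the two paths are exclusive; if they are, a one-line comment above the increment stating which path owns the accounting (e.g. `/* Counted here; the 'leave' path handles ctx->cur_ocsp separately. */`) would keep a later change from double counting. The braces added around the two statements under `if (ocsp)` are the right call. The function starts before this hunk.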