author | Remi Tricot-Le Breton <rlebreton@haproxy.com> | 2023-02-28 17:46:20 +0100 |
---|---|---|
committer | William Lallemand <wlallemand@haproxy.org> | 2023-03-02 15:37:11 +0100 |
commit | 9e94df3e5532120538f77cf628feb0e559f1744b (patch) | |
tree | f34e3a9e716c8df93c28381d179718657aa3e282 | |
parent | 6de7b78c9f92b3bac00e8fc678077aa6aa440876 (diff) | |
download | haproxy-9e94df3e5532120538f77cf628feb0e559f1744b.tar.gz |
MINOR: ssl: Add ocsp update success/failure counters
Those counters will be used for debugging purposes and will be dumped
via a cli command.
-rw-r--r-- | include/haproxy/ssl_ocsp-t.h | 5 | ||||
-rw-r--r-- | src/ssl_ocsp.c | 8 |
2 files changed, 12 insertions, 1 deletions
diff --git a/include/haproxy/ssl_ocsp-t.h b/include/haproxy/ssl_ocsp-t.h
index e591b499b..0cb5b244a 100644
--- a/include/haproxy/ssl_ocsp-t.h
+++ b/include/haproxy/ssl_ocsp-t.h
@@ -49,6 +49,11 @@ struct certificate_ocsp {
 STACK_OF(X509) *chain;
 struct eb64_node next_update; /* Key of items inserted in ocsp_update_tree (sorted by absolute date) */
 struct buffer *uri; /* First OCSP URI contained in the corresponding certificate */
+
+ /* OCSP update stats */
+ u64 last_update; /* Time of last successful update */
+ unsigned int num_success; /* Number of successful updates */
+ unsigned int num_failure; /* Number of failed updates */
 };
 struct ocsp_cbk_arg {
diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index f23531aa7..d29baf188 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -1043,6 +1043,9 @@ static struct task *ssl_ocsp_update_responses(struct task *task, void *context,
 ctx->flags &= ~HC_F_RES_END;
+ ++ocsp->num_success;
+ ocsp->last_update = now.tv_sec;
+
 /* Reinsert the entry into the update list so that it can be updated later */
 ssl_ocsp_update_insert(ocsp);
 /* Release the reference kept on the updated ocsp response. */
@@ -1150,6 +1153,7 @@ static struct task *ssl_ocsp_update_responses(struct task *task, void *context,
 leave:
 if (ctx->cur_ocsp) {
 /* Something went wrong, reinsert the entry in the tree. */
+ ++ctx->cur_ocsp->num_failure;
 ssl_ocsp_update_insert_after_error(ctx->cur_ocsp);
 /* Release the reference kept on the updated ocsp response. */
 ssl_sock_free_ocsp(ctx->cur_ocsp);
@@ -1170,8 +1174,10 @@ wait:
 http_error:
 /* Reinsert certificate into update list so that it can be updated later */
- if (ocsp)
+ if (ocsp) {
+ ++ocsp->num_failure;
 ssl_ocsp_update_insert_after_error(ocsp);
+ }
 if (hc)
 httpclient_stop_and_destroy(hc); |
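Review bot: The comment on `last_update` in struct certificate_ocsp gives neither the unit nor the clock the value comes from, and the comments on the two counters do not say that they are cumulative and wrap silently. Since src/ssl_ocsp.c fills the field from `now.tv_sec`, I would write `u64 last_update; /* Time of last successful update, in seconds (from now.tv_sec) */` and add "cumulative, wraps at UINT_MAX" to the `num_success` and `num_failure` comments. It would also help to say whether 0 means "never updated"; that holds only if the structure is zero-initialised at allocation, which this hunk does not show.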
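Review bot: `ocsp->last_update = now.tv_sec;` takes its timestamp from `now`, which, as I understand HAProxy's clock code, is the internal monotonic date rather than the wall clock. The value dumped on the CLI may therefore not match real time, and an operator judging how stale a stapled OCSP response is will compare it with wall-clock dates. If wall-clock time is what is meant, `ocsp->last_update = date.tv_sec;` looks like the better source; please confirm against the clock definitions at this revision. The enclosing function ssl_ocsp_update_responses starts and ends outside the hunk.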
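Review bot: The failure counter is incremented by hand in two places, `++ctx->cur_ocsp->num_failure;` under `leave:` in this hunk and `++ocsp->num_failure;` under `http_error:` in the last hunk, each directly before ssl_ocsp_update_insert_after_error(). If that helper is only called on failure paths, moving the increment into it would keep the counter and the error reinsertion in step and make the added braces in the last hunk unnecessary. The function body continues outside both hunks, so they do not show whether one failed attempt can pass through both labels. It is worth checking that a single failure is not counted twice.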