This is an automated email from the ASF dual-hosted git repository.
bneradt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 9b571e4e76 OCSP: FetchSM initialization check (#12185)
9b571e4e76 is described below
commit 9b571e4e762ad7478b6e4de67ef31bc23052589a
Author: Brian Neradt <[email protected]>
AuthorDate: Fri Apr 11 17:33:14 2025 -0500
OCSP: FetchSM initialization check (#12185)
Delay OCSP fetch until FetchSM is initialized. This avoids noisy OCSP
error messages on ATS initialization that result when the FetchSM calls
fail each attempted OCSP cert fetch.
Fixes: #9819
---
include/proxy/FetchSM.h | 6 ++++++
include/proxy/PluginHttpConnect.h | 1 +
src/iocore/cache/unit_tests/stub.cc | 5 +++++
src/iocore/net/OCSPStapling.cc | 10 +++++++++-
src/iocore/net/P_OCSPStapling.h | 7 ++++++-
src/iocore/net/SSLNetProcessor.cc | 8 +++++---
src/iocore/net/libinknet_stub.cc | 5 +++++
src/proxy/FetchSM.cc | 6 ++++++
src/proxy/PluginHttpConnect.cc | 6 ++++++
src/traffic_quic/traffic_quic.cc | 5 +++++
10 files changed, 54 insertions(+), 5 deletions(-)
diff --git a/include/proxy/FetchSM.h b/include/proxy/FetchSM.h
index d59457977f..ef7585bc71 100644
--- a/include/proxy/FetchSM.h
+++ b/include/proxy/FetchSM.h
@@ -38,6 +38,12 @@ class FetchSM : public Continuation
{
public:
FetchSM() {}
+
+ /** Indicate whether FetchSM dependencies have been initialized by ATS.
+ * @return True if FetchSM dependencies have been initialized, false
otherwise.
+ */
+ static bool is_initialized();
+
void
init_comm()
{
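Review bot: The new doc comment on `is_initialized()` says "dependencies have been initialized" without saying which dependency, so a caller cannot tell what condition it is actually waiting on. From the rest of the commit the non-stub implementation only reports whether `PluginHttpConnectIsInitialized()` is true, so I would make the comment concrete: `/** Whether the plugin HTTP connect path that FetchSM issues requests through has been set up; until this is true a FetchSM request cannot succeed. */`. Adding `[[nodiscard]]` on the declaration would also stop a caller from silently dropping the result, since the whole point of the check is to gate work on it.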
diff --git a/include/proxy/PluginHttpConnect.h
b/include/proxy/PluginHttpConnect.h
index 10b0f2afb4..90c0104a64 100644
--- a/include/proxy/PluginHttpConnect.h
+++ b/include/proxy/PluginHttpConnect.h
@@ -25,4 +25,5 @@
#include "proxy/PluginVC.h"
+bool PluginHttpConnectIsInitialized();
PluginVC *PluginHttpConnectInternal(TSHttpConnectOptions *options);
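Review bot: The new `PluginHttpConnectIsInitialized()` declaration is added to a public header with no comment, so nothing tells a reader what "initialized" means or who is expected to poll it. I would document it where it is declared: `/** True once plugin_http_accept has been set up; PluginHttpConnectInternal() cannot service a request before this. */`. If the function is meant only for `FetchSM::is_initialized()` it is worth saying so, since a header-level free function invites other callers.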
diff --git a/src/iocore/cache/unit_tests/stub.cc
b/src/iocore/cache/unit_tests/stub.cc
index 38771f9194..7fb06a10a7 100644
--- a/src/iocore/cache/unit_tests/stub.cc
+++ b/src/iocore/cache/unit_tests/stub.cc
@@ -57,6 +57,11 @@ TSIOBufferReaderConsume(TSIOBufferReader /* readerp
ATS_UNUSED */, int64_t /* nb
#include "proxy/FetchSM.h"
ClassAllocator<FetchSM> FetchSMAllocator("unusedFetchSMAllocator");
+bool
+FetchSM::is_initialized()
+{
+ return true;
+}
void
FetchSM::ext_launch()
{
diff --git a/src/iocore/net/OCSPStapling.cc b/src/iocore/net/OCSPStapling.cc
index a61f82cb13..7946c78129 100644
--- a/src/iocore/net/OCSPStapling.cc
+++ b/src/iocore/net/OCSPStapling.cc
@@ -1284,13 +1284,19 @@ done:
return rv;
}
-void
+OCSPStatus
ocsp_update()
{
+ if (!FetchSM::is_initialized()) {
+ Dbg(dbg_ctl_ssl_ocsp, "FetchSM is not yet initialized. Skipping OCSP
update.");
+ return OCSPStatus::OCSP_FETCHSM_NOT_INITIALIZED;
+ }
shared_SSL_CTX ctx;
TS_OCSP_RESPONSE *resp = nullptr;
time_t current_time;
+ Note("OCSP refresh started");
+
SSLCertificateConfig::scoped_config certLookup;
Dbg(dbg_ctl_ssl_ocsp, "updating OCSP data");
@@ -1332,6 +1338,8 @@ ocsp_update()
}
}
}
+ Note("OCSP refresh finished");
+ return OCSPStatus::OCSP_OK;
}
// RFC 6066 Section-8: Certificate Status Request
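Review bot: Every path past the initialization check now ends at `return OCSPStatus::OCSP_OK;`, so a refresh in which every per-certificate fetch failed reports the same status as one that refreshed everything. That may be fine for the single caller this commit touches, which only looks for `OCSP_FETCHSM_NOT_INITIALIZED`, but the enum name suggests a general result and a future caller will read `OCSP_OK` as "stapled responses are current". I would at least document this on the function (`ocsp_update()` returns OCSP_OK whenever it ran, regardless of whether any individual response was refreshed) or, if the loop outside the hunk already tracks per-certificate failures, add a status value that reflects them. The body of `ocsp_update()` between the two hunks is outside my view.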
diff --git a/src/iocore/net/P_OCSPStapling.h b/src/iocore/net/P_OCSPStapling.h
index 9ca65e4578..71bfc792e6 100644
--- a/src/iocore/net/P_OCSPStapling.h
+++ b/src/iocore/net/P_OCSPStapling.h
@@ -25,6 +25,11 @@
void ssl_stapling_ex_init();
bool ssl_stapling_init_cert(SSL_CTX *ctx, X509 *cert, const char *certname,
const char *rsp_file);
-void ocsp_update();
+
+enum class OCSPStatus {
+ OCSP_OK,
+ OCSP_FETCHSM_NOT_INITIALIZED,
+};
+OCSPStatus ocsp_update();
int ssl_callback_ocsp_stapling(SSL *, void *);
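Review bot: `ocsp_update()` now returns a status that the caller must act on to avoid skipping OCSP refresh silently, but nothing prevents a caller from ignoring it; I would declare it `[[nodiscard]] OCSPStatus ocsp_update();` and add a one-line comment on the enum, e.g. `/// Outcome of one ocsp_update() pass; OCSP_FETCHSM_NOT_INITIALIZED means no fetch was attempted and the caller should retry later.`. The `OCSP_` prefix on the enumerators is redundant inside an `enum class` (callers already write `OCSPStatus::`), though renaming them is a style choice rather than a defect.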
diff --git a/src/iocore/net/SSLNetProcessor.cc
b/src/iocore/net/SSLNetProcessor.cc
index 25521f9abc..530e98926c 100644
--- a/src/iocore/net/SSLNetProcessor.cc
+++ b/src/iocore/net/SSLNetProcessor.cc
@@ -38,9 +38,11 @@ struct OCSPContinuation : public Continuation {
int
mainEvent(int /* event ATS_UNUSED */, Event * /* e ATS_UNUSED */)
{
- Note("OCSP refresh started");
- ocsp_update();
- Note("OCSP refresh finished");
+ if (ocsp_update() == OCSPStatus::OCSP_FETCHSM_NOT_INITIALIZED) {
+ Note("Delaying OCSP fetching until FetchSM is initialized.");
+ this_ethread()->schedule_in(this, HRTIME_SECONDS(1));
+ return EVENT_CONT;
+ }
return EVENT_CONT;
}
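Review bot: The retry loop in `mainEvent` is unbounded and emits a `Note` on every one-second attempt, so if `plugin_http_accept` is never set in some configuration the log fills with "Delaying OCSP fetching" lines and, more importantly, OCSP stapling is never refreshed without anything escalating beyond a notice. I would count the retries, log the delay once, and raise a `Warning` periodically so an operator can see that stapled responses are going stale rather than being refreshed. The two `return EVENT_CONT;` statements also collapse into one, since both branches return the same value. Whether the extra one-shot `schedule_in` can overlap with the continuation's regular scheduling depends on how `OCSPContinuation` is scheduled outside this hunk; if it is also on a periodic schedule, a retry and a periodic tick can both land once initialization completes, which is harmless only because `ocsp_update()` is idempotent per run. The enclosing struct continues past the end of the hunk.
```cpp
  int
  mainEvent(int /* event ATS_UNUSED */, Event * /* e ATS_UNUSED */)
  {
    if (ocsp_update() == OCSPStatus::OCSP_FETCHSM_NOT_INITIALIZED) {
      if (_init_retries == 0) {
        Note("Delaying OCSP fetching until FetchSM is initialized.");
      } else if (_init_retries % 60 == 0) {
        // Escalate: stapled responses are not being refreshed while we wait.
        Warning("OCSP refresh still waiting for FetchSM initialization after %d attempts", _init_retries);
      }
      ++_init_retries;
      this_ethread()->schedule_in(this, HRTIME_SECONDS(1));
    }
    return EVENT_CONT;
  }

  // Number of one-second retries spent waiting for FetchSM initialization.
  int _init_retries = 0;
```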
diff --git a/src/iocore/net/libinknet_stub.cc b/src/iocore/net/libinknet_stub.cc
index 3b7f601f6f..9d1c8b6441 100644
--- a/src/iocore/net/libinknet_stub.cc
+++ b/src/iocore/net/libinknet_stub.cc
@@ -27,6 +27,11 @@ AppVersionInfo appVersionInfo;
#include "proxy/FetchSM.h"
ClassAllocator<FetchSM> FetchSMAllocator("unusedFetchSMAllocator");
+bool
+FetchSM::is_initialized()
+{
+ return true;
+}
void
FetchSM::ext_launch()
{
diff --git a/src/proxy/FetchSM.cc b/src/proxy/FetchSM.cc
index 8e0a364453..6a4c6e9935 100644
--- a/src/proxy/FetchSM.cc
+++ b/src/proxy/FetchSM.cc
@@ -40,6 +40,12 @@ DbgCtl dbg_ctl{DEBUG_TAG};
} // end anonymous namespace
+bool
+FetchSM::is_initialized()
+{
+ return PluginHttpConnectIsInitialized();
+}
+
void
FetchSM::cleanUp()
{
diff --git a/src/proxy/PluginHttpConnect.cc b/src/proxy/PluginHttpConnect.cc
index 9e8ea31697..2869d78c11 100644
--- a/src/proxy/PluginHttpConnect.cc
+++ b/src/proxy/PluginHttpConnect.cc
@@ -26,6 +26,12 @@
extern HttpSessionAccept *plugin_http_accept;
+bool
+PluginHttpConnectIsInitialized()
+{
+ return plugin_http_accept != nullptr;
+}
+
PluginVC *
PluginHttpConnectInternal(TSHttpConnectOptions *options)
{
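Review bot: `PluginHttpConnectIsInitialized()` reads the global `plugin_http_accept` with no synchronization, and the new caller polls it from the OCSP continuation on an event thread while the pointer is presumably assigned during startup on another thread. A plain pointer-sized load will usually observe the store eventually, but it is formally a data race and gives no ordering guarantee that whatever `plugin_http_accept` points at is fully constructed when the OCSP fetch proceeds; I would either document the startup ordering this relies on or make the global `std::atomic` with release/acquire semantics. The function also has no comment; a short one such as `// Non-null once the plugin HTTP accept path is set up; FetchSM polls this before issuing requests.` would help.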
diff --git a/src/traffic_quic/traffic_quic.cc b/src/traffic_quic/traffic_quic.cc
index 069a231cc3..0624828e14 100644
--- a/src/traffic_quic/traffic_quic.cc
+++ b/src/traffic_quic/traffic_quic.cc
@@ -347,6 +347,11 @@ PreWarmManager prewarmManager;
#include "proxy/FetchSM.h"
ClassAllocator<FetchSM> FetchSMAllocator("unusedFetchSMAllocator");
+bool
+FetchSM::is_initialized()
+{
+ return true;
+}
void
FetchSM::ext_launch()
{