This is an automated email from the ASF dual-hosted git repository. cmcfarlen pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit e84d148214871afcef91f1d5e462d75251755690
Author: Brian Neradt <[email protected]>
AuthorDate: Fri Apr 11 17:33:14 2025 -0500

OCSP: FetchSM initialization check (#12185)

Delay OCSP fetch until FetchSM is initialized. This avoids noisy OCSP error messages on ATS initialization that result when the FetchSM calls fail each attempted OCSP cert fetch.

Fixes: #9819

(cherry picked from commit 9b571e4e762ad7478b6e4de67ef31bc23052589a)
---
 include/proxy/FetchSM.h | 6 ++++++
 include/proxy/PluginHttpConnect.h | 1 +
 src/iocore/cache/unit_tests/stub.cc | 5 +++++
 src/iocore/net/OCSPStapling.cc | 10 +++++++++-
 src/iocore/net/P_OCSPStapling.h | 7 ++++++-
 src/iocore/net/SSLNetProcessor.cc | 8 +++++---
 src/iocore/net/libinknet_stub.cc | 5 +++++
 src/proxy/FetchSM.cc | 6 ++++++
 src/proxy/PluginHttpConnect.cc | 6 ++++++
 src/traffic_quic/traffic_quic.cc | 5 +++++
 10 files changed, 54 insertions(+), 5 deletions(-)
diff --git a/include/proxy/FetchSM.h b/include/proxy/FetchSM.h
index d59457977f..ef7585bc71 100644
--- a/include/proxy/FetchSM.h
+++ b/include/proxy/FetchSM.h
@@ -38,6 +38,12 @@ class FetchSM : public Continuation
 {
 public:
   FetchSM() {}
+
+  /** Indicate whether FetchSM dependencies have been initialized by ATS.
+   * @return True if FetchSM dependencies have been initialized, false otherwise.
+   */
+  static bool is_initialized();
+
   void
   init_comm()
   {
diff --git a/include/proxy/PluginHttpConnect.h b/include/proxy/PluginHttpConnect.h
index 10b0f2afb4..90c0104a64 100644
--- a/include/proxy/PluginHttpConnect.h
+++ b/include/proxy/PluginHttpConnect.h
@@ -25,4 +25,5 @@
 #include "proxy/PluginVC.h"
+bool PluginHttpConnectIsInitialized();
 PluginVC *PluginHttpConnectInternal(TSHttpConnectOptions *options);
diff --git a/src/iocore/cache/unit_tests/stub.cc b/src/iocore/cache/unit_tests/stub.cc
index 38771f9194..7fb06a10a7 100644
--- a/src/iocore/cache/unit_tests/stub.cc
+++ b/src/iocore/cache/unit_tests/stub.cc
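Review bot: `bool PluginHttpConnectIsInitialized();` is added to the public header without any comment, while the companion `FetchSM::is_initialized()` declaration in the same commit carries a Doxygen block; the two entry points should be documented alike. Suggest placing `/** True once plugin_http_accept has been set up during ATS startup; FetchSM::is_initialized() delegates to this. */` above the declaration, since the FetchSM.cc and PluginHttpConnect.cc hunks of this commit show exactly that relationship.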
@@ -57,6 +57,11 @@ TSIOBufferReaderConsume(TSIOBufferReader /* readerp ATS_UNUSED */, int64_t /* nb
 #include "proxy/FetchSM.h"
 ClassAllocator<FetchSM> FetchSMAllocator("unusedFetchSMAllocator");
+bool
+FetchSM::is_initialized()
+{
+  return true;
+}
 void
 FetchSM::ext_launch()
 {
diff --git a/src/iocore/net/OCSPStapling.cc b/src/iocore/net/OCSPStapling.cc
index a61f82cb13..7946c78129 100644
--- a/src/iocore/net/OCSPStapling.cc
+++ b/src/iocore/net/OCSPStapling.cc
@@ -1284,13 +1284,19 @@ done:
   return rv;
 }
-void
+OCSPStatus
 ocsp_update()
 {
+  if (!FetchSM::is_initialized()) {
+    Dbg(dbg_ctl_ssl_ocsp, "FetchSM is not yet initialized. Skipping OCSP update.");
+    return OCSPStatus::OCSP_FETCHSM_NOT_INITIALIZED;
+  }
   shared_SSL_CTX ctx;
   TS_OCSP_RESPONSE *resp = nullptr;
   time_t current_time;
+  Note("OCSP refresh started");
+
   SSLCertificateConfig::scoped_config certLookup;
   Dbg(dbg_ctl_ssl_ocsp, "updating OCSP data");
@@ -1332,6 +1338,8 @@ ocsp_update()
       }
     }
   }
+  Note("OCSP refresh finished");
+  return OCSPStatus::OCSP_OK;
 }
 // RFC 6066 Section-8: Certificate Status Request
diff --git a/src/iocore/net/P_OCSPStapling.h b/src/iocore/net/P_OCSPStapling.h
index 9ca65e4578..71bfc792e6 100644
--- a/src/iocore/net/P_OCSPStapling.h
+++ b/src/iocore/net/P_OCSPStapling.h
@@ -25,6 +25,11 @@
 void ssl_stapling_ex_init();
 bool ssl_stapling_init_cert(SSL_CTX *ctx, X509 *cert, const char *certname, const char *rsp_file);
-void ocsp_update();
+
+enum class OCSPStatus {
+  OCSP_OK,
+  OCSP_FETCHSM_NOT_INITIALIZED,
+};
+OCSPStatus ocsp_update();
 int ssl_callback_ocsp_stapling(SSL *, void *);
diff --git a/src/iocore/net/SSLNetProcessor.cc b/src/iocore/net/SSLNetProcessor.cc
index 25521f9abc..530e98926c 100644
--- a/src/iocore/net/SSLNetProcessor.cc
+++ b/src/iocore/net/SSLNetProcessor.cc
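Review bot: `return OCSPStatus::OCSP_OK;` at the end of ocsp_update is reached regardless of whether any certificate's OCSP response was actually refreshed, because the only other status the function can produce is the not-initialized guard added at the top; a caller therefore cannot distinguish a refresh that failed from one that succeeded. The per-certificate fetch and its error paths lie between the two hunks and are not visible here, so this may be intentional, but it should then be stated: `// OCSP_OK means the refresh was attempted for every certificate, not that every fetch succeeded.` on the return, or alternatively a third enumerator such as a generic failure status for callers that want to react. Note also that "OCSP refresh started"/"finished" now print at Note level on every invocation of ocsp_update, not just from OCSPContinuation, which is fine as long as no other caller invokes it on a tight schedule.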
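Review bot: `OCSPStatus ocsp_update();` turns a void function into one whose return value now drives the retry in OCSPContinuation::mainEvent, yet nothing stops a caller from discarding it; declaring it `[[nodiscard]] OCSPStatus ocsp_update();` makes the compiler flag any call site outside this diff that still treats it as void and would silently skip the retry. The enumerators also repeat the `OCSP_` prefix that the scoped enum already supplies (`OCSPStatus::OCSP_OK`); `OK` and `FETCHSM_NOT_INITIALIZED` read cleaner, and a one-line comment on the enum stating what `OCSP_OK` guarantees would help readers of the header.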
@@ -38,9 +38,11 @@ struct OCSPContinuation : public Continuation
 {
   int
   mainEvent(int /* event ATS_UNUSED */, Event * /* e ATS_UNUSED */)
   {
-    Note("OCSP refresh started");
-    ocsp_update();
-    Note("OCSP refresh finished");
+    if (ocsp_update() == OCSPStatus::OCSP_FETCHSM_NOT_INITIALIZED) {
+      Note("Delaying OCSP fetching until FetchSM is initialized.");
+      this_ethread()->schedule_in(this, HRTIME_SECONDS(1));
+      return EVENT_CONT;
+    }
     return EVENT_CONT;
   }
diff --git a/src/iocore/net/libinknet_stub.cc b/src/iocore/net/libinknet_stub.cc
index 3b7f601f6f..9d1c8b6441 100644
--- a/src/iocore/net/libinknet_stub.cc
+++ b/src/iocore/net/libinknet_stub.cc
@@ -27,6 +27,11 @@ AppVersionInfo appVersionInfo;
 #include "proxy/FetchSM.h"
 ClassAllocator<FetchSM> FetchSMAllocator("unusedFetchSMAllocator");
+bool
+FetchSM::is_initialized()
+{
+  return true;
+}
 void
 FetchSM::ext_launch()
 {
diff --git a/src/proxy/FetchSM.cc b/src/proxy/FetchSM.cc
index 8e0a364453..6a4c6e9935 100644
--- a/src/proxy/FetchSM.cc
+++ b/src/proxy/FetchSM.cc
@@ -40,6 +40,12 @@ DbgCtl dbg_ctl{DEBUG_TAG};
 } // end anonymous namespace
+bool
+FetchSM::is_initialized()
+{
+  return PluginHttpConnectIsInitialized();
+}
+
 void
 FetchSM::cleanUp()
 {
diff --git a/src/proxy/PluginHttpConnect.cc b/src/proxy/PluginHttpConnect.cc
index 9e8ea31697..2869d78c11 100644
--- a/src/proxy/PluginHttpConnect.cc
+++ b/src/proxy/PluginHttpConnect.cc
@@ -26,6 +26,12 @@
 extern HttpSessionAccept *plugin_http_accept;
+bool
+PluginHttpConnectIsInitialized()
+{
+  return plugin_http_accept != nullptr;
+}
+
 PluginVC *
 PluginHttpConnectInternal(TSHttpConnectOptions *options)
 {
diff --git a/src/traffic_quic/traffic_quic.cc b/src/traffic_quic/traffic_quic.cc
index 069a231cc3..0624828e14 100644
--- a/src/traffic_quic/traffic_quic.cc
+++ b/src/traffic_quic/traffic_quic.cc
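Review bot: The `return EVENT_CONT;` inside the new `if` duplicates the one that immediately follows it, so the branch can schedule the retry and fall through. More importantly the retry is unbounded and logs at Note level on every attempt: if plugin_http_accept is never assigned in some process configuration (I cannot tell from this diff whether that can happen), mainEvent reschedules itself every second indefinitely and the log noise this commit sets out to remove returns in a different form; consider logging the delay once (Note on the first attempt, Dbg afterwards) or capping the number of retries and reporting a single Warning when the cap is hit. If OCSPContinuation is also driven by a periodic schedule outside this hunk, each periodic firing during the not-initialized window starts an additional one-second retry chain, so it is worth confirming that only one retry is ever in flight. The OCSPContinuation definition continues outside the hunk.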
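Review bot: `return plugin_http_accept != nullptr;` reads a plain global pointer that is presumably assigned once during startup, while this function is now polled via FetchSM::is_initialized() from the thread running OCSPContinuation; without an atomic or some other happens-before edge that cross-thread read is a data race under the C++ memory model, even if a single pointer load is benign on common targets. If the assignment is guaranteed to happen before the event threads that run ocsp_update are started, say so in a comment, e.g. `// plugin_http_accept is published during startup and never reset; a racy read here can only delay detection of initialization`; otherwise a `std::atomic<bool>` set after plugin_http_accept is assigned would make the publication explicit. The function also lacks a doc comment, unlike the FetchSM::is_initialized() wrapper added in the FetchSM.h hunk.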
@@ -347,6 +347,11 @@ PreWarmManager prewarmManager;
 #include "proxy/FetchSM.h"
 ClassAllocator<FetchSM> FetchSMAllocator("unusedFetchSMAllocator");
+bool
+FetchSM::is_initialized()
+{
+  return true;
+}
 void
 FetchSM::ext_launch()
 {
