This is an automated email from the ASF dual-hosted git repository.

cmcfarlen pushed a commit to branch 10.2.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git

commit a63417f33db888e2ee30516c655b392851ee0362
Author: Evan Zelkowitz <[email protected]>
AuthorDate: Wed Jul 1 15:26:43 2026 -0600

    Throttle OCSP cert-status error instead of logging on every handshake 
(#13312)
    
    ssl_callback_ocsp_stapling() emitted an Error on every TLS handshake when
    a cert's OCSP response was missing or expired, which could flood error.log.
    Use SiteThrottledError so ops are still alerted at Error severity but the
    message is rate-limited per call site (default 60s) with a suppressed-count.
    
    Co-authored-by: Evan Zelkowitz <[email protected]>
    (cherry picked from commit 82c4de1609a7f25a4e9fbd71e5a7d07b24495ea7)
---
 src/iocore/net/OCSPStapling.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/iocore/net/OCSPStapling.cc b/src/iocore/net/OCSPStapling.cc
index 342e0dea49..e1c2e4ca3b 100644
--- a/src/iocore/net/OCSPStapling.cc
+++ b/src/iocore/net/OCSPStapling.cc
@@ -1423,7 +1423,7 @@ ssl_callback_ocsp_stapling(SSL *ssl, void *)
   time_t current_time = time(nullptr);
   if ((cinf->resp_derlen == 0 || cinf->is_expire) || (cinf->expire_time < 
current_time && !cinf->is_prefetched)) {
     ink_mutex_release(&cinf->stapling_mutex);
-    Error("ssl_callback_ocsp_stapling: failed to get certificate status for 
%s", cinf->certname);
+    SiteThrottledError("ssl_callback_ocsp_stapling: failed to get certificate 
status for %s", cinf->certname);
     return SSL_TLSEXT_ERR_NOACK;
   } else {
 #ifdef OPENSSL_IS_BORINGSSL

Reply via email to