maskit commented on code in PR #9674:
URL: https://github.com/apache/trafficserver/pull/9674#discussion_r1183854725
##########
iocore/net/OCSPStapling.cc:
##########
@@ -957,8 +957,10 @@ stapling_check_response(certinfo *cinf, TS_OCSP_RESPONSE
*rsp)
if (!TS_OCSP_resp_find_status(bs, cinf->cid, &status, &reason, &rev,
&thisupd, &nextupd)) {
// If ID not present just pass it back to client
Error("stapling_check_response: certificate ID not present in response for
%s", cinf->certname);
- } else {
- TS_OCSP_check_validity(thisupd, nextupd, 300, -1);
+ }
+ if (!TS_OCSP_check_validity(thisupd, nextupd, 300, -1)) {
+ // The check is just for logging and pass the response back to client
anyway
+ Error("stapling_check_response: status in response for %s is not valid
already/yet", cinf->certname);
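Review bot: With the `else` removed, the `TS_OCSP_check_validity(thisupd, nextupd, 300, -1)` call at the end of the hunk also runs on the path where `TS_OCSP_resp_find_status` failed, so `thisupd` and `nextupd` may not have been filled in from the response (their initialisation is not visible in these lines). That path would then either read unset values or log a second, misleading "not valid already/yet" error on top of "certificate ID not present". Consider `} else if (!TS_OCSP_check_validity(thisupd, nextupd, 300, -1)) {` so the validity check only runs when the status lookup succeeded. The new code comment would also be clearer if it said that the response is still stapled, and the log text reads more naturally as "is not yet valid or has expired".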
Review Comment:
To the client? Client should check the stapled response and get the same
error (and it's up to the client whether they ignore the error).