This is an automated email from the ASF dual-hosted git repository.

ezelkow1 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new 82c4de1609 Throttle OCSP cert-status error instead of logging on every 
handshake (#13312)
82c4de1609 is described below

commit 82c4de1609a7f25a4e9fbd71e5a7d07b24495ea7
Author: Evan Zelkowitz <[email protected]>
AuthorDate: Wed Jul 1 15:26:43 2026 -0600

    Throttle OCSP cert-status error instead of logging on every handshake 
(#13312)
    
    ssl_callback_ocsp_stapling() emitted an Error on every TLS handshake when
    a cert's OCSP response was missing or expired, which could flood error.log.
    Use SiteThrottledError so ops are still alerted at Error severity but the
    message is rate-limited per call site (default 60s) with a suppressed-count.
    
    Co-authored-by: Evan Zelkowitz <[email protected]>
---
 src/iocore/net/OCSPStapling.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/iocore/net/OCSPStapling.cc b/src/iocore/net/OCSPStapling.cc
index 948bb4f834..9a0592f49b 100644
--- a/src/iocore/net/OCSPStapling.cc
+++ b/src/iocore/net/OCSPStapling.cc
@@ -1426,7 +1426,7 @@ ssl_callback_ocsp_stapling(SSL *ssl, void *)
   time_t current_time = time(nullptr);
   if ((cinf->resp_derlen == 0 || cinf->is_expire) || (cinf->expire_time < 
current_time && !cinf->is_prefetched)) {
     ink_mutex_release(&cinf->stapling_mutex);
-    Error("ssl_callback_ocsp_stapling: failed to get certificate status for 
%s", cinf->certname);
+    SiteThrottledError("ssl_callback_ocsp_stapling: failed to get certificate 
status for %s", cinf->certname);
     return SSL_TLSEXT_ERR_NOACK;
   } else {
 #ifdef OPENSSL_IS_BORINGSSL

Reply via email to