This is an automated email from the ASF dual-hosted git repository.
ezelkow1 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 82c4de1609 Throttle OCSP cert-status error instead of logging on every
handshake (#13312)
82c4de1609 is described below
commit 82c4de1609a7f25a4e9fbd71e5a7d07b24495ea7
Author: Evan Zelkowitz <[email protected]>
AuthorDate: Wed Jul 1 15:26:43 2026 -0600
Throttle OCSP cert-status error instead of logging on every handshake
(#13312)
ssl_callback_ocsp_stapling() emitted an Error on every TLS handshake when
a cert's OCSP response was missing or expired, which could flood error.log.
Use SiteThrottledError so ops are still alerted at Error severity but the
message is rate-limited per call site (default 60s) with a suppressed-count.
Co-authored-by: Evan Zelkowitz <[email protected]>
---
src/iocore/net/OCSPStapling.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/iocore/net/OCSPStapling.cc b/src/iocore/net/OCSPStapling.cc
index 948bb4f834..9a0592f49b 100644
--- a/src/iocore/net/OCSPStapling.cc
+++ b/src/iocore/net/OCSPStapling.cc
@@ -1426,7 +1426,7 @@ ssl_callback_ocsp_stapling(SSL *ssl, void *)
time_t current_time = time(nullptr);
if ((cinf->resp_derlen == 0 || cinf->is_expire) || (cinf->expire_time <
current_time && !cinf->is_prefetched)) {
ink_mutex_release(&cinf->stapling_mutex);
- Error("ssl_callback_ocsp_stapling: failed to get certificate status for
%s", cinf->certname);
+ SiteThrottledError("ssl_callback_ocsp_stapling: failed to get certificate
status for %s", cinf->certname);
return SSL_TLSEXT_ERR_NOACK;
} else {
#ifdef OPENSSL_IS_BORINGSSL