  1. Traffic Server
  2. TS-3384

Add stats for OCSP Stapling errors

Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 6.0.0
    • Component/s: SSL

    Description

      1. Add stats for bad OCSP response status: revoked or unknown.
        $ traffic_line -m proxy.process.ssl.ssl_ocsp
        proxy.process.ssl.ssl_ocsp_revoked_cert_stat 0
        proxy.process.ssl.ssl_ocsp_unknown_cert_stat 0
        
          OCSP_resp_find_status(bs, cinf->cid, &status, &reason, &rev, &thisupd, &nextupd);
        
          switch (status) {
            case V_OCSP_CERTSTATUS_GOOD:
              break;
            case V_OCSP_CERTSTATUS_REVOKED:
              SSL_INCREMENT_DYN_STAT(ssl_ocsp_revoked_cert_stat);
              break;
            case V_OCSP_CERTSTATUS_UNKNOWN:
              SSL_INCREMENT_DYN_STAT(ssl_ocsp_unknown_cert_stat);
              break;
            default:
              break;
          }
        
      2. Change the debug tag in OCSP Stapling to ssl_ocsp.
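
      One way to act on the two counters above, as an added example (not code from the issue or from Traffic Server): compare two snapshots of the "name value" lines shown in the description and report which OCSP error counter grew. The function names and the sample snapshots are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect growth in the OCSP stapling error counters between two
# snapshots of "name value" lines, the format shown in the issue for
# `traffic_line -m proxy.process.ssl.ssl_ocsp`. Function names are hypothetical.

# ocsp_stat_value NAME: read "name value" lines on stdin and print NAME's value.
# Prints 0 when the stat is absent (e.g. a build without these stats).
ocsp_stat_value() {
  awk -v name="$1" '$1 == name { v = $2; found = 1 }
                    END { print (found ? v + 0 : 0) }'
}

# ocsp_stat_delta PREV CUR: print "stat delta" for each OCSP error counter that
# grew between the two snapshots. Returns 1 if any counter grew, 0 otherwise.
ocsp_stat_delta() {
  prev=$1 cur=$2 rc=0
  for stat in proxy.process.ssl.ssl_ocsp_revoked_cert_stat \
              proxy.process.ssl.ssl_ocsp_unknown_cert_stat; do
    old=$(printf '%s\n' "$prev" | ocsp_stat_value "$stat")
    new=$(printf '%s\n' "$cur" | ocsp_stat_value "$stat")
    # A counter lower than before means the process restarted: count from zero.
    if [ "$new" -lt "$old" ]; then old=0; fi
    if [ "$new" -gt "$old" ]; then
      echo "$stat $((new - old))"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample snapshots (not real measurements).
SAMPLE_PREV='proxy.process.ssl.ssl_ocsp_revoked_cert_stat 0
proxy.process.ssl.ssl_ocsp_unknown_cert_stat 2'
SAMPLE_CUR='proxy.process.ssl.ssl_ocsp_revoked_cert_stat 1
proxy.process.ssl.ssl_ocsp_unknown_cert_stat 2'

ocsp_stat_delta "$SAMPLE_PREV" "$SAMPLE_CUR" || echo "OCSP stapling errors increased"
```

      A growing revoked counter means the OCSP responder reported the server's own certificate as revoked, so it is the one worth alerting on first.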

      Attachments

        1. TS-3384.diff
          7 kB
          Feifei Cai

            People

              bcall Bryan Call
              ffcai Feifei Cai