From cbe7fe51ebffa6bedbba403f5eb552a2f1cbd2fe Mon Sep 17 00:00:00 2001
From: Brian Neradt
Date: Fri, 11 Apr 2025 17:05:26 +0000
Subject: [PATCH] OCSP: FetchSM initialization check

Delay OCSP fetch until FetchSM is initialized. This avoids noisy OCSP error messages on ATS initialization that result when the FetchSM calls fail each attempted OCSP cert fetch.

Fixes: #9819
---
 include/proxy/FetchSM.h | 6 ++++++
 include/proxy/PluginHttpConnect.h | 1 +
 src/iocore/cache/unit_tests/stub.cc | 5 +++++
 src/iocore/net/OCSPStapling.cc | 10 +++++++++-
 src/iocore/net/P_OCSPStapling.h | 7 ++++++-
 src/iocore/net/SSLNetProcessor.cc | 8 +++++---
 src/iocore/net/libinknet_stub.cc | 5 +++++
 src/proxy/FetchSM.cc | 6 ++++++
 src/proxy/PluginHttpConnect.cc | 6 ++++++
 src/traffic_quic/traffic_quic.cc | 5 +++++
 10 files changed, 54 insertions(+), 5 deletions(-)

diff --git a/include/proxy/FetchSM.h b/include/proxy/FetchSM.h
index d59457977f9..ef7585bc711 100644
--- a/include/proxy/FetchSM.h
+++ b/include/proxy/FetchSM.h
@@ -38,6 +38,12 @@ class FetchSM : public Continuation
 {
 public:
 FetchSM() {}
+
+ /** Indicate whether FetchSM dependencies have been initialized by ATS.
+ * @return True if FetchSM dependencies have been initialized, false otherwise.
+ */
+ static bool is_initialized();
+
 void
 init_comm()
 {
diff --git a/include/proxy/PluginHttpConnect.h b/include/proxy/PluginHttpConnect.h
index 10b0f2afb43..90c0104a648 100644
--- a/include/proxy/PluginHttpConnect.h
+++ b/include/proxy/PluginHttpConnect.h
@@ -25,4 +25,5 @@
 #include "proxy/PluginVC.h"
+bool PluginHttpConnectIsInitialized();
 PluginVC *PluginHttpConnectInternal(TSHttpConnectOptions *options);
diff --git a/src/iocore/cache/unit_tests/stub.cc b/src/iocore/cache/unit_tests/stub.cc
index 38771f91945..7fb06a10a75 100644
--- a/src/iocore/cache/unit_tests/stub.cc
+++ b/src/iocore/cache/unit_tests/stub.cc
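Review bot: The new `PluginHttpConnectIsInitialized()` declaration in the PluginHttpConnect.h hunk carries no comment, while the function that wraps it, `FetchSM::is_initialized()`, gets a doc comment in the FetchSM.h hunk of the same patch. Its implementation in PluginHttpConnect.cc only tests `plugin_http_accept != nullptr`, so a one-liner would pin that contract for header readers: `/** @return True once plugin_http_accept has been set up, i.e. PluginHttpConnectInternal() can be used. */`. The FetchSM.h comment's wording "FetchSM dependencies" could likewise say that this pointer is the only dependency currently checked.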
@@ -57,6 +57,11 @@ TSIOBufferReaderConsume(TSIOBufferReader /* readerp ATS_UNUSED */, int64_t /* nb
 #include "proxy/FetchSM.h"
 ClassAllocator FetchSMAllocator("unusedFetchSMAllocator");
+bool
+FetchSM::is_initialized()
+{
+ return true;
+}
 void
 FetchSM::ext_launch()
 {
diff --git a/src/iocore/net/OCSPStapling.cc b/src/iocore/net/OCSPStapling.cc
index a61f82cb13a..7946c78129b 100644
--- a/src/iocore/net/OCSPStapling.cc
+++ b/src/iocore/net/OCSPStapling.cc
@@ -1284,13 +1284,19 @@ stapling_refresh_response(certinfo *cinf, TS_OCSP_RESPONSE **prsp)
 return rv;
 }
-void
+OCSPStatus
 ocsp_update()
 {
+ if (!FetchSM::is_initialized()) {
+ Dbg(dbg_ctl_ssl_ocsp, "FetchSM is not yet initialized. Skipping OCSP update.");
+ return OCSPStatus::OCSP_FETCHSM_NOT_INITIALIZED;
+ }
 shared_SSL_CTX ctx;
 TS_OCSP_RESPONSE *resp = nullptr;
 time_t current_time;
+ Note("OCSP refresh started");
+
 SSLCertificateConfig::scoped_config certLookup;
 Dbg(dbg_ctl_ssl_ocsp, "updating OCSP data");
@@ -1332,6 +1338,8 @@ ocsp_update()
 }
 }
 }
+ Note("OCSP refresh finished");
+ return OCSPStatus::OCSP_OK;
 }
 // RFC 6066 Section-8: Certificate Status Request
diff --git a/src/iocore/net/P_OCSPStapling.h b/src/iocore/net/P_OCSPStapling.h
index 9ca65e45784..71bfc792e69 100644
--- a/src/iocore/net/P_OCSPStapling.h
+++ b/src/iocore/net/P_OCSPStapling.h
@@ -25,6 +25,11 @@ void ssl_stapling_ex_init();
 bool ssl_stapling_init_cert(SSL_CTX *ctx, X509 *cert, const char *certname, const char *rsp_file);
-void ocsp_update();
+
+enum class OCSPStatus {
+ OCSP_OK,
+ OCSP_FETCHSM_NOT_INITIALIZED,
+};
+OCSPStatus ocsp_update();
 int ssl_callback_ocsp_stapling(SSL *, void *);
diff --git a/src/iocore/net/SSLNetProcessor.cc b/src/iocore/net/SSLNetProcessor.cc
index 25521f9abc9..530e98926c7 100644
--- a/src/iocore/net/SSLNetProcessor.cc
+++ b/src/iocore/net/SSLNetProcessor.cc
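Review bot: The status returned from `ocsp_update()` in the OCSPStapling.cc hunks only separates the skipped case from everything else: the second hunk returns `OCSPStatus::OCSP_OK` unconditionally after the certificate loop, and no other return between the two hunks was touched (a bare `return;` would no longer compile), so a refresh in which every staple fetch failed is reported to OCSPContinuation exactly like a successful one. If the status is meant to be the function's contract rather than a one-off startup signal, a further enumerator (a constructed name such as `OCSP_FETCH_FAILED`) set when the loop records a failure would let the caller log or retry; otherwise the enum's documentation should say that OCSP_OK means "attempted", not "refreshed". The guard deliberately logs only at Dbg level because the `Note("OCSP refresh started")` now sits after it; a short comment would make that intent survive later edits: `// Quiet skip: OCSPContinuation retries once FetchSM is up.`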
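Review bot: `enum class OCSPStatus` in the P_OCSPStapling.h hunk is introduced without a comment, and its enumerators repeat the `OCSP_` prefix that the scoped enum already supplies (call sites spell `OCSPStatus::OCSP_OK`). Short of renaming the enumerators, document the meaning of each value where it is declared, e.g. `/// Result of ocsp_update(). OCSP_FETCHSM_NOT_INITIALIZED means no fetch was attempted; the caller should retry once FetchSM::is_initialized() returns true.`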
@@ -38,9 +38,11 @@ struct OCSPContinuation : public Continuation
 {
 int mainEvent(int /* event ATS_UNUSED */, Event * /* e ATS_UNUSED */)
 {
- Note("OCSP refresh started");
- ocsp_update();
- Note("OCSP refresh finished");
+ if (ocsp_update() == OCSPStatus::OCSP_FETCHSM_NOT_INITIALIZED) {
+ Note("Delaying OCSP fetching until FetchSM is initialized.");
+ this_ethread()->schedule_in(this, HRTIME_SECONDS(1));
+ return EVENT_CONT;
+ }
 return EVENT_CONT;
 }
diff --git a/src/iocore/net/libinknet_stub.cc b/src/iocore/net/libinknet_stub.cc
index 3b7f601f6f2..9d1c8b6441c 100644
--- a/src/iocore/net/libinknet_stub.cc
+++ b/src/iocore/net/libinknet_stub.cc
@@ -27,6 +27,11 @@ AppVersionInfo appVersionInfo;
 #include "proxy/FetchSM.h"
 ClassAllocator FetchSMAllocator("unusedFetchSMAllocator");
+bool
+FetchSM::is_initialized()
+{
+ return true;
+}
 void
 FetchSM::ext_launch()
 {
diff --git a/src/proxy/FetchSM.cc b/src/proxy/FetchSM.cc
index 8e0a364453d..6a4c6e9935f 100644
--- a/src/proxy/FetchSM.cc
+++ b/src/proxy/FetchSM.cc
@@ -40,6 +40,12 @@ DbgCtl dbg_ctl{DEBUG_TAG};
 } // end anonymous namespace
+bool
+FetchSM::is_initialized()
+{
+ return PluginHttpConnectIsInitialized();
+}
+
 void
 FetchSM::cleanUp()
 {
diff --git a/src/proxy/PluginHttpConnect.cc b/src/proxy/PluginHttpConnect.cc
index 9e8ea31697d..2869d78c11b 100644
--- a/src/proxy/PluginHttpConnect.cc
+++ b/src/proxy/PluginHttpConnect.cc
@@ -26,6 +26,12 @@ extern HttpSessionAccept *plugin_http_accept;
+bool
+PluginHttpConnectIsInitialized()
+{
+ return plugin_http_accept != nullptr;
+}
+
 PluginVC *
 PluginHttpConnectInternal(TSHttpConnectOptions *options)
 {
diff --git a/src/traffic_quic/traffic_quic.cc b/src/traffic_quic/traffic_quic.cc
index 069a231cc3e..0624828e143 100644
--- a/src/traffic_quic/traffic_quic.cc
+++ b/src/traffic_quic/traffic_quic.cc
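Review bot: The retry branch in `OCSPContinuation::mainEvent` (SSLNetProcessor.cc hunk) reschedules unconditionally and logs at Note level on every attempt, so in a configuration where FetchSM never becomes initialized the 1-second retry runs indefinitely and "Delaying OCSP fetching until FetchSM is initialized." is emitted once per second — the same kind of log noise the commit sets out to remove. If this continuation is also driven by a periodic schedule (set up outside the hunk), each tick would start its own 1-second retry chain until initialization, multiplying the attempts. Consider logging the delay only once, e.g. `static bool delay_logged = false;` with the Note guarded by `if (!delay_logged)`, and capping the retries or backing off. The `return EVENT_CONT;` inside the `if` duplicates the one that follows it and can be dropped.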
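Review bot: `PluginHttpConnectIsInitialized()` in the PluginHttpConnect.cc hunk reads the global `plugin_http_accept` with no synchronization, and with this patch it is polled from the OCSP continuation's event thread while the pointer is presumably assigned during startup on another thread — formally a data race unless ATS already establishes a happens-before between that assignment and the continuation's scheduling (not visible here). If no such ordering is guaranteed, making the global `std::atomic<HttpSessionAccept *>` or documenting the requirement at its definition would make the contract explicit; at minimum a comment on the new function such as `// Polled from other threads; the write to plugin_http_accept must be published before they can observe it.` would flag the assumption for the next reader.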
@@ -347,6 +347,11 @@ PreWarmManager prewarmManager;
 #include "proxy/FetchSM.h"
 ClassAllocator FetchSMAllocator("unusedFetchSMAllocator");
+bool
+FetchSM::is_initialized()
+{
+ return true;
+}
 void
 FetchSM::ext_launch()
 {