From 7696c6afa0fd4192ce183b43a9833f110afad926 Mon Sep 17 00:00:00 2001
From: Masakazu Kitajo
Date: Tue, 2 May 2023 15:05:45 -0600
Subject: [PATCH 1/2] Add error log for invalid OCSP response
---
 iocore/net/OCSPStapling.cc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/iocore/net/OCSPStapling.cc b/iocore/net/OCSPStapling.cc
index 11dd1dc9166..d3077500f4e 100644
--- a/iocore/net/OCSPStapling.cc
+++ b/iocore/net/OCSPStapling.cc
@@ -957,8 +957,10 @@ stapling_check_response(certinfo *cinf, TS_OCSP_RESPONSE *rsp)
 if (!TS_OCSP_resp_find_status(bs, cinf->cid, &status, &reason, &rev, &thisupd, &nextupd)) {
 // If ID not present just pass it back to client
 Error("stapling_check_response: certificate ID not present in response for %s", cinf->certname);
- } else {
- TS_OCSP_check_validity(thisupd, nextupd, 300, -1);
+ }
+ if (!TS_OCSP_check_validity(thisupd, nextupd, 300, -1)) {
+ // The check is just for logging and pass the response back to client anyway
+ Error("stapling_check_response: status in response for %s is not valid already/yet", cinf->certname);
 }
 
 switch (status) {
From 1df7130ea61e9c9b52040ac7d0fd36b28ce5e33a Mon Sep 17 00:00:00 2001
From: Masakazu Kitajo
Date: Wed, 3 May 2023 09:43:45 -0600
Subject: [PATCH 2/2] Check times only if status is available
---
 iocore/net/OCSPStapling.cc | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/iocore/net/OCSPStapling.cc b/iocore/net/OCSPStapling.cc
index d3077500f4e..86c42d1b40b 100644
--- a/iocore/net/OCSPStapling.cc
+++ b/iocore/net/OCSPStapling.cc
@@ -957,10 +957,11 @@ stapling_check_response(certinfo *cinf, TS_OCSP_RESPONSE *rsp)
 if (!TS_OCSP_resp_find_status(bs, cinf->cid, &status, &reason, &rev, &thisupd, &nextupd)) {
 // If ID not present just pass it back to client
 Error("stapling_check_response: certificate ID not present in response for %s", cinf->certname);
- }
- if (!TS_OCSP_check_validity(thisupd, nextupd, 300, -1)) {
- // The check is just for logging and pass the response back to client anyway
- Error("stapling_check_response: status in response for %s is not valid already/yet", cinf->certname);
+ } else {
+ if (!TS_OCSP_check_validity(thisupd, nextupd, 300, -1)) {
+ // The check is just for logging and pass the response back to client anyway
+ Error("stapling_check_response: status in response for %s is not valid already/yet", cinf->certname);
+ }
 }
 
 switch (status) {
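Review bot: The new `} else {` block holds only a single `if`, so the two can be collapsed into `} else if (!TS_OCSP_check_validity(thisupd, nextupd, 300, -1)) {` with one closing brace dropped, removing a nesting level. The literals 300 and -1 are passed without explanation; if the TS_ wrapper follows OpenSSL's OCSP_check_validity they are the clock-skew leeway in seconds and "no maximum age for thisUpdate", and a comment such as `// 300 s skew tolerance; -1 = no maximum age for thisUpdate` (or two named constants) would record that for the next reader. The comment "The check is just for logging and pass the response back to client anyway" and the message "is not valid already/yet" read awkwardly; "The check only logs; the response is still passed back to the client" and "is expired or not yet valid" say the same more clearly. stapling_check_response's body continues outside the hunk on both sides, including the switch on status.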