OCSP: FetchSM initialization check

bneradt · bneradt · commit 55580a095651 · 2025-04-11T21:17:27.000Z
Delay OCSP fetch until FetchSM is initialized. This avoids noisy OCSP error messages on ATS initialization that result when the FetchSM calls fail each attempted OCSP cert fetch. Fixes: #9819
diff --git a/include/proxy/FetchSM.h b/include/proxy/FetchSM.h
@@ -38,6 +38,12 @@ class FetchSM : public Continuation
 {
 public:
   FetchSM() {}
+
+  /** Indicate whether FetchSM dependencies have been initialized by ATS.
+   * @return True if FetchSM dependencies have been initialized, false otherwise.
+   */
+  static bool is_initialized();
+
   void
   init_comm()
   {
diff --git a/include/proxy/PluginHttpConnect.h b/include/proxy/PluginHttpConnect.h
@@ -25,4 +25,5 @@
 
 #include "proxy/PluginVC.h"
 
+bool      PluginHttpConnectIsInitialized();
 PluginVC *PluginHttpConnectInternal(TSHttpConnectOptions *options);
diff --git a/src/iocore/net/OCSPStapling.cc b/src/iocore/net/OCSPStapling.cc
@@ -1284,13 +1284,19 @@ stapling_refresh_response(certinfo *cinf, TS_OCSP_RESPONSE **prsp)
   return rv;
 }
 
-void
+OCSPStatus
 ocsp_update()
 {
+  if (!FetchSM::is_initialized()) {
+    Dbg(dbg_ctl_ssl_ocsp, "FetchSM is not yet initialized. Skipping OCSP update.");
+    return OCSPStatus::OCSP_FETCHSM_NOT_INITIALIZED;
+  }
   shared_SSL_CTX    ctx;
   TS_OCSP_RESPONSE *resp = nullptr;
   time_t            current_time;
 
+  Note("OCSP refresh started");
+
   SSLCertificateConfig::scoped_config certLookup;
 
   Dbg(dbg_ctl_ssl_ocsp, "updating OCSP data");
@@ -1332,6 +1338,8 @@ ocsp_update()
       }
     }
   }
+  Note("OCSP refresh finished");
+  return OCSPStatus::OCSP_OK;
 }
 
 // RFC 6066 Section-8: Certificate Status Request
diff --git a/src/iocore/net/P_OCSPStapling.h b/src/iocore/net/P_OCSPStapling.h
@@ -25,6 +25,11 @@
 
 void ssl_stapling_ex_init();
 bool ssl_stapling_init_cert(SSL_CTX *ctx, X509 *cert, const char *certname, const char *rsp_file);
-void ocsp_update();
+
+enum class OCSPStatus {
+  OCSP_OK,
+  OCSP_FETCHSM_NOT_INITIALIZED,
+};
+OCSPStatus ocsp_update();
 
 int ssl_callback_ocsp_stapling(SSL *, void *);
diff --git a/src/iocore/net/SSLNetProcessor.cc b/src/iocore/net/SSLNetProcessor.cc
@@ -38,9 +38,11 @@ struct OCSPContinuation : public Continuation {
   int
   mainEvent(int /* event ATS_UNUSED */, Event * /* e ATS_UNUSED */)
   {
-    Note("OCSP refresh started");
-    ocsp_update();
-    Note("OCSP refresh finished");
+    if (ocsp_update() == OCSPStatus::OCSP_FETCHSM_NOT_INITIALIZED) {
+      Note("Delaying OCSP fetching until FetchSM is initialized.");
+      this_ethread()->schedule_in(this, HRTIME_SECONDS(1));
+      return EVENT_CONT;
+    }
     return EVENT_CONT;
   }
 
diff --git a/src/proxy/FetchSM.cc b/src/proxy/FetchSM.cc
@@ -40,6 +40,12 @@ DbgCtl dbg_ctl{DEBUG_TAG};
 
 } // end anonymous namespace
 
+bool
+FetchSM::is_initialized()
+{
+  return PluginHttpConnectIsInitialized();
+}
+
 void
 FetchSM::cleanUp()
 {
diff --git a/src/proxy/PluginHttpConnect.cc b/src/proxy/PluginHttpConnect.cc
@@ -26,6 +26,12 @@
 
 extern HttpSessionAccept *plugin_http_accept;
 
+bool
+PluginHttpConnectIsInitialized()
+{
+  return plugin_http_accept != nullptr;
+}
+
 PluginVC *
 PluginHttpConnectInternal(TSHttpConnectOptions *options)
 {

Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,12 @@ class FetchSM : public Continuation`
`38`	`38`	`{`
`39`	`39`	`public:`
`40`	`40`	`FetchSM() {}`
	`41`	`+`
	`42`	`+ /** Indicate whether FetchSM dependencies have been initialized by ATS.`
	`43`	`+ * @return True if FetchSM dependencies have been initialized, false otherwise.`
	`44`	`+ */`
	`45`	`+ static bool is_initialized();`
	`46`	`+`
`41`	`47`	`void`
`42`	`48`	`init_comm()`
`43`	`49`	`{`
Original file line number	Diff line number	Diff line change
`@@ -25,4 +25,5 @@`
`25`	`25`
`26`	`26`	`#include "proxy/PluginVC.h"`
`27`	`27`
	`28`	`+bool PluginHttpConnectIsInitialized();`
`28`	`29`	`PluginVC PluginHttpConnectInternal(TSHttpConnectOptions options);`
Original file line number	Diff line number	Diff line change
`@@ -1284,13 +1284,19 @@ stapling_refresh_response(certinfo cinf, TS_OCSP_RESPONSE *prsp)`
`1284`	`1284`	`return rv;`
`1285`	`1285`	`}`
`1286`	`1286`
`1287`		`-void`
	`1287`	`+OCSPStatus`
`1288`	`1288`	`ocsp_update()`
`1289`	`1289`	`{`
	`1290`	`+ if (!FetchSM::is_initialized()) {`
	`1291`	`+ Dbg(dbg_ctl_ssl_ocsp, "FetchSM is not yet initialized. Skipping OCSP update.");`
	`1292`	`+ return OCSPStatus::OCSP_FETCHSM_NOT_INITIALIZED;`
	`1293`	`+ }`
`1290`	`1294`	`shared_SSL_CTX ctx;`
`1291`	`1295`	`TS_OCSP_RESPONSE *resp = nullptr;`
`1292`	`1296`	`time_t current_time;`
`1293`	`1297`
	`1298`	`+ Note("OCSP refresh started");`
	`1299`	`+`
`1294`	`1300`	`SSLCertificateConfig::scoped_config certLookup;`
`1295`	`1301`
`1296`	`1302`	`Dbg(dbg_ctl_ssl_ocsp, "updating OCSP data");`
`@@ -1332,6 +1338,8 @@ ocsp_update()`
`1332`	`1338`	`}`
`1333`	`1339`	`}`
`1334`	`1340`	`}`
	`1341`	`+ Note("OCSP refresh finished");`
	`1342`	`+ return OCSPStatus::OCSP_OK;`
`1335`	`1343`	`}`
`1336`	`1344`
`1337`	`1345`	`// RFC 6066 Section-8: Certificate Status Request`
Original file line number	Diff line number	Diff line change
`@@ -38,9 +38,11 @@ struct OCSPContinuation : public Continuation {`
`38`	`38`	`int`
`39`	`39`	`mainEvent(int /* event ATS_UNUSED /, Event /* e ATS_UNUSED */)`
`40`	`40`	`{`
`41`		`- Note("OCSP refresh started");`
`42`		`- ocsp_update();`
`43`		`- Note("OCSP refresh finished");`
	`41`	`+ if (ocsp_update() == OCSPStatus::OCSP_FETCHSM_NOT_INITIALIZED) {`
	`42`	`+ Note("Delaying OCSP fetching until FetchSM is initialized.");`
	`43`	`+ this_ethread()->schedule_in(this, HRTIME_SECONDS(1));`
	`44`	`+ return EVENT_CONT;`
	`45`	`+ }`
`44`	`46`	`return EVENT_CONT;`
`45`	`47`	`}`
`46`	`48`