MINOR: ssl: Add ocsp update success/failure counters
Those counters will be used for debugging purposes and will be dumped
via a cli command.
diff --git a/include/haproxy/ssl_ocsp-t.h b/include/haproxy/ssl_ocsp-t.h
index e591b49..0cb5b24 100644
--- a/include/haproxy/ssl_ocsp-t.h
+++ b/include/haproxy/ssl_ocsp-t.h
@@ -49,6 +49,11 @@
STACK_OF(X509) *chain;
struct eb64_node next_update; /* Key of items inserted in ocsp_update_tree (sorted by absolute date) */
struct buffer *uri; /* First OCSP URI contained in the corresponding certificate */
+
+ /* OCSP update stats */
+ u64 last_update; /* Time of last successful update */
+ unsigned int num_success; /* Number of successful updates */
+ unsigned int num_failure; /* Number of failed updates */
};
struct ocsp_cbk_arg {
diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c
index f23531a..d29baf1 100644
--- a/src/ssl_ocsp.c
+++ b/src/ssl_ocsp.c
@@ -1043,6 +1043,9 @@
ctx->flags &= ~HC_F_RES_END;
+ ++ocsp->num_success;
+ ocsp->last_update = now.tv_sec;
+
/* Reinsert the entry into the update list so that it can be updated later */
ssl_ocsp_update_insert(ocsp);
/* Release the reference kept on the updated ocsp response. */
@@ -1150,6 +1153,7 @@
leave:
if (ctx->cur_ocsp) {
/* Something went wrong, reinsert the entry in the tree. */
+ ++ctx->cur_ocsp->num_failure;
ssl_ocsp_update_insert_after_error(ctx->cur_ocsp);
/* Release the reference kept on the updated ocsp response. */
ssl_sock_free_ocsp(ctx->cur_ocsp);
@@ -1170,8 +1174,10 @@
http_error:
/* Reinsert certificate into update list so that it can be updated later */
- if (ocsp)
+ if (ocsp) {
+ ++ocsp->num_failure;
ssl_ocsp_update_insert_after_error(ocsp);
+ }
if (hc)
httpclient_stop_and_destroy(hc);