Add error log for invalid OCSP response (#9674)

* Add error log for invalid OCSP response * Check times only if status is available
apache · May 10, 2023 · c5b935c · c5b935c
1 parent 29d8737
commit c5b935c
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/iocore/net/OCSPStapling.cc b/iocore/net/OCSPStapling.cc
@@ -958,7 +958,10 @@ stapling_check_response(certinfo *cinf, TS_OCSP_RESPONSE *rsp)
     // If ID not present just pass it back to client
     Error("stapling_check_response: certificate ID not present in response for %s", cinf->certname);
   } else {
-    TS_OCSP_check_validity(thisupd, nextupd, 300, -1);
+    if (!TS_OCSP_check_validity(thisupd, nextupd, 300, -1)) {
+      // The check is just for logging and pass the response back to client anyway
+      Error("stapling_check_response: status in response for %s is not valid already/yet", cinf->certname);
+    }
   }
 
   switch (status) {