From 7194d733f5759b6007a09d55e364e09937208ff1 Mon Sep 17 00:00:00 2001
From: Evan Zelkowitz
Date: Mon, 22 Jun 2026 20:14:48 -0600
Subject: [PATCH] Throttle OCSP cert-status error instead of logging on every handshake

ssl_callback_ocsp_stapling() emitted an Error on every TLS handshake when a cert's OCSP response was missing or expired, which could flood error.log. Use SiteThrottledError so ops are still alerted at Error severity but the message is rate-limited per call site (default 60s) with a suppressed-count.
---
 src/iocore/net/OCSPStapling.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/iocore/net/OCSPStapling.cc b/src/iocore/net/OCSPStapling.cc
index 0c500f90069..75ced5401d7 100644
--- a/src/iocore/net/OCSPStapling.cc
+++ b/src/iocore/net/OCSPStapling.cc
@@ -1421,7 +1421,7 @@ ssl_callback_ocsp_stapling(SSL *ssl, void *)
 time_t current_time = time(nullptr);
 if ((cinf->resp_derlen == 0 || cinf->is_expire) || (cinf->expire_time < current_time && !cinf->is_prefetched)) {
 ink_mutex_release(&cinf->stapling_mutex);
- Error("ssl_callback_ocsp_stapling: failed to get certificate status for %s", cinf->certname);
+ SiteThrottledError("ssl_callback_ocsp_stapling: failed to get certificate status for %s", cinf->certname);
 return SSL_TLSEXT_ERR_NOACK;
 } else {
 unsigned char *p = static_cast(OPENSSL_malloc(cinf->resp_derlen));
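Review bot: The throttle on the new `SiteThrottledError(...)` line is, per the commit message, keyed to the call site rather than to `cinf->certname`, so only the first failing certificate in each window is named in error.log. Any other certificate whose staple is missing or expired in that interval is folded into the suppressed count. An operator triaging stapling failures can therefore miss that a second certificate is also being served without a staple, which matters most for must-staple certificates. I would record this above the call, e.g. `// Throttled per call site, not per cert: other certnames failing in the same window only appear in the suppressed count.`, and consider a per-certificate counter or debug-level line if the file already has one available. The body of ssl_callback_ocsp_stapling starts and ends outside the hunk, so any existing metric on this path is not visible from here.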