Revert changes to HttpClient/SslStream certificate revocation check mode #118456

Open: wants to merge 7 commits into base: main

Conversation

@rzikm rzikm commented Aug 6, 2025

Fixes #117681.

We don't have a good story for X509 certificates without CRL Distribution Points and AIA:OCSP extensions (i.e. certificates for which the revocation cannot be checked online), such as those used by HTTPS proxies (Fiddler, corporate HTTPS proxies, ...).

We may try again in the .NET 11 timeline if we figure out a solution for these cases.
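One way a client can opt in to online revocation checking regardless of the framework default, while telling the "cannot be checked" case described above apart from an actual revocation. This is an added example, not code from the dotnet/runtime PR; the policy it encodes (tolerate an unknown status only when no certificate in the chain advertised a CRL or OCSP endpoint) is one possible choice, not something the PR recommends.

```csharp
// Added example (not code from the dotnet/runtime PR): opt in to online
// revocation checking explicitly and handle RevocationStatusUnknown deliberately.
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class RevocationPolicy
{
    // Extensions that make online revocation checking possible at all.
    const string CrlDistributionPointsOid = "2.5.29.31";
    const string AuthorityInfoAccessOid   = "1.3.6.1.5.5.7.1.1";

    // A certificate carrying neither extension (typical for HTTPS proxy certs)
    // can only ever yield RevocationStatusUnknown under X509RevocationMode.Online.
    public static bool HasRevocationPointers(X509Certificate2 cert)
    {
        foreach (X509Extension ext in cert.Extensions)
        {
            string? oid = ext.Oid?.Value;
            if (oid == CrlDistributionPointsOid || oid == AuthorityInfoAccessOid)
                return true;
        }
        return false;
    }

    // Fails closed on every chain problem except an unknown revocation status,
    // and tolerates that only when no certificate in the chain advertised a way
    // to check it. A cert that advertises CRL/OCSP but cannot be checked is rejected.
    public static bool Validate(object sender, X509Certificate? certificate,
                                X509Chain? chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        if (chain is null || errors != SslPolicyErrors.RemoteCertificateChainErrors) return false;
        X509ChainStatusFlags all = X509ChainStatusFlags.NoError;
        foreach (X509ChainStatus s in chain.ChainStatus) all |= s.Status;
        const X509ChainStatusFlags unknownOnly =
            X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;
        if ((all & ~unknownOnly) != 0) return false;   // Revoked, UntrustedRoot, NotTimeValid, ...
        // Skip the last element: a self-signed root is never revocation-checked.
        for (int i = 0; i < chain.ChainElements.Count - 1; i++)
            if (HasRevocationPointers(chain.ChainElements[i].Certificate)) return false;
        return true;
    }

    public static HttpClient CreateClient()
    {
        var handler = new SocketsHttpHandler();
        // Explicit opt-in: independent of whatever default the framework ships with.
        handler.SslOptions.CertificateRevocationCheckMode = X509RevocationMode.Online;
        handler.SslOptions.RemoteCertificateValidationCallback = Validate;
        return new HttpClient(handler);
    }
}
```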

@Copilot Copilot AI review requested due to automatic review settings August 6, 2025 16:19

@Copilot Copilot AI left a comment


Pull Request Overview

This PR reverts changes that made X509RevocationMode.Online the default certificate revocation check mode for SSL/TLS connections in HttpClient and SslStream. The revert restores the previous default of X509RevocationMode.NoCheck to address compatibility issues with certificates that lack proper revocation checking infrastructure (such as HTTPS proxy certificates).

Key Changes:

  • Reverted default revocation check mode from Online back to NoCheck
  • Removed AppContext switch infrastructure that was added to control the default behavior
  • Updated tests to reflect the reverted default behavior

Reviewed Changes

Copilot reviewed 23 out of 23 changed files in this pull request and generated 2 comments.

Summary per file:

  • SslClientAuthenticationOptions.cs: reverted default _checkCertificateRevocation from SslAuthenticationOptions.DefaultRevocationMode to X509RevocationMode.NoCheck
  • SslServerAuthenticationOptions.cs: reverted default _checkCertificateRevocation from SslAuthenticationOptions.DefaultRevocationMode to X509RevocationMode.NoCheck
  • SslAuthenticationOptions.cs: removed the DefaultRevocationMode property that used the AppContext switch
  • WinHttpHandler.cs: reverted default _checkCertificateRevocationList from DefaultCertificateRevocationCheck to false
  • Various test files: updated test expectations to reflect NoCheck as default, removed AppContext switch tests, and updated certificate handling patterns
  • Project files: removed references to AppContextSwitchHelper.cs, which is no longer needed


Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@wfurt wfurt commented Aug 6, 2025

Do we need to revert everything? It seems like we can flip just the default back, especially if we plan to move forward eventually.

@bartonjs bartonjs commented Aug 7, 2025

I agree with Tomas... rather than "revert" the change, which had some good test cleanup in it, it's really about reverting the intent by just changing the default (and presumably adjusting a few tests to account for it).

@rzikm rzikm commented Aug 7, 2025

change, which had some good test cleanup in it

Yeah, I was too tired yesterday and didn't remember that that PR had those.

@rzikm rzikm commented Aug 8, 2025

/azp run runtime-libraries-coreclr outerloop

Azure Pipelines successfully started running 1 pipeline(s).

@rzikm rzikm marked this pull request as ready for review August 8, 2025 07:38
@rzikm rzikm requested a review from a team August 8, 2025 07:38
@rzikm rzikm commented Aug 8, 2025

/azp run runtime-libraries-coreclr outerloop

Azure Pipelines successfully started running 1 pipeline(s).


@ManickaP ManickaP left a comment


Apart from the compilation error in WinHttpHandler, LGTM. Thanks.

@rzikm rzikm commented Aug 8, 2025

/azp run runtime-libraries-coreclr outerloop

Azure Pipelines successfully started running 1 pipeline(s).

Successfully merging this pull request may close these issues.

Certificate validation fails with RevocationStatusUnknown when using HTTPS proxy