dotnet · rzikm · Aug 11, 2025 · Aug 6, 2025 · Aug 7, 2025 · Aug 7, 2025
diff --git a/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs b/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs
@@ -48,7 +48,7 @@ public void Ctor_ExpectedDefaultValues()
             using (HttpClientHandler handler = CreateHttpClientHandler())
             {
                 Assert.Null(handler.ServerCertificateCustomValidationCallback);
-                Assert.True(handler.CheckCertificateRevocationList);
+                Assert.False(handler.CheckCertificateRevocationList);
             }
         }
 

diff --git a/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.cs b/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.cs
@@ -76,9 +76,9 @@ public void Ctor_ExpectedDefaultPropertyValues()
                 Assert.False(handler.PreAuthenticate);
                 Assert.True(handler.SupportsProxy);
                 Assert.True(handler.SupportsRedirectConfiguration);
+                Assert.False(handler.CheckCertificateRevocationList);
 
                 // Changes from .NET Framework.
-                Assert.True(handler.CheckCertificateRevocationList);
                 Assert.Equal(0, handler.MaxRequestContentBufferSize);
                 Assert.Equal(SslProtocols.None, handler.SslProtocols);
             }

diff --git a/src/libraries/System.Net.Http.WinHttpHandler/src/System/Net/Http/WinHttpHandler.cs b/src/libraries/System.Net.Http.WinHttpHandler/src/System/Net/Http/WinHttpHandler.cs
@@ -43,10 +43,7 @@ public class WinHttpHandler : HttpMessageHandler
         internal static readonly Version HttpVersion20 = new Version(2, 0);
         internal static readonly Version HttpVersion30 = new Version(3, 0);
         internal static readonly Version HttpVersionUnknown = new Version(0, 0);
-        internal static bool DefaultCertificateRevocationCheck { get; } =
-            AppContextSwitchHelper.GetBooleanConfig(
-                "System.Net.Security.NoRevocationCheckByDefault",
-                "DOTNET_SYSTEM_NET_SECURITY_NOREVOCATIONCHECKBYDEFAULT") ? false : true;
+        internal static bool DefaultCertificateRevocationCheck { get; }
 
         internal static bool CertificateCachingAppContextSwitchEnabled { get; } = AppContext.TryGetSwitch("System.Net.Http.UseWinHttpCertificateCaching", out bool enabled) && enabled;
         private static readonly TimeSpan s_maxTimeout = TimeSpan.FromMilliseconds(int.MaxValue);

diff --git a/src/libraries/System.Net.Http/tests/FunctionalTests/SocketsHttpHandlerTest.cs b/src/libraries/System.Net.Http/tests/FunctionalTests/SocketsHttpHandlerTest.cs
@@ -2540,7 +2540,7 @@ public void SslOptions_GetSet_Roundtrips()
 
                 Assert.True(options.AllowRenegotiation);
                 Assert.Null(options.ApplicationProtocols);
-                Assert.Equal(X509RevocationMode.Online, options.CertificateRevocationCheckMode);
+                Assert.Equal(X509RevocationMode.NoCheck, options.CertificateRevocationCheckMode);
                 Assert.Null(options.ClientCertificates);
                 Assert.Equal(SslProtocols.None, options.EnabledSslProtocols);
                 Assert.Equal(EncryptionPolicy.RequireEncryption, options.EncryptionPolicy);

diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslAuthenticationOptions.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslAuthenticationOptions.cs
@@ -13,11 +13,7 @@ internal sealed class SslAuthenticationOptions : IDisposable
     {
         private const string EnableOcspStaplingContextSwitchName = "System.Net.Security.EnableServerOcspStaplingFromOnlyCertificateOnLinux";
 
-        internal static readonly X509RevocationMode DefaultRevocationMode =
-            AppContextSwitchHelper.GetBooleanConfig(
-                "System.Net.Security.NoRevocationCheckByDefault",
-                "DOTNET_SYSTEM_NET_SECURITY_NOREVOCATIONCHECKBYDEFAULT")
-                ? X509RevocationMode.NoCheck : X509RevocationMode.Online;
+        internal const X509RevocationMode DefaultRevocationMode = X509RevocationMode.NoCheck;
 
         internal SslAuthenticationOptions()
         {

diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamRemoteExecutorTests.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamRemoteExecutorTests.cs
@@ -83,31 +83,5 @@ await TestConfiguration.WhenAllOrAnyFailedWithTimeout(
                 Assert.True(File.ReadAllText(tempFile).Length == 0);
             }
         }
-
-        [ConditionalTheory(typeof(RemoteExecutor), nameof(RemoteExecutor.IsSupported))]
-        [InlineData(true)]
-        [InlineData(false)]
-        public void DefaultRevocationMode_OfflineRevocationByDefault_True_UsesNoCheck(bool useEnvVar)
-        {
-            var psi = new ProcessStartInfo();
-            if (useEnvVar)
-            {
-                psi.Environment.Add("DOTNET_SYSTEM_NET_SECURITY_NOREVOCATIONCHECKBYDEFAULT", "true");
-            }
-
-            Assert.Equal(X509RevocationMode.Online, new SslClientAuthenticationOptions().CertificateRevocationCheckMode);
-            Assert.Equal(X509RevocationMode.Online, new SslServerAuthenticationOptions().CertificateRevocationCheckMode);
-
-            RemoteExecutor.Invoke(useEnvVar =>
-            {
-                if (!bool.Parse(useEnvVar))
-                {
-                    AppContext.SetSwitch("System.Net.Security.NoRevocationCheckByDefault", true);
-                }
-
-                Assert.Equal(X509RevocationMode.NoCheck, new SslClientAuthenticationOptions().CertificateRevocationCheckMode);
-                Assert.Equal(X509RevocationMode.NoCheck, new SslServerAuthenticationOptions().CertificateRevocationCheckMode);
-            }, useEnvVar.ToString(), new RemoteInvokeOptions { StartInfo = psi }).Dispose();
-        }
     }
 }
diff --git a/src/libraries/System.Net.Security/tests/UnitTests/SslAuthenticationOptionsTests.cs b/src/libraries/System.Net.Security/tests/UnitTests/SslAuthenticationOptionsTests.cs
@@ -133,13 +133,13 @@ public void EnabledSslProtocols_Get_Set_Succeeds()
         [Fact]
         public void CheckCertificateRevocation_Get_Set_Succeeds()
         {
-            Assert.Equal(X509RevocationMode.Online, _clientOptions.CertificateRevocationCheckMode);
-            Assert.Equal(X509RevocationMode.Online, _serverOptions.CertificateRevocationCheckMode);
+            Assert.Equal(X509RevocationMode.NoCheck, _clientOptions.CertificateRevocationCheckMode);
+            Assert.Equal(X509RevocationMode.NoCheck, _serverOptions.CertificateRevocationCheckMode);
 
-            _clientOptions.CertificateRevocationCheckMode = X509RevocationMode.NoCheck;
+            _clientOptions.CertificateRevocationCheckMode = X509RevocationMode.Online;
             _serverOptions.CertificateRevocationCheckMode = X509RevocationMode.Offline;
 
-            Assert.Equal(X509RevocationMode.NoCheck, _clientOptions.CertificateRevocationCheckMode);
+            Assert.Equal(X509RevocationMode.Online, _clientOptions.CertificateRevocationCheckMode);
             Assert.Equal(X509RevocationMode.Offline, _serverOptions.CertificateRevocationCheckMode);
 
             Assert.Throws<ArgumentException>(() => _clientOptions.CertificateRevocationCheckMode = (X509RevocationMode)3);