Description
SslClientAuthenticationOptions.CertificateRevocationCheckMode and SslServerAuthenticationOptions.CertificateRevocationCheckMode default values have changed from NoCheck to Online. This change enhances security and makes the behavior consistent with X509ChainPolicy.
Version
.NET 10 Preview 6
Previous behavior
SslClientAuthenticationOptions.CertificateRevocationCheckMode and SslServerAuthenticationOptions.CertificateRevocationCheckMode default values were NoCheck.
New behavior
SslClientAuthenticationOptions.CertificateRevocationCheckMode and SslServerAuthenticationOptions.CertificateRevocationCheckMode default values are Online.
Type of breaking change
- Binary incompatible: Existing binaries might encounter a breaking change in behavior, such as failure to load or execute, and if so, require recompilation.
- Source incompatible: When recompiled using the new SDK or component or to target the new runtime, existing source code might require source changes to compile successfully.
- Behavioral change: Existing binaries might behave differently at run time.
Reason for change
Enhancing security and consistency between APIs related to X.509 certificate revocation checking.
Recommended action
If certificate revocation checking is not desired, specify X509RevocationMode.NoCheck explicitly.
In situations where the code may not be modified, previous behavior can be enabled by setting either:
- System.Net.Security.NoRevocationCheckByDefault AppContext switch to true
- DOTNET_SYSTEM_NET_SECURITY_NOREVOCATIONCHECKBYDEFAULT environment variable to true
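As an added example (not code from the original issue or the .NET repository), the following C# pins CertificateRevocationCheckMode explicitly on a SocketsHttpHandler so the default change has no effect either way, and logs X509 chain status from the validation callback so revocation-related handshake failures (revoked certificate, unreachable CRL/OCSP endpoint) are visible in diagnostics. The URL is a placeholder.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Added example, not part of the original issue. Sets the revocation mode
// explicitly and surfaces chain status so an Online check that fails is
// diagnosable rather than a bare "RemoteCertificateChainErrors".
static class RevocationCheckExample
{
    // Placeholder endpoint (assumption); replace with the real host.
    const string Url = "https://example.invalid/";

    static bool LogChainStatus(object sender, X509Certificate? cert,
                               X509Chain? chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;

        if (chain is not null)
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                // With Online checking the flags to expect here include
                // Revoked, RevocationStatusUnknown and OfflineRevocation.
                Console.Error.WriteLine(
                    $"chain status: {status.Status} - {status.StatusInformation}");
            }
        }
        // Keep the secure decision: any policy error still fails the handshake.
        return false;
    }

    static async Task Main()
    {
        using var handler = new SocketsHttpHandler();
        // Explicit value: NoCheck was the default before .NET 10, Online from
        // .NET 10 Preview 6 onward. Pinning it removes the dependency on the
        // framework version and on the NoRevocationCheckByDefault switch.
        handler.SslOptions.CertificateRevocationCheckMode = X509RevocationMode.Online;
        handler.SslOptions.RemoteCertificateValidationCallback = LogChainStatus;

        using var client = new HttpClient(handler);
        using HttpResponseMessage response = await client.GetAsync(Url);
        Console.WriteLine((int)response.StatusCode);
    }
}
```

The same property exists on SslClientAuthenticationOptions passed to SslStream.AuthenticateAsClientAsync, so the SslStream paths listed under Affected APIs are handled identically.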
Feature area
Networking
Affected APIs
SslStream.AuthenticateAsClient
SslStream.AuthenticateAsClientAsync
SslStream.AuthenticateAsServer
SslStream.AuthenticateAsServerAsync
HttpClient - all Send* methods (when using either WinHttpHandler or SocketsHttpHandler)