[✨ Triage] dotnet/runtime#117681 by Jericho - SSL certificate fails validation #1232

@MihuBot

Description

Triage for dotnet/runtime#117681.
Repo filter: All networking issues.
MihuBot version: 7cce3b.
Ping MihaZupan for any issues.

This is a test triage report generated by AI, aimed at helping the triage team quickly identify past issues/PRs that may be related.
Take any conclusions with a large grain of salt.

dotnet/runtime#117681: Certificate validation fails with RevocationStatusUnknown when using HTTPS proxy by Jericho
[Tool] Searching for RevocationStatusUnknown, certificate revocation .NET 10 preview 6, HttpClient certificate validation proxy, SSL certificate revocation check default, Fiddler certificate revocation, AuthenticationException certificate chain (IncludeOpen=True, IncludeClosed=True, IncludeIssues=True, IncludePullRequests=True, Repository=dotnet/runtime)
[Tool] Found 163 issues, 139 comments, 163 returned results (20340 ms)

Here are the most relevant related issues and discussions for issue #117681, "Certificate validation fails with RevocationStatusUnknown when using HTTPS proxy":


1. PR dotnet/runtime#116098 (May–June 2025) - Change HttpClient/SslStream default certificate revocation check mode to Online

  • Summary: This PR changed the default certificate revocation mode for HttpClient and SslStream to Online in .NET 10 preview 6, which is a breaking change. Previously, revocation checking was not performed by default. Now, unless explicitly disabled, .NET will attempt to check certificate revocation status online (via CRL/OCSP).
  • Discussion: The PR and its comments discuss the security and compatibility implications, performance impact, and platform differences (notably on Apple/macOS and Linux). There is also mention of opt-out mechanisms via app context switches and environment variables.
  • Relevance: This is the root cause of the regression described in #117681. The new default causes failures when the proxy (Fiddler) issues certificates without revocation information, resulting in RevocationStatusUnknown.
  • Key comments:

2. Issue dotnet/runtime#111704 (Jan–June 2025) - Consider doing certificate revocation checking by default for SslStream/HttpClient

  • Summary: This issue tracks the proposal and discussion to enable revocation checking by default for HttpClient and SslStream. It covers the rationale, security trade-offs, platform differences, and the need for opt-outs.
  • Discussion: There is extensive discussion about the impact on isolated networks, performance, and the fact that many proxies (like Fiddler) and some CAs do not provide revocation information. There is also debate about whether to "fail open" or "fail closed" when revocation status is unknown.
  • Relevance: This is the design discussion that led to the breaking change in .NET 10 preview 6, directly explaining the regression in #117681.
  • Key comments:

3. Issue dotnet/runtime#117681 (July 2025) - Certificate validation fails with RevocationStatusUnknown when using HTTPS proxy


4. Issue dotnet/runtime#37435 (June 2020–July 2021) - RevocationStatusUnknown unable to get certificate CRL

  • Summary: This older issue discusses RevocationStatusUnknown errors in a Linux Docker context, where CRLs are not available or cannot be downloaded. The discussion covers platform differences and workarounds.
  • Relevance: Shows that RevocationStatusUnknown is a common error when revocation info is missing or unreachable, and that this is not new, but the default behavior in .NET 10 preview 6 now exposes it more often.

5. Issue dotnet/runtime#25872 (April 2018–Jan 2025) - SSlStream on OSX High Sierra throws AuthenticationException when certificate revocation checking is enabled and the server’s certificate extensions includes a CRL but not OCSP

  • Summary: Discusses platform-specific issues with revocation checking, especially on macOS, where CRL/OCSP support is inconsistent.
  • Relevance: Highlights that revocation checking is not always reliable, and that "fail closed" can cause problems in real-world scenarios.

6. Issue dotnet/runtime#113971 (March–May 2025) - Invalid certificate verification on Mac leading to The remote certificate is invalid because of errors in the certificate chain: RevocationStatusUnknown errors

  • Summary: Another recent example of RevocationStatusUnknown errors, this time on macOS, due to inability to fetch CRLs.
  • Relevance: Shows that the new default can cause failures on platforms and with certificates that lack revocation info.

7. Issue dotnet/runtime#117195 (July 2025) - [iOS] SSL Certificate Validation fails with RevocationStatusUnknown

  • Summary: Reports RevocationStatusUnknown errors on iOS, especially with Let's Encrypt certificates after OCSP was deprecated.
  • Relevance: Demonstrates that the new default can cause failures in other environments, not just with proxies.

8. Docs: .NET 10 breaking change - SSL certificate revocation check default

  • Summary: Official documentation of the breaking change, including workarounds and opt-out instructions.
  • Relevance: Directly referenced in #117681 and should be included in any triage summary.

Summary of Conclusions and Workarounds

  • Root cause: .NET 10 preview 6 changed the default for HttpClient and SslStream to perform online certificate revocation checking. This causes failures when the certificate (e.g., from Fiddler) does not include revocation information, resulting in RevocationStatusUnknown.
  • Workarounds:
    • Set HttpClientHandler.CheckCertificateRevocationList = false to restore previous behavior.
    • Use a custom ServerCertificateCustomValidationCallback that ignores RevocationStatusUnknown.
    • Use the documented app context switch or environment variable to opt out globally.
  • Documentation: The breaking change is documented at https://learn.microsoft.com/en-us/dotnet/core/compatibility/networking/10.0/ssl-certificate-revocation-check-default.
  • Design intent: The change was made for security reasons, but the team is aware of the compatibility and usability impact, especially for proxies and test tools like Fiddler.
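One way to apply the second workaround above while keeping every other chain check strict, written here as an added C# example that is not code from the issue, from MihuBot or from the .NET team (the class name, method name and the decision to also tolerate OfflineRevocation are assumptions):

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the issue or the .NET team): a validation callback
// that leaves revocation checking enabled but tolerates only an *unknown*
// revocation status, for use behind a debugging proxy such as Fiddler whose
// certificates carry no CRL/OCSP information. Name mismatches, untrusted
// roots, expired certificates and every other chain error still fail.
static class ProxyTolerantValidation
{
    // Windows usually reports OfflineRevocation together with
    // RevocationStatusUnknown when no revocation source is reachable, so both
    // flags are masked out; anything else in the status bitmask is fatal.
    private const X509ChainStatusFlags Tolerated =
        X509ChainStatusFlags.RevocationStatusUnknown |
        X509ChainStatusFlags.OfflineRevocation;

    // Returns true only when the sole policy error is a chain error and every
    // chain status entry consists of nothing but the tolerated flags.
    public static bool OnlyRevocationStatusUnknown(
        X509Certificate2? certificate, X509Chain? chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        // RemoteCertificateNameMismatch / RemoteCertificateNotAvailable are never accepted.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors)
            return false;

        if (chain is null || chain.ChainStatus.Length == 0)
            return false; // fail closed when there is nothing to inspect

        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            if ((status.Status & ~Tolerated) != X509ChainStatusFlags.NoError)
                return false; // some other chain problem is present
        }
        return true;
    }

    public static HttpClient CreateClient()
    {
        var handler = new HttpClientHandler
        {
            // Keep the new .NET 10 default (online revocation checks); only
            // the handling of an "unknown" answer is relaxed.
            CheckCertificateRevocationList = true,
            ServerCertificateCustomValidationCallback =
                (_, cert, chain, errors) => OnlyRevocationStatusUnknown(cert, chain, errors),
        };
        return new HttpClient(handler);
    }
}
```

Compared with setting CheckCertificateRevocationList = false, this keeps revocation checks active for certificates that do carry CRL/OCSP data, so a certificate that is known to be revoked is still rejected.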


If you need to triage or respond to #117681, reference the above issues and documentation, and point out that this is a known and intentional breaking change in .NET 10 preview 6, with documented workarounds.
