do not require to disable revocation checks

dotnet · Oct 26, 2023 · cc1ed2c · cc1ed2c
1 parent 0b5dff5
commit cc1ed2c
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 10 deletions.
diff --git a/Samples/Client/Client_Connection_Samples.cs b/Samples/Client/Client_Connection_Samples.cs
@@ -450,7 +450,6 @@ public static async Task ConnectTls_WithCaFile()
                 .WithTcpServer("test.mosquitto.org", 8883)
                 .WithTlsOptions(new MqttClientTlsOptionsBuilder()
                     .WithTrustChain(caChain) 
-                    .WithRevocationMode(System.Security.Cryptography.X509Certificates.X509RevocationMode.NoCheck) // no check, since this CA does not include CRL/OCSP endpoints
                     .Build())
                 .Build();
 

diff --git a/Source/MQTTnet/Implementations/MqttTcpChannel.cs b/Source/MQTTnet/Implementations/MqttTcpChannel.cs
@@ -115,9 +115,7 @@ public async Task ConnectAsync(CancellationToken cancellationToken)
                             ApplicationProtocols = _tcpOptions.TlsOptions.ApplicationProtocols,
                             ClientCertificates = LoadCertificates(),
                             EnabledSslProtocols = _tcpOptions.TlsOptions.SslProtocol,
-                            CertificateRevocationCheckMode = _tcpOptions.TlsOptions.IgnoreCertificateRevocationErrors ? 
-                                                                    X509RevocationMode.NoCheck : 
-                                                                    _tcpOptions.TlsOptions.RevocationMode,
+                            CertificateRevocationCheckMode = _tcpOptions.TlsOptions.IgnoreCertificateRevocationErrors ? X509RevocationMode.NoCheck : _tcpOptions.TlsOptions.RevocationMode,
                             TargetHost = targetHost,
                             CipherSuitesPolicy = _tcpOptions.TlsOptions.CipherSuitesPolicy,
                             EncryptionPolicy = _tcpOptions.TlsOptions.EncryptionPolicy,
@@ -126,14 +124,11 @@ public async Task ConnectAsync(CancellationToken cancellationToken)
 #if NET7_0_OR_GREATER
                         if (_tcpOptions.TlsOptions.TrustChain?.Count > 0)
                         {
-                            X509Certificate2Collection caCerts = _tcpOptions.TlsOptions.TrustChain;
                             sslOptions.CertificateChainPolicy = new X509ChainPolicy();
                             sslOptions.CertificateChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
-                            sslOptions.CertificateChainPolicy.RevocationMode = _tcpOptions.TlsOptions.RevocationMode;
-                            foreach (X509Certificate2 cert in caCerts)
-                            {
-                                sslOptions.CertificateChainPolicy.CustomTrustStore.Add(cert);
-                            }
+                            sslOptions.CertificateChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreEndRevocationUnknown;
+                            sslOptions.CertificateChainPolicy.RevocationMode = _tcpOptions.TlsOptions.IgnoreCertificateRevocationErrors ? X509RevocationMode.NoCheck : _tcpOptions.TlsOptions.RevocationMode;
+                            sslOptions.CertificateChainPolicy.CustomTrustStore.AddRange(_tcpOptions.TlsOptions.TrustChain);
                         }
 #endif