From cc1ed2c128621246b8ce3e3f20501e10b03c3d0e Mon Sep 17 00:00:00 2001
From: rido-min
Date: Thu, 26 Oct 2023 15:54:00 -0700
Subject: [PATCH] do not require to disable revocation checks

---
 Samples/Client/Client_Connection_Samples.cs      | 1 -
 Source/MQTTnet/Implementations/MqttTcpChannel.cs | 13 ++++---------
 2 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/Samples/Client/Client_Connection_Samples.cs b/Samples/Client/Client_Connection_Samples.cs
index b48dce165..65c3c652d 100644
--- a/Samples/Client/Client_Connection_Samples.cs
+++ b/Samples/Client/Client_Connection_Samples.cs
@@ -450,7 +450,6 @@ public static async Task ConnectTls_WithCaFile()
                 .WithTcpServer("test.mosquitto.org", 8883)
                 .WithTlsOptions(new MqttClientTlsOptionsBuilder()
                     .WithTrustChain(caChain)
-                    .WithRevocationMode(System.Security.Cryptography.X509Certificates.X509RevocationMode.NoCheck) // no check, since this CA does not include CRL/OCSP endpoints
                     .Build())
                 .Build();
 
diff --git a/Source/MQTTnet/Implementations/MqttTcpChannel.cs b/Source/MQTTnet/Implementations/MqttTcpChannel.cs
index a25cdd209..118611771 100644
--- a/Source/MQTTnet/Implementations/MqttTcpChannel.cs
+++ b/Source/MQTTnet/Implementations/MqttTcpChannel.cs
@@ -115,9 +115,7 @@ public async Task ConnectAsync(CancellationToken cancellationToken)
                 ApplicationProtocols = _tcpOptions.TlsOptions.ApplicationProtocols,
                 ClientCertificates = LoadCertificates(),
                 EnabledSslProtocols = _tcpOptions.TlsOptions.SslProtocol,
-                CertificateRevocationCheckMode = _tcpOptions.TlsOptions.IgnoreCertificateRevocationErrors ?
-                    X509RevocationMode.NoCheck :
-                    _tcpOptions.TlsOptions.RevocationMode,
+                CertificateRevocationCheckMode = _tcpOptions.TlsOptions.IgnoreCertificateRevocationErrors ? X509RevocationMode.NoCheck : _tcpOptions.TlsOptions.RevocationMode,
                 TargetHost = targetHost,
                 CipherSuitesPolicy = _tcpOptions.TlsOptions.CipherSuitesPolicy,
                 EncryptionPolicy = _tcpOptions.TlsOptions.EncryptionPolicy,
@@ -126,14 +124,11 @@ public async Task ConnectAsync(CancellationToken cancellationToken)
 #if NET7_0_OR_GREATER
             if (_tcpOptions.TlsOptions.TrustChain?.Count > 0)
             {
-                X509Certificate2Collection caCerts = _tcpOptions.TlsOptions.TrustChain;
                 sslOptions.CertificateChainPolicy = new X509ChainPolicy();
                 sslOptions.CertificateChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
-                sslOptions.CertificateChainPolicy.RevocationMode = _tcpOptions.TlsOptions.RevocationMode;
-                foreach (X509Certificate2 cert in caCerts)
-                {
-                    sslOptions.CertificateChainPolicy.CustomTrustStore.Add(cert);
-                }
+                sslOptions.CertificateChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreEndRevocationUnknown;
+                sslOptions.CertificateChainPolicy.RevocationMode = _tcpOptions.TlsOptions.IgnoreCertificateRevocationErrors ? X509RevocationMode.NoCheck : _tcpOptions.TlsOptions.RevocationMode;
+                sslOptions.CertificateChainPolicy.CustomTrustStore.AddRange(_tcpOptions.TlsOptions.TrustChain);
             }
 #endif
 
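Review bot: The added `sslOptions.CertificateChainPolicy.VerificationFlags = X509VerificationFlags.IgnoreEndRevocationUnknown;` line applies unconditionally whenever a TrustChain is configured, so a caller that sets `RevocationMode` to `Online` and leaves `IgnoreCertificateRevocationErrors` false now gets soft-fail revocation for the leaf certificate: an unreachable or absent CRL/OCSP endpoint no longer fails the handshake, and nothing in this branch records that the status was unknown. The flag names only the end-entity certificate, so a custom chain whose intermediates publish no revocation endpoint will presumably still fail, which makes the resulting behaviour hard to predict from the options alone. Consider gating the flag on an explicit opt-in in the TLS options rather than enabling it for every custom trust chain, and at least document the choice on that line: `// Soft-fail: an unknown revocation status for the end-entity cert is accepted (the CA may publish no CRL/OCSP endpoint); this flag does not cover intermediates.`. The `RevocationMode` ternary on the following added line duplicates the one introduced in the first MqttTcpChannel.cs hunk; computing it once into a local before the `#if` keeps the two in step. ConnectAsync begins before this hunk and continues after it.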