Description
SslClientAuthenticationOptions.CertificateRevocationCheckMode and SslServerAuthenticationOptions.CertificateRevocationCheckMode default values have changed from NoCheck to Online. This change enhances security and makes the behavior consistent with X509ChainPolicy.
Version
.NET 10 Preview 6
Previous behavior
SslClientAuthenticationOptions.CertificateRevocationCheckMode and SslServerAuthenticationOptions.CertificateRevocationCheckMode default values were NoCheck.
New behavior
SslClientAuthenticationOptions.CertificateRevocationCheckMode and SslServerAuthenticationOptions.CertificateRevocationCheckMode default values are Online.
Type of breaking change
- Binary incompatible: Existing binaries might encounter a breaking change in behavior, such as failure to load or execute, and if so, require recompilation.
- Source incompatible: When recompiled using the new SDK or component or to target the new runtime, existing source code might require source changes to compile successfully.
- Behavioral change: Existing binaries might behave differently at run time.
Reason for change
Enhancing security and consistency between APIs related to X.509 certificate revocation checking.
Recommended action
If certificate revocation checking is not desired, specify X509RevocationMode.NoCheck explicitly.
In situations where the code may not be modified, previous behavior can be enabled by setting either:
- the System.Net.Security.NoRevocationCheckByDefault AppContext switch to true, or
- the DOTNET_SYSTEM_NET_SECURITY_NOREVOCATIONCHECKBYDEFAULT environment variable to true.
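As an added example (not code from this issue or from the .NET runtime), the following makes the revocation mode explicit on both the SslStream and HttpClient paths, keeps the strict accept/reject decision, and logs the revocation-related chain status flags so an unreachable CRL/OCSP responder is distinguishable from a genuinely bad certificate. The class RevocationConfigExample and its member names are assumptions; the switch name and API names come from the issue.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class RevocationConfigExample
{
    // Set the mode explicitly rather than relying on a default that differs between .NET versions.
    // TargetHost is required when these options are passed to SslStream.AuthenticateAsClientAsync.
    public static SslClientAuthenticationOptions StreamOptions(string host) => new()
    {
        TargetHost = host,
        CertificateRevocationCheckMode = X509RevocationMode.Online,
        RemoteCertificateValidationCallback = ValidateAndLog,
    };

    // Same setting for HttpClient via SocketsHttpHandler; the handler fills TargetHost per request.
    public static HttpClient StrictClient()
    {
        var handler = new SocketsHttpHandler
        {
            SslOptions = new SslClientAuthenticationOptions
            {
                CertificateRevocationCheckMode = X509RevocationMode.Online,
                RemoteCertificateValidationCallback = ValidateAndLog,
            }
        };
        return new HttpClient(handler);
    }

    // Only a clean chain is accepted. On failure, record which chain statuses were revocation-related
    // (Revoked, RevocationStatusUnknown, OfflineRevocation) so operators can tell a revoked cert
    // from a blocked or unreachable revocation endpoint.
    private static bool ValidateAndLog(object sender, X509Certificate? cert, X509Chain? chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        const X509ChainStatusFlags revocationFlags = X509ChainStatusFlags.Revoked
            | X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;
        foreach (var status in chain?.ChainStatus ?? Array.Empty<X509ChainStatus>())
        {
            string tag = (status.Status & revocationFlags) != 0 ? " [revocation]" : "";
            Console.Error.WriteLine($"chain status: {status.Status} ({status.StatusInformation.Trim()}){tag}");
        }
        Console.Error.WriteLine($"TLS validation failed: {errors}");
        return false;
    }

    // Process-wide opt-out for code that cannot be modified; must run before the first SslStream/HttpClient use.
    public static void EnableLegacyDefault() =>
        AppContext.SetSwitch("System.Net.Security.NoRevocationCheckByDefault", true);
}
```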
Feature area
Networking
Affected APIs
SslStream.AuthenticateAsClient
SslStream.AuthenticateAsClientAsync
SslStream.AuthenticateAsServer
SslStream.AuthenticateAsServerAsync
HttpClient - all Send* methods (when using either WinHttpHandler or SocketsHttpClientHandler)