
Disable AIA certificate downloads for server client-cert validation by default#125049

Merged
rzikm merged 6 commits intodotnet:mainfrom
rzikm:server-aia-default-disable
Mar 9, 2026

Conversation


@rzikm rzikm commented Mar 2, 2026

During the TLS handshake, peers should include all intermediate certificates necessary for the other side to perform certificate validation. If intermediates are not sent, it is possible for the receiver to look them up and download them using the Authority Information Access (AIA) extension.

This behavior is not desirable on server side for multiple reasons:

  • performance - the AIA server may be slow or plainly unresponsive; performing network I/O as part of certificate validation slows down the handshake.
  • security - the server makes outbound HTTP GET requests to a client-provided endpoint.

This PR changes the default behavior of server SslStream instances to disable intermediate cert downloading using AIA by default. Scenarios where the user passes a custom X509ChainPolicy are not affected.

This change may break scenarios where the client and/or server is not properly configured, meaning either:

  • the client does not send the necessary intermediates in the handshake (they were not provided to SslStream in SslStreamCertificateContext, or they are not present in the intermediate CA store on the machine)
  • the server does not have the necessary intermediate certificates in the CA store.

The actions to be taken by affected users are one of:

  • configure the server auth options with an X509ChainPolicy whose ExtraStore contains the necessary intermediates. Note that you should also specify DisableCertificateDownloads = true on the policy, as the default is false
  • (not recommended) specify an X509ChainPolicy that allows AIA downloads (DisableCertificateDownloads = false)
  • install the CA certificates into the proper certificate store, so they can be looked up when building the outbound cert chain (client) or when validating the client cert (server)
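The configuration the remediation list above describes, written out as an added example (this is not code from the PR or from dotnet/runtime): the server passes a custom X509ChainPolicy with ExtraStore populated and DisableCertificateDownloads set, the client ships its intermediates in an SslStreamCertificateContext so the server never needs AIA, and the compat switch from the commit message is shown as the discouraged escape hatch. The certificate objects, the NoCheck revocation mode and the validation-callback behaviour are assumptions for illustration; the API members used (CertificateChainPolicy, ClientCertificateContext, SslStreamCertificateContext.Create) are existing .NET APIs.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example (not code from the PR): wiring SslStream so neither peer depends on
// AIA fetches. Certificate objects are assumed to be loaded by the caller.
public static class NoAiaTlsConfig
{
    // Server: validate client certificates using only the intermediates we ship
    // ourselves, and never issue an outbound HTTP GET for a missing one.
    public static SslServerAuthenticationOptions CreateServerOptions(
        X509Certificate2 serverCert,
        X509Certificate2Collection knownIntermediates)
    {
        var policy = new X509ChainPolicy
        {
            // Passing a custom policy opts out of the new server default, so this must be
            // set explicitly; a fresh X509ChainPolicy defaults to false.
            DisableCertificateDownloads = true,
            // A fresh X509ChainPolicy also defaults to Online revocation checking, which is
            // its own network round-trip. Choose the mode deliberately (assumption here:
            // revocation is handled elsewhere in the deployment).
            RevocationMode = X509RevocationMode.NoCheck,
        };
        policy.ExtraStore.AddRange(knownIntermediates);

        return new SslServerAuthenticationOptions
        {
            ServerCertificate = serverCert,
            ClientCertificateRequired = true,
            CertificateChainPolicy = policy,
            RemoteCertificateValidationCallback = ValidateClientCertificate,
        };
    }

    // With downloads disabled, a client that omits its intermediates (and whose issuer is
    // not in ExtraStore or the machine's CA store) shows up as PartialChain here instead of
    // triggering a fetch. Fail closed; do not "fix" the break by returning true.
    private static bool ValidateClientCertificate(
        object sender, X509Certificate? certificate, X509Chain? chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        if (chain is not null)
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                if (status.Status.HasFlag(X509ChainStatusFlags.PartialChain))
                    Console.Error.WriteLine("client chain incomplete; peer must send its intermediates");
            }
        }
        return false;
    }

    // Client: attach the intermediates to the certificate context so they are sent in the
    // handshake. offline: true also keeps the client from doing AIA fetches while it builds
    // its own chain.
    public static SslClientAuthenticationOptions CreateClientOptions(
        string targetHost,
        X509Certificate2 clientCert,
        X509Certificate2Collection intermediates)
    {
        var context = SslStreamCertificateContext.Create(clientCert, intermediates, offline: true);
        return new SslClientAuthenticationOptions
        {
            TargetHost = targetHost,
            ClientCertificateContext = context,
        };
    }

    // Escape hatch named in the commit message: restore the previous server behavior
    // process-wide. Set it before any SslStream is created (assumption: the switch is read
    // once and cached, as AppContext compat switches typically are). Not recommended.
    public static void OptBackIntoServerAiaDownloads()
        => AppContext.SetSwitch("System.Net.Security.EnableServerAIADownloads", true);
}
```

The point worth noting is that supplying a custom X509ChainPolicy replaces the whole default policy, not just the download setting: you take ownership of RevocationMode, ExtraStore and the rest, which is why the PR's description tells you to set DisableCertificateDownloads = true yourself.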

…y default

When SslStream operates as a server validating client certificates and no
custom X509ChainPolicy has been provided by the user, set
DisableCertificateDownloads to true on the chain policy. This prevents
the server from making outbound HTTP requests to download intermediate
certificates via AIA extensions.

Add compat switch System.Net.Security.EnableServerAIADownloads and
environment variable DOTNET_SYSTEM_NET_SECURITY_ENABLESERVERAIADOWNLOADS
to opt back into the previous behavior.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 2, 2026 13:32

Copilot AI left a comment


Pull request overview

Updates SslStream server-side client-certificate validation to avoid outbound intermediate-certificate downloads (AIA) by default when the user hasn’t provided a custom X509ChainPolicy, with a compat switch/env-var opt-out.

Changes:

  • Add System.Net.Security.EnableServerAIADownloads (AppContext) / DOTNET_SYSTEM_NET_SECURITY_ENABLESERVERAIADOWNLOADS (env var) switch plumbing.
  • When acting as a server and using the default chain policy, set chain.ChainPolicy.DisableCertificateDownloads = true during remote certificate validation.
  • Add a functional test validating the default behavior and the AppContext compat switch.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
src/libraries/System.Net.Security/src/System/Net/Security/SslStream.Protocol.cs Adds compat switch handling and applies DisableCertificateDownloads on server-side default chain policy.
src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamRemoteExecutorTests.cs Adds RemoteExecutor-based functional coverage for default behavior and AppContext switch.

rzikm and others added 2 commits March 2, 2026 15:22
…disable

# Conflicts:
#	src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamRemoteExecutorTests.cs
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@rzikm rzikm requested review from a team and Copilot March 2, 2026 16:11

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

@rzikm rzikm added the breaking-change Issue or PR that represents a breaking API or functional change over a previous release. label Mar 2, 2026
@dotnet-policy-service dotnet-policy-service bot added the needs-breaking-change-doc-created Breaking changes need an issue opened with https://github.com/dotnet/docs/issues/new?template=dotnet label Mar 2, 2026
@dotnet-policy-service

Added needs-breaking-change-doc-created label because this PR has the breaking-change label.

When you commit this breaking change:

  1. Create a matching issue in the dotnet/docs repo using the breaking change documentation template, link it to this PR and the issue, then remove this needs-breaking-change-doc-created label.
  2. Ask a committer to mail the .NET Breaking Change Notification DL.

Tagging @dotnet/compat for awareness of the breaking change.

…tream.Protocol.cs

Co-authored-by: Jeremy Barton <jbarton@microsoft.com>
Copilot AI review requested due to automatic review settings March 6, 2026 06:44
@rzikm rzikm enabled auto-merge (squash) March 6, 2026 06:45

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.


Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 6, 2026 11:19

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.


@rzikm rzikm merged commit bd3fd16 into dotnet:main Mar 9, 2026
86 of 90 checks passed
@github-actions

github-actions bot commented Mar 9, 2026

📋 Breaking Change Documentation Required

Create a breaking change issue with AI-generated content

Generated by Breaking Change Documentation Tool - 2026-03-09 09:15:07


Labels

area-System.Net.Security breaking-change Issue or PR that represents a breaking API or functional change over a previous release. needs-breaking-change-doc-created Breaking changes need an issue opened with https://github.com/dotnet/docs/issues/new?template=dotnet

5 participants