Skip to content

Fix connecting with VerifyCA and VerifyFull#5944

Merged
vonzshik merged 10 commits intomainfrom
5942-ssl-verify-revocation-check-fix
Nov 20, 2024
Merged

Fix connecting with VerifyCA and VerifyFull#5944
vonzshik merged 10 commits intomainfrom
5942-ssl-verify-revocation-check-fix

Conversation

@vonzshik
Copy link
Contributor

@vonzshik vonzshik commented Nov 20, 2024

Fixes #5942

@vonzshik vonzshik requested a review from roji as a code owner November 20, 2024 05:23
@vonzshik vonzshik changed the title 5942 ssl verify revocation check fix Fix connecting with VerifyCA and VerifyFull Nov 20, 2024
@vonzshik vonzshik merged commit 2b013ed into main Nov 20, 2024
@vonzshik vonzshik deleted the 5942-ssl-verify-revocation-check-fix branch November 20, 2024 17:29
vonzshik added a commit that referenced this pull request Nov 20, 2024
@vonzshik
Fix connecting with VerifyCA and VerifyFull (#5944)
47ee78b 
Fixes #5942

(cherry picked from commit 2b013ed)
@vonzshik
Copy link
Contributor Author

vonzshik commented Nov 20, 2024

Backported to 9.0.2 via 47ee78b

bartonjs
bartonjs reviewed Nov 21, 2024
View reviewed changes
src/Npgsql/Internal/NpgsqlConnector.cs
ClientCertificates = clientCertificates,
EnabledSslProtocols = SslProtocols.None,
CertificateRevocationCheckMode = checkCertificateRevocation ? X509RevocationMode.Online : X509RevocationMode.Offline,
CertificateRevocationCheckMode = checkCertificateRevocation ? X509RevocationMode.Online : X509RevocationMode.NoCheck,
Copy link

@bartonjs bartonjs Nov 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just in case this was a "we changed this line of code, but don't know why it solved the problem":

RevocationMode.Online is basically bool? revoked = CheckCachedRevocation() ?? DownloadAndCacheRevocation(); where the null state is "OfflineRevocation | RevocationUnknown")

RevocationMode.Offline is just CheckCachedRevocation().

So Offline only works if anyone ever did Online (or somehow seeded the cache via different means). It's... basically... never the right answer.

Since Online checks the cache first, it's more "Online possible", vs "live". If you're talking to the same host repeatedly, it's functionally the same as Offline, but without the errors.

Copy link
Contributor Author

@vonzshik vonzshik Nov 21, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm mostly confused as to why I used X509RevocationMode.Offline in the first place. Just looking at the previous implementation, we passed false to check for certificate revocation to SslStream, and in turn that passes X509RevocationMode.NoCheck, so I should have done the exact same thing...

This was referenced Nov 23, 2025
Merged
Merged
Merged
Closed
Closed
Closed
Closed
Merged
Closed
Closed
Closed
Merged
This was referenced Jan 5, 2026
Merged
Closed
Closed
Closed
Closed
Closed
Merged
This was referenced Jan 12, 2026
Closed
Closed
Closed
This was referenced Jan 19, 2026
Open
Open
Merged
Closed
This was referenced Jan 30, 2026
Open
Open
Closed
Merged
Merged
This was referenced Feb 9, 2026
Closed
Open
This was referenced Feb 20, 2026
Merged
Merged
This was referenced Mar 2, 2026
Closed
Open
Closed
Closed
Closed
Open
@dependabot dependabot bot mentioned this pull request Mar 9, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@roji roji roji approved these changes

+1 more reviewer

@bartonjs bartonjs bartonjs left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

SSL Mode=VerifyFull fails since 9.0.1

3 participants

@vonzshik @roji @bartonjs