[Foundation] Make it possible to customize the X509ChainPolicy when validating certificates in NSUrlSessionHandler. Fixes #23764. #23767

rolfbjarne · 2025-09-08T16:28:38Z

Add a CertificateChainPolicy property to NSUrlSessionHandler to make it
possible for developers to customize the the policy that is used when
validating certificate chains when using a custom server certificate
validation.
Also implement NSUrlSessionHandler.CheckCertificateRevocationList using
the new CertificateChainPolicy property.

…alidating certificates in NSUrlSessionHandler. Fixes #23764. * Add a `CertificateChainPolicy` property to `NSUrlSessionHandler` to make it possible for developers to customize the the policy that is used when validating certificate chains when using a custom server certificate validation. * Also implement `NSUrlSessionHandler.CheckCertificateRevocationList` using the new `CertificateChainPolicy` property. Fixes #23764.

mandel-macaque · 2025-09-08T17:05:46Z

src/Foundation/NSUrlSessionHandler.cs

-		public bool CheckCertificateRevocationList { get; set; } = false;
+		public bool CheckCertificateRevocationList {
+			get => CertificateChainPolicy!.RevocationMode == X509RevocationMode.Online;
+			set => CertificateChainPolicy!.RevocationMode = value ? X509RevocationMode.Online : X509RevocationMode.NoCheck;


Regarding offline mode: 'Revocation checks can only be performed with cached revocation data.'

From https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509revocationmode?view=net-9.0

I don't think we should take care of offline since the usage is tricky. It is usually there to make the happy path faster when we have a value in the cache. I think the documentation of the remarks should be enough to let the user know.

@mandel-macaque I'm not sure if I understand what you're suggesting? This implementation was mostly copied from https://github.com/dotnet/runtime/blob/0e3562e97c6db531f26a2ffe3e8084cf67ba8a93/src/libraries/System.Net.Http/src/System/Net/Http/HttpClientHandler.cs#L326-L335 (I just added a comment explaining this).

Offline mode is basically a trap. Don't use it :)

vs-mobiletools-engineering-service2 · 2025-09-09T08:59:56Z

✅ [CI Build #073820b] Build passed (Build packages) ✅

Pipeline on Agent
Hash: 073820b2d6766667dad1f73d9cc087a2bf9455e9 [PR build]

vs-mobiletools-engineering-service2 · 2025-09-09T09:12:32Z

✅ [PR Build #073820b] Build passed (Detect API changes) ✅

Pipeline on Agent
Hash: 073820b2d6766667dad1f73d9cc087a2bf9455e9 [PR build]

vs-mobiletools-engineering-service2 · 2025-09-09T09:29:49Z

✅ [CI Build #073820b] Build passed (Build macOS tests) ✅

Pipeline on Agent
Hash: 073820b2d6766667dad1f73d9cc087a2bf9455e9 [PR build]

vs-mobiletools-engineering-service2 · 2025-09-09T09:41:02Z

💻 [CI Build #073820b] Tests on macOS X64 - Mac Sonoma (14) passed 💻

✅ All tests on macOS X64 - Mac Sonoma (14) passed.

Pipeline on Agent
Hash: 073820b2d6766667dad1f73d9cc087a2bf9455e9 [PR build]

vs-mobiletools-engineering-service2 · 2025-09-09T09:48:32Z

✅ API diff for current PR / commit

.NET ( No breaking changes )

iOS: vsdrops gist ( No breaking changes )
tvOS: vsdrops gist ( No breaking changes )
MacCatalyst: vsdrops gist ( No breaking changes )
macOS: vsdrops gist ( No breaking changes )

✅ API diff vs stable

.NET ( No breaking changes )

iOS: vsdrops gist ( No breaking changes )
tvOS: vsdrops gist ( No breaking changes )
MacCatalyst: vsdrops gist ( No breaking changes )
macOS: vsdrops gist ( No breaking changes )

ℹ️ Generator diff

Generator Diff: vsdrops (html) vsdrops (raw diff) gist (raw diff) - Please review changes)

Pipeline on Agent
Hash: 073820b2d6766667dad1f73d9cc087a2bf9455e9 [PR build]

vs-mobiletools-engineering-service2 · 2025-09-09T09:48:33Z

💻 [CI Build #073820b] Tests on macOS M1 - Mac Monterey (12) passed 💻

✅ All tests on macOS M1 - Mac Monterey (12) passed.

Pipeline on Agent
Hash: 073820b2d6766667dad1f73d9cc087a2bf9455e9 [PR build]

vs-mobiletools-engineering-service2 · 2025-09-09T09:49:08Z

💻 [CI Build #073820b] Tests on macOS M1 - Mac Ventura (13) passed 💻

✅ All tests on macOS M1 - Mac Ventura (13) passed.

Pipeline on Agent
Hash: 073820b2d6766667dad1f73d9cc087a2bf9455e9 [PR build]

vs-mobiletools-engineering-service2 · 2025-09-09T09:50:05Z

💻 [CI Build #073820b] Tests on macOS arm64 - Mac Sequoia (15) passed 💻

✅ All tests on macOS arm64 - Mac Sequoia (15) passed.

Pipeline on Agent
Hash: 073820b2d6766667dad1f73d9cc087a2bf9455e9 [PR build]

vs-mobiletools-engineering-service2 · 2025-09-09T10:32:43Z

🚀 [CI Build #073820b] Test results 🚀

Test results

✅ All tests passed on VSTS: test results.

🎉 All 115 tests passed 🎉

Tests counts

✅ cecil: All 1 tests passed. Html Report (VSDrops) Download
✅ dotnettests (iOS): All 1 tests passed. Html Report (VSDrops) Download
✅ dotnettests (MacCatalyst): All 1 tests passed. Html Report (VSDrops) Download
✅ dotnettests (macOS): All 1 tests passed. Html Report (VSDrops) Download
✅ dotnettests (Multiple platforms): All 1 tests passed. Html Report (VSDrops) Download
✅ dotnettests (tvOS): All 1 tests passed. Html Report (VSDrops) Download
✅ framework: All 2 tests passed. Html Report (VSDrops) Download
✅ fsharp: All 4 tests passed. Html Report (VSDrops) Download
✅ generator: All 5 tests passed. Html Report (VSDrops) Download
✅ interdependent-binding-projects: All 4 tests passed. Html Report (VSDrops) Download
✅ introspection: All 4 tests passed. Html Report (VSDrops) Download
✅ linker: All 44 tests passed. Html Report (VSDrops) Download
✅ monotouch (iOS): All 8 tests passed. Html Report (VSDrops) Download
✅ monotouch (MacCatalyst): All 11 tests passed. Html Report (VSDrops) Download
✅ monotouch (macOS): All 9 tests passed. Html Report (VSDrops) Download
✅ monotouch (tvOS): All 8 tests passed. Html Report (VSDrops) Download
✅ msbuild: All 2 tests passed. Html Report (VSDrops) Download
✅ windows: All 3 tests passed. Html Report (VSDrops) Download
✅ xcframework: All 4 tests passed. Html Report (VSDrops) Download
✅ xtro: All 1 tests passed. Html Report (VSDrops) Download

Pipeline on Agent
Hash: 073820b2d6766667dad1f73d9cc087a2bf9455e9 [PR build]

vs-mobiletools-engineering-service2 · 2025-09-09T10:41:32Z

🔥 [CI Build #3e4c05e] Test results 🔥

Test results

❌ Tests failed on VSTS: test results

0 tests crashed, 1 tests failed, 114 tests passed.

Failures

❌ monotouch tests (macOS)

1 tests failed, 8 tests passed.

monotouch-test/macOS/Debug (managed static registrar): Failed (Test run failed.
Tests run: 3223 Passed: 3112 Inconclusive: 7 Failed: 1 Ignored: 110)

Html Report (VSDrops) Download

Successes

✅ cecil: All 1 tests passed. Html Report (VSDrops) Download
✅ dotnettests (iOS): All 1 tests passed. Html Report (VSDrops) Download
✅ dotnettests (MacCatalyst): All 1 tests passed. Html Report (VSDrops) Download
✅ dotnettests (macOS): All 1 tests passed. Html Report (VSDrops) Download
✅ dotnettests (Multiple platforms): All 1 tests passed. Html Report (VSDrops) Download
✅ dotnettests (tvOS): All 1 tests passed. Html Report (VSDrops) Download
✅ framework: All 2 tests passed. Html Report (VSDrops) Download
✅ fsharp: All 4 tests passed. Html Report (VSDrops) Download
✅ generator: All 5 tests passed. Html Report (VSDrops) Download
✅ interdependent-binding-projects: All 4 tests passed. Html Report (VSDrops) Download
✅ introspection: All 4 tests passed. Html Report (VSDrops) Download
✅ linker: All 44 tests passed. Html Report (VSDrops) Download
✅ monotouch (iOS): All 8 tests passed. Html Report (VSDrops) Download
✅ monotouch (MacCatalyst): All 11 tests passed. Html Report (VSDrops) Download
✅ monotouch (tvOS): All 8 tests passed. Html Report (VSDrops) Download
✅ msbuild: All 2 tests passed. Html Report (VSDrops) Download
✅ windows: All 3 tests passed. Html Report (VSDrops) Download
✅ xcframework: All 4 tests passed. Html Report (VSDrops) Download
✅ xtro: All 1 tests passed. Html Report (VSDrops) Download

Pipeline on Agent
Hash: 3e4c05e6375256f35ce0c0f581709aa53d8b2ef7 [PR build]

vs-mobiletools-engineering-service2 · 2025-09-09T17:16:08Z

💻 [CI Build #3e4c05e] Tests on macOS arm64 - Mac Sequoia (15) passed 💻

✅ All tests on macOS arm64 - Mac Sequoia (15) passed.

Pipeline on Agent
Hash: 3e4c05e6375256f35ce0c0f581709aa53d8b2ef7 [PR build]

vs-mobiletools-engineering-service2 · 2025-09-09T17:37:17Z

🔥 [CI Build #3e4c05e] Test results 🔥

Test results

❌ Tests failed on VSTS: test results

0 tests crashed, 1 tests failed, 117 tests passed.

Failures

❌ monotouch tests (macOS) [attempt 2]

1 tests failed, 11 tests passed.

monotouch-test/macOS/Debug (ARM64): Failed (Test run failed.
Tests run: 3226 Passed: 3101 Inconclusive: 4 Failed: 1 Ignored: 124)

Html Report (VSDrops) Download

Successes

✅ cecil: All 1 tests passed. Html Report (VSDrops) Download
✅ dotnettests (iOS): All 1 tests passed. Html Report (VSDrops) Download
✅ dotnettests (MacCatalyst): All 1 tests passed. Html Report (VSDrops) Download
✅ dotnettests (macOS): All 1 tests passed. Html Report (VSDrops) Download
✅ dotnettests (Multiple platforms): All 1 tests passed. Html Report (VSDrops) Download
✅ dotnettests (tvOS): All 1 tests passed. Html Report (VSDrops) Download
✅ framework: All 2 tests passed. Html Report (VSDrops) Download
✅ fsharp: All 4 tests passed. Html Report (VSDrops) Download
✅ generator: All 5 tests passed. Html Report (VSDrops) Download
✅ interdependent-binding-projects: All 4 tests passed. Html Report (VSDrops) Download
✅ introspection: All 4 tests passed. Html Report (VSDrops) Download
✅ linker: All 44 tests passed. Html Report (VSDrops) Download
✅ monotouch (iOS): All 8 tests passed. Html Report (VSDrops) Download
✅ monotouch (MacCatalyst): All 11 tests passed. Html Report (VSDrops) Download
✅ monotouch (tvOS): All 8 tests passed. Html Report (VSDrops) Download
✅ msbuild: All 2 tests passed. Html Report (VSDrops) Download
✅ windows: All 3 tests passed. Html Report (VSDrops) Download
✅ xcframework: All 4 tests passed. Html Report (VSDrops) Download
✅ xtro: All 1 tests passed. Html Report (VSDrops) Download

Pipeline on Agent
Hash: 3e4c05e6375256f35ce0c0f581709aa53d8b2ef7 [PR build]

rolfbjarne requested a review from mandel-macaque as a code owner September 8, 2025 16:28

rolfbjarne mentioned this pull request Sep 8, 2025

Regression: NSUrlSessionHandler.ServerCertificateCustomValidationCallback behavior change #23764

Closed

This comment has been minimized.

Sign in to view

mandel-macaque reviewed Sep 8, 2025

View reviewed changes

mandel-macaque approved these changes Sep 8, 2025

View reviewed changes

This comment has been minimized.

Sign in to view

dalexsoto approved these changes Sep 8, 2025

View reviewed changes

This comment has been minimized.

Sign in to view

rolfbjarne added 2 commits September 9, 2025 10:05

tweaks

3e4c05e

ignore unknown revocation status by default.

073820b

This comment has been minimized.

Sign in to view

rolfbjarne merged commit 97d260a into main Sep 9, 2025
44 checks passed

rolfbjarne deleted the dev/rolf/certificatechainpolicy branch September 9, 2025 17:47

[Foundation] Make it possible to customize the X509ChainPolicy when validating certificates in NSUrlSessionHandler. Fixes #23764. #23767

[Foundation] Make it possible to customize the X509ChainPolicy when validating certificates in NSUrlSessionHandler. Fixes #23764. #23767

Uh oh!

Conversation

rolfbjarne commented Sep 8, 2025

Uh oh!

This comment has been minimized.

mandel-macaque Sep 8, 2025

Choose a reason for hiding this comment

Uh oh!

rolfbjarne Sep 9, 2025

Choose a reason for hiding this comment

Uh oh!

bartonjs Sep 9, 2025

Choose a reason for hiding this comment

Uh oh!

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

vs-mobiletools-engineering-service2 commented Sep 9, 2025

✅ [CI Build #073820b] Build passed (Build packages) ✅

Uh oh!

This comment has been minimized.

vs-mobiletools-engineering-service2 commented Sep 9, 2025

✅ [PR Build #073820b] Build passed (Detect API changes) ✅

Uh oh!

This comment has been minimized.

This comment has been minimized.

This comment has been minimized.

vs-mobiletools-engineering-service2 commented Sep 9, 2025

✅ [CI Build #073820b] Build passed (Build macOS tests) ✅

Uh oh!

vs-mobiletools-engineering-service2 commented Sep 9, 2025

💻 [CI Build #073820b] Tests on macOS X64 - Mac Sonoma (14) passed 💻

Uh oh!

vs-mobiletools-engineering-service2 commented Sep 9, 2025

✅ API diff for current PR / commit

✅ API diff vs stable

ℹ️ Generator diff

Uh oh!

vs-mobiletools-engineering-service2 commented Sep 9, 2025

💻 [CI Build #073820b] Tests on macOS M1 - Mac Monterey (12) passed 💻

Uh oh!

vs-mobiletools-engineering-service2 commented Sep 9, 2025

💻 [CI Build #073820b] Tests on macOS M1 - Mac Ventura (13) passed 💻

Uh oh!

vs-mobiletools-engineering-service2 commented Sep 9, 2025

💻 [CI Build #073820b] Tests on macOS arm64 - Mac Sequoia (15) passed 💻

Uh oh!

vs-mobiletools-engineering-service2 commented Sep 9, 2025

🚀 [CI Build #073820b] Test results 🚀

Test results

Tests counts

Uh oh!

vs-mobiletools-engineering-service2 commented Sep 9, 2025

🔥 [CI Build #3e4c05e] Test results 🔥

Test results

Failures

❌ monotouch tests (macOS)

Successes

Uh oh!

vs-mobiletools-engineering-service2 commented Sep 9, 2025

💻 [CI Build #3e4c05e] Tests on macOS arm64 - Mac Sequoia (15) passed 💻

Uh oh!

vs-mobiletools-engineering-service2 commented Sep 9, 2025

🔥 [CI Build #3e4c05e] Test results 🔥

Test results

Failures

❌ monotouch tests (macOS) [attempt 2]

Successes

Uh oh!

Uh oh!