From 98666dff27da455cd74346c8d1e3176a8162fd4e Mon Sep 17 00:00:00 2001 From: Radek Zikmund <32671551+rzikm@users.noreply.github.com> Date: Wed, 16 Mar 2022 10:30:16 +0100 Subject: [PATCH 1/3] Update docs for SslCertificateTrust with changes in .NET 7 Changes implemented in https://github.com/dotnet/runtime/pull/65195 --- xml/System.Net.Security/SslCertificateTrust.xml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/xml/System.Net.Security/SslCertificateTrust.xml b/xml/System.Net.Security/SslCertificateTrust.xml index ebf049773ca..b520df0bd57 100644 --- a/xml/System.Net.Security/SslCertificateTrust.xml +++ b/xml/System.Net.Security/SslCertificateTrust.xml @@ -55,13 +55,18 @@ ## Remarks -If the `sendTrustInHandshake` argument is `true`, the client can use the list of trusted certificate authorities from the server to select an appropriate client certificate. In .NET 6, the list is only sent on Windows, and it depends on a registry setting. +If the `sendTrustInHandshake` argument is `true`, the client can use the list of trusted certificate authorities from the server to select an appropriate client certificate. Sending trusted issuers list is not supported for `SslCertificateTrust` instances created using the `SslCertificaetTrust.CreateForX509Collection` is not supported in .NET 6. + +Since .NET 7, the sending trusted issuers list is supported on Linux and OSX platforms. > [!WARNING] > The list of trusted CAs increases the size of the handshake message. It could also be viewed as an information leak about the system's configuration. For these reasons, we recommend setting `sendTrustInHandshake` to `false`. ]]> + + is and the current platform does not support sending trusted issuers list in handshake. + 
@@ -94,13 +99,16 @@ If the `sendTrustInHandshake` argument is `true`, the client can use the list of ## Remarks -If the `sendTrustInHandshake` argument is `true`, the client can use the list of trusted certificate authorities from the server to select an appropriate client certificate. In .NET 6, the list is only sent on Windows, and it depends on a registry setting. +If the `sendTrustInHandshake` argument is `true`, the client can use the list of trusted certificate authorities from the server to select an appropriate client certificate. In .NET 6, the list is only sent on Windows, and it depends on the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendTrustedIssuerList" registry setting being set to 1. Since .NET 7, the list is sent on Linux and OSX platforms as well. > [!WARNING] > The list of trusted CAs increases the size of the handshake message. It could also be viewed as an information leak about the system's configuration. For these reasons, we recommend setting `sendTrustInHandshake` to `false`. ]]> + + is and the current platform does not support sending trusted issuers list in handshake, or (on Windows) the 's location is not . + From 578c295e31de34026c19a10da495e796a29f5d23 Mon Sep 17 00:00:00 2001 From: Radek Zikmund <32671551+rzikm@users.noreply.github.com> Date: Wed, 16 Mar 2022 10:48:20 +0100 Subject: [PATCH 2/3] Fix build errors --- xml/System.Net.Security/SslCertificateTrust.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xml/System.Net.Security/SslCertificateTrust.xml b/xml/System.Net.Security/SslCertificateTrust.xml index b520df0bd57..d114c1b5891 100644 --- a/xml/System.Net.Security/SslCertificateTrust.xml +++ b/xml/System.Net.Security/SslCertificateTrust.xml 
@@ -65,7 +65,7 @@ Since .NET 7, the sending trusted issuers list is supported on Linux and OSX pla ]]> - is and the current platform does not support sending trusted issuers list in handshake. + is and the current platform does not support sending trusted issuers list in handshake. @@ -107,7 +107,7 @@ If the `sendTrustInHandshake` argument is `true`, the client can use the list of ]]> - is and the current platform does not support sending trusted issuers list in handshake, or (on Windows) the 's location is not . + is and the current platform does not support sending trusted issuers list in handshake, or (on Windows) the 's location is not . From 19cfb62ad41e6c4e7d154684340509577a052e98 Mon Sep 17 00:00:00 2001 From: Radek Zikmund <32671551+rzikm@users.noreply.github.com> Date: Wed, 16 Mar 2022 12:31:38 +0100 Subject: [PATCH 3/3] Fix wording MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Marie Píchová <11718369+ManickaP@users.noreply.github.com> --- xml/System.Net.Security/SslCertificateTrust.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xml/System.Net.Security/SslCertificateTrust.xml b/xml/System.Net.Security/SslCertificateTrust.xml index d114c1b5891..c9602f25487 100644 --- a/xml/System.Net.Security/SslCertificateTrust.xml +++ b/xml/System.Net.Security/SslCertificateTrust.xml 
@@ -55,7 +55,7 @@ ## Remarks -If the `sendTrustInHandshake` argument is `true`, the client can use the list of trusted certificate authorities from the server to select an appropriate client certificate. Sending trusted issuers list is not supported for `SslCertificateTrust` instances created using the `SslCertificaetTrust.CreateForX509Collection` is not supported in .NET 6. +If the `sendTrustInHandshake` argument is `true`, the client can use the list of trusted certificate authorities from the server to select an appropriate client certificate. Sending trusted issuers list is not supported for `SslCertificateTrust` instances created using the `SslCertificaetTrust.CreateForX509Collection` in .NET 6. Since .NET 7, the sending trusted issuers list is supported on Linux and OSX platforms.
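Review bot: In the first hunk of patch 1 (@@ -55,13 +55,18), the replacement remark has a misspelled type name and a doubled predicate: `SslCertificaetTrust.CreateForX509Collection` should be `SslCertificateTrust.CreateForX509Collection`, and "Sending trusted issuers list is not supported for ... is not supported in .NET 6" says "is not supported" twice. Suggest: "In .NET 6, sending the trusted issuers list is not supported for `SslCertificateTrust` instances created with `SslCertificateTrust.CreateForX509Collection`." The new paragraph "Since .NET 7, the sending trusted issuers list is supported on Linux and OSX platforms." should drop "the" before "sending", and it should say whether the restriction on collection-created instances is also lifted in .NET 7, because the exception text added below this hunk only names the unsupported-platform case. The hunk also deletes the .NET 6 sentence about the Windows registry dependency; if that setting still governs this overload on Windows, keep the sentence rather than silently dropping it.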
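Review bot: In the second hunk of patch 1 (@@ -94,13 +99,16), the remark now spells out the registry path `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendTrustedIssuerList` and that it must be set to 1, but not what the caller observes when the value is absent or 0: whether the list is silently omitted from the handshake or the constructor throws. The added exception paragraph covers only the unsupported-platform case and the Windows store-location case, so the registry case is left undocumented; state it in one place or the other. Keeping the WARNING block is right, and it matters more now that the sentence above tells readers exactly how to switch the behaviour on: the issuer list still enlarges the handshake and discloses the server's trust configuration to any client that connects, before that client has authenticated.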
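Review bot: In patch 2 (@@ -65,7 +65,7, and likewise @@ -107,7 +107,7), the removed and added lines read identically in the rendered text ("is and the current platform does not support sending trusted issuers list in handshake"), so the build fix must be in markup that is not visible here, presumably the element between "is" and "and" (a `<see>`-style reference is my guess, not something the hunk shows). The commit message "Fix build errors" should name the error and the element that was corrected so the change can be verified in review. Since patch 3 touches the same two lines again, consider squashing both fixups into patch 1; neither leaves the file in an independently useful intermediate state.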
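Review bot: In patch 3 (@@ -55,7 +55,7), the duplicated "is not supported" is removed, but the misspelled type name in `SslCertificaetTrust.CreateForX509Collection` survives into the final text, and "the sending trusted issuers list is supported" still reads awkwardly. Suggested final wording for the two sentences: "In .NET 6, sending the trusted issuers list is not supported for `SslCertificateTrust` instances created with `SslCertificateTrust.CreateForX509Collection`. Starting with .NET 7, sending the list is also supported on Linux and macOS." As a style point, "macOS" rather than "OSX" matches current platform naming; the second hunk of patch 1 uses "OSX" as well and should be changed to match.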