dotnet · simonrozsival · Jun 28, 2024 · Jun 26, 2024 · Jun 26, 2024 · Jun 27, 2024
diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.cs
@@ -56,15 +56,20 @@ internal static SslStreamCertificateContext Create(
 
                 if (trust != null)
                 {
-                    chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
                     if (trust._store != null)
                     {
                         chain.ChainPolicy.CustomTrustStore.AddRange(trust._store.Certificates);
                     }
+
                     if (trust._trustList != null)
                     {
                         chain.ChainPolicy.CustomTrustStore.AddRange(trust._trustList);
                     }
+
+                    if (chain.ChainPolicy.CustomTrustStore.Count > 0)
+                    {
+                        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
+                    }
                 }
 
                 chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
@@ -77,7 +82,7 @@ internal static SslStreamCertificateContext Create(
                     NetEventSource.Error(null, $"Failed to build chain for {target.Subject}");
                 }
 
-                if (!chainStatus && ChainBuildNeedsTrustedRoot && additionalCertificates != null)
+                if (!chainStatus && ChainBuildNeedsTrustedRoot && additionalCertificates?.Count > 0)
                 {
                     // Some platforms like Android may not be able to build the chain unless the chain root is trusted.
                     // We can try to rebuild the chain with making all extra certificates trused.

diff --git a/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamNetworkStreamTest.cs b/src/libraries/System.Net.Security/tests/FunctionalTests/SslStreamNetworkStreamTest.cs
@@ -917,7 +917,6 @@ public async Task SslStream_ClientCertificate_SendsChain()
         [Theory]
         [InlineData(true)]
         [InlineData(false)]
-        [ActiveIssue("https://github.com/dotnet/runtime/issues/68206", TestPlatforms.Android)]
         public async Task SslStream_ClientCertificateContext_SendsChain(bool useTrust)
         {
             (X509Certificate2 clientCertificate, X509Certificate2Collection clientChain) = Configuration.Certificates.GenerateCertificates(nameof(SslStream_ClientCertificateContext_SendsChain), serverCertificate: false);