From 7f1516925c6165b4ff21aa967f33477b32a41334 Mon Sep 17 00:00:00 2001
From: Radek Zikmund
Date: Mon, 23 Jun 2025 09:58:27 +0200
Subject: [PATCH 1/4] Log cert validation errors
---
 ...ttpClientHandlerTest.ServerCertificates.cs | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs b/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs
index c8f581179ab042..91ebdfa50cce8a 100644
--- a/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs
+++ b/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs
@@ -267,6 +267,27 @@ private async Task UseCallback_BadCertificate_ExpectedPolicyErrors_Helper(string
 handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
 {
+ if (chain != null)
+ {
+ for (int i = 0; i < chain.ChainElements.Count; i++)
+ {
+ var element = chain.ChainElements[i];
+ _output.WriteLine($"Certificate {i}:");
+ _output.WriteLine(element.Certificate.ToString(true));
+ foreach (var status in element.ChainElementStatus)
+ {
+ _output.WriteLine($" Status: {status.Status}");
+ if (status.StatusInformation.Length > 0)
+ {
+ _output.WriteLine($" Status Information: {status.StatusInformation}");
+ }
+ }
+ _output.WriteLine("");
+ }
+ }
+ _output.WriteLine($"SSL Policy Errors: {errors}");
+
 callbackCalled = true;
 Assert.NotNull(request);
 Assert.NotNull(cert);
From dd36215001b12a79199f4fb1050908bcb466284a Mon Sep 17 00:00:00 2001
From: Radek Zikmund
Date: Mon, 23 Jun 2025 11:59:23 +0200
Subject: [PATCH 2/4] Add a test server
---
 .../System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs | 1 +
 1 file changed, 1 insertion(+)
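Review bot: `if (status.StatusInformation.Length > 0)` throws a NullReferenceException if the platform ever hands back a null `StatusInformation`; I cannot confirm from this hunk that every platform populates it, and a crash inside the diagnostic path would hide the chain failure the logging is meant to expose, so `if (!string.IsNullOrEmpty(status.StatusInformation))` is the safer guard. `element.Certificate.ToString(true)` dumps the full certificate (public key and all extensions) per chain element, which is fine while chasing this failure but is dozens of lines per element; once the investigation is done a one-line summary of `Subject`, `Issuer`, `NotAfter` and `Thumbprint` would keep the test log readable. The callback and `UseCallback_BadCertificate_ExpectedPolicyErrors_Helper` continue outside the hunk.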
diff --git a/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs b/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs
index 91ebdfa50cce8a..7b917bd452ba6b 100644
--- a/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs
+++ b/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs
@@ -256,6 +256,7 @@ public async Task NoCallback_RevokedCertificate_RevocationChecking_Fails()
 {
 new object[] { Configuration.Http.ExpiredCertRemoteServer, SslPolicyErrors.RemoteCertificateChainErrors },
 new object[] { Configuration.Http.WrongHostNameCertRemoteServer , SslPolicyErrors.RemoteCertificateNameMismatch},
+ new object[] { "https://smartermail.emclient.com/", SslPolicyErrors.None},
 };
 private async Task UseCallback_BadCertificate_ExpectedPolicyErrors_Helper(string url, string useHttp2String, SslPolicyErrors expectedErrors)
From fa01c644bdd14fa0a5bf0cb48204c4b5ed7f5f7b Mon Sep 17 00:00:00 2001
From: Radek Zikmund
Date: Mon, 23 Jun 2025 15:55:03 +0200
Subject: [PATCH 3/4] Apply fix from https://github.com/dotnet/corefx/pull/22305
---
 ...ttpClientHandlerTest.ServerCertificates.cs | 24 +++++--------------
 1 file changed, 6 insertions(+), 18 deletions(-)
diff --git a/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs b/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs
index 7b917bd452ba6b..916b77568d4513 100644
--- a/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs
+++ b/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs
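Review bot: The new member-data row targets `https://smartermail.emclient.com/`, a third-party production host, while the neighbouring rows use the project-controlled `Configuration.Http.*RemoteServer` endpoints. Expecting `SslPolicyErrors.None` from a server the project does not operate ties the test outcome to that operator's certificate, chain and revocation setup, so it can start failing (or passing) for reasons unrelated to the code under test; it reads as a reproduction probe for the reported failure rather than a permanent fixture. If it is meant to stay, route it through a `Configuration.Http` setting like the other rows so it can be pointed at a controlled server or disabled per environment; if it is temporary, it should not remain in the final series. The array initializer and `UseCallback_BadCertificate_ExpectedPolicyErrors_Helper` continue outside the hunk.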
@@ -268,27 +268,15 @@ private async Task UseCallback_BadCertificate_ExpectedPolicyErrors_Helper(string
 handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
 {
- if (chain != null)
+ // https://github.com/dotnet/corefx/issues/21922#issuecomment-315555237
+ X509ChainStatusFlags flags = chain.ChainStatus.Aggregate(X509ChainStatusFlags.NoError, (cur, status) => cur | status.Status);
+ if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX) &&
+ flags == X509ChainStatusFlags.RevocationStatusUnknown &&
+ handler.CheckCertificateRevocationList)
 {
- for (int i = 0; i < chain.ChainElements.Count; i++)
- {
- var element = chain.ChainElements[i];
- _output.WriteLine($"Certificate {i}:");
- _output.WriteLine(element.Certificate.ToString(true));
- foreach (var status in element.ChainElementStatus)
- {
- _output.WriteLine($" Status: {status.Status}");
- if (status.StatusInformation.Length > 0)
- {
- _output.WriteLine($" Status Information: {status.StatusInformation}");
- }
- }
- _output.WriteLine("");
- }
+ expectedErrors |= SslPolicyErrors.RemoteCertificateChainErrors;
- }
- _output.WriteLine($"SSL Policy Errors: {errors}");
-
 callbackCalled = true;
 Assert.NotNull(request);
 Assert.NotNull(cert);
From 57afee6807444decbf5962d141dcb46e8021d105 Mon Sep 17 00:00:00 2001
From: Radek Zikmund <32671551+rzikm@users.noreply.github.com>
Date: Fri, 27 Jun 2025 07:57:32 +0200
Subject: [PATCH 4/4] Apply suggestions from code review
---
 .../Net/Http/HttpClientHandlerTest.ServerCertificates.cs | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs b/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs
index 916b77568d4513..d027b87f0d86df 100644
--- a/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs
+++ b/src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs
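Review bot: `chain.ChainStatus.Aggregate(...)` dereferences `chain` unconditionally, whereas the code it replaces guarded on `chain != null`; the `ServerCertificateCustomValidationCallback` delegate declares the chain parameter nullable, so if the handler can invoke it without a chain this now fails with a NullReferenceException before the assertions that follow run. A null-tolerant form keeps the intended behaviour: `X509ChainStatusFlags flags = chain?.ChainStatus.Aggregate(X509ChainStatusFlags.NoError, (cur, status) => cur | status.Status) ?? X509ChainStatusFlags.NoError;`. The relaxation is narrow by design, since `flags == X509ChainStatusFlags.RevocationStatusUnknown` (equality, not a flag test) only widens `expectedErrors` when that is the sole status, but the comment above it is just an issue link; a sentence such as `// macOS reports RevocationStatusUnknown as a chain error when revocation checking is requested; accept it so the test still checks the intended policy error` would let a reader understand the exemption without following the link. `UseCallback_BadCertificate_ExpectedPolicyErrors_Helper` continues outside the hunk.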
@@ -256,7 +256,6 @@ public async Task NoCallback_RevokedCertificate_RevocationChecking_Fails()
 {
 new object[] { Configuration.Http.ExpiredCertRemoteServer, SslPolicyErrors.RemoteCertificateChainErrors },
 new object[] { Configuration.Http.WrongHostNameCertRemoteServer , SslPolicyErrors.RemoteCertificateNameMismatch},
- new object[] { "https://smartermail.emclient.com/", SslPolicyErrors.None},
 };
 private async Task UseCallback_BadCertificate_ExpectedPolicyErrors_Helper(string url, string useHttp2String, SslPolicyErrors expectedErrors)
@@ -271,8 +270,7 @@ private async Task UseCallback_BadCertificate_ExpectedPolicyErrors_Helper(string
 // https://github.com/dotnet/corefx/issues/21922#issuecomment-315555237
 X509ChainStatusFlags flags = chain.ChainStatus.Aggregate(X509ChainStatusFlags.NoError, (cur, status) => cur | status.Status);
 if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX) &&
- flags == X509ChainStatusFlags.RevocationStatusUnknown &&
- handler.CheckCertificateRevocationList)
+ flags == X509ChainStatusFlags.RevocationStatusUnknown)
 {
 expectedErrors |= SslPolicyErrors.RemoteCertificateChainErrors;
 }
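Review bot: Dropping `handler.CheckCertificateRevocationList` from the condition means the test now tolerates `RemoteCertificateChainErrors` on macOS whenever the aggregate chain status is `RevocationStatusUnknown`, including runs where revocation checking was never requested, and the remaining comment is only an issue link that does not say why the wider exemption is correct. Presumably the platform reports that status regardless of the handler setting; if so, extend the comment with one sentence, e.g. `// macOS can report RevocationStatusUnknown even when revocation checking is not requested, so tolerate the resulting chain error here and assert only the policy error under test`, so the next reader does not reintroduce the guard. If the exemption is instead meant to be conditional, the guard should come back rather than the comment. The enclosing `UseCallback_BadCertificate_ExpectedPolicyErrors_Helper` body starts and ends outside the hunk.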