Description
On Linux, .NET’s certificate validation (OpenSSL-based) appears to use only the first CRL Distribution Point (CDP) in the certificate. If that URL is unreachable/down, the entire revocation check fails, even when additional CDP endpoints are present on the certificate. This causes unnecessary hard failures and reduces resiliency.
Reproduction Steps
Use a certificate that has multiple CRL Distribution Points (CDP A – primary, CDP B – secondary).
Make CDP A unreachable (simulate network block or HTTP 5xx).
Build an X509Chain in .NET on Linux with revocation enabled:
    var chain = new X509Chain
    {
        ChainPolicy =
        {
            RevocationMode = X509RevocationMode.Online,
            RevocationFlag = X509RevocationFlag.EntireChain
        }
    };
    var ok = chain.Build(cert);
Observe that the chain build fails due to the CRL download failure, even though CDP B is present.
Expected behavior
Iterate over all CDP URLs in the order provided on the certificate.
Stop at the first successful fetch/valid CRL.
Maintain a short-lived cache of failed CDP endpoints (e.g. static dictionary with TTL) to avoid repeatedly calling an endpoint that is currently down.
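To make the expected behavior concrete, here is an added sketch (not .NET's chain-engine code, and not something X509Chain can be configured to use) of the in-order CDP iteration plus failed-endpoint TTL cache described above. CrlFetcher, FetchFirstReachableAsync and the five-minute TTL are hypothetical choices, and the returned bytes are raw CRL data that still has to be signature- and validity-checked against the issuer before it is trusted.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;

// Hypothetical helper illustrating the requested fallback logic; not part of .NET.
public static class CrlFetcher
{
    // Endpoint -> time until which it is treated as down (the short-lived failure cache).
    private static readonly ConcurrentDictionary<Uri, DateTimeOffset> FailedUntil = new();
    private static readonly TimeSpan FailureTtl = TimeSpan.FromMinutes(5); // assumed TTL
    private static readonly HttpClient Http = new() { Timeout = TimeSpan.FromSeconds(10) };

    // Tries each CDP in the order given on the certificate and returns the body of the
    // first successful download, or null when every endpoint failed or is cached as down.
    // Unreachable hosts, timeouts and HTTP 5xx responses all count as failures.
    public static async Task<byte[]?> FetchFirstReachableAsync(IReadOnlyList<Uri> cdps)
    {
        foreach (var cdp in cdps)
        {
            if (FailedUntil.TryGetValue(cdp, out var until) && until > DateTimeOffset.UtcNow)
                continue; // failed recently: skip it until the TTL expires

            try
            {
                using var resp = await Http.GetAsync(cdp);
                if (resp.IsSuccessStatusCode)
                {
                    FailedUntil.TryRemove(cdp, out _); // endpoint is healthy again
                    return await resp.Content.ReadAsByteArrayAsync();
                }
            }
            catch (HttpRequestException) { }   // DNS/connect/TLS failure
            catch (TaskCanceledException) { }  // request timed out

            // Record the failure so the next caller moves straight to the next CDP.
            FailedUntil[cdp] = DateTimeOffset.UtcNow + FailureTtl;
        }
        return null; // caller decides whether "no CRL" is a hard failure (e.g. EntireChain)
    }
}
```

A null result is the case the issue describes today after a single failed endpoint; with this ordering it only occurs once every listed CDP has failed or is cached as down.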
Actual behavior
Only the first CDP endpoint is called.
If it fails, revocation check fails even though alternative CDPs are available.
Regression?
No
Known Workarounds
None
Configuration
.NET (Core) on Linux
Using default OpenSSL-backed chain engine
Other information
Why this matters:
In environments where a primary CRL endpoint is fronted by a CDN or may be temporarily unavailable, the current behavior turns a transient CDP issue into a hard revocation failure for all .NET Core/Linux workloads.