Triage for dotnet/macios#23764.
Last updated: 2025-05-28_15-42-36
Regression: NSUrlSessionHandler.ServerCertificateCustomValidationCallback behavior change by dotMorten
[Tool] Searching for NSUrlSessionHandler.ServerCertificateCustomValidationCallback regression, SslPolicyErrors RemoteCertificateChainErrors iOS, NSUrlSessionHandler certificate validation behavior change, ServerCertificateCustomValidationCallback net9.0, NSUrlSessionHandler SslPolicyErrors
[Tool] Obtained 1 comments for issue dotnet/macios#23764: Regression: NSUrlSessionHandler.ServerCertificateCustomValidationCallback behavior change
[Tool] Found 19 issues, 29 comments, 26 returned results (4162 ms)
Here are related issues and discussions for dotMorten's issue #116067: "Regression: NSUrlSessionHandler.ServerCertificateCustomValidationCallback behavior change".
1. Issue #85415 - [iOS] An SSL error when sending request to server with self-signed certificate
Summary:
This issue discusses problems with SSL errors on iOS when using self-signed certificates and the ServerCertificateCustomValidationCallback. The discussion covers the need to set NSAllowsArbitraryLoads in the Info.plist and the use of DangerousAcceptAnyServerCertificateValidator. There is also mention of differences in behavior between platforms and the importance of correct Info.plist configuration.
Relevance:
While this issue is about self-signed certificates, it highlights platform-specific differences in how certificate validation is handled, which is relevant to the regression in NSUrlSessionHandler's callback behavior.
2. Issue #75595 - ServerCertificateCustomValidationCallback not called when client certificate used and server uses self sign certificate
Summary:
This issue describes a scenario where the callback is not invoked at all when using client certificates and a self-signed server certificate. The discussion includes workarounds such as adding the CA chain to the store and notes that the callback is only called if the server's CA is trusted.
Relevance:
It demonstrates that the behavior of ServerCertificateCustomValidationCallback can change based on platform and certificate trust, and that regressions or changes in handler behavior are not uncommon.
3. Issue #31255 - .NET Core 2.2 SslPolicyErrors: RemoteCertificateChainErrors
Summary:
This issue discusses receiving RemoteCertificateChainErrors when connecting to an API with a certificate that is not trusted by the system. The discussion clarifies that this is expected if the certificate is not in the trusted store, and suggests using the callback to explicitly trust the certificate.
Relevance:
It provides background on why RemoteCertificateChainErrors might be returned and how this can differ from SslPolicyErrors.None, which is the crux of the regression reported in #116067.
4. Issue #31514 - The remote certificate is invalid according to the validation procedure
Summary:
This issue discusses how to diagnose RemoteCertificateChainErrors by examining the chain.ChainStatus array.
Relevance:
It is relevant for debugging why the error value changed in the callback, as suggested in the regression report.
5. Issue #41381 - Test failure: ...ExpectedPolicyErrors(url: "https://self-signed.badssl.com/", expectedErrors: RemoteCertificateChainErrors)
Summary:
This is a test issue where the expected SslPolicyErrors did not match the actual value, specifically for self-signed certificates. The discussion notes that the error mapping can be tricky and may differ between platforms or handler implementations.
Relevance:
It shows that the mapping of certificate errors to SslPolicyErrors can change, and that this has been a source of test failures and confusion before.
6. Issue #55986 - iOS/tvOS/MacCatalyst: some HttpClientHandler properties behave differently now
Summary:
This issue discusses changes in behavior for HttpClientHandler on iOS, including the support for ServerCertificateValidationCallback.
Relevance:
It is directly relevant to the regression in NSUrlSessionHandler, as it discusses changes in handler property support and behavior on Apple platforms.
7. Issue #666 - SSL RemoteCertificateNameMismatch on MacOS Catalina
Summary:
This issue discusses SSL errors and the mapping of OS-level certificate validation errors to .NET's SslPolicyErrors, noting that changes in the OS or .NET's mapping logic can cause different error values to be reported.
Relevance:
It provides context for why a previously passing test might now return a different SslPolicyErrors value.
8. Issue #46952 - RemoteCertificateNameMismatch when using self signed CA and server certificate on MacOS
Summary:
This issue discusses how certificate validation errors can surface differently on macOS, and how the underlying OS certificate validation can affect .NET's error reporting.
Relevance:
It is relevant for understanding platform-specific changes in certificate validation behavior.
9. Issue #42482 - DangerousAcceptAnyServerCertificateValidator for RemoteCertificateValidationCallback
Summary:
This issue requests a helper for quickly accepting all certificates in SocketsHttpHandler, similar to what exists for HttpClientHandler.
Relevance:
It is tangentially related, as it discusses the API surface for certificate validation callbacks and their intended behaviors.
10. Issue #113971 - Invalid certificate verification on Mac leading to The remote certificate is invalid because of errors in the certificate chain: RevocationStatusUnknown errors
Summary:
This issue discusses a regression in certificate validation on macOS, where certificates that validate on Windows/Linux fail on Mac due to revocation status checks.
Relevance:
It is another example of platform-specific changes/regressions in certificate validation logic.
Additional Notes from #116067 Comments
- The second comment by rolfbjarne provides a distilled console app repro and binlog, confirming the issue is reproducible outside of a test framework and is not specific to the test harness.
Summary
- There is a history of platform-specific differences and regressions in how ServerCertificateCustomValidationCallback and SslPolicyErrors are handled, especially on Apple platforms.
- Several issues document changes in error reporting, the need for correct Info.plist configuration, and the impact of OS-level certificate validation.
- The regression reported in #116067 (change from SslPolicyErrors.None to RemoteCertificateChainErrors for a valid certificate) is consistent with past issues where updates to .NET, the handler, or the underlying OS changed the mapping or evaluation of certificate errors.
- No clear workaround is documented for this specific regression, but related issues suggest examining the certificate chain and OS trust settings, and possibly updating Info.plist or trusting the relevant CA.