From 6584a5968f9b57e2cbce3c864dd0dc7b289f693a Mon Sep 17 00:00:00 2001
From: Radek Zikmund <32671551+rzikm@users.noreply.github.com>
Date: Tue, 16 Jan 2024 22:34:48 +0100
Subject: [PATCH] Don't shorten OCSP expriation on failed server OCSP fetch (#96972)

* Don't shorten OCSP expriation on failed server OCSP fetch

* Code review feedback
---
 .../Net/Security/SslStreamCertificateContext.Linux.cs | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs
index f9f4fbc6e6151..b62030a0c1df1 100644
--- a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs
+++ b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs
@@ -282,11 +282,10 @@ partial void AddRootCertificate(X509Certificate2? rootCertificate, ref bool tran
 _pendingDownload = null;
 if (ret == null)
 {
- // all download attempts failed, don't try again for 5 seconds.
- // Note that if server does not send OCSP staples, clients may still
- // contact OCSP responders directly.
+ // All download attempts failed, don't try again for 5 seconds.
+ // This backoff will be applied only if the OCSP staple is not expired.
+ // If it is expired, we will force-refresh it during next GetOcspResponseAsync call.
 _nextDownload = DateTimeOffset.UtcNow.AddSeconds(5);
- _ocspExpiration = _nextDownload;
 }
 return ret;
 }
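Review bot: The new comment on the `+` lines promises that the backoff is skipped and a refresh is forced once the staple has expired, but nothing in this hunk enforces that; `_nextDownload` is set unconditionally and the guarding condition presumably lives in GetOcspResponseAsync, outside the hunk, so this comment can drift from it unnoticed. Consider naming the guard it depends on, e.g. `// Only honored while the current staple is still valid; GetOcspResponseAsync ignores _nextDownload once _ocspExpiration has passed.` The literal in `_nextDownload = DateTimeOffset.UtcNow.AddSeconds(5);` decides how often a failing responder is re-contacted; a named field such as `private static readonly TimeSpan s_ocspRetryDelay = TimeSpan.FromSeconds(5);` would document the knob and keep it in one place. Removing `_ocspExpiration = _nextDownload;` means a still-valid staple keeps being served through a responder outage instead of being treated as expired after 5 seconds, which is the stated intent; whether any other path still shortens `_ocspExpiration` on failure cannot be seen from this hunk. The enclosing method begins outside the hunk.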