Recover from failed OCSP download. (dotnet#96448)

* Recover from failed OCSP check. * Add 5s back-off after failed OCSP querry
rzikm · Jan 11, 2024 · 174b8c0 · 174b8c0
1 parent df4171f
commit 174b8c0
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/...ibraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs b/...ibraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs
@@ -266,7 +266,6 @@ partial void AddRootCertificate(X509Certificate2? rootCertificate, ref bool tran
                         _ocspResponse = ret;
                         _ocspExpiration = expiration;
                         _nextDownload = nextCheckA < nextCheckB ? nextCheckA : nextCheckB;
-                        _pendingDownload = null;
                         break;
                     }
                 }
@@ -279,6 +278,16 @@ partial void AddRootCertificate(X509Certificate2? rootCertificate, ref bool tran
                 GC.KeepAlive(_privateIntermediateCertificates);
                 GC.KeepAlive(_rootCertificate);
                 GC.KeepAlive(caCert);
+
+                _pendingDownload = null;
+                if (ret == null)
+                {
+                    // all download attempts failed, don't try again for 5 seconds.
+                    // Note that if server does not send OCSP staples, clients may still
+                    // contact OCSP responders directly.
+                    _nextDownload = DateTimeOffset.UtcNow.AddSeconds(5);
+                    _ocspExpiration = _nextDownload;
+                }
                 return ret;
             }
         }