From 174b8c0ab93640d0ed6b94ed3b7d9c16a8301810 Mon Sep 17 00:00:00 2001
From: Radek Zikmund <32671551+rzikm@users.noreply.github.com>
Date: Wed, 10 Jan 2024 18:56:32 +0100
Subject: [PATCH] Recover from failed OCSP download. (#96448)

* Recover from failed OCSP check.

* Add 5s back-off after failed OCSP querry
---
 .../Net/Security/SslStreamCertificateContext.Linux.cs | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs
index 2c01cea48e208..cd3d48b7ab09c 100644
--- a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs
+++ b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs
@@ -266,7 +266,6 @@ partial void AddRootCertificate(X509Certificate2? rootCertificate, ref bool tran
 _ocspResponse = ret;
 _ocspExpiration = expiration;
 _nextDownload = nextCheckA < nextCheckB ? nextCheckA : nextCheckB;
- _pendingDownload = null;
 break;
 }
 }
@@ -279,6 +278,16 @@ partial void AddRootCertificate(X509Certificate2? rootCertificate, ref bool tran
 GC.KeepAlive(_privateIntermediateCertificates);
 GC.KeepAlive(_rootCertificate);
 GC.KeepAlive(caCert);
+
+ _pendingDownload = null;
+ if (ret == null)
+ {
+ // all download attempts failed, don't try again for 5 seconds.
+ // Note that if server does not send OCSP staples, clients may still
+ // contact OCSP responders directly.
+ _nextDownload = DateTimeOffset.UtcNow.AddSeconds(5);
+ _ocspExpiration = _nextDownload;
+ }
 return ret;
 }
 }
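Review bot: In the second hunk, the `ret == null` branch sets `_ocspExpiration = _nextDownload;` unconditionally, so a failed refresh shortens the expiration to five seconds even if `_ocspResponse` still holds an earlier response whose own validity window has not ended; unless the cached response is cleared before a download starts, which this hunk does not show, a still-valid staple would be treated as expired early and every handshake after the 5 s window would trigger another responder query. Consider leaving the expiration alone when a cached response exists, e.g. `if (_ocspResponse is null) { _ocspExpiration = _nextDownload; }`, and keeping only the `_nextDownload` retry delay for the cached case. The fixed `AddSeconds(5)` is a constant retry rate rather than a back-off, so a responder that is down will be re-queried at that rate by every process holding this context; a growing interval with a cap would be gentler on the responder and on handshake latency. The enclosing method starts outside both hunks, so the state of `_ocspResponse` on entry could not be checked here.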