Don't shorten OCSP expriation on failed server OCSP fetch (dotnet#96972)

* Don't shorten OCSP expriation on failed server OCSP fetch * Code review feedback
rzikm · Jan 16, 2024 · cabb320 · cabb320
1 parent 174b8c0
commit cabb320
Showing 1 changed file with 3 additions and 4 deletions.
diff --git a/...ibraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs b/...ibraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs
@@ -282,11 +282,10 @@ partial void AddRootCertificate(X509Certificate2? rootCertificate, ref bool tran
                 _pendingDownload = null;
                 if (ret == null)
                 {
-                    // all download attempts failed, don't try again for 5 seconds.
-                    // Note that if server does not send OCSP staples, clients may still
-                    // contact OCSP responders directly.
+                    // All download attempts failed, don't try again for 5 seconds.
+                    // This backoff will be applied only if the OCSP staple is not expired.
+                    // If it is expired, we will force-refresh it during next GetOcspResponseAsync call.
                     _nextDownload = DateTimeOffset.UtcNow.AddSeconds(5);
-                    _ocspExpiration = _nextDownload;
                 }
                 return ret;
             }