Skip to content

[release/10.0] Fix certificate disposal in RemoteCertificateValidationCallback causing NRE on reuse#124584

Open
github-actions[bot] wants to merge 5 commits intorelease/10.0from
backport/pr-123875-to-release/10.0
Open

[release/10.0] Fix certificate disposal in RemoteCertificateValidationCallback causing NRE on reuse#124584
github-actions[bot] wants to merge 5 commits intorelease/10.0from
backport/pr-123875-to-release/10.0

Conversation

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Feb 19, 2026
edited by rzikm
Loading

Backport of #123875 to release/10.0
/cc @rzikm @copilot

Fixes #123058

Customer Impact

Reported by customer in #123058
When customer provided custom RemoteCertificateValidationCallback during which they added extra certs to the X509Chain.ExtraStore, these certs would end up disposed by the SslStream, preventing their reuse across multiple connections.

Unless a workaround is implemented by the customer, the bug render's the application/server unable to establish new TLS connections.

Regression

Yes - introduced in PR #117667 in .NET 10.

The original change was an attempt to improve deterministic cleanup of resources. Adding more intermediate certs during cert validation callback wasn't considered common scenario and there was missing code coverage.

Testing

Targeted unit test added to ensure we returned to the previous behavior.

Risk

Low, the issue is well understood and the fix is simple.

Copilot AI and others added 5 commits February 19, 2026 08:22
Initial plan
8b2d818
@rzikm
Fix certificate disposal in RemoteCertificateValidationCallback
6456bb6 
Only cleanup ExtraStore and ChainElements certificates when no RemoteCertificateValidationCallback is provided. When a callback is provided, users might add their own certificates to ExtraStore or keep references to certificates from ChainElements, and these should not be disposed by SslStream.

Co-authored-by: rzikm <32671551+rzikm@users.noreply.github.com>
@rzikm
Address code review: Use using statement for certificate disposal
63e2494 
Changed shared certificate to use 'using' declaration to ensure proper cleanup even if test fails.

Co-authored-by: rzikm <32671551+rzikm@users.noreply.github.com>
@rzikm
Address code review feedback: refactor test to use for loop and fix u…
f4b9fba 
…nused variable

- Refactored test to use a for loop instead of duplicating connection code
- Fixed unused 'built' variable by discarding return value
- Removed issue reference from test comment as requested

Co-authored-by: rzikm <32671551+rzikm@users.noreply.github.com>
@rzikm
Enhance test to verify ChainElements certificates are not disposed
3738fdd 
Added verification that certificates from chain.ChainElements are not disposed when RemoteCertificateValidationCallback is provided, as suggested by @bartonjs. The test now:
- Saves certificates from ChainElements on first connection
- Verifies they remain valid after connection closes
- Verifies they remain valid after multiple connections

Co-authored-by: rzikm <32671551+rzikm@users.noreply.github.com>
@dotnet-policy-service
Copy link
Contributor

dotnet-policy-service bot commented Feb 19, 2026

Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@rzikm
Copy link
Member

rzikm commented Feb 19, 2026

cc @karelz

@rzikm rzikm requested a review from a team February 19, 2026 10:21
This was referenced Feb 19, 2026
Open
Open
@teo-tsirpanis teo-tsirpanis added this to the 10.0.x milestone Feb 20, 2026
@rickeshj
Copy link

rickeshj commented Mar 6, 2026

Hi, is there any update on when this might be released? Thanks

@rzikm rzikm self-assigned this Mar 6, 2026
@rzikm
Copy link
Member

rzikm commented Mar 6, 2026

Hi, is there any update on when this might be released? Thanks

The earliest this can be released is mid-April. The cut-off date for the next servicing release is next week. It is on my radar to get this merged in time for that.

@rickeshj
Copy link

rickeshj commented Mar 6, 2026

**rzikm **

Hey @rzikm, thanks for the response and timeline.

@karelz
Copy link
Member

karelz commented Mar 6, 2026

Regression in 10, we should fix it in servicing given it impacts customer scenarios without a reasonable workaround.

@karelz karelz added Servicing-consider Issue for next servicing release review Servicing-approved Approved for servicing release and removed Servicing-consider Issue for next servicing release review labels Mar 6, 2026
@karelz
Copy link
Member

karelz commented Mar 7, 2026

Approved by Tactics (@jeffschwMSFT) via email on Fri 3/6. Adding Servicing-approved label accordingly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@karelz karelz karelz approved these changes

@ManickaP ManickaP ManickaP approved these changes

Assignees

@rzikm rzikm

@github-actions github-actions[bot]

Labels

area-System.Net.Security Servicing-approved Approved for servicing release

Projects

None yet

Milestone

10.0.x

Development

Successfully merging this pull request may close these issues.

6 participants

@rzikm @rickeshj @karelz @ManickaP @teo-tsirpanis