[release/9.0] Permit fail-open to avoid CRL check failures on Mac (#15712)

github-actions[bot] · mmitche · web-flow · commit ca3c62aa504a · 2025-04-08T14:17:30.000-07:00
Co-authored-by: Matt Mitchell &lt;mmitche@microsoft.com&gt;
diff --git a/src/Microsoft.DotNet.Arcade.Sdk/src/DownloadFile.cs b/src/Microsoft.DotNet.Arcade.Sdk/src/DownloadFile.cs
@@ -6,6 +6,7 @@
 using System.Linq;
 using System.Net;
 using System.Net.Http;
+using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using Microsoft.Build.Framework;
 using Microsoft.Build.Utilities;
@@ -123,7 +124,36 @@ private async Tasks.Task<bool> DownloadFromUriAsync(string uri) {
 
             Log.LogMessage($"Downloading '{uri}' to '{DestinationPath}'");
 
+            // Configure the cert revocation check in a fail-open state to avoid intermittent failures
+            // on Mac if the endpoint is not available. This is only available on .NET Core, but has only been
+            // observed on Mac anyway.
+
+#if NET
+            using SocketsHttpHandler handler = new SocketsHttpHandler();
+            handler.SslOptions.CertificateChainPolicy = new X509ChainPolicy
+            {
+                // Yes, check revocation.
+                // Yes, allow it to be downloaded if needed.
+                // Online is the default, but it doesn't hurt to be explicit.
+                RevocationMode = X509RevocationMode.Online,
+                // Roots never bother with revocation.
+                // ExcludeRoot is the default, but it doesn't hurt to be explicit.
+                RevocationFlag = X509RevocationFlag.ExcludeRoot,
+                // RevocationStatusUnknown at the EndEntity/Leaf certificate will not fail the chain build.
+                // RevocationStatusUnknown for any intermediate CA will not fail the chain build.
+                // IgnoreRootRevocationUnknown could also be specified, but it won't apply given ExcludeRoot above.
+                // The default is that all status codes are bad, this is not the default.
+                VerificationFlags =
+                    X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown |
+                    X509VerificationFlags.IgnoreEndRevocationUnknown,
+                // Always use the "now" when building the chain, rather than the "now" of when this policy object was constructed.
+                VerificationTimeIgnored = true,
+            };
+
+            using (var httpClient = new HttpClient(handler))
+#else
             using (var httpClient = new HttpClient(new HttpClientHandler { CheckCertificateRevocationList = true }))
+#endif
             {
                 httpClient.Timeout = TimeSpan.FromSeconds(TimeoutInSeconds);
                 try
