Skip to content

[Breaking change]: Linux AIA certificate fetching is now limited to two fetches per chain build #54809

Description

@bartonjs

Description

On Linux and other OpenSSL-based platforms, certificate chain building via Authority Information Access (AIA) is now limited to two AIA fetches per chain build. This aligns Linux behavior with Windows, which has always had a two-fetch limit. This change is part of dotnet/runtime#130456.

Version

.NET 11 Preview 7

Previous behavior

On OpenSSL-based platforms, X509Chain.Build performed AIA fetches to download intermediate certificates as many times as needed to complete the chain. For example, a chain requiring three intermediate certificates downloaded through AIA would succeed:

using var cert = X509Certificate2.CreateFromPem(leafCertificateWithThreeAiaHops);
using var chain = new X509Chain();

// On Linux with .NET 10 and earlier, this could succeed even when three or more
// intermediate certificates needed to be downloaded via AIA.
bool result = chain.Build(cert);
Console.WriteLine(result); // Could print True with 3+ AIA fetches

New behavior

On OpenSSL-based platforms, X509Chain.Build now performs at most two AIA fetches per chain build, matching Windows behavior. If completing the chain requires more than two intermediates to be downloaded through AIA, the chain build will not succeed through AIA downloads alone:

using var cert = X509Certificate2.CreateFromPem(leafCertificateWithThreeAiaHops);
using var chain = new X509Chain();

// On Linux with .NET 11+, if three or more AIA fetches are required,
// the build will fail.
// Intermediates should be provided to the chain via
// chain.ChainPolicy.ExtraStore or an appropriate certificate store.
bool result = chain.Build(cert);
Console.WriteLine(result); // May print False if more than 2 AIA fetches would be needed

Type of breaking change

  • Binary incompatible: Existing binaries might encounter a breaking change in behavior, such as failure to load or execute, and if so, require recompilation.
  • Source incompatible: When recompiled using the new SDK or component or to target the new runtime, existing source code might require source changes to compile successfully.
  • Behavioral change: Existing binaries might behave differently at run time.

Reason for change

Windows has always limited AIA fetches to two per chain build. The Linux implementation had no such limit, creating an inconsistency across platforms.

Applying the same limit on Linux makes cross-platform behavior consistent, and better limits the network and memory resources required to construct a certificate chain.

Recommended action

If your application builds certificate chains on Linux that require more than two intermediate certificates to be fetched via AIA, supply the intermediate certificates directly rather than relying on AIA downloads:

using var cert = X509Certificate2.CreateFromPem(leafCertPem);
using var intermediate1 = X509Certificate2.CreateFromPem(intermediate1Pem);
using var intermediate2 = X509Certificate2.CreateFromPem(intermediate2Pem);
using var intermediate3 = X509Certificate2.CreateFromPem(intermediate3Pem);

using var chain = new X509Chain();
chain.ChainPolicy.ExtraStore.Add(intermediate1);
chain.ChainPolicy.ExtraStore.Add(intermediate2);
chain.ChainPolicy.ExtraStore.Add(intermediate3);
// other ChainPolicy settings as appropriate

bool result = chain.Build(cert);

Alternatively, install the intermediate certificates in the user or system intermediate certificates certificate store so they are available to all chains without AIA downloads.

Feature area

Cryptography

Affected APIs

  • System.Security.Cryptography.X509Certificates.X509Chain.Build(System.Security.Cryptography.X509Certificates.X509Certificate2)

Metadata

Metadata

Assignees

Labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions