Skip to content

Certificate validation fails with RevocationStatusUnknown when using HTTPS proxy #117681

New issue
New issue
Closed
#118456
Closed
Certificate validation fails with RevocationStatusUnknown when using HTTPS proxy#117681
#118456
Assignees
rzikm
Labels
area-System.Net.Security
Milestone
10.0.0
@Jericho

Description

@Jericho
Jericho
opened on Jul 15, 2025

Description

I use Telerik's Fiddler tool to proxy the http traffic between my app and a 3rd party API. This tool allows me to visually inspect the http requests/responses, headers, etc. This makes investigating errors, problems, etc. super easy.

I installed .NET preview 6 earlier today and I am no longer able to use .NET's HttpClient in conjunction with WebProxy to proxy my http traffic to Fiddler. I get the following exception: AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: RevocationStatusUnknown.

Fiddler installs a SSL cert locally and there's something about this cert that is causing validation to fail. I'm sure I should contact Telerik and tell them to fix their cert, but I'm trying to figure out why this worked without any problem in .NET 10 preview 1, 2, 3, 4 and 5 but not in preview 6.

Was there a change in the SSL validation logic?

Reproduction Steps

  • Step 1: make sure you have Fiddler on your machine. You can download it from here: https://www.telerik.com/download/fiddler
  • Step 2: run Telerik's Fiddler. Please note: the first time you run Fiddler it will ask for your permission to install SSL vert locally. Make sure you agree.
  • Step 3: create a new C# console app and make sure global.json contains the following config:
{
  "sdk": {
    "version": "10.0.100-preview.6.25358.103",
    "rollForward": "patch",
    "allowPrerelease": true
  }
}
  • Step 4: run the following C# code in program.cs:
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

namespace MyConsoleApp
{
	public class Program
	{
		public static async Task Main()
		{
			var useProxy = true; // Set to true if you want to proxy requests through a tool such as Fiddler
			var proxyPort = 8888; // By default Fiddler Classic uses port 8888 and Fiddler Everywhere uses port 8866

			var proxy = useProxy ? new WebProxy($"http://localhost:{proxyPort}") : null;
			var myHttpClient = new HttpClient(new HttpClientHandler { Proxy = proxy, UseProxy = proxy != null });
			var response = await myHttpClient.GetAsync("https://bing.com").ConfigureAwait(false);
		}
	}
}

Expected behavior

I expect the call to GetAsync to complete successfully.

Actual behavior

The call to GetAsync fails with the following exception: AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: RevocationStatusUnknown

Regression?

This works fine in all versions of .NET up to and including .NET9.
It also works in all preview versions of .NET 10 up to and including preview 5

It does not work in .NET 10 preview 6

Known Workarounds

SSL cert validation can be turned off like so:

var myHttpClient = new HttpClient(new HttpClientHandler { Proxy = proxy, UseProxy = proxy != null, ServerCertificateCustomValidationCallback = (sender, cert, chain, error) => true });

See also https://learn.microsoft.com/en-us/dotnet/core/compatibility/networking/10.0/ssl-certificate-revocation-check-default for more workarounds.

Configuration

OS: Windows 11 x64
.NET: version 10 preview 6

This problem can be reproduced on .NET 10 preview 6 specifically. I did not experience this problem on any other version of .NET

Other information

No response

Metadata

Metadata

Assignees

Labels

area-System.Net.Security

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions