runtime: HttpClient rejects valid certificates for dot-appended FQDNs

Description

HttpClient does not accept valid server certificates when a fully qualified domain name is used.

program.cs: await new System.Net.Http.HttpClient().GetAsync("https://microsoft.com./");

This should succeed. While not commonly used, the trailing . indicates that the host name is fully qualified and search suffixes should not be appended to support name resolution.

microsoft.com in the server certificate should match microsoft.com. as server identities in certs are implicitly fully qualified.

Regression?

Originally noticed this in some 4.7.2 code, tested on newer dotnet 6. Suspect this is likely an underlying http.sys issue.

Workarounds

Obviously workarounds exist; this just can be a pain having to strip FQDNs when building URIs in IaC.

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 19 (18 by maintainers)

Most upvoted comments

However, I’m ok taking the argument that the SNI host is without a trailing dot and treating the rest of the usages identically.

Thank you for pointing this out, I’m going to implement it.
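
The name handling discussed in the issue and the comment above (SNI host sent without the trailing dot, certificate names compared against the dot-stripped host), as an added C# example that is not part of the issue and is not the runtime's own code. The class and method names are hypothetical, and the host strings are constructed samples.

```csharp
using System;

// Added illustration; DotAppendedHost and its methods are hypothetical helpers.
static class DotAppendedHost
{
    // RFC 6066 section 3 defines the SNI host_name as having no trailing dot,
    // so exactly one trailing dot is removed before the name is put on the wire.
    public static string ToSniHostName(string uriHost) =>
        uriHost.EndsWith(".", StringComparison.Ordinal)
            ? uriHost.Substring(0, uriHost.Length - 1)
            : uriHost;

    // Compare the requested host with one dNSName entry from the certificate.
    public static bool MatchesCertificateDnsName(string uriHost, string certDnsName)
    {
        string host = ToSniHostName(uriHost);
        if (host.Length == 0 || certDnsName.Length == 0) return false;

        if (certDnsName.StartsWith("*.", StringComparison.Ordinal))
        {
            // A wildcard stands for exactly one leftmost label.
            int firstDot = host.IndexOf('.');
            if (firstDot <= 0) return false;
            return string.Equals(host.Substring(firstDot), certDnsName.Substring(1),
                                 StringComparison.OrdinalIgnoreCase);
        }
        return string.Equals(host, certDnsName, StringComparison.OrdinalIgnoreCase);
    }
}

static class Program
{
    static void Main()
    {
        // Constructed samples: (host taken from the URI, dNSName in the certificate).
        var cases = new (string Host, string CertName)[]
        {
            ("microsoft.com.", "microsoft.com"),       // dot-appended FQDN from the issue
            ("microsoft.com", "microsoft.com"),        // ordinary form
            ("www.example.com.", "*.example.com"),     // wildcard with dot-appended host
            ("a.b.example.com.", "*.example.com"),     // wildcard must not span two labels
            ("microsoft.com..", "microsoft.com"),      // malformed host, only one dot is stripped
        };
        foreach (var (host, certName) in cases)
        {
            Console.WriteLine($"{host,-20} sni={DotAppendedHost.ToSniHostName(host),-18} " +
                $"cert={certName,-16} match={DotAppendedHost.MatchesCertificateDnsName(host, certName)}");
        }
    }
}
```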