Preload intermediate certificates before exposing certificate to Kestrel

[dv00d00]

I had quite an epic issue with certificate verification in .net core.

Full details here: dotnet/aspnetcore#21183

TLDR: .net core 3.1 will perform an HTTP call to root authority of the certificate issuer to check if it was revoked. If this happens under load after a restart, threadpool is filled with blocking calls to check cert revocation, rendering app unresponsive.

@davidfowl suggested a workaround that can prevent this behavior.

There are several open questions marked as todo's in code

[bartonjs]

Since the VerificationFlags is AllFlags and revocation isn't requested I'm not sure (off the top of my head) if it's possible to get a false result (the only thing that would do that is ExplicitDistrust, IIRC, and we don't currently produce that on Linux).

If VerificationFlags had its default value (no flags set => all tests tested) then this would report that the intermediate couldn't be fetched (or something was expired, or something weird was going on). If that's an interesting state to differentiate, then just remove the assignment of VerificationFlags.

[davidfowl]

The flags were copied from the logic that SSLStream performs

[bartonjs]

The flags were copied from the logic that SSLStream performs

Yeah, SslStream is just trying to build a best-effort chain and see what it can do with that. I'm just suggesting that for logging purposes it might make sense to try to build a "normally valid" chain.

[davidfowl]

@dv00d00 it’s not revocation it’s downloading intermediates certificates. Old change the title to, populate the cache with intermediate certs before giving it to kestrel

[ffMathy]

Looks good to me.

Also, totally starstruck that @davidfowl visited my repo to review 🤩

@davidfowl got any final comments on the review fixes before I merge this?

[davidfowl]

LGTM