diff --git a/src/libraries/System.Net.HttpListener/src/System/Net/Managed/HttpConnection.cs b/src/libraries/System.Net.HttpListener/src/System/Net/Managed/HttpConnection.cs
index d0e17bcd3f387f..34373ca8088e4e 100644
--- a/src/libraries/System.Net.HttpListener/src/System/Net/Managed/HttpConnection.cs
+++ b/src/libraries/System.Net.HttpListener/src/System/Net/Managed/HttpConnection.cs
@@ -84,6 +84,11 @@ public HttpConnection(Socket sock, HttpEndPointListener epl, bool secure, X509Ce
 else
 {
 #pragma warning disable CA5359
+ // This part is actually never called because LoadCertificateAndKey always returns null
+ // and for managed implementation we never negotiate TLS. If this ever changes we will need to re-think
+ // how we deal with client certs and probably also remove "disable CA5359".
+ // Doing full validation brings its own problems ... like AIA processing and possibly access to untrusted sites.
+ // so that should probably be driven by user configuration.
 _sslStream = HttpListener.CreateSslStream(new NetworkStream(sock, false), false, (t, c, ch, e) =>
 {
 if (c == null)
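Review bot: The added comment justifies keeping `#pragma warning disable CA5359` by an invariant (LoadCertificateAndKey always returns null, so this `else` branch never runs) that nothing in the visible lines enforces. If that helper ever starts returning a certificate, the validation callback that CA5359 flags would become live with no signal to whoever made the change. Consider a `Debug.Fail("Managed HttpListener does not negotiate TLS; revisit client certificate validation before enabling this path.");` at the top of the branch, or restate the invariant next to LoadCertificateAndKey so an edit there points back here. The constructor and the callback body both continue outside the hunk, so how the callback treats `e` is not visible and the suppression's real scope should be confirmed against the full file.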