dotnet · wfurt · May 13, 2026 · May 12, 2026 · May 12, 2026 · May 12, 2026
diff --git a/src/libraries/System.Net.HttpListener/src/System/Net/Managed/HttpConnection.cs b/src/libraries/System.Net.HttpListener/src/System/Net/Managed/HttpConnection.cs
@@ -84,6 +84,11 @@ public HttpConnection(Socket sock, HttpEndPointListener epl, bool secure, X509Ce
             else
             {
 #pragma warning disable CA5359
+                // This part is actually never called because LoadCertificateAndKey always returns null
+                // and for managed implementation we never negotiate TLS. If this ever changes we will need to re-think
+                // how we deal with client certs and probably also remove "disable CA5359".
+                // Doing full validation brings its own problems ... like AIA processing and possibly access to untrusted sites.
+                // so that should probably be driven by user configuration.
                 _sslStream = HttpListener.CreateSslStream(new NetworkStream(sock, false), false, (t, c, ch, e) =>
                 {
                     if (c == null)