From 783f8a59b3e6836bfaff47140f91ae95d72a6410 Mon Sep 17 00:00:00 2001
From: Radek Zikmund
Date: Wed, 3 Jan 2024 16:55:07 +0100
Subject: [PATCH 1/2] Recover from failed OCSP check.

---
 .../System/Net/Security/SslStreamCertificateContext.Linux.cs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs
index bf8ee151cb75c3..fb898a4d7e1dd1 100644
--- a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs
+++ b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs
@@ -247,7 +247,6 @@ partial void AddRootCertificate(X509Certificate2? rootCertificate, ref bool tran
                     _ocspResponse = ret;
                     _ocspExpiration = expiration;
                     _nextDownload = nextCheckA < nextCheckB ? nextCheckA : nextCheckB;
-                    _pendingDownload = null;
                     break;
                 }
             }
@@ -256,6 +255,8 @@ partial void AddRootCertificate(X509Certificate2? rootCertificate, ref bool tran
             ArrayPool.Shared.Return(rentedChars.Array!);
             GC.KeepAlive(TargetCertificate);
             GC.KeepAlive(caCert);
+
+            _pendingDownload = null;
             return ret;
         }
     }

From aa4f9ed43006670d408893b672dab213f4e2f220 Mon Sep 17 00:00:00 2001
From: Radek Zikmund
Date: Thu, 4 Jan 2024 12:37:45 +0100
Subject: [PATCH 2/2] Add 5s back-off after failed OCSP querry

---
 .../Net/Security/SslStreamCertificateContext.Linux.cs | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs
index fb898a4d7e1dd1..53b588d37b50e7 100644
--- a/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs
+++ b/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs
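Review bot: The reset of `_pendingDownload` now happens only on the normal return path (second hunk), so if anything between the download loop and this line throws, the field would keep the completed-or-faulted task and later callers would presumably observe it as a still-pending download rather than starting a new fetch; I cannot see whether the loop above catches its own exceptions, but if it does not, `try { … } finally { _pendingDownload = null; }` around the loop makes the reset unconditional. The first hunk only deletes the earlier assignment, so the two hunks are a single move and the same remark applies to both. How `_pendingDownload` is read by other threads is not visible here; if it is shared, the write may need `Volatile.Write` or an interlocked exchange rather than a plain assignment. The enclosing method starts before both hunks, so the try/finally boundary cannot be placed from this view.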
@@ -257,6 +257,14 @@ partial void AddRootCertificate(X509Certificate2? rootCertificate, ref bool tran
             GC.KeepAlive(caCert);
 
             _pendingDownload = null;
+            if (ret == null)
+            {
+                // all download attempts failed, don't try again for 5 seconds.
+                // Note that if server does not send OCSP staples, clients may still
+                // contact OCSP responders directly.
+                _nextDownload = DateTimeOffset.UtcNow.AddSeconds(5);
+                _ocspExpiration = _nextDownload;
+            }
             return ret;
         }
     }
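Review bot: The failure branch overwrites `_ocspExpiration` unconditionally while `_ocspResponse` is left holding whatever was cached, so if the consumer of these fields (outside the hunk) serves the cached response until `_ocspExpiration`, a transient responder failure during a pre-expiry refresh would cut a still-valid staple's remaining lifetime down to 5 seconds and then force another fetch on the next call; only lowering the expiration when it is already the nearer deadline, `if (_ocspExpiration < _nextDownload) _ocspExpiration = _nextDownload;`, would keep a good response in service — hedged, because the getter is not visible here. The `5` is repeated in the comment and the code; a named `private static readonly TimeSpan s_ocspRetryBackoff = TimeSpan.FromSeconds(5);` used in the `AddSeconds` call would keep the two in sync. A fixed back-off also means an unreachable responder is re-queried every 5 seconds per certificate context for as long as the process lives, which is worth a sentence in the comment or a growing interval. `ret is null` matches the null-pattern style the rest of the file's nullable annotations suggest. The enclosing method starts outside the hunk.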