eric-wang-1990 commented on code in PR #3962:
URL: https://github.com/apache/arrow-adbc/pull/3962#discussion_r2794974773
##########
csharp/src/Drivers/Apache/Hive2/HiveServer2TlsImpl.cs:
##########
@@ -95,7 +125,7 @@ static private bool IsSignedBy(X509Certificate2 cert,
X509Certificate2 issuer)
{
chain.ChainPolicy.ExtraStore.Add(issuer);
chain.ChainPolicy.VerificationFlags =
X509VerificationFlags.AllowUnknownCertificateAuthority;
- chain.ChainPolicy.RevocationMode =
X509RevocationMode.Online;
+ chain.ChainPolicy.RevocationMode =
X509RevocationMode.NoCheck;
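Review bot: At the `chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck` assignment, the chain is now built with revocation disabled and `AllowUnknownCertificateAuthority` set together, and nothing in the lines shown marks that combination as deliberate. With both relaxations in place, a result from `IsSignedBy` says nothing about whether the certificate is trusted or unrevoked. Suggest a comment at the assignment and a doc comment on `IsSignedBy` stating that it is a signature-relationship check only and must not be used as a trust decision, so a later caller does not rely on it in place of full validation.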
Review Comment:
✅ Done - Added clarifying comment explaining why `NoCheck` is intentional
here.
This helper method only validates cryptographic signatures (used by
`IsSelfSigned()`), not full certificate chain validation. The actual
configurable revocation checking happens in `ValidateCertificate()` on line 200
using `tlsProperties.RevocationMode`.
Checking revocation in this helper would be:
- Redundant (already done in main validation)
- Incorrect for self-signed cert detection
- Performance overhead