RepoJournal
.NET

@dotnet

The .NET runtime, ASP.NET, and the C# tooling

Pick a date

Topics: .NET Full archive →

The Wire · Showcase

ANDROID SSL VALIDATION BYPASS PATCHED; WASM JIT ALIGNMENT FIXES BLOCKER

By RepoJournal · Filed · About .NET

SslStream on Android was ignoring platform certificate pinning entirely, bypassing network_security_config.xml and allowing rejected certificates through.

SslStream bypassed Android's X509TrustManager completely [1], meaning certificate pinning and custom trust anchors were silently ignored while RemoteCertificateValidationCallback always reported success. This is a critical fix for any Xamarin.Android or .NET MAUI app relying on platform security configuration. On the JIT side, a Wasm register parameter fix [2] unblocks the caller-side this-drop issue that was stalling browser workloads, with minimal binary impact (28 bytes across affected contexts). The dotnet/macios team aligned with runtime's new SYSTEM_CORELIB_DIRECTORY property [3], fixing scenarios where coreclr and System.Private.CoreLib.dll aren't colocated. A teardown crash fix [4] resolved intermittent arm/arm64 segfaults in the cDAC GC stress framework that occurred after all verification completed. Separately, macios optimized assembly-preparer to skip preserve/mark steps when trimming is disabled [5], and fixed stale build failure comments lingering on PRs after successful re-runs [6].

Action items

References

  1. [1] [Android] Respect platform trust manager in SslStream ↗ dotnet/runtime
  2. [2] JIT: always home register params on wasm (#130446) dotnet/runtime
  3. [3] [runtime] Use SYSTEM_CORELIB_DIRECTORY to locate System.Private.CoreLib.dll (#26009) dotnet/macios
  4. [4] Fix intermittent teardown crash in the cDAC GC stress framework (#130526) dotnet/runtime
  5. [5] [assembly-preparer] Don't run the preserve/optimize/mark steps when not trimming. (#26014) dotnet/macios
  6. [6] [build] Hide stale build failure comment when a re-run succeeds (#26012) dotnet/macios

Quick answers

What shipped in .NET on July 12, 2026?
SslStream on Android was ignoring platform certificate pinning entirely, bypassing network_security_config.xml and allowing rejected certificates through. In total, 14 commits and 14 pull requests landed.
Who contributed to .NET on July 12, 2026?
4 developers shipped this update, including Šimon Rozsíval, Andy Ayers, Max Charlamb, and Rolf Bjarne Kvinge.
What were the notable .NET updates?
[Android] Respect platform trust manager in SslStream, JIT: always home register params on wasm (#130446), and [runtime] Use SYSTEM_CORELIB_DIRECTORY to locate System.Private.CoreLib.dll (#26009).

More from @dotnet

Daily updates, in your inbox

Follow .NET

The .NET runtime, ASP.NET, and the C# tooling We'll email you a link to confirm first.

Free. Confirm via email. Unsubscribe in one click.

— or follow the whole beat:

Elsewhere on the wire