Mitigation: X509CertificateClaimSet.FindClaims Method

Starting with apps that target .NET Framework 4.6.1, the X509CertificateClaimSet.FindClaims method will attempt to match the claimType argument with all the DNS entries in its SAN field.

Impact

This change only affects apps that target versions of the .NET Framework starting with the .NET Framework 4.6.1.

For apps that target previous versions of the .NET Framework, the X509CertificateClaimSet.FindClaims method attempts to match the claimType argument only with the last DNS entry.

Mitigation

If this change is undesirable, apps that target versions of the .NET Framework starting with the .NET Framework 4.6.1 can opt out of it by adding the following configuration setting to the <runtime> section of the app’s configuration file:

<runtime>  
   <AppContextSwitchOverrides value="Switch.System.IdentityModel.DisableMultipleDNSEntriesInSANCertificate=true" />
</runtime>  

In addition, apps that target previous versions of the .NET Framework but are running under the .NET Framework 4.6.1 and later versions can opt in to this behavior by adding the following configuration setting to the <runtime> section of the app’s configuration file:

<runtime>  
    <AppContextSwitchOverrides value="Switch.System.IdentityModel.DisableMultipleDNSEntriesInSANCertificate=false" />
</runtime>  

See also