
[Foundation] Treat any exception during X509Chain.Build as a remote certificate chain error. Fixes #24739. #24754

Merged: rolfbjarne merged 1 commit into main from dev/rolf/issue-24739 on Feb 20, 2026

@rolfbjarne rolfbjarne commented Feb 20, 2026

In iOS 26.4 beta 4, X509Chain.Build started throwing CryptographicException:

```
System.Security.Cryptography.Interop+AppleCrypto+AppleCommonCryptoCryptographicException: Unable to decode the provided data.
    at System.Security.Cryptography.X509Certificates.SecTrustChainPal.Execute(:0)
    at System.Security.Cryptography.X509Certificates.ChainPal.BuildChain(:0)
    at System.Security.Cryptography.X509Certificates.X509Chain.Build(:0)
    at Foundation.NSUrlSessionHandler+ServerCertificateCustomValidationCallbackHelper.EvaluateSslPolicyErrors(:0)
    at Foundation.NSUrlSessionHandler+ServerCertificateCustomValidationCallbackHelper.Invoke(:0)
    at Foundation.NSUrlSessionHandler.TryInvokeServerCertificateCustomValidationCallback(:0)
    at Foundation.NSUrlSessionHandler+NSUrlSessionHandlerDelegate.DidReceiveChallengeImpl(:0)
    at Foundation.NSUrlSessionHandler+NSUrlSessionHandlerDelegate.DidReceiveChallenge(:0)
    at InvokeStub_NSUrlSessionHandlerDelegate.DidReceiveChallenge(:0)
```

The underlying cause of these exceptions is handled in this issue: dotnet/runtime#124552. This change is only dealing with the fact that the process crashes when an unexpected exception occurs in this code path in NSUrlSessionHandler.

The fix is to handle all exceptions in the call to X509Chain.Build, and report them as a certificate chain error in the custom server validation callback; then the app developer can handle them as they see fit.

Fixes #24739.

See also:

* dotnet/runtime#124552

Copilot AI left a comment

Pull request overview

This PR fixes a crash in iOS 26.4 beta 4 where X509Chain.Build throws CryptographicException during certificate validation. The fix ensures that any exception during certificate chain building is caught and reported as a certificate chain error to the ServerCertificateCustomValidationCallback, allowing application developers to handle certificate validation errors gracefully instead of the application crashing.

Changes:

  • Broadened exception handling in NSUrlSessionHandler.EvaluateSslPolicyErrors from catching only ArgumentException to catching all exceptions when calling X509Chain.Build.
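
The behaviour described in this pull request, sketched as an added example that is not code from the pull request or from NSUrlSessionHandler: an exception during chain building becomes `SslPolicyErrors.RemoteCertificateChainErrors`, and a validation callback that fails closed rejects the connection even when its pin matches. The `Evaluate`, `SpkiSha256` and `PinnedCallback` names, the SPKI-hash pin and the self-signed certificate are assumptions constructed for the illustration.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ChainErrorDemo
{
    // Hypothetical helper (not the NSUrlSessionHandler source): any exception thrown
    // while building the chain is reported as a chain error instead of propagating.
    static SslPolicyErrors Evaluate(Func<bool> buildChain)
    {
        try {
            return buildChain() ? SslPolicyErrors.None : SslPolicyErrors.RemoteCertificateChainErrors;
        } catch (Exception) {
            return SslPolicyErrors.RemoteCertificateChainErrors;
        }
    }

    // SHA-256 over the certificate's SubjectPublicKeyInfo, hex encoded (the pin format assumed here).
    static string SpkiSha256(X509Certificate2 cert) =>
        Convert.ToHexString(SHA256.HashData(cert.PublicKey.ExportSubjectPublicKeyInfo()));

    // Builds a callback with the ServerCertificateCustomValidationCallback signature.
    // It fails closed: a reported policy error rejects the connection even if the pin matches.
    static Func<HttpRequestMessage, X509Certificate2?, X509Chain?, SslPolicyErrors, bool> PinnedCallback(string pin) =>
        (request, cert, chain, errors) =>
            cert is not null && errors == SslPolicyErrors.None && SpkiSha256(cert) == pin;

    static void Main()
    {
        // Constructed self-signed certificate standing in for the server certificate.
        using var key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var req = new CertificateRequest("CN=constructed.example", key, HashAlgorithmName.SHA256);
        using var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
        var callback = PinnedCallback(SpkiSha256(cert));
        using var request = new HttpRequestMessage(HttpMethod.Get, "https://constructed.example/");

        // Chain building succeeds: no policy errors, pin matches, connection accepted.
        var ok = Evaluate(() => true);
        Console.WriteLine($"{ok}: accepted={callback(request, cert, null, ok)}");

        // Chain building throws, as in the stack trace above: reported as a chain error, rejected.
        var failed = Evaluate(() => throw new CryptographicException("Unable to decode the provided data."));
        Console.WriteLine($"{failed}: accepted={callback(request, cert, null, failed)}");
    }
}
```

A callback that returns `true` without inspecting `errors` would accept the second case as well, which is why the mapping to a chain error only helps callers that actually check it.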

@vs-mobiletools-engineering-service2

✅ [CI Build #060c25a] Build passed (Build packages) ✅

Pipeline on Agent
Hash: 060c25afbde461a69fe3fac6e150fe4c4efe8408 [PR build]

@rolfbjarne

CC @filipnavara

@rolfbjarne rolfbjarne enabled auto-merge (squash) February 20, 2026 11:07

@vs-mobiletools-engineering-service2

✅ [CI Build #060c25a] Build passed (Build macOS tests) ✅

Pipeline on Agent
Hash: 060c25afbde461a69fe3fac6e150fe4c4efe8408 [PR build]

@vs-mobiletools-engineering-service2

✅ [PR Build #060c25a] Build passed (Detect API changes) ✅

Pipeline on Agent
Hash: 060c25afbde461a69fe3fac6e150fe4c4efe8408 [PR build]

@vs-mobiletools-engineering-service2

🔥 Unable to find the contents for the comment: D:\a\1\s\change-detection\results\gh-comment.md does not exist :fire

Pipeline on Agent
Hash: 060c25afbde461a69fe3fac6e150fe4c4efe8408 [PR build]

@vs-mobiletools-engineering-service2

🚀 [CI Build #060c25a] Test results 🚀

Test results

✅ All tests passed on VSTS: test results.

🎉 All 156 tests passed 🎉

Tests counts

✅ cecil: All 1 tests passed.
✅ dotnettests (iOS): All 1 tests passed.
✅ dotnettests (MacCatalyst): All 1 tests passed.
✅ dotnettests (macOS): All 1 tests passed.
✅ dotnettests (Multiple platforms): All 1 tests passed.
✅ dotnettests (tvOS): All 1 tests passed.
✅ framework: All 2 tests passed.
✅ fsharp: All 4 tests passed.
✅ generator: All 5 tests passed.
✅ interdependent-binding-projects: All 4 tests passed.
✅ introspection: All 6 tests passed.
✅ linker: All 44 tests passed. [attempt 2]
✅ monotouch (iOS): All 11 tests passed. [attempt 2]
✅ monotouch (MacCatalyst): All 15 tests passed.
✅ monotouch (macOS): All 12 tests passed.
✅ monotouch (tvOS): All 11 tests passed.
✅ msbuild: All 2 tests passed.
✅ sharpie: All 1 tests passed.
✅ windows: All 3 tests passed.
✅ xcframework: All 4 tests passed.
✅ xtro: All 1 tests passed.

macOS tests

✅ Tests on macOS Monterey (12): All 5 tests passed.
✅ Tests on macOS Ventura (13): All 5 tests passed.
✅ Tests on macOS Sonoma (14): All 5 tests passed.
✅ Tests on macOS Sequoia (15): All 5 tests passed.
✅ Tests on macOS Tahoe (26): All 5 tests passed.

Pipeline on Agent
Hash: 060c25afbde461a69fe3fac6e150fe4c4efe8408 [PR build]

@rolfbjarne

api-diff failing is unrelated (#24756).

@rolfbjarne rolfbjarne disabled auto-merge February 20, 2026 19:13
@rolfbjarne rolfbjarne merged commit cd75c31 into main Feb 20, 2026
50 of 52 checks passed
rolfbjarne added a commit that referenced this pull request Feb 21, 2026
…Build as a remote certificate chain error. Fixes #24739. (#24757)

Backport of #24754.
rolfbjarne added a commit that referenced this pull request Feb 24, 2026
…uild as a remote certificate chain error. Fixes #24739. (#24758)

Backport of #24754.
Development

Successfully merging this pull request may close these issues.

Certificate pinning / validation callback is broken on iOS 26
