Connection problems after upgrading to dotnet 10

After upgrading my project to net10.0, I cannot connect to my Capella cluster. Cluster.ConnectAsync throws an AggregateException which yields 2 NullReferenceExceptions after unwinding. ConnectAsync succeeds when I suppress the certificate validation by returning true from KvCertificateCallbackValidation. Here is the full stack trace:

Object reference not set to an instance of an object.
   at System.Security.Cryptography.X509Certificates.StorePal.LinkFromCertificateCollection(X509Certificate2Collection certificates)
   at System.Security.Cryptography.X509Certificates.ChainPal.BuildChain(Boolean useMachineContext, ICertificatePal cert, X509Certificate2Collection extraStore, OidCollection applicationPolicy, OidCollection certificatePolicy, X509RevocationMode revocationMode, X509RevocationFlag revocationFlag, X509Certificate2Collection customTrustStore, X509ChainTrustMode trustMode, DateTime verificationTime, TimeSpan timeout, Boolean disableAia)
   at System.Security.Cryptography.X509Certificates.X509Chain.Build(X509Certificate2 certificate, Boolean throwOnException)
   at Couchbase.Core.IO.Authentication.X509.CertificateFactory.<>c__DisplayClass7_0.<GetValidatorWithPredefinedCertificates>b__0(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
   at Couchbase.Core.IO.Connections.CallbackCreator.Callback(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
   at Couchbase.Core.IO.Connections.ConnectionFactory.<>c__DisplayClass6_0.<CreateAndConnectAsync>b__0(Object __sender, X509Certificate __certificate, X509Chain __chain, SslPolicyErrors __sslPolicyErrors)
   at System.Net.Security.SslStream.VerifyRemoteCertificate(RemoteCertificateValidationCallback remoteCertValidationCallback, SslCertificateTrust trust, ProtocolToken& alertToken, SslPolicyErrors& sslPolicyErrors, X509ChainStatusFlags& chainStatus)
   at System.Net.Security.SslStream.CompleteHandshake(ProtocolToken& alertToken, SslPolicyErrors& sslPolicyErrors, X509ChainStatusFlags& chainStatus)
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
   at System.Net.Security.SslStream.ProcessAuthenticationWithTelemetryAsync(Boolean isAsync, CancellationToken cancellationToken)
   at Couchbase.Core.IO.Connections.ConnectionFactory.CreateAndConnectAsync(HostEndpointWithPort hostEndpoint, CancellationToken cancellationToken)
   at Couchbase.Core.IO.Connections.ConnectionPoolBase.CreateConnectionAsync(CancellationToken cancellationToken)
   at Couchbase.Core.IO.Connections.Channels.ChannelConnectionPool.<>c__DisplayClass34_0.<<AddConnectionsAsync>g__StartConnection|0>d.MoveNext()
--- End of stack trace from previous location ---
   at Couchbase.Core.IO.Connections.Channels.ChannelConnectionPool.InitializeAsync(CancellationToken cancellationToken)
   at Couchbase.Core.ClusterNode.InitializeAsync()
   at Couchbase.Core.DI.ClusterNodeFactory.CreateAndConnectAsync(HostEndpointWithPort endPoint, NodeAdapter nodeAdapter, CancellationToken cancellationToken)
   at Couchbase.Core.ClusterContext.BootstrapGlobalAsync()

I construct my cluster options with

var options = new ClusterOptions()
    .WithConnectionString(secureConnectionString) // couchbases://
    .WithCredentials(databaseUsername, databasePassword)
    .ApplyProfile("wan-development");

I’m using .NET SDK 10.0.101

Hi @jvrooyen -

> I’m using .NET SDK 10.0.101

Which version of the Couchbase .NET SDK (CouchbaseNetClient) are you using?

Thanks,

Jeff

I’m using 3.8.1 and have also tried the preview of 3.9. Both behave the same

.NET uses the operating system for SSL/TLS, and there were some changes in .NET 10, especially on macOS. What OS are you running on?

I’m running on Windows

We have also just stumbled on this problem; it appears to be a bug in .NET 10 being triggered by how Couchbase is using X509Chain.Build for Capella. It doesn’t seem to be Windows-specific; we’ve seen it on Linux. I’m trying to dig in further.

@jvrooyen

I have identified this as a bug in .NET 10, filed here: X509Chain.Build fails with NRE when ExtraStore certificates are reused within SslStream RemoteCertificateValidationCallback · Issue #123058 · dotnet/runtime · GitHub

I have also started work to apply a workaround to the Couchbase SDK, which you can follow here: https://review.couchbase.org/c/couchbase-net-client/+/238451

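The first post notes that returning true from KvCertificateCallbackValidation lets ConnectAsync succeed, which also switches off server certificate checking. As an added example (not code from this thread or from the Couchbase SDK), here is a callback that keeps validation on by pinning to a root CA and building its own chain from freshly parsed certificate objects on every call. The class name, the PEM path parameter and the revocation setting are assumptions, and the thread does not confirm whether this avoids the .NET 10 exception.

```csharp
using System.IO;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Couchbase;

public static class PinnedRootValidation
{
    // Assumption: rootCaPemPath points at the cluster's root CA certificate (PEM).
    public static void Apply(ClusterOptions options, string rootCaPemPath)
    {
        string rootPem = File.ReadAllText(rootCaPemPath);
        options.KvCertificateCallbackValidation = (sender, certificate, chain, errors) =>
            Validate(rootPem, certificate, chain, errors);
    }

    private static bool Validate(string rootPem, X509Certificate? certificate,
                                 X509Chain? chain, SslPolicyErrors errors)
    {
        // A missing certificate or a host name mismatch cannot be repaired by chain building.
        if (certificate is null ||
            (errors & (SslPolicyErrors.RemoteCertificateNotAvailable |
                       SslPolicyErrors.RemoteCertificateNameMismatch)) != 0)
            return false;

        // Fresh certificate objects on every call; nothing is shared between handshakes.
        using var root = X509Certificate2.CreateFromPem(rootPem);
        using var leaf = new X509Certificate2(certificate);
        using var pinned = new X509Chain();
        pinned.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        pinned.ChainPolicy.CustomTrustStore.Add(root);
        // Assumption: the CA publishes no CRL/OCSP endpoint; keep the default (Online) if it does.
        pinned.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;

        // Re-parse any intermediates the runtime collected from the peer.
        if (chain is not null)
            foreach (X509Certificate2 c in chain.ChainPolicy.ExtraStore)
                pinned.ChainPolicy.ExtraStore.Add(X509CertificateLoader.LoadCertificate(c.RawData));

        // True only when the chain ends at the pinned root.
        return pinned.Build(leaf);
    }
}
```

Call `PinnedRootValidation.Apply(options, path)` on the ClusterOptions before passing them to Cluster.ConnectAsync.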