
Certificate Validation Disabled

What does this mean?

The software does not validate, or incorrectly validates, a certificate. A certificate is a token that binds an identity (principal) to a cryptographic key; a properly validated certificate is what tells a client that a public key really belongs to the party it intends to talk to.

What can happen?

When a certificate is invalid or malicious and the software accepts it anyway, an attacker who can interfere with the communication path between client and host can spoof a trusted entity. The software might connect to a malicious host while believing it is the trusted host, or it might be deceived into accepting spoofed data that appears to originate from a trusted host. In practice this turns an encrypted connection into one that is merely obfuscated: the channel is still encrypted, but to a key the attacker controls.

Recommendation

Certificates should be carefully managed and checked to ensure that data are encrypted with the intended owner's public key. Validation has to cover the whole chain of trust up to a root you trust, the validity period, revocation status where feasible, and the name in the certificate, which must match the host you meant to reach. If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the pin is consulted, including the hostname: pinning supplements the standard checks, it does not replace them.
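The following Go program is an added example and not code from the original page. It contrasts a client that disables validation (the Go counterpart of the "trust everything" callbacks shown in the C#, Java and PHP samples below, `InsecureSkipVerify: true`) with one that validates the chain against a trusted root, checks the hostname and then pins the server's public key. To run offline it constructs throwaway self-signed certificates and performs the handshakes over an in-memory pipe; the service name `api.example.test`, the impostor certificate and the pin set are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned builds a throwaway self-signed certificate for host; constructed only so the demo runs offline.
func selfSigned(host string) (tls.Certificate, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		DNSNames:              []string{host}, // no Subject needed: hostname checks consult the SAN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it is its own root
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, must(x509.ParseCertificate(der))
}

// spkiPin is the hex SHA-256 of the SubjectPublicKeyInfo, the usual pin format.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// pinnedClientConfig keeps the standard checks (chain, validity period, name == host) and pins the verified leaf's key.
func pinnedClientConfig(roots []*x509.Certificate, host string, pins map[string]bool) *tls.Config {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	return &tls.Config{
		RootCAs:    pool,
		ServerName: host, // the hostname check compares the certificate's SANs to this
		// Runs only after chain and hostname validation passed (InsecureSkipVerify stays false).
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if len(chains) == 0 || !pins[spkiPin(chains[0][0])] {
				return fmt.Errorf("server public key does not match any pin")
			}
			return nil
		},
	}
}

// handshake runs one TLS handshake over an in-memory pipe; nil means the client accepted the server.
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	clientConn, serverConn := net.Pipe()
	srv := tls.Server(serverConn, &tls.Config{
		Certificates:           []tls.Certificate{serverCert},
		SessionTicketsDisabled: true, // the server then writes nothing after the handshake
	})
	done := make(chan struct{})
	go func() { _ = srv.Handshake(); serverConn.Close(); close(done) }()
	err := tls.Client(clientConn, clientCfg).Handshake()
	clientConn.Close() // also unblocks the server should it still be writing
	<-done
	return err
}

// run pits a legitimate and an impostor certificate (same name, different key) against a trust-all and a validating client.
func run() map[string]error {
	const host = "api.example.test" // hypothetical service name
	good, goodX := selfSigned(host)
	bad, badX := selfSigned(host)
	pins, trusted := map[string]bool{spkiPin(goodX): true}, []*x509.Certificate{goodX}
	return map[string]error{
		"insecure/impostor":   handshake(bad, &tls.Config{InsecureSkipVerify: true}), // same as "return true"
		"proper/legitimate":   handshake(good, pinnedClientConfig(trusted, host, pins)),
		"proper/impostor":     handshake(bad, pinnedClientConfig(trusted, host, pins)), // unknown issuer
		"proper/wrong-host":   handshake(good, pinnedClientConfig(trusted, "other.example.test", pins)),
		"proper/unpinned-key": handshake(bad, pinnedClientConfig([]*x509.Certificate{goodX, badX}, host, pins)), // only the pin catches this
	}
}

func main() {
	fmt.Println(run()) // each scenario's verdict; <nil> means the server was accepted
}
```

The trust-all client accepts the impostor, which is exactly the condition this page describes; the validating client rejects it for an unknown issuer, rejects the legitimate certificate when presented for a name it was not issued for, and rejects a trusted-but-unpinned key, the one case the pin alone catches. Note that `VerifyPeerCertificate` only receives verified chains because `InsecureSkipVerify` is left false: with it set to true the callback would see an empty `chains` slice, which is why a pin must never be the only check.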

Sample Code

Vulnerable (C#):

// Requires: using System.Net; using System.Net.Security;
ServicePointManager.ServerCertificateValidationCallback +=
  (sender, certificate, chain, errors) => {
      return true; // Noncompliant: every certificate is accepted, whatever chain, name or expiry errors were reported
  };

Non Vulnerable (C#):

ServicePointManager.ServerCertificateValidationCallback +=
  (sender, certificate, chain, errors) =>
  {
      if (development) return true; // development only: this branch must not be reachable in a shipped build
      return errors == SslPolicyErrors.None // chain, validity period and hostname all checked out ...
          && validCerts.Contains(certificate.GetCertHashString()); // Compliant: ... and the certificate is one we explicitly pinned
  };

The same pattern applies to HttpClientHandler.ServerCertificateCustomValidationCallback in current .NET. Note that GetCertHashString() returns the certificate's thumbprint, so the allow list must be updated on every renewal; pinning the public key instead survives renewals that keep the same key.

Vulnerable (Java):

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.X509TrustManager;

class TrustAllManager implements X509TrustManager {

    private static final Logger LOG = Logger.getLogger(TrustAllManager.class.getName());
    private static final String ERROR_MESSAGE = "certificate not checked"; // placeholder message

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Noncompliant: an empty body never throws, so every client certificate is trusted
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Noncompliant: logging is not validation; this method never throws, so every server is trusted
        LOG.log(Level.SEVERE, ERROR_MESSAGE);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return null; // no issuer is declared acceptable, yet nothing above enforces that
    }
}

Vulnerable (PHP):

curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE); // Noncompliant: the peer certificate is not checked at all
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);  // Noncompliant: same setting written as an integer

Non Vulnerable (PHP):

curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, TRUE); // Compliant; default value is TRUE
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 1);  // Compliant

CURLOPT_SSL_VERIFYPEER only checks that the certificate chains to a trusted CA. Leave CURLOPT_SSL_VERIFYHOST at its default of 2 as well; setting it to 0 means the name in the certificate is never compared with the host being contacted, which is the same weakness in a different option.

References