
Certificate Validation Disabled

What does this mean ?

A certificate is not validated, or is validated improperly, by the software. A certificate binds an identity (a principal) to a cryptographic key, so validating it is how a client decides whether a public key really belongs to its presumed owner: the chain must lead to a trusted root, the name in the certificate must match the host being contacted, and the certificate must be within its validity period and not revoked.

What can happen ?

When a certificate is incorrect or fraudulent and the software accepts it anyway, an attacker who can interpose on the connection between client and host (a man-in-the-middle) can impersonate the trusted entity. The program may connect to a malicious host while believing it is connecting to the trustworthy one, or it may be duped into accepting forged data that appears to originate from a trusted host, because the TLS session was negotiated with the attacker's key rather than the legitimate server's.

Recommendation

Certificates must be validated in full so that data is really encrypted for, and received from, the intended owner of the key: chain to a trusted root, hostname match, validity period and revocation status. Disabling the check to get past a certificate error (a callback that always returns true, a TrustManager that never throws, CURLOPT_SSL_VERIFYPEER turned off, rejectUnauthorized set to false) is not a fix; correct the certificate or the trust store instead. If certificate pinning is utilized, treat it as an additional constraint rather than a replacement: verify that all essential characteristics of the certificate, including the hostname, are completely validated first, and compare the pin only once that validation has passed.

Sample Code

Vulnerable :

using System.Net;
using System.Net.Security;

// ServicePointManager is the legacy (.NET Framework) hook; HttpClientHandler.ServerCertificateCustomValidationCallback has the same shape and the same pitfall
ServicePointManager.ServerCertificateValidationCallback +=
  (sender, certificate, chain, errors) => {
      return true; // Noncompliant: trust all certificates, whatever 'errors' reports (bad chain, wrong name, expired)
  };

Non Vulnerable :

using System.Collections.Generic;
using System.Net;
using System.Net.Security;

// validCerts: the hash strings (GetCertHashString() returns the SHA-1 thumbprint) of the certificates this client accepts
ServicePointManager.ServerCertificateValidationCallback +=
  (sender, certificate, chain, errors) =>
  {
      if (development) return true; // Dev-only bypass: a runtime flag like this is itself a finding if it can ever be true in production; prefer a compile-time guard (#if DEBUG) or drop it
      // errors == None means the platform already validated the chain, validity period and hostname; only then is the pin consulted
      return errors == SslPolicyErrors.None
          && validCerts.Contains(certificate.GetCertHashString()); // Compliant: trust only some certificates
  };

Vulnerable :

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.X509TrustManager;

class TrustAllManager implements X509TrustManager {

    private static final Logger LOG = Logger.getLogger(TrustAllManager.class.getName());
    private static final String ERROR_MESSAGE = "certificate validation skipped"; // placeholder text for the example

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Noncompliant: an empty body never throws, which means any client certificate is trusted
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Noncompliant: logging is not rejecting; this method never throws, so any server certificate is trusted
        LOG.log(Level.SEVERE, ERROR_MESSAGE);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return null; // no trusted issuers at all (the contract expects an empty array, not null)
    }
}

Vulnerable :

curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE); // Noncompliant
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);  // Noncompliant

Non Vulnerable :

curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, TRUE); // Compliant; default value is TRUE
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 1);  // Compliant
// Leave CURLOPT_SSL_VERIFYHOST at its default (2) as well: VERIFYPEER checks the chain, VERIFYHOST checks that the name matches the host; disabling either one breaks validation

Vulnerable :

const https = require('https');

const options = {
    hostname: 'www.sample.com',
    port: 443,
    path: '/',
    method: 'GET',
    secureProtocol: 'TLSv1_2_method',
    rejectUnauthorized: false // Vulnerable: chain and hostname errors are ignored
};

const req = https.request(options, (res) => {
    res.on('data', (d) => {
        process.stdout.write(d);
    });
}); // Vulnerable
req.end();

Non Vulnerable :

const https = require('https');

const options = {
    hostname: 'www.sample.com',
    port: 443,
    path: '/',
    method: 'GET',
    secureProtocol: 'TLSv1_2_method'
    // rejectUnauthorized is omitted, so it keeps its default of true
};

const req = https.request(options, (res) => {
    res.on('data', (d) => {
        process.stdout.write(d);
    });
}); // Non Vulnerable
req.end();

Vulnerable :

const request = require('request'); // the 'request' package is deprecated, but the option has the same meaning as in https.request

const socket = request.get({
    url: 'https://www.sample.com/',
    secureProtocol: 'TLSv1_2_method',
    rejectUnauthorized: false // Vulnerable
});

Non Vulnerable :

const request = require('request');

const socket = request.get({
    url: 'https://www.sample.com/',
    secureProtocol: 'TLSv1_2_method'
    // rejectUnauthorized left at its default of true
}); // Non Vulnerable

References