SSL Verification Disabled
What does this mean?
verify_mode is set to SSL_VERIFY_NONE, so the TLS library accepts whatever certificate the peer presents: the chain is not validated against the trusted CA store, and a failed check does not abort the handshake. The connection is still encrypted, but nothing establishes who is on the other end.
What can happen?
An attacker on the network path can terminate the TLS connection with a forged or self-signed certificate (a man-in-the-middle), read and modify everything sent over it, including credentials and session tokens, and impersonate the remote system to the application. The client-side "authentication" of the server that TLS is supposed to provide is gone.
Recommendation
Always set the verify mode to SSL_VERIFY_PEER so that the peer's certificate chain is validated against a trusted CA store, and keep host name verification enabled as well (a valid certificate for the wrong host is still an attacker's certificate). Never set SSL_VERIFY_NONE, not even to work around a certificate problem in testing; use a properly trusted test CA instead.
Sample Code
Vulnerable :
sslContext.SetVerify(VerifyMode.SSL_VERIFY_NONE, null); // no callback and no chain check: any certificate is accepted
Non Vulnerable :
sslContext.SetVerify(VerifyMode.SSL_VERIFY_PEER, remoteCertificateValidationCallback); // callback validates the peer chain and returns false to reject it
Vulnerable :
SSLContext.setVerify(ctx, SSL.SSL_VERIFY_NONE, VERIFY_DEPTH); // peer certificate ignored regardless of VERIFY_DEPTH
Non Vulnerable :
SSLContext.setVerify(ctx, SSL.SSL_VERIFY_PEER, VERIFY_DEPTH); // chain validated against the configured CA store, up to VERIFY_DEPTH intermediates
Vulnerable :
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // there is no CURLOPT_SSL_VERIFYNONE; this is how peer verification is actually switched off
Non Vulnerable :
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // validate the certificate chain against the CA bundle
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);    // and require the certificate to match the host name (2 is the only safe value)
Vulnerable :
use RPC::XML::Client;
use IO::Socket::SSL qw(SSL_VERIFY_NONE);

my $client = RPC::XML::Client->new($uri,
    useragent => [
        ssl_opts => {
            verify_hostname => 0,                 # host name never compared to the certificate
            SSL_verify_mode => SSL_VERIFY_NONE,   # certificate chain never checked
        },
    ],
);
Non Vulnerable :
use RPC::XML::Client;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

my $client = RPC::XML::Client->new($uri,
    useragent => [
        ssl_opts => {
            verify_hostname => 1,                 # must be 1: with 0, any CA-signed certificate for another host is accepted
            SSL_verify_mode => SSL_VERIFY_PEER,   # chain must validate against the trusted CA store
        },
    ],
);
Vulnerable :
http.verify_mode = OpenSSL::SSL::VERIFY_NONE # Net::HTTP now accepts any certificate, forged or self-signed
Non Vulnerable :
http.verify_mode = OpenSSL::SSL::VERIFY_PEER # the default once use_ssl = true; chain checked against the CA store
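The following is an added, runnable example and not part of the original rule text; it shows what the Ruby setting above actually changes. It generates a throwaway self-signed certificate (standing in for an attacker's forged certificate), serves it from a TLS listener on loopback, and connects twice: once with VERIFY_NONE, which completes the handshake and reads the server's data even though verify_result records the failed chain check, and once with VERIFY_PEER, which aborts with a certificate verify error. The host name attacker.example, the port selection and the banner text are all constructed for the demo.

```ruby
require 'openssl'
require 'socket'

# Generate a throwaway self-signed certificate (constructed for this demo).
# No CA in the system store has signed it, so a verifying client must reject it.
def make_self_signed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=attacker.example')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', 'DNS:attacker.example'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Start a TLS listener on a loopback ephemeral port that presents the given
# certificate, serves one connection and exits. Returns [port, thread].
def start_tls_server(key, cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  tcp = TCPServer.new('127.0.0.1', 0)
  port = tcp.addr[1]
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    begin
      conn = server.accept
      conn.puts('hello from the other side')
      conn.close
    rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
      # a verifying client aborts the handshake; nothing to serve
    ensure
      server.close
    end
  end
  [port, thread]
end

# Connect to 127.0.0.1:port with the given verify_mode and return a hash
# describing the client's view of the handshake.
def tls_connect(port, verify_mode)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = verify_mode
  store = OpenSSL::X509::Store.new
  store.set_default_paths # system CA roots only; the demo cert is not among them
  ctx.cert_store = store
  tcp = TCPSocket.new('127.0.0.1', port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.sync_close = true
  begin
    ssl.connect
    banner = ssl.gets
    # Even with VERIFY_NONE, OpenSSL runs the chain check and records its outcome
    # in verify_result; it simply does not act on it.
    result = { status: :connected, verify_result: ssl.verify_result, banner: banner&.chomp }
    ssl.close
    result
  rescue OpenSSL::SSL::SSLError => e
    { status: :rejected, error: e.message }
  ensure
    tcp.close unless tcp.closed?
  end
end

# One server/client round trip with a fresh self-signed certificate.
def demo(verify_mode)
  key, cert = make_self_signed_cert
  port, server = start_tls_server(key, cert)
  result = tls_connect(port, verify_mode)
  server.join
  result
end

if __FILE__ == $PROGRAM_NAME
  p demo(OpenSSL::SSL::VERIFY_NONE) # connected, banner received, verify_result != V_OK
  p demo(OpenSSL::SSL::VERIFY_PEER) # rejected: certificate verify failed
end
```

The VERIFY_NONE run is the situation the rule flags: the application happily talks to a peer whose certificate it could not validate, and the only trace of the problem is a verify_result it never reads. Note that the example does not set hostname verification; in real client code keep that on too (verify_hostname in Ruby's SSLContext), since VERIFY_PEER alone accepts any certificate the CA store trusts, whatever host it was issued for.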