CodeQL documentation

Certificate not checked

ID: cpp/certificate-not-checked
Kind: problem
Security severity: 7.5
Severity: error
Precision: medium
Tags:
   - security
   - external/cwe/cwe-295
Query suites:
   - cpp-security-extended.qls
   - cpp-security-and-quality.qls

After fetching an SSL certificate, always check the result of certificate verification.

Recommendation

Always check the result of SSL certificate verification. A certificate that has been revoked may indicate that data is coming from an attacker, whereas a certificate that has expired or was self-signed may indicate an increased likelihood that the data is malicious.

Example

In this example, the SSL_get_peer_certificate function is used to get the certificate of a peer. However, it is unsafe to use that information without checking whether the certificate is valid.

// ...

X509 *cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is never called)

// ...

In the corrected example, we use SSL_get_verify_result to check that certificate verification was successful.

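// ...

X509 *cert = SSL_get_peer_certificate(ssl); // GOOD
if (cert)
{
	long result = SSL_get_verify_result(ssl); // verification outcome for this connection
	if (result == X509_V_OK)
	{
		// ...
	}
	X509_free(cert); // SSL_get_peer_certificate returns a reference the caller must release
}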

References

  • Common Weakness Enumeration: CWE-295.
