Why is this an issue?
Validation of X.509 certificates is essential to create secure SSL/TLS sessions not vulnerable to man-in-the-middle attacks.
The certificate chain validation includes these steps:
- The certificate is issued by its parent Certificate Authority or the root CA trusted by the system.
- Each CA is allowed to issue certificates.
- Each certificate in the chain is not expired.
It’s not recommended to reinvent the wheel by implementing custom certificate chain validation.
TLS libraries provide built-in certificate validation functions that should be used.
Noncompliant code example
HTTP request tools such as curl, wget and Invoke-WebRequest offer an option to disable certificate verification. In the following example the request succeeds even though the server presents an invalid (here, expired) certificate, so the response may have been intercepted or tampered with by a third party.
FROM ubuntu:22.04
# Noncompliant
RUN curl --insecure -O https://expired.example.com/downloads/install.sh
Compliant solution
Keeping certificate verification enabled ensures that the TLS session is authenticated and cannot be intercepted without detection. In this example, the option that disables certificate verification is removed, and the request is made to a server that presents a valid certificate instead.
FROM ubuntu:22.04
RUN curl -O https://new.example.com/downloads/install.sh
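As an added example (not part of the rule page or of any tool it names), the following POSIX shell script scans a Dockerfile for RUN instructions that disable certificate verification in curl, wget or Invoke-WebRequest, handling backslash-continued RUN lines; the option spellings it matches and the sample Dockerfile are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: report RUN instructions in a Dockerfile that disable TLS certificate
# verification. Option spellings matched (assumed for this example):
#   curl  -k / --insecure (also inside clustered short flags such as -sSLk)
#   wget  --no-check-certificate
#   Invoke-WebRequest -SkipCertificateCheck

# Extended regex: a RUN instruction containing one of the tools followed, before any
# pipe or command separator, by its verification-disabling option.
INSECURE_RE='^[[:space:]]*[Rr][Uu][Nn][[:space:]].*(curl[^|;&]*[[:space:]](-[a-zA-Z]*k[a-zA-Z]*|--insecure)([[:space:]]|$)|wget[^|;&]*--no-check-certificate|Invoke-WebRequest[^|;&]*-SkipCertificateCheck)'

# scan_dockerfile FILE: print each offending instruction; return 1 if any were found, else 0.
scan_dockerfile() {
    # Join backslash-continued lines so a multi-line RUN is checked as one instruction.
    sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1" | grep -E "$INSECURE_RE" && return 1
    return 0
}

# Constructed sample Dockerfile mixing insecure downloads with a compliant one.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
FROM ubuntu:22.04
RUN curl --insecure -O https://expired.example.com/downloads/install.sh
RUN apt-get update && \
    wget --no-check-certificate https://expired.example.com/downloads/tool.tar.gz
RUN curl -sSLk https://expired.example.com/downloads/bootstrap.sh | sh
RUN curl -O https://new.example.com/downloads/install.sh
RUN pwsh -c "Invoke-WebRequest -SkipCertificateCheck -Uri https://expired.example.com/a.ps1"
EOF

if scan_dockerfile "$SAMPLE"; then
    echo "OK: no instruction disables certificate verification"
else
    echo "FAIL: the instructions above disable certificate verification"
fi
```

The scanner deliberately ignores `--proxy-insecure` and tool invocations hidden behind shell variables or scripts copied into the image; treat it as a first-pass check, not a substitute for reviewing the build.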
Resources