Why is this an issue?
Validation of X.509 certificates is essential to create secure SSL/TLS sessions not vulnerable to man-in-the-middle attacks.
The certificate chain validation includes these steps:
- The certificate is issued by its parent Certificate Authority or the root CA trusted by the system.
- Each CA is allowed to issue certificates.
- Each certificate in the chain is not expired.
It’s not recommended to reinvent the wheel by implementing custom certificate chain validation.
TLS libraries provide built-in certificate validation functions that should be used.
Noncompliant code example
HTTP request tools such as curl and Invoke-WebRequest offer the option to disable certificate verification. The following example successfully requests data from a server with an insecure certificate, so the response may have been intercepted or tampered with by a third party.
RUN curl --insecure -O https://expired.example.com/downloads/install.sh
Compliant solution
Enabling certificate verification helps to make sure that the created TLS session is secure and cannot be intercepted. In this example, the option to disable certificate verification is removed, and a request is made to a secure server instead.
RUN curl -O https://new.example.com/downloads/install.sh
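As an added example (not part of the rule page or its tooling), the following POSIX shell check scans a Dockerfile for RUN instructions in which curl runs with verification disabled, via --insecure or its short form -k, including -k bundled into a cluster such as -fsSLk and instructions continued with a trailing backslash. The sample Dockerfile it scans is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the rule page: flag Dockerfile RUN instructions
# that call curl with certificate verification disabled (--insecure or -k).
# Assumes POSIX sh with grep and awk; the sample Dockerfile is constructed.

# Exit 0 when one (already joined) RUN line disables curl's certificate check.
run_line_insecure() {
  line=$1
  # Only RUN lines that actually invoke curl are of interest.
  printf '%s\n' "$line" | grep -Eq '(^|[[:space:]&|;])curl([[:space:]]|$)' || return 1
  # Long form: --insecure as a separate argument.
  printf '%s\n' "$line" | grep -Eq '[[:space:]]--insecure([[:space:]]|$)' && return 0
  # Short form: -k on its own or bundled into a cluster such as -fsSLk.
  printf '%s\n' "$line" | grep -Eq '[[:space:]]-[A-Za-z]*k[A-Za-z]*([[:space:]]|$)' && return 0
  return 1
}

# Read a Dockerfile on stdin, join backslash-continued lines, and print the
# number of RUN instructions that disable verification.
count_insecure_runs() {
  awk '/\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, " "); buf = buf $0; next }
       { print buf $0; buf = "" }' |
  grep -E '^[[:space:]]*RUN[[:space:]]' |
  while IFS= read -r l; do
    if run_line_insecure "$l"; then printf '%s\n' "$l"; fi
  done | awk 'END { print NR }'
}

# Constructed Dockerfile: two noncompliant RUN lines and one compliant one.
SAMPLE_DOCKERFILE='FROM alpine:3.19
RUN apk add --no-cache curl
RUN curl --insecure -O https://expired.example.com/downloads/install.sh
RUN curl -fsSLk \
    -o /tmp/install.sh https://expired.example.com/downloads/install.sh
RUN curl -fsSL -O https://new.example.com/downloads/install.sh'

# Print the number of noncompliant RUN instructions in the constructed sample.
scan_sample() {
  printf '%s\n' "$SAMPLE_DOCKERFILE" | count_insecure_runs
}

scan_sample
```

Running the script prints 2: the --insecure line and the continued -fsSLk line are flagged, while the compliant request to new.example.com is not.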