Why is this an issue?
Validation of X.509 certificates is essential to create secure SSL/TLS sessions not vulnerable to man-in-the-middle attacks.
The certificate chain validation includes these steps:
- The certificate is issued by its parent Certificate Authority or the root CA trusted by the system.
- Each CA is allowed to issue certificates.
- Each certificate in the chain is not expired.
It’s not recommended to reinvent the wheel by implementing custom certificate chain validation.
TLS libraries provide built-in certificate validation functions that should be used.
Noncompliant code example
ServicePointManager.ServerCertificateValidationCallback =
Function(sender, certificate, chain, errors) True ' Noncompliant: trust all certificates
Compliant solution
ServicePointManager.ServerCertificateValidationCallback =
Function(sender, certificate, chain, errors)
If Development Then Return True ' For development, trust all certificates
Return Errors = SslPolicyErrors.None AndAlso ValidCerts.Contains(certificate.GetCertHashString()) ' Compliant: trust only some certificates
End Function
Resources