CWE-599: Missing Validation of OpenSSL Certificate
Description
The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements.
Submission Date: Dec. 15, 2006, midnight
Modification Date: 2023-06-29 00:00:00+00:00
Organization: MITRE
Extended Description
This could allow an attacker to use an invalid certificate to claim to be a trusted host, use expired certificates, or conduct other attacks that could be detected if the certificate is properly validated.
Example - 1
The following OpenSSL code ensures that the host has a certificate. Note that the code does not call SSL_get_verify_result(ssl), which effectively disables the validation step that checks the certificate.
    if (cert = SSL_get_peer_certificate(ssl)) {
      // got certificate, host can be trusted

      //foo=SSL_get_verify_result(ssl);
      //if (X509_V_OK==foo) ...
    }
Related Weaknesses
This table shows the weaknesses and high-level categories related to this weakness. These relationships give an overview of similar items that may exist at higher and lower levels of abstraction.
Visit http://cwe.mitre.org/ for more details.