Failure to Validate Host-Specific Certificate Data

From Guidance Share

Revision as of 02:14, 30 October 2006; Admin (Talk | contribs)

The failure to validate host-specific certificate data may mean that, while the certificate read was valid (properly signed and unexpired), it was not issued for the site originally requested.

Applies To

  • Language: All
  • Operating platform: All


The following example shows use of a certificate without validating host-specific certificate data:

X509 *cert = SSL_get_peer_certificate(ssl);   /* peer's leaf certificate, or NULL if none was sent */
long foo = SSL_get_verify_result(ssl);        /* result of chain verification only */
if (cert && host && (X509_V_OK == foo || X509_V_ERR_SUBJECT_ISSUER_MISMATCH == foo))
    /* do stuff: proceeds without ever comparing the certificate's names to host */


  • Integrity: The data read from the system vouched for by the certificate may not be from the expected system.
  • Authentication: Trust afforded to the system in question -- based on the certificate -- may allow for spoofing or redirection attacks.


  • Failure to check certificate for host information.


  • Design: Check certificate for host information to ensure it is valid for the host in question.
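The following is an added example, not code from the original page, showing the countermeasure above with Python's standard ssl module rather than the OpenSSL C API used in the snippet. It shows the strict client configuration beside the weak one that reproduces this page's flaw (chain checked, host name not), and a stand-alone host-name matcher that applies the usual rules (subject alternative names take precedence over the common name; one leftmost wildcard label) to the dictionary shape that SSLSocket.getpeercert() returns. The certificate dictionary, the host names and the function names are constructed for the example.

```python
"""Host-specific certificate validation with Python's standard ``ssl`` module.

Added example (not the page's own code). Two pieces:
  1. a client context that verifies the chain AND the host name, beside the
     weak configuration that checks only the chain (the flaw on this page);
  2. a stand-alone matcher applying host-name rules to the dictionary shape
     returned by ``SSLSocket.getpeercert()``, so the logic runs offline.
"""
import ssl


def make_client_context(verify_host: bool = True) -> ssl.SSLContext:
    """Return a TLS client context.

    verify_host=True  -> chain is verified and the certificate must match the
                         host name passed as server_hostname at connect time.
    verify_host=False -> reproduces the weakness: the chain is still verified,
                         but a valid certificate for *any* host is accepted.
    """
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    if not verify_host:
        ctx.check_hostname = False       # the weak setting; verify_mode stays CERT_REQUIRED
    return ctx


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a host name.

    Case-insensitive, ignores a trailing dot, and allows a single wildcard only
    as the entire leftmost label (``*.example.test``), never spanning labels
    and never for a name with fewer than three labels.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def certificate_matches_host(cert: dict, hostname: str) -> bool:
    """The check the page's snippet skips, on the getpeercert() dict shape.

    If the certificate carries any DNS subject-alternative-name entries, only
    those are consulted; the subject commonName is a fallback used solely when
    there are none. Anything else is a mismatch.
    """
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(_dns_name_match(name, hostname) for name in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_match(value, hostname)
    return False


# Constructed sample in the shape ssl.getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


if __name__ == "__main__":
    for host in ("www.example.test", "v1.api.example.test",
                 "evil.example.test", "a.b.api.example.test"):
        print(f"{host:24s} -> {certificate_matches_host(SAMPLE_CERT, host)}")
    print("strict context checks host name:", make_client_context().check_hostname)
    print("weak context checks host name:  ", make_client_context(False).check_hostname)
```

In real use the matcher is not called by hand: with the strict context, `ctx.wrap_socket(sock, server_hostname="www.example.test")` performs this comparison during the handshake and raises if the name does not match, so the connection is never established with a certificate issued for some other host. The matcher is included so the rule can be read and tested in isolation, including the cases a wildcard must not cover.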

Vulnerability Patterns

How Tos