Failure to Check for Certificate Revocation

From Guidance Share

Jump to: navigation, search



If a certificate is used without first checking to ensure it was not revoked, the certificate may be compromised.

Applies To

  • Languages: Any language which does not abstract out this part of the process
  • Operating platforms: All


The following code, uses a certificate:

if (!(cert = SSL_get_peer(certificate(ssl)) || !host)

... without a call to get_verify_results to check for certificate revocation.


  • Authentication: Trust may be assigned to an entity impersonating a trusted entity.
  • Integrity: Data from an untrusted (and possibly malicious) source may be integrated.
  • Confidentiality: Data may be disclosed to an entity impersonating a trusted entity, resulting in information disclosure.


  • Failure to use a certificate without checking for revocation.


  • Design: Ensure that certificates are checked for revoked status.

Vulnerability Patterns

How Tos

Personal tools