Failure to Validate Certificate Expiration

From Guidance Share

Jump to: navigation, search

Contents

Description

The failure to validate certificate operation may result in trust being assigned to certificates which have been abandoned due to age.


Applies To

  • Languages: All
  • Platforms: All


Example

The following example shows use of a certificate without validating certificate expiration:

if (!(cert = SSL_get_peer(certificate(ssl)) || !host)
foo=SSL_get_veryify_result(ssl);
if ((X509_V_OK==foo) || (X509_V_ERRCERT_NOT_YET_VALID==foo))
//do stuff 


Impact

  • Integrity: The data read from the system vouched for by the expired certificate may be flawed due to malicious spoofing.
  • Authentication: Trust afforded to the system in question -- based on the expired certificate -- may allow for spoofing attacks.


Vulnerabilities

  • Failure to check for certificate expiration


Countermeasures

  • Design: Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.


Vulnerability Patterns


How Tos

Personal tools