Failure to Validate Host-Specific Certificate Data

From Guidance Share



Description

A certificate carries host-specific data: the subjectAltName dNSName (or iPAddress) entries and, as a fallback, the subject common name. If a client verifies only that the certificate chains to a trusted CA and never compares those names against the host it asked for, the certificate can be perfectly valid and still not be for the site originally requested. Any party holding a CA-issued certificate for any name can then present it in place of the expected one.

Applies To

  • Language: All
  • Operating platform: All

Example

The following example (OpenSSL, C) uses a certificate without validating host-specific certificate data. The requested host name is available in host, but nothing compares it to the names in cert:

    X509 *cert = SSL_get_peer_certificate(ssl);
    long foo = SSL_get_verify_result(ssl);
    /* The chain verified, but host is never compared to the names in cert. */
    if (cert != NULL && host != NULL &&
        (X509_V_OK == foo || X509_V_ERR_SUBJECT_ISSUER_MISMATCH == foo)) {
        /* do stuff */
    }

Note that the condition also treats X509_V_ERR_SUBJECT_ISSUER_MISMATCH as success, so a certificate whose chain did not verify is accepted as well as one issued for the wrong host.

Impact

  • Integrity: Data received over the connection comes from whichever system presented the certificate, which need not be the system the client asked for.
  • Authentication: Any holder of a certificate that chains to a trusted CA, issued for any name, is trusted as the requested host, which enables spoofing and redirection (man-in-the-middle) attacks.

Vulnerabilities

  • Failure to check certificate for host information.

Countermeasures

  • Design: After chain validation, compare the requested host name against the certificate's subjectAltName dNSName entries (iPAddress entries when the host is an IP literal) and, only when the certificate carries no subjectAltName at all, against the subject common name. Treat a mismatch as a fatal verification error, never as a warning. With OpenSSL this is SSL_set1_host() before the handshake (OpenSSL 1.1.0 and later; a mismatch then surfaces from SSL_get_verify_result() as X509_V_ERR_HOSTNAME_MISMATCH) or X509_check_host() on the peer certificate afterwards; do not re-implement the name comparison by hand in production code.
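The check described above, worked through in code. This is an added example, not code from the page or from OpenSSL: no OpenSSL headers are needed, so the chain verification result and the names pulled from the peer certificate are stand-ins built inline from constructed sample data, and the matching rules follow RFC 6125 (subjectAltName dNSName entries first, CN only as a fallback, a wildcard only as the whole leftmost label matching exactly one label). All function and type names are this example's own.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of n bytes (DNS names are case-insensitive). */
static bool eq_ci(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Match one certificate name (a subjectAltName dNSName, or the CN as a
 * fallback) against the host the caller asked to connect to. A wildcard is
 * accepted only as the entire leftmost label, must be followed by at least
 * two labels, and matches exactly one label: "*.example.com" covers
 * "www.example.com" but not "example.com" or "a.b.example.com". */
bool dns_name_matches(const char *pattern, const char *host)
{
    size_t plen = strlen(pattern), hlen = strlen(host);
    if (plen && pattern[plen - 1] == '.') plen--;   /* tolerate one trailing dot */
    if (hlen && host[hlen - 1] == '.') hlen--;
    if (plen == 0 || hlen == 0) return false;

    bool wild = plen > 2 && pattern[0] == '*' && pattern[1] == '.';
    if (!wild)   /* a '*' anywhere else is not a wildcard; require an exact match */
        return memchr(pattern, '*', plen) == NULL && plen == hlen && eq_ci(pattern, host, plen);

    const char *psuf = pattern + 2;
    size_t slen = plen - 2;
    if (memchr(psuf, '*', slen) != NULL) return false;   /* "*.*.example" */
    if (memchr(psuf, '.', slen) == NULL) return false;   /* "*.com" is too broad */
    const char *dot = memchr(host, '.', hlen);
    if (dot == NULL || dot == host) return false;        /* host needs a first label */
    size_t hsuf = hlen - (size_t)(dot + 1 - host);
    return hsuf == slen && eq_ci(psuf, dot + 1, slen);
}

/* Constructed stand-in for the names a client would extract from the peer
 * certificate (what SSL_get_peer_certificate() gives access to in OpenSSL). */
struct peer_cert {
    const char *const *san_dns;   /* subjectAltName dNSName entries */
    size_t san_dns_count;
    const char *cn;               /* subject commonName, may be NULL */
};

/* The host-specific check the page's snippet is missing. dNSName entries are
 * authoritative; the CN is consulted only when the certificate has none. */
bool cert_matches_host(const struct peer_cert *c, const char *host)
{
    if (c->san_dns_count > 0) {
        for (size_t i = 0; i < c->san_dns_count; i++)
            if (dns_name_matches(c->san_dns[i], host)) return true;
        return false;
    }
    return c->cn != NULL && dns_name_matches(c->cn, host);
}

/* The page's flawed acceptance test beside the hardened one. chain_ok stands
 * for "SSL_get_verify_result() returned X509_V_OK"; only the hardened version
 * also asks whether the certificate was issued for this host. */
bool accept_peer_unchecked(bool chain_ok, const struct peer_cert *c, const char *host)
{
    (void)host;   /* host is known but never consulted: the bug on this page */
    return c != NULL && chain_ok;
}

bool accept_peer_checked(bool chain_ok, const struct peer_cert *c, const char *host)
{
    return c != NULL && chain_ok && host != NULL && cert_matches_host(c, host);
}

/* Constructed scenario: the chain verifies (a trusted CA really issued the
 * certificate), but it names attacker-controlled hosts, not the one requested. */
bool demo_wrong_host_slips_through_unchecked(void)
{
    static const char *const sans[] = { "evil.example", "*.evil.example" };
    const struct peer_cert c = { sans, 2, "evil.example" };
    return accept_peer_unchecked(true, &c, "bank.example")
        && !accept_peer_checked(true, &c, "bank.example");
}

/* Constructed scenario: the right certificate, accepted only when the chain
 * verifies too (the hostname check does not replace chain validation). */
bool demo_right_host_accepted(void)
{
    static const char *const sans[] = { "bank.example", "www.bank.example" };
    const struct peer_cert c = { sans, 2, "bank.example" };
    return accept_peer_checked(true, &c, "WWW.bank.example")
        && !accept_peer_checked(false, &c, "www.bank.example");
}

/* A matching CN does not rescue a certificate whose dNSName list does not match. */
bool demo_cn_ignored_when_san_present(void)
{
    static const char *const sans[] = { "other.example" };
    const struct peer_cert c = { sans, 1, "bank.example" };
    return !cert_matches_host(&c, "bank.example");
}

int main(void)
{
    printf("wrong host accepted unchecked, rejected with check: %s\n",
           demo_wrong_host_slips_through_unchecked() ? "yes" : "no");
    printf("right host accepted only with a verified chain: %s\n",
           demo_right_host_accepted() ? "yes" : "no");
    return 0;
}
```

The two accept_peer functions differ by a single conjunct, which is the whole lesson: chain validation answers "did a trusted CA issue this?", and only the name comparison answers "is it for the host I asked for?". In real OpenSSL code that conjunct is supplied by SSL_set1_host() or X509_check_host(), not by a hand-written matcher.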
