RSPEC-4830

Server certificates should be verified during SSL/TLS connections

    Details

    • Message:
      Enable server certificate validation on this SSL/TLS connection
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      ABAP, APEX, Cobol, CSS, Flex, Go, HTML, Kotlin, PL/I, PL/SQL, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript, VB6
    • Covered Languages:
      C#, C, C++, Java, JavaScript, Objective-C, PHP, Python, VB.Net
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      5min
    • Analysis Level:
      Syntactic Analysis
    • Analysis Scope:
      Main Sources
    • CERT:
      MSC61-J.
    • CWE:
      CWE-295
    • OWASP:
      A6, A3
    • FindSecBugs:
      WEAK_TRUST_MANAGER

      Description

      Validation of X.509 certificates is essential to create secure SSL/TLS sessions that are not vulnerable to man-in-the-middle attacks: if the client does not validate the server certificate, any party on the network path can present its own certificate and impersonate the server.
      The certificate chain validation includes these steps:

      • Each certificate is signed by its issuing (parent) Certificate Authority, up to a root CA trusted by the system.
      • Each intermediate CA in the chain is itself authorized to issue certificates (its Basic Constraints extension marks it as a CA).
      • No certificate in the chain is expired or not yet valid.

      It is not recommended to reinvent the wheel by implementing custom certificate chain validation, for example a trust manager or verification callback that accepts every certificate.
      TLS libraries provide built-in certificate validation functions that should be used; disabling them, or replacing them with a permissive callback, is what this rule reports.
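      The checks above, as an added worked example in Python (this is not code from the RSPEC page or from SonarSource's analyzers): the disabled configuration beside the library-default one, a run-time guard, and a small AST-based detector for the noncompliant patterns the rule describes. The helper names (`insecure_context`, `secure_context`, `validation_enabled`, `tls_connect`, `find_disabled_verification`) and the two source snippets the detector scans are constructed for this example.

```python
"""Disabled vs. enabled server-certificate validation in Python's ssl module,
plus a syntactic detector for the noncompliant patterns.  Added example; the
helper names and the two scanned source snippets are constructed for it."""
import ast
import socket
import ssl

# --- The weak setting beside the corrected one -----------------------------

def insecure_context() -> ssl.SSLContext:
    """The 'before': skips chain validation and hostname matching.
    Any on-path attacker can present any certificate and be accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE, or ssl raises
    ctx.verify_mode = ssl.CERT_NONE  # noncompliant: no chain validation at all
    return ctx

def secure_context() -> ssl.SSLContext:
    """The 'after': the library's built-in validation against the system trust
    store (CERT_REQUIRED) with hostname matching left on."""
    return ssl.create_default_context()

def validation_enabled(ctx: ssl.SSLContext) -> bool:
    """Run-time guard for a startup check or test suite (hypothetical helper)."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def tls_connect(host: str, port: int = 443) -> dict:
    """Hypothetical helper: open a verified TLS connection and return the
    peer certificate.  ssl raises SSLCertVerificationError if the chain or
    hostname does not validate; this function is not exercised offline."""
    ctx = secure_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        # server_hostname drives both SNI and the hostname check
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# --- Syntactic detector for the patterns the rule flags ---------------------

def find_disabled_verification(source: str) -> list:
    """Return sorted (lineno, reason) pairs for code that switches off
    certificate validation.  Purely syntactic, like the rule itself."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            # requests.get(..., verify=False) and similar keyword switches
            for kw in node.keywords:
                if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is False):
                    findings.append((node.lineno, "verify=False"))
            # ssl._create_unverified_context()
            if (isinstance(node.func, ast.Attribute)
                    and node.func.attr == "_create_unverified_context"):
                findings.append((node.lineno, "ssl._create_unverified_context()"))
        elif isinstance(node, ast.Assign):
            for target in node.targets:
                if not isinstance(target, ast.Attribute):
                    continue
                # ctx.verify_mode = ssl.CERT_NONE
                if (target.attr == "verify_mode"
                        and isinstance(node.value, ast.Attribute)
                        and node.value.attr == "CERT_NONE"):
                    findings.append((node.lineno, "verify_mode = CERT_NONE"))
                # ctx.check_hostname = False
                if (target.attr == "check_hostname"
                        and isinstance(node.value, ast.Constant)
                        and node.value.value is False):
                    findings.append((node.lineno, "check_hostname = False"))
    return sorted(findings)

# Constructed inputs for the detector (not taken from any real project).
NONCOMPLIANT_SAMPLE = """\
import requests, ssl
requests.get("https://example.com", verify=False)
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
unverified = ssl._create_unverified_context()
"""

COMPLIANT_SAMPLE = """\
import requests, ssl
requests.get("https://example.com")
ctx = ssl.create_default_context()
"""

if __name__ == "__main__":
    for lineno, reason in find_disabled_verification(NONCOMPLIANT_SAMPLE):
        print(f"line {lineno}: {reason}")
    print("compliant sample findings:", find_disabled_verification(COMPLIANT_SAMPLE))
    print("default context validates:", validation_enabled(secure_context()))
```

      The detector is deliberately syntactic, matching the rule's own analysis level: it does not follow data flow, so a `verify` value computed elsewhere or a context built by a wrapper function is not reported. The order of the two assignments in `insecure_context` is also a useful caveat: `ssl` refuses to set `verify_mode = CERT_NONE` while `check_hostname` is still on, so code that disables validation always disables hostname matching first.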

          Issue Links

          1. Python: RSPEC-5436 (Language-Specification, Active)
          2. PHP: RSPEC-4831 (Language-Specification, Active)
          3. Java: RSPEC-5529 (Language-Specification, Active)
          4. Kotlin: RSPEC-5534 (Language-Specification, Active)
          5. C#: RSPEC-5582 (Language-Specification, Active)
          6. VB.Net: RSPEC-5637 (Language-Specification, Active)
          7. JavaScript: RSPEC-5668 (Language-Specification, Active)
          8. C-Family: RSPEC-5881 (Language-Specification, Active)

              Reporter:
              Alexandre Gigleux