Missing Validation of OpenSSL Certificate
The software uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements.
This could allow an attacker to use an invalid certificate to claim to be a trusted host, use expired certificates, or conduct other attacks that could be detected if the certificate is properly validated.
The following examples help to illustrate the nature of this weakness and describe methods or techniques which can be used to mitigate the risk.
Note that the examples here are by no means exhaustive and any given weakness may have many subtle varieties, each of which may require different detection methods or runtime controls.
The following OpenSSL code ensures that the host has a certificate.
Note that the code does not call SSL_get_verify_result(ssl), which effectively disables the validation step that checks the certificate.
Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that ex...
This category identifies Software Fault Patterns (SFPs) within the Digital Certificate cluster.
This view (slice) covers all the elements in CWE.
CWE identifiers in this view are weaknesses that do not have associated Software Fault Patterns (SFPs), as covered by the CWE-888 view. As such, they represent gaps in...
This view (slice) lists weaknesses that can be introduced during implementation.