Improper Validation of Certificate Expiration
Weakness ID: 298 (Weakness Base)Status: Draft
+ Description

Description Summary

A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.

Extended Description

When the expiration of a certificate is not taken into account no trust has necessarily been conveyed through it. Therefore, the validity of the certificate cannot be verified and all benefit of the certificate is lost.

+ Time of Introduction
  • Architecture and Design
+ Applicable Platforms



+ Common Consequences

The data read from the system vouched for by the expired certificate may be flawed due to malicious spoofing.


Trust afforded to the system in question -- based on the expired certificate -- may allow for spoofing attacks.

+ Likelihood of Exploit


+ Demonstrative Examples

Example 1

(Bad Code)
Example Languages: C and C++ 
if (!(cert = SSL_get_peer(certificate(ssl)) || !host) foo=SSL_get_verify_result(ssl);
if ((X509_V_OK==foo) || (X509_V_ERRCERT_NOT_YET_VALID==foo)) //do stuff
+ Potential Mitigations

Phase: Architecture and Design

Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory295Certificate Issues
Development Concepts (primary)699
ChildOfWeakness BaseWeakness Base672Operation on a Resource after Expiration or Release
Research Concepts (primary)1000
ChildOfCategoryCategory724OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
Weaknesses in OWASP Top Ten (2004) (primary)711
ChildOfWeakness ClassWeakness Class754Improper Check for Unusual or Exceptional Conditions
Research Concepts1000
PeerOfWeakness BaseWeakness Base296Improper Following of Chain of Trust for Certificate Validation
Research Concepts1000
PeerOfWeakness BaseWeakness Base297Improper Validation of Host-specific Certificate Data
Research Concepts1000
PeerOfWeakness BaseWeakness Base299Improper Check for Certificate Revocation
Research Concepts1000
PeerOfWeakness BaseWeakness Base322Key Exchange without Entity Authentication
Research Concepts1000
PeerOfWeakness BaseWeakness Base324Use of a Key Past its Expiration Date
Research Concepts1000
PeerOfWeakness BaseWeakness Base370Missing Check for Certificate Revocation after Initial Check
Research Concepts1000
+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
CLASPFailure to validate certificate expiration
+ Content History
Submission DateSubmitterOrganizationSource
CLASPExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Common Consequences, Relationships, Other Notes, Taxonomy Mappings
2009-03-10CWE Content TeamMITREInternal
updated Description, Name, Relationships
2009-05-27CWE Content TeamMITREInternal
updated Demonstrative Examples
2009-07-27CWE Content TeamMITREInternal
updated Demonstrative Examples
2009-10-29CWE Content TeamMITREInternal
updated Description, Other Notes
Previous Entry Names
Change DatePrevious Entry Name
2009-03-10Failure to Validate Certificate Expiration