Trust of OpenSSL Certificate Without Validation
Weakness ID: 599 (Weakness Variant)Status: Incomplete
+ Description

Description Summary

The failure to validate certificate data may mean that an attacker may be claiming to be a host which it is not.
+ Time of Introduction
  • Architecture and Design
  • Implementation
+ Common Consequences

the data read may not be properly secured, it might be viewed by an attacker.


trust afforded to the system in question may allow for spoofing or redirection attacks.

+ Demonstrative Examples

Example 1

(Bad Code)
Example Language:
if (!(cert = SSL_get_peer(certificate(ssl)) || !host))
//if ((X509_V_OK==foo)
+ Potential Mitigations

Phase: Architecture and Design

Ensure that proper authentication is included in the system design.

Phase: Implementation

Understand and properly implement all checks necessary to ensure the identity of entities involved in encrypted communications.

+ Other Notes

If the certificate is not checked, it may be possible for a redirection or spoofing attack to allow a malicious host with a valid certificate to provide data under the guise of a trusted host. While the attacker in question may have a valid certificate, it may simply be a valid certificate for a different site. In order to ensure data integrity, we must check that the certificate is valid, and that it pertains to the site we wish to access.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness BaseWeakness Base297Improper Validation of Host-specific Certificate Data
Development Concepts (primary)699
Research Concepts (primary)1000
+ Content History
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Common Consequences, Relationships, Other Notes
2009-03-10CWE Content TeamMITREInternal
updated Relationships
2009-07-27CWE Content TeamMITREInternal
updated Relationships
Previous Entry Names
Change DatePrevious Entry Name
2008-04-11No OpenSSL Certificate Check Performed before Use