SV.ECV

This checker detects cases of empty SSL certificate validation.

SV.ECV defects are reported on classes trivially implementing “verify” methods of the org.apache.http.conn.ssl.X509HostnameVerifier interface.

Vulnerability and risk

In case certificate validation is empty, all SSL certificates are considered as valid. This allows the possibility of a man-in-the-middle attack, so that an intruder can get an access to secure data.

Mitigation and prevention

To prevent the issue, “verify” methods of a class, implementing X509HostnameVerifier interface, should perform actual validation and not be empty or consist of a single return statement.

Vulnerable code example

Copy

1
2
3
4
5
6
7
8
9
10
11
12
private static X509HostnameVerifier ACCEPT_ALL_HOSTNAMES =  
    new X509HostnameVerifier() {
        public void verify(String host, String[] cns, String[] subjectAlts) throws SSLException {
        }
        public void verify(String host, X509Certificate cert) throws SSLException {
        }
        public void verify(String host, SSLSocket ssl) throws IOException {
        }
        public boolean verify(String host, SSLSession session) { 
        return true;
    }
};

External guidance

CWE-295: Improper Certificate Validation

Security training

Application security training materials provided by Secure Code Warrior.

Weak Certificate Validation Training Video - Test your skills with a training example