SV.ECV

This checker detects cases of empty SSL certificate validation.

SV.ECV defects are reported on classes trivially implementing “verify” methods of the org.apache.http.conn.ssl.X509HostnameVerifier interface.

Vulnerability and risk

When a certificate validation is empty, all SSL certificates are considered as valid. This allows the possibility of a man-in-the-middle attack, allowing an intruder to gain access to secure data.

Mitigation and prevention

To prevent the issue, “verify” methods of a class implementing X509HostnameVerifier interface should perform an actual validation; it should not be empty or consist of a single return statement. We recommend properly overriding the HostnameVerifier.verify() to check that the certificate’s hostname-specific data matches the server hostname.

Vulnerable code example

Copy
private static X509HostnameVerifier ACCEPT_ALL_HOSTNAMES =  
    new X509HostnameVerifier() {
        public void verify(String host, String[] cns, String[] subjectAlts) throws SSLException {
        }
        public void verify(String host, X509Certificate cert) throws SSLException {
        }
        public void verify(String host, SSLSocket ssl) throws IOException {
        }
        public boolean verify(String host, SSLSession session) { 
        return true;
    }
};

In this example, X509HostnameVerifier is set to accept all hostnames.

Vulnerable code example 2

Copy
import javax.net.ssl.*;
import java.security.cert.*;
 
class Host {
 
    private static void disableSSLVerification(HttpsURLConnection connection) {
        connection.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        });
  }
}

Klocwork reports an SV.ECV defect on line 8, indicating, "Method verify does nothing".

Fixed code example 2

Copy
import javax.net.ssl.*;
import java.security.cert.*;

class Host {
 
    private static void retrieve() {
        HttpsURLConnection uc = (HttpsURLConnection) u.openConnection();
        uc.setHostnameVerifier(new HostnameVerifier() {
 
            public boolean verify(String hostname, SSLSession session) {
                boolean valid = false;
                try {
                    String expectedHostname = hostname.toLowerCase();
                    //...
                } catch (Exception ex) {
                }
            }
        });
    }
}

After specifying the HostnameVerifier.verify() as "false" and providing the correct hostname, the issue is gone.

Security training

Application security training materials provided by Secure Code Warrior.