SV.ECV
This checker detects cases of empty SSL certificate validation.
SV.ECV defects are reported on classes trivially implementing “verify” methods of the org.apache.http.conn.ssl.X509HostnameVerifier interface.
Vulnerability and risk
When certificate validation is empty, every SSL certificate is treated as valid. This makes a man-in-the-middle attack possible, allowing an intruder to gain access to data that should be protected by the connection.
Mitigation and prevention
To prevent the issue, the “verify” methods of a class implementing the X509HostnameVerifier interface should perform actual validation; they should not be empty or consist of a single return statement. We recommend properly overriding HostnameVerifier.verify() so that it checks that the certificate’s hostname-specific data matches the server hostname.
Vulnerable code example
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import org.apache.http.conn.ssl.X509HostnameVerifier;

class AcceptAll {
    // Every verify() overload either does nothing or returns true, so no hostname is ever rejected.
    private static X509HostnameVerifier ACCEPT_ALL_HOSTNAMES =
        new X509HostnameVerifier() {
            public void verify(String host, String[] cns, String[] subjectAlts) throws SSLException {
            }
            public void verify(String host, X509Certificate cert) throws SSLException {
            }
            public void verify(String host, SSLSocket ssl) throws IOException {
            }
            public boolean verify(String host, SSLSession session) {
                return true;
            }
        };
}
In this example, X509HostnameVerifier is set to accept all hostnames.
Vulnerable code example 2
import javax.net.ssl.*;
import java.security.cert.*;
class Host {
private static void disableSSLVerification(HttpsURLConnection connection) {
connection.setHostnameVerifier(new HostnameVerifier() {
public boolean verify(String hostname, SSLSession session) {
return true;
}
});
}
}
Klocwork reports an SV.ECV defect on line 8, indicating, "Method verify does nothing".
Fixed code example 2
import java.io.IOException;
import java.net.URL;
import javax.net.ssl.*;
import java.security.cert.*;

class Host {
    private static void retrieve(URL u) throws IOException {
        HttpsURLConnection uc = (HttpsURLConnection) u.openConnection();
        uc.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                boolean valid = false; // fail closed unless the checks below succeed
                try {
                    String expectedHostname = hostname.toLowerCase();
                    //...
                } catch (Exception ex) {
                    // any failure leaves valid == false
                }
                return valid;
            }
        });
    }
}
After making HostnameVerifier.verify() return "false" by default, and true only once the expected hostname has been matched, the issue is gone.
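The fixed example above elides the actual hostname comparison. The following is an added example, not code from the Klocwork documentation or from any Klocwork product, showing one complete way to carry out the check the mitigation section describes: the verifier defaults to false and returns true only when a dNSName entry in the server certificate's subject alternative names matches the requested hostname. The class name SanHostnameVerifier and the helper names are assumptions of this example; it uses only standard JDK APIs (javax.net.ssl and java.security.cert).

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

/**
 * Added example (not from the Klocwork page): a HostnameVerifier whose verify()
 * defaults to false and returns true only when the server's leaf certificate
 * carries a dNSName subjectAltName matching the requested hostname.
 */
public final class SanHostnameVerifier implements HostnameVerifier {

    private static final int SAN_DNS_NAME = 2; // GeneralName type for dNSName (RFC 5280)

    @Override
    public boolean verify(String hostname, SSLSession session) {
        boolean valid = false; // fail closed: nothing has matched yet
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return false;
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            String expected = hostname.toLowerCase(Locale.ROOT);
            valid = matchesAnyDnsSan(leaf, expected);
        } catch (SSLPeerUnverifiedException | CertificateParsingException ex) {
            // Peer was not authenticated or the SAN extension is unreadable: no match.
            valid = false;
        }
        return valid;
    }

    /** True if any dNSName SAN entry of the certificate matches the expected hostname. */
    static boolean matchesAnyDnsSan(X509Certificate cert, String expected)
            throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            return false; // no SAN extension: do not fall back to the subject CN
        }
        for (List<?> san : sans) {
            Integer type = (Integer) san.get(0);
            if (type == SAN_DNS_NAME && san.get(1) instanceof String) {
                String pattern = ((String) san.get(1)).toLowerCase(Locale.ROOT);
                if (matchesPattern(pattern, expected)) {
                    return true;
                }
            }
        }
        return false;
    }

    /** Exact match, or a single leftmost wildcard label such as "*.example.com". */
    static boolean matchesPattern(String pattern, String host) {
        if (!pattern.startsWith("*.")) {
            return pattern.equals(host);
        }
        String suffix = pattern.substring(1); // ".example.com"
        if (!host.endsWith(suffix)) {
            return false;
        }
        String prefix = host.substring(0, host.length() - suffix.length());
        // The wildcard must cover exactly one non-empty label, never "example.com" itself
        // and never "a.b.example.com".
        return !prefix.isEmpty() && !prefix.contains(".");
    }
}
```

Install it with uc.setHostnameVerifier(new SanHostnameVerifier()) in place of the anonymous class in the fixed example. Note that with HttpsURLConnection the JDK performs its own hostname check first and consults the installed HostnameVerifier only when that check has already failed, which is why a verify() that simply returns true disables the protection entirely; the example above only handles DNS names, so a target given as an IP literal would need the iPAddress SAN type to be checked as well.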
External guidance
- CWE-295: Improper Certificate Validation
- DISA STIG version 5
- OWASP A6:2017 Security Misconfiguration
- OWASP A2:2021 Cryptographic Failures
- OWASP A5:2021 Security Misconfiguration
- OWASP A7:2021 Identification and Authentication Failures
- V-222555 (APSC-DV-001860): The application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
Security training
Application security training materials provided by Secure Code Warrior.