CS.X509.REVOCATION

Certificate revocation list check is disabled

The CS.X509.REVOCATION checker detects instances of the System.Net.Http.HttpClient class that use a platform-specific handler (System.Net.Http.WinHttpHandler or System.Net.Http.HttpClientHandler) whose CheckCertificateRevocationList property is not set to true. This condition allows revoked certificates to be accepted by the HttpClient as valid.

Vulnerability and risk

An improper check for certificate revocation is a far more serious flaw than related certificate failures. This is because the use of any revoked certificate is almost certainly malicious. The most common reason for certificate revocation is compromise of the system in question, with the result that no legitimate servers will be using a revoked certificate, unless they are sorely out of sync.

Mitigation and prevention

Always set the System.Net.Http.HttpClientHandler.CheckCertificateRevocationList property to true explicitly.

Vulnerable code example

1  using System.Net.Http;
2   
3  class ExampleClass
4  {
5      void ExampleMethod()
6      {
7          WinHttpHandler winHttpHandler = new WinHttpHandler();
8          winHttpHandler.CheckCertificateRevocationList = false; // Certificate revocation list check is disabled
9          HttpClient httpClient = new HttpClient(winHttpHandler);
10     }
11 }

In this example, Klocwork reports a CS.X509.REVOCATION defect on line 8, indicating, "Certificate revocation list check is disabled by setting 'CheckCertificateRevocationList' property with 'false'."

Fixed code example

1  using System.Net.Http;
2   
3  class ExampleClass
4  {
5      void ExampleMethod()
6      {
7          WinHttpHandler winHttpHandler = new WinHttpHandler();
8          winHttpHandler.CheckCertificateRevocationList = true;
9          HttpClient httpClient = new HttpClient(winHttpHandler);
10     }
11 }

Security training

Application security training materials provided by Secure Code Warrior.