org.sonar.l10n.py.rules.python.S4830.html Maven / Gradle / Ivy
This vulnerability makes it possible that an encrypted communication is intercepted.
Why is this an issue?
Transport Layer Security (TLS) provides secure communication between systems over the internet by encrypting the data sent between them.
Certificate validation adds an extra layer of trust and security to this process to ensure that a system is indeed the one it claims to be.
When certificate validation is disabled, the client skips a critical security check. This creates an opportunity for attackers to pose as a trusted
entity and intercept, manipulate, or steal the data being transmitted.
What is the potential impact?
Establishing trust in a secure way is a non-trivial task. When you disable certificate validation, you are removing a key mechanism designed to
build this trust in internet communication, opening your system up to a number of potential threats.
Identity spoofing
If a system does not validate certificates, it cannot confirm the identity of the other party involved in the communication. An attacker can
exploit this by creating a fake server and masquerading as a legitimate one. For example, they might set up a server that looks like your bank’s
server, tricking your system into thinking it is communicating with the bank. This scenario, called identity spoofing, allows the attacker to collect
any data your system sends to them, potentially leading to significant data breaches.
Loss of data integrity
When TLS certificate validation is disabled, the integrity of the data you send and receive cannot be guaranteed. An attacker could modify the data
in transit, and you would have no way of knowing. This could range from subtle manipulations of the data you receive to the injection of malicious
code or malware into your system. The consequences of such breaches of data integrity can be severe, depending on the nature of the data and the
system.
How to fix it in Python Standard Library
Code examples
The following code contains examples of disabled certificate validation.
Certificate validation is not enabled by default when _create_unverified_context
is used. It is recommended to use
_create_default_https_context
instead to create a secure context that validates certificates.
Noncompliant code example
import ssl
ctx1 = ssl._create_unverified_context() # Noncompliant
ctx2 = ssl._create_stdlib_context() # Noncompliant
ctx3 = ssl.create_default_context()
ctx3.verify_mode = ssl.CERT_NONE # Noncompliant
Compliant solution
import ssl
ctx = ssl.create_default_context()
ctx.verify_mode = ssl.CERT_REQUIRED
# By default, certificate validation is enabled
ctx = ssl._create_default_https_context()
How does this work?
Addressing the vulnerability of disabled TLS certificate validation primarily involves re-enabling the default validation.
To avoid running into problems with invalid certificates, consider the following sections.
Using trusted certificates
If possible, always use a certificate issued by a well-known, trusted CA for your server. Most programming environments come with a predefined list
of trusted root CAs, and certificates issued by these authorities are validated automatically. This is the best practice, and it requires no
additional code or configuration.
Working with self-signed certificates or non-standard CAs
In some cases, you might need to work with a server using a self-signed certificate, or a certificate issued by a CA not included in your trusted
roots. Rather than disabling certificate validation in your code, you can add the necessary certificates to your trust store.
How to fix it in OpenSSL
Code examples
The following code contains examples of disabled certificate validation.
Certificate validation is not enabled by default and has to be explicitly enabled through set_verify
.
Noncompliant code example
from OpenSSL import SSL
ctx1 = SSL.Context(SSL.TLSv1_2_METHOD) # Noncompliant
ctx2 = SSL.Context(SSL.TLSv1_2_METHOD)
ctx2.set_verify(SSL.VERIFY_NONE, verify_callback) # Noncompliant
Compliant solution
from OpenSSL import SSL
ctx = SSL.Context(SSL.TLSv1_2_METHOD)
ctx.set_verify(SSL.VERIFY_PEER, verify_callback)
ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback)
ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT | SSL.VERIFY_CLIENT_ONCE, verify_callback)
How does this work?
Addressing the vulnerability of disabled TLS certificate validation primarily involves re-enabling the default validation.
To avoid running into problems with invalid certificates, consider the following sections.
Using trusted certificates
If possible, always use a certificate issued by a well-known, trusted CA for your server. Most programming environments come with a predefined list
of trusted root CAs, and certificates issued by these authorities are validated automatically. This is the best practice, and it requires no
additional code or configuration.
Working with self-signed certificates or non-standard CAs
In some cases, you might need to work with a server using a self-signed certificate, or a certificate issued by a CA not included in your trusted
roots. Rather than disabling certificate validation in your code, you can add the necessary certificates to your trust store.
How to fix it in Requests
Code examples
The following code contains examples of disabled certificate validation.
The certificate validation gets disabled by setting verify
to False
. To enable validation set the value to
True
or do not set verify
at all to use the secure default value.
Noncompliant code example
import requests
requests.request('GET', 'https://example.com', verify=False) # Noncompliant
Compliant solution
import requests
# By default, certificate validation is enabled
requests.request('GET', 'https://example.com')
How does this work?
Addressing the vulnerability of disabled TLS certificate validation primarily involves re-enabling the default validation.
To avoid running into problems with invalid certificates, consider the following sections.
Using trusted certificates
If possible, always use a certificate issued by a well-known, trusted CA for your server. Most programming environments come with a predefined list
of trusted root CAs, and certificates issued by these authorities are validated automatically. This is the best practice, and it requires no
additional code or configuration.
Working with self-signed certificates or non-standard CAs
In some cases, you might need to work with a server using a self-signed certificate, or a certificate issued by a CA not included in your trusted
roots. Rather than disabling certificate validation in your code, you can add the necessary certificates to your trust store.
How to fix it in aiohttp
Code examples
The following code contains examples of disabled certificate validation.
The certificate validation gets disabled by setting verify_ssl
to False
. To enable validation set the value to
True
or do not set verify_ssl
at all to use the secure default value.
Noncompliant code example
import aiohttp
async def example():
async with aiohttp.ClientSession() as session:
session.get("https://example.com", verify_ssl=False) # Noncompliant
Compliant solution
import aiohttp
# By default, certificate validation is enabled
async def example():
async with aiohttp.ClientSession() as session:
session.get("https://example.com")
How does this work?
Addressing the vulnerability of disabled TLS certificate validation primarily involves re-enabling the default validation.
To avoid running into problems with invalid certificates, consider the following sections.
Using trusted certificates
If possible, always use a certificate issued by a well-known, trusted CA for your server. Most programming environments come with a predefined list
of trusted root CAs, and certificates issued by these authorities are validated automatically. This is the best practice, and it requires no
additional code or configuration.
Working with self-signed certificates or non-standard CAs
In some cases, you might need to work with a server using a self-signed certificate, or a certificate issued by a CA not included in your trusted
roots. Rather than disabling certificate validation in your code, you can add the necessary certificates to your trust store.
How to fix it in HTTPX
Code examples
The following code contains examples of disabled certificate validation.
The certificate validation gets disabled by setting verify
to False
. To enable validation set the value to
True
or do not set verify
at all to use the secure default value.
Noncompliant code example
import httpx
httpx.get('https://example.com', verify=False) # Noncompliant
Compliant solution
import httpx
# By default, certificate validation is enabled
httpx.get('https://example.com')
How does this work?
Addressing the vulnerability of disabled TLS certificate validation primarily involves re-enabling the default validation.
To avoid running into problems with invalid certificates, consider the following sections.
Using trusted certificates
If possible, always use a certificate issued by a well-known, trusted CA for your server. Most programming environments come with a predefined list
of trusted root CAs, and certificates issued by these authorities are validated automatically. This is the best practice, and it requires no
additional code or configuration.
Working with self-signed certificates or non-standard CAs
In some cases, you might need to work with a server using a self-signed certificate, or a certificate issued by a CA not included in your trusted
roots. Rather than disabling certificate validation in your code, you can add the necessary certificates to your trust store.
Resources
Standards
- OWASP - Top 10 2021 Category A2 - Cryptographic Failures
- OWASP - Top 10 2021 Category A5 - Security Misconfiguration
- OWASP - Top 10 2021 Category A7 - Identification and
Authentication Failures
- OWASP - Top 10 2017 Category A3 - Sensitive Data
Exposure
- OWASP - Top 10 2017 Category A6 - Security
Misconfiguration
- OWASP - Mobile Top 10 2016 Category M3 - Insecure
Communication
- OWASP - Mobile AppSec Verification Standard - Network Communication Requirements
- CWE - CWE-295 - Improper Certificate Validation
- STIG Viewer - Application Security and
Development: V-222550 - The application must validate certificates by constructing a certification path to an accepted trust anchor.