A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.
When the expiration of a certificate is not taken into account, no trust has necessarily been conveyed through it. Therefore, the validity of the certificate cannot be verified and all benefit of the certificate is lost.
Threat Mapped score: 0.0
Industry: Finiancial
Threat priority: Unclassified
N/A
N/A
| Phase | Note |
|---|---|
| Implementation | When the software uses certificate pinning, the developer might not properly validate all relevant components of the certificate before pinning the certificate. This can make it difficult or expensive to test after the pinning is complete. |
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
Intro: The following OpenSSL code ensures that there is a certificate and allows the use of expired certificates.
Body: If the call to SSL_get_verify_result() returns X509_V_ERR_CERT_HAS_EXPIRED, this means that the certificate has expired. As time goes on, there is an increasing chance for attackers to compromise the certificate.
if (cert = SSL_get_peer(certificate(ssl)) { foo=SSL_get_verify_result(ssl); if ((X509_V_OK==foo) || (X509_V_ERR_CERT_HAS_EXPIRED==foo)) //do stuff