tls-disabled-cert-validation
Ensure TLS validation is enabled
Explicitly disabling TLS certificate validation is highly risky because it makes otherwise secure connections subject to eavesdropping and data manipulation by anyone positioned between the client and the server. The outcome is that the connection is no more secure than it would be if it were using plain HTTP. The only potentially valid reason for disabling it might be to simplify debugging or testing, but even in that case it is preferable to trust a dedicated test root certificate rather than to turn validation off.
Examples
Insecure Example
package main
import (
"crypto/tls"
"fmt"
"io/ioutil"
"net/http"
)
// main fetches a page from a host that presents a self-signed certificate
// while certificate verification is switched off, so the request succeeds
// even though the server's identity was never checked.
func main() {
	// InsecureSkipVerify turns off both chain and hostname verification:
	// any certificate the peer presents is accepted, including one produced
	// by an on-path attacker.
	cfg := &tls.Config{
		InsecureSkipVerify: true, // Disable TLS certificate validation
	}
	transport := &http.Transport{TLSClientConfig: cfg}
	client := &http.Client{Transport: transport}

	// The server at this address is using self-signed certificate
	resp, err := client.Get("https://self-signed.badssl.com/")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer resp.Body.Close()

	// The read error is ignored on purpose, exactly as in the original snippet.
	body, _ := ioutil.ReadAll(resp.Body)
	fmt.Println(">>> Data received over insecure connection (no certificate validation)")
	fmt.Println(string(body))
}
package com.bigcorp.verify;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;
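/**
 * Hostname verifier that accepts every hostname.
 * <p>
 * {@link #verify} never inspects the session's peer certificate, so the
 * server's identity is not checked at all: a connection to any host, including
 * one interposed by an attacker, is accepted as long as a TLS handshake
 * completes.
 */
public class AllHosts implements HostnameVerifier {
    /**
     * Accepts the given hostname unconditionally.
     *
     * @param hostname the host the client intended to reach (ignored)
     * @param session  the negotiated TLS session (ignored)
     * @return always {@code true}
     */
    @Override
    public boolean verify(final String hostname, final SSLSession session) {
        // This will accept any certificate, making connections insecure
        return true;
    }
}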
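import ssl
import http.client

# ssl._create_unverified_context() is a private helper that returns a context
# with check_hostname=False and verify_mode=CERT_NONE: the server certificate is
# never checked, so the connection is open to interception.
context = ssl._create_unverified_context()
# "httplib.client" is not an importable module (Python 2 has "httplib",
# Python 3 has "http.client"); the Python 3 name is used here.
conn = http.client.HTTPSConnection("123.123.21.21", context=context)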
require "net/https"
require "uri"

# The server at this address is using self-signed certificate
uri = URI.parse("https://self-signed.badssl.com/")

# VERIFY_NONE turns certificate validation off: whatever certificate the peer
# presents is accepted unchecked, so the session can be intercepted.
response = Net::HTTP.start(uri.host, uri.port, use_ssl: true, verify_mode: OpenSSL::SSL::VERIFY_NONE) do |http|
  http.request(Net::HTTP::Get.new(uri.request_uri))
end

# This will print data received over insecure connection
puts response.body
Secure Example
package main
import (
"crypto/tls"
"fmt"
"io/ioutil"
"net/http"
)
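// main performs the same request with certificate verification left at its
// default (enabled). Against the self-signed host the TLS handshake is
// expected to fail, so the error branch below is the path that should run.
func main() {
	client := &http.Client{
		Transport: &http.Transport{
			// An empty tls.Config keeps the defaults: the certificate chain
			// and the hostname are verified against the system root store.
			// Do not set InsecureSkipVerify here. To test against a server
			// with a self-signed certificate, add that certificate to RootCAs
			// instead of disabling verification.
			TLSClientConfig: &tls.Config{},
		},
	}

	// The server at this address is using self-signed certificate
	resp, err := client.Get("https://self-signed.badssl.com/")
	if err != nil {
		// With default configuration, the connection will not be established and an error will be returned.
		fmt.Println(err)
		return
	}
	defer resp.Body.Close()

	// Only reached if the chain verified, which it should not for this host.
	// The read error is no longer discarded: a truncated body would otherwise
	// be printed as if it were complete. (io.ReadAll replaces ioutil.ReadAll
	// on Go 1.16+.)
	body, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(">>> Data received over insecure connection (no certificate validation) !!! This should not be called.")
	fmt.Println(string(body))
}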
package verify;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;
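/**
 * Hostname verifier that only accepts {@code "localhost"}.
 * <p>
 * Prefer the platform's default verifier, which matches the requested host
 * against the names in the server certificate. This class accepts
 * {@code "localhost"} without looking at the certificate, so it is only
 * acceptable in a controlled test environment and must never be part of a
 * production configuration.
 */
public class LocalHost implements HostnameVerifier {
    /**
     * Accepts the connection only when the requested host is {@code "localhost"}.
     *
     * @param hostname the host the client intended to reach; may be {@code null}
     * @param session  the negotiated TLS session (not inspected)
     * @return {@code true} only for {@code "localhost"}; {@code false} for any
     *         other value, including {@code null}
     */
    @Override
    public boolean verify(final String hostname, final SSLSession session) {
        // Constant-first comparison: a null hostname is rejected instead of
        // throwing a NullPointerException out of the TLS handshake.
        return "localhost".equals(hostname);
    }
}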
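import http.client

# With no explicit context, HTTPSConnection uses ssl.create_default_context():
# the certificate chain and hostname are verified against the system trust store.
# ("httplib.client" is not an importable module; Python 3's name is "http.client".)
conn = http.client.HTTPSConnection("123.123.21.21")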
require "net/https"
require "uri"

# The server at this address is using self-signed certificate
uri = URI.parse("https://self-signed.badssl.com/")

begin
  # VERIFY_PEER keeps certificate validation enabled. It is already the default
  # once use_ssl is on, so spelling it out only documents the intent.
  response = Net::HTTP.start(uri.host, uri.port, use_ssl: true, verify_mode: OpenSSL::SSL::VERIFY_PEER) do |http|
    http.request(Net::HTTP::Get.new(uri.request_uri))
  end
  puts response.body
rescue StandardError => e
  # Expected outcome for a self-signed certificate: the handshake is rejected
  # and the resulting OpenSSL::SSL::SSLError (a StandardError) lands here.
  puts e
end