Difference between revisions of "Failure to validate certificate expiration"

Jump to: navigation, search
(Reverting to last version not containing links to www.textrodarb.com)
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
[[ASDR Table of Contents]]
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''
[[Category:FIXME|This is the text from the old template. This needs to be rewritten using the new template.]]
[[ASDR_TOC_Vulnerabilities|Vulnerabilities Table of Contents]]

Latest revision as of 12:30, 27 May 2009

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.

Last revision (mm/dd/yy): 05/27/2009

Vulnerabilities Table of Contents


The failure to validate certificate operation may result in trust being assigned to certificates which have been abandoned due to age.


  • Integrity: The data read from the system vouched for by the expired certificate may be flawed due to malicious spoofing.
  • Authentication: Trust afforded to the system in question - based on the expired certificate - may allow for spoofing attacks.

Exposure period

  • Design: Certificate expiration handling should be performed in the design phase.


  • Languages: All
  • Platforms: All

Required resources

Minor trust: Users must attempt to interact with the malicious system.



Likelihood of exploit


When the expiration of a certificate is not taken in to account, no trust has necessarily been conveyed through it; therefore, all benefit of certificate is lost.

Risk Factors



if (!(cert = SSL_get_peer(certificate(ssl)) || !host)
  if ((X509_V_OK==foo) || (X509_V_ERRCERT_NOT_YET_VALID==foo))
//do stuff 

Related Attacks

Related Vulnerabilities

Related Controls

  • Design: Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.

Related Technical Impacts


Note: A reference to related CWE or CAPEC article should be added when exists. Eg: