TLS/SSL certificate verification disabled
ID | rust.tls.ssl_verify_disabled
Severity | high
Resource | Tls
Language | Rust
Description
TLS/SSL certificate verification is disabled or weakened. This allows man-in-the-middle attacks where an attacker can intercept and modify encrypted traffic. Always verify server certificates in production. If testing with self-signed certificates, use a custom CA bundle instead of disabling verification entirely.
Rationale
A TLS handshake only authenticates the server if the client checks that the presented certificate chains to a trusted root and matches the expected hostname. When that check is switched off, with openssl's SslVerifyMode::NONE, an accept-everything verifier installed through rustls's DangerousClientConfig, or reqwest's danger_accept_invalid_certs(true), the client completes the handshake with whoever answers. The session is then encrypted to an unauthenticated party: an on-path attacker can terminate the connection, read and alter the plaintext, and re-encrypt it towards the real server without either side noticing. Such settings are typically added to reach a staging host with a self-signed certificate and then shipped unchanged; the right fix is to trust that specific certificate or private CA explicitly while leaving verification on.
The following code illustrates a vulnerable pattern detected by this rule:
use openssl::ssl::{SslConnector, SslMethod};

fn bad_openssl_verify_none() {
    // VULNERABLE: TLS/SSL certificate verification disabled.
    // NONE makes the connector accept any certificate, including an attacker's.
    let mut builder = SslConnector::builder(SslMethod::tls()).unwrap();
    builder.set_verify(openssl::ssl::SslVerifyMode::NONE);
}
Remediation
Keep peer verification enabled in every build and make the trust decision explicit instead of disabling it:
- openssl: keep the builder's default (or set) SslVerifyMode::PEER and add the private CA or self-signed certificate with set_ca_file on the builder, so the chain and the hostname are still verified.
- reqwest: do not call danger_accept_invalid_certs(true) or danger_accept_invalid_hostnames(true); load the CA with reqwest::Certificate::from_pem and pass it to ClientBuilder::add_root_certificate.
- rustls: build the ClientConfig from a RootCertStore that contains the CA rather than installing a custom certificate verifier through dangerous().
If a test genuinely needs verification off, gate it behind a build feature or test-only configuration that cannot be enabled in production, and review any custom verify callback to confirm it does not discard the verification result. See the references below for the relevant API documentation.
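As an added example (it is not the implementation of this rule and not code from the referenced crates), the following stand-alone Rust program approximates the detection this rule performs over the vulnerable pattern shown above and over a hardened variant of the same code. The list of flagged idioms, the Confidence levels, and both embedded sample sources are assumptions constructed for the example; the HARDENED sample shows the remediation (set_ca_file plus SslVerifyMode::PEER for openssl, add_root_certificate for reqwest) and is expected to produce no findings. The scanner uses only the standard library, so it compiles with rustc alone.

```rust
// Added example: a simplified detector for the "verification disabled" idioms
// across openssl, reqwest and rustls. It is NOT the implementation of
// rust.tls.ssl_verify_disabled; the pattern list is an assumption about what
// such a rule looks for, and the sample sources below are constructed.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Confidence {
    /// The call unambiguously turns off certificate or hostname checks.
    High,
    /// A custom verify callback may or may not discard the verification
    /// result; it needs a human look.
    Review,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub line: usize,
    pub crate_name: &'static str,
    pub pattern: &'static str,
    pub confidence: Confidence,
}

// (crate, textual idiom after whitespace removal, confidence)
const PATTERNS: &[(&str, &str, Confidence)] = &[
    ("openssl", "SslVerifyMode::NONE", Confidence::High),
    ("openssl", "set_verify_callback(", Confidence::Review),
    ("reqwest", "danger_accept_invalid_certs(true)", Confidence::High),
    ("reqwest", "danger_accept_invalid_hostnames(true)", Confidence::High),
    ("rustls", ".dangerous()", Confidence::High),
];

/// Scan Rust source text line by line and report every weakening idiom.
/// Line comments are dropped so commented-out code is not reported, and
/// whitespace is removed so `set_verify( SslVerifyMode :: NONE )` still matches.
pub fn scan(source: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (idx, raw) in source.lines().enumerate() {
        // Simplification: a `//` inside a string literal (e.g. "https://") also
        // truncates the line; acceptable for a demonstration.
        let code = match raw.find("//") {
            Some(pos) => &raw[..pos],
            None => raw,
        };
        let compact: String = code.split_whitespace().collect();
        for &(crate_name, pattern, confidence) in PATTERNS {
            if compact.contains(pattern) {
                findings.push(Finding { line: idx + 1, crate_name, pattern, confidence });
            }
        }
    }
    findings
}

/// Constructed sample: three ways of switching verification off.
pub const VULNERABLE: &str = r#"
fn bad_openssl_verify_none() {
    let mut builder = SslConnector::builder(SslMethod::tls()).unwrap();
    builder.set_verify(openssl::ssl::SslVerifyMode::NONE);
}
fn bad_reqwest() -> reqwest::Client {
    reqwest::Client::builder()
        .danger_accept_invalid_certs(true) // "only for staging"
        .build().unwrap()
}
fn bad_rustls(config: &mut rustls::ClientConfig, v: std::sync::Arc<AcceptAnything>) {
    config.dangerous().set_certificate_verifier(v);
}
"#;

/// Constructed sample of the remediation: keep verification on and trust the
/// private CA explicitly instead of trusting everything.
pub const HARDENED: &str = r#"
fn good_openssl(ca_bundle: &str) -> SslConnector {
    let mut builder = SslConnector::builder(SslMethod::tls()).unwrap();
    builder.set_ca_file(ca_bundle).unwrap();
    builder.set_verify(openssl::ssl::SslVerifyMode::PEER);
    builder.build()
}
fn good_reqwest(ca_pem: &[u8]) -> reqwest::Client {
    let ca = reqwest::Certificate::from_pem(ca_pem).unwrap();
    reqwest::Client::builder().add_root_certificate(ca).build().unwrap()
}
"#;

fn main() {
    for (name, src) in [("vulnerable", VULNERABLE), ("hardened", HARDENED)] {
        let findings = scan(src);
        println!("{name}: {} finding(s)", findings.len());
        for f in &findings {
            println!("  line {}: {} via {} [{:?}]", f.line, f.crate_name, f.pattern, f.confidence);
        }
    }
}
```

Running it reports three High findings for the vulnerable sample (lines 4, 8 and 12: openssl, reqwest, rustls) and none for the hardened one; a call to set_verify_callback is reported at Review confidence because whether it weakens verification depends on what the closure returns, which a textual match cannot decide.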
References
- OWASP Top 10 2021 - A02: Cryptographic Failures
- OWASP Top 10 2021 - A07: Identification and Authentication Failures
- https://docs.rs/openssl/latest/openssl/ssl/struct.SslVerifyMode.html
- https://docs.rs/rustls/latest/rustls/client/struct.DangerousClientConfig.html
- https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html