Create rule S4830: Server certificates should be verified during SSL/TLS connections (#4662)
* Add go to rule S4830 * Add examples * Improve examples * Update rules/S4830/go/rule.adoc Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com> --------- Co-authored-by: teemu-rytilahti-sonarsource <teemu-rytilahti-sonarsource@users.noreply.github.com> Co-authored-by: Teemu Rytilahti <teemu.rytilahti@sonarsource.com> Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>
This commit is contained in:
github-actions[bot]
GitHub
parent
d22236c056
commit
a2320f1b8d
2
rules/S4830/go/metadata.json
Normal file
2
rules/S4830/go/metadata.json
Normal file
@ -0,0 +1,2 @@
|
||||
{
|
||||
}
|
||||
86
rules/S4830/go/rule.adoc
Normal file
86
rules/S4830/go/rule.adoc
Normal file
@ -0,0 +1,86 @@
|
||||
include::../summary.adoc[]
|
||||
|
||||
== Why is this an issue?
|
||||
|
||||
include::../rationale.adoc[]
|
||||
|
||||
include::../impact.adoc[]
|
||||
|
||||
== How to fix it
|
||||
|
||||
=== Code examples
|
||||
|
||||
include::../common/fix/code-rationale.adoc[]
|
||||
|
||||
==== Noncompliant code example
|
||||
|
||||
It is strongly recommended to avoid using `++InsecureSkipVerify++` to skip the certificate checks. +
|
||||
|
||||
[source,go,diff-id=1,diff-type=noncompliant]
|
||||
----
|
||||
conf := &tls.Config{
|
||||
InsecureSkipVerify: true, // Noncompliant
|
||||
}
|
||||
----
|
||||
|
||||
If additional checks are implemented using `++VerifyPeerCertificate++` or `++VerifyConnection++`, they must return an error on some conditions.
|
||||
|
||||
[source,go,diff-id=2,diff-type=noncompliant]
|
||||
----
|
||||
conf := &tls.Config{
|
||||
VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
|
||||
return nil // Noncompliant: function never errors
|
||||
},
|
||||
}
|
||||
----
|
||||
|
||||
==== Compliant solution
|
||||
|
||||
The recommended solution to let `crypto/tls` verify the certificate. +
|
||||
|
||||
[source,go,diff-id=1,diff-type=compliant]
|
||||
----
|
||||
conf := &tls.Config{
|
||||
InsecureSkipVerify: false,
|
||||
}
|
||||
----
|
||||
|
||||
If additional checks are implemented using `++VerifyPeerCertificate++` or `++VerifyConnection++`, they must return an error on some conditions.
|
||||
|
||||
[source,go,diff-id=2,diff-type=compliant]
|
||||
----
|
||||
conf := &tls.Config{
|
||||
VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
|
||||
if len(rawCerts) > 1 {
|
||||
return fmt.Errorf("Server sent more than 2 certs")
|
||||
}
|
||||
return nil
|
||||
},
|
||||
}
|
||||
----
|
||||
|
||||
=== How does this work?
|
||||
|
||||
include::../common/fix/validation.adoc[]
|
||||
|
||||
|
||||
== Resources
|
||||
|
||||
include::../common/resources/standards.adoc[]
|
||||
|
||||
ifdef::env-github,rspecator-view[]
|
||||
|
||||
'''
|
||||
== Implementation Specification
|
||||
(visible only on this page)
|
||||
|
||||
include::../message.adoc[]
|
||||
|
||||
'''
|
||||
== Comments And Links
|
||||
(visible only on this page)
|
||||
|
||||
include::../comments-and-links.adoc[]
|
||||
|
||||
endif::env-github,rspecator-view[]
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user