To establish a SSL/TLS connection not vulnerable to man-in-the-middle attacks, it’s essential to make sure the server presents the right certificate.

The certificate’s hostname-specific data should match the server hostname.

It’s not recommended to re-invent the wheel by implementing custom hostname verification.

TLS/SSL libraries provide built-in hostname verification functions that should be used.

Noncompliant Code Example

When using the okhttp library, a custom unsecure hostname verifier accepting every hostname is used:

val builder = OkHttpClient.Builder()
builder.hostnameVerifier(object : HostnameVerifier {
  override fun verify(hostname: String?, session: SSLSession?): Boolean {
    return true // Noncompliant (s5527)
  }
})

Compliant Solution

When using the okhttp library, if hostnameVerifier method is not used to set a verifier, then a built-in secure one will be used:

val builder = OkHttpClient.Builder()

See

• OWASP Top 10 2021 Category A2 - Cryptographic Failures
• OWASP Top 10 2021 Category A5 - Security Misconfiguration
• OWASP Top 10 2021 Category A7 - Identification and Authentication Failures
• OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
• OWASP Top 10 2017 Category A6 - Security Misconfiguration
• Mobile AppSec Verification Standard - Network Communication Requirements
• OWASP Mobile Top 10 2016 Category M3 - Insecure Communication
• MITRE, CWE-297 - Improper Validation of Certificate with Host Mismatch