Validation of X.509 certificates is essential to create secure SSL/TLS sessions not vulnerable to man-in-the-middle attacks.

The certificate chain validation includes these steps:

• The certificate is issued by its parent Certificate Authority or the root CA trusted by the system.
• Each CA is allowed to issue certificates.
• Each certificate in the chain is not expired.

It’s not recommended to reinvent the wheel by implementing custom certificate chain validation.

TLS libraries provide built-in certificate validation functions that should be used.

Noncompliant Code Example

ServicePointManager.ServerCertificateValidationCallback +=
    (sender, certificate, chain, errors) => {
        return true; // Noncompliant: trust all certificates
    };

Compliant Solution

ServicePointManager.ServerCertificateValidationCallback +=
    (sender, certificate, chain, errors) =>
    {
        if (development) return true; // for development, trust all certificates
        return errors == SslPolicyErrors.None
            && validCerts.Contains(certificate.GetCertHashString()); // Compliant: trust only some certificates
    };

See

• OWASP Top 10 2021 Category A2 - Cryptographic Failures
• OWASP Top 10 2021 Category A5 - Security Misconfiguration
• OWASP Top 10 2021 Category A7 - Identification and Authentication Failures
• OWASP Top 10 2017 Category A3 - Sensitive Data Exposure
• OWASP Top 10 2017 Category A6 - Security Misconfiguration
• Mobile AppSec Verification Standard - Network Communication Requirements
• OWASP Mobile Top 10 2016 Category M3 - Insecure Communication
• MITRE, CWE-295 - Improper Certificate Validation