---
title: "CA5399: Definitely disable HttpClient certificate revocation list check (code analysis)"
description: "Provides information about code analysis rule CA5399, including causes, how to fix violations, and when to suppress it."
ms.date: 05/18/2020
author: LLLXXXCCC
ms.author: linche
f1_keywords:
- CA5399
---

# CA5399: Enable HttpClient certificate revocation list check

| Property | Value |
|-|-|
| **Rule ID** | CA5399 |
| **Title** | Enable HttpClient certificate revocation list check |
| **Category** | Security |
| **Fix is breaking or non-breaking** | Non-breaking |
| **Enabled by default in .NET 8** | No |

## Cause

Using <xref:System.Net.Http.HttpClient?displayProperty=fullName> while providing a platform-specific handler (<xref:System.Net.Http.WinHttpHandler?displayProperty=fullName> or <xref:System.Net.Http.HttpClientHandler?displayProperty=fullName>) whose `CheckCertificateRevocationList` property is not set to `true` will allow revoked certificates to be accepted by the <xref:System.Net.Http.HttpClient> as valid.

This rule is similar to CA5400, but analysis can determine that the `CheckCertificateRevocationList` property is definitely `false` or not set.

## Rule description

A revoked certificate is no longer trusted. If revocation is not checked, an attacker who holds such a certificate could use it in HTTPS communication to pass malicious data to the client or to steal sensitive data.

## How to fix violations

Set the <xref:System.Net.Http.HttpClientHandler.CheckCertificateRevocationList?displayProperty=fullName> property to `true` explicitly. If the <xref:System.Net.Http.HttpClientHandler.CheckCertificateRevocationList> property is unavailable, upgrade your target framework.

## When to suppress warnings

Do not suppress this rule.

## Configure code to analyze

Use the following options to configure which parts of your codebase to run this rule on.

You can configure these options for just this rule, for all rules it applies to, or for all rules in this category (Security) that it applies to. For more information, see Code quality rule configuration options.

[!INCLUDEexcluded-symbol-names]

[!INCLUDEexcluded-type-names-with-derived-types]

## Pseudo-code examples

```csharp
using System.Net.Http;

class ExampleClass
{
    void ExampleMethod()
    {
        WinHttpHandler winHttpHandler = new WinHttpHandler();
        // Violation: revocation checking is explicitly disabled, so a revoked
        // server certificate is still accepted as valid.
        winHttpHandler.CheckCertificateRevocationList = false;
        HttpClient httpClient = new HttpClient(winHttpHandler);
    }
}
```

### Solution

```csharp
using System.Net.Http;

class ExampleClass
{
    void ExampleMethod()
    {
        WinHttpHandler winHttpHandler = new WinHttpHandler();
        // Fixed: revocation checking is explicitly enabled, so a revoked
        // server certificate fails TLS validation.
        winHttpHandler.CheckCertificateRevocationList = true;
        HttpClient httpClient = new HttpClient(winHttpHandler);
    }
}
```
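As an added example that is not part of this rule's documentation, the same fix applied to the cross-platform `HttpClientHandler`, with a server certificate validation callback that records the chain status (including the revocation-related flags) before rejecting the connection, so revoked or unverifiable certificates show up in logs rather than failing silently. The class name and the `log` delegate are assumptions for this example.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the CA5399 docs): builds an HttpClient that definitely
// checks revocation and logs why a TLS handshake was rejected.
static class HardenedHttpClientFactory
{
    // Chain status flags that mean the revocation check failed or could not be
    // completed; these are reported via SslPolicyErrors.RemoteCertificateChainErrors.
    private const X509ChainStatusFlags RevocationFlags =
        X509ChainStatusFlags.Revoked
        | X509ChainStatusFlags.RevocationStatusUnknown
        | X509ChainStatusFlags.OfflineRevocation;

    // "log" is an assumed caller-supplied sink, e.g. a logger's Warning method.
    public static HttpClient Create(Action<string> log)
    {
        var handler = new HttpClientHandler
        {
            // The default is false; CA5399 requires an explicit true.
            CheckCertificateRevocationList = true,
        };

        handler.ServerCertificateCustomValidationCallback =
            (request, certificate, chain, sslPolicyErrors) =>
            {
                if (sslPolicyErrors == SslPolicyErrors.None)
                {
                    return true;
                }

                string host = request.RequestUri?.Host ?? "<unknown host>";
                foreach (X509ChainStatus status in chain?.ChainStatus ?? Array.Empty<X509ChainStatus>())
                {
                    string kind = (status.Status & RevocationFlags) != 0 ? "revocation" : "chain";
                    log($"TLS {kind} check failed for {host}: {status.Status} {status.StatusInformation?.Trim()}");
                }

                // Always reject: the callback adds observability only and never
                // overrides the validation result.
                return false;
            };

        return new HttpClient(handler);
    }
}
```

A request to a server presenting a revoked certificate still fails with `HttpRequestException` exactly as it would without the callback; the callback only adds the log line that makes the failure attributable.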