---
title: "CA5399: Definitely disable HttpClient certificate revocation list check (code analysis)"
description: Provides information about code analysis rule CA5399, including causes, how to fix violations, and when to suppress it.
ms.date: 05/18/2020
author: LLLXXXCCC
ms.author: linche
f1_keywords:
---
Property | Value
---|---
Rule ID | CA5399
Title | Enable HttpClient certificate revocation list check
Category | Security
Fix is breaking or non-breaking | Non-breaking
Enabled by default in .NET 8 | No
Using <xref:System.Net.Http.HttpClient?displayProperty=fullName> while providing a platform-specific handler (<xref:System.Net.Http.WinHttpHandler?displayProperty=fullName> or <xref:System.Net.Http.HttpClientHandler?displayProperty=fullName>) whose `CheckCertificateRevocationList` property is not set to `true` will allow revoked certificates to be accepted by the <xref:System.Net.Http.HttpClient> as valid.

This rule is similar to CA5400, but analysis can determine that the `CheckCertificateRevocationList` property is definitely `false` or not set.

A revoked certificate is no longer trusted. An attacker holding one could use it to inject malicious data into, or steal sensitive data from, HTTPS communication.
Set the <xref:System.Net.Http.HttpClientHandler.CheckCertificateRevocationList?displayProperty=fullName> property to `true` explicitly. If the <xref:System.Net.Http.HttpClientHandler.CheckCertificateRevocationList> property is unavailable, you need to upgrade your target framework.
Do not suppress this rule.
Use the following options to configure which parts of your codebase to run this rule on.
You can configure these options for just this rule, for all rules it applies to, or for all rules in this category (Security) that it applies to. For more information, see Code quality rule configuration options.
[!INCLUDEexcluded-symbol-names]
[!INCLUDEexcluded-type-names-with-derived-types]
Violation:

```csharp
using System.Net.Http;

class ExampleClass
{
    void ExampleMethod()
    {
        WinHttpHandler winHttpHandler = new WinHttpHandler();
        winHttpHandler.CheckCertificateRevocationList = false;
        HttpClient httpClient = new HttpClient(winHttpHandler);
    }
}
```

Solution:

```csharp
using System.Net.Http;

class ExampleClass
{
    void ExampleMethod()
    {
        WinHttpHandler winHttpHandler = new WinHttpHandler();
        winHttpHandler.CheckCertificateRevocationList = true;
        HttpClient httpClient = new HttpClient(winHttpHandler);
    }
}
```
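The same fix applied to the cross-platform `HttpClientHandler`, as an added example that is not part of this page or of the .NET docs: the handler checks revocation, and a validation callback (the `RevocationAwareClient` and `Validate` names are my own) logs why a chain was rejected while still refusing the connection.

```csharp
// Added example (not from the CA5399 page): HttpClientHandler with revocation checking on,
// plus a callback that explains revocation-related chain failures without weakening validation.
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class RevocationAwareClient
{
    // Returns an HttpClient whose handler checks the CRL/OCSP status of the server chain.
    // Setting CheckCertificateRevocationList = true is the CA5399 fix; the callback only
    // adds diagnostics and still rejects any chain that failed default validation.
    public static HttpClient Create(Action<string> log)
    {
        var handler = new HttpClientHandler
        {
            CheckCertificateRevocationList = true, // CA5399: must be explicitly true
            ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
                Validate(request.RequestUri, chain, errors, log)
        };
        return new HttpClient(handler);
    }

    // Accepts only chains with no policy errors; describes revocation-related failures.
    public static bool Validate(Uri uri, X509Chain chain, SslPolicyErrors errors, Action<string> log)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        var statuses = chain?.ChainStatus ?? Array.Empty<X509ChainStatus>();
        bool revoked = statuses.Any(s => s.Status.HasFlag(X509ChainStatusFlags.Revoked));
        bool unknown = statuses.Any(s =>
            s.Status.HasFlag(X509ChainStatusFlags.RevocationStatusUnknown) ||
            s.Status.HasFlag(X509ChainStatusFlags.OfflineRevocation));

        string reason = revoked ? "certificate revoked"
                      : unknown ? "revocation status could not be determined (CRL/OCSP unreachable)"
                      : errors.ToString();
        log($"TLS validation failed for {uri?.Host}: {reason}");
        return false; // never accept a chain that failed validation
    }
}
```

If the CRL or OCSP endpoint is unreachable, the chain reports `RevocationStatusUnknown` and the connection is rejected as well; restore access to the revocation endpoints rather than returning `true` from the callback.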