---
title: "CA5400: Ensure HttpClient certificate revocation list check is not disabled (code analysis)"
description: Provides information about code analysis rule CA5400, including causes, how to fix violations, and when to suppress it.
ms.date: 05/18/2020
author: LLLXXXCCC
ms.author: linche
f1_keywords:
  - CA5400
---

# CA5400: Ensure HttpClient certificate revocation list check is not disabled

| Property                            | Value                                                               |
|-------------------------------------|---------------------------------------------------------------------|
| **Rule ID**                         | CA5400                                                              |
| **Title**                           | Ensure HttpClient certificate revocation list check is not disabled |
| **Category**                        | Security                                                            |
| **Fix is breaking or non-breaking** | Non-breaking                                                        |
| **Enabled by default in .NET 8**    | No                                                                  |

## Cause

Using <xref:System.Net.Http.HttpClient?displayProperty=fullName> while providing a platform-specific handler (<xref:System.Net.Http.WinHttpHandler?displayProperty=fullName> or <xref:System.Net.Http.HttpClientHandler?displayProperty=fullName>) whose `CheckCertificateRevocationList` property is possibly set to `false` will allow revoked certificates to be accepted by the <xref:System.Net.Http.HttpClient> as valid.

This rule is similar to CA5399, but here the analysis can't determine whether the `CheckCertificateRevocationList` property is definitely `false` or definitely not set.

## Rule description

A revoked certificate is no longer trusted. An attacker holding one could use it to inject malicious data into, or steal sensitive data from, HTTPS communication.

## How to fix violations

Set the <xref:System.Net.Http.HttpClientHandler.CheckCertificateRevocationList?displayProperty=fullName> property to `true` explicitly. If the <xref:System.Net.Http.HttpClientHandler.CheckCertificateRevocationList> property is unavailable, you need to upgrade your target framework.

## When to suppress warnings

It's safe to suppress this rule if you're sure that the `CheckCertificateRevocationList` property is set to `true` on every path that reaches the `HttpClient` constructor.

### Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

```csharp
#pragma warning disable CA5400
// The code that's violating the rule is on this line.
#pragma warning restore CA5400
```

To disable the rule for a file, folder, or project, set its severity to `none` in the [configuration file](../configuration-files.md).

```ini
[*.{cs,vb}]
dotnet_diagnostic.CA5400.severity = none
```

For more information, see How to suppress code analysis warnings.

## Configure code to analyze

Use the following options to configure which parts of your codebase to run this rule on.

You can configure this option for just this rule, for all rules it applies to, or for all rules in this category (Security) that it applies to. For more information, see Code quality rule configuration options.

[!INCLUDEexcluded-symbol-names]

[!INCLUDEexcluded-type-names-with-derived-types]

## Pseudo-code examples

```csharp
using System;
using System.Net.Http;

class ExampleClass
{
    void ExampleMethod(bool checkCertificateRevocationList)
    {
        WinHttpHandler winHttpHandler = new WinHttpHandler();
        // The value comes from a parameter, so it may be false.
        winHttpHandler.CheckCertificateRevocationList = checkCertificateRevocationList;
        Random r = new Random();

        // Only one branch forces the check on; the analyzer can't prove it runs.
        if (r.Next(6) == 4)
        {
            winHttpHandler.CheckCertificateRevocationList = true;
        }

        // CA5400: the handler's CheckCertificateRevocationList is possibly false here.
        HttpClient httpClient = new HttpClient(winHttpHandler);
    }
}
```

### Solution

```csharp
using System.Net.Http;

class ExampleClass
{
    void ExampleMethod()
    {
        WinHttpHandler winHttpHandler = new WinHttpHandler();
        // Set unconditionally, so every path into the HttpClient constructor has the check enabled.
        winHttpHandler.CheckCertificateRevocationList = true;
        HttpClient httpClient = new HttpClient(winHttpHandler);
    }
}
```
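As an added example that is not part of the rule documentation, the following factory applies the same fix to <xref:System.Net.Http.HttpClientHandler> (the cross-platform handler the rule also covers) and pairs it with a server-certificate validation callback that records why a chain was rejected, so a revoked certificate, or a revocation endpoint that could not be reached, shows up in the logs instead of failing silently. `RevocationCheckedClient` and `ValidateServerCertificate` are names chosen here, and the code assumes a target framework on which `CheckCertificateRevocationList` is available.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class RevocationCheckedClient
{
    // Builds an HttpClient whose handler always has revocation checking enabled.
    // The property is set unconditionally, so neither CA5399 nor CA5400 can fire.
    public static HttpClient Create()
    {
        var handler = new HttpClientHandler
        {
            CheckCertificateRevocationList = true,
            ServerCertificateCustomValidationCallback = ValidateServerCertificate
        };
        return new HttpClient(handler);
    }

    // Signature matches HttpClientHandler.ServerCertificateCustomValidationCallback.
    // It keeps the default decision (reject on any policy error) and only adds logging.
    static bool ValidateServerCertificate(HttpRequestMessage request, X509Certificate2? certificate,
        X509Chain? chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
        {
            return true;
        }

        string host = request.RequestUri?.Host ?? "<unknown host>";
        // With CheckCertificateRevocationList = true, a revoked certificate, or one whose
        // revocation status could not be retrieved, surfaces as a chain status entry.
        foreach (X509ChainStatus status in chain?.ChainStatus ?? Array.Empty<X509ChainStatus>())
        {
            if (status.Status.HasFlag(X509ChainStatusFlags.Revoked))
            {
                Console.Error.WriteLine($"Rejected {host}: certificate revoked ({status.StatusInformation.Trim()})");
            }
            else if (status.Status.HasFlag(X509ChainStatusFlags.RevocationStatusUnknown)
                     || status.Status.HasFlag(X509ChainStatusFlags.OfflineRevocation))
            {
                Console.Error.WriteLine($"Rejected {host}: revocation status unavailable ({status.Status})");
            }
            else
            {
                Console.Error.WriteLine($"Rejected {host}: chain error {status.Status}");
            }
        }
        // Never return true to bypass a revocation failure; that would reintroduce the risk.
        return false;
    }
}
```

Because the callback returns `false` for every non-`None` policy error, its behaviour is the same as having no callback at all; the only addition is that the specific chain status is written to the error stream for incident review.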