CodeQL documentation

Certificate not checked

ID: cpp/certificate-not-checked
Kind: problem
Security severity: 7.5
Severity: error
Precision: medium
   - security
   - external/cwe/cwe-295
Query suites:
   - cpp-security-extended.qls
   - cpp-security-and-quality.qls

Click to see the query in the CodeQL repository

After fetching an SSL certificate, always check the result of certificate verification.


Always check the result of SSL certificate verification. A certificate that has been revoked may indicate that data is coming from an attacker, whereas a certificate that has expired or was self-signed may indicate an increased likelihood that the data is malicious.


In this example, the SSL_get_peer_certificate function is used to get the certificate of a peer. However it is unsafe to use that information without checking if the certificate is valid.

// ...

X509 *cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is never called)

// ...

In the corrected example, we use SSL_get_verify_result to check that certificate verification was successful.

// ...

X509 *cert = SSL_get_peer_certificate(ssl); // GOOD
if (cert)
	result = SSL_get_verify_result(ssl);
	if (result == X509_V_OK)
		// ...


  • Common Weakness Enumeration: CWE-295.

  • © GitHub, Inc.
  • Terms
  • Privacy