Disabled TLS certificate check
ID: rust/disabled-certificate-check
Kind: path-problem
Security severity: 7.5
Severity: warning
Precision: high
Tags:
- security
- external/cwe/cwe-295
Query suites:
- rust-code-scanning.qls
- rust-security-extended.qls
- rust-security-and-quality.qls
The danger_accept_invalid_certs option on TLS connectors and HTTP clients controls whether certificate verification is performed. If this option is set to true, the client will accept any certificate, making it susceptible to man-in-the-middle attacks.
Similarly, the danger_accept_invalid_hostnames option controls whether hostname verification is performed. If this option is set to true, the client will accept any valid certificate regardless of the site that certificate is for, again making it susceptible to man-in-the-middle attacks.
Recommendation
Do not set danger_accept_invalid_certs or danger_accept_invalid_hostnames to true, except in controlled environments such as tests. In production, always ensure certificate and hostname verification is enabled to prevent security risks.
Example
The following code snippet shows a function that creates an HTTP client with certificate verification disabled:
// BAD: Disabling certificate validation in Rust
let _client = reqwest::Client::builder()
    .danger_accept_invalid_certs(true) // disables certificate validation
    .build()
    .unwrap();
In production code, always configure clients to verify certificates:
// GOOD: Certificate validation is enabled (default)
let _client = reqwest::Client::builder()
    .danger_accept_invalid_certs(false) // certificate validation enabled explicitly
    .build()
    .unwrap();

let _client = native_tls::TlsConnector::builder() // certificate validation enabled by default
    .build()
    .unwrap();
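For a quick review pass over Rust sources, the following std-only sketch flags calls to the two options described above. It is an added example, not the CodeQL query or code from the original page: it matches text line by line and does not track data flow, so a non-literal argument is reported for manual review. The names scan, argument, Finding, Verdict and the SAMPLE input are constructed for this illustration.

```rust
// Added example: a text-level approximation of this check, not the CodeQL query.
const OPTIONS: [&str; 2] = ["danger_accept_invalid_certs", "danger_accept_invalid_hostnames"];

#[derive(Debug, PartialEq)]
enum Verdict { Disabled, NeedsReview }
#[derive(Debug, PartialEq)]
struct Finding { line: usize, option: &'static str, verdict: Verdict }

/// Text between the parentheses that follow an option name, if it is a call.
/// A call whose `)` is on a later line yields a partial argument (so: review).
fn argument(after_name: &str) -> Option<&str> {
    let args = after_name.trim_start().strip_prefix('(')?;
    Some(args[..args.find(')').unwrap_or(args.len())].trim())
}

/// Flag calls that pass `true` (verification off) or a non-literal value.
fn scan(source: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (idx, raw) in source.lines().enumerate() {
        // Drop `//` comments (limitation: also cuts at `//` inside a string literal).
        let code = raw.split("//").next().unwrap_or("");
        for &option in OPTIONS.iter() {
            let mut rest = code;
            while let Some(pos) = rest.find(option) {
                rest = &rest[pos + option.len()..];
                let verdict = match argument(rest) {
                    None | Some("false") => continue, // not a call, or verification left on
                    Some("true") => Verdict::Disabled,
                    Some(_) => Verdict::NeedsReview,
                };
                findings.push(Finding { line: idx + 1, option, verdict });
            }
        }
    }
    findings
}

// Constructed sample input; line 1 is the empty line after the opening quote.
const SAMPLE: &str = r#"
let a = reqwest::Client::builder().danger_accept_invalid_certs(true).build();
// .danger_accept_invalid_hostnames(true)
let b = native_tls::TlsConnector::builder()
    .danger_accept_invalid_certs(false)
    .danger_accept_invalid_hostnames(insecure)
    .build();
"#;
fn main() {
    for f in scan(SAMPLE) { println!("line {}: {} -> {:?}", f.line, f.option, f.verdict); }
}
```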
References
Rust native-tls crate: TlsConnectorBuilder.
Rust reqwest crate: ClientBuilder.
SSL.com: Browsers and Certificate Validation.
Common Weakness Enumeration: CWE-295.