2021年11月25日 星期四

[研究]Fortify SCA報告Insecure SSL: Server Identity Verification Disabled

[研究]Fortify SCA報告Insecure SSL: Server Identity Verification Disabled

2021-11-24

環境:Visual Studio 2022 + C# + ASP.NET + WebForm

Default.aspx


/// <summary>
/// The pattern Fortify SCA reports as "Insecure SSL: Server Identity Verification Disabled":
/// the validation callback returns true for every certificate, so a certificate that is
/// self-signed, expired or issued for another host name is accepted without any check.
/// </summary>
/// <param name="sender">Page raising the Load event (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Page_Load(object sender, EventArgs e)
{
    // ServerCertificateValidationCallback is a static property, so the replacement is
    // process-wide: every later HTTPS connection made through ServicePointManager in this
    // worker process goes through the same accept-everything callback.
    ServicePointManager.ServerCertificateValidationCallback =
        delegate (object s, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
        {
            // sslPolicyErrors is never consulted; that is what the scanner objects to.
            return true;
        };

    // Builds the request object only; nothing is sent at this point.
    HttpWebRequest request = (HttpWebRequest)System.Net.WebRequest.Create("http://cdn.thu.edu.tw/");
}


/// <summary>
/// Same finding as the inline delegate, with the accept-everything check moved into the
/// named method <see cref="CertificateCheck"/>; this page lists it among the snippets
/// the scanner reports on.
/// </summary>
/// <param name="sender">Page raising the Load event (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Page_Load(object sender, EventArgs e)
{
    // Explicit delegate construction (equivalent to the method-group assignment). The
    // property is static, so the callback applies to the whole process, not just this page.
    ServicePointManager.ServerCertificateValidationCallback =
        new RemoteCertificateValidationCallback(CertificateCheck);

    // Builds the request object only; nothing is sent at this point.
    var request = (HttpWebRequest)System.Net.WebRequest.Create("http://cdn.thu.edu.tw/");
}
/// <summary>
/// Validation callback that accepts every server certificate. All four parameters are
/// ignored, in particular <paramref name="sslPolicyErrors"/>, so chain, expiry and
/// host-name errors never reject a connection — the behaviour Fortify flags.
/// </summary>
/// <param name="sender">Object requesting validation (unused).</param>
/// <param name="certificate">Certificate presented by the server (unused).</param>
/// <param name="chain">Chain built for the certificate (unused).</param>
/// <param name="sslPolicyErrors">Errors found by platform validation (unused).</param>
/// <returns>Always true.</returns>
private static bool CertificateCheck(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    => true;

用 Micro Focus Fortify SCA ( Static Code Analyzer ) 21.1.2 掃描有 Insecure SSL: Server Identity Verification Disabled 問題。

主要問題是 SSL 連線時(連上 HTTPS 網站、Mail Client 和 SMTP Server 用 SSL 通訊、其他)沒有檢查伺服器憑證,或檢查沒通過(自簽憑證、過期、其他);因為內部連線一般不會付費買商用憑證來用,所以只好想辦法避過檢查。要注意的是,callback 回傳 true 就等於完全不驗證伺服器身分,任何憑證都會被接受,連線也就失去了對中間人攻擊的防護;比較安全的做法是把內部 CA 或自簽憑證加入信任的根憑證存放區,或在 callback 裡只接受 sslPolicyErrors == SslPolicyErrors.None(或比對已知的憑證指紋)的情況。

********************************************************************************

解決方法


/// <summary>
/// Wires <see cref="CertificateCheck"/> in as the process-wide server certificate validator.
/// Whether HTTPS connections are actually protected depends only on what that method
/// returns: it has to reject the certificate whenever <c>sslPolicyErrors</c> is not <c>None</c>.
/// </summary>
/// <param name="sender">Page raising the Load event (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Page_Load(object sender, EventArgs e)
{
    RemoteCertificateValidationCallback validator = CertificateCheck;
    // Static property: replaces the validator for every ServicePoint in the process.
    ServicePointManager.ServerCertificateValidationCallback = validator;

    // Creating the request opens no connection; the callback only runs when an HTTPS
    // connection is actually established (this sample URL is plain http).
    var request = (HttpWebRequest)System.Net.WebRequest.Create("http://cdn.thu.edu.tw/");
}
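/// <summary>
/// Server certificate validation callback. Accepts the certificate only when the platform
/// validation reported no error (chain, expiry, host-name mismatch, missing certificate).
/// </summary>
/// <param name="sender">Object requesting validation (unused).</param>
/// <param name="certificate">Certificate presented by the remote server; not dereferenced here, so a null value is safe.</param>
/// <param name="chain">Chain built for the certificate (unused; inspect it if a specific internal CA must be allowed).</param>
/// <param name="sslPolicyErrors">Errors found by the platform validation.</param>
/// <returns>true when validation found no error; false otherwise, which aborts the TLS handshake.</returns>
private static bool CertificateCheck(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    // The previous body returned !certificate.Issuer.Equals("解決"), which is true for every
    // real certificate (and threw on a null certificate): it hid the Fortify finding without
    // restoring validation. For an internal self-signed or private-CA certificate, do not
    // relax this check; install the CA in the machine's trusted root store, or compare the
    // thumbprint against a known value, so that sslPolicyErrors becomes None.
    return sslPolicyErrors == SslPolicyErrors.None;
}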


/// <summary>
/// Installs <see cref="CertificateCheck"/> — the reject-everything variant — as the
/// process-wide server certificate validator.
/// </summary>
/// <param name="sender">Page raising the Load event (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Page_Load(object sender, EventArgs e)
{
    var rejectAll = new RemoteCertificateValidationCallback(CertificateCheck);
    // Static property: from here on every HTTPS handshake in the process is refused.
    ServicePointManager.ServerCertificateValidationCallback = rejectAll;

    // Builds the request object only; nothing is sent at this point.
    HttpWebRequest request = (HttpWebRequest)System.Net.WebRequest.Create("http://cdn.thu.edu.tw/");
}
/// <summary>
/// Validation callback that rejects every server certificate, valid ones included, so no
/// HTTPS connection made through ServicePointManager can complete its handshake. The page
/// lists it under the fix section, presumably because the scanner no longer reports it,
/// but it is not a usable configuration.
/// </summary>
/// <param name="sender">Object requesting validation (unused).</param>
/// <param name="certificate">Certificate presented by the server (unused).</param>
/// <param name="chain">Chain built for the certificate (unused).</param>
/// <param name="sslPolicyErrors">Errors found by platform validation (unused).</param>
/// <returns>Always false.</returns>
private static bool CertificateCheck(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    => false;

********************************************************************************


using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace WebApplication20
{
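    /// <summary>
    /// Code-behind collecting the callback variants discussed on this page. The first three
    /// are kept as samples (two accept everything, one rejects everything);
    /// <see cref="CertificateCheck3"/> is the corrected variant that actually validates the
    /// server certificate instead of hiding the scanner finding.
    /// </summary>
    public partial class Default3 : System.Web.UI.Page
    {
        /// <summary>
        /// Assigns each validator in turn. ServerCertificateValidationCallback is a static
        /// property, so every assignment replaces the previous one for the whole process; only
        /// the last one, <see cref="CertificateCheck3"/>, is in effect by the time any request is
        /// sent. WebRequest.Create only builds the request objects — nothing is sent here.
        /// </summary>
        /// <param name="sender">Page raising the Load event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void Page_Load(object sender, EventArgs e)
        {
            // Variant 1: inline delegate that accepts everything — the reported finding.
            System.Net.ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
            HttpWebRequest request1 = (HttpWebRequest)System.Net.WebRequest.Create("http://cdn.thu.edu.tw/");

            // Variant 2: the same accept-everything check as a named method (presumably reported the same way).
            System.Net.ServicePointManager.ServerCertificateValidationCallback = CertificateCheck;
            HttpWebRequest request2 = (HttpWebRequest)System.Net.WebRequest.Create("http://cdn.thu.edu.tw/");

            // Variant 3: rejects everything — no HTTPS handshake can succeed while it is installed.
            System.Net.ServicePointManager.ServerCertificateValidationCallback = CertificateCheck2;
            HttpWebRequest request3 = (HttpWebRequest)System.Net.WebRequest.Create("http://cdn.thu.edu.tw/");

            // Variant 4: real validation driven by sslPolicyErrors.
            System.Net.ServicePointManager.ServerCertificateValidationCallback = CertificateCheck3;
            HttpWebRequest request4 = (HttpWebRequest)System.Net.WebRequest.Create("http://cdn.thu.edu.tw/");
        }

        /// <summary>
        /// Accepts every certificate; <paramref name="sslPolicyErrors"/> is ignored, so chain,
        /// expiry and host-name errors never reject a connection. Insecure sample.
        /// </summary>
        /// <returns>Always true.</returns>
        private static bool CertificateCheck(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            return true;
        }

        /// <summary>
        /// Rejects every certificate, valid ones included. Sample only — not usable in practice.
        /// </summary>
        /// <returns>Always false.</returns>
        private static bool CertificateCheck2(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            return false;
        }

        /// <summary>
        /// Accepts the certificate only when the platform validation found no error.
        /// Replaces <c>!certificate.Issuer.Equals("解決")</c>, which was true for every real
        /// certificate (and threw on a null one) and therefore only silenced the finding.
        /// For an internal self-signed or private-CA certificate, install the CA in the trusted
        /// root store, or compare the thumbprint against a known value, instead of relaxing this check.
        /// </summary>
        /// <param name="sender">Object requesting validation (unused).</param>
        /// <param name="certificate">Certificate presented by the server; not dereferenced, so null is safe.</param>
        /// <param name="chain">Chain built for the certificate (unused).</param>
        /// <param name="sslPolicyErrors">Errors found by the platform validation.</param>
        /// <returns>true when no validation error was reported; false otherwise, which aborts the handshake.</returns>
        private static bool CertificateCheck3(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            return sslPolicyErrors == SslPolicyErrors.None;
        }
    }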
}


(完)
