CWE-298 证书过期验证不恰当

Improper Validation of Certificate Expiration

结构: Simple

Abstraction: Variant

状态: Draft

被利用可能性: Low


A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.


When the expiration of a certificate is not taken into account, no trust has necessarily been conveyed through it. Therefore, the validity of the certificate cannot be verified and all benefit of the certificate is lost.


  • cwe_Nature: ChildOf cwe_CWE_ID: 295 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 295 cwe_View_ID: 699 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 672 cwe_View_ID: 1000


Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}


范围 影响 注释
['Integrity', 'Other'] Other The data read from the system vouched for by the expired certificate may be flawed due to malicious spoofing.
['Authentication', 'Other'] Other Trust afforded to the system in question - based on the expired certificate - may allow for spoofing attacks.


Architecture and Design


Check for expired certificates and provide the user with adequate information about the nature of the problem and how to proceed.



If certificate pinning is being used, ensure that all relevant properties of the certificate are fully validated before the certificate is pinned, including the expiration.


The following OpenSSL code ensures that there is a certificate and allows the use of expired certificates.

bad C

if (cert = SSL_get_peer(certificate(ssl)) {
if ((X509_V_OK==foo) || (X509_V_ERR_CERT_HAS_EXPIRED==foo))

//do stuff

If the call to SSL_get_verify_result() returns X509_V_ERR_CERT_HAS_EXPIRED, this means that the certificate has expired. As time goes on, there is an increasing chance for attackers to compromise the certificate.


映射的分类名 ImNode ID Fit Mapped Node Name
CLASP Failure to validate certificate expiration