CA5399 (Security). Enabled by default: No

Enable HttpClient certificate revocation list check

Description

A revoked certificate is no longer trusted by its issuer. If a client still accepts it, an attacker holding the corresponding private key can use it to inject malicious data into, or steal sensitive data from, HTTPS communication.

Cause

Using System.Net.Http.HttpClient with a platform-specific handler (System.Net.Http.WinHttpHandler or System.Net.Http.HttpClientHandler) whose CheckCertificateRevocationList property is not set to true allows the System.Net.Http.HttpClient to accept revoked certificates as valid.

This rule is similar to CA5400, but it fires only when analysis can determine that the CheckCertificateRevocationList property is definitely false or never set.

How to fix violations

Set the System.Net.Http.HttpClientHandler.CheckCertificateRevocationList property to true explicitly. If the System.Net.Http.HttpClientHandler.CheckCertificateRevocationList property is unavailable, you need to upgrade your target framework.

Example

Violation:

using System.Net.Http;

class ExampleClass
{
    void ExampleMethod()
    {
        WinHttpHandler winHttpHandler = new WinHttpHandler();
        // Revocation checking explicitly disabled: revoked certificates are accepted.
        winHttpHandler.CheckCertificateRevocationList = false;
        HttpClient httpClient = new HttpClient(winHttpHandler);
    }
}

Solution:

using System.Net.Http;

class ExampleClass
{
    void ExampleMethod()
    {
        WinHttpHandler winHttpHandler = new WinHttpHandler();
        // Revocation checking enabled: the chain is checked against CRL/OCSP.
        winHttpHandler.CheckCertificateRevocationList = true;
        HttpClient httpClient = new HttpClient(winHttpHandler);
    }
}
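The same fix applied to HttpClientHandler, as an added example that is not part of the rule documentation: it enables the revocation check and also reports the chain status of any rejected certificate, so a revoked certificate or an unreachable CRL/OCSP endpoint is visible in logs rather than silently failing. The class name RevocationAwareClient is assumed; it targets .NET Core 2.0 or later, where HttpClientHandler exposes both properties used here.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper, not part of the CA5399 documentation.
static class RevocationAwareClient
{
    public static HttpClient Create()
    {
        var handler = new HttpClientHandler
        {
            // CA5399 / CA5400: must be set to true explicitly.
            CheckCertificateRevocationList = true,
        };

        handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
        {
            // Chain built, and revocation status confirmed: accept.
            if (errors == SslPolicyErrors.None)
                return true;

            // With revocation checking on, a revoked certificate or a failed
            // CRL/OCSP lookup surfaces as RemoteCertificateChainErrors; log why.
            if (chain != null)
            {
                foreach (X509ChainStatus status in chain.ChainStatus)
                {
                    Console.Error.WriteLine(
                        $"{request.RequestUri?.Host}: {status.Status} ({status.StatusInformation.Trim()})");
                }
            }

            // Fail closed: never accept a certificate whose chain did not validate.
            return false;
        };

        return new HttpClient(handler);
    }
}
```

Look for X509ChainStatusFlags.Revoked, RevocationStatusUnknown or OfflineRevocation in the logged output to distinguish an actually revoked certificate from a network problem reaching the revocation endpoint.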

When to suppress

Do not suppress this rule.
