Ensure HttpClient certificate revocation list check is not disabled
Description
A revoked certificate isn't trusted anymore. An attacker holding one could use it to inject malicious data into, or read sensitive data from, HTTPS communication.
Cause
Using System.Net.Http.HttpClient with a platform-specific handler (System.Net.Http.WinHttpHandler or System.Net.Http.HttpClientHandler) whose CheckCertificateRevocationList property is possibly set to false allows System.Net.Http.HttpClient to accept revoked certificates as valid.
This rule is similar to CA5399, but it fires when analysis can't determine whether the CheckCertificateRevocationList property is definitely false or not set.
How to fix violations
Set the System.Net.Http.HttpClientHandler.CheckCertificateRevocationList property to true explicitly. If the System.Net.Http.HttpClientHandler.CheckCertificateRevocationList property is unavailable, you need to upgrade your target framework.
Example
Violation
using System;
using System.Net.Http;

class ExampleClass
{
    void ExampleMethod(bool checkCertificateRevocationList)
    {
        WinHttpHandler winHttpHandler = new WinHttpHandler();
        // The value comes from a parameter, so it may be false at runtime.
        winHttpHandler.CheckCertificateRevocationList = checkCertificateRevocationList;
        Random r = new Random();
        if (r.Next(6) == 4)
        {
            // Only sometimes set to true; analysis can't prove it is never false.
            winHttpHandler.CheckCertificateRevocationList = true;
        }
        HttpClient httpClient = new HttpClient(winHttpHandler);
    }
}
Solution
using System.Net.Http;

class ExampleClass
{
    void ExampleMethod()
    {
        WinHttpHandler winHttpHandler = new WinHttpHandler();
        // Explicit constant true: revocation is always checked.
        winHttpHandler.CheckCertificateRevocationList = true;
        HttpClient httpClient = new HttpClient(winHttpHandler);
    }
}
When to suppress
It's safe to suppress this rule if you're sure that the CheckCertificateRevocationList property is set correctly.
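As an added example, not taken from the Microsoft docs page, the factory below applies the fix for the two handler types the rule names and also shows the equivalent setting on SocketsHttpHandler, which the page does not mention: the revocation setting is a compile-time constant rather than a parameter or branch-dependent value, so the analyzer can prove it is never false.

```csharp
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example (not the docs' own code). Every handler is configured with a
// constant, unconditional revocation check, which is what CA5399/CA5400 look for.
static class RevocationCheckedHttpClientFactory
{
    // HttpClientHandler: the cross-platform handler named by the rule.
    public static HttpClient CreateWithClientHandler()
    {
        var handler = new HttpClientHandler
        {
            // Constant true, never derived from a parameter or a branch.
            CheckCertificateRevocationList = true,
        };
        return new HttpClient(handler);
    }

    // WinHttpHandler: Windows-only handler named by the rule
    // (requires the System.Net.Http.WinHttpHandler package).
    public static HttpClient CreateWithWinHttpHandler()
    {
        var handler = new WinHttpHandler
        {
            CheckCertificateRevocationList = true,
        };
        return new HttpClient(handler);
    }

    // SocketsHttpHandler (.NET Core 2.1+): the same control lives on
    // SslOptions.CertificateRevocationCheckMode. The default, NoCheck,
    // is the unsafe counterpart of CheckCertificateRevocationList = false.
    public static HttpClient CreateWithSocketsHandler()
    {
        var handler = new SocketsHttpHandler
        {
            SslOptions = new SslClientAuthenticationOptions
            {
                CertificateRevocationCheckMode = X509RevocationMode.Online,
            },
        };
        return new HttpClient(handler);
    }
}
```

Keeping the setting inside a single factory also means there is one place to audit instead of every call site that constructs a handler.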