While testing requests to my own API, I noticed that the built-in HTTP module accepts invalid SSL certificates despite bVerifyPeer being true.
I sent some POST requests to badssl.com for testing purposes.
Wrong host
Request URL: “https://wrong.host.badssl.com/”
As expected, the request is not successful in this case:
    subjectAltName does not match wrong.host.badssl.com

Expired certificate
Request URL: “https://expired.badssl.com/”
The request is successful:
    SSL certificate verify result: certificate has expired (10), continuing anyway.

Self-signed certificate
Request URL: “https://self-signed.badssl.com/”
The request is successful:
    SSL certificate verify result: self signed certificate (18), continuing anyway.

Untrusted root certificate
Request URL: “https://untrusted-root.badssl.com/”
The request is successful:
    SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

Revoked certificate
Request URL: “https://revoked.badssl.com/”
The fact that the certificate is revoked is not detected:
    SSL certificate verify ok.
Why are expired, self-signed and untrusted certificates accepted even though they are detected as invalid? This behavior is unacceptable and insecure. Is this a bug, or is it possible to change this?
bVerifyPeer is already true; the OS is Windows.
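Editor's note, not part of the post above: the numbers in parentheses in the logged lines are OpenSSL's X509 verification result codes (10 is X509_V_ERR_CERT_HAS_EXPIRED, 18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY), and the wording "SSL certificate verify result: ... continuing anyway." is libcurl's OpenSSL backend reporting a failed verification that it has been told not to enforce for that connection; "SSL certificate verify ok." is the same code path when the result is X509_V_OK. The script below is an added example, not from the original post or from any engine's HTTP module: it recreates the same test matrix offline with the openssl CLI (assumed to be version 1.1.1 or newer, on PATH), using a constructed throwaway CA, a leaf it signs, a self-signed leaf, and the made-up names good.example.test and wrong.example.test. It reports the verification code for each case so you can see what a correctly configured client must refuse; the hostname mismatch comes back as 62 (X509_V_ERR_HOSTNAME_MISMATCH), which is the check the "wrong host" request tripped. Revocation is not covered, since producing a CRL needs a full `openssl ca` setup.

```shell
#!/bin/sh
# Offline reproduction of the badssl.com certificate cases with the openssl CLI.
# Everything is constructed for the demonstration: the "Untrusted Test Root" CA,
# the leaf it signs and the names good.example.test / wrong.example.test.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway root CA (10 years) and a leaf it signs (1 day, so -attime can push
# it past expiry). EC keys keep generation fast.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout ca.key -out ca.pem -days 3650 -subj "/CN=Untrusted Test Root" >/dev/null 2>&1
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/CN=good.example.test" >/dev/null 2>&1
printf 'subjectAltName=DNS:good.example.test\nbasicConstraints=CA:FALSE\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
# Self-signed leaf: its own issuer and in no trust store (self-signed.badssl.com).
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout self.key -out self.pem -days 1 -subj "/CN=self.example.test" >/dev/null 2>&1

# verify_code CERT [openssl verify options...]
# Prints OpenSSL's X509 verify error code, or 0 when the chain verifies.
# -no-CAfile/-no-CApath keep the system trust store out of the picture, so only
# a CA passed explicitly with -CAfile is trusted.
verify_code() {
    cert=$1
    shift
    if out=$(openssl verify -no-CAfile -no-CApath "$@" "$cert" 2>&1); then
        echo 0
    else
        printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth.*/\1/p' | head -n 1
    fi
}

# The post's cases. A client with peer verification enforced must abort on any
# non-zero code here instead of logging it and "continuing anyway".
case_wrong_host()     { verify_code leaf.pem -CAfile ca.pem -verify_hostname wrong.example.test; }
case_expired()        { verify_code leaf.pem -CAfile ca.pem -attime $(( $(date +%s) + 3 * 86400 )); }
case_self_signed()    { verify_code self.pem; }
case_untrusted_root() { verify_code leaf.pem; }
case_good()           { verify_code leaf.pem -CAfile ca.pem -verify_hostname good.example.test; }

# Expected: wrong_host=62 expired=10 self_signed=18 untrusted_root=20 good=0
for c in wrong_host expired self_signed untrusted_root good; do
    printf '%-15s X509 verify code %s\n' "$c" "$(case_$c)"
done
```

Run it as-is; it leaves nothing behind because the temp directory is removed on exit. Note that the untrusted-root case is verified without the CA in `-CAfile` and without `-untrusted`, which is what yields 20; if the server sends its private root along with the leaf, OpenSSL instead reports 19 (self-signed certificate in certificate chain), and a client must treat both the same way.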