Extra Defensive Measures

Ideally, beyond the checks weve detailed in this sin, you should also check any other critical X.509 extensions and make sure there arent any critical extensions that arent understood . This could keep you from mistaking, for example, a code signing certificate for an SSL certificate. All in all, such checks can be interesting, but theyre usually not as critical as they sound.

To help mitigate credential theft that would lead to revoking a certificate, you might consider using hardware for SSL acceleration. Most of these products will keep private credentials in the hardware, and will not give them out to the computer under any circumstances. This will thwart anyone able to break onto the machine. Some hardware may have physical antitampering measures as well, making it difficult to launch even a physical attack.

Finally, if youre overwhelmed with the complexity of doing SSL server certificate validation properly, and your application only talks to a small number of servers, you can hardcode the valid server certificates, doing a complete byte-for-byte compare. This allow- list approach can be supplemented by running your own PKI, but in the long run, to do a good job, thats more costly and time-consuming than just doing validation properly in the first place.