Do use the latest version of SSL/TLS available. When this list was written the order of preference was TLS 1.1, TLS 1.0, and SSL3; all three have since been deprecated (TLS 1.0 and 1.1 by RFC 8996, SSL3 by RFC 7568), so today that means TLS 1.3, then TLS 1.2.
Do use a certificate allow list (pinning the expected peer certificates or their public keys), if appropriate, for example when a client only ever talks to a fixed, known set of servers.
Do ensure that, before you send any data, the peer certificate chains to a CA you trust and that every certificate in that chain is within its validity period.
Do check that the expected hostname appears in a proper field of the peer certificate: the Subject Alternative Name (dNSName) extension, with the Subject Common Name at most a legacy fallback.
Do not use SSL2. It has serious cryptographic weaknesses.
Do not rely on the underlying SSL/TLS library to validate a connection for you unless you are using a higher-level HTTPS API that is documented to do so. Many raw TLS APIs hand you the peer certificate and leave the chain, validity and hostname checks to the caller.
Do not only check the name (for example, the DN) in a certificate. Anyone can create a certificate and put any name they wish in it; a name means something only after the certificate has chained to a trusted CA.
Consider using an OCSP responder when validating the certificates in a trust chain, to ensure that none of them has been revoked.
Consider downloading fresh CRLs once the ones you hold expire (their nextUpdate time passes) and using them to further validate the certificates in a trust chain.
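The checks in the list above, carried out explicitly rather than left to the library: chain to a trusted root, validity at the time of the check, hostname in a SAN, and an optional public-key allow list. This is an added example and not code from the original page or from any particular TLS library; the root CA, the host name example.test and the four scenario certificates are constructed in memory for the demonstration, and x509.Verify in Go's standard library does not perform the OCSP or CRL checks from the last two items, so revocation is deliberately left as a caller responsibility here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed, in-memory test hierarchy; nothing in it is a real CA or host.
type PKI struct {
	Roots   *x509.CertPool
	Good    *x509.Certificate // SAN example.test, valid, issued by the test root
	CNOnly  *x509.Certificate // name only in the Subject CN, no SAN
	Expired *x509.Certificate // SAN is fine, but notAfter has already passed
	Rogue   *x509.Certificate // self-signed with the same name, not issued by the root
}

// issue signs tmpl with issuerKey (self-signed when issuer is nil) and parses the result.
func issue(tmpl, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if issuer == nil {
		issuer, issuerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildPKI creates the test root plus one leaf per scenario, all relative to now.
func BuildPKI(now time.Time) *PKI {
	root, rootKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	leafTmpl := func(serial int64, sans []string, notAfter time.Time) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "example.test"},
			DNSNames: sans, NotBefore: now.Add(-2 * time.Hour), NotAfter: notAfter,
			KeyUsage:    x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
	}
	good, _ := issue(leafTmpl(2, []string{"example.test"}, now.Add(time.Hour)), root, rootKey)
	cnOnly, _ := issue(leafTmpl(3, nil, now.Add(time.Hour)), root, rootKey)
	expired, _ := issue(leafTmpl(4, []string{"example.test"}, now.Add(-time.Hour)), root, rootKey)
	rogue, _ := issue(leafTmpl(5, []string{"example.test"}, now.Add(time.Hour)), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return &PKI{Roots: roots, Good: good, CNOnly: cnOnly, Expired: expired, Rogue: rogue}
}

// SPKIPin returns the hex SHA-256 of the SubjectPublicKeyInfo, the usual allow-list key.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// VerifyPeer applies the checklist: chain to a trusted root, validity at now, the hostname in a
// SAN dNSName (Go never consults the CN), then an optional SPKI allow list. Revocation (OCSP/CRL)
// is not part of x509.Verify and would have to be added by the caller.
func VerifyPeer(leaf *x509.Certificate, intermediates []*x509.Certificate, roots *x509.CertPool,
	hostname string, now time.Time, allowedSPKI []string) error {
	pool := x509.NewCertPool()
	for _, c := range intermediates {
		pool.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: pool, DNSName: hostname, CurrentTime: now}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain/name/validity check failed: %w", err)
	}
	if len(allowedSPKI) == 0 {
		return nil
	}
	pin := SPKIPin(leaf)
	for _, a := range allowedSPKI {
		if a == pin {
			return nil
		}
	}
	return errors.New("peer public key is not in the allow list")
}

func main() {
	now := time.Now()
	p := BuildPKI(now)
	cases := []struct {
		name string
		c    *x509.Certificate
		host string
		pins []string
	}{
		{"good", p.Good, "example.test", nil},
		{"wrong host", p.Good, "other.test", nil},
		{"CN only, no SAN", p.CNOnly, "example.test", nil},
		{"expired", p.Expired, "example.test", nil},
		{"rogue self-signed", p.Rogue, "example.test", nil},
		{"good but unpinned key", p.Good, "example.test", []string{SPKIPin(p.Rogue)}},
	}
	for _, tc := range cases {
		fmt.Printf("%-22s -> %v\n", tc.name, VerifyPeer(tc.c, nil, p.Roots, tc.host, now, tc.pins))
	}
}
```

Only the first case passes; the "rogue self-signed" case is the point of the "do not only check the name" item, since its name matches exactly and it is rejected purely because it does not chain to the trusted root. Go's own crypto/tls does perform the chain and hostname checks by default, but the allow list and any OCSP or CRL lookup still have to be supplied by the application (for example from a tls.Config VerifyPeerCertificate callback).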