HTTP module accepting expired, self-signed and untrusted SSL certificates

While testing requests to my own API, I noticed that the built-in HTTP module accepts invalid SSL certificates despite bVerifyPeer being true.

I sent some POST requests to badssl.com for testing purposes.

wrong host

Request URL: https://wrong.host.badssl.com/

As expected, the request is not successful in this case:

subjectAltName does not match wrong.host.badssl.com

expired certificate

Request URL: https://expired.badssl.com/

The request is successful.

SSL certificate verify result: certificate has expired (10), continuing anyway.

self-signed certificate

Request URL: https://self-signed.badssl.com/

The request is successful.

SSL certificate verify result: self signed certificate (18), continuing anyway.

untrusted root certificate

Request URL: https://untrusted-root.badssl.com/

The request is successful.

SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

revoked certificate

Request URL: https://revoked.badssl.com/

The fact that the certificate is revoked is not detected.

SSL certificate verify ok.

Why are expired, self-signed and untrusted certificates accepted even if they are detected as invalid? This behavior is unacceptable and insecure. Is this a bug or is it possible to change this?

bVerifyPeer is already true, OS is Windows.
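An added example, not code from the thread or from the engine: a small log triage over the verify lines quoted above. It maps the logged OpenSSL codes (10, 18, 20) to their OpenSSL constant names, flags any failed check that is followed by "continuing anyway" as a verification bypass, and treats a bare "verify ok" as saying nothing about revocation. The sample log is constructed from the lines in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# OpenSSL X509 verify codes quoted in the thread, with their OpenSSL constant names.
X509_VERIFY_ERRORS = {
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
}
# The three line shapes that appear in the post.
_RESULT_RE = re.compile(r"SSL certificate verify result: (?P<reason>.+?) \((?P<code>\d+)\)(?P<cont>, continuing anyway)?")
_OK_RE = re.compile(r"SSL certificate verify ok")
_SAN_RE = re.compile(r"subjectAltName does not match (?P<host>\S+)")

@dataclass
class Finding:
    line: str
    code: Optional[int]   # OpenSSL verify code; None when no code was logged
    reason: str
    bypassed: bool        # True when a failed verification did not abort the request
    severity: str

def classify_line(line: str) -> Optional[Finding]:
    """Classify one HTTP-module log line; returns None for unrelated lines."""
    m = _RESULT_RE.search(line)
    if m:
        code = int(m.group("code"))
        bypassed = m.group("cont") is not None
        name = X509_VERIFY_ERRORS.get(code, f"X509_V_ERR code {code}")
        # "continuing anyway" after a failed check means the request reached a peer whose certificate did not verify.
        return Finding(line, code, name, bypassed, "critical" if bypassed else "info")
    if _SAN_RE.search(line):
        return Finding(line, None, "hostname mismatch, request rejected", False, "info")
    if _OK_RE.search(line):
        # A clean result covers chain and validity only; OpenSSL checks CRL/OCSP only when configured to, so a revoked cert still reads "ok".
        return Finding(line, None, "verified (revocation not checked)", False, "warning")
    return None

def triage(log_lines: List[str]) -> List[Finding]:
    return [f for f in map(classify_line, log_lines) if f is not None]

# Constructed sample: the verify lines quoted in the post, in order.
SAMPLE_LOG = [
    "subjectAltName does not match wrong.host.badssl.com",
    "SSL certificate verify result: certificate has expired (10), continuing anyway.",
    "SSL certificate verify result: self signed certificate (18), continuing anyway.",
    "SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.",
    "SSL certificate verify ok.",
]
```

Run `triage(SAMPLE_LOG)` to get one finding per line; the three "continuing anyway" entries come back as critical bypasses, and the final "ok" is only a warning because revocation was never part of that result.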

Hello,

We’ve recently made a switch to a new bug reporting method using a more structured form. Please visit the link below for more details and report the issue using the new Bug Submission Form. Feel free to continue to use this thread for community discussion around the issue.

https://epicsupport.force.com/unrealengine/s/

Thanks

Hi @CHD Gaming, can you please shed some light on how you are adding the SSL certificates to your HTTPS requests? I’m having trouble with HTTPS requests using OS-installed certificates. (All my requests return invalid certificate, even though the certs are installed within Windows and other API testing tools are able to perform valid requests using the OS certs.) Thanks in advance!

Just an update on this in 2022 with UE5: it seems that peer verification fails in all the scenarios listed in the OP’s question except for the last one, regarding a revoked certificate. So expired, self-signed, and untrusted certificates are rejected, but I guess revoked certificates are still accepted.