Writing Secure Code
- Do use the latest version of SSL/TLS available, in order of preference: TLS 1.1, TLS 1.0, and SSL3.
- Do use a certificate allow list, if appropriate.
- Do ensure that, before you send data, the peer certificate is traced back to a trusted CA and is within its validity period.
- Do check that the expected hostname appears in a proper field of the peer certificate.
- Do not use SSL2. It has serious cryptographic weaknesses.
- Do not rely on the underlying SSL/TLS library to properly validate a connection, unless you are using HTTPS.
- Do not only check the name (for example, the DN) in a certificate. Anyone can create a certificate and add any name they wish to it.
- Consider using an OCSP responder when validating certificates in a trust chain to ensure that the certificate hasn't been revoked.
- Consider downloading CRLs once the present CRLs expire and using them to further validate certificates in a trust chain.
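The chain, validity-period and hostname checks from the list above, as an added example that is not part of the original checklist: a client context that refuses unverified peers, plus an explicit check of the validity period and of the hostname against the subjectAltName (falling back to the CN only when no SAN exists). The peer certificate dictionary is a constructed sample in the shape `ssl.SSLSocket.getpeercert()` returns, and the system CA store is assumed to be the intended trust anchor.

```python
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.cdn.example.test")),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2034 GMT",
}


def hardened_client_context() -> ssl.SSLContext:
    """Client context that traces the peer cert to a trusted CA and enforces hostname matching.

    Assumption: the default system CA store is the trust anchor. The weak setting
    this replaces is verify_mode = ssl.CERT_NONE, which accepts any certificate.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSL2/SSL3 and early TLS are refused
    ctx.check_hostname = True                     # name is checked against SAN, not just the DN
    ctx.verify_mode = ssl.CERT_REQUIRED           # chain must reach a trusted CA and be in validity
    return ctx


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a wildcard that covers exactly one left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".cdn.example.test"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]
        return label != "" and "." not in label
    return pattern == hostname


def validate_peer_cert(cert: dict, expected_hostname: str, now=None) -> bool:
    """Explicit validity-period and hostname check on a getpeercert() dictionary.

    Run this after the library has verified the chain; it does not replace chain validation.
    """
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        return False
    # Proper field first: subjectAltName dNSName entries. The CN is only a fallback.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(n, expected_hostname) for n in names)
```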