
Does your software use HTTPS? If so, does it verify the host certificates by default?


This applies to both ingress into and egress from your project.

  • For ingress, this applies to validation of the client certificates coming into your system.
  • For egress, this applies to validation of the host certificates for external systems that your system reads from or sends to.

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on sub-resources.
Note that incorrect TLS certificate verification is a common mistake. For more information, see "The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software" by Martin Georgiev et al. and "Do you trust this application?" by Michael Catanzaro.

Note: One aspect of this is that, if something is missing that prevents TLS from working, the software must NOT fall back to an insecure mode but must instead refuse to communicate. If an insecure mode is allowed at all, it MUST be explicitly configured.

Note 2: If all of your traffic, ingress or egress, travels through the ONAP mesh, state that in your answer.
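As an added illustration (not code from this questionnaire or from any ONAP project), the Python below shows the policy the notes describe: an egress client context that verifies by default, an ingress server context that validates client certificates, an insecure mode reachable only through an explicit configuration flag with no automatic fallback, and an audit helper that flags the weak settings a reviewer looks for. All function and constant names are this example's own.

```python
import socket
import ssl

# Findings produced by audit_context(); names and wording are this example's own.
WEAK_VERIFY = "verify_mode is not CERT_REQUIRED: peer certificate is not validated"
WEAK_HOSTNAME = "check_hostname is False: certificate is not matched against the host"
WEAK_VERSION = "minimum_version is below TLS 1.2"

def build_client_context(ca_bundle=None, insecure_explicitly_configured=False):
    """Egress: context for talking to an external system.
    Verification is on by default (system trust store, or the CA bundle given).
    Insecure mode is reachable only through the explicit configuration flag;
    no code path here switches it on because verification failed."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if insecure_explicitly_configured:
        ctx.check_hostname = False        # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def build_server_context(cert_chain, key, client_ca):
    """Ingress: context for accepting connections; client certificates are
    required and validated against client_ca (mutual TLS)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_ca)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_chain, key)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def connect_verified(host, port, ctx):
    """Open a TLS connection with ctx. A certificate failure surfaces as
    ssl.SSLCertVerificationError; there is deliberately no retry with CERT_NONE."""
    sock = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(sock, server_hostname=host)

def audit_context(ctx, server_side=False):
    """Return the weak settings found in an SSLContext (empty list = ok).
    Hostname matching is a client-side property, so it is skipped for servers."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(WEAK_VERIFY)
    if not server_side and not ctx.check_hostname:
        findings.append(WEAK_HOSTNAME)
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(WEAK_VERSION)
    return findings
```

Running audit_context() over every context a component builds at startup is a cheap way to catch a verification-disabled configuration before it reaches production.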

[crypto_certificate_verification S]
