SSL certificate validation in Unity


#1

Does Unity need to validate the SSL certificate? If so, how should it be done?


#2

Hi @ATHellboy,

Could you please be more specific in your question?


#3

This seems very off topic…
Your forum question hasn’t been answered (yet): https://forum.unity.com/threads/ssl-certificate-validation.222529/


#4

Hey guys,

@schoen I mean for HTTPS communication with SSL/TLS provided by a CA (not a self-signed certificate): do I need to do any validation in my Unity or any other kind of client, or is it just handled by the server?

@rg305 I'm not sure about that topic you sent, because I don't know if it is for a self-signed certificate or for CAs like Let's Encrypt.


#5

The question appears to be whether Unity ships and uses a CA bundle or not.

Since Unity just uses the .NET runtime, I imagine the runtime would either come with a bundle or use the one it can find from the operating system where the program is running.

You could test by trying to connect to e.g. https://google.com from your Unity application, and then seeing whether you can connect to https://untrusted-root.badssl.com/.

If the first one succeeds and the second one fails, then most likely you don’t need to do anything extra for Let’s Encrypt.

If they both fail, then you probably need to set up manual X.509 verification or CA bundle import in your C# code.

If they both succeed, then Unity is probably not doing any X.509 verification (unsafe), so you would need to set up manual X.509 verification or CA bundle import in your C# code.

My quick research indicates that Unity does the right thing (case #1), so hopefully it should just work out of the box for you without any extra setup.


#6

I’m referring to post #21:


Presuming “a-t-hellboy” and @ATHellboy are one and the same.

If you don’t get a response, you might want to open a new thread there making your request clearer (in the topic).


#7

@_az Unfortunately, it connects to both URLs, according to this code:

using System.Collections;
using UnityEngine;

    IEnumerator Connect()
    {
        // WWW performs the request; any transport or TLS failure ends up in www.error
        using (WWW www = new WWW("https://temstore.ir"))
        {
            yield return www;
            if (www.error != null)
                Debug.Log(www.error);
            else
                Debug.Log("Connected");
        }
    }

So I think I need to implement your second solution, "manual X.509 verification or CA bundle import in your C# code".

@rg305 Oh, you mean my post :slight_smile:


#8
using System.Collections;
using System.IO;
using System.Net;
using UnityEngine;

    IEnumerator Connect()
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://google.com");
        // GetResponse() blocks; the TLS handshake, including the certificate check, happens here
        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        using (StreamReader reader = new StreamReader(response.GetResponseStream()))
        {
            string responseFromServer = reader.ReadToEnd();
            Debug.Log("responseFromServer=" + responseFromServer);
        }

        yield return 0;
    }

With this piece of code it returns an error, which is this:

TlsException: Invalid certificate received from server. Error code: 0xffffffff800b010a
Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.validateCertificates (Mono.Security.X509.X509CertificateCollection certificates)


#9

This appears to demonstrate how to import the CA bundle into Unity/the .NET runtime: http://answers.unity.com/answers/1144063/view.html


#10

@_az Yup, I've seen that. I've not checked it yet. I will, and I'll tell you the result. Thanks a lot.


#11

I've tested. When I ran mozroots.exe it said:

[screenshot: ssl]

I don't know how I can use cert-sync, but it also seems to update the trusted CAs.

I use this piece of code:

using System.Collections;
using System.IO;
using System.Net;
using UnityEngine;

    IEnumerator Connect()
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://google.com");
        // GetResponse() blocks; the TLS handshake, including the certificate check, happens here
        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        using (StreamReader reader = new StreamReader(response.GetResponseStream()))
        {
            string responseFromServer = reader.ReadToEnd();
            Debug.Log("responseFromServer=" + responseFromServer);
        }

        yield return 0;
    }

but, like before, Unity returns this error:

TlsException: Invalid certificate received from server. Error code: 0xffffffff800b010a
Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.validateCertificates (Mono.Security.X509.X509CertificateCollection certificates)

If I use this code, there is always a response from any kind of server:

using System;
using System.Collections;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using UnityEngine;

    IEnumerator Connect()
    {
        // Process-wide hook: from now on every HttpWebRequest asks this callback whether to trust the server
        ServicePointManager.ServerCertificateValidationCallback = MyRemoteCertificateValidationCallback;

        HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://temstore.ir");
        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        using (StreamReader reader = new StreamReader(response.GetResponseStream()))
        {
            string responseFromServer = reader.ReadToEnd();
            Debug.Log("Response From Server:\n" + responseFromServer);
        }

        yield return 0;
    }

    public bool MyRemoteCertificateValidationCallback(System.Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Starts out trusting the server; only a failed chain.Build() below can flip it
        bool isOk = true;
        // If there are errors in the certificate chain, look at each error to determine the cause.
        if (sslPolicyErrors != SslPolicyErrors.None)
        {
            // A host-name mismatch (RemoteCertificateNameMismatch) is never examined here:
            // chain.Build() checks the chain only, not the name, so mismatches pass.
            for (int i = 0; i < chain.ChainStatus.Length; i++)
            {
                if (chain.ChainStatus[i].Status != X509ChainStatusFlags.RevocationStatusUnknown)
                {
                    chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
                    chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
                    chain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 1, 0);
                    // AllFlags tells Build() to ignore untrusted roots, expiry, wrong key usage,
                    // invalid names and unknown revocation, so it succeeds for almost any chain;
                    // this is why "any kind of server" gets a response.
                    chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllFlags;
                    bool chainIsValid = chain.Build((X509Certificate2)certificate);
                    if (!chainIsValid)
                    {
                        isOk = false;
                    }
                }
            }
        }
        return isOk;
    }
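As an added example (not code from the thread, from Unity or from Mono), here is the strict form of the callback from post #11 combined with the two-URL check that post #5 describes. The class name TlsProbe, the method names and the optional PEM bundle at StreamingAssets/roots.pem are assumptions made for illustration. Where the thread's callback starts from "trust" and sets AllFlags, which makes chain.Build() ignore untrusted roots, expiry, wrong usage and unknown revocation, this one starts from "reject", keeps every check on with NoFlag, and accepts an UntrustedRoot status only when that root is one of the bundled roots.

```csharp
using System;
using System.Collections;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using UnityEngine;

// Added example, not code from the thread, Unity or Mono. The class name, StrictValidation
// and the StreamingAssets/roots.pem bundle path are assumptions for illustration.
public class TlsProbe : MonoBehaviour
{
    // Extra trust anchors from our own bundle; empty means "only what the runtime already trusts".
    static readonly X509Certificate2Collection ExtraRoots = new X509Certificate2Collection();

    void Start()
    {
        LoadExtraRoots(Path.Combine(Application.streamingAssetsPath, "roots.pem"));
        ServicePointManager.ServerCertificateValidationCallback = StrictValidation;
        StartCoroutine(Probe());
    }

    // Strict callback: trust the server only if the runtime already trusts it, or if its chain
    // ends in one of our bundled roots and has no other defect.
    public static bool StrictValidation(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        // No certificate, or a host name that does not match: never acceptable.
        if ((errors & (SslPolicyErrors.RemoteCertificateNotAvailable | SslPolicyErrors.RemoteCertificateNameMismatch)) != 0) return false;
        if (ExtraRoots.Count == 0) return false;
        // Rebuild the chain with our roots as candidates. NoFlag keeps every check switched on;
        // the thread's callback used AllFlags, which switches them all off.
        X509Chain verify = new X509Chain();
        verify.ChainPolicy.ExtraStore.AddRange(ExtraRoots);
        verify.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        verify.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // see the note below
        verify.Build(new X509Certificate2(cert));
        if (verify.ChainElements.Count == 0) return false;
        // The only status we tolerate is UntrustedRoot, and only when that root is one of ours.
        foreach (X509ChainStatus s in verify.ChainStatus)
            if (s.Status != X509ChainStatusFlags.NoError && s.Status != X509ChainStatusFlags.UntrustedRoot) return false;
        X509Certificate2 root = verify.ChainElements[verify.ChainElements.Count - 1].Certificate;
        foreach (X509Certificate2 ours in ExtraRoots)
            if (ours.Thumbprint == root.Thumbprint) return true;
        return false;
    }

    // Reads every CERTIFICATE block from a PEM bundle; a missing file just means no extra roots.
    static void LoadExtraRoots(string pemPath)
    {
        if (!File.Exists(pemPath)) return;
        const string begin = "-----BEGIN CERTIFICATE-----";
        const string end = "-----END CERTIFICATE-----";
        string text = File.ReadAllText(pemPath);
        int pos;
        while ((pos = text.IndexOf(begin, StringComparison.Ordinal)) >= 0)
        {
            int stop = text.IndexOf(end, pos, StringComparison.Ordinal);
            if (stop < 0) break;
            string b64 = text.Substring(pos + begin.Length, stop - pos - begin.Length);
            ExtraRoots.Add(new X509Certificate2(Convert.FromBase64String(b64.Replace("\r", "").Replace("\n", ""))));
            text = text.Substring(stop + end.Length);
        }
    }

    // Post #5's check, automated: a public site that must succeed and one whose root must be rejected.
    IEnumerator Probe()
    {
        bool trustedOk = Fetch("https://google.com");
        bool untrustedOk = Fetch("https://untrusted-root.badssl.com/");
        Debug.Log(Classify(trustedOk, untrustedOk));
        yield return null;
    }

    // Blocking GET; a rejected certificate surfaces as an exception thrown by GetResponse().
    static bool Fetch(string url)
    {
        try
        {
            HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
            using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
                return (int)resp.StatusCode < 400;
        }
        catch (Exception e) // on Mono a WebException wrapping the TLS failure
        {
            Debug.Log(url + " failed: " + e.Message);
            return false;
        }
    }

    static string Classify(bool trustedOk, bool untrustedOk)
    {
        if (trustedOk && !untrustedOk) return "Case 1: the runtime validates against a CA bundle; nothing extra needed.";
        if (!trustedOk && !untrustedOk) return "Case 2: no usable CA bundle; import one or validate manually.";
        if (trustedOk && untrustedOk) return "Case 3: no validation at all (unsafe); fix the callback.";
        return "Unexpected: trusted site failed but the untrusted one succeeded; check the network path.";
    }
}
```

Attach the component to any scene object and read the Console: with a working OS or Mono trust store the probe reports case 1, and with an empty store plus no roots.pem it reports case 2 rather than silently passing. Revocation is set to NoCheck here because an online CRL/OCSP fetch from a game client blocks the main thread and often cannot reach the network; the thread's own callback chose Online with a one-minute timeout, and which to use is a deployment decision. Certificates in ExtraStore are never trusted on their own by X509Chain, which is why the callback compares the chain's final thumbprint against the bundle instead of relying on Build()'s return value.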

#12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.