Question: How does Unity load SSL certificates in Editor?

Discussion in 'macOS' started by amarcolina, Apr 8, 2021.

  1. amarcolina

    Joined: Jun 19, 2014
    Posts: 65
    I am having issues where a URL that can be reached from the computer cannot be reached from code running inside the Editor on macOS devices. I can easily verify the URL in question is reachable and properly authenticated. I can run curl URL_IN_QUESTION in the terminal and get a response back no problem. But when I simply attempt to construct an HttpWebRequest for the same URL, I get an error back when I try to read the response.

    Response error: System.Net.WebException
    System.Net.WebException: Error: TrustFailure (One or more errors occurred.) ---> System.AggregateException: One or more errors occurred. ---> System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> Mono.Security.Interface.TlsException: Handshake failed - error code: UNITYTLS_INTERNAL_ERROR, verify result: UNITYTLS_X509VERIFY_FLAG_NOT_TRUSTED
    at Mono.Unity.Debug.CheckAndThrow (Mono.Unity.UnityTls+unitytls_errorstate errorState, Mono.Unity.UnityTls+unitytls_x509verify_result verifyResult, System.String context, Mono.Security.Interface.AlertDescription defaultAlert) [0x00036] in <ef151b6abb5d474cb2c1cb8906a8b5a4>:0
    at Mono.Unity.UnityTlsContext.ProcessHandshake () [0x00082] in <ef151b6abb5d474cb2c1cb8906a8b5a4>:0
    at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status) [0x0003e] in <ef151b6abb5d474cb2c1cb8906a8b5a4>:0
    at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus)
    at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00006] in <ef151b6abb5d474cb2c1cb8906a8b5a4>:0
    at Mono.Net.Security.AsyncProtocolRequest+<ProcessOperation>d__24.MoveNext () [0x000ff] in <ef151b6abb5d474cb2c1cb8906a8b5a4>:0
    --- End of stack trace from previous location where exception was thrown ---
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <9577ac7a62ef43179789031239ba8798>:0
    at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x0003e] in <9577ac7a62ef43179789031239ba8798>:0
    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x00028] in <9577ac7a62ef43179789031239ba8798>:0
    at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x00008] in <9577ac7a62ef43179789031239ba8798>:0
    at System.Runtime.CompilerServices.ConfiguredTaskAwaitable+ConfiguredTaskAwaiter.GetResult () [0x00000] in <9577ac7a62ef43179789031239ba8798>:0
    at Mono.Net.Security.AsyncProtocolRequest+<StartOperation>d__23.MoveNext () [0x0008b] in <ef151b6abb5d474cb2c1cb8906a8b5a4>:0
    --- End of inner exception stack trace ---
    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <9577ac7a62ef43179789031239ba8798>:0
    at Mono.Net.Security.MobileAuthenticatedStream+<ProcessAuthentication>d__47.MoveNext () [0x00254] in <ef151b6abb5d474cb2c1cb8906a8b5a4>:0
    --- End of inner exception stack trace ---
    at System.Threading.Tasks.Task.ThrowIfExceptional (System.Boolean includeTaskCanceledExceptions) [0x00011] in <9577ac7a62ef43179789031239ba8798>:0
    at System.Threading.Tasks.Task.Wait (System.Int32 millisecondsTimeout, System.Threading.CancellationToken cancellationToken) [0x00043] in <9577ac7a62ef43179789031239ba8798>:0
    at System.Threading.Tasks.Task.Wait () [0x00000] in <9577ac7a62ef43179789031239ba8798>:0
    at Mono.Net.Security.MobileAuthenticatedStream.AuthenticateAsClient (System.String targetHost, System.Security.Cryptography.X509Certificates.X509CertificateCollection clientCertificates, System.Security.Authentication.SslProtocols enabledSslProtocols, System.Boolean checkCertificateRevocation) [0x0000d] in <ef151b6abb5d474cb2c1cb8906a8b5a4>:0
    at Mono.Net.Security.MonoTlsStream.CreateStream (System.Byte[] buffer) [0x0007b] in <ef151b6abb5d474cb2c1cb8906a8b5a4>:0
    at System.Net.WebConnection.CreateStream (System.Net.HttpWebRequest request) [0x00073] in <ef151b6abb5d474cb2c1cb8906a8b5a4>:0
    --- End of inner exception stack trace ---
    at System.Net.HttpWebRequest.EndGetResponse (System.IAsyncResult asyncResult) [0x00058] in <ef151b6abb5d474cb2c1cb8906a8b5a4>:0
    at System.Net.HttpWebRequest.GetResponse () [0x0000e] in <ef151b6abb5d474cb2c1cb8906a8b5a4>:0

    How does Unity acquire and use the certificates from the machine, precisely? Reading, it seems like Unity 2018.2 added correct support for loading certificates, but how does this function precisely? Is it possible it is loading them in a way that is incompatible with the way other software like curl might be, and that it is missing important certificates in certain situations?
     
  2. andreasreich (Unity Technologies)

    Joined: Sep 24, 2017
    Posts: 55
    Unity internally queries the system certificate store to let a TLS backend library behind a shared interface ("UnityTls") do the verification (this way we have to worry only about platform specific system certificate store fetching and very few backends over several applications - today everything TLS goes almost always to MbedTLS).

    For Mac this certificate store querying was done using the `SecTrustCopyAnchorCertificates` API until very recently. However, recently that was changed since doing it this way misses some trusted certificates, in particular those added by users in their keychain. Now there is a much more complicated fetching using `SecTrustSettingsCopyCertificates` going through different domains. So I wouldn't be surprised if you also run into an issue like this!
    The new version didn't make it to 2021.1 and so far there was no plan of bringing it back since it seemed too niche (plus a bit of a risky change). But it's in the alpha releases, so could you try your URL briefly with the latest Alpha release?
    If it turns out to work there I can look into getting it into patch releases - which Unity version are you on right now?
    If you can create a bug report with a repro case that would be very appreciated as well, of course; then we have a better chance of verifying what's going on :)
     
    amarcolina likes this.
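    The two posts above describe a TrustFailure whose cause is invisible from the exception alone. The following is an added diagnostic example, not code from the thread or from Unity; it assumes a Unity Editor project on the .NET 4.x profile, a hypothetical `TlsTrustDiagnostics` class, and a placeholder path to the enterprise root CA that the internal network's server chain ends at. It attaches a validation callback to the `HttpWebRequest`, logs the `SslPolicyErrors` and per-element chain status that UnityTls reported, and, only for a chain-trust error, re-validates the chain while requiring that it terminates at exactly that pinned root. It never returns `true` unconditionally, so a name mismatch, an expired certificate or a chain ending at some other CA still fails.

```csharp
// Added diagnostic example (not from the thread or Unity). Run it from the
// Editor, e.g. a [MenuItem], against the URL that fails with TrustFailure.
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using UnityEngine;

public static class TlsTrustDiagnostics
{
    // Assumption: the enterprise root CA exported as DER/PEM; placeholder path.
    const string EnterpriseRootPath = "/path/to/enterprise-root-ca.cer";

    public static string Fetch(string url)
    {
        // Load the pinned root once so the callback can compare against it.
        X509Certificate2 enterpriseRoot = File.Exists(EnterpriseRootPath)
            ? new X509Certificate2(EnterpriseRootPath)
            : null;

        var request = (HttpWebRequest)WebRequest.Create(url);
        request.ServerCertificateValidationCallback = (sender, cert, chain, errors) =>
            ValidateWithDiagnostics(cert, chain, errors, enterpriseRoot);

        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream()))
            return reader.ReadToEnd();
    }

    static bool ValidateWithDiagnostics(X509Certificate cert, X509Chain chain,
                                        SslPolicyErrors errors, X509Certificate2 pinnedRoot)
    {
        // Log what the TLS backend decided before making any decision of our own.
        Debug.Log($"TLS validation: subject={cert.Subject} issuer={cert.Issuer} errors={errors}");
        foreach (X509ChainElement el in chain.ChainElements)
        {
            string status = string.Join(",",
                Array.ConvertAll(el.ChainElementStatus, s => s.Status.ToString()));
            Debug.Log($"  chain element: {el.Certificate.Subject} status=[{status}]");
        }

        if (errors == SslPolicyErrors.None)
            return true;

        // Only "chain not trusted" is a candidate for the enterprise-root path.
        // Name mismatch or a missing certificate is a genuine failure: reject.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors || pinnedRoot == null)
            return false;

        // Rebuild the chain allowing an unknown CA, supplying the pinned root and
        // the intermediates the server sent, then require that the chain's root
        // is byte-for-byte the pinned root (thumbprint comparison).
        var pinChain = new X509Chain();
        // Assumption: the internal CA publishes no reachable CRL, so skip revocation
        // here; switch to Online once it does.
        pinChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        pinChain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        pinChain.ChainPolicy.ExtraStore.Add(pinnedRoot);
        foreach (X509ChainElement el in chain.ChainElements)
            pinChain.ChainPolicy.ExtraStore.Add(el.Certificate);

        // Build still fails for expiry, bad signatures, etc.; only the untrusted-root
        // condition is tolerated by the flag above.
        if (!pinChain.Build(new X509Certificate2(cert)))
            return false;

        X509Certificate2 root = pinChain.ChainElements[pinChain.ChainElements.Count - 1].Certificate;
        bool pinned = string.Equals(root.Thumbprint, pinnedRoot.Thumbprint,
                                    StringComparison.OrdinalIgnoreCase);
        Debug.Log(pinned ? "chain terminates at the pinned enterprise root"
                         : "chain root is NOT the pinned enterprise root: rejecting");
        return pinned;
    }
}
```

    Reading the log output: `errors=RemoteCertificateChainErrors` together with an `UntrustedRoot` or `PartialChain` status on the last element matches the `UNITYTLS_X509VERIFY_FLAG_NOT_TRUSTED` result in the original stack trace, and means the store query described in the reply above did not surface the issuing root, whereas `RemoteCertificateNameMismatch` points at the certificate, not at certificate loading. The pinning branch is a workaround for a root that the Editor's store query cannot see; once a Unity version that fetches keychain trust settings is in use, the callback should log `errors=None` and the branch is never taken.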
  3. amarcolina

    Joined: Jun 19, 2014
    Posts: 65
    Unfortunately upgrading to the latest version of the 2021.2 alpha does not fix the issue. I'd love to submit a repro case but unfortunately this is an issue we are encountering on our internal enterprise network, and so external access isn't really possible.