HTTPS / TLS 1.2 Support

Discussion in 'Experimental Scripting Previews' started by GordonM, Nov 16, 2017.

  1. GordonM

    Joined: Nov 13, 2015. Posts: 33
    The net framework 4.6 upgrade is coming along nicely I see, I'm using it in production currently and have a few questions about your stances on TLS at Unity.

    I've written this issue up to make it clearer,
    https://nodrogdev.tumblr.com/post/167503665217/tls-12

    We need TLS 1.2 to be available. If it doesn't become available, what should we do when we need to secure our player data in a good way?

    A few assets exist on the Unity Asset Store but we hesitate to use them because they haven't been properly tested and we value our player information. We don't want to accidentally end up giving hackers something they can use if we use HTTP without TLS.

    Now, you're probably thinking, it's not our job to secure the game. I totally agree, I want to secure our game but literally can't in a tangible way, because of the outdated version of Mono.

    Can you please look into the new version of the Mono runtime? It has working TLS 1.2 for Mac, Linux and Windows, and it would be really awesome of you people to get it working during the .NET runtime upgrade.

    From what I've read it's fairly ready for production use, and I can easily get it audited by professionals at the end of next month if you provide a build with the experimental support, which would save you money down the line.

    Anyway, any information which can be provided would be useful.
     
  2. bddckr

    Joined: Sep 13, 2016. Posts: 28
    It's in their plans already:
     
  3. GordonM

    Joined: Nov 13, 2015. Posts: 33
    Thank you for the reply.

    I need a time-frame or estimated version when they're going to have it by?

    If they're working on it within the next 3-6 months then it's OK as we don't launch until at least 3-6 months from now.

    It's really the last bit we need to get the system we have secure, if we don't have it within the 3-6 month mark we will have to implement our own system, probably using libcurl or something.
     
  4. joncham

    Unity Technologies
    Joined: Dec 1, 2011. Posts: 276
    We are working on proper TLS 1.2 support in the updated version of Mono we support. I don't have an exact time frame, but likely some support will exist in the 2018.1 release. I am not sure what platforms this will cover.

    I think UnityWebRequest does fully support TLS 1.2, so that may be an option until we ensure the .NET web APIs support it: https://docs.unity3d.com/Manual/UnityWebRequest.html
     
  5. GordonM

    Joined: Nov 13, 2015. Posts: 33
    I don't think it does. At least your documentation doesn't state that it does?
     
  6. eriQue

    Unity Technologies
    Joined: May 25, 2010. Posts: 595
    UnityWebRequest uses the platform SDK/API for http(s)-transfer, where available.
    As such we only "own" the implementation on platforms where no such API exists (specifically the desktop platforms, where the UWR is currently backed by libcurl/OpenSSL - which supports TLS1.2).

    On the platforms we support with a recent (latest?) version of Unity, where UWR/https is also supported generally, TLS1.2 should also be supported (but it's up to the platform's SDK/API to handle that).
     
  7. GordonM

    Joined: Nov 13, 2015. Posts: 33
    Yeah, general support would be good. I can't use UWR because we use the same code in other applications which are non unity. We link a console app for a server to some of the classes we have in the game, and we only want one file to handle these requests, so that changes are distributed to both applications without causing things to break.

    We use async for our system, and normal System.Net.HTTP. If we get absolutely stuck against a wall we will use our own implementation of libcurl.

    I'm glad that it is now using the platform implementation in the mono alpha release, because that really is better than what is currently available.

    TLS 1.3 is being drafted at the moment and due for release by next year apparently; so keep your eyes open for its release please.

    Our dedicated server is extremely stable and announces itself to a matchmaking list etc, but I've disabled HTTPS until we have been deployed a working TLS 1.2 implementation using System.Net.HTTP in Unity3D.

    Also, how are you going to handle the mono compiler option that you have to enable to make TLS 1.2 actually work in builds?

    Is it just going to be on by default?
     
  8. GordonM

    Joined: Nov 13, 2015. Posts: 33
  9. kerede

    Joined: Apr 3, 2013. Posts: 9
    I'm really curious about this as well. We're building an extension that utilizes IBM Watson, and they are disabling TLS 1.0 and 1.1 support in March 2018: https://console.bluemix.net/docs/troubleshoot/appsectls.html#tlssupportwithdraw

    So, we need TLS 1.2! It sounds like this might not be built into mono by that date. I'm curious about the possibility of using UnityWebRequest to gain 1.2 support, does that really work? Our platforms are Mac/Windows desktop, iOS, Android, and Hololens.
     
  10. hyphenbash

    Joined: Dec 31, 2018. Posts: 20
    Last edited: Sep 11, 2019
  11. joncham

    Unity Technologies
    Joined: Dec 1, 2011. Posts: 276
    There are no current plans for when this would be shipped or supported from within Unity.
     
  12. Xenor

    Joined: May 11, 2014. Posts: 1
    Hi!
    Do you have a plan when TLS 1.3 will be supported?
     
  13. LT23Live

    Joined: Jul 8, 2014. Posts: 98
    TLS 1.2 not working when using a SmtpClient. Unity 2020.3.26 LTS
     
  14. tkslan

    Joined: Sep 30, 2016. Posts: 28
    @joncham any updates on SmtpClient, we have a problem with email transfers, seems like UnityWebRequest is modernized using curl, but smtp is still mono implementation...
     
  15. JoshPeterson

    Unity Technologies
    Joined: Jul 21, 2014. Posts: 6,935
    I don't believe we have any plans to change the behavior here in Unity. Although I'm also not entirely clear on the problem any more. Can you elaborate on the current details and state of the issue?
     
  16. tkslan

    Joined: Sep 30, 2016. Posts: 28
    Hi again, we have an app that sends emails to various clients with their email accounts. Now we have a problem with modern authentication support... Lately we found a solution commented in the mono/SmtpClient.cs file :) -- to use the modern dotnet SmtpClient from MailKit...
     
  17. MrG

    Joined: Oct 6, 2012. Posts: 368
    We have an app that uses UnityWebRequest to call netlify.com that apparently requires TLS 1.3 and Unity 2020.3.29 is failing with 400 Bad Request.

    Is Unity still not supporting TLS 1.3 ???
     
  18. utkuolcar

    Joined: Feb 23, 2017. Posts: 1
    We use "SmtpClient" to send an e-mail over "smtp.office365.com". Microsoft supports only the TLS 1.2 protocol, so we get this error:
    "
    TLS 1.0 and 1.1 are not supported. Please upgrade/update your client to support TLS 1.2. Visit https://aka.ms/smtp_auth_tls. [AM6P191CA0055.EURP191.PROD.OUTLOOK.COM]
    "
    I even added this line to change the security protocol, but no chance:

    Code (CSharp):
    System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
    Unity should solve this problem at some point @JoshPeterson, shouldn't it? :)

    The sample code:

    Code (CSharp):
    using System.Net;
    using System.Net.Mail;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;

    MailMessage mail = new MailMessage(senderMailaddress, mailAddressToSend);
    mail.Subject = mailSubject;
    mail.Body = mailBody;

    // Request TLS 1.2 for connections made through ServicePointManager.
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

    SmtpClient client = new SmtpClient(senderSmtpHost, senderSmtpPort)
    {
        UseDefaultCredentials = false,
        Credentials = new NetworkCredential(senderMailaddress, senderPassword),
        EnableSsl = true,
        DeliveryMethod = SmtpDeliveryMethod.Network,
    };

    // This callback accepts every server certificate, so the server's identity is not verified.
    ServicePointManager.ServerCertificateValidationCallback =
        delegate (object s, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
        { return true; };

    client.Send(mail);
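
A stand-alone check for the failure reported above, added here as an example and not code from the thread or from Unity: it performs the SMTP STARTTLS upgrade by hand and returns the TLS version the runtime actually negotiates, with certificate validation left at its default. The host comes from the post; port 587, the EHLO name and the class name SmtpTlsProbe are assumptions.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Text;

// Added diagnostic, not code from the thread. Port 587 and the EHLO name are assumptions.
static class SmtpTlsProbe
{
    // Returns the TLS version negotiated after STARTTLS, or throws if TLS 1.2 cannot be agreed.
    public static SslProtocols Probe(string host, int port)
    {
        using (var tcp = new TcpClient(host, port))
        {
            var net = tcp.GetStream();
            var reader = new StreamReader(net, Encoding.ASCII);
            var writer = new StreamWriter(net, Encoding.ASCII) { NewLine = "\r\n", AutoFlush = true };

            ReadReply(reader, "220");                    // server greeting
            writer.WriteLine("EHLO tls-probe.invalid");  // constructed client name
            ReadReply(reader, "250");                    // capability list (multi-line)
            writer.WriteLine("STARTTLS");
            ReadReply(reader, "220");                    // server is ready for the handshake

            // No validation callback is supplied, so the default chain and host-name
            // checks apply; an untrusted certificate throws AuthenticationException.
            using (var ssl = new SslStream(net, false))
            {
                ssl.AuthenticateAsClient(host, null, SslProtocols.Tls12, false);
                return ssl.SslProtocol;
            }
        }
    }

    // Reads one SMTP reply, including "250-" continuation lines, and checks its code.
    static void ReadReply(StreamReader reader, string expected)
    {
        string line;
        do
        {
            line = reader.ReadLine();
            if (line == null || !line.StartsWith(expected, StringComparison.Ordinal))
                throw new IOException("Unexpected SMTP reply: " + (line ?? "<connection closed>"));
        } while (line.Length > 3 && line[3] == '-');
    }

    static void Main() { Console.WriteLine("Negotiated: " + Probe("smtp.office365.com", 587)); }
}
```

If this succeeds in a stand-alone .NET runtime but throws inside the Unity player, the difference lies in the player's TLS stack rather than in the calling code.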
     
  19. JoshPeterson

    Unity Technologies
    Joined: Jul 21, 2014. Posts: 6,935
    That error message looks odd, because Unity should support TLS 1.2 properly. Can you submit a bug report for this issue? We will investigate it.

    https://unity3d.com/unity/qa/bug-reporting
     
  20. unity_PgkMp2CPTTBXtA

    Joined: Nov 12, 2018. Posts: 1
    @JoshPeterson
    This issue was tracked to the following link:
    https://issuetracker.unity3d.com/is...s-throw-when-sending-an-email-with-smtpclient

    More discussion about this issue:
    https://forum.unity.com/threads/tls...pdate-your-client-to-support-tls-1-2.1210347/

    Since Smtp isn't recommended for use by Microsoft:
    https://docs.microsoft.com/en-us/dotnet/api/system.net.mail.smtpclient?view=net-6.0#remarks
    I'm also facing the issue, so I've tried installing another library, MailKit, following this instruction:
    https://docs.microsoft.com/en-us/vi...19#add-packages-from-nuget-to-a-unity-project
    The assembly could not be loaded. So, I planned to temporarily use a Node.js server to provide email sending.
    Do you have any suggestions for a long-term solution to this issue (email sending error caused by TLS)?
    1. Wait for Unity to fix the issue
    2. Try using other libraries such as MailKit (if you recommend this way, could you explain how to import other libraries in Unity?)
     
  21. JoshPeterson

    Unity Technologies
    Joined: Jul 21, 2014. Posts: 6,935
    It looks like we have a fix now for this bug report, so it should be corrected in Unity patch releases soon.

    Regarding Mailkit, I don't know enough about it to speak specifically. In general, you can use managed assemblies with Unity though. The documentation for that feature is here: https://docs.unity3d.com/Manual/UsingDLL.html
     