HTTPS / TLS 1.2 Support

Discussion in 'Experimental Scripting Previews' started by GordonM, Nov 16, 2017.

  1. GordonM

    The .NET Framework 4.6 upgrade is coming along nicely, I see. I'm using it in production currently and have a few questions about your stances on TLS at Unity.

    I've written this issue up to make it clearer:
    https://nodrogdev.tumblr.com/post/167503665217/tls-12

    We need TLS 1.2 to be available. If it doesn't become available, what should we do when we need to secure our player data in a good way?

    A few assets exist on the Unity Asset Store, but we hesitate to use them because they haven't been properly tested and we value our player information. We don't want to accidentally end up giving hackers something they can use if we use HTTP without TLS.

    Now, you're probably thinking, it's not our job to secure the game. I totally agree. I want to secure our game but literally can't in a tangible way, because of the outdated version of Mono.

    Can you please look into the new version of the Mono runtime? It has working TLS 1.2 for Mac, Linux and Windows, and it would be really awesome of you people to get it working during the .NET runtime upgrade.

    From what I've read it's fairly ready for production use, and I can easily get it audited by professionals at the end of next month if you provide a build with the experimental support, which would save you money down the line.

    Anyway, any information which can be provided would be useful.
     
  2. bddckr

    It's in their plans already:
     
  3. GordonM

    Thank you for the reply.

    I need a time-frame or estimated version when they're going to have it by?

    If they're working on it within the next 3-6 months then it's OK, as we don't launch until at least 3-6 months from now.

    It's really the last bit we need to get the system we have secure. If we don't have it within the 3-6 month mark we will have to implement our own system, probably using libcurl or something.
     
  4. joncham

    Unity Technologies
    We are working on proper TLS 1.2 support in the updated version of Mono we support. I don't have an exact time frame, but likely some support will exist in the 2018.1 release. I am not sure what platforms this will cover.

    I think UnityWebRequest does fully support TLS 1.2, so that may be an option until we ensure the .NET web APIs support it: https://docs.unity3d.com/Manual/UnityWebRequest.html
     
  5. GordonM

    I don't think it does. At least your documentation doesn't state that it does?
     
  6. eriQue

    Unity Technologies
    UnityWebRequest uses the platform SDK/API for http(s)-transfer, where available.
    As such we only "own" the implementation on platforms where no such API exists (specifically the desktop platforms, where the UWR is currently backed by libcurl/OpenSSL - which supports TLS1.2).

    On the platforms we support with a recent (latest?) version of Unity, where UWR/https is also supported generally, TLS1.2 should also be supported (but it's up to the platform's SDK/API to handle that).
     
  7. GordonM

    Yeah, general support would be good. I can't use UWR because we use the same code in other applications which are non-Unity. We link a console app for a server to some of the classes we have in the game, and we only want one file to handle these requests, so that changes are distributed to both applications without causing things to break.

    We use async for our system, and normal System.Net.Http. If we get absolutely stuck against a wall we will use our own implementation of libcurl.

    I'm glad that it is now using the platform implementation in the Mono alpha release, because that really is better than what is currently available.

    TLS 1.3 is being drafted at the moment and due for release by next year apparently, so keep your eyes open for its release please.

    Our dedicated server is extremely stable and announces itself to a matchmaking list etc., but I've disabled HTTPS until we have been deployed a working TLS 1.2 implementation using System.Net.Http in Unity3D.

    Also, how are you going to handle the Mono compiler option that you have to enable to make TLS 1.2 actually work in builds?

    Is it just going to be on by default?
     
  8. GordonM

  9. kerede

    I'm really curious about this as well. We're building an extension that utilizes IBM Watson, and they are disabling TLS 1.0 and 1.1 support in March 2018: https://console.bluemix.net/docs/troubleshoot/appsectls.html#tlssupportwithdraw

    So, we need TLS 1.2! It sounds like this might not be built into Mono by that date. I'm curious about the possibility of using UnityWebRequest to gain 1.2 support; does that really work? Our platforms are Mac/Windows desktop, iOS, Android, and HoloLens.
     
  10. hyphenbash

    Last edited: Sep 11, 2019 at 10:06 AM