
UnityWebRequest - Unable to complete SSL connection

Discussion in 'Editor & General Support' started by TitanUnity, Oct 8, 2018.

  1. TitanUnity

    TitanUnity

    Joined:
    May 15, 2014
    Posts:
    180
    Hi,

    Our team noticed occasional reports of users being unable to communicate with our web service over https.

    After seeing occasional reports from players being unable to connect to our game, we built a system that captures the error event when it occurs and gives us a bit more context about the error. To our surprise we found that the issue happens hundreds of times each day for over 200 unique users.

    The specific error message we see is: "Unable to complete SSL connection"

    Specifically, this error occurs for a limited set of users when we make calls like the one below. For the vast majority of our users, including ALL of our in-house staff, we're unable to recreate this problem and everything works fine. But for over 200 unique users each day we get lots of reports of "Unable to complete SSL connection" which fires as a part of an isNetworkError response:

    Code (CSharp):
    // Requires: using System.Collections; using UnityEngine.Networking;
    // "form" is the POST payload, built elsewhere by the caller.
    UnityWebRequest www = UnityWebRequest.Post("https://www.oursite.com/example", form);
    StartCoroutine(WaitForRequestLoad(www));

    private IEnumerator WaitForRequestLoad(UnityWebRequest www)
    {
        // Dispose the request once the coroutine has finished with it.
        using (www)
        {
            yield return www.SendWebRequest();
            if (www.isHttpError)
            {
                // HttpError
            }
            else if (www.isNetworkError)
            {
                // THIS IS WHERE THE PROBLEM OCCURS
                // www.error = "Unable to complete SSL connection"
            }
            else if (www.error != null)
            {
                // Double check no error messages
            }
            else
            {
                // EVERYTHING WORKS FINE, PROCEED NORMALLY
            }
        }
    }

    We've seen this problem across many similar calls in our game, including plenty of WebAPI calls and AssetBundle loads using UnityWebRequestAssetBundle.GetAssetBundle().

    We've found this to be a problem for users across platforms including Android, iOS, and Standalone builds of our game. We've checked our SSL configuration on the server and things look ok. Given that we cannot recreate the problem in-house it's difficult to troubleshoot for users. We've reached out to several of these users and haven't been able to arrive at a conclusion why they're having issues. For a while now we've blamed their local ISP or local configurations, but it now seems like there are too many reports for this to make sense.

    It would be super helpful if we could get some information on what is happening behind the scenes when calling UnityWebRequest.Post() that could result in the SSL error we're seeing. Any information about this would help us troubleshoot if there is something wrong on our end or a problem with the editor.

    The one interesting point is that ALL of the users that have reported this issue have confirmed that they can successfully access the same URL from a web browser on the same device. This made us think that maybe something was wrong at the Unity level.
     
    Energy0124 and YujenDev like this.
  2. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    3,732
    Which Unity version are you on? Sounds like something fairly recent.
    One reason for this failure is an out-of-date root certificate store on the user's system, which may not have a root certificate for your site certificate.

    A way to mitigate this issue is to attach a custom certificate handler to UnityWebRequest and manually validate the certificate; that way you would not depend on the user's system being up to date.

    Otherwise you need to collect more data to find out a pattern for this failure. Which TLS version are you using for your site, what OS versions do users with failures use, which regions are they from etc.
     
    Alex_Gustav likes this.
  3. TitanUnity

    TitanUnity

    Joined:
    May 15, 2014
    Posts:
    180
    Hey, we've been seeing this issue for a while now, but our most recent client is actually built with Unity 2018.2.11f1, just pushed out yesterday, and we already have over 100 unique users with error reports containing some form of "Unable to complete SSL connection"

    We've collected extensive information about these errors. To temporarily reduce the problem we are now using http for our PC / OSX standalone clients and of course the SSL errors have gone away on those platforms. But the errors remain for Android primarily since that's where the vast majority of our users play:

    Here is the information we know from users playing from yesterday (10-8-2018) and today (10-9-2018):

    Top 20 Device Types of users with SSL problems:
    Top20_Devices.JPG

    Top 20 Operating Systems of users with SSL problems:
    (You'll see a small number of Windows platforms here as we still require SSL for any login related requests.)
    Top20_OS.JPG

    Top 20 Countries of users with SSL problems:
    Top20_Country.JPG

    I'll post more details about our SSL config shortly..
     
    Last edited: Oct 9, 2018
    Energy0124 likes this.
  4. TitanUnity

    TitanUnity

    Joined:
    May 15, 2014
    Posts:
    180
    Our servers and Cloudflare are setup to support TLS 1.0, 1.1, 1.2
    We had TLS 1.3 enabled, but recently disabled it with no change.
     
  5. TitanUnity

    TitanUnity

    Joined:
    May 15, 2014
    Posts:
    180
    Also, we're really confused why users in a web browser on the same device are able to access the same Web api urls successfully, but these fail in Unity. Is there something different about the UnityWebRequest implementation?

    What's making this tough is that we don't really understand what is happening under the hood within the UnityWebRequest.

    I'm looking into certificateHandler stuff now, but not fully understanding what that is doing compared to what Unity would do without a certificateHandler. Can you explain the difference between using a certificateHandler and not (the default behavior?)

    Specifically, what does Unity do by default to determine if the certificate is not valid? I noticed if I write my own certificate handler and return false, I can recreate the "Unable to complete SSL connection." It would be helpful to know what Unity is doing when no certificate handler is present.
    Error.JPG
     
    Last edited: Oct 9, 2018
    IOU_RAY likes this.
  6. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    3,732
    Sounds like a bug on our side then. We validate certificates against the system root certificate store. Can you report a bug to us?

    By attaching the CertificateHandler you bypass the built-in certificate checking completely and take over control. By returning true or false from the handler you tell whether you trust the certificate or not. You get the certificate as an argument, so you can validate it if it is yours.
     
  7. TitanUnity

    TitanUnity

    Joined:
    May 15, 2014
    Posts:
    180
  8. TitanUnity

    TitanUnity

    Joined:
    May 15, 2014
    Posts:
    180
    Any updates on this issue? Our team is a little bit confused about the purpose of the custom certificate handler. Why would we want to override the system's default certificate verification process? I was able to implement this based on the examples in the documentation where a simple comparison is made between public keys, but we're not understanding how this can be applied in our case to ensure security... it feels like we're just bypassing the security measures of SSL. Is there something we're not fully understanding?

    Also, would using a custom certificate handler be compliant with the iOS requirement that all communication is completed via https?
     
    Last edited: Oct 16, 2018
  9. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    3,732
    Our QA is still working on trying to reproduce it.
    The custom certificate handler does not necessarily break security, though it can if not coded properly. The certificates are for establishing trust between the app and the server; using certificates, the app can ensure the server it has connected to is what it claims to be.
    The normal process is for servers to use certificates issued by trusted authorities, while the root certificates are present on the system (installed along with OS/browser). The trust is established by validating a chain of certificates, where the later certificate signs the previous one. The end of the chain is signed by a root certificate that is supposed to be present on the system and that way gives a separate validation. If this validation process fails, it means that either you have connected to the wrong server that cannot be trusted (or something untrusted in between tries to do a dirty job), or data corruption occurred during communication - these two are proper failures, the connection is actually insecure. Another failure is for the chain to be signed by a root certificate that is not present in the system store (untrusted root), so the connection cannot be trusted. This can be because the system store is out of date (installing updates might update the root certificate store), the root certificate has been revoked (i.e. the given certificate issuer was badly hacked and had to reissue all certificates) or the certificate issuer proved itself to be not trustworthy and got kicked by OSes.
    By using a custom certificate handler you take control into your own hands. You can have your own certificate in your app and compare it with what the server gives. If they match, the trust is established. This way you make your own certificate a trusted root. This also enables use of self-signed certificates (issued by yourself, not by an external issuer organisation). The downside is that if your own validation is coded incorrectly, you can trust the bad guys and/or not trust the good guys. Also, if you ever change your certificate (i.e. it expires), you have to update your app and only the updated app will be able to connect to your server.

    Hope that's clear enough :)
     
    Enish_Info likes this.
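
The handler described in the post above, as an added example that is not part of the original thread or Unity's own code: it pins the SHA-256 of the server's public key rather than comparing whole certificates, so a renewed certificate that keeps the same key pair still validates. The class names and the two pin strings are placeholders (assumptions); the URL is the one from the first post.

```csharp
using System;
using System.Collections;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using UnityEngine;
using UnityEngine.Networking;

// Replaces Unity's built-in check against the system root store with a
// public-key pin. Pinning the key (not the whole certificate) lets a renewed
// certificate validate as long as the server keeps the same key pair.
public sealed class PinnedKeyCertificateHandler : CertificateHandler
{
    // Placeholder values (assumption): base64 SHA-256 of the bytes returned by
    // X509Certificate2.GetPublicKey(). Ship the live key plus a backup key so
    // a key rotation does not lock out clients that have not updated yet.
    private static readonly string[] PinnedKeyHashes =
    {
        "<BASE64-SHA256-OF-CURRENT-PUBLIC-KEY>",
        "<BASE64-SHA256-OF-BACKUP-PUBLIC-KEY>",
    };

    protected override bool ValidateCertificate(byte[] certificateData)
    {
        try
        {
            // certificateData holds the certificate presented by the server.
            var certificate = new X509Certificate2(certificateData);

            // The built-in validation is bypassed, so check expiry ourselves.
            DateTime now = DateTime.Now; // NotBefore/NotAfter are local time
            if (now < certificate.NotBefore || now > certificate.NotAfter)
            {
                Debug.LogWarning("TLS pin check: certificate outside validity period");
                return false;
            }

            string presented = HashPublicKey(certificate);
            foreach (string pin in PinnedKeyHashes)
            {
                if (string.Equals(pin, presented, StringComparison.Ordinal))
                    return true;
            }
            Debug.LogWarning("TLS pin check: unknown public key " + presented);
            return false;
        }
        catch (Exception e)
        {
            // Unparseable data is treated as untrusted: fail closed.
            Debug.LogWarning("TLS pin check: " + e.Message);
            return false;
        }
    }

    // Also usable offline to compute the pin strings from a certificate file.
    public static string HashPublicKey(X509Certificate2 certificate)
    {
        using (SHA256 sha = SHA256.Create())
        {
            return Convert.ToBase64String(sha.ComputeHash(certificate.GetPublicKey()));
        }
    }
}

public class PinnedRequestExample : MonoBehaviour
{
    private IEnumerator Start()
    {
        using (UnityWebRequest www = UnityWebRequest.Get("https://www.oursite.com/example"))
        {
            www.certificateHandler = new PinnedKeyCertificateHandler();
            yield return www.SendWebRequest();

            if (www.isNetworkError || www.isHttpError)
                Debug.LogWarning("Request failed: " + www.error);
            else
                Debug.Log("Response length: " + www.downloadHandler.text.Length);
        }
    }
}
```

A handler that returns true unconditionally, as tried elsewhere in this thread for diagnosis, accepts any server and removes the authentication that TLS provides; it belongs only in a throwaway test build.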
  10. Aaron_Wacker

    Aaron_Wacker

    Joined:
    Oct 24, 2015
    Posts:
    4
    I have the same issue unfortunately. My build from earlier this year works fine (2018.1.6.52276) with no SSL issue. My current build however, after having an updated Unity version (using 2018.2.2.36079), always has the error. This occurs on the same machine. I'm thinking it is either how the build is being done with settings, or a difference in cert handling (maybe I need to refresh tokens in my new build?) - anyway, let me know if you find a solution.
     
  11. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    3,732
    Which platform is this on? If it's Editor/Standalone, then the difference is that in 2018.1 all certificates were trusted and you would only get SSL errors for invalid stuff. Since 2018.2 we properly support SSL and do check if certificates are valid.
    On iOS and Android we had proper SSL support even before 2018.2.
     
  12. Johste

    Johste

    Joined:
    Jul 12, 2014
    Posts:
    18
    My team and I have the same issue, consistent with everything mentioned by TitanUnity. Our game is running on 2017.4.14f and the majority of customers having this issue seem to be running Android. A few have reported that the issue suddenly fixed itself overnight, but that does not seem to be the case for all.

    I'll report back if we find any new leads not already mentioned.
     
  13. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    3,732
    So far we've seen such an issue on Android and the cause seems to be connection loss at the time the TLS connection is being established. Perhaps you can check your server logs to see if that is the case?
     
  14. TitanUnity

    TitanUnity

    Joined:
    May 15, 2014
    Posts:
    180
    Here is an update on this issue from our team. I was able to get in direct contact with a few players that are actively experiencing the issue 'Unable to complete SSL connection' during various loads our client makes. We tried a custom certificate handler and found that unfortunately that did not work for these users either.

    Interesting, I decided to build a custom client where the certificate handler always passes true (figuring that it would certainly work for these users as a temporary solution)... but oddly even this fails when these users attempt basic data loads over https.

    And this isn't coming from a small number; as I reported earlier, we have hundreds of unique users each day that encounter some flavor of SSL error.

    Figured I would share as we continue to investigate this problem.
     
  15. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    3,732
    A custom certificate handler can only help if the root certificate is not trusted by the device. It will not help in other cases, such as the certificate being invalid, encryption not passing or simply losing the connection right at the time when the TLS connection is being established. The cases we were able to reproduce were the last one.
     
    EirikWahl likes this.
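
To tell the failure cases listed above apart on an affected machine, the following added example (not from the thread or from Unity) performs one TLS handshake with plain .NET classes and records the policy errors and chain status while keeping the platform's own verdict. The class name TlsProbe and the default host are assumptions; whether the chain details are populated inside a Unity player depends on its TLS backend.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class TlsProbe
{
    // Performs a single handshake and returns a text report that can be
    // attached to the client's error event.
    public static string Probe(string host, int port = 443)
    {
        var report = new StringBuilder();
        report.AppendLine("probe " + host + ":" + port + " at " + DateTime.UtcNow.ToString("o"));
        try
        {
            using (var tcp = new TcpClient())
            {
                tcp.Connect(host, port);
                RemoteCertificateValidationCallback callback =
                    (sender, cert, chain, errors) =>
                    {
                        Describe(report, cert, chain, errors);
                        // Keep the platform's decision: this probe only observes.
                        return errors == SslPolicyErrors.None;
                    };
                using (var ssl = new SslStream(tcp.GetStream(), false, callback))
                {
                    ssl.AuthenticateAsClient(host);
                    report.AppendLine("handshake ok, protocol=" + ssl.SslProtocol);
                }
            }
        }
        catch (AuthenticationException e)
        {
            // Certificate rejected (untrusted root, name mismatch, expired, ...).
            report.AppendLine("certificate rejected: " + e.Message);
        }
        catch (IOException e)
        {
            // Connection closed or reset while the handshake was in progress.
            report.AppendLine("connection lost during handshake: " + e.Message);
        }
        catch (SocketException e)
        {
            // Failure before TLS started (DNS, refused, timed out).
            report.AppendLine("tcp connect failed: " + e.SocketErrorCode);
        }
        return report.ToString();
    }

    private static void Describe(StringBuilder report, X509Certificate cert,
                                 X509Chain chain, SslPolicyErrors errors)
    {
        report.AppendLine("policy errors: " + errors);
        if (cert != null)
            report.AppendLine("leaf: " + cert.Subject + " | issuer: " + cert.Issuer);
        if (chain == null)
            return;

        foreach (X509ChainElement element in chain.ChainElements)
            report.AppendLine("  chain element: " + element.Certificate.Subject);

        // UntrustedRoot or PartialChain here means the device's store lacks
        // the root (or an intermediate) for this server's certificate.
        foreach (X509ChainStatus status in chain.ChainStatus)
            report.AppendLine("  chain status: " + status.Status + " " + status.StatusInformation.Trim());
    }

    public static void Main(string[] args)
    {
        // Default host is the placeholder from the first post (assumption).
        string host = args.Length > 0 ? args[0] : "www.oursite.com";
        Console.Write(Probe(host));
    }
}
```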
  16. TitanUnity

    TitanUnity

    Joined:
    May 15, 2014
    Posts:
    180
    Hmmm, it just seems like too many users to be simply a connection loss issue. Over 100 unique users a day encountering these problems. Running out of ideas to try here..

    To be clear, these users confirm successfully playing other games, streaming videos, browsing the web and generally not having issues.
     
  17. TitanUnity

    TitanUnity

    Joined:
    May 15, 2014
    Posts:
    180
    We actually have a user right now that can get this error every single time. I had the user manually try to load the same calls from his browser on his Android device and all the calls work ok. When he attempts to make the same calls from the Unity client, they fail with an SSL error.

    More and more this seems like a Unity implementation issue.
     
    Last edited: Nov 19, 2018
    VincentZhou1988 and Energy0124 like this.
  18. TitanUnity

    TitanUnity

    Joined:
    May 15, 2014
    Posts:
    180
    Here is a summary of information we've gathered from one of our players that is experiencing the 'Unable to complete SSL connection' error every time on Android with our client built with Unity 2018.2.15f1:

    - UnityWebRequest fails every time with 'Unable to complete SSL connection'
    - User reinstalled app, no luck
    - User confirmed no 3rd-party modifications or OS changes running
    - User updated Android OS, no luck
    - We tried a custom certificate handler that passes true every time with no luck
    - User can successfully make both GET and POST requests from their browser to multiple endpoints on our network
    (confirming the user is not blocked by CloudFlare)
    - User confirmed multiple successful hits to the same Web API via browser from the same Android device

    Here is the unusual part:
    - This user was able to create a wifi hotspot with their phone using the same mobile data network at the same location and connect to our game successfully using our Steam PC client with no issues. (They connect the PC client to the phone's hotspot network)

    But, to be clear, we have a variety of users experiencing this problem across all platforms including over 100 unique users today already 11/20/2018 at 9:30am, including on Android, PC, and iOS. The only common theme we've found among reports is that SSL communication fails within Unity but 100% of users we've contacted are able to connect to the same https endpoint via their browser with no problems.

    We could definitely use additional help on this as we're running out of things to try.
     
  19. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    3,732
    It would really help to check the server side logs. Which TLS version is being used, what kind of failure is seen on the server side etc.
    Another alternative is to make a simple Android Java app that would connect to the same endpoint using URL.openConnection(), which is what Unity uses under the hood on Android. Catching exceptions and logging them might reveal what's happening.
     
  20. TitanUnity

    TitanUnity

    Joined:
    May 15, 2014
    Posts:
    180
    I'll look further into those avenues, but this user claims the problem started when we launched our most recent version live on Monday this week (our first live client built with 2018.2.15f1). However, we have had this issue for many months now and many have reported the same problem on 2018.2.6f1 so it may be unrelated.
     
  21. DanielLinderSG

    DanielLinderSG

    Joined:
    Aug 17, 2017
    Posts:
    4
    Hi, I have had the same friggin issue as you. I don't want to know how much time I spent searching for answers regarding this. I managed to solve this by changing:
    UnityWebRequest www = new UnityWebRequest("https://pathToYourAsset");
    to ->
    UnityWebRequest www = UnityWebRequest.Get("https://pathToYourAsset");

    Why that worked and the default doesn't, I have no idea...

    Then when the www gives me a response, I use this:
    AssetBundle bundle = AssetBundle.LoadFromMemory(www.downloadHandler.data);

    To get the asset bundle.

    Maybe this can help you Unity guys to try and pinpoint the issue or maybe this helps someone with similar issue as I have had.
     
  22. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    3,732
    Thanks for trying to help, but that looks extremely unlikely. Probably just a coincidence or pure timing luck.
    DownloadHandler deals with incoming data and an SSL error means that either the secure connection was not established (which is way before the data started to come in) or there was a security issue during download (again, nothing to do with handling data) or the connection was lost at a particular time leading to a security error. The last part can be affected by the download handler's performance: Get() assigns DownloadHandlerBuffer, which stores downloaded data in memory and is the fastest download handler, so it might reduce the probability of connection loss, but certainly doesn't solve it.
     
  23. DanielLinderSG

    DanielLinderSG

    Joined:
    Aug 17, 2017
    Posts:
    4
    Oh ok :)
    Well, it's very strange that even with a new project where I type in the same, I get the same result.
    In any case, hope you find this bug!
     
  24. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    3,732
    Can I get such a sample project for investigation?
     
  25. DanielLinderSG

    DanielLinderSG

    Joined:
    Aug 17, 2017
    Posts:
    4
    Bah, I was making a small project yesterday with the code and suddenly the connection worked regardless of the .GET or not... so it wasn't this as you suspected. Sorry to have wasted your time :(
     
  26. Exanis

    Exanis

    Joined:
    May 30, 2013
    Posts:
    2
    Hello,

    I happen to have the same bug (Unable to complete SSL connection). I have an API that should be contacted by my game (currently running only in the editor) and the error pops up every time I try to connect.

    I may have an idea of what is causing the problem: being in an early dev phase, my website uses a certificate from Let's Encrypt; those are recognized by my browser (and by most, if not all, browsers out there), but may or may not be installed in the computer's store? I did however manually install them with no luck - I didn't fully restart the computer after installing, however, so I still have a tiny hope...

    I can provide any needed log (or even access to the server itself, since it's basically empty anyway). I would also love to try any other method to connect if needed to help debug this.

    Thank you!
     
  27. Exanis

    Exanis

    Joined:
    May 30, 2013
    Posts:
    2
    Update from yesterday's message: After rebooting my computer (and manually installing Let's Encrypt's certificate in my computer's store), I no longer face this error. I guess this may be a hint that the initial hypothesis was valid? Some SSL certifiers may be absent from the phone / computer store, even if present in the browsers' one, and as such they may not be recognized by Unity even if they work from a browser, giving the symptoms that were described?
     
  28. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    3,732
    That is most likely the case. Unity pulls certificates from the system store and some browsers do have their own certificate stores.
     
    Energy0124 likes this.
  29. TitanUnity

    TitanUnity

    Joined:
    May 15, 2014
    Posts:
    180
    Hi Exanis,

    We also have used Let's Encrypt but can you elaborate more specifically about manually installing the certificate in your computer's store? This may help our users with this SSL problem.
     
  30. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    3,732
    It would be easier to include the certificate in your app (like a byte array in code containing the DER bytes) and then write your own CertificateHandler to compare the certificates in the chain against your certificate.
     
  31. ErwinTerpstra

    ErwinTerpstra

    Joined:
    Sep 29, 2015
    Posts:
    4
    We are experiencing the same problem with Unity 2018.2.2f1 on Android with a Samsung Galaxy Tab III, other devices just work fine. Our server uses a Let's Encrypt certificate as well. I also tried adding a CertificateHandler that always passes validation to test if it can be related to the certifier not being in the system store, but that doesn't change anything.

    We offer TLS 1.2 by default but also support TLS 1.0. The server is running nginx 1.13.3. Let me know if there is any more information that can help solve this problem.
     
  32. unity_QBcwkEg8dONugg

    unity_QBcwkEg8dONugg

    Joined:
    Jan 4, 2019
    Posts:
    1
    Hello everyone,

    We have also been experiencing problems when connecting to certain endpoints. I've pinpointed our problem to a very narrow issue. We mostly had this with brand new Windows installations. Explanation below:

    The problem lies within the (Root)Certificate store of the device and the way Unity handles its certificates:
    - A new device with a fresh Windows installation will have 18 Root certificates (for our devices, amount may differ per installation). After connecting to the internet it will have 20.
    - If a browser navigates to a website with an unknown Root certificate, but the certificate is valid, the certificate is added to the device's store.
    - If Unity connects to an URL, it will validate the certificate, including the Root certificate, against the device's store. That means that if the device is missing the Root certificate from the URL, it will fail and throw an 'unable to complete ssl connection'. It will not add the certificate to the device's store.

    So the above means that we can not connect new devices to a URL which has a Root certificate that is not in the device's store.
    Our login uses a certificate from Let's Encrypt -> DST.
    Another project of ours uses Global Sign as Root.
    When opening our Unity application we open a browser window where the user can log in to our SSO. Our SSO uses the Let's Encrypt (DST) certificate. The SSO opens in the browser and thus the Root certificate will be added to the device's store. Any connection made to an URL using DST will now succeed.
    After that, a connection to our API project will be made using credentials obtained from the SSO. Our API uses a certificate with Global Sign as Root, but the Global Sign certificate will be missing because we have not yet visited any site that uses Global Sign in a browser and the certificate is not in the device's store by default.
    If you navigate the browser to an URL of the API that is publicly accessible (or any url with Global Sign as Root), the certificate will be available and the connection will from then on succeed.

    I have attached 2 images. The first is an image showing the Root certificates for a device that has been active for about 10 minutes. The second shows the certificates for a device that has been used for a longer time and has already visited and thus stored the Root certificates as I've explained.

    root_certificates_fresh.png
    root_certificates_existing_device.png

    I hope you can use this explanation to reproduce and/or fix the error.

    For now we have added an AJAX call from our SSO page to our API project so the Global Sign certificate will also be added to the device's store, but this is a hack and is not a sustainable solution.
     
  33. Roywise

    Roywise

    Joined:
    Jun 1, 2017
    Posts:
    68
    @Aurimas-Cernius, do you know whether Unity is working on something that would fix what unity_QBcwkEg8dONugg found (post above)?
     
  34. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    3,732
    We will look into it.
    However, failing when root certificate is not present in the store is actually a correct thing to do - that's how secure connections are supposed to work. I don't see a mention of a browser used, but I would expect that browser to take some extra steps to ensure the certificate is a trusted one. Just because certificate is valid does not mean the site can be trusted.
     
  35. delphinius81

    delphinius81

    Joined:
    Mar 6, 2012
    Posts:
    57
    We had a similar issue using UnityWebRequests in a UWP environment (HoloLens). We connect our HoloLens application to a medical simulator that uses a private, company-wide root certificate. There were two things that we ended up having to do:

    1) Check if the certificate was already installed on the device's store, and if not, install it via the X509Store / X509Certificate2 commands. We include a copy of the certificate with our application. We then check the certificate data returned from ValidateCertificate against known quantities. This allows our connection to work fine when running from the Unity editor or in a Windows Desktop build.

    2) However, in an IL2CPP UWP environment, we use HTTPRequestMessage instead of UnityWebRequest, as UnityWebRequest still doesn't work after doing certificate installs / manual certificate checking. We continue to see SSL related errors.

    This issue has existed from 18.1 through current 18.3 releases.
     
    carldevelopsforcoffee likes this.
  36. Roywise

    Roywise

    Joined:
    Jun 1, 2017
    Posts:
    68
    This is good to know because our main focus is currently on UWP with the IL2CPP Scripting Backend. Have you tried this in the 2019.1 alpha of Unity?
     
  37. newlife

    newlife

    Joined:
    Jan 20, 2010
    Posts:
    1,080
    Hello, we are facing the same issue with unity 2018.2 with both legacy WWW class and the new UnityWebRequest class.
    Everything seems to work in both the editor and the Android devices we tested, while it always fails on all ios devices we tested.
    We don't have access to the server because we are making a request to http://www.geonames.org/countrycode to retrieve the country code of the user.
    Using a non secure connection (http://www.geonames.org/countrycode) it gives
    Unknown error

    Using secure connection (https://www.geonames.org/countrycode) it gives
    Unable to complete SSL connection error

    Again, both in editor and on all Android devices it works like expected.
    With the previous version, made with Unity 5.6, everything worked both on Android and on ios.
    Is there a way to make something basic like a simple http request work on all devices?
    Please advise.
     
  38. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    3,732
    You can partially debug this. In the exported XCode project go to WWWConnection.mm file - this is the backend for UnityWebRequest. Search the file for "challenge" and you'll get to the code that deals with certificates.
    Please let me know your findings, because this shouldn't fail.
     
  39. newlife

    newlife

    Joined:
    Jan 20, 2010
    Posts:
    1,080
    We don't have access to the Xcode project because we are using cloud build. Anyway, this is a known bug; it has been here for at least a year.
    You can test it by yourself by calling geonames.org using secure and non secure connection.
    In both cases, on ios devices (at least the ones we tested) it fails.
    In the editor and on android devices (at least the ones we tested) it succeeded.
    Compare to Unity 5.6 where, in our experience, everything worked like expected.

    Anyway, since we have already wasted enough time trying to debug Unity, we decided to move to an alternative way (using the HttpWebRequest class) as suggested here https://stackoverflow.com/questions/4015324/how-to-make-http-post-web-request#4015346. Keep in mind that this is an old class and Microsoft doesn't recommend using it (it recommends the System.Net.Http.HttpClient class, which requires .NET 4.5), so there can be some problems with secure connections.
     
    GeoCats likes this.
  40. newlife

    newlife

    Joined:
    Jan 20, 2010
    Posts:
    1,080
    As an example, this is the exception fired when trying to get response from https://www.geonames.org/ (secure connection) from unity editor and from an android device using HttpWebRequest class:

    TlsException: Invalid certificate received from server. Error code: 0xffffffff800b010a
    Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.validateCertificates (Mono.Security.X509.X509CertificateCollection certificates)
    Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.ProcessAsTls1 ()
    Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process ()
    (wrapper remoting-invoke-with-check) Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process ()
    Mono.Security.Protocol.Tls.ClientRecordProtocol.ProcessHandshakeMessage (Mono.Security.Protocol.Tls.TlsStream handMsg)
    Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult)
    Rethrow as IOException: The authentication or decryption has failed.
    Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult)
    Rethrow as WebException: Error getting response stream (Write: The authentication or decryption has failed.): SendFailure
    System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult)
    System.Net.HttpWebRequest.GetResponse ()


    Strangely enough, it works perfectly on ios device.
     
  41. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    3,732
    Does it work on Unity 5.6 or did it work?
    Examining the URL in Firefox I see the site uses TLS 1.2. If it doesn't provide lower version, then we only support it since 2018.3 (IIRC).
     
  42. newlife

    newlife

    Joined:
    Jan 20, 2010
    Posts:
    1,080
    It works, because the published version of our app was built with Unity 5.6 and everything works as expected.
    The site (www.geonames.org/) supports TLS 1.0, 1.1 and 1.2 as you can check here http://ssl-checker.online-domain-tools.com/. Anyway, I really can't understand why Unity should support such a basic feature only since 18.3. This is a bug, period.
    Not only that, the site also supports non-secure connections and, as I stated before, the call always fails with "Unknown error".
     
  43. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    3,732
    Could you report this bug?
     
  44. newlife

    newlife

    Joined:
    Jan 20, 2010
    Posts:
    1,080
    I just realized that our project uses .NET 3.5 Equivalent as the scripting runtime version instead of .NET 4.0 Equivalent.
    Can this cause this issue?
     
  45. SunnyChow

    SunnyChow

    Joined:
    Jun 6, 2013
    Posts:
    360
  46. cybergaston007

    cybergaston007

    Joined:
    Jun 21, 2017
    Posts:
    7
    Hello,

    After reading this whole thread, I'm unsure if anyone has actually managed to solve this big issue.

    I had a project running Unity 2017.4 with .NET3.5, and no user complained.

    Since upgrading to Unity 2018.3 with .NET4.x, I'm getting tons of users that are having these errors.

    Really thinking of rolling everything back now...

    (Connecting to AWS servers)
     
  47. newlife

    newlife

    Joined:
    Jan 20, 2010
    Posts:
    1,080
    Hello cybergaston, which class are you using to make the call? You can fix this by using .Net classes instead of unity one
     
  48. cybergaston007

    cybergaston007

    Joined:
    Jun 21, 2017
    Posts:
    7
    Hi newlife,

    I'm using UnityWebRequest. Basically the exact same code as TitanUnity (first message).
     
  49. newlife

    newlife

    Joined:
    Jan 20, 2010
    Posts:
    1,080
    Hello cybergaston,
    you can use HttpWebRequest class (which is legacy class) or System.Net.Http.HttpClient class which requires .NET 4.5.
    I tested HttpWebRequest and it worked in all cases where both legacy WWW class and the new UnityWebRequest class failed.
    Most probably System.Net.Http.HttpClient will too, and it's surely a better option because it is a more recent implementation.
    We stuck to the old HttpWebRequest class because we are still using .NET 3.5 (due to lower build size, around 10%).
     
  50. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    3,732
    .NET classes and UnityWebRequest share the TLS backend, so it's unlikely for one to work and for other to fail.