UnityWebRequest - Unable to complete SSL connection

Discussion in 'Editor & General Support' started by TitanUnity, Oct 8, 2018.

  1. newlife

    newlife

    Joined:
    Jan 20, 2010
    Posts:
    754
    It's unlikely but it's what's happening. Try for yourself.
     
    unpuzzlebarcelona likes this.
  2. ode1ay

    ode1ay

    Joined:
    Feb 19, 2019
    Posts:
    2
    I'm also experiencing the same problem so I leave a post.
    We use UnityWebRequest(to connect Google Cloud Speech) in UWP(Hololens),
    but we've got the error in unity 2018.2.2.x ("Unable to complete SSL connection"), in unity 2018.3.x("Unknown error").
    Not all Hololens, but some Hololens devices. I don't know the cause.
    After many tests, I've tried it in unity 2018.1.9(using .NET 4.x), and finally it works.
    But for this to work, we have to change our whole environment.
    I would like to know how to solve this problem in Unity 2018.2 and later.
     
    Last edited: Apr 5, 2019
  3. dariuszpietrala

    dariuszpietrala

    Joined:
    Oct 5, 2012
    Posts:
    148
    You can implement a custom certificate validation:
    https://docs.unity3d.com/ScriptReference/Networking.CertificateHandler.ValidateCertificate.html

    Code (CSharp):
    // Runs inside a coroutine (IEnumerator); MyCertificateHandler derives from CertificateHandler.
    UnityWebRequest www = UnityWebRequest.Get(getUrl);
    MyCertificateHandler certificateHandler = new MyCertificateHandler();
    www.certificateHandler = certificateHandler;
    yield return www.SendWebRequest();
    I don't know how it works exactly, but what will happen if the PUB_KEY changes? Can it change when renewed? How does it work? That would mean that it would give the same error as before and the game would have to be updated to work properly.
     
  4. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    2,226
    By default (without a certificate handler) it works like this:
    - Unity pulls a list of trusted root certificates (CA certificates) from the system store
    - Every site that uses a certificate issued by Certificate Authority (CA) that is trusted by the OS vendor will be trusted (assuming up to date OS store)
    - Anything else will not be trusted, you get an error

    By attaching a certificate handler you take the trust establishment into your hands. It is up to you to say whether you trust or not. Normally you would embed your certificate into the app and compare against it. Granted, that means you have to update the app if you change the certificate.
    If you don't want to update app after changing certificate, the only option is to reduce the security with least secure way being to trust all certificates. Somewhat more secure way is to decode the certificate and check whatever parts of it that won't change with certificate update, but the only truly secure way is to compare against the actual certificate.
     
  5. dariuszpietrala

    dariuszpietrala

    Joined:
    Oct 5, 2012
    Posts:
    148
    OK, so the question is why the certificate doesn't work in Unity. It's a paid certificate, 100% safe. It works on every device in any browser I've checked, but it doesn't work on those devices in a Unity build or editor.
     
  6. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    2,226
    You actually do have a device it doesn't work on? That would help a lot!
    I think web browsers tend to have and maintain their own certificate stores. Unity takes certificates from the Operating System store. We already know that Windows comes with not so many certificates and somehow updates that store (maybe visiting the website using IE/Edge updates the store?), this is being worked on.
     
  7. dariuszpietrala

    dariuszpietrala

    Joined:
    Oct 5, 2012
    Posts:
    148
    OK, you can check this link:
    https://appv1.skijumpgame.com:3020/hello

    It works in every browser on my Win10 machine, but it shows "Unable to complete SSL connection" in the editor on the same machine.
     
  8. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    2,226
    Nope, Firefox on my machine complains about unknown issuer. Have you manually trusted the certificate?
     
  9. royvaneijndhoven

    royvaneijndhoven

    Joined:
    Jun 1, 2017
    Posts:
    58
    Is there a possibility to let Unity do its validation and when that fails make the custom CertificateHandler do its thing?

    What we tried was the piece of code below, but apparently the base.ValidateCertificate() does not actually do anything, it just returns False.

    Code (CSharp):
    protected override bool ValidateCertificate(byte[] certificateData)
    {
        bool validation = base.ValidateCertificate(certificateData);

        if (!validation)
        {
            X509Certificate2 certificate = new X509Certificate2(certificateData);
            // Do custom validation that puts its result into the validation boolean.
        }

        return validation;
    }
    So that resulted in failing calls to our backend that have a redirect to a different domain with the actual data that we want to get. The call to our backend goes well because of the custom CertificateHandler but the redirect is handled by the same CertificateHandler and that would fail even though the Root CA was in the System Store because obviously the custom CertificateHandler was specifically made to accept only our own certificates.
     
  10. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    2,226
    No. You have to either ensure the validity yourself, or have a certificate issued by a trusted issuer.
     
  11. royvaneijndhoven

    royvaneijndhoven

    Joined:
    Jun 1, 2017
    Posts:
    58
    Just to be clear, the certificates are issued by a trusted issuer, the problem is the system store being out-of-date or just missing trusted root ca's.

    We can't implement custom validation for the domains that we get data from but don't have control over, that would mean that as soon as one of those domains changes their certificate a portion of our functionality would drop. There's also no way to actually add certificates to the system store in Unity or that Unity does this by itself like some browsers actually do.

    Are those functionalities that Unity is working on or thinking about?
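
Added example (not part of any post in this thread, and not Unity's code): one way to "embed your certificate into the app and compare against it" while keeping the handler away from redirects and third-party hosts, the problem described in the posts above. The class names, `api.example.com` and the pin strings are hypothetical placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using UnityEngine.Networking;

// Added example: PinnedCertificateHandler, PinnedRequests, PinnedHost and the
// pin values are hypothetical names/placeholders, not from the thread or Unity.
public class PinnedCertificateHandler : CertificateHandler
{
    // Lowercase hex SHA-256 of the whole DER certificate ("the actual certificate").
    static readonly HashSet<string> CertificatePins = new HashSet<string>
    {
        "<sha256-of-current-certificate>",
    };

    // Lowercase hex SHA-256 of the public key bytes. A renewal that reuses the
    // key pair keeps this value; a backup key pin allows rotation without an app update.
    static readonly HashSet<string> PublicKeyPins = new HashSet<string>
    {
        "<sha256-of-current-public-key>",
        "<sha256-of-backup-public-key>",
    };

    protected override bool ValidateCertificate(byte[] certificateData)
    {
        if (certificateData == null || certificateData.Length == 0)
            return false;
        try
        {
            var certificate = new X509Certificate2(certificateData);
            // NotBefore/NotAfter are local time; a pin must not outlive the certificate.
            DateTime now = DateTime.Now;
            if (now < certificate.NotBefore || now > certificate.NotAfter)
                return false;
            return CertificatePins.Contains(Sha256Hex(certificateData))
                || PublicKeyPins.Contains(Sha256Hex(certificate.GetPublicKey()));
        }
        catch (CryptographicException)
        {
            return false; // unparsable data is never trusted
        }
    }

    static string Sha256Hex(byte[] data)
    {
        using (SHA256 sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(data)).Replace("-", "").ToLowerInvariant();
    }
}

public static class PinnedRequests
{
    const string PinnedHost = "api.example.com"; // hypothetical backend host

    public static UnityWebRequest Get(string url)
    {
        UnityWebRequest request = UnityWebRequest.Get(url);
        Uri uri;
        bool isPinnedHost = Uri.TryCreate(url, UriKind.Absolute, out uri)
            && string.Equals(uri.Host, PinnedHost, StringComparison.OrdinalIgnoreCase);
        if (isPinnedHost)
        {
            // One handler per request: it is disposed together with the request by default.
            request.certificateHandler = new PinnedCertificateHandler();
            // The handler also judges redirect targets, so do not follow redirects here;
            // the caller reads the Location header and sends that URL through Get() again.
            request.redirectLimit = 0;
        }
        // Any other host keeps certificateHandler == null, i.e. system-store validation.
        return request;
    }
}
```

This does not help with hosts whose root CA is missing from the system store; it only keeps a pinning handler from rejecting hosts it was never meant to judge.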
     
  12. dariuszpietrala

    dariuszpietrala

    Joined:
    Oct 5, 2012
    Posts:
    148
    I have a Domain Validation 256bit certificate with 200k Euro guaranty, 100% sure it should be trusted, biggest company in Poland. Maybe this should be an OV or EV certificate?
     
  13. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    2,226
    Microsoft Edge does accept it, Firefox doesn't. Likely the root certificate is fairly new, hasn't reached everyone yet.
     
  14. Fenrirr

    Fenrirr

    Joined:
    Mar 5, 2015
    Posts:
    15
    Hello guys
    I might have some new insight on this issue. I recently started working on SSL connections on a little app I made and it's been unsuccessful.
    I will not post my whole problem here, but I did describe it on another post (https://forum.unity.com/threads/rest-request-to-ssl-server-failed-to-receive-data.651616/)

    tl;dr: My application does not connect to my SSL server (although any other software does) and returns a weird "Failed to receive data" message.
    After exchanging some ideas with @JeffDUnity3D in the mentioned post, I found out that, when using Charles Proxy (a monitoring program) to monitor my REST requests, the requests actually worked, and when the program was shutdown, the requests just stopped working again.

    I honestly don't know if the issues are related, but... :shrug:

    If you guys need any info, I'll be watching both topics!
     
  15. unpuzzlebarcelona

    unpuzzlebarcelona

    Joined:
    Oct 4, 2018
    Posts:
    5
    I face the same issue, only on some Android devices. Using latest 2018.3.11 version and 4.X Equivalent.

    It's shocking to me that this has been a real problem for months, I think that there are enough cases here to know exactly who has the problem and that the problem is with Unity. With .NET Http it works, with UnityWebRequest it doesn't. With older versions of Unity it works, 2018.2+ it fails. I think it's pretty clear.

    Any news on these? Or we have to assume that a lot of users will not be able to play our games because Unity is not working properly?

    Kinda desperate at this point.
     
  16. ode1ay

    ode1ay

    Joined:
    Feb 19, 2019
    Posts:
    2
    I left a post above because of the error that UnityWebRequest(to Google Cloud Speech) did not work properly on UWP(Hololens) after unity 2018.2.x.
    My colleague resolved that problem with a makeshift solution, so I write it here.
    After installing the Google Chrome browser on Hololens, UnityWebRequest works normally.
    I don't know the exact reason, but with the idea of @eisenpony in other thread(https://forum.unity.com/threads/rest-request-to-ssl-server-failed-to-receive-data.651616/),
    I guess that Chrome may have negotiating TLS connection attempts,
    while Edge, the default browser of Hololens, does not support it.
    Well, just to let you know.
     
  17. Nerzal

    Nerzal

    Joined:
    Aug 5, 2015
    Posts:
    2
    I have similar issues.. also with Unity 2019.1
     
    AIriarte and yuliyF like this.
  18. unity_bKCq68fLApGWxg

    unity_bKCq68fLApGWxg

    Joined:
    Apr 22, 2019
    Posts:
    1
    UPD: I reached topic where SEC_ERROR_UNKNOWN_ISSUER in Firefox browser interpreted as not installed SSLCertificateChainFile (*.ca-bundle file) or Intermediate Certificates in my case (several CA *.cer). So Chrome is working with only installed root certificate, as well as iOS requests are handled correctly, that's why I was mistakenly sure my certificates were set up correctly.


    Hi guys,

    while investigating the same issue from the Editor (Unity 2018.2.20f1) I found an interesting thing.
    I've logged via Microsoft Network Monitor 3.4 different scenarios:
    1) Fiddler is running, traffic is capturing, HTTPS traffic is decrypted – there is a normal request to the server.
    2) Fiddler is running, traffic is capturing, but HTTPS traffic decryption is turned off – request doesn't reach the server.
    In case traffic capturing is turned off, Network Monitor doesn't see any requests to the server at all.
    The main difference between these two scenarios is that in case 1 - Destination is my domain name, but in case 2 there is an IP shown. As I understood certificate is giving for the domain name and connection can't be verified for the direct IP.
    May it be a reason — that domain name is resolved before the certificate is checked?
     
    Last edited: Apr 22, 2019
  19. GustavNinja

    GustavNinja

    Joined:
    Jun 13, 2016
    Posts:
    34
    My application is experiencing the same errors as most people here. We are using 2018.1.9f2.
    Basically we get about 2000 error reports a day about people not being able to login via UnityWebRequest. However we have built in a downgrade system so if UnityWebRequest fails 5 times we switch to use WWW and that always succeeds.
    This does limit us to upgrade to a newer Unity version but we are looking in to switching out WWW for
    HttpWebRequest. And also since we use AWS as servers maybe the certificate might be old on certain devices. I found another thread on another forum.
    https://community.playfab.com/quest...complete-ssl-connection-since-unity-2018.html

    For us the problem is mainly Android but sometimes iOS devices has the same problem.
     
  20. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    2,226
    WWW is a wrapper on top of UnityWebRequest! The only thing it does is set chunkedTransfer to false (it's false by default in UWR too, but I don't remember since which version).
    So fallback to WWW is not helping you, only a retry does.
     
    yuliyF likes this.
  21. ajhatch

    ajhatch

    Joined:
    Oct 21, 2016
    Posts:
    7
    My team has encountered this problem intermittently for several months, and it is clearly this exact issue because visiting an HTTPS page in Edge resolves it. @Aurimas-Cernius, can you share any updates about how this is being addressed internally? This is becoming a major pain point both in our development team and among our customers and the "hacky" workaround required is not a good look for us at all.
     
  22. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    6,364
    I can. We reached out to Microsoft for help because their certificate validation APIs fail, and only start working after visiting a certain website through Edge.
     
  23. dejarajs

    dejarajs

    Joined:
    Dec 11, 2012
    Posts:
    1
    @Tautvydas-Zilys We have a similar issue in most of our platforms (iOS, Android, Standalone).. very intermittent and is impacting some of our users. We would not like to have a custom validation added as we'll need to rebuild the app each time the certificate expires. Is there a fix planned?
     
  24. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    6,364
    If you're facing a similar issue on other platforms, then it is a different issue than the one I'm talking about. I'll leave it up to @Aurimas-Cernius to comment on it. In either case, you should submit a bug report.
     
  25. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    2,226
    Windows standalone has a known issue with on-demand certificate store update, performed by Microsoft's browsers.
    On Android the SSL related error might occur due to connection loss during handshake.
    I've never heard of issues on iOS so far. There was one bug related to renegotiation, which was fixed. I don't think I've heard of issues on OSX standalone either.
     
  26. Mijndert

    Mijndert

    Joined:
    May 5, 2017
    Posts:
    4
    Hello, I am experiencing the same issue using WWW to connect to api.paypal.com in Unity 2018.2 on Windows 10. Doesn't work either with the custom certification. Working fine in Unity 5.
     
  27. wbronchar

    wbronchar

    Joined:
    Mar 20, 2013
    Posts:
    13
    We are also reproducing this issue too:

    Here are our latest findings.
    1. Reproduces on a Hololens device when it is factory reset (responseCode=0)
    2. Workaround by using edge to go to the url that is failing works
    We have the following small reproducible example:
    Code (CSharp):
    using System.Collections;
    using UnityEngine;
    using UnityEngine.Networking;

    public class RequestTest : MonoBehaviour
    {
        void Start()
        {
            StartCoroutine(DoTheRequest());
        }

        IEnumerator DoTheRequest()
        {
            Debug.Log("DoTheRequest");

            string[] requests = new string[] {
                // Google (FAILS)
                "https://google.com/",
                "https://www.google.com/",
                "172.217.164.174", // (google.com), works but this forwards to HTTP so that makes sense

                // Let's Encrypt (FAIL at first, then we browsed to the Lyft URL with Edge, and now both work!)
                // (listed after Cloudflare in the original order below)

                // Cloudflare (SUCCESS)
                "https://spatial.is/",
                "https://api.spatial.is/",

                // Let's Encrypt (FAIL at first, see note above)
                "https://help.lyft.com/hc/en-us",
                "https://www.basketball-reference.com/",

                // DigiCert (SUCCESS)
                "https://s3.amazonaws.com/[REDACTED].json", // HL: success
                "https://www.cheatsheet.com/",

                // HTTP
                "http://www.baidu.com/",
                "104.193.88.77", // baidu ip1
                "104.193.88.123", // baidu ip2
            };

            // Send each request in turn and log the response code and error flag.
            foreach (string url in requests)
            {
                var r = UnityWebRequest.Get(url);
                yield return r.SendWebRequest();
                Debug.Log($"`{url}`: responseCode={r.responseCode}, isError={r.isNetworkError}");
            }
        }
    }
    1. We reproduced the issue with our api.spatial.is domains, Lyft, Google and basketball-reference.com
    2. Once we moved our api to route through Cloudflare (which now uses Cloudflare's certificate provider instead of "Let's Encrypt" that it was using before), all requests to api.spatial.is work fine!
    3. To confirm our theory that this issue may be related to certificate provider, we tried the following
      1. We confirmed again that both lyft.com and basketball-reference.com still weren't working:
        `https://help.lyft.com/hc/en-us`: responseCode=0, isError=True
        `https://www.basketball-reference.com/`: responseCode=0, isError=True
      2. Closed the app
      3. Opened the Edge browser on Hololens and went to "https://help.lyft.com/hc/en-us"
      4. Re-ran the same app and confirmed that both lyft.com and basketball-reference.com requests now work!
        `https://help.lyft.com/hc/en-us`: responseCode=200, isError=False
        `https://www.basketball-reference.com/`: responseCode=200, isError=False
    Since switching our specific api to route through cloudflare, our issue is resolved but the larger issue still exists and this sounds like a pretty large issue to me.
    Another thing we confirmed is that adding the following code makes all requests work fine (code 200) (this is including Lyft, Google and the old api.spatial.is that was using Let's Encrypt):

    Code (CSharp):
            // (...)

            foreach (string url in requests)
            {
                var r = UnityWebRequest.Get(url);
                // this certificate handler
                r.certificateHandler = new AcceptAllCertificatesSignedWithASpecificKeyPublicKey();
                yield return r.SendWebRequest();
                Debug.Log($"`{url}`: responseCode={r.responseCode}, isError={r.isNetworkError}");
            }
        }
    }

    class AcceptAllCertificatesSignedWithASpecificKeyPublicKey : CertificateHandler
    {
        // Returns true for every certificate, so no validation is performed at all.
        protected override bool ValidateCertificate(byte[] certificateData)
        {
            return true;
        }
    }
     
  28. chanon81

    chanon81

    Joined:
    Oct 6, 2015
    Posts:
    88
    Has this problem been fixed for you yet?
    I am beginning to do https web calls and I am not sure if UnityWebRequest would be ok for Android / iOS.
     
  29. starmindfr

    starmindfr

    Joined:
    Nov 7, 2016
    Posts:
    34
    On my side even with the code for acceptallcertificates it's still failing on several devices with error 0. We also figured out that one CentOS 7 VM allows us to reproduce the issue 100% of the time, whereas Android and PC clients are quite random.

    edit :
    using UnityWebRequest.Post not GET
    Unity 2019.2.0b7
     
    Last edited: Jul 13, 2019
  30. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    2,226
    Centos is unrelated. It's a Red Hat based distro with a different location for certificates. Unity only officially supports Ubuntu AFAIK.
     
  31. ForceMagic

    ForceMagic

    Joined:
    Feb 27, 2015
    Posts:
    36
    We are actually having the same issue here. We are in the process of going from Unity 2017 to 2018 LTS on .NET 4.x and our Android automation farm reports the same error: UnityWebRequest - Unable to complete SSL connection. We saw an increase in the number of our users having this kind of error since our rollout, which we had to halt.

    Any update or clue on this?
     
  32. wbronchar

    wbronchar

    Joined:
    Mar 20, 2013
    Posts:
    13
    Last edited: Jul 24, 2019
  33. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    6,364
    Your request wasn't closed - it was linked to another bug report which is a duplicate. We are working with Microsoft on the HoloLens issue, and we currently think it's an OS bug. I know this is taking forever and I wish I could make it go faster :(.
     
    wbronchar likes this.
  34. piginhat

    piginhat

    Joined:
    Feb 17, 2016
    Posts:
    67
    I've just stumbled across this thread trying to figure out why I am getting a 403 from a call to UnityWebRequest to simply download a text file from an HTTPS address, the same address my browser has no difficulty accessing.

    So is my issue the same as this thread topic? And if so... it's this problematic to download just a text file?
     
  35. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    2,226
    No, your issue is completely different and it's very likely an issue with your request. 403 means successful HTTP communication (so TLS works fine), it just means server has rejected your request, most likely due to missing credentials.
    Sounds like you are accessing a site that requires you to log in. It probably works in browser, because you are already logged in there. Try different browser.
     
    piginhat likes this.
  36. piginhat

    piginhat

    Joined:
    Feb 17, 2016
    Posts:
    67
    Thanks, found out it was, as you say, missing credentials!
     
  37. CliffCawley

    CliffCawley

    Joined:
    Mar 30, 2009
    Posts:
    15
    Just adding that I've experienced this same issue with some of my users. (I'm using Unity 2018.4.5f1).

    Interested in the solution to reduce my support requests :D
     
  38. wbronchar

    wbronchar

    Joined:
    Mar 20, 2013
    Posts:
    13
  39. ksc_3899

    ksc_3899

    Joined:
    Jan 1, 2019
    Posts:
    11
    I'm using WWW and sending an API request. The response JSON has an array of 39 elements. Even in the editor I'm able to view only half of the JSON and not all of it. It's throwing the error "Unable to complete SSL connection". Even in the editor.
     
  40. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    6,364
    Good news everybody. After working with Microsoft, we figured out how to fix the SSL connection issue affecting Windows devices (HoloLens, Xbox, etc). We're finishing up the fix now and I will be backporting it to 2019.2 and 2018.4.
     
  41. MDoelle

    MDoelle

    Joined:
    Nov 23, 2016
    Posts:
    10
  42. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    6,364
    It's going through code review right now. It's summer time, people are on vacations and we really want to get this right since messing up certificate validation could lead to security holes. I'm doing everything in my power to get this out to you as soon as possible.
     
  43. MDoelle

    MDoelle

    Joined:
    Nov 23, 2016
    Posts:
    10
    @Tautvydas-Zilys I appreciate that. If you have any rough ETA, that would be great.

    In case the ETA is longer than a week, is there any recommended workaround for the moment? We are currently upgrading to prepare for HL2 and therefore need to use 2018.4 (or higher). We've switched to http for testing purposes but can't test the full system since some urls we are calling we don't control (and therefore can't use http with them).

    The workarounds I've personally read about involve ServicePointManager which is not available on HoloLens.
     
  44. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    6,364
    Yeah it will definitely be more than a week.

    A known workaround is to visit those web pages using Edge browser prior to making UnityWebRequest to them.
     
  45. unity_ap6_UEv3h46J3A

    unity_ap6_UEv3h46J3A

    Joined:
    Tuesday
    Posts:
    3
    Hi.
    I was working on a Unity project and I have a problem with PayPal API calls. I found that the following code works OK in Unity 2017.1.2, but when I ported my project to Unity 2018.2.8f1 it began to give the error "Unable to complete SSL connection" in the following method:



    Code (CSharp):
        IEnumerator MakePayAPIcall() {

            Dictionary<string,string> headers = new Dictionary<string, string >();

            headers.Add("Accept","application/json");
            headers.Add("Accept-Language","en_US");
            headers.Add("Authorization","Basic " + System.Convert.ToBase64String(System.Text.Encoding.ASCII.GetBytes( clientID + ":" + secret)));

            WWWForm postData = new WWWForm();

            postData.AddField("grant_type", "client_credentials");

            string endpointURL = StoreProperties.INSTANCE.isUsingSandbox () ?
                "https://api.sandbox.paypal.com/v1/oauth2/token" :
                "https://api.paypal.com/v1/oauth2/token";

            WWW www = new WWW(endpointURL, postData.data, headers);

            Debug.Log("Making call to: " + endpointURL);

            yield return www;

            //if ok response
            if (www.error == null) {
                Debug.Log("WWW Ok! Full Text: " + www.text);
                handleSuccessResponse (www.text);

            } else {
                Debug.Log("WWW Error: "+ www.error);
                handleErrorResponse (www.text, www.error);
            }
        }

    Like I said, it works without problems in Unity 2017.1.2f1. It seems like it is a Unity error. I want to know if somebody has found a solution for that problem.
    Thanks in advance.
     
  46. unity_ap6_UEv3h46J3A

    unity_ap6_UEv3h46J3A

    Joined:
    Tuesday
    Posts:
    3
    Sorry for the double post, but I am really very interested in finding a solution for this problem, and I read that Unity will correct it in the 2018.4 release. My question is: will that correct the problem when using WWW objects as shown in my previous post, or will it only correct the problem when using UnityWebRequest?
    Thanks in advance.
     
  47. Tautvydas-Zilys

    Tautvydas-Zilys

    Unity Technologies

    Joined:
    Jul 25, 2013
    Posts:
    6,364
    Which platform are you targeting?
     
  48. unity_ap6_UEv3h46J3A

    unity_ap6_UEv3h46J3A

    Joined:
    Tuesday
    Posts:
    3
    Hi.

    My target platform is pc (pc, mac and linux standalone)