UnityWebRequest - Unable to complete SSL connection

Discussion in 'Editor & General Support' started by TitanUnity, Oct 8, 2018.

  1. BestHTTP

    BestHTTP

    Joined:
    Sep 11, 2013
    Posts:
    1,664
    @jotamaza @NakOhz

    The download speed now should be about the same as a native implementation since v2.2.0.

    By default the plugin accepts all certificates, but by using the TLS Security Addon you have full control over TLS certificate validation and what certificates (root and intermediate) you want to trust.

    As a plus, both the plugin and addon have the very same behavior on all supported platforms (except under WebGL where the plugin can be only a wrapper over XMLHttpRequest), no additional setting or workaround needed for various platforms.
     
  2. Alexander21

    Alexander21

    Joined:
    Dec 14, 2015
    Posts:
    302
    For the past few days the error has been coming up again. What's the reason? Sometimes I can't connect to the database even though the net is working.

    Should I change something in the code or in the SSL certificates?
     
  3. ina

    ina

    Joined:
    Nov 15, 2010
    Posts:
    1,085
    Experiencing this issue randomly in cases of posting both an audio file and image to server. It seems to work sometimes but not other times. Server SSL passes the usual SSL online tests. Unity 2020.1.14f1 iOS

    V2021-03-06 23:54:43.875617-0800 appname[6231:1594419] [tcp] tcp_output [C27.1:3] flags=[R.] seq=400190022, ack=457886080, win=2048 state=CLOSED rcv_nxt=457886080, snd_una=400190022

    2021-03-06 23:54:43.876132-0800 appname[6231:1594419] Connection 27: received failure notification

    2021-03-06 23:54:43.876210-0800 appname[6231:1594419] Connection 27: failed to connect 3:-9816, reason -1

    2021-03-06 23:54:43.876241-0800 appname[6231:1594419] Connection 27: encountered error(3:-9816)

    2021-03-06 23:54:44.026903-0800 appname[6231:1593593] [boringssl] boringssl_context_handle_fatal_alert(1763) [C34.1:2][0x14c668640] read alert, level: fatal, description: protocol version

    2021-03-06 23:54:44.027445-0800 appname[6231:1593593] [boringssl] boringssl_session_handshake_incomplete(90) [C34.1:2][0x14c668640] SSL library error

    2021-03-06 23:54:44.027503-0800 appname[6231:1593593] [boringssl] boringssl_session_handshake_error_print(41) [C34.1:2][0x14c668640] Error: 5545878584:error:1000042e:SSL routines:OPENSSL_internal:TLSV1_ALERT_PROTOCOL_VERSION:/Library/Caches/com.apple.xbs/Sources/boringssl/boringssl-351.40.2/ssl/tls_record.cc:592:SSL alert number 70

    2021-03-06 23:54:44.027560-0800 appname[6231:1593593] [boringssl] nw_protocol_boringssl_handshake_negotiate_proceed(767) [C34.1:2][0x14c668640] handshake failed at state 12288: not completed

    2021-03-06 23:54:44.028065-0800 appname[6231:1593593] Connection 34: received failure notification

    2021-03-06 23:54:44.028146-0800 appname[6231:1593593] Connection 34: failed to connect 3:-9836, reason -1

    2021-03-06 23:54:44.028177-0800 appname[6231:1593593] Connection 34: encountered error(3:-9836)

    2021-03-06 23:54:44.028979-0800 appname[6231:1593593] Task <8513830E-7B7C-4C71-B959-003189769A30>.<18> HTTP load failed, 0/0 bytes (error code: -1200 [3:-9836])
     
  4. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    3,736
    This looks like connection issue? Are you on Wi-Fi?
     
  5. cmersereau

    cmersereau

    Joined:
    Nov 6, 2020
    Posts:
    52
    My team and I are experiencing some irregular issues as described in the OP. Our difficulty is that the error is being produced through a Unity developed SDK, the Player Identity package. So it is a system that is totally out of our control to debug and fix. Not sure if there are any dots that can be connected internally for Unity between this post and the development team, but it would be great for this to be resolved in a package that you yourselves have made.
     
  6. ebelkin

    ebelkin

    Joined:
    Jan 17, 2018
    Posts:
    1
    In our case the server-side certificate did not contain the full chain of trust. Some clients could build that chain, and some could not. Try to Google "ssl chain of trust" and see how you can alter your server-side certificate to include it. Hope this helps.
     
  7. peterfiftyfour

    peterfiftyfour

    Joined:
    Jan 8, 2016
    Posts:
    20
    Hey all, I have been getting this same error "unable to complete SSL connection" using Unity 2020.3.5f1 and trying to access a site hosted on Netlify. It should be easy to reproduce: if you create a new site from git on Netlify, then go into Unity and try to access it with something like this (just using the default Netlify-provided URL, you don't need a custom domain):

    Code (CSharp):
        // Requires: using System.Collections; using UnityEngine.Networking;
        private IEnumerator Request()
        {
            using (UnityWebRequest req = UnityWebRequest.Get("https://....."))
            {
                yield return req.SendWebRequest();

                while (!req.isDone)
                {
                    yield return null;
                }

                byte[] result = req.downloadHandler.data;
            }
        }
    You should get the error. It will always fail to get any result :(

    This is not happening in 2019.2.5f1 with the exact same setup

    Not sure if this will help identify the issue but I'd love to know how to fix it in 2020.x

    Also the trick of setting the validator to always return true does not work :'(
     
  8. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    3,736
    When accessing Netlify site in the browser I see that it uses TLS 1.3. Unity only supports up to TLS 1.2, so if that site does not have a fallback, Unity won't be able to access it.
     
  9. peterfiftyfour

    peterfiftyfour

    Joined:
    Jan 8, 2016
    Posts:
    20
    Since it's working in unity 2019.2.5f1 that must count for something though right?
     
  10. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    3,736
    IIRC 2019.2 did not perform any validation, just ensured the encryption is correct. But yes, that sounds like something to look into. Could you report a bug for it?
     
  11. ioesten

    ioesten

    Joined:
    Feb 19, 2018
    Posts:
    14
    Has a bug been reported?
    Am experiencing the same issue with netlify calls, but only started recently without change of Unity version (2020.2.1f1). Code that worked fine in the past has this month stopped working and giving us "Unable to complete SSL connection", log file shows "Curl error 35: Handshake did not perform verification. UnityTls error code: 7"
     
  12. MonsW

    MonsW

    Joined:
    Feb 4, 2019
    Posts:
    11
    Hi I hope the topic is still kinda active, I am hitting a similar issue at the moment. Working on a standalone windows .exe using Unity 2018.4.36f1 LTS.

    Code (CSharp):
    using System.Collections;
    using System.Security.Cryptography.X509Certificates;
    using UnityEngine;
    using UnityEngine.Networking;

    // Based on https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#.Net
    class AcceptAllCertificatesSignedWithASpecificKeyPublicKey : CertificateHandler
    {
        // Encoded RSAPublicKey
        private static string PUB_KEY = "XXXXXXXXXXXXX";

        // Accept the certificate only if its public key matches the pinned value.
        protected override bool ValidateCertificate(byte[] certificateData)
        {
            X509Certificate2 certificate = new X509Certificate2(certificateData);
            string pk = certificate.GetPublicKeyString();

            Debug.Log(pk);
            if (pk.ToLower().Equals(PUB_KEY.ToLower()))
            {
                Debug.Log("match");
                return true;
            }
            return false;
        }
    }

    // Coroutine that sends the request (lives in the calling script, outside the handler class).
    IEnumerator httpWebRequest()
    {
        {
            WWWForm formData = new WWWForm();
            formData.AddField("username", "test");
            formData.AddField("password", "test");
            UnityWebRequest www = UnityWebRequest.Post("https://........", formData);
            www.certificateHandler = new AcceptAllCertificatesSignedWithASpecificKeyPublicKey();

            www.chunkedTransfer = false;
            yield return www.SendWebRequest();

            if (www.isNetworkError || www.isHttpError)
            {
                UnityEngine.Debug.Log("error " + www.error.ToString());
            }
            else
            {
                UnityEngine.Debug.Log(www.downloadHandler.text);
            }
        }

        yield return null;
    }
    My CertificateHandler does return true but I get afterwards: "Unable to complete SSL connection".
     
  13. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    3,736
    Does the same happen if you use newer Unity version?
    Unfortunately, 2018.4 is no longer supported.
     
  14. MonsW

    MonsW

    Joined:
    Feb 4, 2019
    Posts:
    11
    My project cannot be moved to a further version of Unity at the moment, too many things would break. I am trying to work around the issue and implement things directly using System.Net but Unity throws me exceptions that don't come up in a native C# app.

    Code (CSharp):
    httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, sslPolicyErrors) => {
        if (sslPolicyErrors == SslPolicyErrors.None)
        {
            return true;   //Is valid
        }
        if (cert.GetCertHashString().ToLower() == "XXXXXXXXXXX")
        {
            return true;
        }
        return false;
    };

    NotImplementedException: The method or operation is not implemented. System.Net.Http.HttpClientHandler.set_ServerCertificateCustomValidationCallback
     
  15. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    3,736
    I understand that. I mean just extracting the UnityWebRequest code and using it in new project made using latest Unity. That may give you a more descriptive error, that could help with your issue even on older version.
    BTW, are you using self-signed certificate or some other reason for custom validation?
     
  16. MonsW

    MonsW

    Joined:
    Feb 4, 2019
    Posts:
    11
    Yes, it is self-signed, which is why I made a custom validation. In any case, even when returning true all the time, I get those errors. I have tried on Unity 2020, I get this:

    Curl error 60: Cert verify failed: UNITYTLS_X509VERIFY_FLAG_UNKNOWN_ERROR


    and

    error SSL CA certificate error
     
  17. TheFellhuhn

    TheFellhuhn

    Joined:
    Feb 3, 2017
    Posts:
    42
    This worked for me:

    Code (CSharp):
    // Body of ValidateCertificate(byte[] certificateData) in a custom CertificateHandler.
    // AcceptedKey, pem and pem2 are defined elsewhere in the class.
    var certificate = new X509Certificate2(certificateData);
    string pk = certificate.GetPublicKeyString();
    if (pk == AcceptedKey) return true;   // already validated once

    var ce = new X509Certificate2(Convert.FromBase64String(pem));
    var ce2 = new X509Certificate2(Convert.FromBase64String(pem2));
    X509Chain chain = new X509Chain(true);
    chain.ChainPolicy.ExtraStore.Add(ce);
    chain.ChainPolicy.ExtraStore.Add(ce2);
    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
    chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
    bool okay = chain.Build(certificate);
    if (okay) AcceptedKey = pk;   // remember the key for later requests
    return okay;

    It is important to use the correct PEMs etc though.
     
  18. MonsW

    MonsW

    Joined:
    Feb 4, 2019
    Posts:
    11
    Thanks for showing what works for you but I am not sure where this fits. Does this go into a custom certificate handler? I don't understand why my current handler would raise errors (even when forcing it to return true).

    Am I supposed to download the .pem and pack them into my software?


    EDIT: Getting a closer look at your code, I am still going out of the Validate function at pk == acceptedKey because it is true and it still raises UNITYTLS_X509VERIFY_FLAG_UNKNOWN_ERROR .
    The issue happens even if my certification handler returns true.
     
    Last edited: Dec 2, 2021
  19. TheFellhuhn

    TheFellhuhn

    Joined:
    Feb 3, 2017
    Posts:
    42
    The pem are integrated into the software. Downloading them isn't really viable as you most likely can't reach the servers you would host them on. ;)

    The code is the ValidateCertificate function of a custom CertificateHandler. It gets added to each web request via
    Code (CSharp):
    request.certificateHandler = new CustomCertificate();
    (pk == acceptedKey) should only be true if the validation was successful once so that you don't have to go through the whole function with each web request. If it is true during your first call then GetPublicKeyString returns an empty string and something else is wrong.

    EDIT: And the acceptedKey is of course static so that each certificate handler instance shares one value
     
    Last edited: Dec 2, 2021
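
Added example (not part of the thread or of any poster's code): a hardened form of the chain-building `ValidateCertificate` discussed in posts 17 to 19. In .NET, `AllowUnknownCertificateAuthority` lets `chain.Build` succeed for a chain that ends in any untrusted root, so this version also requires the built chain to terminate at the bundled root; the class name and the two base64 constants are placeholders, and the accepted-key cache from the posts is left out.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using UnityEngine.Networking;

// Added example: pins the server chain to CA certificates shipped with the app.
// The two constants are placeholders for your own DER certificates,
// base64-encoded (the PEM body without the BEGIN/END lines).
public class PinnedChainCertificateHandler : CertificateHandler
{
    private const string PinnedRootBase64 = "<base64 DER of your root CA>";
    private const string IntermediateBase64 = "<base64 DER of your intermediate CA>";

    protected override bool ValidateCertificate(byte[] certificateData)
    {
        var leaf = new X509Certificate2(certificateData);
        var root = new X509Certificate2(Convert.FromBase64String(PinnedRootBase64));
        var intermediate = new X509Certificate2(Convert.FromBase64String(IntermediateBase64));

        var chain = new X509Chain();
        chain.ChainPolicy.ExtraStore.Add(root);
        chain.ChainPolicy.ExtraStore.Add(intermediate);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        // Needed because the pinned root is not in the system trust store.
        chain.ChainPolicy.VerificationFlags =
            X509VerificationFlags.AllowUnknownCertificateAuthority;

        if (!chain.Build(leaf)) return false;

        // The flag above tolerates a chain ending in *any* unknown root,
        // so allow no chain status other than UntrustedRoot...
        bool onlyUntrustedRoot = chain.ChainStatus.All(
            s => s.Status == X509ChainStatusFlags.UntrustedRoot);
        if (!onlyUntrustedRoot) return false;

        // ...and require that the chain really ends at the pinned root.
        X509Certificate2 builtRoot =
            chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return builtRoot.RawData.SequenceEqual(root.RawData);
    }
}
```

It is attached the same way as in post 19, via `request.certificateHandler = new PinnedChainCertificateHandler();`.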
  20. cmersereau

    cmersereau

    Joined:
    Nov 6, 2020
    Posts:
    52
    Just now saw your response. This is way after the fact, but as I mentioned in my comment the code was not our code. It was a call from a Unity built SDK hitting a Unity server. So there wasn't anything for my team to address, as we weren't in charge of the certificates :/
     
  21. Ark_Tarusov

    Ark_Tarusov

    Joined:
    Jun 24, 2016
    Posts:
    20
    Hello! Could you provide any news on this matter? Is there a link to the bug tracker?
     
  22. MrG

    MrG

    Joined:
    Oct 6, 2012
    Posts:
    368
    Is this still broken in Unity 2020.3.29?
     
  23. EyeDev44

    EyeDev44

    Joined:
    Apr 8, 2017
    Posts:
    149
    Reproduces in Unity 2021.3.12f
     
  24. Coderious

    Coderious

    Joined:
    Mar 28, 2020
    Posts:
    26
    Happened to 1 user (potentially a second one but not confirmed) out of a few hundred players on Unity 2021.3.23f1
     
  25. ArtemVy

    ArtemVy

    Joined:
    Jan 25, 2015
    Posts:
    8
    Yep, still there.
    Unity3d 2021.3.22f1

    Any suggestions?

    Not all users, but some.

    Seems like a problem with the outdated root CA Let's Encrypt used. Any solutions?

    Added this to try to work around it somehow, still not working


    Code (CSharp):
        // Requires: using UnityEngine.Networking;
        // Accepts every certificate, i.e. certificate validation is switched off.
        public class AcceptAllCertificateHandler : CertificateHandler
        {
            protected override bool ValidateCertificate(byte[] certificateData)
            {
                return true;
            }
        }
     
    Last edited: Apr 4, 2024
  26. Aurimas-Cernius

    Aurimas-Cernius

    Unity Technologies

    Joined:
    Jul 31, 2013
    Posts:
    3,736
    If certificate handler isn't called, it means it's not an issue with certificate. Could be bad server configuration or TLS version too new and not yet supported by Unity.
     
  27. BorisDmv

    BorisDmv

    Joined:
    Jan 9, 2016
    Posts:
    1
    I'm getting the same error and yes we also use Let's Encrypt as certificate so seems like that is the problem of it! But no idea how to integrate that into the app. :(