Won't Fix
Won't Fix in 2023.2.X
Votes: 0
Found in: 2020.3.44f1, 2021.3.18f1, 2022.2.7f1, 2023.1.0b3, 2023.2.0a2
Issue ID: UUM-27702
Regression: No
SSL CA Certificate Error on Android <7.1.1
Reproduction steps:
1. Open the attached project “BugRepro”
2. Build and Run on an Android device with an OS version older than 7.1.1
3. Observe the top left corner of the screen
Expected result: SSL certificate request succeeds
Actual result: SSL certificate error is shown
Reproducible with: 2020.3.44f1, 2021.3.18f1, 2022.2.7f1, 2023.1.0b3, 2023.2.0a2
Built using MacOS 12.6 (Intel)
Reproducible on: Xiaomi Mi Note Pro (MI NOTE Pro), CPU: Snapdragon 810 MSM8994, GPU: Adreno 430, OS: 7.0.0
Not reproducible on:
- Samsung Galaxy S9 (SM-G960F), CPU: Exynos 9 Series 9810, GPU: Mali-G72, OS: 10.0.0
- Google Pixel 3 (Pixel 3), CPU: Snapdragon 845, GPU: Adreno 630, OS: 12.0.0
Resolution Note:
Our apologies for the misunderstanding. You are correct that our initial comprehension of the issue was wrong.
After investigating this further, we nevertheless decided not to address this issue. Let's Encrypt's workaround for their change in certificate authority relies on the expiration date of trust anchors not being checked. Our understanding of the relevant standards is that it is up to the TLS implementation to decide whether to do this verification or not. By performing the verification, we are still compliant even if that behavior is different than Android's stock TLS implementation. We do understand that this can cause some confusion and frustration, but for our implementation to match Android's behavior, we would have to modify security-critical code in cURL and MbedTLS (the libraries we use under the hood for UnityWebRequest). We are unwilling to make such modifications as we do not want to risk introducing security vulnerabilities. Furthermore, on Android it is possible to provide a custom certificate handler to UnityWebRequest (see https://docs.unity3d.com/ScriptReference/Networking.UnityWebRequest-certificateHandler.html). This could be used as a workaround to provide certificate validation that matches Android's behavior.
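One way to use the custom certificate handler mentioned in the resolution note, shown as an added example that is not Unity's code or part of the original report. It does not reproduce Android's chain validation; it swaps in public-key pinning of the server's leaf certificate, which sidesteps the expired trust anchor entirely. The pin value, the URL and both class names are placeholders, and the example assumes the handler's return value decides whether the connection is accepted.

```csharp
using System;
using System.Collections;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using UnityEngine;
using UnityEngine.Networking;

// Accepts the server only if its leaf certificate is inside its validity
// window and the SHA-256 of its public key matches the pinned value.
public class PinnedKeyCertificateHandler : CertificateHandler
{
    // Placeholder (assumption): Base64 SHA-256 of the server's public key bytes.
    private const string PinnedKeySha256 = "REPLACE_WITH_BASE64_SHA256_OF_SERVER_PUBLIC_KEY";

    protected override bool ValidateCertificate(byte[] certificateData)
    {
        try
        {
            var cert = new X509Certificate2(certificateData);
            DateTime now = DateTime.UtcNow;
            // Pinning alone says nothing about expiry, so check the leaf's dates.
            if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
                return false;
            using (SHA256 sha = SHA256.Create())
            {
                byte[] actual = sha.ComputeHash(cert.GetPublicKey());
                byte[] expected = Convert.FromBase64String(PinnedKeySha256);
                return actual.SequenceEqual(expected);
            }
        }
        catch (Exception) { return false; } // Fail closed on a bad pin or unparsable certificate.
    }
}

// Usage sketch (hypothetical component): attach the handler before sending.
public class PinnedRequestExample : MonoBehaviour
{
    private IEnumerator Start()
    {
        using (UnityWebRequest request = UnityWebRequest.Get("https://example.com/")) // placeholder URL
        {
            request.certificateHandler = new PinnedKeyCertificateHandler();
            yield return request.SendWebRequest();
            Debug.Log(request.result == UnityWebRequest.Result.Success ? "Pinned key accepted" : request.error);
        }
    }
}
```

The pin has to be updated whenever the server's key pair changes, so ship a backup pin or a remote update path before rotating keys.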