Won't Fix
Votes
0
Found in
2020.3.44f1
2021.3.18f1
2022.2.7f1
2023.1.0b3
2023.2.0a2
Issue ID
UUM-27702
Regression
No
SSL CA Certificate Error on Android <7.1.1
Reproduction steps:
1. Open the attached project “BugRepro”
2. Build and Run on an Android device with an OS version older than 7.1.1
3. Observe the top left corner of the screen
Expected result: SSL certificate request succeeds
Actual result: SSL certificate error is shown
Reproducible with: 2020.3.44f1, 2021.3.18f1, 2022.2.7f1, 2023.1.0b3, 2023.2.0a2
Built using MacOS 12.6 (Intel)
Reproducible on: Xiaomi Mi Note Pro (MI NOTE Pro), CPU: Snapdragon 810 MSM8994, GPU: Adreno 430, OS: 7.0.0
Not reproducible on: Samsung Galaxy S9 (SM-G960F), CPU: Exynos 9 Series 9810, GPU: Mali-G72, OS: 10.0.0; Google Pixel 3 (Pixel 3), CPU: Snapdragon 845, GPU: Adreno 630, OS: 12.0.0
Resolution Note:
Our apologies for the misunderstanding. You are correct that our initial comprehension of the issue was wrong.
After investigating this further, we nevertheless decided not to address this issue. Let's Encrypt's workaround for their change in certificate authority relies on the expiration date of trust anchors not being checked. Our understanding of the relevant standards is that it is up to the TLS implementation to decide whether to do this verification or not. By performing the verification, we are still compliant even if that behavior is different than Android's stock TLS implementation. We do understand that this can cause some confusion and frustration, but for our implementation to match Android's behavior, we would have to modify security-critical code in cURL and MbedTLS (the libraries we use under the hood for UnityWebRequest). We are unwilling to make such modifications as we do not want to risk introducing security vulnerabilities. Furthermore, on Android it is possible to provide a custom certificate handler to UnityWebRequest (see https://docs.unity3d.com/ScriptReference/Networking.UnityWebRequest-certificateHandler.html). This could be used as a workaround to provide certificate validation that matches Android's behavior.
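
The resolution note points to a custom certificate handler on UnityWebRequest as the workaround. As an added example (not Unity's code and not from the attached project), the handler below uses public-key pinning, which is a different technique from reproducing Android's chain validation: it accepts the server by its key and never consults the expired trust anchor. The class name, the `CreateGet` helper and the pin strings are hypothetical placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using UnityEngine.Networking;

// Added example: accept the server only if its public key is one we pinned.
// Chain building is skipped, so an expired root no longer causes a failure.
public class PinnedKeyCertificateHandler : CertificateHandler
{
    // Placeholders (assumption): Base64 SHA-256 of the bytes returned by
    // X509Certificate2.GetPublicKey() (the raw key, not the full
    // SubjectPublicKeyInfo). Keep a backup pin so a key rotation on the
    // server does not lock existing clients out.
    private static readonly string[] PinnedKeyHashes =
    {
        "REPLACE_WITH_PRIMARY_KEY_SHA256_BASE64",
        "REPLACE_WITH_BACKUP_KEY_SHA256_BASE64",
    };

    protected override bool ValidateCertificate(byte[] certificateData)
    {
        try
        {
            var cert = new X509Certificate2(certificateData);

            // Pinning replaces the chain checks, so enforce the leaf's own
            // validity window here. NotBefore/NotAfter are in local time.
            DateTime now = DateTime.Now;
            if (now < cert.NotBefore || now > cert.NotAfter) return false;

            using (SHA256 sha = SHA256.Create())
            {
                string hash = Convert.ToBase64String(sha.ComputeHash(cert.GetPublicKey()));
                return Array.IndexOf(PinnedKeyHashes, hash) >= 0;
            }
        }
        catch (CryptographicException)
        {
            return false; // unparsable certificate data: fail closed
        }
    }

    // Hypothetical helper: attach the handler to a GET request.
    public static UnityWebRequest CreateGet(string url)
    {
        UnityWebRequest request = UnityWebRequest.Get(url);
        request.certificateHandler = new PinnedKeyCertificateHandler();
        return request;
    }
}
```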