Search Issue Tracker
Won't Fix
Votes
0
Found in
2020.3.44f1
2021.3.18f1
2022.2.7f1
2023.1.0b3
2023.2.0a2
Issue ID
UUM-27702
Regression
No
SSL CA Certificate Error on Android <7.1.1
Reproduction steps:
1. Open the attached project “BugRepro”
2. Build and Run on an Android device with an OS version older than 7.1.1
3. Observe the top left corner of the screen
Expected result: SSL certificate request succeeds
Actual result: SSL certificate error is shown
Reproducible with: 2020.3.44f1, 2021.3.18f1, 2022.2.7f1, 2023.1.0b3, 2023.2.0a2
Built using MacOS 12.6 (Intel)
Reproducible on: Xiaomi Mi Note Pro (MI NOTE Pro), CPU: Snapdragon 810 MSM8994, GPU: Adreno 430, OS: 7.0.0
Not reproducible on: Samsung Galaxy S9 (SM-G960F), CPU: Exynos 9 Series 9810, GPU: Mali-G72, OS: 10.0.0
Google Pixel 3 (Pixel 3), CPU: Snapdragon 845, GPU: Adreno 630, OS: 12.0.0
Add comment
All about bugs
View bugs we have successfully reproduced, and vote for the bugs you want to see fixed most urgently.
Latest issues
- "NullReferenceException: Object reference not set to an instance of an object" error is thrown when attempting to remove a binding in the UIBuilder for a UxmlObjectReference
- Missing script error when clicking “script” link in Cave scene’s Water Sample Description
- [VFX Graph] Set Position Shape Gizmo isn't refreshed after shaper switch
- NullReferenceException is thrown when trying to access volumeStack from the HDCamera class
- Visual artifacts appear when using an Orthographic camera with a Reflection Probe
Resolution Note:
Our apologies for the misunderstanding. You are correct that our initial comprehension of the issue was wrong.
After investigating this further, we nevertheless decided not to address this issue. Let's Encrypt's workaround for their change in certificate authority relies on the expiration date of trust anchors not being checked. Our understanding of the relevant standards is that it is up to the TLS implementation to decide whether to do this verification or not. By performing the verification, we are still compliant even if that behavior is different than Android's stock TLS implementation. We do understand that this can cause some confusion and frustration, but for our implementation to match Android's behavior, we would have to modify security-critical code in cURL and MbedTLS (the libraries we use under the hood for UnityWebRequest). We are unwilling to make such modifications as we do not want to risk introducing security vulnerabilities. Furthermore, on Android it is possible to provide a custom certificate handler to UnityWebRequest (see https://docs.unity3d.com/ScriptReference/Networking.UnityWebRequest-certificateHandler.html). This could be used as a workaround to provide certificate validation that matches Android's behavior.