Search Issue Tracker
Won't Fix
Votes
0
Found in
2020.3.44f1
2021.3.18f1
2022.2.7f1
2023.1.0b3
2023.2.0a2
Issue ID
UUM-27702
Regression
No
SSL CA Certificate Error on Android <7.1.1
Reproduction steps:
1. Open the attached project “BugRepro”
2. Build and Run on an Android device with an OS version older than 7.1.1
3. Observe the top left corner of the screen
Expected result: SSL certificate request succeeds
Actual result: SSL certificate error is shown
Reproducible with: 2020.3.44f1, 2021.3.18f1, 2022.2.7f1, 2023.1.0b3, 2023.2.0a2
Built using MacOS 12.6 (Intel)
Reproducible on: Xiaomi Mi Note Pro (MI NOTE Pro), CPU: Snapdragon 810 MSM8994, GPU: Adreno 430, OS: 7.0.0
Not reproducible on: Samsung Galaxy S9 (SM-G960F), CPU: Exynos 9 Series 9810, GPU: Mali-G72, OS: 10.0.0
Google Pixel 3 (Pixel 3), CPU: Snapdragon 845, GPU: Adreno 630, OS: 12.0.0
Add comment
All about bugs
View bugs we have successfully reproduced, and vote for the bugs you want to see fixed most urgently.
Latest issues
- Crash on MonoBehaviour::CallMethodIfAvailable when performing various actions
- Incorrect rotations on bones when importing FBX animations with a Humanoid Rig
- Render Graph Viewer “Pass List” section is flickering when resizing vertically and the Render Graph Viewer window is docked
- Render Graph Viewer Capture button plays the click animation but does not do anything when the Capture button is pressed with the “Enter” key on the keyboard
- UI Builder Scrollview is unable to scroll all the way down when the window is downsized vertically
Resolution Note:
Our apologies for the misunderstanding. You are correct that our initial comprehension of the issue was wrong.
After investigating this further, we nevertheless decided not to address this issue. Let's Encrypt's workaround for their change in certificate authority relies on the expiration date of trust anchors not being checked. Our understanding of the relevant standards is that it is up to the TLS implementation to decide whether to do this verification or not. By performing the verification, we are still compliant even if that behavior is different than Android's stock TLS implementation. We do understand that this can cause some confusion and frustration, but for our implementation to match Android's behavior, we would have to modify security-critical code in cURL and MbedTLS (the libraries we use under the hood for UnityWebRequest). We are unwilling to make such modifications as we do not want to risk introducing security vulnerabilities. Furthermore, on Android it is possible to provide a custom certificate handler to UnityWebRequest (see https://docs.unity3d.com/ScriptReference/Networking.UnityWebRequest-certificateHandler.html). This could be used as a workaround to provide certificate validation that matches Android's behavior.