UnityWebRequest - Unable to complete SSL connection

Hi,

Our team noticed occasional reports of users being unable to communicate with our web service over https.

After seeing occasional reports from players being unable to connect to our game, we built a system that captures the error event when it occurs and gives us a bit more context about the error. To our surprise we found that the issue happens hundreds of times each day for over 200 unique users.

The specific error message we see is: “Unable to complete SSL connection”

Specifically, this error occurs for a limited set of users when we make calls like the one below. For the vast majority of our users, including ALL of our in-house staff, we’re unable to recreate this problem and everything works fine. But for over 200 unique users each day we get lots of reports of “Unable to complete SSL connection” which fires as a part of an isNetworkError response:

UnityWebRequest www = UnityWebRequest.Post("https://www.oursite.com/example", form);
StartCoroutine(WaitForRequestLoad(www));

private IEnumerator WaitForRequestLoad(UnityWebRequest www)
{
    using (www)
    {
        yield return www.SendWebRequest();
        if (www.isHttpError)
        {
            // HttpError
        }
        else if (www.isNetworkError)
        {
            // THIS IS WHERE THE PROBLEM OCCURS
            // www.error = "Unable to complete SSL connection"
        }
        else if (www.error != null)
        {
            // Double check no error messages
        }
        else
        {
            // EVERYTHING WORKS FINE, PROCEED NORMALLY
        }
    }
}

We’ve seen this problem across many similar calls in our game, including plenty of WebAPI calls and AssetBundle loads using UnityWebRequestAssetBundle.GetAssetBundle().

We’ve found this to be a problem for users across platforms including Android, iOS, and Standalone builds of our game. We’ve checked our SSL configuration on the server and things look ok. Given that we cannot recreate the problem in-house it’s difficult to troubleshoot for users. We’ve reached out to several of these users and haven’t been able to arrive at a conclusion why they’re having issues. For a while now we’ve blamed their local ISP or local configurations, but it now seems like there are too many reports for this to make sense.

It would be super helpful if we could get some information on what is happening behind the scenes when calling UnityWebRequest.Post() that could result in the SSL error we’re seeing. Any information about this would help us troubleshoot if there is something wrong on our end or a problem with the editor.

The one interesting point is that ALL of the users that have reported this issue have confirmed that they can successfully access the same URL from a web browser on the same device. This made us think that maybe something was wrong at the Unity level.

2 Likes

Which Unity version are you on? Sounds like something fairly recent.
One reason for this failure is an out-of-date root certificate store on the user's system, which may not have a root certificate for your site certificate.

A way to mitigate this issue is to attach a custom certificate handler to UnityWebRequest and manually validate the certificate; that way you would not depend on the user's system being up to date.

Otherwise you need to collect more data to find out a pattern for this failure. Which TLS version are you using for your site, what OS versions do users with failures use, which regions are they from etc.

1 Like

Hey, we’ve been seeing this issue for a while now, but our most recent client is actually built with Unity 2018.2.11f1, just pushed out yesterday, and we already have over 100 unique users with error reports containing some form of “Unable to complete SSL connection”.

We’ve collected extensive information about these errors. To temporarily reduce the problem we are now using http for our PC / OSX standalone clients and of course the SSL errors have gone away on those platforms. But the errors remain for Android primarily since that’s where the vast majority of our users play:

Here is the information we know from users playing from yesterday (10-8-2018) and today (10-9-2018):

Top 20 Device Types of users with SSL problems:
3766648--314461--Top20_Devices.JPG

Top 20 Operating Systems of users with SSL problems:
(You’ll see a small number of Windows platforms here as we still require SSL for any login related requests.)
3766648--314467--Top20_OS.JPG

Top 20 Countries of users with SSL problems:
3766648--314464--Top20_Country.JPG

I’ll post more details about our SSL config shortly…

1 Like

Our servers and Cloudflare are set up to support TLS 1.0, 1.1, 1.2
We had TLS 1.3 enabled, but recently disabled it with no change.

Also, we’re really confused why users in a web browser on the same device are able to access the same Web api urls successfully, but these fail in Unity. Is there something different about the UnityWebRequest implementation?

What’s making this tough is that we don’t really understand what is happening under the hood within the UnityWebRequest.

I’m looking into certificateHandler stuff now, but not fully understanding what that is doing compared to what Unity would do without a certificateHandler. Can you explain the difference between using a certificateHandler and not (the default behavior?)

Specifically, what does Unity do by default to determine if the certificate is not valid? I noticed if I write my own certificate handler and return false, I can recreate the “Unable to complete SSL connection.” It would be helpful to know what Unity is doing when no certificate handler is present.

1 Like

Sounds like a bug on our side then. We validate certificates against the system root certificate store. Can you report a bug to us?

By attaching the CertificateHandler you bypass the builtin certificate checking completely and take over the control. By returning true or false from the handler you tell whether you trust the certificate or not. You get the certificate as an argument, so can validate it if it is yours.

Bug Created:
https://fogbugz.unity3d.com/default.asp?1089500_ba8c4n2vgmkf0sv9

Any updates on this issue? Our team is a little bit confused about the purpose of the custom certificate handler. Why would we want to override the system’s default certificate verification process? I was able to implement this based on the examples in the documentation where a simple comparison is made between public keys, but we’re not understanding how this can be applied in our case to ensure security… it feels like we’re just bypassing the security measures of SSL, is there something we’re not fully understanding?

Also, would using a custom certificate handler be compliant with the iOS requirement that all communication is completed via https?

Our QA is still working trying to reproduce it.
The custom certificate handler does not necessarily break security, though it can if not coded properly. The certificates are for establishing trust between the app and the server; using certificates, the app can ensure the server it has connected to is what it claims to be.
The normal process is for servers to use certificates issued by trusted authorities, while the root certificates are present on the system (installed along with OS/browser). The trust is established by validating a chain of certificates, where the later certificate signs the previous one. The end of the chain is signed by a root certificate that is supposed to be present on the system and that way gives a separate validation. If this validation process fails, it means that either you have connected to the wrong server that cannot be trusted (or something untrusted in between tries to do a dirty job), or data corruption occurred during communication - these two are proper failures, the connection is actually insecure. Another failure is for the chain to be signed by a root certificate that is not present in the system store (untrusted root), so the connection cannot be trusted. This can be because the system store is out of date (installing updates might update the root certificate store), the root certificate has been revoked (i.e. the given certificate issuer was badly hacked and had to reissue all certificates) or the certificate issuer proved itself to be not trustworthy and got kicked by OSes.
By using a custom certificate handler you take control into your own hands. You can have your own certificate in your app and compare it with what the server gives. If they match, the trust is established. This way you make your own certificate a trusted root. This also enables use of self-signed certificates (issued by yourself, not by an external issuer organisation). The downside is that if your own validation is coded incorrectly, you can trust the bad guys and/or not trust the good guys. Also, if you ever change your certificate (i.e. it expires), you have to update your app and only the updated app will be able to connect to your server.

Hope that’s clear enough :)

1 Like
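The public-key comparison described in the reply above, as an added example that is not code from the thread or from Unity: a CertificateHandler that trusts the server only when its public key hashes to one of a small set of pins, with a second pin so a key change does not lock out already-installed clients. The class name and the pin strings are placeholders (assumptions); a handler that simply returns true accepts any server.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using UnityEngine.Networking;

// Hypothetical class name. Once attached, the built-in validation against the
// system root store is bypassed, so this method is the only trust decision.
public class PinnedKeyCertificateHandler : CertificateHandler
{
    // Placeholder pins: base64(SHA-256(X509Certificate2.GetPublicKey())).
    // Keep at least two entries: the key in use and a backup key held offline,
    // so the server key can be replaced without shipping a new client first.
    private static readonly HashSet<string> PinnedKeyHashes = new HashSet<string>
    {
        "REPLACE_WITH_CURRENT_KEY_SHA256_BASE64",
        "REPLACE_WITH_BACKUP_KEY_SHA256_BASE64",
    };

    protected override bool ValidateCertificate(byte[] certificateData)
    {
        if (certificateData == null || certificateData.Length == 0)
            return false; // fail closed: nothing to validate

        try
        {
            var cert = new X509Certificate2(certificateData);

            // Reject certificates outside their validity window
            // (NotBefore/NotAfter are reported in local time).
            DateTime now = DateTime.Now;
            if (now < cert.NotBefore || now > cert.NotAfter)
                return false;

            // Pin the key, not the whole certificate, so a renewal that
            // reuses the same key pair keeps working.
            using (var sha = SHA256.Create())
            {
                string hash = Convert.ToBase64String(sha.ComputeHash(cert.GetPublicKey()));
                return PinnedKeyHashes.Contains(hash);
            }
        }
        catch (CryptographicException)
        {
            return false; // unparsable certificate data is never trusted
        }
    }
}
// Usage: www.certificateHandler = new PinnedKeyCertificateHandler();
```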

I have the same issue unfortunately. My build from earlier this year works fine (2018.1.6.52276) with no SSL issue. My current build however after having an updated Unity version (using 2018.2.2.36079) always has the error. This occurs on same machine. I’m thinking it is either how the build is being done with settings, or a difference in cert handling (maybe I need to refresh tokens in my new build?) - anyways, let me know if you find a solution.

Which platform is this on? If it’s Editor/Standalone, then the difference is that in 2018.1 all certificates were trusted and you would only get SSL errors for invalid stuff. Since 2018.2 we properly support SSL and do check if certificates are valid.
On iOS and Android we had proper SSL support even before 2018.2.

My team and I have the same issue consistent with everything mentioned by TitanUnity. Our game is running on 2017.4.14f and the majority of customers having this issue seem to be running Android. A few have reported that the issue suddenly fixed itself overnight, but that does not seem to be the case for all.

I’ll report back if we find any new leads not already mentioned.

So far we’ve seen such an issue on Android and the cause seems to be connection loss at the time the TLS connection is being established. Perhaps you can check your server logs if it is the case?

Here is an update on this issue from our team. I was able to get in direct contact with a few players that are actively experiencing the issue ‘Unable to complete SSL connection’ during various loads our client makes. We tried a custom certificate handler and found that unfortunately that did not work for these users either.

Interesting, I decided to build a custom client where the certificate handler always passes true (figuring that it would certainly work for these users as a temporary solution)… but oddly even this fails when these users attempt basic data loads over https.

And this isn’t coming from a small number, as I reported earlier, we have hundreds of unique users each day that encounter some flavor of SSL error.

Figured I would share as we continue to investigate this problem.

A custom certificate handler can only help if the root certificate is not trusted by the device. It will not help in other cases, such as the certificate being invalid, encryption not passing or simply losing connection right at the time when the TLS connection is being established. The cases we were able to reproduce were the last one.

1 Like

Hmmm, it just seems like too many users to be simply a connection loss issue. Over 100 unique users a day encountering these problems. Running out of ideas to try here…

To be clear, these users confirm successfully playing other games, streaming videos, browsing the web and generally not having issues.

We actually have a user right now that can get this error every single time. I had the user manually try to load the same calls from his browser on his Android device and all the calls work ok. When he attempts to make the same calls from the Unity client, they fail with an SSL error.

More and more this seems like a Unity implementation issue.

2 Likes

Here is a summary of information we’ve gathered from one of our players that is experiencing the ‘Unable to complete SSL connection’ error every time on Android with our client built with Unity 2018.2.15f1:

  • UnityWebRequest fails every time with ‘Unable to complete SSL connection’
  • User reinstalled app, no luck
  • User confirmed no 3rd-party modifications or OS changes running
  • User updated Android OS, no luck
  • We tried custom certification handler that passes true every time with no luck
  • User can successfully make both GET and POST requests from their browser to multiple endpoints on our network
    (confirming the user is not blocked by CloudFlare)
  • User confirmed multiple successful hits to the same Web API via browser from the same Android device

Here is the unusual part:

  • This user was able to create a wifi hotspot with their phone using the same mobile data network at the same location and connect to our game successfully using our Steam PC client with no issues. (They connect the PC client to the phone’s hotspot network)

But, to be clear, we have a variety of users experiencing this problem across all platforms including over 100 unique users today already 11/20/2018 at 9:30am, including on Android, PC, and iOS. The only common theme we’ve found among reports is that SSL communication fails within Unity but 100% of users we’ve contacted are able to connect to the same https endpoint via their browser with no problems.

We could definitely use additional help on this as we’re running out of things to try.

3 Likes

It would really help to check the server side logs. Which TLS version is being used, what kind of failure is seen on server side etc.
Another alternative is to make a simple Android Java app that would connect to the same endpoint using URL.openConnection(), which is what Unity uses under the hood on Android. Catching exceptions and logging them might reveal what’s happening.

I’ll look further into those avenues, but this user claims the problem started when we launched our most recent version live on Monday this week (our first live client built with 2018.2.15f1). However, we have had this issue for many months now and many have reported the same problem on 2018.2.6f1 so it may be unrelated.