We are using the WWW class to interface with our backend web API, and we recently had a situation in our development environment where our TLS certificate expired. Most of our services (correctly) refused to connect to the server until we updated our certificate; however, we noticed that on some platforms Unity would still accept the certificate for some reason. I did a little digging and found several complaints about both the WWW and UnityWebRequest classes not properly validating certificates. I also tested and found that Unity fails to catch several other invalid certificate configurations, including self-signed certificates, at least on Linux (editor and player).
Our production environment will require us to properly validate our server’s TLS certificate; allowing expired and self-signed certificates is completely unacceptable for our use case. Is there a way to ensure Unity thoroughly validates a TLS connection, consistently across all our platforms, or do I need to look into a third-party solution to integrate to ensure secure communication with our server?