illuminia-studios asked

unable to complete ssl connection since Unity 2018.2

Hi Guys, it seems like since Unity 2018.2 rolled out its full TLS support and started enforcing the (https://blogs.unity3d.com/2018/07/11/scripting-runtime-improvements-in-unity-2018-2/) many users on Xbox One (we are using the Creators Program, not ID@Xbox) are unable to log in to PlayFab with the error: "unable to complete ssl connection"

This is our current configuration:

Unity: 2018.2.10f1

PlayFab SDK: 2.58.181218

Xbox One: OS Edition November 2018.

This thread seems to come closest to the root of the problem (https://forum.unity.com/threads/unitywebrequest-unable-to-complete-ssl-connection.566380/).

From what I can gather the problem has to do with the OS root cert store. When I check the PlayFab endpoint - https://titleid.playfabapi.com/, the PlayFab cert is issued by Amazon. This is a theory, but it is possible that certain Xbox One devices don't have a proper Amazon root CA (the issue is not happening on all Xbox Ones; I would say 50% of our population are affected by it, including our test Xboxes).

In the forum that I referred to earlier, one of the tech guys from Unity suggests bundling your own root CA and overriding how Unity accesses the device root CA.

The reason I am posting this issue here (even if it is obviously a Unity issue since 2018.2.10f1; we didn't have this issue with 2018.1.x) is:

  1. Are you guys aware of this issue?
  2. And would a patch where the PlayFab SDK bundles the Amazon root CA for such scenarios be something that can be implemented on your end?

We are a small team, so we don't have the bandwidth to try to implement the whole root certificate override thing for Unity.

I will keep searching around the net, but our game went live yesterday, and initially we thought it was just a local hitch, because we got it working after enabling Fiddler on the Xbox Ones (false positive: by using Fiddler the Xbox ends up using Fiddler's root cert and the PC's certs, which pretty much trust everything).

Final note: We don't get this issue on the same UWP build that runs on Windows 10 PC, nor on our Android builds (at least not that we are aware of).

Any suggestion will really be appreciated, as half our population can't log in :S

1 comment

JayZuo ♦ commented:

Have you tried to provide a custom certificateHandler to see if it works?


brendan answered

It does appear that the TLS 1.2 change introduced in Unity 2018.2 has some issues that we'll have to look into. In addition to this thread, we've also seen another (https://community.playfab.com/questions/25551/playfab-not-working-on-amazon-linux-20183.html) showing that Amazon Linux servers also have issues (this would be the source of the CertificateHandler recommendation, since it was what unblocked that developer). If the CertificateHandler isn't supported for your target platform, I'd have to recommend backing off to pre-2018.2 for now. Our SDK team has a work item to look into these issues.

2 comments

illuminia-studios commented:

Update: Based on the theory that this has to do with Amazon root certs (and any root cert that isn't on the Xbox console by default), I tried the following experiment on a live Xbox One: I basically played a game that connects to AWS, in my case Fortnite. Turns out whatever they are doing, it updates the Xbox One root certs. After logging into Fortnite, I exited the game and reopened our game (BOAA Tech Demo) and we are able to log in.

This explains why some players were able to log in and others aren't (those that have played a title that connects to AWS are able to log in). We are using UWP so we don't have 100% access to the Xbox One, so that might be a reason for the root cert not automatically being updated by the console (or the guys at Epic are pinning the root cert directly into the Xbox One OS somehow).

I will try the Unity certificateHandler on our test Xbox One and report back.

brendan commented (in reply to illuminia-studios):

Nice catch. I'll reach out to the XBL folks to ask about the Fortnite case, though I can say that even they wouldn't have the right permissions to pin a root certificate. Still, it at least provides us with a specific example to check on.


illuminia-studios answered

@JayZuo, do you have references as to how to actually make use of the certificateHandler? Also, the Unity docs say it is only supported on Android, iOS, tvOS and desktop platforms. Not sure about UWP. Will search around for how-to examples.

illuminia-studios answered

@Brendan, thanks for your follow-up. I will try the custom handler based on the code from the other thread for the UWP build and Xbox One. Will report back shortly.

illuminia-studios answered

Hi Guys, (@Brendan)

We finally found a solution to the problem of SSL connection failure due to the certificate root. As suggested by the other posts, we had to implement a custom certificate handler to specifically handle the Amazon public certificate for PlayFab.

The certificate handler code can be found in the attached file below (just rename it to .cs to add it to your project):

amazoncertificatehandler.txt

You will also need to modify the class PlayFabUnityHttp.cs to use the custom handler:

Add this code

    // On Xbox: attach the custom handler so the request validates the
    // PlayFab certificate itself instead of relying on the console's root store
    AmazonCertificateHandler amazonCertificateHandler = new AmazonCertificateHandler();
    www.certificateHandler = amazonCertificateHandler;

to the method:

private IEnumerator Post(CallRequestContainer reqContainer)

after the code

    // Build the POST request to the PlayFab API endpoint
    var www = new UnityWebRequest(reqContainer.FullUrl)
    {
        uploadHandler = new UploadHandlerRaw(reqContainer.Payload),
        downloadHandler = new DownloadHandlerBuffer(),
        method = "POST"
    };

This should unblock anyone having this issue till there is an official fix.

As for how secure it is for a live environment, from my research this is technically more secure than solely depending on the system root store (especially for open systems such as Windows and Linux, where the system cert stores can easily be modified).

As for the strange behavior on Xbox One, whereby if you played a non-UWP Xbox game the system seems to then add the Amazon root cert (or possibly just the PlayFab public cert) to the system, and the UWP Xbox game is then able to connect to PlayFab afterwards, the only explanation (without going into too much detail about how the low-level Xbox One back-end works) is that 3rd parties and Xbox@id studios have to explicitly add what endpoints their games are allowed to access.

Hope this helps

Cheers.
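The attached amazoncertificatehandler.txt is not reproduced on this page, so here is an added example (not the thread author's file or PlayFab SDK code) of what such a Unity CertificateHandler looks like when it pins the server's public key rather than trusting everything; the hash value is a placeholder you must replace with one computed from the real certificate chain, and the class name is assumed.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using UnityEngine.Networking;

// Added example: accept the certificate Unity hands us only if the SHA-256 of
// its public key matches a value pinned at build time. Unknown keys are
// rejected (fail closed); never "return true" unconditionally in production.
public class PinnedPublicKeyCertificateHandler : CertificateHandler
{
    // PLACEHOLDER: replace with the hex SHA-256 of the public key(s) taken
    // from the endpoint's certificate chain. Pin more than one entry (e.g. the
    // issuing CA as well as the leaf) so a routine rotation of the leaf
    // certificate does not lock every player out.
    private static readonly string[] PinnedPublicKeySha256 =
    {
        "0000000000000000000000000000000000000000000000000000000000000000",
    };

    protected override bool ValidateCertificate(byte[] certificateData)
    {
        try
        {
            var cert = new X509Certificate2(certificateData);
            string actual = Sha256Hex(cert.GetPublicKey());
            foreach (string pin in PinnedPublicKeySha256)
            {
                if (string.Equals(actual, pin, StringComparison.OrdinalIgnoreCase))
                    return true;
            }
            return false; // key not in the pin set
        }
        catch (CryptographicException)
        {
            return false; // unparsable certificate bytes are rejected
        }
    }

    private static string Sha256Hex(byte[] data)
    {
        using (var sha = SHA256.Create())
        {
            return BitConverter.ToString(sha.ComputeHash(data)).Replace("-", "");
        }
    }
}

// Wiring, in PlayFabUnityHttp.Post() after the UnityWebRequest is built:
//     www.certificateHandler = new PinnedPublicKeyCertificateHandler();
```

Because the handler replaces, rather than supplements, the platform's chain validation, a stale or mistyped pin produces exactly the "unable to complete ssl connection" symptom this thread is about, so keep the pin set under version control and test it against the live endpoint before each release.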
