How to validate SSL certificate before sending data via https?
My app sends data to a server with a WWWForm. Before I send the data, I'd like to validate that the destination has a valid SSL certificate to prevent the data getting sent to some other untrusted destination (eg. via rewrite rules).
If I understand correctly, the WWW object doesn't automatically handle enforcing SSL certificate validity when dealing with https requests. I'm looking for the simplest possible way to enforce this, and to not send the data if no valid certificate is found.
I've looked at some .Net documentation for dealing with this kind of scenario but so far I've found it difficult to understand. Does anyone have (or could anyone write) some example code demonstrating how this can be achieved in the simplest way? (I'm open to using a paid-for asset if this would make things simpler here).
Here's a stripped down version of the (no enforcing) code I have at the moment:
    var form:WWWForm = new WWWForm();
    form.AddField("field1", "value1");
    form.AddField("field2", "value2");
    // TODO: Only send data if valid certificate is found
    var www:WWW = new WWW("https://my.sitewithvalidsslcertificate.com", form);
    // Wait until the download is done
    yield www;
    if (www.error != null) {
        Debug.Log(www.error);
    } else {
        // TODO: process www.text here
    }
Where did you get your info about WWW not enforcing SSL certificate validity? I'm looking for the opposite, I'm hoping it doesn't validate because I want to use a self-signed certificate, but I don't just want to test on one or two platforms I have access to, I want to know for sure before I start my project.
http://answers.unity3d.com/questions/445951/using-https-and-ssl.html -- based on your comment here and Benproductions1's answer, and the fact he has over 10k rep here, I guess that might be enough "proof" for me. Sorry, I can't answer your question. At the very least I think you'll need to use some native .NET classes, and they will likely not be available on most platforms (even less with the free version of Unity).
Just tested on a Windows RT Surface (Windows Store build) and on that platform it does complain if certificate is invalid. Guess I'll have to test in HTTP mode and switch to HTTPS after I purchase a certificate + domain.
I read that the trusted certificate store that mono uses (non-windows platforms) doesn't necessarily have anything in it. And my app isn't necessarily going to have or be able to get the necessary permissions to be able to add certs to it. So it seems like any use of https on the part of my unity app is going to be vulnerable to MITM attacks. So I'm looking now at using http, but using a "payload" post variable, which is an encrypted string with serialized data.
Answer by Bajana · Nov 18, 2015 at 01:08 PM
Hello, has anybody solved this problem with WWW and https?
Here is the error code on Android:
11-18 11:28:09.857 7407-7426/? E/Unity﹕ ParseDataTest: data:javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
(Filename: ./artifacts/generated/common/runtime/UnityEngineDebugBindings.gen.cpp Line: 65)
And Unity error code:
arseDataTest: data:SSL: certificate subject name 'localhost' does not match target host name 'test.example.com'
Thank you.
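One way to refuse to send the form unless the server certificate checks out, using the .NET classes mentioned in the comments instead of WWW (an added example, not code from anyone in this thread). It assumes System.Net is available on the target platform, which the thread says is not guaranteed; the names PinnedPost, Validate and Post are hypothetical, and the pin value is a placeholder to be replaced with the hash of your own server's public key.

```csharp
using System;
using System.Collections.Specialized;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class PinnedPost
{
    // Placeholder: hex SHA-256 of the server certificate's public key bytes.
    const string PinnedKeySha256 = "<HEX-SHA256-OF-SERVER-PUBLIC-KEY>";

    // Returns true only when the presented certificate should be trusted.
    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (cert == null) return false;
        // Never accept a missing certificate or a host name mismatch.
        const SslPolicyErrors fatal = SslPolicyErrors.RemoteCertificateNotAvailable
                                    | SslPolicyErrors.RemoteCertificateNameMismatch;
        if ((errors & fatal) != 0) return false;
        // Chain errors alone are tolerated only if the key matches the pin,
        // which covers runtimes whose trusted certificate store is empty.
        using (SHA256 sha = SHA256.Create())
        {
            string actual = BitConverter.ToString(sha.ComputeHash(cert.GetPublicKey()))
                                        .Replace("-", "");
            return string.Equals(actual, PinnedKeySha256, StringComparison.OrdinalIgnoreCase);
        }
    }

    // Posts the form; returns the response body, or null if the request failed
    // (a rejected certificate surfaces as a WebException before any data is sent).
    public static string Post(string url, NameValueCollection fields)
    {
        // Process-wide setting: every HTTPS request made afterwards uses Validate.
        ServicePointManager.ServerCertificateValidationCallback = Validate;
        try
        {
            using (WebClient client = new WebClient())
                return Encoding.UTF8.GetString(client.UploadValues(url, fields));
        }
        catch (WebException e)
        {
            Console.Error.WriteLine("Request refused: " + e.Message);
            return null;
        }
    }
}
```

With this callback, the subject name mismatch shown in the Unity error above is rejected outright, while a "trust anchor not found" style chain error is accepted only when the server's key matches the pin.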