I’m prototyping a game in Unity 5 and UE4 to see which one fits the game best, and so far I’ve had no luck with getting SSL certs set up with Unity. I see UE4 uses libcurl, so does the FHttpModule support HTTPS and verifying certificates? Also, are there any limitations, e.g. hash length/algorithms? I know Unity has limitations like this, that’s why I ask.
The HTTP code does support SSL and verifies the certificates. We use it to communicate with various online RESTful services.
This doesn’t appear to be accurate with local testing on my Windows 10 workstation using Unreal 4.14.
Tracing it down, it looks like on Windows, in CurlHttpManager.cpp [484], the CertBundlePath is null. As a result bVerifyPeer is set to false and by default UE4 doesn’t check anything other than the hostname for a certificate.
Is it just me or is security off by default? Haven’t been able to find documentation referencing this issue.
Info log:
LogInfo:Display: ExecuteHttpStaticRecv(40): Got http response [200] : https://expired.badssl.com/
LogInfo:Display: ExecuteHttpStaticRecv(40): Got http response [200] : https://sha256.badssl.com/
LogInfo:Display: ExecuteHttpStaticRecv(40): Got http response [200] : https://untrusted-root.badssl.com/
LogInfo:Display: ExecuteHttpStaticRecv(40): Got http response [200] : https://self-signed.badssl.com/
LogInfo:Display: ExecuteHttpStaticRecv(40): Got http response [200] : https://revoked.badssl.com/
LogInfo:Display: ExecuteHttpStaticRecv(40): Got http response [200] : https://incomplete-chain.badssl.com/
Tracing it down on GitHub, I believe this change is responsible?
Change 2958724 on 2016/04/28 by #########
moved setting bVerifyPeer flag AFTER CertBundlePath has been set...
otherwise, libCurl is going to try to verify the SSL session - but without a cert file, it makes no sense to try and verify the session
- we could (and probably should) make this an error condition - but the constructor has the bVerifyPeer set to true -- which would mean that all games will need to have a cert file and/or know to set bVerifyPeer to false...
- and so far, only linux and android seem to have code in place to make use of the cert files...
#jira UE-29950 - Orion dedicated server MCP authentication fails when using CURL
#lockdown ##########
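A way to turn the badssl.com log above into a repeatable check, as an added example that is not part of the thread or of the engine's code: it parses log lines in the format shown and reports which successful responses prove that certificate verification is off. Treating `revoked` and `incomplete-chain` as client-dependent is an assumption of this example, since the result there depends on revocation checking and intermediate fetching rather than on basic chain validation.

```python
import re
from urllib.parse import urlparse

# Expected outcome per badssl.com subdomain for a client that validates the chain.
# "varies" marks cases that depend on revocation checking or intermediate
# fetching (an assumption of this example, not something stated in the thread).
EXPECTED = {
    "expired": "reject",
    "untrusted-root": "reject",
    "self-signed": "reject",
    "sha256": "accept",
    "revoked": "varies",
    "incomplete-chain": "varies",
}

# Matches the log format quoted in the post above.
LINE_RE = re.compile(r"Got http response \[\d{3}\] : (https://\S+)")

# Log lines copied from the post above.
SAMPLE_LOG = """\
LogInfo:Display: ExecuteHttpStaticRecv(40): Got http response [200] : https://expired.badssl.com/
LogInfo:Display: ExecuteHttpStaticRecv(40): Got http response [200] : https://sha256.badssl.com/
LogInfo:Display: ExecuteHttpStaticRecv(40): Got http response [200] : https://untrusted-root.badssl.com/
LogInfo:Display: ExecuteHttpStaticRecv(40): Got http response [200] : https://self-signed.badssl.com/
LogInfo:Display: ExecuteHttpStaticRecv(40): Got http response [200] : https://revoked.badssl.com/
LogInfo:Display: ExecuteHttpStaticRecv(40): Got http response [200] : https://incomplete-chain.badssl.com/
"""

def audit(log_text):
    """Return (findings, inconclusive) host lists for badssl.com responses."""
    findings, inconclusive = [], []
    for match in LINE_RE.finditer(log_text):
        host = urlparse(match.group(1)).hostname or ""
        if not host.endswith(".badssl.com"):
            continue
        expected = EXPECTED.get(host[: -len(".badssl.com")])
        # Any HTTP status at all means the TLS handshake was allowed to complete.
        if expected == "reject":
            findings.append(host)
        elif expected == "varies":
            inconclusive.append(host)
    return findings, inconclusive

def verification_disabled(log_text):
    """True when at least one must-reject host returned an HTTP response."""
    return bool(audit(log_text)[0])

if __name__ == "__main__":
    bad, unsure = audit(SAMPLE_LOG)
    print("verification disabled:", bool(bad), "| proof:", bad, "| inconclusive:", unsure)
```

Run against a build's own HTTP log after requesting the same test hosts, an empty findings list is the result to expect once a CA bundle is configured and peer verification is on.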
Any word on this? I’m not able to download a file from an HTTPS url either.
Hi, this is a UE4 HTTP plugin: