Proper implementation for SSL connections

After going live with a project and running into multiple issues related to the SSL connections, I would like to know how other people are doing it. Better late than never, I guess; our testing never brought up these problems.

The current setup is a server on Digital Ocean with a load balancer to handle the SSL. The certificate is from LetsEncrypt and auto-renews every 60 days.

The problems since launch are on Android and iOS and fall into two categories (which frankly is probably the same underlying cause):

  • the socket connection errors out with: Handshake failed - error code: UNITYTLS_INTERNAL_ERROR, verify result: 4294957312
  • the certificate gets rejected on some small percentage of players with errors like ‘SSL CA certificate error’ and ‘Curl error 60’

We have been in emergency mode since going live so the workarounds used so far are less than ideal. It was easy to side-step the socket by disabling it.

For the SSL certificate, searching the Unity forum revealed that:

Various Android devices have a problem with out of date certificate stores and Let’s Encrypt root certificate did expire not so long ago, so if device does not have a renewed one, it will not work.

It seems unavoidable that some devices with old certificate stores will error out. That left only one solution: accept any certificate via a custom certificate handler passed to the UnityWebRequest.

I suppose that using Heroic Cloud would have given a more stable SSL certificate and we would not have run into these problems? But what are other developers doing to mitigate these issues?

I have considered relocating the SSL certificate to the Nakama server itself, but it is apparently not recommended to do so, and no explanation was given of the pitfalls. Is anyone using that in production?
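A custom `CertificateHandler` that returns `true` for every certificate switches off TLS authentication for the whole request: the device will happily talk to anyone who terminates the connection, not just to the load balancer. The stale-trust-store problem can be worked around without giving that up. The following added example (not code from the original post, Unity or Nakama) shows the accept-everything handler beside a hardened variant that ignores the device's CA store entirely and instead checks that the leaf certificate carries a server public key you control. The hash values are placeholders; `ComputePin` is a helper assumed here so the same bytes (`X509Certificate2.GetPublicKey()`) are hashed both when deriving the pin offline and when validating on the device.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using UnityEngine.Networking;

// The workaround from the post: every certificate is accepted, so any
// on-path party holding any certificate can read and alter game traffic.
public class AcceptAllCertificates : CertificateHandler
{
    protected override bool ValidateCertificate(byte[] certificateData)
    {
        return true;
    }
}

// Hardened alternative: public-key pinning. Unity invokes ValidateCertificate
// with the leaf certificate sent by the server; instead of asking the (possibly
// outdated) device trust store, we check that the leaf's public key is one we
// expect. A Let's Encrypt renewal keeps the pin valid only if the server keeps
// its key pair (for certbot: --reuse-key); pin a backup key as well so a key
// rotation cannot lock players out.
public class PinnedPublicKeyHandler : CertificateHandler
{
    // Placeholder values: replace with ComputePin() run over your own
    // certificate files (current key and backup key).
    private static readonly string[] PinnedKeyHashes =
    {
        "REPLACE_WITH_PIN_OF_CURRENT_SERVER_KEY",
        "REPLACE_WITH_PIN_OF_BACKUP_SERVER_KEY",
    };

    // SHA-256 over the raw public key bytes, base64-encoded. Use this same
    // function (e.g. from an Editor script) to derive the pins above.
    public static string ComputePin(byte[] certificateDer)
    {
        var cert = new X509Certificate2(certificateDer);
        using (var sha256 = SHA256.Create())
        {
            return Convert.ToBase64String(sha256.ComputeHash(cert.GetPublicKey()));
        }
    }

    protected override bool ValidateCertificate(byte[] certificateData)
    {
        try
        {
            var cert = new X509Certificate2(certificateData);
            DateTime now = DateTime.UtcNow;

            // Still reject certificates outside their validity window; the
            // pin proves key ownership, not freshness.
            if (now < cert.NotBefore.ToUniversalTime() ||
                now > cert.NotAfter.ToUniversalTime())
            {
                return false;
            }

            return PinnedKeyHashes.Contains(ComputePin(certificateData));
        }
        catch (CryptographicException)
        {
            // Unparseable certificate data: fail closed.
            return false;
        }
    }
}

// Usage inside a coroutine (hostname is a placeholder):
//   var request = UnityWebRequest.Get("https://game.example/api");
//   request.certificateHandler = new PinnedPublicKeyHandler();
//   yield return request.SendWebRequest();
```

Because the pin is on the key rather than on the certificate, the 60-day Let's Encrypt rotation does not invalidate it as long as the key is reused, and because validation no longer consults the device CA store, the expired-root problem that breaks old Android devices disappears as well. The trade-off is operational: a pin baked into a shipped build can only be changed by shipping a new build, which is why the second, offline backup pin matters.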

Hi @adbourdages;

The reason why we don't recommend SSL termination with Nakama is SSL attacks and the inability to mitigate DDoS attacks using honeypotting.

We can’t comment on self-hosted infrastructure sadly. I do recommend that you use our Heroic Cloud which deploys production dedicated infrastructure (tested with many games at scale).