FreeBird

Reputation: 721

InitCrypto fails - unable to enable SSL in Unity Smartfox client

The code I'm using is SFS's Unity sample code - that is, just a proof of concept. The server is SFS 2.13.0.

Here are the things I've done.

Upon SFS startup I can connect with the openssl command line tool and see the certificate.

From Unity I'm trying to log in using the sample client (Connector.cs). If I disable encryption it works just fine. The moment I add a listener, it fails.

First, there is the event listener:

// Registered before connecting, so the CRYPTO_INIT result is not missed
if (useEncryption) {

    sfs.AddEventListener (SFSEvent.CRYPTO_INIT, OnCryptoInit);
}

Then the event is triggered from OnConnection:

// Inside the CONNECTION handler: start the TLS handshake (a coroutine)
// and only show the login UI once CRYPTO_INIT reports success
if (useEncryption) {

    trace("Initializing Crypto");
    StartCoroutine(sfs.InitCrypto ());
} else {

    enableInterface ("LOGIN");
    uiState = 2;
}

The OnCryptoInit method looks like this:

// CRYPTO_INIT handler: "success" is a bool, "errorMessage" a string
private void OnCryptoInit(BaseEvent evt) {

    trace("Crypto Initialized?");

    if ((bool) evt.Params["success"]) {

        trace("....YES!");
        enableInterface ("LOGIN");
        uiState = 2;
    } else {

        trace("Encryption initialization failed: " + (string)evt.Params["errorMessage"]);
    }
}

When I run this, I always get (irrespective of the certificate):

Encryption initialization failed: Unknown Error

Which is not very helpful.

A Wireshark dump showed me a Client Hello, a Server Hello and a Handshake Failure. I enable only one cipher at the Smartfox end (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) but I can see it in the list of ciphers (85 of them) that the client sends out, so I don't think it is because of inability to negotiate an acceptable cipher.

My original try was with a Let's Encrypt certificate at the Smartfox end. Later on I purchased one from Certum (Certum Domain Validation CA SHA2 is the issuer). I am unable to verify if my Unity installation has the intermediates needed to verify these certificates.

  1. How do I figure out the reason for the SSL failure?

  2. Does Unity expect all intermediate certificates in its own certificate store?

  3. Where is Unity's certificate store, anyway? How do I check if all root certificates are present or not?

  4. Any suggestions on how I can debug this issue further?

Upvotes: 0

Views: 342

Answers (1)

FreeBird

Reputation: 721

To those who might reach this question with similar issues: I resolved this with the help of SFS support. Briefly, the issue was that the keystore needed all certificates and keys under a single alias. I had an intermediate certificate listed under a different alias (the script used to generate the keystore imported intermediates with a hashed version of their CN as the alias), so they were not served. This resulted in incomplete certificate chain verification at the client end, an error that was not reported accurately to the application code.

The correct command sequence to generate the keystore is:

CN=my.domain.tld
# end-entity certificate first, then the intermediates, in order
cat $CN.pem IntermediateCert1.pem IntermediateCert2.pem > $CN-chain.pem
# key + every certificate in the chain file under one friendly name ($CN)
openssl pkcs12 -export -in $CN-chain.pem -inkey $CN.key -name $CN -out $CN.p12
# import the PKCS#12 as-is; the single PKCS#12 entry becomes a single keystore alias
keytool -importkeystore -deststorepass xxxxxx -destkeystore $CN.keystore -srckeystore $CN.p12 -srcstoretype PKCS12

This ensures that the end certificate, its private key and all intermediate certificates are all listed under a single alias within the keystore.

Upvotes: 1
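The following is an added example, not code from the question, the answer or SmartFoxServer. It covers both the question's "how do I figure out the reason for the SSL failure" and the answer's keystore fix: it builds a constructed root -> intermediate -> leaf PKI with openssl, exports one PKCS#12 from the leaf alone (what a keystore with the intermediate under a different alias effectively serves) and one from the concatenated chain file (the answer's fix), then checks what each can serve and whether the leaf verifies using only the certificates that travel with it. The hostname my.domain.tld, the working directory, the "changeit" password and the helper names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or from SmartFoxServer.
# Constructed PKI: root -> intermediate -> leaf, built with openssl only.
# All names, paths and the "changeit" password are assumptions for the demo.
set -eu

WORK=${WORK:-$(mktemp -d)}
CN=${CN:-my.domain.tld}          # same placeholder hostname as in the answer
PASS=pass:changeit               # PKCS#12 password (demo only)

# make_demo_pki: writes root.pem, int.pem and $CN.pem/$CN.key into $WORK
make_demo_pki() {
  # Self-signed root; CA:TRUE is set explicitly so nothing depends on openssl.cnf
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate CA signed by the root
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  # End-entity (server) certificate for $CN signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$CN" \
    -keyout "$WORK/$CN.key" -out "$WORK/$CN.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$CN" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/$CN.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/$CN.pem" 2>/dev/null
}

# build_p12 CERTS.pem OUT.p12: the answer's export step. Every certificate in
# CERTS.pem lands in the PKCS#12 under the single friendly name $CN, next to the key.
build_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$WORK/$CN.key" -name "$CN" -passout "$PASS" -out "$2"
}

# p12_certs IN.p12 OUT.pem: what the keystore can actually serve, leaf first, CA certs after
p12_certs() {
  openssl pkcs12 -in "$1" -passin "$PASS" -nokeys -clcerts 2>/dev/null > "$2"
  openssl pkcs12 -in "$1" -passin "$PASS" -nokeys -cacerts 2>/dev/null >> "$2"
}

# p12_cert_count IN.p12: number of certificates in the PKCS#12 (1 means no intermediates)
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "$PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# chain_ok CHAIN.pem: exit 0 if the first certificate in CHAIN.pem (the server
# certificate, which a TLS server sends first) verifies up to $WORK/root.pem using
# only the other certificates in the same file as untrusted intermediates.
# Against a real server, drop -CAfile so the system trust store is used instead.
chain_ok() {
  openssl x509 -in "$1" -out "$WORK/leaf.pem" 2>/dev/null   # x509 reads only the first cert
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

# served_chain HOST PORT: the chain a live server presents (needs network, so the
# demo below does not call it). Pipe its output to a file and run chain_ok on it.
served_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p'
}

# demo: the failure mode from the question (leaf only) next to the corrected keystore
demo() {
  make_demo_pki
  cat "$WORK/$CN.pem" "$WORK/int.pem" > "$WORK/$CN-chain.pem"   # the answer's cat step
  build_p12 "$WORK/$CN.pem"       "$WORK/leaf-only.p12"       # intermediate missing
  build_p12 "$WORK/$CN-chain.pem" "$WORK/$CN.p12"             # the answer's corrected export
  for p12 in leaf-only.p12 "$CN.p12"; do
    p12_certs "$WORK/$p12" "$WORK/$p12.pem"
    if chain_ok "$WORK/$p12.pem"; then verdict=OK; else verdict="FAIL (incomplete chain)"; fi
    echo "$p12: $(p12_cert_count "$WORK/$p12") cert(s), verification $verdict"
  done
}

demo
```

The leaf-only PKCS#12 reproduces the symptom from the question: the server sends a certificate the client cannot chain to a trusted root, so the handshake fails and the client library reports only a generic error. The same chain_ok check run on the output of served_chain against the live SmartFoxServer port, with -CAfile removed so the system trust store is used, answers question 1 without depending on Unity's error reporting.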
