HTTPRequest: TLS handshake error
Tested versions
Reproducible in Godot Engine v4.2.stable.official.46dc27791
System information
Godot v4.2.stable - Windows 10.0.19045 - Vulkan (Forward+) - dedicated Quadro P620 () - Intel(R) Core(TM) i7-10875H CPU @ 2.30GHz (16 Threads)
Issue description
I created a web server with HTTPS support, issued a self-signed SSL certificate (OpenSSL 3.2), and added the .crt to "Certificate bundle override" in Godot. When trying to execute HttpRequest in GDScript I got this error:
E 0:00:14:0222 _do_handshake: TLS handshake error: -9984
<C++ Source> modules/mbedtls/stream_peer_mbedtls.cpp:89 @ _do_handshake()
Without HTTPS all works as intended. In the browser and in Postman all endpoints work over HTTPS with no issues.
Steps to reproduce
- create simple web server with 1 endpoint
- issue self signed certificate with openssl 3.2
- secure web server with ssl
- add certificate to godot project settings
- try to execute HttpRequest to web server
Minimal reproduction project (MRP)
HttpRequest.request() will be enough
In this MRP project #84559, using Godot's HttpRequest node in C# to access https://www.example.com sometimes gives similar errors.
godot : USER ERROR: TLS handshake error: -27648
godot : at: _do_handshake (modules/mbedtls/stream_peer_mbedtls.cpp:89)
I am also experiencing the same issue with self-signed certificates (which obviously do not include the website address). I have an HTTPS server set up on my machine. I am using this certificate for testing purposes on localhost/LAN networks/VPNs. Adding this certificate in project settings does not change anything.
System: 6.6.10-arch1-1, ryzen 5 3600
The problem is apparent in Godot 4.1.3 and Godot 4.2.1, both without Mono.
I have tested my backend with curl and found out that my server required the --insecure option for curl to perform a request, because it didn't work with the --cacert option.
I do not know why neither Godot nor curl works with the specified CA certificate.
I don't want to open a new issue, because I think the problem is similar: while using ENetMultiplayerPeer and setting up the connection with client_unsafe() on the client side, this should skip the certificate verification, which it doesn't.
The error codes are a bit different (client: -9984 -> X509 cert. verification failed | server: -30592 -> SSL fatal alert msg.), but it seems the problem lies in the X509 cert module.
I am no expert in C/C++ and definitely no expert in cryptography, and I wouldn't consider myself a good coder. I don't know if the following solution makes the network communication in Godot fatally insecure. Use the following solution at your own risk.
So after doing some digging I changed the following lines as shown below:
if (*flags != 0) { return MBEDTLS_ERR_X509_CERT_VERIFY_FAILED; }
if (*flags != 0 && *flags != MBEDTLS_X509_BADCERT_NOT_TRUSTED) { return MBEDTLS_ERR_X509_CERT_VERIFY_FAILED; }
While using client_unsafe() the flag has the value 8 (= MBEDTLS_X509_BADCERT_NOT_TRUSTED), and while using client() it is 12 if I remember correctly (I couldn't find an error message for this one).
I tested this only with self-signed certificates, but using client() does throw an error, which it should, and using client_unsafe() does allow the connection to be made. Also the communication is encrypted when monitored with Wireshark.
I hope this will help, at least somewhat, to resolve this Issue :)
Happening in v4.3.beta2.official [b75f0485b]
Can confirm still happens on 3978628c6cc1227250fc6ed45c8d854d24c30c30
Does not happen on 4.3rc2
Something related to compiling is my best guess.
I'm only trying to use the asset lib and this happens (sorry for the update spam, forgot about it).
@IGN-Styly Please edit your comment with more information instead of posting 4 updates in a row, this generates a lot of notification spam.
I have the same issue in my project.
In Godot 4.2.2, to resolve it, I added set_tls_options(TLSOptions.client_unsafe()) in my HTTPRequest node.
In Godot 4.3, the problem reappeared. The project is exactly the same.
In Godot 4.3, it seems that set_tls_options(TLSOptions.client_unsafe()) is not being taken into account.
Seems to be an mbedtls issue.
If the client certificate does not have the correct common name associated with it, you need to use TLSOptions.client_unsafe and specify the certificate you want to pin (see https://docs.godotengine.org/en/stable/classes/class_tlsoptions.html#class-tlsoptions-method-client-unsafe ). Alternatively, you should give the proper common name (DNS name) to the certificate.
If client_unsafe is not working in 4.3, it might be a regression. I'll be AFK for another week, I'll try to investigate when I'm back.
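As an added example (not code from the issue or from the Godot project), this GDScript shows the two shapes of the fix described above: keep certificate verification by pinning the self-signed certificate and overriding the expected name via TLSOptions.client(), or fall back to TLSOptions.client_unsafe() with the pinned chain. The certificate path, URL and common name are assumptions for a LAN test server.

```gdscript
extends Node

# Added example for a self-signed test server; paths and names below are assumptions.
const CERT_PATH := "res://certs/server.crt"            # assumed: server's self-signed cert (PEM)
const URL := "https://192.168.1.20:8443/api/health"     # assumed: LAN server endpoint
const CERT_NAME := "myserver.local"                     # assumed: CN/SAN actually in the cert

func _ready() -> void:
	var cert := X509Certificate.new()
	var err := cert.load(CERT_PATH)
	if err != OK:
		push_error("Could not load pinned certificate: %s" % error_string(err))
		return

	var http := HTTPRequest.new()
	add_child(http)
	http.request_completed.connect(_on_request_completed)

	# Option A (preferred): full verification against the pinned certificate, with the
	# hostname check redirected to the name the certificate really carries. The handshake
	# still fails if the server presents any other certificate or the cert has expired.
	http.set_tls_options(TLSOptions.client(cert, CERT_NAME))

	# Option B: pin the certificate but skip the hostname check. Use only for certs that
	# carry no usable DNS name. Note that TLSOptions.client_unsafe() with no argument
	# accepts ANY certificate, which is the setting to avoid outside local testing.
	# http.set_tls_options(TLSOptions.client_unsafe(cert))

	err = http.request(URL)
	if err != OK:
		push_error("request() failed: %s" % error_string(err))

func _on_request_completed(result: int, response_code: int, _headers: PackedStringArray, body: PackedByteArray) -> void:
	match result:
		HTTPRequest.RESULT_SUCCESS:
			print("HTTP %d: %s" % [response_code, body.get_string_from_utf8()])
		HTTPRequest.RESULT_TLS_HANDSHAKE_ERROR:
			# This is the result behind mbedtls -9984 (X509 verify failed): the cert is not the
			# pinned one, is not trusted by the bundle, or its name does not match the URL host.
			push_error("TLS handshake failed: certificate not trusted or name mismatch")
		_:
			push_error("Request failed with result %d" % result)
```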
Godot itself, trying to access the asset lib, gets a TLS handshake error. No code written: make a project, go to the asset lib and you get the error. Tried multiple compile options and prebuilt binaries. Can someone mark it as a regression?
If your issue is with asset lib please open a new issue with the proper information (Godot version, OS, etc). This issue is about self signed certificates.
The issues are related, or the same one. I can't make an issue as currently my mouse is broken.
I'm pretty confident they are not related (and definitely not the same). One is about self-signed certificates (which need special handling). Your issue is about the asset library, which has a valid (i.e. not self-signed) certificate, and which we didn't get any other report about, so it's probably something specific to your configuration.
I have the same problem in my project.
In Godot 4.2.2, to solve this problem, I added set_tls_options(TLSOptions.client_unsafe()) to the HTTPRequest node. In Godot 4.3 the problem reappeared. The project is exactly the same.
In Godot 4.3, it seems that set_tls_options(TLSOptions.client_unsafe()) is not taken into account.
Same problem: the same project, just upgraded to Godot 4.3, then a RESULT_TLS_HANDSHAKE_ERROR error.
Opened https://github.com/godotengine/godot/issues/96170 to track the 4.3 regression regarding TLSOptions.client_unsafe reported by @Fifut.
Updated the title of this PR to reflect the OP issue and opened https://github.com/godotengine/godot-docs/pull/9847 to update and clarify the documentation around TLS certificates in project settings.
We should track the issue reported around the Asset Library in https://github.com/godotengine/godot/issues/96103
I wonder if that works for WebSockets served over wss.