Does UE4 support HTTPS?

kkirkfield · August 4, 2015, 2:02am

I’m prototyping a game in Unity 5 and UE4 to see which one fits the game best, and so far I’ve had no luck with getting SSL certs setup with Unity. I see UE4 uses libcurl, so does the FHttpModule support HTTPS and verifying certificates? Also, are there any limitations, E.g. hash length/algorithms? I know Unity has limitations like this, that’s why I ask.

joeGraf · August 4, 2015, 7:26pm

The HTTP code does support SSL and verifies the certificates. We use it to communicate with various online RESTful services.

ambientenergy · January 31, 2017, 1:15pm

This doesn’t appear to be accurate with local testing on my windows 10 workstation using unreal 4.14

Tracing it down, looks like on windows in CurlHttpManager.cpp [484] that the CertBundlePath is null. As a result bVerifyPeer is set to false and by default UE4 doesn’t check anything other than the hostname for a certificate.

Is it just me or is security off by default? Haven’t been able to find documentation referencing this issue.

Info Log :

LogInfo:Display: ExecuteHttpStaticRecv(40): Got http response [200] : https://expired.badssl.com/

LogInfo:Display: ExecuteHttpStaticRecv(40): Got http response [200] : https://sha256.badssl.com/

LogInfo:Display: ExecuteHttpStaticRecv(40): Got http response [200] : https://untrusted-root.badssl.com/

LogInfo:Display: ExecuteHttpStaticRecv(40): Got http response [200] : https://self-signed.badssl.com/

LogInfo:Display: ExecuteHttpStaticRecv(40): Got http response [200] : https://revoked.badssl.com/

LogInfo:Display: ExecuteHttpStaticRecv(40): Got http response [200] : https://incomplete-chain.badssl.com/

ambientenergy · January 31, 2017, 1:20pm

Tracing down on github, I believe this change is responsible?

https://github.com/EpicGames/UnrealEngine/blame/4.14.1-release/Engine/Source/Runtime/Online/HTTP/Private/Curl/CurlHttpManager.cpp#L486

Change 2958724 on 2016/04/28 by #########

moved setting bVerifyPeer flag AFTER CertBundlePath has been set...

otherwise, libCurl is going to try to verify the SSL session - but without a cert file, it makes no sense to try and verify the session

- we could (and probably should) make this an error condition - but the constructor has the bVerifyPeer set to true -- which would mean that all games will need to have a cert file and/or know to set bVerifyPeer to false...

- and so far, only linux and android seem to have code in place to make use of the cert files...

#jira UE-29950 - Orion deticated server MCP authentication fails when using CURL
#lockdown ##########

Randy_Croucher1 · October 4, 2018, 10:13am

Any word on this? I’m not able to download a file from an HTTPS url either.

anonymous_user_6da3364e · January 11, 2019, 2:02am

Hi, this is a UE4 HTTP plugin: