x

Search in
Sort by:

Question Status:

Search help

  • Simple searches use one or more words. Separate the words with spaces (cat dog) to search cat,dog or both. Separate the words with plus signs (cat +dog) to search for items that may contain cat but must contain dog.
  • You can further refine your search on the search results page, where you can search by keywords, author, topic. These can be combined with each other. Examples
    • cat dog --matches anything with cat,dog or both
    • cat +dog --searches for cat +dog where dog is a mandatory term
    • cat -dog -- searches for cat excluding any result containing dog
    • [cats] —will restrict your search to results with topic named "cats"
    • [cats] [dogs] —will restrict your search to results with both topics, "cats", and "dogs"

HTTP module accepting expired, self-signed and untrusted SSL certificates

While testing requests to my own API, I noticed that the built-in HTTP module accepts invalid SSL certificates despite bVerifyPeer being true.

I sent some POST requests to badssl.com for testing purposes.

wrong host

Request URL: "https://wrong.host.badssl.com/"

As expected, the request is not successful in this case:

 subjectAltName does not match wrong.host.badssl.com

expired certificate

Request URL: "https://expired.badssl.com/"

The request is successful.

 SSL certificate verify result: certificate has expired (10), continuing anyway.

self-signed certificate

Request URL: "https://self-signed.badssl.com/"

The request is successful.

 SSL certificate verify result: self signed certificate (18), continuing anyway.

untrusted root certificate

Request URL: "https://untrusted-root.badssl.com/"

The request is successful.

 SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

revoked certificate

Request URL: "https://revoked.badssl.com/"

The fact that the certificate is revoked is not detected.

 SSL certificate verify ok.


Why are expired, self-signed and untrusted certificates accepted even if they are detected as invalid? This behavior is unacceptable and insecure. Is this a bug or is it possible to change this?

bVerifyPeer is already true, OS is Windows.

Product Version: UE 4.21
Tags:
more ▼

asked Feb 15 '19 at 02:45 PM in Bug Reports

avatar image

CHD Gaming
1

avatar image Jeff A ♦♦ STAFF Feb 15 '19 at 09:50 PM

Hello,

We've recently made a switch to a new bug reporting method using a more structured form. Please visit the link below for more details and report the issue using the new Bug Submission Form. Feel free to continue to use this thread for community discussion around the issue.

https://epicsupport.force.com/unrealengine/s/

Thanks

avatar image PlayerOneBo Jun 27 '19 at 08:01 AM

Hi @CHD Gaming, can you please shed some light on how are you adding the SSL certificates to your https requests? I'm having troubles HTTPs requests using OS installed certificates. (All my requests return invalid certificate, even tho the certs are installed within windows and other API testing tools are able to perform valid requests using the OS certs) Thanks in advance!

(comments are locked)
10|2000 characters needed characters left
Viewable by all users

0 answers: sort voted first
Be the first one to answer this question
toggle preview:

Up to 5 attachments (including images) can be used with a maximum of 5.2 MB each and 5.2 MB total.

Follow this question

Once you sign in you will be able to subscribe for any updates here

Answers to this question