Realtime Client - mbedtls question

Hey,

The team I work with and I have been going through getting the newer Realtime C# client SDK working on Unity across the different platforms, and while going through the CMake we noticed that it’s fetching the source of the mbedtls v2.16.2 release and embedding it.

It works for the most part to my knowledge, but I was wondering if the team has any plans to update this to a more recent version of mbedtls? 2.16.2 was released in June 2019, and well over 5k commits have happened since then (1 major release and 11 minor releases).

I have noticed that occasionally the X509 certs for sessions are failing to pass Unity’s internal certificate handshake (Unity has a pretty strong stance on certs having intermediate chains; I'm unsure if certs on GameLift sessions are all the same or differ from session to session). Perhaps this update could help with that?

Hi @Sky_Copeland,
Thanks for pointing this out. I’ve cut an issue with the GameLift team to update this dependency.

As a workaround (to unblock yourself), are you able to modify the CMake to pull a more recent version yourself and see if that fixes the handshake issues?
A fleet uses a single certificate, so all GameLift GameSessions from the same fleet should use the same cert.

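One way to try the workaround suggested above, as an added example that is not the Realtime SDK's own CMake: pin the FetchContent dependency to a newer 2.x release of Mbed TLS and make configuration fail if the fetched tree does not report the version that was pinned. It assumes the SDK fetches mbedtls with FetchContent and relies on upstream's `mbedtls-<version>` tag naming; the chosen version is only an example value.

```cmake
# Added example (not the SDK's own CMake): embed a newer Mbed TLS 2.x release
# via FetchContent and verify the fetched version at configure time.
include(FetchContent)

# Stay on the 2.x line: 3.0 changed the API and is a more involved update.
# "2.28.0" is an example value; pick the 2.x release you want to test.
set(MBEDTLS_EXPECTED_VERSION "2.28.0" CACHE STRING "Mbed TLS 2.x release to embed")

# Don't build mbedtls' sample programs and test suites into the client.
set(ENABLE_PROGRAMS OFF CACHE BOOL "" FORCE)
set(ENABLE_TESTING OFF CACHE BOOL "" FORCE)

FetchContent_Declare(
  mbedtls
  GIT_REPOSITORY https://github.com/Mbed-TLS/mbedtls.git
  # A full commit hash is a stronger pin than a tag (tags can be moved);
  # the tag form is used here so the version is easy to change while testing.
  GIT_TAG        mbedtls-${MBEDTLS_EXPECTED_VERSION}
  GIT_SHALLOW    TRUE
)
FetchContent_MakeAvailable(mbedtls)

# Check what was actually fetched: MBEDTLS_VERSION_STRING in the version
# header must match the pinned version, otherwise stop the build.
file(READ "${mbedtls_SOURCE_DIR}/include/mbedtls/version.h" _mbedtls_version_h)
string(REGEX MATCH "MBEDTLS_VERSION_STRING +\"([0-9.]+)\"" _unused "${_mbedtls_version_h}")
if(NOT CMAKE_MATCH_1 STREQUAL MBEDTLS_EXPECTED_VERSION)
  message(FATAL_ERROR
    "Fetched Mbed TLS ${CMAKE_MATCH_1}, but expected ${MBEDTLS_EXPECTED_VERSION}")
endif()
message(STATUS "Embedding Mbed TLS ${CMAKE_MATCH_1}")
```

Rebuild the Unity plugin against the new tree and re-run the sessions that were failing; if the handshake still fails with the newer library, the cause is more likely the chain the server presents than the mbedtls version.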

I think going up to the latest 2.x version of mbedtls is probably a possible workaround? (If that’s even the problem with the X509 handshake; net security really isn’t my area, haha.) But from what I’ve read, 3.0 is a major change release that’ll likely be a more involved update.

I’ll give this a try soon though and update if manually changing to a more recent version has any effects.

In another direction, though: so a fleet uses one certificate for all sessions. That makes sense. Normally when I’ve seen this error, it’s consistent for that timespan. For example, I’ll spend an entire day with that error, then the next day it’s just gone and works perfectly fine. Does the fleet refresh at some point and get a new cert? Or if I left the fleet up for a year, would it be the same cert at the start and end of that year?

A given fleet keeps the same certificate for 13 months, and all instances under that fleet use the same certificate, so it shouldn’t vary from day to day. The certificate is issued by AWS Certificate Manager: ACM certificate characteristics - AWS Certificate Manager

The behavior described does sound strange. Some follow-up questions to help us understand the issue better:

  • Is the exception being thrown by a Unity CertificateHandler somewhere or by mbedtls itself?
  • If a Unity CertificateHandler is involved, when is it called?
  • What Realtime Client API is being called when this error occurs (e.g. SendMessage)?
  • Do you have an example error/exception log that you can share?