Unity Client + C# SDK - StartMatchmaking getting invalid certificate exception

The problem I’m seeing is the same one as this unanswered question: https://forums.awsgametech.com/t/net-4-6-support/4803/1

I’m using the .NET 3.5 SDK with Unity, calling the StartMatchmaking API. I’ve found no C# SDK Client example/tutorial anywhere, so the code here is what I hacked together from C++ examples (which have slightly different config parameters).

Our GameLift code looks like this:


using System;
using System.Collections.Generic;
using Amazon;
using Amazon.GameLift;
using Amazon.GameLift.Model;

AmazonGameLiftClient gameLiftClient;

// Method signature assumed; the post shows only the method body.
void StartMatchmaking(string matchmakingTicketID, string playerID,
                      Dictionary<string, AttributeValue> attributes)
{
    var config = new AmazonGameLiftConfig();
    config.RegionEndpoint = RegionEndpoint.EUCentral1;
    // Access key and secret are compiled into the game client here.
    gameLiftClient = new AmazonGameLiftClient("ourId", "ourSecret", config);

    var req = new StartMatchmakingRequest();
    req.TicketId = matchmakingTicketID;
    req.Players = new List<Player>()
    {
        new Player
        {
            PlayerId = playerID,
            PlayerAttributes = attributes
        }
    };
    req.ConfigurationName = "QuickMatch";
    // .NET 3.5 SDK: asynchronous Begin/End pattern, callback below
    gameLiftClient.BeginStartMatchmaking(req, MatchmakingResp, null);
}

void MatchmakingResp(IAsyncResult result)
{
    // This is where the result comes loaded with the exception described below
    var response = gameLiftClient.EndStartMatchmaking(result);
}

After many seconds we get an exception that starts with:

Amazon.Runtime.AmazonServiceException: A WebException with status SendFailure was thrown.

---> System.Net.WebException: Error getting response stream (Write: The authentication or decryption has failed.): SendFailure

---> System.IO.IOException: The authentication or decryption has failed.

---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server. Error code: 0xffffffff800b010a

There is a matchmaking configuration made, named “QuickMatch”. The accessKey & secret belong to an IAM user with the CreateGameSession, CreatePlayerSession, DescribeGameSessions and SearchGameSessions permissions.

Other than a few other unanswered questions on this forum, I’ve seen nothing in the documentation that can help me figure out why this is happening.

Hey @Crb!

Sorry for the delayed response here. We are not seeing widespread certificate problems on our side, so we are wondering if there is a problem in your certificate chain. Could you give us the following information?

  1. Does your trust store support Amazon Trust Services as a Certificate Authority?
  2. What version of Unity are you using?
  3. Do you see this on all GameLift calls, or just StartMatchmaking?
  4. Do you have a fleetId we can reference to look at logs on our end?

Thanks!

Hi,

Thanks for responding.

  1. I had no idea what that was. After a quick google and check, there is no Amazon Trust Services host in my local Windows 10 certificate list. Please note we want to deploy the code above directly in our (iOS & Android) clients. Could you point me to any tutorial/docs about these, and how they relate to using your services?

  2. Unity 2017.3.1f1, on Windows

  3. Tried a CreateGameSession call, same error

  4. FleetID: fleet-77b23b6c-fd31-4691-9e16-7302c579cd4e

Thanks

Here is a blog post articulating what to look for with regard to ATS issues:

Our initial suspicion is that it could be related to TLS. Do you know what version of TLS you are using? If you are using 1.2, it might be a Unity issue based on the version of Unity you are using:

Once we know what version of TLS you are using, we can rule in or out some of these theories, too.

Two more Mono links that might help you debug the TLS version:

Hi @Crb, I’m attempting to reproduce the error you’re running into, can you share the exact version of AWSSDK.Core.dll and AWSSDK.GameLift.dll you are using?

That said, we don’t recommend implementing the AWS SDK client directly into your game client. Doing so would require you to ship your game with your AWS credentials included. We recommend setting up a proxy to run the client requests. That way you have a centralized place to manage credentials and can implement metrics etc. for those calls.

For example you can see ‘game services’ in our architecture documentation here:

Ben

Hi @Ben & @Matchmaker, thank you for your quick answers. I’ve just come back to this issue today and will be focusing on it until its conclusion.

We’re using the latest stable AWSSDK.GameLift package available on NuGet two weeks ago. Version 3.3.11.5. Same for AWSSDK.Core, version 3.3.22.1

I’ve switched our Unity to the experimental .NET 4.6 version and set TLS to 1.0, since that’s the only one that works in our version AFAIK.

Now requests fail almost immediately with the following exception:

Amazon.Runtime.AmazonServiceException: A WebException with status TrustFailure was thrown. ---> System.Net.WebException: Error: TrustFailure (The authentication or decryption has failed.) ---> System.IO.IOException: The authentication or decryption has failed. ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server. Error code: 0xffffffff800b010a

As I’ve already mentioned, there is no ATS CA in my version of Windows. Checking my Android phone, I don’t see ATS there either.

Now I’m wondering whether all of this is pointless since none of our users will have ATS as trusted.

Another question I have is, do you know of any version of your C# SDK running on a Unity client, on Windows or mobile? I feel as though we’re breaking new ground here, and I hope it isn’t so :)

Hi @Crb, we have customers who are using the GameLift Server SDK with Unity in their mobile apps. However, we advise that they do not use the AWS Client SDK in their game client. The problem you’re experiencing is a great example why we make this architecture recommendation, beyond the security implications.

Using a proxy for AWS client calls will allow you to have a central place to manage the CA certs needed by the client.

To get started down that path, can you take the client code from Unity and try running it from Visual Studio? To be clear, I don’t mean running it in VS attached to Unity, but stand alone in VS without Unity libraries. That should work. If it doesn’t then we have more investigating to do.

Good luck!

Ben
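One shape the proxy Ben describes can take, as an added example that is not code from the thread or from AWS: an ASP.NET Core endpoint that holds the AWS credentials server-side and issues StartMatchmaking on the client's behalf, so the game binary never carries an access key. The controller name, the StartRequest type and the route are assumptions; the player identity should come from whatever session/auth token the game already has, which this skeleton leaves out.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Amazon;
using Amazon.GameLift;
using Amazon.GameLift.Model;
using Microsoft.AspNetCore.Mvc;

// Hypothetical backend endpoint: the Unity client POSTs here over HTTPS and
// never sees the AWS access key or secret.
[ApiController]
[Route("matchmaking")]
public class MatchmakingController : ControllerBase
{
    // Credentials are resolved from the host's default chain (environment
    // variables, ~/.aws/credentials or an instance/task role), not from code.
    private static readonly IAmazonGameLift GameLift =
        new AmazonGameLiftClient(RegionEndpoint.EUCentral1);

    // Request body shape is an assumption for this example.
    public class StartRequest { public string PlayerId { get; set; } }

    [HttpPost("start")]
    public async Task<IActionResult> Start([FromBody] StartRequest body)
    {
        if (string.IsNullOrWhiteSpace(body?.PlayerId)) return BadRequest();

        var req = new StartMatchmakingRequest
        {
            ConfigurationName = "QuickMatch",
            // The server assigns the ticket id, so a client cannot reuse or forge one.
            TicketId = Guid.NewGuid().ToString(),
            Players = new List<Player> { new Player { PlayerId = body.PlayerId } }
        };

        var resp = await GameLift.StartMatchmakingAsync(req);
        return Ok(new
        {
            resp.MatchmakingTicket.TicketId,
            Status = resp.MatchmakingTicket.Status?.Value
        });
    }
}
```

The IAM user or role behind this service is the only principal that needs the gamelift:StartMatchmaking permission, and its key can be rotated without shipping a new game build.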

Excellent idea, @Ben. I feel silly for not trying this sooner.

I copy-pasted the code I had into an empty WPF app and (after fixing my apparently wrong AWS credentials) the StartMatchmaking request worked!

I have also gotten it to “work” in Unity 2017, but only by creating a custom certificate validator that accepts anything. This works in both versions of Unity .NET, as long as you set the SecurityProtocol to Tls in 3.5.

Another thing I should mention is that StartMatchmaking isn’t available in the IAM GameLift-specific action list. I had to add it in the user’s permissions JSON manually.

I’ll try Unity 2018.2 next, since I see they mention TLS 1.2 support.

I consider this question answered, since it looks like the problem lies with Unity.
Thank you very much for your answers and tips, they were very helpful.
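A validator that accepts every certificate, as in the post above, also accepts one presented by anybody sitting between the device and the GameLift endpoint. The alternative below is an added example, not code from the thread or from AWS: it keeps normal chain validation and only tolerates a chain that ends at one bundled Amazon Trust Services root, which covers the case where the device store lacks ATS. It assumes the Unity .NET 4.6 scripting runtime, where ServicePointManager callbacks and X509Chain work; the class name and the PEM placeholder are assumptions.

```csharp
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Hypothetical helper for the Unity client. Instead of returning true for every
// certificate, it keeps validation and adds one known root the device may lack.
public static class GameLiftTlsSetup
{
    // PLACEHOLDER: paste the PEM of the Amazon Root CA from the ATS repository
    // (https://www.amazontrust.com/repository/) and bundle it as a text asset.
    private const string AmazonRootCaPem =
        "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n";

    private static readonly X509Certificate2 PinnedRoot =
        new X509Certificate2(Encoding.ASCII.GetBytes(AmazonRootCaPem));

    public static void Install()
    {
        // TLS 1.2 needs Unity 2018.2+ per the thread; older runtimes are limited to Tls.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // The platform trust store already accepted the chain: nothing to override.
        if (errors == SslPolicyErrors.None) return true;
        // A name mismatch or a missing certificate is never acceptable.
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None)
            return false;

        // Rebuild the chain with the server-sent intermediates plus our bundled root.
        // AllowUnknownCertificateAuthority tolerates only an untrusted root; expired
        // or badly signed certificates still fail Build().
        var rebuilt = new X509Chain();
        foreach (X509ChainElement element in chain.ChainElements)
            rebuilt.ChainPolicy.ExtraStore.Add(element.Certificate);
        rebuilt.ChainPolicy.ExtraStore.Add(PinnedRoot);
        rebuilt.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        if (!rebuilt.Build(new X509Certificate2(certificate))) return false;

        // The chain must end at exactly the bundled root, not at any self-signed cert.
        var root = rebuilt.ChainElements[rebuilt.ChainElements.Count - 1].Certificate;
        return root.Thumbprint == PinnedRoot.Thumbprint;
    }
}
```

Call GameLiftTlsSetup.Install() once before creating the AmazonGameLiftClient; a failed handshake then still surfaces as the TrustFailure exception rather than silently succeeding.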

@Crb Here is another way to fix that issue

https://stackoverflow.com/a/33391290/2338283

But you only want to put GameLift into your game for the first testing and prototyping, otherwise it should be hosted in some kind of web service.