|
2 | 2 | id: secure-connection |
3 | 3 | title: Create secure client and server |
4 | 4 | --- |
5 | | -The unity transport protocol can be configure to encrypt the connection between the server and the client while ensuring the server's/client's authenticity. |
6 | | -This secure connection relies on UnityTLS and is available with the following editor versions: |
7 | | -`2020.3 (2020.3.34 minimum and above), 2021.3 (2021.3.1f1 minimum and above) and 2022.1 (2022.1.0b16 minimum and above)` |
| 5 | + |
| 6 | +You can configure the Unity Transport package to encrypt the server-client connection while ensuring the authenticity of both the server and the client. |
| 7 | + |
| 8 | +Secure connections are available with Editor versions 2020.3 (starting at 2020.3.34), 2021.3, and 2022.1 and above. |
8 | 9 |
|
9 | 10 | ## Server authentication |
10 | 11 |
|
11 | 12 | :::warning Warning |
12 | | -Be sure private keys are not included in your code base or client builds. |
| 13 | +This example uses hardcoded certificates to illustrate the process better. However, in an actual deployment, you should keep the server certificates separate from the client builds. You can do this by keeping the server certificates on a separate assembly or by loading the server certificates from a file on the server. |
13 | 14 | ::: |
14 | 15 |
|
15 | 16 | ### High level authentication process |
16 | | -In this configuration, the server will provide a certificate to the client (`certificate`) containing the server host name. |
17 | | -The client will compare the server hostname to the one it knows (`serverName`) and will then validate the provided certificate against its own root certificate (`caCertificate`) confirming the server identity. |
| 17 | + |
| 18 | +In this configuration, the server provides a certificate to the client (`certificate`) to prove its identity. The client uses its own root certificate (`caCertificate`) to validate the certificate from the server. |
18 | 19 |
|
19 | 20 | :::note |
20 | | -Root certificate is also sometimes referred as CA Certificate. |
| 21 | +Root certificates are also sometimes referred to as CA certificates. |
21 | 22 | ::: |
22 | 23 |
|
23 | | -Once its identity confirmed, the server will then use the private key (`privateKey`) to establish the secure communication. |
| 24 | +After confirming its identity, the server uses the private key (`privateKey`) to establish a secure communication channel. |
24 | 25 |
|
25 | 26 | ### Requirements |
26 | | -To use the client server secure workflow, you need a `valid certificate` and the `root certificate` it has been generated from. You also need the `private key` that has been used to create the certificate. |
27 | | -If you don't have these, they can be generated using OpenSSL. The procedure is detailed hereafter. |
| 27 | + |
| 28 | +You need the following before you can use the client-server secure workflow: |
| 29 | + |
| 30 | +- A valid certificate |
| 31 | +- The root certificate used to sign the certificate |
| 32 | +- The private key used to create the certificate |
| 33 | + |
| 34 | +You can use OpenSSL to generate these if you don't have them. The procedure is detailed hereafter. |
28 | 35 |
|
29 | 36 | ### Generating the required keys and certificates with OpenSSL |
30 | 37 |
|
31 | 38 | It is assumed that you have [OpenSSL](https://www.openssl.org/) installed on your machine. |
32 | 39 |
|
33 | | -#### Generate the Certification Authority root certificate. |
34 | | -First thing first is to generate a private key. We will use it later on to generate the Certification Authority root certificate. |
| 40 | +#### Generate the root certificate |
| 41 | + |
| 42 | +First, generate a root private key. You will need it later to generate the root certificate. |
| 43 | + |
35 | 44 | ```shell |
36 | 45 | openssl genrsa -out clientPrivateKeyForRootCA.pem 2048 |
37 | 46 | ``` |
38 | | -Now that you have a private key, you can now generate the root certificate. |
| 47 | + |
| 48 | +Now that you have a root private key, you can generate the root certificate. |
39 | 49 |
|
40 | 50 | ```shell |
41 | 51 | openssl req -x509 -new -nodes -key clientPrivateKeyForRootCA.pem -sha256 -days 1095 -out myGameClientCA.pem |
42 | 52 | ``` |
43 | | -You will be prompted to answer several questions. Most of the answers are not that important within the present context. |
44 | | -It is however useful to use a `common name` that makes sense for you to identify this certificate amongst others. |
45 | | -Ideally, you would want to use your domain name if you have one. |
46 | 53 |
|
| 54 | +You will be prompted to answer several questions. Most of the answers are not that important within the present context. It is, however, useful to use a common name that makes sense for you to identify this certificate amongst others. Ideally, you would want to use your domain name if you have one. |
| 55 | + |
| 56 | +#### Generate the root-signed certificate to use with the server |
| 57 | + |
| 58 | +Now, create a private key for the server. |
47 | 59 |
|
48 | | -#### Generate the CA-signed certificate to use with the server |
49 | | -Create now a private key for the server. |
50 | 60 | ```shell |
51 | | -openssl genrsa -out myGameServerPrivate.pem 2048 |
| 61 | +openssl genrsa -out myGameServerPrivateKey.pem 2048 |
52 | 62 | ``` |
53 | | -From this private key, you can generate a certificate signing request. |
| 63 | + |
| 64 | +You can use this private key to generate a certificate signing request. |
| 65 | + |
54 | 66 | ```shell |
55 | | -openssl req -new -key myGameServerPrivate.pem -out myGameServerCertificateSigningRequest.pem |
| 67 | +openssl req -new -key myGameServerPrivateKey.pem -out myGameServerCertificateSigningRequest.pem |
56 | 68 | ``` |
57 | | -You'll be prompted with the same questions as for generating the root certificate. |
58 | | -The answers are no more important, except for the `common name` : use the host name of your server if you have one. This common name |
59 | | -will appear in the generated certificate and will be compare by the Client against the common name it received as parameter (`serverName`). |
60 | 69 |
|
61 | | -Finally, using the different files generated, we can create the certificate file the server will use to authenticate itself : |
| 70 | +You'll be prompted with the same questions you answered when generating the root certificate. The answers are no more important (except for the common name: it is recommended to use the server's hostname). |
| 71 | + |
| 72 | +Finally, you can create the certificate file the server will use to authenticate itself using the generated files: |
| 73 | + |
62 | 74 | ```shell |
63 | 75 | openssl.exe x509 -req -in myGameServerCertificateSigningRequest.pem -CA myGameClientCA.pem -CAkey clientPrivateKeyForRootCA.pem -CAcreateserial -out myGameServerCertificate.pem -days 365 -sha256 |
64 | 76 | ``` |
65 | | -You should have now generated a total of five files. Out of these, only three will be used later on : |
66 | | -* The content of the `myGameClientCA.pem` file, will be used client side as the `caCertificate` parameter. |
67 | | -* On the server end, `myGameServerPrivate.pem` file content will be used for the `privateKey` parameter. |
68 | | -* `myGameServerCertificate.pem` will be used by the `certificate` parameter on the server end. |
69 | | - |
70 | | -### Boiler Plate file holding the secure parameters |
71 | | -Create a `SecureParameters.cs` script file to hold your certificates and the private key. Place it in the same folder as the minimal server and minimal client scripts. |
72 | | -Add the following dependencies: |
73 | | -```cs |
74 | | -using Unity.Collections; |
75 | | -using Unity.Networking.Transport.TLS; |
76 | | -``` |
77 | | -Then declare the secureParameters class and the boilerplate code that will hold your secure information: |
78 | | -```cs |
| 77 | + |
| 78 | +You should have now generated a total of five files. You only need to use the following three: `myGameClientCA.pem`, `myGameServerCertificate.pem`, and `myGameServerPrivateKey.pem`. |
| 79 | + |
| 80 | +- On the client side, you need the content of the `myGameClientCA.pem` for the `caCertificate` parameter. |
| 81 | +- On the server end, you need the contents of `myGameServerCertificate.pem` for the `certificate` parameter. |
| 82 | +- On the server end, you need the contents of `myGameServerPrivateKey.pem` for the `privateKey` parameter. |
| 83 | + |
| 84 | +### Boilerplate file holding the secure parameters |
| 85 | + |
| 86 | +Create a `SecureParameters.cs` script file to hold your certificates and the private key. Place it in the same folder as the minimal server and minimal client scripts. Then, declare the `SecureParameters` static class and the boilerplate code that will hold your secure information: |
| 87 | + |
| 88 | +```csharp |
79 | 89 | public static class SecureParameters |
80 | 90 | { |
81 | | - public static FixedString32Bytes ServerCommonName = new FixedString32Bytes("server_certificate_host_name"); // Use the common name you used to define the server certificate. |
82 | | - public static FixedString4096Bytes MyGameClientCA = new FixedString4096Bytes( |
| 91 | + // Use the common name you used to create the server certificate. |
| 92 | + public static readonly string ServerCommonName = "localserver"; |
| 93 | + |
| 94 | + public static readonly string MyGameClientCA = |
| 95 | +@"-----BEGIN CERTIFICATE----- |
| 96 | +*** Contents of myGameClientCA.pem *** |
| 97 | +-----END CERTIFICATE-----"; |
| 98 | + |
| 99 | + public static readonly string MyGameServerCertificate = |
83 | 100 | @"-----BEGIN CERTIFICATE----- |
84 | | - *** |
85 | | ------END CERTIFICATE-----"); // This should contain the content of myGameClientCA.pem |
86 | | - |
87 | | - public static FixedString4096Bytes MyGameServerCertificate = new FixedString4096Bytes( |
88 | | -@"-----BEGIN CERTIFICATE----- |
89 | | - *** |
90 | | ------END CERTIFICATE-----");; // This should contain the content of myGameServerCertificate.pem |
91 | | -
|
92 | | - public static FixedString4096Bytes MyGameServerPrivate = new FixedString4096Bytes( |
93 | | -@"-----BEGIN RSA PRIVATE KEY----- |
94 | | - *** |
95 | | ------END RSA PRIVATE KEY-----"); // This should contain the content of myGameServerPrivate.pem |
| 101 | +*** Contents of myGameServerCertificate.pem *** |
| 102 | +-----END CERTIFICATE-----"; |
| 103 | + |
| 104 | + public static readonly string MyGameServerPrivateKey = |
| 105 | +@"-----BEGIN RSA PRIVATE KEY----- |
| 106 | +*** Contents of myGameServerPrivateKey.pem *** |
| 107 | +-----END RSA PRIVATE KEY-----"; |
96 | 108 | } |
97 | 109 | ``` |
98 | 110 |
|
99 | | -### Creating the Secure Server |
| 111 | +### Creating the secure server |
100 | 112 |
|
| 113 | +Starting from the minimal server sample code, create a `NetworkSettings` object in the `Start` method and configure it as follows: |
101 | 114 |
|
102 | | -Starting from the minimal server sample code, create a `NetworkSettings` object. |
| 115 | +```csharp |
| 116 | +void Start () |
| 117 | +{ |
| 118 | + var settings = new NetworkSettings(); |
| 119 | + settings.WithSecureServerParameters( |
| 120 | + certificate: SecureParameters.MyGameServerCertificate, |
| 121 | + privateKey: SecureParameters.myGameServerPrivateKey); |
103 | 122 |
|
104 | | -```cs |
105 | | -private NetworkSettings settings = new NetworkSettings(); |
| 123 | + // ... |
| 124 | +} |
106 | 125 | ``` |
107 | 126 |
|
108 | | -Within the `start()` method, configure this `NetworkSettings` as following: |
109 | | -```cs |
110 | | -void Start () |
111 | | - { |
112 | | - settings.WithSecureServerParameters( |
113 | | - certificate: ref SecureParameters.MyGameServerCertificate, // The content of the `myGameServerCertificate.pem` |
114 | | - privateKey: ref SecureParameters.MyGameServerPrivate // The content of `myGameServerPrivate.pem` |
115 | | - ); |
116 | | -``` |
117 | | -Call create method of the network driver but this time, integrate the `NetworkSettings` object. |
118 | | -```cs |
| 127 | +When creating the `NetworkDriver`, pass in this `NetworkSettings` object: |
| 128 | + |
| 129 | +```csharp |
119 | 130 | m_Driver = NetworkDriver.Create(settings); |
120 | 131 | ``` |
121 | | -That's it for the server ! |
122 | 132 |
|
123 | | -### Creating a Secure Client |
| 133 | +That's it for the server! |
124 | 134 |
|
125 | | -The secure client is very similar to the secure server. Starting from the minimal client sample code, create `NetworkSettings` object. |
126 | | -```cs |
127 | | -private NetworkSettings settings = new NetworkSettings(); |
128 | | -``` |
| 135 | +### Creating a secure client |
129 | 136 |
|
130 | | -The difference between client and server lies with the parameters that will be provided to the NetworkSettings object. |
131 | | -Within the `start()` method, configure this `NetworkSettings` object as following : |
132 | | -```cs |
| 137 | +The secure client is very similar to the secure server. The only difference is in how the `NetworkSettings` object is configured. |
| 138 | + |
| 139 | +```csharp |
133 | 140 | void Start () |
134 | | - { |
135 | | - settings.WithSecureClientParameters( |
136 | | - serverName: ref SecureParameters.ServerCommonName, |
137 | | - caCertificate: ref SecureParameters.MyGameClientCA, // Use the content of myGameClientCA.pem |
138 | | - ); |
| 141 | +{ |
| 142 | + var settings = new NetworkSettings(); |
| 143 | + settings.WithSecureServerParameters( |
| 144 | + serverName: SecureParameters.ServerCommonName, |
| 145 | + caCertificate: SecureParameters.MyGameClientCA); |
| 146 | + m_Driver = NetworkDriver.Create(settings); |
| 147 | + |
| 148 | + // ... |
| 149 | +} |
139 | 150 | ``` |
140 | | -Finally, call the `create` method of the network driver but this time, integrate the `NetworkSettings` object. |
141 | | -```cs |
142 | | -m_Driver = NetworkDriver.Create(settings); |
143 | | -``` |
144 | | -and that's it ! |
145 | | -You should now have a secure connection between the server and its clients. |
| 151 | + |
| 152 | +You should now have a secure connection between the server and its clients! |
146 | 153 |
|
147 | 154 | :::note |
148 | | -If you create clients for multiple platform, it is important for all of these to use the same Root Certificate if they communicate with the same server. |
| 155 | +If you create clients for multiple platforms, it is important for all clients to continue using the same root certificate if they communicate with the same server. |
149 | 156 | ::: |
0 commit comments