|
1 | 1 | --- |
2 | 2 | id: secure-connection |
3 | | -title: Secure client and server |
| 3 | +title: Create secure client and server |
4 | 4 | --- |
5 | | -The unity transport protocol can be configure to encrypt the connection between the server and the client while ensuring the server's/client's authenticity. |
6 | | -This secure connection relies on UnityTLS and is available with the following editor versions: |
7 | | -`2020.3 (2020.3.34 minimum and above), 2021.3 (2021.3.1f1 minimum and above) and 2022.1 (2022.1.0b16 minimum and above)` |
| 5 | +The Unity Transport package can be configure to encrypt the connection between the server and the client while ensuring the server's/client's authenticity. |
| 6 | + |
| 7 | +Secure connections are available with editor versions 2020.3 (starting at 2020.3.34), 2021.3, and 2022.1 and above. |
8 | 8 |
|
9 | 9 | ## Server authentication |
10 | 10 |
|
11 | 11 | :::warning Warning |
12 | | -Be sure private keys are not included in your code base or client builds. |
| 12 | +This example uses hardcoded certificates to make understanding the process easier, but in a real deployment the server certificates should be kept separate from client builds. One way to achieve this is to put them on a separate assembly, or load them from a file on the server. |
13 | 13 | ::: |
14 | 14 |
|
15 | 15 | ### High level authentication process |
16 | | -In this configuration, the server will provide a certificate to the client (`certificate`) containing the server host name. |
17 | | -The client will compare the server hostname to the one it knows (`serverName`) and will then validate the provided certificate against its own root certificate (`caCertificate`) confirming the server identity. |
| 16 | + |
| 17 | +In this configuration, the server will provide a certificate to the client (`certificate`) to prove its identity. The client will validate the certificate against its own root certificate (`caCertificate`) to validate its identity. |
18 | 18 |
|
19 | 19 | :::note |
20 | | -Root certificate is also sometimes referred as CA Certificate. |
| 20 | +Root certificates are also sometimes referred to as CA certificates. |
21 | 21 | ::: |
22 | 22 |
|
23 | | -Once its identity confirmed, the server will then use the private key (`privateKey`) to establish the secure communication. |
| 23 | +Once its identity confirmed, the server will then use the private key (`privateKey`) to establish the secure communication channel. |
24 | 24 |
|
25 | 25 | ### Requirements |
26 | | -To use the client server secure workflow, you need a `valid certificate` and the `root certificate` it has been generated from. You also need the `private key` that has been used to create the certificate. |
27 | | -If you don't have these, they can be generated using OpenSSL. The procedure is detailed hereafter. |
| 26 | + |
| 27 | +To use the client/server secure workflow, you need a valid certificate and the root certificate that was used to sign it. You also need the private key that has been used to create the certificate. If you don't have these, they can be generated using OpenSSL. The procedure is detailed hereafter. |
28 | 28 |
|
29 | 29 | ### Generating the required keys and certificates with OpenSSL |
30 | 30 |
|
31 | 31 | It is assumed that you have [OpenSSL](https://www.openssl.org/) installed on your machine. |
32 | 32 |
|
33 | | -#### Generate the Certification Authority root certificate. |
34 | | -First thing first is to generate a private key. We will use it later on to generate the Certification Authority root certificate. |
| 33 | +#### Generate the root certificate |
| 34 | + |
| 35 | +First thing first is to generate a root private key. We will use it later on to generate the root certificate. |
| 36 | + |
35 | 37 | ```shell |
36 | 38 | openssl genrsa -out clientPrivateKeyForRootCA.pem 2048 |
37 | 39 | ``` |
38 | | -Now that you have a private key, you can now generate the root certificate. |
| 40 | + |
| 41 | +Now that you have a root private key, you can now generate the root certificate. |
39 | 42 |
|
40 | 43 | ```shell |
41 | 44 | openssl req -x509 -new -nodes -key clientPrivateKeyForRootCA.pem -sha256 -days 1095 -out myGameClientCA.pem |
42 | 45 | ``` |
| 46 | + |
43 | 47 | You will be prompted to answer several questions. Most of the answers are not that important within the present context. |
44 | | -It is however useful to use a `common name` that makes sense for you to identify this certificate amongst others. |
45 | | -Ideally, you would want to use your domain name if you have one. |
| 48 | +It is however useful to use a common name that makes sense for you to identify this certificate amongst others. Ideally, you would want to use your domain name if you have one. |
46 | 49 |
|
| 50 | +#### Generate the root-signed certificate to use with the server |
| 51 | + |
| 52 | +Create now a private key for the server. |
47 | 53 |
|
48 | | -#### Generate the CA-signed certificate to use with the server |
49 | | -Create now a private key for the server. |
50 | 54 | ```shell |
51 | | -openssl genrsa -out myGameServerPrivate.pem 2048 |
| 55 | +openssl genrsa -out myGameServerPrivateKey.pem 2048 |
52 | 56 | ``` |
53 | | -From this private key, you can generate a certificate signing request. |
| 57 | + |
| 58 | +From this private key, you can generate a certificate signing request. |
| 59 | + |
54 | 60 | ```shell |
55 | | -openssl req -new -key myGameServerPrivate.pem -out myGameServerCertificateSigningRequest.pem |
| 61 | +openssl req -new -key myGameServerPrivateKey.pem -out myGameServerCertificateSigningRequest.pem |
56 | 62 | ``` |
57 | | -You'll be prompted with the same questions as for generating the root certificate. |
58 | | -The answers are no more important, except for the `common name` : use the host name of your server if you have one. This common name |
59 | | -will appear in the generated certificate and will be compare by the Client against the common name it received as parameter (`serverName`). |
60 | 63 |
|
61 | | -Finally, using the different files generated, we can create the certificate file the server will use to authenticate itself : |
| 64 | +You'll be prompted with the same questions as for generating the root certificate. The answers are no more important, except for the common name: it is recommended to use the server's hostname. |
| 65 | + |
| 66 | +Finally, using the different files generated, we can create the certificate file the server will use to authenticate itself: |
| 67 | + |
62 | 68 | ```shell |
63 | 69 | openssl.exe x509 -req -in myGameServerCertificateSigningRequest.pem -CA myGameClientCA.pem -CAkey clientPrivateKeyForRootCA.pem -CAcreateserial -out myGameServerCertificate.pem -days 365 -sha256 |
64 | 70 | ``` |
65 | | -You should have now generated a total of five files. Out of these, only three will be used later on : |
66 | | -* The content of the `myGameClientCA.pem` file, will be used client side as the `caCertificate` parameter. |
67 | | -* On the server end, `myGameServerPrivate.pem` file content will be used for the `privateKey` parameter. |
68 | | -* `myGameServerCertificate.pem` will be used by the `certificate` parameter on the server end. |
69 | | - |
70 | | -### Boiler Plate file holding the secure parameters |
71 | | -Create a `SecureParameters.cs` script file to hold your certificates and the private key. Place it in the same folder as the minimal server and minimal client scripts. |
72 | | -Add the following dependencies: |
73 | | -```cs |
74 | | -using Unity.Collections; |
75 | | -using Unity.Networking.Transport.TLS; |
76 | | -``` |
77 | | -Then declare the secureParameters class and the boilerplate code that will hold your secure information: |
78 | | -```cs |
| 71 | + |
| 72 | +You should have now generated a total of five files. Out of these, only three will be used later on: |
| 73 | +* The content of the `myGameClientCA.pem` file will be used client-side as the `caCertificate` parameter. |
| 74 | +* On the server end, the contents of `myGameServerCertificate.pem` will be used for the `certificate` parameter. |
| 75 | +* On the server end, the contents of `myGameServerPrivateKey.pem` will be used for the `privateKey` parameter. |
| 76 | + |
| 77 | +### Boilerplate file holding the secure parameters |
| 78 | + |
| 79 | +Create a `SecureParameters.cs` script file to hold your certificates and the private key. Place it in the same folder as the minimal server and minimal client scripts. Then declare the `SecureParameters` static class and the boilerplate code that will hold your secure information: |
| 80 | + |
| 81 | +```csharp |
79 | 82 | public static class SecureParameters |
80 | 83 | { |
81 | | - public static FixedString32Bytes ServerCommonName = new FixedString32Bytes("server_certificate_host_name"); // Use the common name you used to define the server certificate. |
82 | | - public static FixedString4096Bytes MyGameClientCA = new FixedString4096Bytes( |
| 84 | + // Use the common name you used to create the server certificate. |
| 85 | + public static readonly string ServerCommonName = "localserver"; |
| 86 | + |
| 87 | + public static readonly string MyGameClientCA = |
| 88 | +@"-----BEGIN CERTIFICATE----- |
| 89 | +*** Contents of myGameClientCA.pem *** |
| 90 | +-----END CERTIFICATE-----"; |
| 91 | + |
| 92 | + public static readonly string MyGameServerCertificate = |
83 | 93 | @"-----BEGIN CERTIFICATE----- |
84 | | - *** |
85 | | ------END CERTIFICATE-----"); // This should contain the content of myGameClientCA.pem |
86 | | - |
87 | | - public static FixedString4096Bytes MyGameServerCertificate = new FixedString4096Bytes( |
88 | | -@"-----BEGIN CERTIFICATE----- |
89 | | - *** |
90 | | ------END CERTIFICATE-----");; // This should contain the content of myGameServerCertificate.pem |
91 | | -
|
92 | | - public static FixedString4096Bytes MyGameServerPrivate = new FixedString4096Bytes( |
93 | | -@"-----BEGIN RSA PRIVATE KEY----- |
94 | | - *** |
95 | | ------END RSA PRIVATE KEY-----"); // This should contain the content of myGameServerPrivate.pem |
| 94 | +*** Contents of myGameServerCertificate.pem *** |
| 95 | +-----END CERTIFICATE-----"; |
| 96 | + |
| 97 | + public static readonly string MyGameServerPrivateKey = |
| 98 | +@"-----BEGIN RSA PRIVATE KEY----- |
| 99 | +*** Contents of myGameServerPrivateKey.pem *** |
| 100 | +-----END RSA PRIVATE KEY-----"; |
96 | 101 | } |
97 | 102 | ``` |
98 | 103 |
|
99 | | -### Creating the Secure Server |
| 104 | +### Creating the secure server |
100 | 105 |
|
| 106 | +Starting from the minimal server sample code, create a `NetworkSettings` object in the `Start` method and configure it as follows: |
101 | 107 |
|
102 | | -Starting from the minimal server sample code, create a `NetworkSettings` object. |
| 108 | +```csharp |
| 109 | +void Start () |
| 110 | +{ |
| 111 | + var settings = new NetworkSettings(); |
| 112 | + settings.WithSecureServerParameters( |
| 113 | + certificate: SecureParameters.MyGameServerCertificate, |
| 114 | + privateKey: SecureParameters.myGameServerPrivateKey); |
103 | 115 |
|
104 | | -```cs |
105 | | -private NetworkSettings settings = new NetworkSettings(); |
| 116 | + // ... |
| 117 | +} |
106 | 118 | ``` |
107 | 119 |
|
108 | | -Within the `start()` method, configure this `NetworkSettings` as following: |
109 | | -```cs |
110 | | -void Start () |
111 | | - { |
112 | | - settings.WithSecureServerParameters( |
113 | | - certificate: ref SecureParameters.MyGameServerCertificate, // The content of the `myGameServerCertificate.pem` |
114 | | - privateKey: ref SecureParameters.MyGameServerPrivate // The content of `myGameServerPrivate.pem` |
115 | | - ); |
116 | | -``` |
117 | | -Call create method of the network driver but this time, integrate the `NetworkSettings` object. |
118 | | -```cs |
| 120 | +When creating the `NetworkDriver`, pass in this `NetworkSettings` object: |
| 121 | + |
| 122 | +```csharp |
119 | 123 | m_Driver = NetworkDriver.Create(settings); |
120 | 124 | ``` |
121 | | -That's it for the server ! |
122 | 125 |
|
123 | | -### Creating a Secure Client |
| 126 | +That's it for the server! |
124 | 127 |
|
125 | | -The secure client is very similar to the secure server. Starting from the minimal client sample code, create `NetworkSettings` object. |
126 | | -```cs |
127 | | -private NetworkSettings settings = new NetworkSettings(); |
128 | | -``` |
| 128 | +### Creating a secure client |
129 | 129 |
|
130 | | -The difference between client and server lies with the parameters that will be provided to the NetworkSettings object. |
131 | | -Within the `start()` method, configure this `NetworkSettings` object as following : |
132 | | -```cs |
| 130 | +The secure client is very similar to the secure server. The only difference is in how the `NetworkSettings` object is configured. |
| 131 | + |
| 132 | +```csharp |
133 | 133 | void Start () |
134 | | - { |
135 | | - settings.WithSecureClientParameters( |
136 | | - serverName: ref SecureParameters.ServerCommonName, |
137 | | - caCertificate: ref SecureParameters.MyGameClientCA, // Use the content of myGameClientCA.pem |
138 | | - ); |
| 134 | +{ |
| 135 | + var settings = new NetworkSettings(); |
| 136 | + settings.WithSecureServerParameters( |
| 137 | + serverName: SecureParameters.ServerCommonName, |
| 138 | + caCertificate: SecureParameters.MyGameClientCA); |
| 139 | + m_Driver = NetworkDriver.Create(settings); |
| 140 | + |
| 141 | + // ... |
| 142 | +} |
139 | 143 | ``` |
140 | | -Finally, call the `create` method of the network driver but this time, integrate the `NetworkSettings` object. |
141 | | -```cs |
142 | | -m_Driver = NetworkDriver.Create(settings); |
143 | | -``` |
144 | | -and that's it ! |
145 | | -You should now have a secure connection between the server and its clients. |
| 144 | + |
| 145 | +You should now have a secure connection between the server and its clients! |
146 | 146 |
|
147 | 147 | :::note |
148 | | -If you create clients for multiple platform, it is important for all of these to use the same Root Certificate if they communicate with the same server. |
| 148 | +If you create clients for multiple platforms, it is important for all of these to still use the same root certificate if they communicate with the same server. |
149 | 149 | ::: |
0 commit comments