TLSv1.3 Fatal, Unknown CA #430

Closed
drwidgit opened this issue Apr 12, 2024 · 3 comments
@drwidgit

We're using VA Rest in a production product running on UE4.26. In 99.9% of the computers, it works just fine; however, on a machine with a stock Windows 10 (or Windows 11) install with all Windows updates, and then adding our software, we have some cases of our license server not responding. When I ran Wireshark on the machine that was failing, I saw that I'm getting a TLSv1.3 protocol "Alert (Level: Fatal, Description: Unknown CA)" message, which I'm assuming means that somewhere in the transmission, the wrong client certificate is being sent.

I'm a bit out of my depth on this one so it's entirely possible that it isn't anything to do with your plugin. This works on thousands of different systems, but a tiny number of customers (probably less than 10) have run into this. One of our customers was able to recreate it with a fresh system, and since then we've also been able to recreate this problem on 3 separate systems that have just a stock install of Windows and then our software. Any insight that you might be able to provide would be appreciated! Thanks!

@ufna
Owner

ufna commented Apr 14, 2024

Hi @drwidgit, I'm not so familiar with this; it's definitely an issue of client-server negotiation at the curl level. It sounds like a clean install doesn't have intermediate certs, or something like that.

@drwidgit
Author

drwidgit commented Apr 21, 2024

We eventually solved the issue and it was indeed nothing to do with the plug-in. A fresh install of Windows only includes a small subset of the certificate authorities installed. As I understand it, Microsoft updates this list every couple of weeks through Windows Update, but you're kinda stuck until that happens (even if you do all the Windows updates). The only workaround is to manually install the CA (in our case Go Daddy).

I also understand, though don't have the expertise to confirm, that web browsers ship with their own internal set of CAs, so even though we could contact our authentication server via the browser, it wasn't working through our app until we installed the CA.

@ufna
Owner

ufna commented Apr 22, 2024

Thanks @drwidgit, it sounds very legit!

@ufna ufna closed this as completed Apr 22, 2024
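
Added example, not part of the thread or of the plugin's code: a small Python parser for the plaintext TLS alert record that Wireshark renders as "Alert (Level: Fatal, Description: Unknown CA)", reporting which side's trust store to inspect. Per RFC 8446, `unknown_ca` is sent by the side that could not match the peer's chain to a trust anchor. The sample bytes and the function names are constructed for illustration.

```python
import struct

# Certificate-related alert descriptions from RFC 8446, section 6.
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}
LEVELS = {1: "warning", 2: "fatal"}

# Constructed sample: record type 21 (alert), legacy version 0x0303,
# length 2, level 2 (fatal), description 48 (unknown_ca).
SAMPLE = bytes.fromhex("15030300020230")


def parse_alert_record(record: bytes) -> dict:
    """Decode one plaintext TLS alert record (5-byte header, 2-byte body)."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", record[:5])
    if content_type != 21:
        raise ValueError(f"not an alert record (content type {content_type})")
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than declared length")
    if length != 2:
        # A plaintext alert is exactly two bytes; a longer type-21 body is an
        # encrypted alert and cannot be decoded without the session keys.
        raise ValueError("alert body is not 2 bytes; record is encrypted")
    level, description = body[0], body[1]
    return {"record_version": f"0x{version:04x}",
            "level": LEVELS.get(level, f"unknown({level})"),
            "description": CERT_ALERTS.get(description, f"other({description})")}


def store_to_check(alert: dict, sender: str):
    """For unknown_ca, name the trust store that lacks the anchor, else None."""
    if sender not in ("client", "server"):
        raise ValueError("sender must be 'client' or 'server'")
    if alert["description"] != "unknown_ca":
        return None
    peer = "server" if sender == "client" else "client"
    return f"{sender} trust store (no anchor for the {peer} certificate chain)"


if __name__ == "__main__":
    alert = parse_alert_record(SAMPLE)
    print(alert)
    print(store_to_check(alert, "client"))
```

The `sender` argument comes from the capture itself: it is the endpoint whose source address appears on the packet carrying the alert.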