Outdated SSL certificates

Hi,

I’m building a game which requires using websockets for client/server communications.

Everything is working well so far, with one exception regarding SSL certificates.

Keep in mind I’m no networking or security expert, so I might have missed something.

My domain SSL certificate is issued by Sectigo, and I’ve been trying to get the SSL verification working with my defold app for some time now, with no success.

I noticed the built-in CAs don’t seem to include Sectigo’s root CAs, and I figured I would try to manually replace it with an up-to-date version of the file found here:

https://curl.se/docs/caextract.html

Downloading the latest CA file on the webpage mentioned above and using it in my project network settings seems to work as intended when building the game from the engine on my mac, however as soon as I bundle the app for another device (tried on a Windows PC, iPhone and Android phone), it can’t connect to my server and the following line appears in the debug log:

ERROR:DLIB: SSLSocket mbedtls_x509_crt_parse: -0x2180 -

I also tried using Sectigo’s root CA as a replacement in the project settings, but the error is the same.

Reproduced the exact same result using a blank project and the updated CA file in project settings, then bundling and loading it on my Windows PC.

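A pre-flight check for a replacement CA file like the one described above, as an added example that is not from this thread or from Defold: it decodes every block of a curl-style cacert.pem, verifies that each one is exactly one DER SEQUENCE (the outer shape mbedtls requires; a bare -0x2180 is MBEDTLS_ERR_X509_INVALID_FORMAT, returned when that SEQUENCE is not found), and lists the entries whose name contains a given issuer such as Sectigo. The sample entries, their names and the tiny DER blobs are constructed; a real bundle holds full certificates.

```python
import base64

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def der_total_length(data: bytes) -> int:
    """Encoded size of the DER SEQUENCE at data[0], or -1 if it is not one."""
    if len(data) < 2 or data[0] != 0x30:
        return -1
    if data[1] < 0x80:                        # short-form length
        return 2 + data[1]
    n = data[1] & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def check_bundle(text: str, wanted: str = "Sectigo") -> dict:
    """Decode every block and flag the ones a strict X.509 parser would reject."""
    problems, names = [], []
    label, body, inside = "?", [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == BEGIN:
            inside, body = True, []
        elif line == END and inside:
            inside = False
            try:
                der = base64.b64decode("".join(body), validate=True)
            except ValueError as exc:         # binascii.Error is a ValueError
                problems.append(f"{label}: bad base64 ({exc})")
                continue
            if der_total_length(der) != len(der):
                problems.append(f"{label}: block is not exactly one DER SEQUENCE")
                continue
            names.append(label)
        elif inside:
            body.append(line)
        elif line and not line.startswith("#") and set(line) != {"="}:
            label = line                      # curl layout: name, '=' rule, block
    return {"certificates": len(names), "problems": problems,
            "matching": [n for n in names if wanted.lower() in n.lower()]}

def pem_entry(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()      # one curl-style entry (sample only)
    return f"{label}\n{'=' * len(label)}\n{BEGIN}\n{b64}\n{END}\n"

# Constructed sample: tiny DER SEQUENCEs stand in for real certificates.
GOOD_DER = bytes.fromhex("3003020101")       # SEQUENCE { INTEGER 1 }
TRUNCATED_DER = bytes.fromhex("3010020101")  # header claims 16 bytes, 3 follow
SAMPLE_BUNDLE = (pem_entry("Sectigo Example Root (constructed)", GOOD_DER)
                 + pem_entry("Other Example Root (constructed)", GOOD_DER))
```

Run it as `check_bundle(open("cacert.pem").read())` on the downloaded file; an empty `problems` list plus a non-empty `matching` list is what you want to see before bundling.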

Could you please create an issue on GitHub so that we can take a look at it?

The SSL certificates we bundle (defold/engine/engine/content/builtins/ca-certificates/cacert.pem at dev · defold/defold · GitHub) are from Mozilla (https://hg-edge.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt). I see Sectigo in the latest version, so it’s a surprise if you still have problems even when you’ve updated your certs.


Thanks for your answer. Created an issue on GitHub as requested.
