In general, some users get this kind of error:

WebRequest fails with Curl error 60 when a UnityWebRequest is created.

I would like to make my own CertificateHandler which calls the base CertificateHandler inside itself (that is, the system first tries to resolve everything), and if that doesn't work out, then the additional logic of my handler comes into play.

I had an option to add my Handler after an error (that is, first we don’t assign anything to the handler property), but I don’t understand how to catch this particular error.

It seems to have no code, and there is only the text "SSL CA certificate error". And it's probably not good to navigate only by text, since it changes from system to system...


If you are implementing your custom certificate handler you can simply do e.g.

public class MyCertificateHandler : CertificateHandler
{
    protected override bool ValidateCertificate(byte[] certificateData)
    {
        // Default validation first; the custom check only runs as a fallback.
        if (base.ValidateCertificate(certificateData)) return true;

        return YourOwnCheck();
    }
}

depending on whether you want to do your own or the default checks first.

Not sure right now but the CertificateHandler actually seems to simply implement

protected virtual bool ValidateCertificate(byte[] certificateData) => false;

... in that case you would actually need to use the normal system validation yourself and e.g. go through X509Chain:

using System.Security.Cryptography.X509Certificates;

protected override bool ValidateCertificate(byte[] certificateData)
{
    // Create an X509Certificate2 object from the received certificate data
    var certificate = new X509Certificate2(certificateData);

    // Use the system default certificate validation
    var chain = new X509Chain();
    chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
    chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
    chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;

    if (chain.Build(certificate))
        return true;

    return YourOwnCheck();
}

Note that those flags are basically a bit wider; you might of course want to use stricter ones to trigger your custom validation more often - it depends on your exact needs.


  • X509RevocationMode

    This is mainly whether revocation (invalidation) of certs should be checked.

    The used X509RevocationMode.NoCheck is of course the least strict one. You would rather use Online (use online cert lists) or Offline (use the locally cached cert list).

  • X509RevocationFlag

    This specifies how the revocation should be checked: either only on this specific cert itself (EndCertificateOnly), the EntireChain, or the entire chain except the root (ExcludeRoot) to save some performance.

    The most strict would of course be EntireChain.

  • X509VerificationFlags

    This finally allows certain exceptions. For instance, the used AllowUnknownCertificateAuthority allows self-signed certificates that are not signed by an officially known root certificate authority.

    The most strict here would be NoFlags indicating we don't want to ignore any rules.

In general, you as a developer usually know which URLs you are using the UnityWebRequest on, so it is usually enough to have a CertificateHandler check that specific target certificate.
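Putting the "strict system validation first, own check second" idea together, here is an added example (not code from the original answer) where the fallback pins the exact leaf certificate the answer says you usually know in advance. PinnedSha256Hex is a placeholder, and it is assumed that Unity hands the handler the DER bytes of the leaf certificate:

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using UnityEngine.Networking;

// Added example, not from the original answer: strict system chain validation
// runs first; only if it fails does a pin on the leaf certificate's SHA-256
// fingerprint decide. PinnedSha256Hex is a placeholder value.
public sealed class PinnedFallbackCertificateHandler : CertificateHandler
{
    // Placeholder: replace with the hex SHA-256 fingerprint of your server's leaf certificate.
    private const string PinnedSha256Hex = "REPLACE_WITH_YOUR_LEAF_CERT_SHA256";

    protected override bool ValidateCertificate(byte[] certificateData)
    {
        if (certificateData == null || certificateData.Length == 0) return false;

        X509Certificate2 cert;
        try { cert = new X509Certificate2(certificateData); }
        catch (CryptographicException) { return false; } // not parseable: reject

        if (SystemChainIsValid(cert)) return true;
        return MatchesPin(cert);
    }

    private static bool SystemChainIsValid(X509Certificate2 cert)
    {
        // Strictest settings from the answer: online revocation, whole chain, no exceptions.
        // X509Chain.Build checks the chain only; it does not compare the name to the host.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlags;
        return chain.Build(cert);
    }

    private static bool MatchesPin(X509Certificate2 cert)
    {
        // Pinning the exact certificate: still refuse it outside its validity period.
        var now = DateTime.UtcNow;
        if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime()) return false;

        using (var sha256 = SHA256.Create())
        {
            var hex = BitConverter.ToString(sha256.ComputeHash(cert.RawData)).Replace("-", "");
            return string.Equals(hex, PinnedSha256Hex, StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

Assign it with `request.certificateHandler = new PinnedFallbackCertificateHandler();` before sending the UnityWebRequest; a pinned certificate must be re-pinned whenever the server's certificate is rotated.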

