Not signed in
Copyright © 2026 Unity Technologies
Our apologies for the misunderstanding. You are correct that our initial comprehension of the issue was wrong. After investigating this further, we nevertheless decided not to address this issue. Let's Encrypt's workaround for their change in certificate authority relies on the expiration date of trust anchors not being checked. Our understanding of the relevant standards is that it is up to the TLS implementation to decide whether to do this verification or not. By performing the verification, we are still compliant even if that behavior is different than Android's stock TLS implementation. We do understand that this can cause some confusion and frustration, but for our implementation to match Android's behavior, we would have to modify security-critical code in cURL and MbedTLS (the libraries we use under the hood for UnityWebRequest). We are unwilling to make such modifications as we do not want to risk introducing security vulnerabilities. Furthermore, on Android it is possible to provide a custom certificate handler to UnityWebRequest (see https://docs.unity3d.com/ScriptReference/Networking.UnityWebRequest-certificateHandler.html). This could be used as a workaround to provide certificate validation that matches Android's behavior.
Reproduction steps:
1. Open the attached project “BugRepro”
2. Build and Run on an Android device with an OS version older than 7.1.1
3. Observe the top left corner of the screen
Expected result: SSL certificate request succeeds
Actual result: SSL certificate error is shown
Reproducible with: 2020.3.44f1, 2021.3.18f1, 2022.2.7f1, 2023.1.0b3, 2023.2.0a2
Built using MacOS 12.6 (Intel)
Reproducible on: Xiaomi Mi Note Pro (MI NOTE Pro), CPU: Snapdragon 810 MSM8994, GPU: Adreno 430, OS: 7.0.0
Not reproducible on: Samsung Galaxy S9 (SM-G960F), CPU: Exynos 9 Series 9810, GPU: Mali-G72, OS: 10.0.0
Google Pixel 3 (Pixel 3), CPU: Snapdragon 845, GPU: Adreno 630, OS: 12.0.0
Sign in to see your voted issues