n.VerifyPeer
#Overview
name: n.VerifyPeer
This variable is created as a Console Variable (cvar).
- type: Var
- help: Sets libcurl's CURLOPT_SSL_VERIFYPEER option to verify authenticity of the peer's certificate. 0 = disable (allows self-signed certificates); 1 = enable [default]
It is referenced in 11 C++ source files. It is also referenced in 1 C# build file, meaning it may affect the build system logic.
#Summary
#Usage in the C++ source code
The purpose of n.VerifyPeer is to control the SSL certificate verification process in Unreal Engine’s HTTP communication system, specifically when using libcurl for network requests.
This setting variable is primarily used by the HTTP module in Unreal Engine, which is part of the Online subsystem. It directly affects how the engine handles HTTPS connections and certificate verification.
The value of this variable is set in multiple places:
- It’s initially defined as a console variable in ConsoleManager.cpp with a default value of 1 (enabled).
- It can be configured in the project settings under the NetworkSettings class.
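- It’s read from the configuration file (GEngineIni) during the initialization of the CurlHttpManager. The InitCurl excerpt below shows that this read is skipped, and verification forced on, when the build defines DISABLE_UNVERIFIED_CERTIFICATE_LOADING.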
The associated variable bVerifyPeer interacts closely with n.VerifyPeer. They share the same value and purpose, with bVerifyPeer being used within the C++ code to control the actual behavior.
Developers must be aware of the following when using this variable:
- Setting it to 0 disables peer certificate verification, which can be a security risk as it allows self-signed certificates.
- It affects all HTTPS connections made through the engine’s HTTP module.
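- Changing this value at runtime may not affect existing connections: the excerpts below show CURLOPT_SSL_VERIFYPEER being applied in the FCurlHttpRequest constructor, and the console variable itself is registered with ECVF_ReadOnly.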
Best practices when using this variable include:
- Keep it enabled (set to 1) in production environments to ensure secure connections.
- Only disable it temporarily for development or testing purposes when working with self-signed certificates.
- Be cautious when disabling it, as it can expose the application to man-in-the-middle attacks.
Regarding the associated variable bVerifyPeer:
- It’s a boolean flag used internally in the HTTP module to control the actual SSL verification behavior.
- It’s set based on the value of n.VerifyPeer during initialization.
- It’s used directly in the libcurl setup to enable or disable peer verification (CURLOPT_SSL_VERIFYPEER).
- Developers should generally not modify bVerifyPeer directly, but instead use the n.VerifyPeer console variable or project settings to control this behavior.
#References in C++ code
#Callsites
This variable is referenced in the following C++ source code:
#Loc: <Workspace>/Engine/Source/Runtime/Core/Private/HAL/ConsoleManager.cpp:4106
Scope: file
Source code excerpt:
static TAutoConsoleVariable<int32> CVarVerifyPeer(
TEXT("n.VerifyPeer"),
1,
TEXT("Sets libcurl's CURLOPT_SSL_VERIFYPEER option to verify authenticity of the peer's certificate.\n"
" 0 = disable (allows self-signed certificates)\n"
" 1 = enable [default]"),
ECVF_ReadOnly);
#Loc: <Workspace>/Engine/Source/Runtime/Engine/Classes/Engine/NetworkSettings.h:36
Scope (from outer to inner):
file
class class UNetworkSettings : public UDeveloperSettings
Source code excerpt:
UPROPERTY(config, EditAnywhere, Category=libcurl, meta=(
ConsoleVariable="n.VerifyPeer",DisplayName="Verify Peer",
ToolTip="If true, libcurl authenticates the peer's certificate. Disable to allow self-signed certificates."))
uint32 bVerifyPeer:1;
UPROPERTY(config, EditAnywhere, Category=World, meta = (
ConsoleVariable = "p.EnableMultiplayerWorldOriginRebasing", DisplayName = "Enable Multiplayer World Origin Rebasing",
ToolTip="If true, origin rebasing is enabled in multiplayer games, meaning that servers and clients can have different local world origins."))
#Loc: <Workspace>/Engine/Source/Runtime/Online/HTTP/Private/Curl/CurlHttpManager.cpp:255
Scope (from outer to inner):
file
function void FCurlHttpManager::InitCurl
Source code excerpt:
CurlRequestOptions.bVerifyPeer = bVerifyPeer;
#else
if (GConfig->GetBool(TEXT("/Script/Engine.NetworkSettings"), TEXT("n.VerifyPeer"), bVerifyPeer, GEngineIni))
{
CurlRequestOptions.bVerifyPeer = bVerifyPeer;
}
#endif
bool bAcceptCompressedContent = true;
#Associated Variable and Callsites
This variable is associated with another variable named bVerifyPeer. They share the same value. See the following C++ source code.
#Loc: <Workspace>/Engine/Source/Runtime/Engine/Classes/Engine/NetworkSettings.h:38
Scope (from outer to inner):
file
class class UNetworkSettings : public UDeveloperSettings
Source code excerpt:
ConsoleVariable="n.VerifyPeer",DisplayName="Verify Peer",
ToolTip="If true, libcurl authenticates the peer's certificate. Disable to allow self-signed certificates."))
uint32 bVerifyPeer:1;
UPROPERTY(config, EditAnywhere, Category=World, meta = (
ConsoleVariable = "p.EnableMultiplayerWorldOriginRebasing", DisplayName = "Enable Multiplayer World Origin Rebasing",
ToolTip="If true, origin rebasing is enabled in multiplayer games, meaning that servers and clients can have different local world origins."))
uint32 bEnableMultiplayerWorldOriginRebasing : 1;
#Loc: <Workspace>/Engine/Source/Runtime/Online/HTTP/Private/Curl/CurlHttp.cpp:56
Scope (from outer to inner):
file
function static CURLcode sslctx_function
Source code excerpt:
CertificateManager.AddCertificatesToSslContext(Context);
if (FCurlHttpManager::CurlRequestOptions.bVerifyPeer)
{
FCurlHttpRequest* Request = static_cast<FCurlHttpRequest*>(parm);
SSL_CTX_set_verify(Context, SSL_CTX_get_verify_mode(Context), SslCertVerify);
SSL_CTX_set_app_data(Context, Request);
}
#Loc: <Workspace>/Engine/Source/Runtime/Online/HTTP/Private/Curl/CurlHttp.cpp:106
Scope (from outer to inner):
file
function FCurlHttpRequest::FCurlHttpRequest
Source code excerpt:
// set certificate verification (disable to allow self-signed certificates)
if (FCurlHttpManager::CurlRequestOptions.bVerifyPeer)
{
curl_easy_setopt(EasyHandle, CURLOPT_SSL_VERIFYPEER, 1L);
}
else
{
curl_easy_setopt(EasyHandle, CURLOPT_SSL_VERIFYPEER, 0L);
#Loc: <Workspace>/Engine/Source/Runtime/Online/HTTP/Private/Curl/CurlHttpManager.cpp:248
Scope (from outer to inner):
file
function void FCurlHttpManager::InitCurl
Source code excerpt:
#if WITH_SSL
// Set default verify peer value based on availability of certificates
CurlRequestOptions.bVerifyPeer = SslModule.GetCertificateManager().HasCertificatesAvailable();
#endif
bool bVerifyPeer = true;
#if DISABLE_UNVERIFIED_CERTIFICATE_LOADING
CurlRequestOptions.bVerifyPeer = bVerifyPeer;
#else
if (GConfig->GetBool(TEXT("/Script/Engine.NetworkSettings"), TEXT("n.VerifyPeer"), bVerifyPeer, GEngineIni))
{
CurlRequestOptions.bVerifyPeer = bVerifyPeer;
}
#endif
bool bAcceptCompressedContent = true;
if (GConfig->GetBool(TEXT("HTTP"), TEXT("AcceptCompressedContent"), bAcceptCompressedContent, GEngineIni))
{
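The order in which the InitCurl excerpt above arrives at the effective bVerifyPeer, modelled as a stand-alone function that can be run against a project's ini text. This is an added example, not engine code: `Trim`, `GetVerifyPeerFromIni`, `ResolveVerifyPeer` and `kSampleIni` are hypothetical names, the two preprocessor switches are modelled as plain bools, and the ini parsing is a simplification that does not reproduce the engine's config system.

```cpp
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>

// Trim surrounding whitespace, including the '\r' left by CRLF ini files.
static std::string Trim(const std::string& S) {
    const auto B = S.find_first_not_of(" \t\r\n");
    return B == std::string::npos ? std::string() : S.substr(B, S.find_last_not_of(" \t\r\n") - B + 1);
}

// Same shape as the GetBool call in the excerpt: returns true and sets bOut only when
// n.VerifyPeer is present under [/Script/Engine.NetworkSettings].
// Simplification: only true/false/1/0 are recognised; other values are skipped.
bool GetVerifyPeerFromIni(const std::string& IniText, bool& bOut) {
    std::istringstream In(IniText);
    std::string Line, Section;
    bool bFound = false;
    while (std::getline(In, Line)) {
        Line = Trim(Line);
        if (Line.empty() || Line[0] == ';') continue;      // blank line or comment
        if (Line[0] == '[') { Section = Line; continue; }  // section header
        const auto Eq = Line.find('=');
        if (Eq == std::string::npos || Section != "[/Script/Engine.NetworkSettings]") continue;
        if (Trim(Line.substr(0, Eq)) != "n.VerifyPeer") continue;
        std::string V = Trim(Line.substr(Eq + 1));
        for (char& C : V) C = static_cast<char>(std::tolower(static_cast<unsigned char>(C)));
        if (V == "true" || V == "1") { bOut = true; bFound = true; }
        else if (V == "false" || V == "0") { bOut = false; bFound = true; }
    }
    return bFound;
}

// Follows the order of the InitCurl excerpt. WITH_SSL and
// DISABLE_UNVERIFIED_CERTIFICATE_LOADING are modelled as bools.
bool ResolveVerifyPeer(bool bWithSsl, bool bHasCertificates,
                       bool bDisableUnverifiedLoading, const std::string& EngineIni) {
    bool bEffective = true;                       // FCurlRequestOptions() default
    if (bWithSsl) bEffective = bHasCertificates;  // HasCertificatesAvailable()
    if (bDisableUnverifiedLoading) return true;   // forced on, config is never read
    bool bFromIni = true;
    if (GetVerifyPeerFromIni(EngineIni, bFromIni)) bEffective = bFromIni;
    return bEffective;
}

// Constructed sample input: a project ini that switches verification off.
static const std::string kSampleIni = "[/Script/Engine.NetworkSettings]\r\nn.VerifyPeer=False\r\n";

int main() { std::cout << ResolveVerifyPeer(true, true, false, kSampleIni) << "\n"; }
```

One path through the excerpt is easy to miss: in a WITH_SSL build where no certificates are available and the ini has no n.VerifyPeer key, the result is false even though nobody set it to 0.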
#Loc: <Workspace>/Engine/Source/Runtime/Online/HTTP/Private/Curl/CurlHttpManager.cpp:310
Scope (from outer to inner):
file
function void FCurlHttpManager::FCurlRequestOptions::Log
Source code excerpt:
UE_LOG(LogInit, Log, TEXT(" CurlRequestOptions (configurable via config and command line):"));
UE_LOG(LogInit, Log, TEXT(" - bVerifyPeer = %s - Libcurl will %sverify peer certificate"),
bVerifyPeer ? TEXT("true") : TEXT("false"),
bVerifyPeer ? TEXT("") : TEXT("NOT ")
);
const FString& ProxyAddress = FHttpModule::Get().GetProxyAddress();
const bool bUseHttpProxy = !ProxyAddress.IsEmpty();
UE_LOG(LogInit, Log, TEXT(" - bUseHttpProxy = %s - Libcurl will %suse HTTP proxy"),
bUseHttpProxy ? TEXT("true") : TEXT("false"),
#Loc: <Workspace>/Engine/Source/Runtime/Online/HTTP/Private/Curl/CurlHttpManager.h:33
Scope (from outer to inner):
file
class class FCurlHttpManager : public FHttpManager
function FCurlRequestOptions
Source code excerpt:
{
FCurlRequestOptions()
: bVerifyPeer(true)
, bDontReuseConnections(false)
, bAcceptCompressedContent(true)
, MaxHostConnections(0)
, BufferSize(64*1024)
{}
#Loc: <Workspace>/Engine/Source/Runtime/Online/HTTP/Private/Curl/CurlHttpManager.h:44
Scope (from outer to inner):
file
class class FCurlHttpManager : public FHttpManager
Source code excerpt:
/** Whether or not should verify peer certificate (disable to allow self-signed certs) */
bool bVerifyPeer;
/** Forbid reuse connections (for debugging purposes, since normally it's faster to reuse) */
bool bDontReuseConnections;
/** Allow servers to send compressed content. Can have a very small cpu cost, and huge bandwidth and response time savings from correctly configured servers. */
bool bAcceptCompressedContent;
#Loc: <Workspace>/Engine/Source/Runtime/Online/HTTP/Private/Windows/WindowsPlatformHttp.cpp:186
Scope (from outer to inner):
file
function bool FWindowsPlatformHttp::VerifyPeerSslCertificate
Source code excerpt:
bool FWindowsPlatformHttp::VerifyPeerSslCertificate(bool verify)
{
bool bPreviousValue = FCurlHttpManager::CurlRequestOptions.bVerifyPeer;
FCurlHttpManager::CurlRequestOptions.bVerifyPeer = verify;
return bPreviousValue;
}
#References in C# build files
This variable is referenced in the following C# build files:
Location: <Workspace>/Engine/Source/Programs/AutomationTool/Scripts/CopyBuildToStagingDirectory.Automation.cs:1542
if (PlatformEngineConfig != null)
{
PlatformEngineConfig.GetBool("/Script/Engine.NetworkSettings", "n.VerifyPeer", out bStageSSLCertificates);
}
if (bStageSSLCertificates)
{
// Game's SSL certs
FileReference ProjectCertFile = FileReference.Combine(SC.ProjectRoot, "Content", "Certificates", "cacert.pem");