n.VerifyPeer

#Overview

name: n.VerifyPeer

This variable is created as a Console Variable (cvar).

It is referenced in 11 C++ source files. It is also referenced in 1 C# build file, which means it may affect build system logic.

#Summary

#Usage in the C++ source code

The purpose of n.VerifyPeer is to control the SSL certificate verification process in Unreal Engine’s HTTP communication system, specifically when using libcurl for network requests.

This setting variable is primarily used by the HTTP module in Unreal Engine, which is part of the Online subsystem. It directly affects how the engine handles HTTPS connections and certificate verification.

The value of this variable is set in multiple places:

  1. It’s initially defined as a console variable in ConsoleManager.cpp with a default value of 1 (enabled).
  2. It can be configured in the project settings under the NetworkSettings class.
  3. It’s read from the configuration file (GEngineIni) during the initialization of the CurlHttpManager.

The associated variable bVerifyPeer interacts closely with n.VerifyPeer. They share the same value and purpose, with bVerifyPeer being used within the C++ code to control the actual behavior.

Developers must be aware of the following when using this variable:

  1. Setting it to 0 disables peer certificate verification. This is a security risk: libcurl then accepts the server's certificate without checking its authenticity, which is what allows self-signed certificates.
  2. It affects all HTTPS connections made through the engine’s HTTP module.
  3. The libcurl option is applied when each FCurlHttpRequest is constructed, so changing this value at runtime may not affect existing connections.

Best practices when using this variable include:

  1. Keep it enabled (set to 1) in production environments to ensure secure connections.
  2. Only disable it temporarily for development or testing purposes when working with self-signed certificates.
  3. Be cautious when disabling it, as it can expose the application to man-in-the-middle attacks.
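One way to enforce these practices before shipping is the check below. It is an added example, not Unreal Engine code. It reads engine config text for the `[/Script/Engine.NetworkSettings]` section and `n.VerifyPeer` key that `InitCurl` consults, and scans startup logs for the line written by `FCurlRequestOptions::Log`. The function names, the accepted boolean spellings and the sample inputs are assumptions made for illustration.

```python
import re

# Section and key read by FCurlHttpManager::InitCurl (names from the page).
SECTION = "/Script/Engine.NetworkSettings"
KEY = "n.VerifyPeer"
# Assumption: spellings the engine's config parser treats as booleans.
TRUE_WORDS = {"1", "true", "yes", "on"}
FALSE_WORDS = {"0", "false", "no", "off"}
# Startup line from FCurlRequestOptions::Log when verification is off (format from the page).
LOG_OFF = re.compile(r"bVerifyPeer = false\s+- Libcurl will NOT verify peer certificate")


def effective_verify_peer(ini_text):
    """Return the last n.VerifyPeer value set in the section, or None if unset."""
    section, value = None, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or ini comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, val = line.partition("=")
        if section != SECTION or not sep or key.strip() != KEY:
            continue
        word = val.strip().strip('"').lower()
        if word in TRUE_WORDS or word in FALSE_WORDS:
            value = word in TRUE_WORDS            # later assignments override earlier ones
    return value


def audit(ini_text, log_text=""):
    """Return findings; an empty list means nothing disables peer verification."""
    findings = []
    if effective_verify_peer(ini_text) is False:
        findings.append(f"config: [{SECTION}] {KEY} disables peer verification")
    for number, line in enumerate(log_text.splitlines(), 1):
        if LOG_OFF.search(line):
            findings.append(f"log line {number}: libcurl is not verifying peer certificates")
    return findings


# Constructed sample inputs, not taken from a real project.
SAMPLE_INI = "[/Script/Engine.NetworkSettings]\nn.VerifyPeer=False\n[HTTP]\nAcceptCompressedContent=true\n"
SAMPLE_LOG = "LogInit:  - bVerifyPeer = false  - Libcurl will NOT verify peer certificate\n"

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_INI, SAMPLE_LOG)))
```

Run as a packaging gate, a non-empty result from `audit` should fail a production build; a `None` from `effective_verify_peer` means the config leaves the engine default in place.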

Regarding the associated variable bVerifyPeer:

#References in C++ code

#Callsites

This variable is referenced in the following C++ source code:

#Loc: <Workspace>/Engine/Source/Runtime/Core/Private/HAL/ConsoleManager.cpp:4106

Scope: file

Source code excerpt:


static TAutoConsoleVariable<int32> CVarVerifyPeer(
	TEXT("n.VerifyPeer"),
	1,
	TEXT("Sets libcurl's CURLOPT_SSL_VERIFYPEER option to verify authenticity of the peer's certificate.\n"
		 "  0 = disable (allows self-signed certificates)\n"
		 "  1 = enable [default]"),
	ECVF_ReadOnly);

#Loc: <Workspace>/Engine/Source/Runtime/Engine/Classes/Engine/NetworkSettings.h:36

Scope (from outer to inner):

file
class        class UNetworkSettings : public UDeveloperSettings

Source code excerpt:


	UPROPERTY(config, EditAnywhere, Category=libcurl, meta=(
		ConsoleVariable="n.VerifyPeer",DisplayName="Verify Peer",
		ToolTip="If true, libcurl authenticates the peer's certificate. Disable to allow self-signed certificates."))
	uint32 bVerifyPeer:1;

	UPROPERTY(config, EditAnywhere, Category=World, meta = (
		ConsoleVariable = "p.EnableMultiplayerWorldOriginRebasing", DisplayName = "Enable Multiplayer World Origin Rebasing",
		ToolTip="If true, origin rebasing is enabled in multiplayer games, meaning that servers and clients can have different local world origins."))

#Loc: <Workspace>/Engine/Source/Runtime/Online/HTTP/Private/Curl/CurlHttpManager.cpp:255

Scope (from outer to inner):

file
function     void FCurlHttpManager::InitCurl

Source code excerpt:

	CurlRequestOptions.bVerifyPeer = bVerifyPeer;
#else
	if (GConfig->GetBool(TEXT("/Script/Engine.NetworkSettings"), TEXT("n.VerifyPeer"), bVerifyPeer, GEngineIni))
	{
		CurlRequestOptions.bVerifyPeer = bVerifyPeer;
	}
#endif

	bool bAcceptCompressedContent = true;

#Associated Variable and Callsites

This variable is associated with another variable named bVerifyPeer. They share the same value. See the following C++ source code.

#Loc: <Workspace>/Engine/Source/Runtime/Engine/Classes/Engine/NetworkSettings.h:38

Scope (from outer to inner):

file
class        class UNetworkSettings : public UDeveloperSettings

Source code excerpt:

		ConsoleVariable="n.VerifyPeer",DisplayName="Verify Peer",
		ToolTip="If true, libcurl authenticates the peer's certificate. Disable to allow self-signed certificates."))
	uint32 bVerifyPeer:1;

	UPROPERTY(config, EditAnywhere, Category=World, meta = (
		ConsoleVariable = "p.EnableMultiplayerWorldOriginRebasing", DisplayName = "Enable Multiplayer World Origin Rebasing",
		ToolTip="If true, origin rebasing is enabled in multiplayer games, meaning that servers and clients can have different local world origins."))
	uint32 bEnableMultiplayerWorldOriginRebasing : 1;

#Loc: <Workspace>/Engine/Source/Runtime/Online/HTTP/Private/Curl/CurlHttp.cpp:56

Scope (from outer to inner):

file
function     static CURLcode sslctx_function

Source code excerpt:


	CertificateManager.AddCertificatesToSslContext(Context);
	if (FCurlHttpManager::CurlRequestOptions.bVerifyPeer)
	{
		FCurlHttpRequest* Request = static_cast<FCurlHttpRequest*>(parm);
		SSL_CTX_set_verify(Context, SSL_CTX_get_verify_mode(Context), SslCertVerify);
		SSL_CTX_set_app_data(Context, Request);
	}

#Loc: <Workspace>/Engine/Source/Runtime/Online/HTTP/Private/Curl/CurlHttp.cpp:106

Scope (from outer to inner):

file
function     FCurlHttpRequest::FCurlHttpRequest

Source code excerpt:


	// set certificate verification (disable to allow self-signed certificates)
	if (FCurlHttpManager::CurlRequestOptions.bVerifyPeer)
	{
		curl_easy_setopt(EasyHandle, CURLOPT_SSL_VERIFYPEER, 1L);
	}
	else
	{
		curl_easy_setopt(EasyHandle, CURLOPT_SSL_VERIFYPEER, 0L);

#Loc: <Workspace>/Engine/Source/Runtime/Online/HTTP/Private/Curl/CurlHttpManager.cpp:248

Scope (from outer to inner):

file
function     void FCurlHttpManager::InitCurl

Source code excerpt:

#if WITH_SSL
	// Set default verify peer value based on availability of certificates
	CurlRequestOptions.bVerifyPeer = SslModule.GetCertificateManager().HasCertificatesAvailable();
#endif

	bool bVerifyPeer = true;
#if DISABLE_UNVERIFIED_CERTIFICATE_LOADING
	CurlRequestOptions.bVerifyPeer = bVerifyPeer;
#else
	if (GConfig->GetBool(TEXT("/Script/Engine.NetworkSettings"), TEXT("n.VerifyPeer"), bVerifyPeer, GEngineIni))
	{
		CurlRequestOptions.bVerifyPeer = bVerifyPeer;
	}
#endif

	bool bAcceptCompressedContent = true;
	if (GConfig->GetBool(TEXT("HTTP"), TEXT("AcceptCompressedContent"), bAcceptCompressedContent, GEngineIni))
	{

#Loc: <Workspace>/Engine/Source/Runtime/Online/HTTP/Private/Curl/CurlHttpManager.cpp:310

Scope (from outer to inner):

file
function     void FCurlHttpManager::FCurlRequestOptions::Log

Source code excerpt:

	UE_LOG(LogInit, Log, TEXT(" CurlRequestOptions (configurable via config and command line):"));
		UE_LOG(LogInit, Log, TEXT(" - bVerifyPeer = %s  - Libcurl will %sverify peer certificate"),
		bVerifyPeer ? TEXT("true") : TEXT("false"),
		bVerifyPeer ? TEXT("") : TEXT("NOT ")
		);

	const FString& ProxyAddress = FHttpModule::Get().GetProxyAddress();
	const bool bUseHttpProxy = !ProxyAddress.IsEmpty();
	UE_LOG(LogInit, Log, TEXT(" - bUseHttpProxy = %s  - Libcurl will %suse HTTP proxy"),
		bUseHttpProxy ? TEXT("true") : TEXT("false"),

#Loc: <Workspace>/Engine/Source/Runtime/Online/HTTP/Private/Curl/CurlHttpManager.h:33

Scope (from outer to inner):

file
class        class FCurlHttpManager : public FHttpManager
function     FCurlRequestOptions

Source code excerpt:

	{
		FCurlRequestOptions()
			:	bVerifyPeer(true)
			,	bDontReuseConnections(false)
			,	bAcceptCompressedContent(true)
			,	MaxHostConnections(0)
			,	BufferSize(64*1024)
		{}

#Loc: <Workspace>/Engine/Source/Runtime/Online/HTTP/Private/Curl/CurlHttpManager.h:44

Scope (from outer to inner):

file
class        class FCurlHttpManager : public FHttpManager

Source code excerpt:


		/** Whether or not should verify peer certificate (disable to allow self-signed certs) */
		bool bVerifyPeer;

		/** Forbid reuse connections (for debugging purposes, since normally it's faster to reuse) */
		bool bDontReuseConnections;

		/** Allow servers to send compressed content.  Can have a very small cpu cost, and huge bandwidth and response time savings from correctly configured servers. */
		bool bAcceptCompressedContent;

#Loc: <Workspace>/Engine/Source/Runtime/Online/HTTP/Private/Windows/WindowsPlatformHttp.cpp:186

Scope (from outer to inner):

file
function     bool FWindowsPlatformHttp::VerifyPeerSslCertificate

Source code excerpt:

bool FWindowsPlatformHttp::VerifyPeerSslCertificate(bool verify)
{
	bool bPreviousValue = FCurlHttpManager::CurlRequestOptions.bVerifyPeer;
	FCurlHttpManager::CurlRequestOptions.bVerifyPeer = verify;
	return bPreviousValue;
}

#References in C# build files

This variable is referenced in the following C# build files:

Location: <Workspace>/Engine/Source/Programs/AutomationTool/Scripts/CopyBuildToStagingDirectory.Automation.cs:1542

					if (PlatformEngineConfig != null)
					{
						PlatformEngineConfig.GetBool("/Script/Engine.NetworkSettings", "n.VerifyPeer", out bStageSSLCertificates);
					}

					if (bStageSSLCertificates)
					{
						// Game's SSL certs
						FileReference ProjectCertFile = FileReference.Combine(SC.ProjectRoot, "Content", "Certificates", "cacert.pem");