TLS/SSL certificates

Introduction

It is often desired to use TLS connections (also known as SSL connections) for communications to avoid "man in the middle" attacks. Godot has a connection wrapper, StreamPeerTLS, which can take a regular connection and add security around it. The HTTPClient and HTTPRequest classes also support HTTPS using this same wrapper.

Godot will try to use the TLS certificate bundle provided by the operating system, but also includes the TLS certificate bundle from Mozilla as a fallback.

You can alternatively force your own certificate bundle in the Project Settings:

Set the TLS certificate bundle override in the Project Settings

When set, this file overrides the operating system provided bundle by default. This file should contain any number of public certificates in PEM format.

There are two ways to obtain a certificate:

Obtain a certificate from a certificate authority

The main way to obtain a certificate is through a certificate authority (CA) such as Let's Encrypt. This process is more involved than using a self-signed certificate, but it is more "official" and ensures that your identity is clearly represented. The resulting certificate is also trusted by applications such as web browsers, whereas a self-signed certificate requires additional configuration on the client side before it is treated as trusted.

These certificates work without any configuration on the client side, because Godot already bundles the Mozilla certificate bundle in both the editor and exported projects.

Generate a self-signed certificate

For most use cases, going through a certificate authority (CA) is recommended, since CAs such as Let's Encrypt offer their service for free. However, if using a CA is not an option, you can generate a self-signed certificate and tell your clients to treat that self-signed certificate as trusted.

To create a self-signed certificate, generate a private/public key pair, then add the public key (in PEM format) to the CRT file specified in the Project Settings.

Warning

The private key should only be deployed on your server. Clients must not have access to it; otherwise, the security of the certificate is compromised.

Warning

When specifying a self-signed certificate as TLS bundle in the project settings, normal domain name validation is enforced via the certificate CN and alternative names. See TLSOptions to customize domain name validation.

For development purposes Godot can generate self-signed certificates via Crypto.generate_self_signed_certificate.
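The following GDScript is an added example, not code from the Godot documentation: it generates a development certificate with Crypto.generate_self_signed_certificate, keeps the private key on the server side only, and builds the matching TLSOptions for both ends so that the client trusts just this one certificate and still validates the host name against its CN. The file paths, the "localhost" host name and the issuer string are assumptions for the example.

```gdscript
extends Node

# Assumed paths. The key file stays on the server; only the .crt is shipped to clients.
const SERVER_KEY_PATH := "user://server.key"
const CERT_PATH := "user://server.crt"

# Server-side, run once: create an RSA key and a self-signed certificate for it.
func generate_dev_certificate() -> void:
	var crypto := Crypto.new()
	var key: CryptoKey = crypto.generate_rsa(4096)
	# The CN must match the name clients connect with, or domain name
	# validation on the client fails even though the certificate is trusted.
	var cert: X509Certificate = crypto.generate_self_signed_certificate(
		key, "CN=localhost,O=Dev,C=US", "20240101000000", "20340101000000")
	key.save(SERVER_KEY_PATH)   # private key: never copied to a client build
	cert.save(CERT_PATH)        # public certificate in PEM format: safe to distribute

# Server side: the key/certificate pair the server presents during the handshake.
func server_tls_options() -> TLSOptions:
	var key := CryptoKey.new()
	key.load(SERVER_KEY_PATH)
	var cert := X509Certificate.new()
	cert.load(CERT_PATH)
	return TLSOptions.server(key, cert)

# Client side: trust only our own certificate and keep host name validation on,
# instead of TLSOptions.client_unsafe(), which would skip verification entirely.
func client_tls_options() -> TLSOptions:
	var cert := X509Certificate.new()
	cert.load(CERT_PATH)
	return TLSOptions.client(cert, "localhost")

# Wrap a TCP connection with StreamPeerTLS using the client options above.
# Poll the returned peer until get_status() == STATUS_CONNECTED before sending data.
func connect_client(host: String, port: int) -> StreamPeerTLS:
	var tcp := StreamPeerTCP.new()
	if tcp.connect_to_host(host, port) != OK:
		return null
	var tls := StreamPeerTLS.new()
	if tls.connect_to_stream(tcp, host, client_tls_options()) != OK:
		return null
	return tls
```

The same client_tls_options() value can be passed to HTTPRequest.set_tls_options() when the connection goes through HTTPS rather than a raw StreamPeerTLS.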

Alternatively, OpenSSL has some documentation about generating keys and certificates.