diff --git a/Assets/Mirror/Transports/SimpleWeb/Client/StandAlone/ClientHandshake.cs b/Assets/Mirror/Transports/SimpleWeb/Client/StandAlone/ClientHandshake.cs index ebe302c2b..769df2484 100644 --- a/Assets/Mirror/Transports/SimpleWeb/Client/StandAlone/ClientHandshake.cs +++ b/Assets/Mirror/Transports/SimpleWeb/Client/StandAlone/ClientHandshake.cs @@ -28,6 +28,10 @@ public bool TryHandshake(Connection conn, Uri uri) byte[] keySumBytes = Encoding.ASCII.GetBytes(keySum); Log.Verbose($"[SimpleWebTransport] Handshake Hashing {Encoding.ASCII.GetString(keySumBytes)}"); + // SHA1 is the websocket standard: + // https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API/Writing_WebSocket_servers#server_handshake_response + // we should follow the standard, even though SHA1 is considered weak: + // https://stackoverflow.com/questions/38038841/why-is-sha-1-considered-insecure byte[] keySumHash = SHA1.Create().ComputeHash(keySumBytes); string expectedResponse = Convert.ToBase64String(keySumHash); diff --git a/Assets/Mirror/Transports/SimpleWeb/Server/ServerHandshake.cs b/Assets/Mirror/Transports/SimpleWeb/Server/ServerHandshake.cs index 6ba7c4229..e752ac14d 100644 --- a/Assets/Mirror/Transports/SimpleWeb/Server/ServerHandshake.cs +++ b/Assets/Mirror/Transports/SimpleWeb/Server/ServerHandshake.cs @@ -19,6 +19,10 @@ internal class ServerHandshake // this isn't an official max, just a reasonable size for a websocket handshake readonly int maxHttpHeaderSize = 3000; + // SHA1 is the websocket standard: + // https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API/Writing_WebSocket_servers#server_handshake_response + // we should follow the standard, even though SHA1 is considered weak: + // https://stackoverflow.com/questions/38038841/why-is-sha-1-considered-insecure readonly SHA1 sha1 = SHA1.Create(); readonly BufferPool bufferPool;