fix(gl-client): use webpki-roots for cross-platform LNURL TLS#713
Merged
`rustls-tls-native-roots` loads root CAs from the OS at runtime via the `rustls-native-certs` crate. On Android this reads `/system/etc/security/cacerts/`, which silently returns no certs on some Android variants (newer API levels, custom ROMs, restricted-read apps). Every HTTPS request from `LnUrlHttpClearnetClient` then fails with `invalid peer certificate: UnknownIssuer`, breaking Lightning Address resolution and any LNURL flow.
Switch to `rustls-tls-webpki-roots`, which compiles Mozilla's CA bundle into the binary. Identical behaviour on every platform, no runtime root-store discovery, no platform-specific code paths.
Adds ~250 KB to the binary (Mozilla CA list) — acceptable for a mobile SDK and the standard choice in LDK / BDK / other Rust mobile libs.
Trade-off: CA-bundle updates require an SDK release rather than following the OS. In practice CA changes affecting real-world LNURL servers are rare enough that this is a non-issue, and the previous behaviour was outright broken on the affected Android configurations.
Refs: rejection observed at runtime as `error trying to connect: invalid peer certificate: UnknownIssuer` when resolving lightning addresses (e.g. walletofsatoshi.com `/.well-known/lnurlp/<user>`).
5df7036 to 94de41b
Summary
`rustls-tls-native-roots` loads root CAs from the OS at runtime via the `rustls-native-certs` crate. On Android this reads `/system/etc/security/cacerts/`, which silently returns no certs on some Android variants (newer API levels, custom ROMs, apps without read access). When that happens, every HTTPS request from `LnUrlHttpClearnetClient` (`gl-client/src/lnurl/models.rs:171`) fails with:
This breaks Lightning Address resolution and every LNURL flow on the affected configurations.
This PR switches to `rustls-tls-webpki-roots`, which compiles Mozilla's CA bundle into the binary. Identical behaviour on every platform, no runtime root-store discovery, no platform-specific code paths.
Trade-offs
Why not `rustls-platform-verifier`?
The modern best-practice for mobile is `rustls-platform-verifier`, which uses Android's `KeyStore` (via JNI), iOS's `SecTrust`, etc. But it requires `reqwest` 0.12+, and gl-client is pinned to `^0.11`. Bumping reqwest is a much larger change with cascading dep updates and belongs in a separate PR.
Test plan
`cargo build -p gl-client` — clean
`cargo build -p gl-sdk` — clean (transitive consumer)
someuser@walletofsatoshi.com)
Reference
Failure observed in production: