From 94de41b06bd5346da136919b0ce40818d0f1f2d6 Mon Sep 17 00:00:00 2001
From: Angelos Veglektsis
Date: Thu, 30 Apr 2026 20:54:15 +0300
Subject: [PATCH] fix(gl-client): use webpki-roots for cross-platform LNURL TLS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`rustls-tls-native-roots` loads root CAs from the OS at runtime via the `rustls-native-certs` crate. On Android this reads `/system/etc/security/cacerts/`, which silently returns no certs on some Android variants (newer API levels, custom ROMs, restricted- read apps). Every HTTPS request from `LnUrlHttpClearnetClient` then fails with `invalid peer certificate: UnknownIssuer`, breaking Lightning Address resolution and any LNURL flow. Switch to `rustls-tls-webpki-roots`, which compiles Mozilla's CA bundle into the binary. Identical behaviour on every platform, no runtime root-store discovery, no platform-specific code paths. Adds ~250 KB to the binary (Mozilla CA list) — acceptable for a mobile SDK and the standard choice in LDK / BDK / other Rust mobile libs. Trade-off: CA-bundle updates require an SDK release rather than following the OS. In practice CA changes affecting real-world LNURL servers are rare enough that this is a non-issue, and the previous behaviour was outright broken on the affected Android configurations. Refs: rejection observed at runtime as `error trying to connect: invalid peer certificate: UnknownIssuer` when resolving lightning addresses (e.g. walletofsatoshi.com `/.well-known/lnurlp/`).
---
 libs/gl-client/Cargo.toml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/libs/gl-client/Cargo.toml b/libs/gl-client/Cargo.toml
index 9a63085f1..3e1ebcc6f 100644
--- a/libs/gl-client/Cargo.toml
+++ b/libs/gl-client/Cargo.toml
@@ -34,9 +34,22 @@ picky-asn1-der = "0.4"
 pin-project = "1.1.5"
 prost = "0.12"
 prost-derive = "0.12"
+# `rustls-tls-webpki-roots` compiles Mozilla's CA bundle into the
+# binary. Identical TLS behaviour on every platform — Android, iOS,
+# desktop — with no runtime OS root-store discovery. We previously
+# used `rustls-tls-native-roots`, which silently returned an empty
+# cert set on some Android variants and broke every HTTPS request
+# from `LnUrlHttpClearnetClient` with `UnknownIssuer`.
+#
+# When bumping reqwest to 0.12+, switch to `rustls-platform-verifier`
+# instead. It uses Android's `KeyStore` (via JNI), iOS's `SecTrust`,
+# and the Windows / macOS native verifiers — strictly better than
+# either webpki-roots (CA updates follow OS) or native-roots (no
+# discovery breakage). Requires reqwest >= 0.12, which we don't have
+# on this 0.11 line.
 reqwest = { version = "^0.11", features = [
     "json",
-    "rustls-tls-native-roots",
+    "rustls-tls-webpki-roots",
 ], default-features = false }
 ring = "~0.16.20"
 runeauth = "0.1"
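Review bot: The new comment above `reqwest` says the switch gives "Identical TLS behaviour on every platform" but omits the one behaviour change an operator needs to know: with `rustls-tls-webpki-roots` only the compiled-in Mozilla bundle is consulted, so an LNURL endpoint fronted by a user- or MDM-installed CA that the OS trusts (enterprise TLS proxies, private CAs) will now be rejected where `rustls-tls-native-roots` typically accepted it on desktop. The history paragraph ("We previously used …") duplicates the commit message and will age badly in Cargo.toml; the in-file comment is better limited to the current trust contract and the follow-up. I would replace that paragraph with `# Trust anchors are the compiled-in Mozilla bundle only: OS/user-installed CAs are not consulted, and the bundle changes only when webpki-roots is bumped in Cargo.lock, so refresh the lockfile on each release.` In the second paragraph, "strictly better" should be hedged — `rustls-platform-verifier` trades deterministic cross-platform trust for per-OS verifier behaviour, which is exactly the class of variation this commit is removing.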