
Commit 478cd4d

juanky201271 and claude committed
fix: nym TLS works on Android (OCSP bypass) + logger init reliability
Three coupled changes to make Nym wallet open work end-to-end on Android.

Why Nym was broken on Android only
----------------------------------
reqwest's `rustls` feature pulls in `rustls-platform-verifier`, which on Android routes every TLS handshake through `CertPathValidator`. Let's Encrypt has been removing the OCSP responder URL from its certificates through 2024-2025; when the platform verifier hits one of those certs (validator.nymtech.net is one), Android raises a CertPathValidatorException("Certificate does not specify OCSP responder") *before* the SOFT_FAIL revocation option can take effect, and the chain hard-fails as "Revoked".

iOS and CLI builds are unaffected because they use SecTrust / webpki-roots respectively, which tolerate the missing OCSP info.

The fix lives in the upstream branches we now consume:

  * zingolabs/nym @ nym_wallet_poc_2_1-zingo-mobile-fix — patches the nym-http-api-client `default_builder()` to install a preconfigured rustls ClientConfig backed by webpki-roots, gated behind `cfg(target_os = "android")`. Covers all Nym-internal HTTP clients (notably the gateway fetch in nym-client-core::init::helpers).
  * zingolabs/zingo-common @ chore/echo-server-zingo-mobile-fix — pins to the above nym branch and also explicitly overrides TLS in NymProxy::discover_providers.

Upstream context: rustls/rustls-platform-verifier#179

Why we couldn't see any of this in logcat (separate bug, fixed here)
--------------------------------------------------------------------
android_logger 0.11 silently failed to register as the global `log` logger on this Android version — `log::error!` calls went into the void, making the Nym failure invisible from logcat. Bumped to 0.14 (API change: with_min_level(Level) -> with_max_level(LevelFilter)), which registers correctly.

While at it, the previous filter spec "debug,hello::crate=zingolib" was malformed (`hello::crate` was a stale example module name and `zingolib` is not a valid log level). env_logger silently dropped the invalid directive, so the effective filter was just "debug" — but the surprise was real. Replaced with "debug,zingo=trace,...".

Also moved `android_logger::init_once` into `ensure_android_logger`, guarded by `Once`, and called it from `with_panic_guard`. This way every FFI entry point sets the logger up on its first invocation, independent of whether JS calls `RPCModule.initLogging` first. The existing `init_logging` FFI is now a no-op kept for backwards compatibility with Kotlin's RPCModule.

Logs from Rust now appear under tag `zingo_rs`. Filter with:

    adb logcat -s zingo_rs:V

Cleanup
-------
The two stray `let _ = rustls::crypto::ring::default_provider().install_default();` calls inside init_new and get_latest_block_server are gone — JS already calls `RPCModule.setCryptoDefaultProvider` at boot, which exposes the same uniffi function, so those inline calls were redundant.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent d93648e commit 478cd4d

3 files changed

Lines changed: 1784 additions & 349 deletions
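
The commit message describes a filter spec whose invalid directive was dropped without notice. The following is an added example, not code from this commit or from env_logger: a simplified model of env_logger-style directive parsing that reports which directives take effect and which are discarded. `audit_spec`, `parse_level` and `Level` are hypothetical names introduced here.

```rust
// Simplified model of env_logger-style filter parsing (an assumption of this
// example, not env_logger's source): directives are comma-separated, each is
// either `level`, `target`, or `target=level`.
#[derive(Debug, PartialEq)]
pub enum Level { Off, Error, Warn, Info, Debug, Trace }

fn parse_level(s: &str) -> Option<Level> {
    match s.to_ascii_lowercase().as_str() {
        "off" => Some(Level::Off),
        "error" => Some(Level::Error),
        "warn" => Some(Level::Warn),
        "info" => Some(Level::Info),
        "debug" => Some(Level::Debug),
        "trace" => Some(Level::Trace),
        _ => None,
    }
}

/// Returns (accepted directives, rejected directives). A `None` target is the
/// global default level.
pub fn audit_spec(spec: &str) -> (Vec<(Option<String>, Level)>, Vec<String>) {
    let (mut ok, mut bad) = (Vec::new(), Vec::new());
    for d in spec.split(',').map(str::trim).filter(|d| !d.is_empty()) {
        let parts: Vec<&str> = d.split('=').map(str::trim).collect();
        match parts.as_slice() {
            // Bare word: a level name sets the default, anything else is a target at max verbosity.
            [one] => match parse_level(one) {
                Some(l) => ok.push((None, l)),
                None => ok.push((Some(one.to_string()), Level::Trace)),
            },
            [target, ""] => ok.push((Some(target.to_string()), Level::Trace)),
            [target, lvl] => match parse_level(lvl) {
                Some(l) => ok.push((Some(target.to_string()), l)),
                None => bad.push(d.to_string()), // e.g. `hello::crate=zingolib`
            },
            _ => bad.push(d.to_string()),
        }
    }
    (ok, bad)
}

fn main() {
    // Constructed inputs: the malformed spec quoted in the commit message, and
    // the visible prefix of its replacement (the rest is elided on the page).
    for spec in ["debug,hello::crate=zingolib", "debug,zingo=trace"] {
        let (ok, bad) = audit_spec(spec);
        println!("{spec:?}\n  effective: {ok:?}\n  dropped:   {bad:?}");
    }
}
```

Running a check like this over a filter string before shipping it surfaces directives that would otherwise vanish, which matters when the logs are the only view into a failing TLS path.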
