Commit 478cd4d
fix: nym TLS works on Android (OCSP bypass) + logger init reliability

Three coupled changes to make Nym wallet open work end-to-end on Android.

Why Nym was broken on Android only
----------------------------------
reqwest's `rustls` feature pulls in `rustls-platform-verifier`, which on
Android routes every TLS handshake through `CertPathValidator`. Let's
Encrypt has been removing the OCSP responder URL from its certificates
through 2024-2025; when the platform verifier hits one of those certs
(validator.nymtech.net is one), Android raises a
CertPathValidatorException("Certificate does not specify OCSP responder")
*before* the SOFT_FAIL revocation option can take effect, and the chain
hard-fails as "Revoked". iOS and CLI builds are unaffected because they
use SecTrust / webpki-roots respectively, which tolerate the missing
OCSP info.

The fix lives in the upstream branches we now consume:

  * zingolabs/nym @ nym_wallet_poc_2_1-zingo-mobile-fix — patches the
    nym-http-api-client `default_builder()` to install a preconfigured
    rustls ClientConfig backed by webpki-roots, gated behind
    `cfg(target_os = "android")`. Covers all Nym-internal HTTP clients
    (notably the gateway fetch in nym-client-core::init::helpers).
  * zingolabs/zingo-common @ chore/echo-server-zingo-mobile-fix —
    pins to the above nym branch and also explicitly overrides TLS in
    NymProxy::discover_providers.

Upstream context: rustls/rustls-platform-verifier#179

Why we couldn't see any of this in logcat (separate bug, fixed here)
--------------------------------------------------------------------
android_logger 0.11 silently failed to register as the global `log`
logger on this Android version — `log::error!` calls went into the
void, making the Nym failure invisible from logcat. Bumped to 0.14
(API change: with_min_level(Level) -> with_max_level(LevelFilter)),
which registers correctly.

While at it, the previous filter spec "debug,hello::crate=zingolib"
was malformed (`hello::crate` was a stale example module name and
`zingolib` is not a valid log level). env_logger silently dropped the
invalid directive, so the effective filter was just "debug" — but the
surprise was real. Replaced with "debug,zingo=trace,...".

Also moved `android_logger::init_once` into `ensure_android_logger`,
guarded by `Once`, and called it from `with_panic_guard`. This way
every FFI entry point sets the logger up on its first invocation,
independent of whether JS calls `RPCModule.initLogging` first. The
existing `init_logging` FFI is now a no-op kept for backwards
compatibility with Kotlin's RPCModule.

Logs from Rust now appear under tag `zingo_rs`. Filter with:

    adb logcat -s zingo_rs:V

Cleanup
-------
The two stray `let _ = rustls::crypto::ring::default_provider()
.install_default();` calls inside init_new and get_latest_block_server
are gone — JS already calls `RPCModule.setCryptoDefaultProvider` at
boot, which exposes the same uniffi function, so those inline calls
were redundant.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

1 parent d93648e commit 478cd4d
3 files changed
Lines changed: 1784 additions & 349 deletions
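
The filter-spec pitfall described in the commit message, as an added example that is not part of the commit or the project's code: a simplified, std-only model of how env_logger-style directives are parsed, which reports directives that would be silently ignored. `Directive`, `lint_filter_spec` and `dropped_directives` are hypothetical names, the `/regex` suffix is not modelled, and the sample specs are constructed from the strings quoted above.

```rust
// Added example: simplified model of env_logger-style filter parsing.
// Names here are hypothetical; this is not env_logger's API.
const LEVELS: [&str; 6] = ["off", "error", "warn", "info", "debug", "trace"];

#[derive(Debug, PartialEq)]
enum Directive {
    Global(String),         // bare level, e.g. "debug"
    Module(String, String), // "module=level", e.g. "zingo=trace"
    ModuleAll(String),      // bare "module" or "module=": every level enabled
    Dropped(String),        // unparseable: the logger would ignore it
}

fn is_level(s: &str) -> bool {
    LEVELS.iter().any(|l| l.eq_ignore_ascii_case(s))
}

fn lint_filter_spec(spec: &str) -> Vec<Directive> {
    spec.split(',')
        .map(str::trim)
        .filter(|d| !d.is_empty())
        .map(|d| {
            let mut parts = d.splitn(3, '=').map(str::trim);
            match (parts.next(), parts.next(), parts.next()) {
                (Some(one), None, _) if is_level(one) => Directive::Global(one.to_lowercase()),
                (Some(one), None, _) => Directive::ModuleAll(one.to_string()),
                (Some(m), Some(""), None) => Directive::ModuleAll(m.to_string()),
                (Some(m), Some(l), None) if is_level(l) => {
                    Directive::Module(m.to_string(), l.to_lowercase())
                }
                _ => Directive::Dropped(d.to_string()),
            }
        })
        .collect()
}

// Directives worth failing a build or startup check on.
fn dropped_directives(spec: &str) -> Vec<String> {
    lint_filter_spec(spec)
        .into_iter()
        .filter_map(|d| match d { Directive::Dropped(s) => Some(s), _ => None })
        .collect()
}

fn main() {
    // Old spec quoted in the commit message; constructed check, not project code.
    for d in lint_filter_spec("debug,hello::crate=zingolib") {
        println!("{:?}", d);
    }
}
```

Running a check like this over the filter string in CI turns a silently ignored directive into a visible failure instead of a gap in logcat.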