Skip to content

Fix iOS Certificate Validation Issue for Tendermint Balance Streaming #2674

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
onur-ozkan merged 4 commits into from
Oct 31, 2025
Merged

Fix iOS Certificate Validation Issue for Tendermint Balance Streaming #2674

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
f5f07b5
use webpki roots for rustls
smk762 Oct 31, 2025
b1f1e42
isolate webpki dep update to ios only
smk762 Oct 31, 2025
de15469
add platform specific certificate validation
ca333 Oct 31, 2025
246f1df
fmt tcp_stream.rs
ca333 Oct 31, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -197,7 +197,7 @@ time = "0.3.36"
timed-map = { version = "1.5", features = ["rustc-hash", "serde", "wasm"] }
tokio = { version = "1.47", default-features = false }
tokio-rustls = { version = "0.24", default-features = false }
tokio-tungstenite-wasm = { git = "https://github.com/KomodoPlatform/tokio-tungstenite-wasm", rev = "8fc7e2f", default-features = false, features = ["rustls-tls-native-roots"]}
tokio-tungstenite-wasm = { git = "https://github.com/KomodoPlatform/tokio-tungstenite-wasm", rev = "8fc7e2f", default-features = false }
tonic = { version = "0.10", default-features = false }
tonic-build = { version = "0.10", default-features = false, features = ["prost"] }
tower-service = "0.3"
Expand Down
14 changes: 12 additions & 2 deletions mm2src/coins/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -118,7 +118,6 @@ sha3.workspace = true
utxo_signer = { path = "utxo_signer" }
# using the same version as cosmrs
tendermint-rpc.workspace = true
tokio-tungstenite-wasm = { workspace = true, features = ["rustls-tls-native-roots"]}
url.workspace = true
uuid.workspace = true
# One of web3 dependencies is the old `tokio-uds 0.1.7` which fails cross-compiling to ARM.
Expand Down Expand Up @@ -176,13 +175,24 @@ timed-map = { workspace = true, features = ["rustc-hash"] }
tokio.workspace = true
tokio-rustls.workspace = true
tonic = { workspace = true, features = ["codegen", "prost", "gzip", "tls", "tls-webpki-roots"] }
webpki-roots.workspace = true
zcash_client_sqlite.workspace = true
zcash_proofs = { workspace = true, features = ["local-prover", "multicore"] }

[target.'cfg(all(not(target_arch = "wasm32"), not(target_os = "ios")))'.dependencies]
webpki-roots.workspace = true

[target.'cfg(windows)'.dependencies]
winapi.workspace = true

# iOS-specific dependencies to fix certificate validation issues with Let's Encrypt ECDSA certificates
[target.'cfg(target_os = "ios")'.dependencies]
Copy link
Copy Markdown

@ca333 ca333 Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

since we re adding this as a iOS specific override this means both are active since rustls-tls-native-roots is enabled by the gen dependency. so if we want to differentiate platform wise we d need "per target" sections for diff. between native and webpki.

alternatively (how i tested in a local fix): we just update it to webpki globally cc @onur-ozkan whats preferred / more solid from?

Copy link
Copy Markdown

@onur-ozkan onur-ozkan Oct 31, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we must use webpki for IOS, I suggest doing it for IOS only and keep native roots for others (as we have no issues with it, at least so far?). Relying on OS roots are better than relying on the roots that are bundled with the dependency which will not be updated for a quite long time (we don't update our deps very often).

Copy link
Copy Markdown

@ca333 ca333 Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks - will update this PR accordingly to handle it platform-specific shortly and keep the native everywhere else as there weren't any issues with it (yet)

tokio-tungstenite-wasm = { workspace = true, features = ["rustls-tls-webpki-roots"] }
webpki-roots = "0.26"

# Non-iOS platforms use native certificate roots
[target.'cfg(not(target_os = "ios"))'.dependencies]
tokio-tungstenite-wasm = { workspace = true, features = ["rustls-tls-native-roots"] }

[dev-dependencies]
mm2_test_helpers = { path = "../mm2_test_helpers" }
mocktopus.workspace = true
Expand Down
10 changes: 10 additions & 0 deletions mm2src/coins/utxo/rpc_clients/electrum_rpc/tcp_stream.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,16 @@ impl rustls::client::ServerCertVerifier for NoCertificateVerification {
fn rustls_client_config(unsafe_conf: bool) -> Arc<ClientConfig> {
let mut cert_store = RootCertStore::empty();

#[cfg(target_os = "ios")]
cert_store.add_trust_anchors(TLS_SERVER_ROOTS.iter().map(|ta| {
OwnedTrustAnchor::from_subject_spki_name_constraints(
ta.subject.to_vec(),
ta.subject_public_key_info.to_vec(),
ta.name_constraints.as_ref().map(|nc| nc.to_vec()),
)
}));

#[cfg(not(target_os = "ios"))]
cert_store.add_trust_anchors(
TLS_SERVER_ROOTS
.iter()
Expand Down
Loading