ethereum-mining / ethminer

Ethereum miner with OpenCL, CUDA and stratum support
GNU General Public License v3.0

How to disable certificate verification? Is it deprecated? #1629

Closed redred77 closed 5 years ago

redred77 commented 5 years ago

Is your feature request related to a problem? Please describe.

I want to connect via ssl but certificate verification is the problem.

Describe the solution you'd like

I just want to skip that verification.

Describe alternatives you've considered

I could find some comments and discussions but anything works for latest version.

https://github.com/ethereum-mining/ethminer/blob/master/libpoolprotocols/stratum/EthStratumClient.cpp#L571 "* Disable certificate verification all-together via command-line option.";

What is the option for this? Is it deprecated?


smurfy commented 5 years ago

The option was lost by a refactor. But it makes sense, in my opinion, to re-add a way.

AndreaLanfranchi commented 5 years ago

Agree ... may be useful for controlled environments with self-signed certificates.

AndreaLanfranchi commented 5 years ago

@redred77 could you please clarify whether you're experiencing problems with public pools or if you're trying to connect to some self-signed certificate? Exactly which is the issue?

redred77 commented 5 years ago

@AndreaLanfranchi I want to connect to miningpoolhub.com. miningpoolhub's all mining ports are compatible with ssl(tls) connections but it's self-signed.

AndreaLanfranchi commented 5 years ago

@redred77 I'm not sure about your statement. The site miningpoolhub.com has a public valid certificate. Nevertheless I can't see on their site any indication about ssl/tls ports for stratum mining.

> miningpoolhub's all mining ports are compatible with ssl(tls)

This makes no sense to me: a port can be either protected or not protected ... a port can't be both.

miningpoolhub commented 5 years ago

@AndreaLanfranchi Hi This is miningpoolhub. We use some trick to distinguish secure/normal connection attempts and allocate appropriate socket for each of them. About a year ago we tried to support zcash miner's tls connection and applied this trick to all ports. Currently, "us-east.ethash-hub.miningpoolhub.com:20535" port supports both normal and secure connection for ethereum mining. This works well with claymore -checkert 0 option. (Actually no miner checked certification at that time, so we used self signed)

Website uses cloudflare's certification. We haven't applied public valid certification to mining ports. I think it's good to enable that option.
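One common way to tell secure and normal connection attempts apart on a single port, as an added example that is not part of this thread and not miningpoolhub's code: peek at the first bytes and check for a TLS ClientHello record versus the opening brace of a plaintext stratum JSON-RPC line. The function names, the peek length and the sample inputs are assumptions made for this sketch.

```python
import json
import socket

TLS_HANDSHAKE = 0x16   # TLS record content type "handshake"
CLIENT_HELLO = 0x01    # handshake message type
PEEK_LEN = 6           # 5-byte record header + handshake type byte


def classify(prefix: bytes) -> str:
    """Classify a client's first bytes: 'tls', 'plain', 'unknown' or 'need-more'."""
    if not prefix:
        return "need-more"
    if prefix[0] == TLS_HANDSHAKE:
        if len(prefix) < PEEK_LEN:
            return "need-more"
        # SSL 3.0 through TLS 1.3 all use major version 3 in the record header.
        if prefix[1] == 0x03 and prefix[5] == CLIENT_HELLO:
            return "tls"
        return "unknown"
    # Stratum is line-delimited JSON-RPC, so a plaintext client opens with '{'.
    stripped = prefix.lstrip(b" \t\r\n")
    if not stripped:
        return "need-more"
    return "plain" if stripped[:1] == b"{" else "unknown"


def peek_and_classify(conn: socket.socket) -> str:
    """Inspect without consuming, so the chosen handler still sees every byte."""
    return classify(conn.recv(PEEK_LEN, socket.MSG_PEEK))


def demo() -> dict:
    # Constructed samples: a ClientHello record prefix and a stratum subscribe line.
    subscribe = {"id": 1, "method": "mining.subscribe", "params": []}
    samples = {
        "tls": bytes([0x16, 0x03, 0x01, 0x02, 0x00, 0x01, 0x00, 0x01, 0xFC]),
        "plain": json.dumps(subscribe).encode() + b"\n",
    }
    results = {}
    for name, payload in samples.items():
        client, server = socket.socketpair()
        try:
            client.sendall(payload)
            results[name] = peek_and_classify(server)
        finally:
            client.close()
            server.close()
    return results


if __name__ == "__main__":
    print(demo())
```

Because a port handled this way answers both kinds of client, the port number alone does not tell a miner whether its session is encrypted; that depends on how the client itself is configured.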

AndreaLanfranchi commented 5 years ago

@miningpoolhub interesting to hear. This means, I guess, you implemented an intermediate layer (a proxy) to identify plain vs encrypted connections and eventually redirect to effective port.

I personally strongly discourage the override of certificate chain validation as it silently exposes users to risks like spoofing and ip redirect: certificate validation is there to ensure both endpoints are what they're meant to be.

Nevertheless the option has been re-enabled. Hope you'll implement public certificate validation soon.

Regards.

StefanOberhumer commented 5 years ago

@miningpoolhub Using letsencrypt would cost no coin :wink: - maybe you can use it? (Knowing the certificate has "only" a ~3 month valid time)

miningpoolhub commented 5 years ago

@AndreaLanfranchi Yeah it's similar. Little trick but makes things less confusing for users. I understand and agree the need of certificate validation in security point. But actually I couldn't see some serious demand for this feature because nobody asked about this before.

@StefanOberhumer Thank you for the info. I knew letsencrypt but a bit lazy to implement it. I'll look into it. Or maybe I'll purchase other simple traditional one.

AndreaLanfranchi commented 5 years ago

Solved by PR #1630