Added RPC-SSL support for Monero node connections

.github/workflows/test-sync.yml

@@ -33,7 +33,7 @@ jobs:
     - name: Build libcurl
       run: |
         cd external/src/curl
-        cmake . -DCMAKE_C_COMPILER=gcc-12 -DCMAKE_C_FLAGS='-fsanitize=thread -Og -fno-omit-frame-pointer -g' -DBUILD_CURL_EXE=OFF -DBUILD_SHARED_LIBS=OFF -DCURL_DISABLE_INSTALL=ON -DCURL_ENABLE_EXPORT_TARGET=OFF -DCURL_DISABLE_HEADERS_API=ON -DCURL_DISABLE_BINDLOCAL=ON -DBUILD_LIBCURL_DOCS=OFF -DBUILD_MISC_DOCS=OFF -DENABLE_CURL_MANUAL=OFF -DCURL_ZLIB=OFF -DCURL_DISABLE_ALTSVC=ON -DCURL_DISABLE_COOKIES=ON -DCURL_DISABLE_DOH=ON -DCURL_DISABLE_GETOPTIONS=ON -DCURL_DISABLE_HSTS=ON -DCURL_DISABLE_LIBCURL_OPTION=ON -DCURL_DISABLE_MIME=ON -DCURL_DISABLE_NETRC=ON -DCURL_DISABLE_NTLM=ON -DCURL_DISABLE_PARSEDATE=ON -DCURL_DISABLE_PROGRESS_METER=ON -DCURL_DISABLE_SHUFFLE_DNS=ON -DCURL_DISABLE_SOCKETPAIR=ON -DCURL_DISABLE_VERBOSE_STRINGS=ON -DHTTP_ONLY=ON -DCURL_ENABLE_SSL=OFF -DUSE_LIBIDN2=OFF -DCURL_USE_LIBPSL=OFF -DCURL_USE_LIBSSH2=OFF -DENABLE_UNIX_SOCKETS=OFF -DCURL_DISABLE_TESTS=ON -DUSE_NGHTTP2=OFF -DBUILD_EXAMPLES=OFF
+        cmake . -DCMAKE_C_COMPILER=gcc-12 -DCMAKE_C_FLAGS='-fsanitize=thread -Og -fno-omit-frame-pointer -g' -DBUILD_CURL_EXE=OFF -DBUILD_SHARED_LIBS=OFF -DCURL_DISABLE_INSTALL=ON -DCURL_ENABLE_EXPORT_TARGET=OFF -DCURL_DISABLE_HEADERS_API=ON -DCURL_DISABLE_BINDLOCAL=ON -DBUILD_LIBCURL_DOCS=OFF -DBUILD_MISC_DOCS=OFF -DENABLE_CURL_MANUAL=OFF -DCURL_ZLIB=OFF -DCURL_DISABLE_ALTSVC=ON -DCURL_DISABLE_COOKIES=ON -DCURL_DISABLE_DOH=ON -DCURL_DISABLE_GETOPTIONS=ON -DCURL_DISABLE_HSTS=ON -DCURL_DISABLE_LIBCURL_OPTION=ON -DCURL_DISABLE_MIME=ON -DCURL_DISABLE_NETRC=ON -DCURL_DISABLE_NTLM=ON -DCURL_DISABLE_PARSEDATE=ON -DCURL_DISABLE_PROGRESS_METER=ON -DCURL_DISABLE_SHUFFLE_DNS=ON -DCURL_DISABLE_SOCKETPAIR=ON -DCURL_DISABLE_VERBOSE_STRINGS=ON -DHTTP_ONLY=ON -DCURL_ENABLE_SSL=OFF -DUSE_LIBIDN2=OFF -DCURL_USE_LIBPSL=OFF -DCURL_USE_LIBSSH2=OFF -DENABLE_UNIX_SOCKETS=OFF -DCURL_DISABLE_TESTS=ON -DUSE_NGHTTP2=OFF -DBUILD_EXAMPLES=OFF -DP2POOL_BORINGSSL=ON -DOPENSSL_INCLUDE_DIR=../grpc/third_party/boringssl-with-bazel/src/include
         make -j$(nproc)
         cd lib && mkdir .libs && cp libcurl.a .libs
 
@@ -119,7 +119,7 @@ jobs:
     - name: Build libcurl
       run: |
         cd external/src/curl
-        cmake . -DCMAKE_C_COMPILER=clang-19 -DCMAKE_C_FLAGS='-fsanitize=memory -fsanitize-recover -fsanitize-memory-track-origins -Og -fno-omit-frame-pointer -g' -DBUILD_CURL_EXE=OFF -DBUILD_SHARED_LIBS=OFF -DCURL_DISABLE_INSTALL=ON -DCURL_ENABLE_EXPORT_TARGET=OFF -DCURL_DISABLE_HEADERS_API=ON -DCURL_DISABLE_BINDLOCAL=ON -DBUILD_LIBCURL_DOCS=OFF -DBUILD_MISC_DOCS=OFF -DENABLE_CURL_MANUAL=OFF -DCURL_ZLIB=OFF -DCURL_DISABLE_ALTSVC=ON -DCURL_DISABLE_COOKIES=ON -DCURL_DISABLE_DOH=ON -DCURL_DISABLE_GETOPTIONS=ON -DCURL_DISABLE_HSTS=ON -DCURL_DISABLE_LIBCURL_OPTION=ON -DCURL_DISABLE_MIME=ON -DCURL_DISABLE_NETRC=ON -DCURL_DISABLE_NTLM=ON -DCURL_DISABLE_PARSEDATE=ON -DCURL_DISABLE_PROGRESS_METER=ON -DCURL_DISABLE_SHUFFLE_DNS=ON -DCURL_DISABLE_SOCKETPAIR=ON -DCURL_DISABLE_VERBOSE_STRINGS=ON -DHTTP_ONLY=ON -DCURL_ENABLE_SSL=OFF -DUSE_LIBIDN2=OFF -DCURL_USE_LIBPSL=OFF -DCURL_USE_LIBSSH2=OFF -DENABLE_UNIX_SOCKETS=OFF -DCURL_DISABLE_TESTS=ON -DUSE_NGHTTP2=OFF -DBUILD_EXAMPLES=OFF
+        cmake . -DCMAKE_C_COMPILER=clang-19 -DCMAKE_C_FLAGS='-fsanitize=memory -fsanitize-recover -fsanitize-memory-track-origins -Og -fno-omit-frame-pointer -g' -DBUILD_CURL_EXE=OFF -DBUILD_SHARED_LIBS=OFF -DCURL_DISABLE_INSTALL=ON -DCURL_ENABLE_EXPORT_TARGET=OFF -DCURL_DISABLE_HEADERS_API=ON -DCURL_DISABLE_BINDLOCAL=ON -DBUILD_LIBCURL_DOCS=OFF -DBUILD_MISC_DOCS=OFF -DENABLE_CURL_MANUAL=OFF -DCURL_ZLIB=OFF -DCURL_DISABLE_ALTSVC=ON -DCURL_DISABLE_COOKIES=ON -DCURL_DISABLE_DOH=ON -DCURL_DISABLE_GETOPTIONS=ON -DCURL_DISABLE_HSTS=ON -DCURL_DISABLE_LIBCURL_OPTION=ON -DCURL_DISABLE_MIME=ON -DCURL_DISABLE_NETRC=ON -DCURL_DISABLE_NTLM=ON -DCURL_DISABLE_PARSEDATE=ON -DCURL_DISABLE_PROGRESS_METER=ON -DCURL_DISABLE_SHUFFLE_DNS=ON -DCURL_DISABLE_SOCKETPAIR=ON -DCURL_DISABLE_VERBOSE_STRINGS=ON -DHTTP_ONLY=ON -DCURL_ENABLE_SSL=OFF -DUSE_LIBIDN2=OFF -DCURL_USE_LIBPSL=OFF -DCURL_USE_LIBSSH2=OFF -DENABLE_UNIX_SOCKETS=OFF -DCURL_DISABLE_TESTS=ON -DUSE_NGHTTP2=OFF -DBUILD_EXAMPLES=OFF -DP2POOL_BORINGSSL=ON -DOPENSSL_INCLUDE_DIR=../grpc/third_party/boringssl-with-bazel/src/include
         make -j$(nproc)
         cd lib && mkdir .libs && cp libcurl.a .libs
 
@@ -283,7 +283,7 @@ jobs:
     - name: Build libcurl
       run: |
         cd external/src/curl
-        cmake . -DCMAKE_C_COMPILER="$(brew --prefix llvm@15)/bin/clang" -DCMAKE_AR="$(brew --prefix llvm@15)/bin/llvm-ar" -DCMAKE_RANLIB="$(brew --prefix llvm@15)/bin/llvm-ranlib" -DCMAKE_C_FLAGS="${{ matrix.config.flags }}" -DBUILD_CURL_EXE=OFF -DBUILD_SHARED_LIBS=OFF -DCURL_DISABLE_INSTALL=ON -DCURL_ENABLE_EXPORT_TARGET=OFF -DCURL_DISABLE_HEADERS_API=ON -DCURL_DISABLE_BINDLOCAL=ON -DBUILD_LIBCURL_DOCS=OFF -DBUILD_MISC_DOCS=OFF -DENABLE_CURL_MANUAL=OFF -DCURL_ZLIB=OFF -DCURL_DISABLE_ALTSVC=ON -DCURL_DISABLE_COOKIES=ON -DCURL_DISABLE_DOH=ON -DCURL_DISABLE_GETOPTIONS=ON -DCURL_DISABLE_HSTS=ON -DCURL_DISABLE_LIBCURL_OPTION=ON -DCURL_DISABLE_MIME=ON -DCURL_DISABLE_NETRC=ON -DCURL_DISABLE_NTLM=ON -DCURL_DISABLE_PARSEDATE=ON -DCURL_DISABLE_PROGRESS_METER=ON -DCURL_DISABLE_SHUFFLE_DNS=ON -DCURL_DISABLE_SOCKETPAIR=ON -DCURL_DISABLE_VERBOSE_STRINGS=ON -DHTTP_ONLY=ON -DCURL_ENABLE_SSL=OFF -DUSE_LIBIDN2=OFF -DCURL_USE_LIBPSL=OFF -DCURL_USE_LIBSSH2=OFF -DENABLE_UNIX_SOCKETS=OFF -DCURL_DISABLE_TESTS=ON -DUSE_NGHTTP2=OFF -DBUILD_EXAMPLES=OFF
+        cmake . -DCMAKE_C_COMPILER="$(brew --prefix llvm@15)/bin/clang" -DCMAKE_AR="$(brew --prefix llvm@15)/bin/llvm-ar" -DCMAKE_RANLIB="$(brew --prefix llvm@15)/bin/llvm-ranlib" -DCMAKE_C_FLAGS="${{ matrix.config.flags }}" -DBUILD_CURL_EXE=OFF -DBUILD_SHARED_LIBS=OFF -DCURL_DISABLE_INSTALL=ON -DCURL_ENABLE_EXPORT_TARGET=OFF -DCURL_DISABLE_HEADERS_API=ON -DCURL_DISABLE_BINDLOCAL=ON -DBUILD_LIBCURL_DOCS=OFF -DBUILD_MISC_DOCS=OFF -DENABLE_CURL_MANUAL=OFF -DCURL_ZLIB=OFF -DCURL_DISABLE_ALTSVC=ON -DCURL_DISABLE_COOKIES=ON -DCURL_DISABLE_DOH=ON -DCURL_DISABLE_GETOPTIONS=ON -DCURL_DISABLE_HSTS=ON -DCURL_DISABLE_LIBCURL_OPTION=ON -DCURL_DISABLE_MIME=ON -DCURL_DISABLE_NETRC=ON -DCURL_DISABLE_NTLM=ON -DCURL_DISABLE_PARSEDATE=ON -DCURL_DISABLE_PROGRESS_METER=ON -DCURL_DISABLE_SHUFFLE_DNS=ON -DCURL_DISABLE_SOCKETPAIR=ON -DCURL_DISABLE_VERBOSE_STRINGS=ON -DHTTP_ONLY=ON -DCURL_ENABLE_SSL=OFF -DUSE_LIBIDN2=OFF -DCURL_USE_LIBPSL=OFF -DCURL_USE_LIBSSH2=OFF -DENABLE_UNIX_SOCKETS=OFF -DCURL_DISABLE_TESTS=ON -DUSE_NGHTTP2=OFF -DBUILD_EXAMPLES=OFF -DP2POOL_BORINGSSL=ON -DOPENSSL_INCLUDE_DIR=../grpc/third_party/boringssl-with-bazel/src/include
         make -j4
         cd lib && mkdir .libs && cp libcurl.a .libs
 

CMakeLists.txt

@@ -238,8 +238,13 @@ if (CMAKE_CXX_COMPILER_ID MATCHES MSVC)
 	find_library(ZMQ_LIBRARY NAMES libzmq-v142-mt-s-4_3_6 PATHS "external/lib/libzmq/Release")
 	find_library(UV_LIBRARY_DEBUG NAMES libuv PATHS "external/lib/libuv/Debug")
 	find_library(UV_LIBRARY NAMES libuv PATHS "external/lib/libuv/Release")
-	find_library(CURL_LIBRARY_DEBUG NAMES libcurl-d PATHS "external/lib/libcurl/Debug")
-	find_library(CURL_LIBRARY NAMES libcurl PATHS "external/lib/libcurl/Release")
+	if (WITH_TLS)
+		find_library(CURL_LIBRARY_DEBUG NAMES libcurl-d PATHS "external/lib/libcurl_tls/Debug")
+		find_library(CURL_LIBRARY NAMES libcurl PATHS "external/lib/libcurl_tls/Release")
+	else()
+		find_library(CURL_LIBRARY_DEBUG NAMES libcurl-d PATHS "external/lib/libcurl/Debug")
+		find_library(CURL_LIBRARY NAMES libcurl PATHS "external/lib/libcurl/Release")
+	endif()
 	add_definitions(-D_DISABLE_VECTOR_ANNOTATION)
 	add_definitions(-D_DISABLE_STRING_ANNOTATION)
 elseif (CMAKE_CXX_COMPILER_ID MATCHES GNU OR CMAKE_CXX_COMPILER_ID MATCHES Clang)

cmake/flags.cmake

@@ -17,7 +17,7 @@ if (CMAKE_CXX_COMPILER_ID MATCHES GNU)
 		set(GENERAL_FLAGS "${GENERAL_FLAGS} -fno-omit-frame-pointer -fsanitize=address")
 	endif()
 
-	set(WARNING_FLAGS "-Wall -Wextra -Wcast-qual -Wlogical-op -Wundef -Wformat=2 -Wpointer-arith -Werror")
+	set(WARNING_FLAGS "-Wall -Wextra -Wcast-qual -Wlogical-op -Wundef -Wformat=2 -Wpointer-arith -Werror -Wno-error=inline")
 
 	if (CMAKE_CXX_COMPILER_VERSION VERSION_GREATER 7.5.0)
 		set(WARNING_FLAGS "${WARNING_FLAGS} -Wstrict-overflow=2")

docs/COMMAND_LINE.MD

@@ -1,41 +1,43 @@
 ### P2Pool command line options
 
 ```
---wallet             Wallet address to mine to. Subaddresses and integrated addresses are not supported!
---host               IP address of your Monero node, default is 127.0.0.1
---rpc-port           monerod RPC API port number, default is 18081
---zmq-port           monerod ZMQ pub port number, default is 18083 (same port as in monerod's "--zmq-pub" command line parameter)
---stratum            Comma-separated list of IP:port for stratum server to listen on
---p2p                Comma-separated list of IP:port for p2p server to listen on
---addpeers           Comma-separated list of IP:port of other p2pool nodes to connect to
---light-mode         Don't allocate RandomX dataset, saves 2GB of RAM
---loglevel           Verbosity of the log, integer number between 0 and 6
---data-dir           Path to store general p2pool files (log, cache, peer data, etc.), default is current directory
---config             Deprecated, will be removed in the next version. Use --sidechain-config instead
---sidechain-config   Name of the p2pool sidechain parameters file (only use it if you run your own sidechain)
---data-api           Path to the p2pool JSON data (use it in tandem with an external web-server). Not affected by --data-dir setting!
---local-api          Enable /local/ path in api path for Stratum Server and built-in miner statistics
---stratum-api        An alias for --local-api
---no-cache           Disable p2pool.cache
---no-color           Disable colors in console output
---no-randomx         Disable internal RandomX hasher: p2pool will use RPC calls to monerod to check PoW hashes
---out-peers N        Maximum number of outgoing connections for p2p server (any value between 10 and 450)
---in-peers N         Maximum number of incoming connections for p2p server (any value between 10 and 450)
---start-mining N     Start built-in miner using N threads (any value between 1 and 64)
---mini               Connect to p2pool-mini sidechain. Note that it will also change default p2p port from 37889 to 37888
---no-autodiff        Disable automatic difficulty adjustment for miners connected to stratum (WARNING: incompatible with Nicehash and MRR)
---rpc-login          Specify username[:password] required for Monero RPC server
---socks5             Specify IP:port of a SOCKS5 proxy to use for outgoing connections
---no-dns             Disable DNS queries, use only IP addresses to connect to peers (seed node DNS will be unavailable too)
---p2p-external-port  Port number that your router uses for mapping to your local p2p port. Use it if you are behind a NAT and still want to accept incoming connections
---no-upnp            Disable UPnP port forwarding
---no-igd             An alias for --no-upnp
---upnp-stratum       Port forward Stratum port (it's not forwarded by default)
---merge-mine         IP:port and wallet address for another blockchain to merge mine with
---version            Print p2pool's version and build details
---tls-cert file      Load TLS certificate chain from "file" in the PEM format
---tls-cert-key file  Load TLS certificate private key from "file" in the PEM format
---no-stratum-http    Disable HTTP on Stratum ports
+--wallet              Wallet address to mine to. Subaddresses and integrated addresses are not supported!
+--host                IP address of your Monero node, default is 127.0.0.1
+--rpc-port            monerod RPC API port number, default is 18081
+--zmq-port            monerod ZMQ pub port number, default is 18083 (same port as in monerod's "--zmq-pub" command line parameter)
+--stratum             Comma-separated list of IP:port for stratum server to listen on
+--p2p                 Comma-separated list of IP:port for p2p server to listen on
+--addpeers            Comma-separated list of IP:port of other p2pool nodes to connect to
+--light-mode          Don't allocate RandomX dataset, saves 2GB of RAM
+--loglevel            Verbosity of the log, integer number between 0 and 6
+--data-dir            Path to store general p2pool files (log, cache, peer data, etc.), default is current directory
+--config              Deprecated, will be removed in the next version. Use --sidechain-config instead
+--sidechain-config    Name of the p2pool sidechain parameters file (only use it if you run your own sidechain)
+--data-api            Path to the p2pool JSON data (use it in tandem with an external web-server). Not affected by --data-dir setting!
+--local-api           Enable /local/ path in api path for Stratum Server and built-in miner statistics
+--stratum-api         An alias for --local-api
+--no-cache            Disable p2pool.cache
+--no-color            Disable colors in console output
+--no-randomx          Disable internal RandomX hasher: p2pool will use RPC calls to monerod to check PoW hashes
+--out-peers N         Maximum number of outgoing connections for p2p server (any value between 10 and 450)
+--in-peers N          Maximum number of incoming connections for p2p server (any value between 10 and 450)
+--start-mining N      Start built-in miner using N threads (any value between 1 and 64)
+--mini                Connect to p2pool-mini sidechain. Note that it will also change default p2p port from 37889 to 37888
+--no-autodiff         Disable automatic difficulty adjustment for miners connected to stratum (WARNING: incompatible with Nicehash and MRR)
+--rpc-login           Specify username[:password] required for Monero RPC server
+--socks5              Specify IP:port of a SOCKS5 proxy to use for outgoing connections
+--no-dns              Disable DNS queries, use only IP addresses to connect to peers (seed node DNS will be unavailable too)
+--p2p-external-port   Port number that your router uses for mapping to your local p2p port. Use it if you are behind a NAT and still want to accept incoming connections
+--no-upnp             Disable UPnP port forwarding
+--no-igd              An alias for --no-upnp
+--upnp-stratum        Port forward Stratum port (it's not forwarded by default)
+--merge-mine          IP:port and wallet address for another blockchain to merge mine with
+--version             Print p2pool's version and build details
+--tls-cert file       Load TLS certificate chain from "file" in the PEM format
+--tls-cert-key file   Load TLS certificate private key from "file" in the PEM format
+--rpc-ssl             Enable SSL on RPC connections to the Monero node
+--rpc-ssl-fingerprint base64-encoded fingerprint of the Monero node's certificate (optional, use it for certificate pinning)
+--no-stratum-http     Disable HTTP on Stratum ports
 ```
 
 ### Example command line
@@ -48,9 +50,9 @@ p2pool.exe --host 127.0.0.1 --rpc-port 18081 --zmq-port 18083 --wallet YOUR_WALL
 
 You can have multiple hosts in command line. If P2Pool detects that the host it's currently using is down or stuck, it will cycle through hosts until it finds a working one. It will not switch back as long as the current host it found is working.
 
-Each new host uses RPC and zmq-pub port numbers from the previous host (or default 18081/18083 if none were specified). Note that `--rpc-login` is not copied from the previous host, you must specify it for each host that has username/password.
+Each new host uses RPC and zmq-pub port numbers from the previous host (or default 18081/18083 if none were specified). Note that `--rpc-login`, `--rpc-ssl` and `--rpc-ssl-fingerprint` are not copied from the previous host, you must specify it for each host that has username/password or RPC-SSL enabled.
 
-In this example, you have local Monero host running on ports 18081/18083 (RPC/zmq-pub), and several backup hosts running on ports 18089/18084.
+In the following example, you have local Monero host running on ports 18081/18083 (RPC/zmq-pub), and several backup hosts running on ports 18089/18084.
 
 
 ```
@@ -89,3 +91,15 @@ If you want to use your own certificate, please refer to your certificate provid
 Note that you need to use certificate files and `--tls...` parameters to be able to use certificate pinning in XMRig miners that connect to your P2Pool instance.
 
 `--tls-cert` and `--tls-cert-key` parameters must always be used together.
+
+### RPC-SSL
+
+Starting from v4.4, P2Pool supports RPC-SSL connections to Monero nodes. You need to add `--rpc-ssl=enabled` to monerod command line to enable it on Monero side, and `--rpc-ssl` on P2Pool side.
+
+P2Pool supports certificate pinning on RPC-SSL connections. To get your node certificate's fingerprint, run
+
+```
+openssl x509 -in rpc_ssl.crt -pubkey -noout -inform pem | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
+```
+
+where `rpc_ssl.crt` can be found in Monero data directory. By default, it's `/home/username/.bitmonero/rpc_ssl.crt` on Linux and `C:\ProgramData\bitmonero\rpc_ssl.crt` on Windows.