From cbbecdc9cd9b4aed5e01f06fca9f48c2d3626451 Mon Sep 17 00:00:00 2001
From: createkr <228850445+createkr@users.noreply.github.com>
Date: Sat, 4 Apr 2026 15:51:16 +0800
Subject: [PATCH] security: enforce TLS certificate validation by default
---
 rustchain-miner/.env.example | 6 ++++++
 rustchain-miner/README.md | 23 +++++++++++++++++------
 rustchain-miner/src/transport.rs | 29 ++++++++++++++++++++++++-----
 rustchain-wallet/README.md | 13 +++++++++++++
 rustchain-wallet/src/client.rs | 28 +++++++++++++++++++++++-----
 5 files changed, 83 insertions(+), 16 deletions(-)
diff --git a/rustchain-miner/.env.example b/rustchain-miner/.env.example
index dd9f76b44..e5e246123 100644
--- a/rustchain-miner/.env.example
+++ b/rustchain-miner/.env.example
@@ -24,3 +24,9 @@ RUSTCHAIN_NODE_URL=https://50.28.86.131
 # Enable verbose logging (true/false)
 # RUSTCHAIN_VERBOSE=false
+
+# ⚠️ DISABLE TLS CERTIFICATE VALIDATION (DEVELOPMENT ONLY)
+# Setting this to 1 or true disables TLS certificate validation.
+# This is INSECURE and exposes the miner to man-in-the-middle attacks.
+# NEVER use in production or with real mining operations.
+# RUSTCHAIN_DEV_INSECURE_TLS=false
diff --git a/rustchain-miner/README.md b/rustchain-miner/README.md
index fcac99c90..4c4e457ad 100644
--- a/rustchain-miner/README.md
+++ b/rustchain-miner/README.md
@@ -54,6 +54,7 @@ cargo install --path .
 | `RUSTCHAIN_ATTESTATION_TTL` | Attestation TTL in seconds | `580` |
 | `RUSTCHAIN_DRY_RUN` | Enable dry-run mode | `false` |
 | `RUSTCHAIN_VERBOSE` | Enable verbose logging | `false` |
+| `RUSTCHAIN_DEV_INSECURE_TLS` | Disable TLS cert validation (dev only) | `false` |
 ### .env File
@@ -205,12 +206,22 @@ cargo build --release
 ### TLS/SSL Errors
-If you encounter TLS errors on legacy systems:
-
-```bash
-# Use HTTP proxy instead
-./target/release/rustchain-miner --proxy http://192.168.0.160:8089
-```
+TLS certificate validation is **enabled by default**. If you encounter TLS errors
+on legacy systems or local test servers with self-signed certificates, you have
+two options:
+
+1. **Use an HTTP proxy** (recommended for legacy systems):
+ ```bash
+ ./target/release/rustchain-miner --proxy http://192.168.0.160:8089
+ ```
+
+2. **Disable TLS validation** (development only — **INSECURE**):
+ ```bash
+ export RUSTCHAIN_DEV_INSECURE_TLS=1
+ ./target/release/rustchain-miner
+ ```
+ **WARNING**: This disables TLS certificate validation and exposes the miner to
+ **man-in-the-middle attacks**. Never use this in production.
 ### Attestation Failed
diff --git a/rustchain-miner/src/transport.rs b/rustchain-miner/src/transport.rs
index 0c7c3b9b2..95252bf71 100644
--- a/rustchain-miner/src/transport.rs
+++ b/rustchain-miner/src/transport.rs
@@ -14,13 +14,32 @@ pub struct NodeTransport {
 }
 impl NodeTransport {
- /// Create a new transport with the given configuration
+ /// Create a new transport with the given configuration.
+ ///
+ /// By default, TLS certificate validation is **enabled**.
+ /// To disable validation (e.g. for local development against a test server
+ /// with self-signed certificates), set the environment variable
+ /// `RUSTCHAIN_DEV_INSECURE_TLS=1`. This is **strongly discouraged** in
+ /// production — it exposes the miner to man-in-the-middle attacks.
 pub fn new(node_url: String, proxy_url: Option, timeout: Duration) -> crate::Result {
+ let insecure = std::env::var("RUSTCHAIN_DEV_INSECURE_TLS")
+ .map(|v| v == "1" || v.eq_ignore_ascii_case("true"))
+ .unwrap_or(false);
+
+ let builder = Client::builder().timeout(timeout);
+ let builder = if insecure {
+ eprintln!(
+ "WARNING: TLS certificate validation is DISABLED. \
+ This is INSECURE and exposes the miner to man-in-the-middle attacks. \
+ Do NOT use in production. Set via RUSTCHAIN_DEV_INSECURE_TLS=1."
+ );
+ builder.danger_accept_invalid_certs(true)
+ } else {
+ builder
+ };
+
 let transport = Self {
- client: Client::builder()
- .timeout(timeout)
- .danger_accept_invalid_certs(true)
- .build()?,
+ client: builder.build()?,
 node_url: node_url.trim_end_matches('/').to_string(),
 proxy_url: proxy_url.map(|u| u.trim_end_matches('/').to_string()),
 use_proxy: false,
diff --git a/rustchain-wallet/README.md b/rustchain-wallet/README.md
index f780c0e19..e2733c3d1 100644
--- a/rustchain-wallet/README.md
+++ b/rustchain-wallet/README.md
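Review bot: Turning validation on by default is the right move, but the shipped default `RUSTCHAIN_NODE_URL=https://50.28.86.131` in `.env.example` is an IP literal, so unless the node's certificate carries that address as a SAN every default install now fails the handshake and the documented remedy becomes `RUSTCHAIN_DEV_INSECURE_TLS=1`, making the full bypass the path of least resistance. A narrower escape hatch for self-signed test servers is to accept a trust-anchor PEM file (placeholder env name `<CA_FILE_ENV_VAR>`) and pass it to `builder.add_root_certificate(reqwest::Certificate::from_pem(&pem)?)`, which keeps hostname checks intact, and to confine the all-or-nothing bypass to debug builds with `let insecure = cfg!(debug_assertions) && std::env::var("RUSTCHAIN_DEV_INSECURE_TLS")` so a stray variable in a production environment cannot silently downgrade a release binary. The `rustchain-wallet/src/client.rs` hunk introduces the identical block and should get the same treatment; the `proxy_url`/`use_proxy` fields visible here suggest the proxy fallback is plain `http://`, which presumably carries the same exposure and is worth a sentence in the doc comment. `NodeTransport::new` continues past the end of this hunk.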
@@ -156,6 +156,19 @@ rustchain-wallet/
 - File permissions set to 600 on Unix
 - Zeroize-capable key handling
 - Ed25519 signatures on canonical JSON for tamper-proof transactions
+- **TLS certificate validation is enabled by default** for all API connections
+
+### Development TLS Bypass
+
+For local development against test servers with self-signed certificates, you may
+disable TLS validation by setting:
+
+```bash
+export RUSTCHAIN_DEV_INSECURE_TLS=1
+```
+
+**WARNING**: This disables TLS certificate validation and exposes the wallet to
+**man-in-the-middle attacks**. Never use this in production or with real funds.
 ## Dependencies
diff --git a/rustchain-wallet/src/client.rs b/rustchain-wallet/src/client.rs
index 293e0d8cc..defab2a11 100644
--- a/rustchain-wallet/src/client.rs
+++ b/rustchain-wallet/src/client.rs
@@ -66,12 +66,30 @@ pub struct NetworkInfo {
 }
 impl RustChainClient {
- /// Create a new client with the specified API URL
+ /// Create a new client with the specified API URL.
+ ///
+ /// By default, TLS certificate validation is **enabled**.
+ /// To disable validation (e.g. for local development against a test server
+ /// with self-signed certificates), set the environment variable
+ /// `RUSTCHAIN_DEV_INSECURE_TLS=1`. This is **strongly discouraged** in
+ /// production — it exposes the wallet to man-in-the-middle attacks.
 pub fn new(api_url: String) -> Self {
- let http_client = Client::builder()
- .danger_accept_invalid_certs(true)
- .build()
- .unwrap_or_else(|_| Client::new());
+ let insecure = std::env::var("RUSTCHAIN_DEV_INSECURE_TLS")
+ .map(|v| v == "1" || v.eq_ignore_ascii_case("true"))
+ .unwrap_or(false);
+
+ let builder = Client::builder();
+ let builder = if insecure {
+ eprintln!(
+ "WARNING: TLS certificate validation is DISABLED. \
+ This is INSECURE and exposes the wallet to man-in-the-middle attacks. \
+ Do NOT use in production. Set via RUSTCHAIN_DEV_INSECURE_TLS=1."
+ );
+ builder.danger_accept_invalid_certs(true)
+ } else {
+ builder
+ };
+ let http_client = builder.build().unwrap_or_else(|_| Client::new());
 Self {
 api_url,