Stratum-over-TLS: worker-side wiring for an encrypted miner↔stack link (companion to Pithead #261)

[VijitSingh97]

Why

Follow-on to default-on stratum auth (#113): once the Pithead stack can offer stratum-over-TLS (p2pool-starter-stack/pithead#261), workers should connect over the encrypted link. RigForge already has the building block — per-pool outbound stratum TLS (pools[].tls, rigforge.sh:304, shipped in #21) — so this is mostly setup wiring + trust + docs, not new transport code.

Scope (worker side)

• At setup, when the stack offers stratum TLS, write pools[].tls: true (plus any cert / SNI / fingerprint trust) into the worker's xmrig config.
• Handle the cert trust model the stack documents (internal CA / self-signed / operator cert).
• Docs in docs/pithead-integration.md.

Acceptance criteria

• Worker setup can enable TLS on the stratum pool against a TLS-offering stack.
• Documented trust model; connects to the stack's encrypted :3333.
• No regression for cleartext stratum when the stack isn't offering TLS.

Related

• Stratum-over-TLS: encrypt the miner↔stack stratum link (follow-on to stratum auth #208) pithead#261 — stack-side stratum-over-TLS (the companion).
• Worker setup: fetch the stratum access-password → default-on stratum auth (Pithead #208 · #152 Phase 2) #113 — default-on stratum auth (access control; TLS adds confidentiality). Make the pool endpoint fully configurable (port + TLS) for general-pool use #21 — pool-endpoint TLS config (the shipped building block).

[VijitSingh97]

Moved out of v1.1 → v1.6. The security payoff of stratum auth/TLS is confined to untrusted-network / internet-exposed / remote deployments — on a firewalled LAN the existing stratum_bind + firewall guidance already covers it, and in the P2Pool model there's no payout-theft vector on this link. So it's deferred to v1.6, lockstep with Pithead's Deploy anywhere milestone (pithead#208 / pithead#261). v1.1 shipped the tooling/DX + supply-chain hardening instead.

[VijitSingh97]

Moved v1.6 → v1.5. Clustering the worker↔stack link hardening (stratum auth/TLS) with the integration harness (#114) and the enriched-feed work (#99) in v1.5, which is now the next RigForge release. Lockstep with Pithead v1.5 (pithead#208/#261).