rfq+tapcfg: disable tls when flag present

jtobin · jtobin · commit f03cb78edd0b · 2025-08-31T16:09:11.000-02:30
Ensures the price oracle TLS toggle fits the existing pattern of flags
defaulting to false.
diff --git a/rfq/cli.go b/rfq/cli.go
@@ -22,9 +22,9 @@ const (
 type CliConfig struct {
 	PriceOracleAddress string `long:"priceoracleaddress" description:"Price oracle gRPC server address (rfqrpc://<hostname>:<port>). To use the integrated mock, use the following value: use_mock_price_oracle_service_promise_to_not_use_on_mainnet"`
 
-	PriceOracleTLS bool `long:"priceoracletls" description:"Enable TLS for communication with a price oracle."`
+	PriceOracleTLSDisable bool `long:"priceoracletlsdisable" description:"Disable TLS for price oracle communication."`
 
-	PriceOracleTLSInsecure bool `long:"priceoracletlsinsecure" description:"Disable verification of price oracle certificates."`
+	PriceOracleTLSInsecure bool `long:"priceoracletlsinsecure" description:"Disable price oracle certificate verification."`
 
 	PriceOracleTLSNoSystemCAs bool `long:"priceoracletlsnosystemcas" description:"Disable use of the operating system's list of root CA's when verifiying price oracle certificates."`
 
diff --git a/sample-tapd.conf b/sample-tapd.conf
@@ -435,8 +435,8 @@
 ; use_mock_price_oracle_service_promise_to_not_use_on_mainnet
 ; experimental.rfq.priceoracleaddress=
 
-; Enable TLS for price oracle communication.
-; experimental.rfq.priceoracletls=true
+; Disable TLS for price oracle communication.
+; experimental.rfq.priceoracletlsdisable=false
 
 ; Skip price oracle certificate verification, yielding an insecure (cleartext)
 ; channel with the price oracle. Should only be used for testing.
diff --git a/tapcfg/config.go b/tapcfg/config.go
@@ -144,9 +144,9 @@ const (
 	// mailbox message retrieval client authentication.
 	defaultMailboxAuthTimeout = 10 * time.Second
 
-	// defaultPriceOracleTLS is the default TLS setting to use when
-	// communicating with price oracles.
-	defaultPriceOracleTLS = true
+	// defaultPriceOracleTLSDisable disables TLS for price oracle
+	// communication.
+	defaultPriceOracleTLSDisable = false
 
 	// defaultPriceOracleTLSInsecure is the default value we'll use for
 	// deciding to verify certificates in TLS connections with price
@@ -500,7 +500,7 @@ func DefaultConfig() Config {
 		Experimental: &ExperimentalConfig{
 			Rfq: rfq.CliConfig{
 				AcceptPriceDeviationPpm:   rfq.DefaultAcceptPriceDeviationPpm,
-				PriceOracleTLS:            defaultPriceOracleTLS,
+				PriceOracleTLSDisable:     defaultPriceOracleTLSDisable,
 				PriceOracleTLSInsecure:    defaultPriceOracleTLSInsecure,
 				PriceOracleTLSNoSystemCAs: defaultPriceOracleTLSNoSystemCAs,
 				PriceOracleTLSCertPath:    defaultPriceOracleTLSCertPath,
@@ -1193,7 +1193,9 @@ func getPriceOracleTLSConfig(rfqCfg rfq.CliConfig) (*rfq.TLSConfig, error) {
 
 	// Construct the oracle's TLS configuration.
 	tlsConfig := &rfq.TLSConfig{
-		Enabled:            rfqCfg.PriceOracleTLS,
+		// Note the subtle flip on the flag, since the user has
+		// configured whether to *disable* TLS.
+		Enabled:            !rfqCfg.PriceOracleTLSDisable,
 		InsecureSkipVerify: rfqCfg.PriceOracleTLSInsecure,
 		// Note the subtle flip on the flag, since the user has
 		// configured whether to *not* trust the system CA's.
