feat(dgw): new TlsVerifyStrict option (#1415)

This adds a `TlsVerifyStrict` option for controlling the new stricter
checks on TLS certificates.

When enabled (`true`), the client performs additional checks on the
server certificate, including:

- Ensuring the presence of the **Subject Alternative Name (SAN)**
  extension.
- Verifying that the **Extended Key Usage (EKU)** extension includes
  `serverAuth`.

Certificates that do not meet these requirements are increasingly
rejected by modern clients (e.g., Chrome, macOS). Therefore, we strongly
recommend using certificates that comply with these standards.

The default configuration for fresh installs will include the
`TlsVerifyStrict` key set to `true`.

Issue: DGW-293

Author: CBenoit

README.md

@@ -122,6 +122,18 @@ Stable options are:
     additional measures like securing access to the files or using the system certificate store (see
     **TlsCertificateSource** option).
 
+- **TlsVerifyStrict** (_Boolean_): Enables strict TLS certificate verification (default is `true`).
+
+    When enabled (`true`), the client performs additional checks on the server certificate,
+    including:
+
+    - Ensuring the presence of the **Subject Alternative Name (SAN)** extension.
+    - Verifying that the **Extended Key Usage (EKU)** extension includes `serverAuth`.
+
+    Certificates that do not meet these requirements are increasingly rejected by modern clients
+    (e.g., Chrome, macOS). Therefore, we strongly recommend using certificates that comply with
+    these standards.
+
 - **Listeners** (_Array_): Array of listener URLs.
 
     Each element has the following schema: 

devolutions-gateway/src/config.rs

@@ -58,8 +58,9 @@ impl fmt::Debug for Tls {
 }
 
 impl Tls {
-    fn init(cert_source: crate::tls::CertificateSource) -> anyhow::Result<Self> {
-        let tls_server_config = crate::tls::build_server_config(cert_source).context("failed to build TLS config")?;
+    fn init(cert_source: crate::tls::CertificateSource, strict_checks: bool) -> anyhow::Result<Self> {
+        let tls_server_config =
+            crate::tls::build_server_config(cert_source, strict_checks).context("failed to build TLS config")?;
 
         let acceptor = tokio_rustls::TlsAcceptor::from(Arc::new(tls_server_config));
 
@@ -151,6 +152,8 @@ impl Conf {
             .iter()
             .any(|l| matches!(l.internal_url.scheme(), "https" | "wss"));
 
+        let strict_checks = conf_file.tls_verify_strict.unwrap_or(true);
+
         let tls = match conf_file.tls_certificate_source.unwrap_or_default() {
             dto::CertSource::External => match conf_file.tls_certificate_file.as_ref() {
                 None if requires_tls => anyhow::bail!("TLS usage implied, but TLS certificate file is missing"),
@@ -181,7 +184,9 @@ impl Conf {
                         private_key,
                     };
 
-                    Tls::init(cert_source).context("failed to init TLS config")?.pipe(Some)
+                    Tls::init(cert_source, strict_checks)
+                        .context("failed to init TLS config")?
+                        .pipe(Some)
                 }
             },
             dto::CertSource::System => match conf_file.tls_certificate_subject_name.clone() {
@@ -202,7 +207,9 @@ impl Conf {
                         store_name,
                     };
 
-                    Tls::init(cert_source).context("failed to init TLS config")?.pipe(Some)
+                    Tls::init(cert_source, strict_checks)
+                        .context("failed to init TLS config")?
+                        .pipe(Some)
                 }
             },
         };
@@ -963,6 +970,20 @@ pub mod dto {
         /// Location of the Windows Certificate Store to use
         #[serde(skip_serializing_if = "Option::is_none")]
         pub tls_certificate_store_location: Option<CertStoreLocation>,
+        /// Enables strict TLS certificate verification.
+        ///
+        /// When enabled (`true`), the client performs additional checks on the server certificate,
+        /// including:
+        /// - Ensuring the presence of the **Subject Alternative Name (SAN)** extension.
+        /// - Verifying that the **Extended Key Usage (EKU)** extension includes `serverAuth`.
+        ///
+        /// Certificates that do not meet these requirements are increasingly rejected by modern clients
+        /// (e.g., Chrome, macOS). Therefore, we strongly recommend using certificates that comply with
+        /// these standards.
+        ///
+        /// If unset, the default is `true`.
+        #[serde(skip_serializing_if = "Option::is_none")]
+        pub tls_verify_strict: Option<bool>,
 
         /// Listeners to launch at startup
         #[serde(default, skip_serializing_if = "Vec::is_empty")]
@@ -1038,6 +1059,7 @@ pub mod dto {
                 tls_certificate_subject_name: None,
                 tls_certificate_store_name: None,
                 tls_certificate_store_location: None,
+                tls_verify_strict: Some(true),
                 listeners: vec![
                     ListenerConf {
                         internal_url: "tcp://*:8181".to_owned(),

devolutions-gateway/src/tls.rs

@@ -66,7 +66,10 @@ pub enum CertificateSource {
     },
 }
 
-pub fn build_server_config(cert_source: CertificateSource) -> anyhow::Result<rustls::ServerConfig> {
+pub fn build_server_config(
+    cert_source: CertificateSource,
+    strict_checks: bool,
+) -> anyhow::Result<rustls::ServerConfig> {
     let builder = rustls::ServerConfig::builder().with_no_client_auth();
 
     match cert_source {
@@ -76,18 +79,20 @@ pub fn build_server_config(cert_source: CertificateSource) -> anyhow::Result<rus
         } => {
             let first_certificate = certificates.first().context("empty certificate list")?;
 
-            if let Ok(report) = check_certificate_now(&first_certificate) {
-                if report.issues.intersects(
-                    CertIssues::MISSING_SERVER_AUTH_EXTENDED_KEY_USAGE | CertIssues::MISSING_SUBJECT_ALT_NAME,
-                ) {
-                    let serial_number = report.serial_number;
-                    let subject = report.subject;
-                    let issuer = report.issuer;
-                    let not_before = report.not_before;
-                    let not_after = report.not_after;
-                    let issues = report.issues;
-
-                    anyhow::bail!("found significant issues with the certificate: serial_number = {serial_number}, subject = {subject}, issuer = {issuer}, not_before = {not_before}, not_after = {not_after}, issues = {issues}");
+            if strict_checks {
+                if let Ok(report) = check_certificate_now(&first_certificate) {
+                    if report.issues.intersects(
+                        CertIssues::MISSING_SERVER_AUTH_EXTENDED_KEY_USAGE | CertIssues::MISSING_SUBJECT_ALT_NAME,
+                    ) {
+                        let serial_number = report.serial_number;
+                        let subject = report.subject;
+                        let issuer = report.issuer;
+                        let not_before = report.not_before;
+                        let not_after = report.not_after;
+                        let issues = report.issues;
+
+                        anyhow::bail!("found significant issues with the certificate: serial_number = {serial_number}, subject = {subject}, issuer = {issuer}, not_before = {not_before}, not_after = {not_after}, issues = {issues}");
+                    }
                 }
             }
 
@@ -103,9 +108,14 @@ pub fn build_server_config(cert_source: CertificateSource) -> anyhow::Result<rus
             store_location,
             store_name,
         } => {
-            let resolver =
-                windows::ServerCertResolver::new(machine_hostname, cert_subject_name, store_location, store_name)
-                    .context("create ServerCertResolver")?;
+            let resolver = windows::ServerCertResolver::new(
+                machine_hostname,
+                cert_subject_name,
+                store_location,
+                store_name,
+                strict_checks,
+            )
+            .context("create ServerCertResolver")?;
             Ok(builder.with_cert_resolver(Arc::new(resolver)))
         }
         #[cfg(not(windows))]
@@ -146,6 +156,7 @@ pub mod windows {
         store_type: CertStoreType,
         store_name: String,
         cached_key: Mutex<Option<KeyCache>>,
+        strict_checks: bool,
     }
 
     #[derive(Debug)]
@@ -160,6 +171,7 @@ pub mod windows {
             cert_subject_name: String,
             store_type: dto::CertStoreLocation,
             store_name: String,
+            strict_checks: bool,
         ) -> anyhow::Result<Self> {
             let store_type = match store_type {
                 dto::CertStoreLocation::LocalMachine => CertStoreType::LocalMachine,
@@ -173,6 +185,7 @@ pub mod windows {
                 store_type,
                 store_name,
                 cached_key: Mutex::new(None),
+                strict_checks,
             })
         }
 
@@ -255,14 +268,18 @@ pub mod windows {
                             cert_issues |= report.issues;
 
                             // Skip the certificate if any of the following is true:
-                            // - The certificate is not yet valid.
-                            // - The certificate is missing the server auth extended key usage.
-                            // - The certificate is missing a subject alternative name (SAN) extension.
-                            let skip = report.issues.intersects(
+                            // - the certificate is not yet valid,
+                            // - (if strict) the certificate is missing the server auth extended key usage,
+                            // - (if strict) the certificate is missing a subject alternative name (SAN) extension.
+                            let issues_to_check = if self.strict_checks {
                                 CertIssues::NOT_YET_VALID
                                     | CertIssues::MISSING_SERVER_AUTH_EXTENDED_KEY_USAGE
-                                    | CertIssues::MISSING_SUBJECT_ALT_NAME,
-                            );
+                                    | CertIssues::MISSING_SUBJECT_ALT_NAME
+                            } else {
+                                CertIssues::NOT_YET_VALID
+                            };
+
+                            let skip = report.issues.intersects(issues_to_check);
 
                             if skip {
                                 debug!(

devolutions-gateway/tests/config.rs

@@ -19,6 +19,7 @@ fn hub_sample() -> Sample {
         	"Hostname": "hostname.example.io",
         	"TlsPrivateKeyFile": "/path/to/tls-private.key",
         	"TlsCertificateFile": "/path/to/tls-certificate.pem",
+        	"TlsVerifyStrict": true,
         	"ProvisionerPublicKeyFile": "/path/to/provisioner.pub.key",
             "SubProvisionerPublicKey": {
                 "Id": "subkey-id",
@@ -69,6 +70,7 @@ fn hub_sample() -> Sample {
             tls_certificate_subject_name: None,
             tls_certificate_store_location: None,
             tls_certificate_store_name: None,
+            tls_verify_strict: Some(true),
             listeners: vec![
                 ListenerConf {
                     internal_url: "tcp://*:8080".to_owned(),
@@ -121,6 +123,7 @@ fn legacy_sample() -> Sample {
             tls_certificate_subject_name: None,
             tls_certificate_store_location: None,
             tls_certificate_store_name: None,
+            tls_verify_strict: None,
             listeners: vec![],
             subscriber: None,
             log_file: Some("/path/to/log/file.log".into()),
@@ -163,6 +166,7 @@ fn system_store_sample() -> Sample {
             tls_certificate_subject_name: Some("localhost".to_owned()),
             tls_certificate_store_location: Some(CertStoreLocation::LocalMachine),
             tls_certificate_store_name: Some("My".to_owned()),
+            tls_verify_strict: None,
             listeners: vec![],
             subscriber: None,
             log_file: None,
@@ -221,6 +225,7 @@ fn standalone_custom_auth_sample() -> Sample {
             tls_certificate_subject_name: None,
             tls_certificate_store_location: None,
             tls_certificate_store_name: None,
+            tls_verify_strict: None,
             listeners: vec![
                 ListenerConf {
                     internal_url: "tcp://*:8080".to_owned(),
@@ -295,6 +300,7 @@ fn standalone_no_auth_sample() -> Sample {
             tls_certificate_subject_name: None,
             tls_certificate_store_location: None,
             tls_certificate_store_name: None,
+            tls_verify_strict: None,
             listeners: vec![
                 ListenerConf {
                     internal_url: "tcp://*:8080".to_owned(),