feat(dgw): TLS thumbprint anchoring #1570
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Allow "unsecure" TLS if the client provides a thumbprint and the peer certificate matches it. Issue: DGW-318
CBenoit
commented
Nov 12, 2025
Comment on lines
7
to
26
| async fn start_gateway() -> anyhow::Result<(DgwConfigHandle, Child)> { | ||
| let config_handle = DgwConfig::builder() | ||
| .disable_token_validation(true) | ||
| .build() | ||
| .init() | ||
| .context("init config")?; | ||
|
|
||
| // Start JMUX server that will accept JMUX connections. | ||
| let process = dgw_tokio_cmd() | ||
| .env("DGATEWAY_CONFIG_PATH", config_handle.config_dir()) | ||
| .kill_on_drop(true) | ||
| .stdout(std::process::Stdio::piped()) | ||
| .spawn() | ||
| .context("failed to start Devolutions Gateway")?; | ||
|
|
||
| // Give the server a moment to start. | ||
| tokio::time::sleep(std::time::Duration::from_millis(100)).await; | ||
|
|
||
| Ok((config_handle, process)) | ||
| } |
Member
Author
There was a problem hiding this comment.
E2E tests actually spawing a Devolutions Gateway process, and connecting to it the same way a WebBrowser would.
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR implements TLS thumbprint anchoring for Devolutions Gateway, allowing "insecure" TLS connections when a client provides a certificate thumbprint that matches the server's certificate. This enables connections to self-signed or otherwise untrusted certificates while maintaining a degree of security through thumbprint validation.
- Adds
cert_thumb256field to token claims and API endpoints to support thumbprint-based certificate validation - Implements
ThumbprintAnchoredVerifierthat attempts standard TLS verification first, then falls back to thumbprint matching if verification fails - Refactors TLS connection logic into
safe_connect(with optional thumbprint) anddangerous_connect(no verification) - Adds comprehensive test suite for thumbprint anchoring scenarios
Reviewed Changes
Copilot reviewed 18 out of 19 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| devolutions-gateway/src/tls.rs | Implements thumbprint anchoring logic with new verifier and connection methods; adds certificate info extraction for logging |
| devolutions-gateway/src/token.rs | Adds cert_thumb256 field to AssociationTokenClaims for thumbprint passing |
| devolutions-gateway/src/api/fwd.rs | Updates forwarding endpoint to use safe_connect with thumbprint from token |
| devolutions-gateway/src/rdp_proxy.rs | Renames connect to dangerous_connect for clarity |
| devolutions-gateway/src/rd_clean_path.rs | Renames connect to dangerous_connect for clarity |
| devolutions-gateway/src/api/webapp.rs | Sets cert_thumb256: None for session token generation |
| tools/tokengen/src/lib.rs | Adds cert_thumb256 field to token generation library |
| tools/tokengen/src/main.rs | Adds CLI argument for certificate thumbprint |
| tools/tokengen/src/server/server_impl.rs | Passes cert_thumb256 from request to token generation |
| testsuite/tests/cli/dgw/tls_anchoring.rs | Adds integration tests for thumbprint anchoring scenarios |
| testsuite/tests/cli/dgw/mod.rs | Registers new test module |
| testsuite/tests/cli/mod.rs | Includes dgw test module |
| testsuite/src/dgw_config.rs | Adds test infrastructure for DGW configuration |
| testsuite/src/cli.rs | Adds DGW command builders for tests |
| testsuite/src/lib.rs | Exposes dgw_config module |
| testsuite/Cargo.toml | Adds dependencies for WebSocket testing |
| devolutions-gateway/Cargo.toml | Adds dependencies for SHA-256 hashing and native cert loading |
| crates/devolutions-log/src/lib.rs | Adds unrelated FIXME comment about stderr |
| Cargo.lock | Updates lock file with new dependencies |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
Contributor
There was a problem hiding this comment.
Pull Request Overview
Copilot reviewed 17 out of 18 changed files in this pull request and generated 5 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Allow "unsecure" TLS if the client provides a thumbprint and the peer certificate matches it.
Issue: DGW-318