feat(dgw): add CredSSP certificate configuration keys#1676
feat(dgw): add CredSSP certificate configuration keys#1676
Conversation
Add optional `CredSspCertificateFile` and `CredSspPrivateKeyFile` configuration keys allowing usage of a different certificate for CredSSP credential injection instead of the main TLS certificate. When unset, the existing TLS certificate is used (no behavior change).
There was a problem hiding this comment.
Pull request overview
This PR adds support for configuring a separate certificate for CredSSP credential injection, allowing operators to use a different certificate than the main TLS certificate when performing proxy-based RDP credential injection. When the new configuration options are not set, the gateway falls back to using the existing TLS certificate, ensuring backward compatibility.
Changes:
- Added
CredSspCertificateFileandCredSspPrivateKeyFileconfiguration options - Updated configuration schema and documentation to reflect the new options
- Modified RDP proxy and clean path handlers to use the CredSSP certificate when available, falling back to TLS certificate
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| devolutions-gateway/src/config.rs | Added credssp_tls field and initialization logic for CredSSP-specific certificates |
| devolutions-gateway/src/rdp_proxy.rs | Updated to use credssp_tls with fallback to tls |
| devolutions-gateway/src/rd_clean_path.rs | Updated to use credssp_tls with fallback to tls |
| devolutions-gateway/tests/config.rs | Added new fields to all test configuration samples |
| config_schema.json | Added JSON schema definitions for the new configuration options |
| README.md | Documented the new configuration options with usage guidelines |
| docs/COOKBOOK.md | Added note about optional CredSSP certificate configuration |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| Some(certificate_path) => { | ||
| let (certificates, private_key) = match certificate_path.extension() { | ||
| Some("pfx" | "p12") => { | ||
| read_pfx_file(certificate_path, None).context("read CredSSP PFX/PKCS12 file")? |
There was a problem hiding this comment.
Missing password support for CredSSP PFX/PKCS12 files. The TLS certificate configuration supports password-protected PFX files via tls_private_key_password, but CredSSP PFX files always use None for the password parameter. This creates an inconsistency where users cannot use password-protected PFX files for CredSSP certificates. Consider adding a credssp_private_key_password configuration field and passing it here, similar to how it's done for TLS at line 641.
| read_pfx_file(certificate_path, None).context("read CredSSP PFX/PKCS12 file")? | |
| read_pfx_file( | |
| certificate_path, | |
| conf_file.credssp_private_key_password.as_deref(), | |
| ) | |
| .context("read CredSSP PFX/PKCS12 file")? |
There was a problem hiding this comment.
I will address this before merging
2 participants
Add optional
CredSspCertificateFileandCredSspPrivateKeyFileconfiguration keys allowing usage of a different certificate for CredSSP credential injection instead of the main TLS certificate. When unset, the existing TLS certificate is used (no behavior change).