Skip to content

feat(dgw): new TlsVerifyStrict option #1415

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
CBenoit merged 1 commit into from
Jul 9, 2025
Merged

feat(dgw): new TlsVerifyStrict option #1415

CBenoit merged 1 commit into from
Jul 9, 2025

Conversation

@CBenoit
Copy link
Member

@CBenoit CBenoit commented Jul 9, 2025
edited
Loading

This adds a TlsVerifyStrict option for controlling the new stricter verifications on TLS certificates.

When enabled (true), the client performs additional checks on the server certificate, including:

  • Ensuring the presence of the Subject Alternative Name (SAN) extension.
  • Verifying that the Extended Key Usage (EKU) extension includes serverAuth.

Certificates that do not meet these requirements are increasingly rejected by modern clients (e.g., Chrome, macOS). Therefore, we strongly recommend using certificates that comply with these standards.

The default configuration for fresh installs will include the TlsVerifyStrict key set to true.

Issue: DGW-293

@CBenoit CBenoit enabled auto-merge (squash) July 9, 2025 15:55
@CBenoit CBenoit requested a review from a team July 9, 2025 16:33
@CBenoit
feat(dgw): new TlsVerifyStrict option
511d5d5 
This adds a `TlsVerifyStrict` option for controlling the new stricter
verifications on TLS certificates.

When enabled (`true`), the client performs additional checks on the
server certificate, including:

- Ensuring the presence of the **Subject Alternative Name (SAN)**
  extension.
- Verifying that the **Extended Key Usage (EKU)** extension includes
  `serverAuth`.

Certificates that do not meet these requirements are increasingly
rejected by modern clients (e.g., Chrome, macOS). Therefore, we strongly
recommend using certificates that comply with these standards.

Issue: DGW-293
@CBenoit CBenoit disabled auto-merge July 9, 2025 17:21
@CBenoit CBenoit enabled auto-merge (squash) July 9, 2025 17:22
@CBenoit CBenoit force-pushed the DGW-293 branch 2 times, most recently from 393bf4d to 511d5d5 Compare July 9, 2025 17:35
@CBenoit CBenoit merged commit 257d941 into master Jul 9, 2025
78 checks passed
@CBenoit CBenoit deleted the DGW-293 branch July 9, 2025 17:51
@CBenoit CBenoit mentioned this pull request Jul 11, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thenextman thenextman thenextman approved these changes

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@CBenoit @thenextman