DefGuard · j-chmielewski · Apr 8, 2026 · Mar 30, 2026 · Mar 30, 2026 · Mar 30, 2026
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/defguard/src/main.rs b/crates/defguard/src/main.rs
@@ -233,6 +233,7 @@ async fn main() -> Result<(), anyhow::Error> {
     update_counts(&pool).await?;
 
     let (proxy_control_tx, proxy_control_rx) = channel::<ProxyControlMessage>(100);
+    let (web_reload_tx, _web_reload_rx) = tokio::sync::broadcast::channel::<()>(8);
     let proxy_secret_key = settings.secret_key_required()?;
     let proxy_manager = ProxyManager::new(
         pool.clone(),
@@ -270,6 +271,7 @@ async fn main() -> Result<(), anyhow::Error> {
             webhook_tx,
             webhook_rx,
             gateway_tx.clone(),
+            web_reload_tx,
             pool.clone(),
             failed_logins,
             api_event_tx,

diff --git a/crates/defguard_certs/src/lib.rs b/crates/defguard_certs/src/lib.rs
@@ -9,7 +9,10 @@ use rcgen::{
 use rustls_pki_types::{CertificateDer, CertificateSigningRequestDer, pem::PemObject};
 use thiserror::Error;
 use time::{Duration, OffsetDateTime};
-use x509_parser::parse_x509_certificate;
+use x509_parser::{
+    extensions::{GeneralName, ParsedExtension},
+    parse_x509_certificate,
+};
 
 const CA_NAME: &str = "Defguard CA";
 const NOT_BEFORE_OFFSET_SECS: Duration = Duration::minutes(5);
@@ -144,6 +147,7 @@ impl CertificateAuthority<'_> {
 
 pub struct CertificateInfo {
     pub subject_common_name: String,
+    pub subject_email: Option<String>,
     pub not_before: NaiveDateTime,
     pub not_after: NaiveDateTime,
     pub serial: String,
@@ -158,6 +162,19 @@ impl CertificateInfo {
 
         let subject = &parsed.tbs_certificate.subject;
         let serial = parsed.raw_serial_as_string();
+        let subject_email = parsed
+            .tbs_certificate
+            .extensions()
+            .iter()
+            .filter_map(|ext| match ext.parsed_extension() {
+                ParsedExtension::SubjectAlternativeName(san) => Some(san),
+                _ => None,
+            })
+            .flat_map(|san| san.general_names.iter())
+            .find_map(|name| match name {
+                GeneralName::RFC822Name(email) => Some(email.to_string()),
+                _ => None,
+            });
 
         let cn = subject
             .iter_common_name()
@@ -174,6 +191,7 @@ impl CertificateInfo {
 
         Ok(Self {
             subject_common_name: cn.to_string(),
+            subject_email,
             not_before: chrono::DateTime::from_timestamp(not_before.unix_timestamp(), 0)
                 .ok_or_else(|| {
                     CertificateError::ParsingError(format!(
@@ -425,30 +443,15 @@ mod tests {
 
     #[test]
     fn test_ca_email() {
-        use x509_parser::parse_x509_certificate;
-
         let expected_email = "contact@defguard.net";
         let ca = CertificateAuthority::new("Test CA", expected_email, 365).unwrap();
 
-        let (_rem, parsed) = parse_x509_certificate(ca.cert_der()).unwrap();
+        let info = CertificateInfo::from_der(ca.cert_der()).unwrap();
 
-        let san_ext = parsed
-            .tbs_certificate
-            .extensions()
-            .iter()
-            .find(|ext| ext.oid == x509_parser::oid_registry::OID_X509_EXT_SUBJECT_ALT_NAME)
-            .expect("Subject Alternative Name extension not found");
-
-        let san_value = san_ext.value;
-
-        let email_bytes = expected_email.as_bytes();
-        let email_found = san_value
-            .windows(email_bytes.len())
-            .any(|window| window == email_bytes);
-
-        assert!(
-            email_found,
-            "Email '{expected_email}' should be present in Subject Alternative Names"
+        assert_eq!(
+            info.subject_email.as_deref(),
+            Some(expected_email),
+            "Email should be parsed from Subject Alternative Names"
         );
     }
 

diff --git a/crates/defguard_common/src/types/proxy.rs b/crates/defguard_common/src/types/proxy.rs
@@ -14,6 +14,7 @@ pub enum ProxyControlMessage {
         cert_pem: String,
         key_pem: String,
     },
+    ClearHttpsCerts,
 }
 
 #[derive(ToSchema, Serialize)]

diff --git a/crates/defguard_core/Cargo.toml b/crates/defguard_core/Cargo.toml
@@ -46,6 +46,7 @@ rand = { workspace = true }
 reqwest = { workspace = true }
 rsa = { workspace = true }
 rust-ini = { workspace = true }
+rustls = { workspace = true }
 secrecy = { workspace = true }
 semver = { workspace = true }
 serde = { workspace = true }

diff --git a/crates/defguard_core/src/appstate.rs b/crates/defguard_core/src/appstate.rs
@@ -30,6 +30,7 @@ pub struct AppState {
     pub pool: PgPool,
     tx: UnboundedSender<AppEvent>,
     pub wireguard_tx: Sender<GatewayEvent>,
+    pub web_reload_tx: tokio::sync::broadcast::Sender<()>,
     pub failed_logins: Arc<Mutex<FailedLoginMap>>,
     key: Key,
     pub event_tx: UnboundedSender<ApiEvent>,
@@ -116,6 +117,7 @@ impl AppState {
         tx: UnboundedSender<AppEvent>,
         rx: UnboundedReceiver<AppEvent>,
         wireguard_tx: Sender<GatewayEvent>,
+        web_reload_tx: tokio::sync::broadcast::Sender<()>,
         key: Key,
         failed_logins: Arc<Mutex<FailedLoginMap>>,
         event_tx: UnboundedSender<ApiEvent>,
@@ -128,6 +130,7 @@ impl AppState {
             pool,
             tx,
             wireguard_tx,
+            web_reload_tx,
             failed_logins,
             key,
             event_tx,