Security
-
dgw: redact passwords in preflight API debug logs (#1613) (cc09f344c1) (DGW-324)
Passwords in provision-credentials preflight requests are now redacted
when logged at DEBUG level, preventing credential leakage in logs. The
redaction applies to all password fields recursively, replacing them
with "REDACTED" while preserving other request details for
debugging.
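An added illustration of the recursive redaction described in this entry, not Devolutions Gateway's own code. The request body and its field names are constructed, and treating any key that contains "password" as a password field is an assumption.

```python
import json
import logging

REDACTED = "REDACTED"


def is_password_key(key: str) -> bool:
    # Assumption: a key containing "password" (any case) names a secret.
    return "password" in key.lower()


def redact(value):
    """Return a copy of a decoded JSON value with password fields replaced.

    Matching is done on keys only, so a *value* such as "username-password"
    is kept, and a password field holding a nested object is replaced whole.
    """
    if isinstance(value, dict):
        return {
            k: REDACTED if is_password_key(k) else redact(v)
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(item) for item in value]
    return value  # scalars have no key of their own and pass through


def debug_log_request(logger: logging.Logger, body: str) -> str:
    """Log the redacted form of a JSON request body at DEBUG and return it."""
    rendered = json.dumps(redact(json.loads(body)), sort_keys=True)
    logger.debug("preflight request: %s", rendered)
    return rendered


# Constructed sample body; the schema is hypothetical.
SAMPLE = json.dumps([{
    "id": "op-1",
    "kind": "provision-credentials",
    "proxy_credential": {"kind": "username-password",
                         "username": "proxy-user", "password": "p1-secret"},
    "target_credential": {"kind": "username-password",
                          "username": "svc", "password": "p2-secret"},
}])

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    debug_log_request(logging.getLogger("preflight"), SAMPLE)
```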
Features
-
agent: add debug updater overrides (#1610) (8703bc430e)
Adds debug configuration switches for the updater so developers can test
local productinfo and packages:
- Supports overriding productinfo URL (including file://) and validates
CDN URLs by default.
- Allows opt-in unsafe URLs for local testing and optional skipping of
hash/MSI signature validation.
- Productinfo loader and package downloader now handle file:// sources
-
installer: allow untrusted certificates for key downloads (#1635) (0a04f823c6)
Using the installer, the user has the option to download the provisioner
public key direct from a DVLS instance. However, if the DVLS certificate
was not trusted this would fail with a nondescript error message
("failed to send request").
Now, the user will be prompted to accept an untrusted certificate.
Certificate exceptions are serialized in a semi-colon delimited text
string in the form:
-
webapp: update SSH package with deprecated algorithm and keyboard interactive auth support (#1642) (9f0666cd7c) (DGW-327)
Update @devolutions/web-ssh-gui from 0.4.0 to 0.6.2 with the following
improvements:
- Add Keyboard_Interactive authentication mode for SSH connections
- Support for deprecated SSH algorithms (for legacy server
compatibility)
- Fix deadlock between terminal visibility and host key verification
- Library now emits connected status when WebSocket connects, allowing
users to see and respond to host key verification prompts
-
dgw: add support for credential injection for RDCleanPath (#1614) (a881961328)
This allows web clients to benefit from the proxy-based credential injection features.
-
agent: RDM messages and pipe passthrough logic (#1538) (198fce96ba) (PI-651)
Adds RDM (Remote Desktop Manager) message handling capabilities to
devolutions-session, enabling bidirectional communication between the
agent and RDM through the NOW protocol over the named pipe.
-
webapp: upgrade to Angular 20 and PrimeNG 20 (#1652) (607ef38127)
Upgrades the standalone webapp to Angular 20 and PrimeNG 20. This keeps the
frontend on current, supported framework versions and enables continued UI
improvements with the latest PrimeNG components.
-
dgw,agent: add HTTP/SOCKS proxy configuration support (#1639) (57ade80d14) (DGW-328)
Adds configurable HTTP/HTTPS/SOCKS4/SOCKS5 proxy support for outbound
requests in both Gateway and Agent. Proxy settings can be configured
manually or auto-detected from environment variables (HTTP_PROXY,
HTTPS_PROXY, NO_PROXY) or system settings (per-user and machine-wide
settings with WinHTTP fallback on Windows, /etc/sysconfig/proxy on
RHEL/SUSE systems, SCDynamicStoreCopyProxies() on macOS).
This replaces reqwest's system-proxy feature with the proxy_cfg crate
for better system integration and per-URL proxy selection, improving
support for PAC files and complex enterprise proxy environments.
-
agent: add window recording support via now proto dvc (#1583) (4e183f0121) (ARC-353)
Adds window recording support to the Devolutions Agent. The
implementation uses Windows event hooks to receive foreground window
change notifications and optional polling to detect title changes within
the same window.
Bug Fixes
-
agent: improve error reporting when checking for updates (#1602) (f11b4567bf)
-
dgw: improve system store certificate resolver error logging (#1619) (819de83454) (DGW-320)
The system store certificate resolver now accumulates and displays
detailed key acquisition errors at the default log level when no
suitable certificate is found. Previously, these errors (such as "keyset
does not exist" / error code 0x80090016) were only visible at DEBUG
level, making it difficult to diagnose issues like missing private key
permissions for the NETWORK SERVICE user.
The error message now includes specific failure details for each
certificate attempt, including both key acquisition and signing key
creation failures.
-
installer: allow certificate passwords to contain single quotes (9a9f31ad71)
-
dgw: downgrade benign client disconnects from ERROR to DEBUG (#1620) (592da4dbbc) (DGW-319)
Reduces log noise by treating common socket disconnections (BrokenPipe,
ConnectionReset, UnexpectedEof) as benign events during HTTP/HTTPS
serving and TLS handshake. These disconnects typically occur from health
checks, port scanners, aborted browser requests, or early connection
termination, and do not indicate server faults.
ERROR logs now only appear for genuine server issues, making it easier
to identify actionable problems in production deployments.
-
dgw: self-signed TLS certificate generation of the Docker image build (#1650) (53b1c1801a)
Fixes this error:
Get-Content: Cannot find path '/tmp/gateway-{hostname}.pem' because it does not exist. Exception: Empty certificate chain!
Hit when generating the self-signed TLS certificate in the Docker entrypoint.
-
dgw: honor TCP_PORT in Linux container entrypoint (#1667) (4fa5ae984a)
Fixes an issue where the TCP_PORT environment variable was ignored by
the Linux Docker entrypoint.
Even when TCP_PORT was set, the gateway continued to use the default TCP
port.
This change ensures the gateway now correctly applies the configured
TCP_PORT value at startup.
-
agent: add RDM multi-instance support for Jump messages (#1669) (3c97b11ac6) (RDMW-21183)
Add RDM multi-instance support for Jump messages (separate named pipe
for each RDM instance in session)
Build
-
dgw: add ARM64 Docker image support (#1607) (b2f5172d0b) (DGW-325)
Adds native ARM64 Docker images for Devolutions Gateway, enabling
deployment on ARM-based devices like Raspberry Pi and AWS Graviton
instances with full native performance. Multi-arch manifests
automatically select the correct image for the user's platform.