github Devolutions/devolutions-gateway v2026.1.1

4 hours ago

Features

  • installer: warn on, instead of hiding, unvalidated certificates (#1697) (40a4247279) (DGW-356)

    When searching for a certificate in the system store we call
    X509Certificate2Collection.Find with the validOnly parameter set to
    true.

    validOnly
    Boolean
    true to allow only valid certificates to be returned from the search;
    otherwise, false.

    This performs basic validation and only returns valid certificates.

    However, the result is confusing for users as they don't realize that
    the certificate they are searching for is invalid, they think that the
    search isn't working.

    Instead, we now return all certificates but if the certificate is
    determined to be invalid, we flag it in the UI with a warning icon and a
    text explanation.

  • installer: add a German localization (cb63344500) (DGW-357)

  • jetsocat: add warning field to doctor diagnostic output (1f8e7a0441)

    Adds support for surfacing warnings in the doctor tool's diagnostic
    output, allowing external tools to distinguish between complete success,
    success with warnings, and failure.

    The diagnostic JSON output now includes an optional "warning" field, and
    the human-readable output displays a warning emoji (⚠️) instead of a
    success checkmark (✅) when warnings are present.

    This enables better integration with external monitoring and diagnostic
    tools that need to detect and report warning conditions even when the
    overall diagnostic succeeds.

  • jetsocat: add SAN and EKU diagnostics to doctor module (251795b0f5) (DGW-350)

    Add certificate extension checks mirroring the gateway's TlsVerifyStrict
    validation. Each TLS backend (rustls, openssl, schannel) now runs two new
    diagnostics on the end-entity certificate:

    • check_san_extension: verifies the Subject Alternative Name extension is present
    • check_server_auth_eku: verifies the Extended Key Usage includes serverAuth

  • dgw: add periodic keyframe forcing for improved seekability (#1705) (9619444aea) (DGW-358)

  • jetsocat: detect missing intermediate certificate in doctor (#1727) (ea52ff75ca) (DGW-349)

    When a TLS server presents only the leaf certificate (or leaf + root CA
    but no intermediate), clients fail with an opaque "unknown issuer" error
    that is hard to diagnose.

    The doctor command now performs a structural analysis of the presented
    chain before invoking the trust engine:

    • If the chain contains only a leaf and no certificate whose Subject
      matches the leaf's Issuer, a warning "an intermediate certificate is
      likely missing" is attached to the read-chain diagnostic.
    • On chain verification failure (UnknownIssuer /
      CERT_TRUST_IS_PARTIAL_CHAIN / CERT_TRUST_IS_UNTRUSTED_ROOT), actionable
      help "intermediate certificate is likely missing" is shown instead of
      the generic "unknown issuer" message.
    • Omitting the root CA (the normal server configuration) does not
      trigger the warning.
    • Self-signed (root-only) certificates are also not flagged.
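    As an added illustration (not jetsocat's own code), the structural check from this
    entry together with the optional warning field from the doctor-output entry above,
    with certificates reduced to their subject and issuer names. CertInfo, Diagnostic,
    intermediate_likely_missing, the failure symbol and the sample chains are all
    constructed for this example; real code would take the names from the parsed X.509
    certificates.

```rust
// Added example, not devolutions-gateway/jetsocat code. Certificates are
// modelled as (subject, issuer) name pairs; everything below is constructed.

#[derive(Debug, Clone, PartialEq)]
pub struct CertInfo {
    pub subject: String,
    pub issuer: String,
}

impl CertInfo {
    pub fn new(subject: &str, issuer: &str) -> CertInfo {
        CertInfo { subject: subject.to_string(), issuer: issuer.to_string() }
    }

    /// A root-only (self-signed) certificate issues itself.
    pub fn is_self_signed(&self) -> bool {
        self.subject == self.issuer
    }
}

/// One diagnostic result; `warning` mirrors the optional "warning" field
/// added to the doctor's JSON output.
#[derive(Debug, Clone, PartialEq)]
pub struct Diagnostic {
    pub name: &'static str,
    pub success: bool,
    pub warning: Option<String>,
}

impl Diagnostic {
    /// Symbol for the human-readable output: a warning replaces the checkmark
    /// even when the step itself succeeded (the failure symbol is an assumption).
    pub fn status_symbol(&self) -> &'static str {
        match (self.success, &self.warning) {
            (false, _) => "❌",
            (true, Some(_)) => "⚠️",
            (true, None) => "✅",
        }
    }
}

/// True when the chain is a leaf with no certificate whose Subject matches the
/// leaf's Issuer. A self-signed leaf and a chain that merely omits the root CA
/// (leaf + intermediate) are not flagged.
pub fn intermediate_likely_missing(chain: &[CertInfo]) -> bool {
    let leaf = match chain.first() {
        Some(leaf) => leaf,
        None => return false,
    };
    if leaf.is_self_signed() {
        return false;
    }
    !chain[1..].iter().any(|c| c.subject == leaf.issuer)
}

/// The read-chain step: succeeds whenever a chain was presented, and attaches
/// the structural warning before any trust engine is consulted.
pub fn read_chain_diagnostic(chain: &[CertInfo]) -> Diagnostic {
    let warning = if intermediate_likely_missing(chain) {
        Some("an intermediate certificate is likely missing".to_string())
    } else {
        None
    };
    Diagnostic { name: "read-chain", success: !chain.is_empty(), warning }
}

fn main() {
    let leaf = CertInfo::new("CN=gateway.example", "CN=Example Issuing CA");
    let inter = CertInfo::new("CN=Example Issuing CA", "CN=Example Root CA");
    let root = CertInfo::new("CN=Example Root CA", "CN=Example Root CA");
    let cases = vec![
        ("leaf only", vec![leaf.clone()]),
        ("leaf + root, no intermediate", vec![leaf.clone(), root.clone()]),
        ("leaf + intermediate, root omitted", vec![leaf.clone(), inter.clone()]),
        ("self-signed", vec![root.clone()]),
    ];
    for (label, chain) in cases {
        let d = read_chain_diagnostic(&chain);
        println!("{} {}: warning={:?}", d.status_symbol(), label, d.warning);
    }
}
```

    The check deliberately looks only at the leaf's issuer: that is what lets a
    root-less chain and a self-signed certificate pass, the two cases the entry says
    must not be flagged, while a leaf presented alone or with an unrelated root is.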

  • dgw: encrypt in-memory credentials at rest with ChaCha20-Poly1305 (#1689) (86775146ed) (DGW-326)

    Add ChaCha20-Poly1305 encryption for credentials stored in the
    credential store. Passwords are encrypted at rest with a randomly generated 256-bit
    master key held in a protected page.

    The page protection hardening is performed using the best available OS
    hardening on a best-effort basis:

    • Windows: VirtualLock, guard pages (PAGE_NOACCESS), PAGE_READONLY after
      write, WerRegisterExcludedMemoryBlock for WER crash report exclusion.
    • Linux: mlock, guard pages (PROT_NONE), PROT_READ after write,
      madvise(MADV_DONTDUMP) for core dump exclusion.
    • All: zeroize-before-free on drop; plain heap fallback with
      zeroize-on-drop on unsupported platforms.

    In concrete terms: this protects users from leaking important secrets in
    the event of a memory dump captured for debugging purposes.
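    The Linux side of that page handling, as an added example that is not the
    gateway's implementation: guard pages, mlock, read-only after write,
    MADV_DONTDUMP and zeroize-before-free, with the result read back from
    /proc/self/maps so the protection can be checked rather than assumed. It assumes
    Linux on a 64-bit target (the extern declarations are written by hand so the file
    builds with plain rustc and no libc crate; off_t is declared as i64 and the
    constants are Linux values). ProtectedKey, KEY_LEN and page_permissions are names
    chosen here; the ChaCha20-Poly1305 encryption that would consume the key is left
    out.

```rust
// Added example, not devolutions-gateway code. Linux, 64-bit only: libc
// declarations and constants are hand-written (no libc crate).
use std::os::raw::{c_int, c_void};
use std::ptr;

extern "C" {
    fn mmap(addr: *mut c_void, len: usize, prot: c_int, flags: c_int, fd: c_int, off: i64) -> *mut c_void;
    fn munmap(addr: *mut c_void, len: usize) -> c_int;
    fn mprotect(addr: *mut c_void, len: usize, prot: c_int) -> c_int;
    fn mlock(addr: *const c_void, len: usize) -> c_int;
    fn munlock(addr: *const c_void, len: usize) -> c_int;
    fn madvise(addr: *mut c_void, len: usize, advice: c_int) -> c_int;
    fn sysconf(name: c_int) -> i64;
}

const PROT_NONE: c_int = 0;
const PROT_READ: c_int = 1;
const PROT_WRITE: c_int = 2;
const MAP_PRIVATE: c_int = 0x02;
const MAP_ANONYMOUS: c_int = 0x20;
const MADV_DONTDUMP: c_int = 16;
const SC_PAGESIZE: c_int = 30;

/// 256-bit master key.
pub const KEY_LEN: usize = 32;

/// Mapping layout: [guard page][key page][guard page].
pub struct ProtectedKey {
    base: *mut u8,
    page: usize,
    key: *mut u8,
}

impl ProtectedKey {
    /// Maps three pages, makes the outer two inaccessible, locks the middle one,
    /// copies the key in, then drops write permission. mlock/madvise failures are
    /// ignored: that part is best effort, as the entry says.
    pub fn new(key: &[u8; KEY_LEN]) -> Result<ProtectedKey, String> {
        unsafe {
            let page = match sysconf(SC_PAGESIZE) { n if n > 0 => n as usize, _ => 4096 };
            let len = 3 * page;
            let base = mmap(ptr::null_mut(), len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
            if base == usize::MAX as *mut c_void {
                return Err("mmap failed".to_string());
            }
            let base = base as *mut u8;
            let key_page = base.add(page);
            // Guard pages: a linear over- or under-read into the key page faults.
            if mprotect(base as *mut c_void, page, PROT_NONE) != 0
                || mprotect(base.add(2 * page) as *mut c_void, page, PROT_NONE) != 0
            {
                munmap(base as *mut c_void, len);
                return Err("mprotect(guard) failed".to_string());
            }
            // Best effort: keep the page out of swap and out of core dumps.
            let _ = mlock(key_page as *const c_void, page);
            let _ = madvise(key_page as *mut c_void, page, MADV_DONTDUMP);
            ptr::copy_nonoverlapping(key.as_ptr(), key_page, KEY_LEN);
            // PROT_READ after write: a stray write to the key now faults too.
            if mprotect(key_page as *mut c_void, page, PROT_READ) != 0 {
                munmap(base as *mut c_void, len);
                return Err("mprotect(read-only) failed".to_string());
            }
            Ok(ProtectedKey { base, page, key: key_page })
        }
    }

    /// Borrow the key for the cipher.
    pub fn as_bytes(&self) -> &[u8] {
        unsafe { std::slice::from_raw_parts(self.key, KEY_LEN) }
    }

    /// Permission string of the key page ("r--p" once hardened), read back
    /// from /proc/self/maps.
    pub fn page_permissions(&self) -> Option<String> {
        let maps = std::fs::read_to_string("/proc/self/maps").ok()?;
        let addr = self.key as usize;
        for line in maps.lines() {
            let mut fields = line.split_whitespace();
            let (range, perms) = match (fields.next(), fields.next()) {
                (Some(r), Some(p)) => (r, p),
                _ => continue,
            };
            let (lo, hi) = match range.split_once('-') {
                Some(pair) => pair,
                None => continue,
            };
            let lo = usize::from_str_radix(lo, 16).ok()?;
            let hi = usize::from_str_radix(hi, 16).ok()?;
            if lo <= addr && addr < hi {
                return Some(perms.to_string());
            }
        }
        None
    }
}

impl Drop for ProtectedKey {
    /// Zeroize before free: restore write access, overwrite with volatile
    /// stores the optimizer cannot elide, then unlock and unmap.
    fn drop(&mut self) {
        unsafe {
            let _ = mprotect(self.key as *mut c_void, self.page, PROT_READ | PROT_WRITE);
            for i in 0..KEY_LEN {
                ptr::write_volatile(self.key.add(i), 0);
            }
            let _ = munlock(self.key as *const c_void, self.page);
            let _ = munmap(self.base as *mut c_void, 3 * self.page);
        }
    }
}

fn main() {
    // Constructed key; a real master key comes from a CSPRNG.
    let raw = [0x42u8; KEY_LEN];
    let key = ProtectedKey::new(&raw).expect("mmap");
    println!("key page perms: {:?}, first byte: {:#x}", key.page_permissions(), key.as_bytes()[0]);
}
```

    Note what the read-back does not show: MADV_DONTDUMP appears only in
    /proc/self/smaps (VmFlags "dd"), not in maps, and a failed mlock is silent by
    design here, so a deployment that needs the lock to be guaranteed should check its
    return value against RLIMIT_MEMLOCK rather than rely on the best-effort path.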

Bug Fixes

  • dgw: fix adaptive frame skipping during EOF waits in session shadowing (#1678) (a1566fd0f9) (DGW-341)

    Fixes video playback freezing permanently during live session shadowing.
    After brief pauses in the recording stream (e.g., during network hiccups
    or slow file writes), the shadow player would stop rendering new frames
    entirely, requiring a session restart.

    With this fix, shadow sessions now recover gracefully from temporary
    recording pauses, maintaining smooth video playback throughout the
    session.

  • installer: prevent issues with deferred properties containing semi-colons (e031fa32b1) (DGW-359)

  • dgw: add codec-aware VP9 keyframe detection (#1702) (737b750425)

    Add VP9 keyframe detection alongside existing VP8 support, based on
    the VP9 bitstream specification (profiles 0-3). Thread the VpxCodec
    type through the iterator and block tag layers so keyframe checks use
    the correct codec-specific logic. Set VpxEncoderPreset::BestPerformance
    on the re-encoding encoder for improved throughput during session shadowing.

  • dgw: improve unified shutdown correctness (#1703) (9e417f9006)

    Replace scattered shutdown mechanisms with a single tokio::sync::watch
    channel as the source of truth. Handle task now signals ClientDisconnected
    on client disconnect and uses select! on ws_frame.next() for shutdown
    awareness. Bridge task is aborted on webm_stream exit to prevent
    control_task from hanging indefinitely.

  • dgw: update cadeau native library to v2026.3.13.0 (#1708) (836bbedbf8) (DVLS-14057) (DGW-363)

  • dgw: fix service subcommand parsing (#1710) (aa8805aa87) (DGW-360)

  • dgw: fix minimum glibc version in deb manifest (#1716) (674818a4d0) (DGW-361)

    We cross-compile against an ubuntu-18.04 sysroot (via cbake), which
    ships glibc 2.27, not 2.31.

  • dgw: fix RPM webapp directories installed under wrong names (#1717) (1cbb8b9f59) (DGW-362)

    fpm installs a source directory by name inside the destination when
    given a bare directory path. Specifying explicit target paths ensures
    webapp/client and webapp/player are consistent with the DEB package.

  • jetsocat: fix schannel doctor backend (de4747c937)

    Set end_entity_info in schannel_read_chain for the leaf certificate, so
    that cert checks work when loading a chain from a PEM file.

  • dgw: fix RPM webapp directories installed under wrong names (#1722) (5668b18384) (DGW-362)

    fpm installs a source directory by name inside the destination when
    given a bare directory path. This is identical to #1717 but targets the
    currently active code path found in tlk.ps1.

  • dgw: reduce log noise for missing recording storage disk (#1728) (cceb72b21f) (DGW-353)

    When the recording storage disk cannot be found during a heartbeat or
    preflight check, only the first occurrence is now logged at WARN.
    Subsequent repeated occurrences are downgraded to DEBUG until the disk
    becomes available again, at which point the condition can surface at
    WARN once more. The recording path is included in the log event for
    context.
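    The WARN-once, then DEBUG-until-recovery behaviour as a small state machine,
    added here as an example and not the gateway's own logging code. Level, LogEvent,
    MissingDiskReporter, replay and the probe sequence are constructed for the
    illustration.

```rust
// Added example, not devolutions-gateway code: first miss at WARN, repeats at
// DEBUG, re-armed when the disk is found again. Names are chosen for this example.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Level {
    Warn,
    Debug,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct LogEvent {
    pub level: Level,
    pub message: String,
}

/// Remembers whether the missing-disk condition has already been reported.
#[derive(Debug, Default)]
pub struct MissingDiskReporter {
    reported: bool,
}

impl MissingDiskReporter {
    /// Called from every heartbeat or preflight check with the probe result.
    /// Returns the event to emit: WARN on the first miss, DEBUG for repeats,
    /// nothing when the disk is present (which also re-arms the WARN).
    pub fn check(&mut self, recording_path: &str, disk_found: bool) -> Option<LogEvent> {
        if disk_found {
            self.reported = false;
            return None;
        }
        let level = if self.reported { Level::Debug } else { Level::Warn };
        self.reported = true;
        Some(LogEvent {
            level,
            // The recording path rides along for context, as in the entry.
            message: format!("recording storage disk not found; recording_path={}", recording_path),
        })
    }
}

/// Replays a sequence of probe results and returns the level emitted for each.
pub fn replay(recording_path: &str, probes: &[bool]) -> Vec<Option<Level>> {
    let mut reporter = MissingDiskReporter::default();
    probes
        .iter()
        .map(|&found| reporter.check(recording_path, found).map(|e| e.level))
        .collect()
}

fn main() {
    // Constructed probe sequence: three misses, the disk returns, two more misses.
    let probes = [false, false, false, true, false, false];
    let mut reporter = MissingDiskReporter::default();
    for (i, &found) in probes.iter().enumerate() {
        match reporter.check("/mnt/recordings", found) {
            Some(ev) => println!("tick {}: {:?} {}", i, ev.level, ev.message),
            None => println!("tick {}: disk present, nothing logged", i),
        }
    }
}
```

    The single boolean is the whole trick: without the re-arm on success, an outage
    that clears and recurs would stay at DEBUG forever and never surface again.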

  • dgw: support network drives and UNC paths for recording storage space on Windows (#1729) (f2da923b1e) (DGW-354)

  • dgw: use statvfs for recording storage space on Unix (#1730) (b5de812542) (DGW-355)

    Replaces the sysinfo disk-enumeration approach on Linux/macOS with a
    direct statvfs(2) call against the configured recording path. This fixes
    incorrect or missing space values for network filesystems (NFS,
    CIFS/Samba) and any mount point the previous heuristic could not
    resolve.

Build

  • jetsocat: enable detect-proxy for Windows jetsocat builds (#1721) (d51d0c4cec)
