v2023.1.1

Improvements

• dgw: better TLS leaf certificate public key extracting (#390) (a4dec08e23)

  Use x509-cert crate to extract the public key from the leaf
  TLS certificate. x509-cert supports more certificates.

Build

• Update dependencies (ef1e889bac)

• jetsocat: set execute permission in binary (#388) (e08fd2300c)

v2023.1.0

Features

• dgw: clean path PDU extension for RDP (3bc0643818) (ARC-109)

• installer: show *.cer when browsing for certificate files (#383) (2de4a3880d)

  .cer is another popular extension for certificate files.

• jetsocat: file-based pipes (#385) (62394d3b48)

  • write-file://<PATH>: write file at the specified location
  • read-file://<PATH>: read wile at the specified location

• dgw: add service version to health check JSON response (d9f5472120)

Bug Fixes

• jetsocat: use rustls-native-certs on macOS and Linux (#382) (7305ce42be)

  Let rustls use the platform’s native certificate store.

Build

• Update Rust toolchain to 1.67.0 (f581e9bdc7)

Continuous Integration

• jetsocat: enable hardened runtime on macOS (#378) (84b5c33b47)

• jetsocat: build the jetsocat nuget in package.yml (#380) (2e0d0eef4d)

  Build the jetsocat nuget package as part of the packaging workflow (instead of the old standalone workflow, which just took the latest release from GitHub).

  If running the package workflow manually, the version number of the package may be specified; else it defaults to the current date.

• jetsocat: add Linux binary to nuget package (#384) (8a74ff86ca)

v2022.3.4

Bug Fixes

• pwsh: nil UUID when creating an empty DGatewayConfig (#372) (370ed02947) (DGW-73)

  Without this patch, the nil UUID is used as the "missing" value instead of $null.

• installer: ensure default config on install, properly set access URI host (a506c871ee) (DGW-72)

  Ensures a default config is created using the Devolutions Gateway binary before applying "Configure now".

• installer: avoid Unicode char literals (#376) (8d94f94b81) (DGW-74)

  Unicode character literals in source files can be problematic, depending on the editor and encoding.
  Instead, avoid the issue by masking the character with an asterisk instead of a Unicode "bullet".

Build

• Update Rust toolchain to 1.66 (561dcbbc46)

Documentation

• pwsh: fix links in PowerShell module manifest (#369) (03e26cbbca)

Features

• dgw: add Telnet protocol variant (b89d553095) (DGW-70)

  This change is making possible to omit the port in the target host
  field. The Telnet default port will be inferred as appropriate.

v2022.3.3

Improvements

• dgw: set default TCP port to 8181 (#364) (9df3a0e) (DGW-66)

• Normalize file extensions (#367) (5d26d73) (DGW-67)

  By convention:

  • .pem -> public key
  • .key -> private key
  • .crt -> certificate

  Note that this is merely a convention, not a standard, and file openers
  should be able to select a .key file when choosing a public key (through
  the drop-down menu typically)

• installer: start the Gateway service at install time (#363) (b07ccd4)

Bug Fixes

• dgw: Accept header parsing in health route (#366) (136cfb0) (DGW-68)

v2022.3.2

Improvements

• installer: install service as "Local Service" again (fewer permissions) (#353, #354)
• jetsocat: automatically clean old log files (#346) (d032530)
• dgw: IPv6 support (#350) (d591085)
• dgw: support for full TLS certificate chain (#359) (ee1f560)

Features

• installer: enable configuration of Devolutions Gateway via installer UI on Windows (#348) (6392ed9)

Build

• dgw: disable sogar (#355) (90d57ac)

v2022.3.1

Improvements

• dgw: improve CLI output (#338) (d7bd9dc)

Features

• dgw: extend subkey capabilities to KDC tokens (#334) (cdc53d0)

  With this change, a subkey is allowed to sign a short-lived KDC token.

Build

• jetsocat-nuget: add win-arm64 to nuget package (#339) (2a676ca)

v2022.3.0

Bug Fixes

• dgw: revert service as "Local Service" (c4f8d24)

• dgw: Content-Type header present twice for Json responses (#315) (c0976d8)

  Indeed, Content-Type is a "singleton field": a single member is anticipated as the field value.

  RFC9110 says:

  Although Content-Type is defined as a singleton field,
  it is sometimes incorrectly generated multiple times,
  resulting in a combined field value that appears to be a list.
  Recipients often attempt to handle this error by using
  the last syntactically valid member of the list, leading to
  potential interoperability and security issues if different
  implementations have different error handling behaviors.

• jmux-proxy: properly cancel proxy task (#327) (f62143e)

  Previously, JMUX proxy task wasn't properly shut down because tokio
  tasks are detached by default (similar to std::thread::spawn). This
  adds a helper wrapper to explicitely specify whether a task should be
  joined or detached.

Features

• OpenAPI document and auto-generated C# and TypeScript clients

• dgw: retrieve KDC token from the path (f9b66c1)

• dgw: subkey tokens (#287) (bebee0e)

• dgw: support for CORS calls (#288) (388b1f6)

• dgw: expose gateway ID in configuration endpoint (f15d33a)

• dgw: add general claim jet_gw_id (#293) (7a22ea1)

  When this claim is specified, a given token can only be used on a Gateway with the very same ID.

• dgw: wildcard scope tokens (#294) (1c98c15)

• dgw: config pushing endpoint (8ff1ebe)

• dgw: lossless and simpler config DTO (ba68301)

• dgw: subscriber API (a80282e)

• dgw: add --config-init-only cli option (89cd2b7)

• dgw: limit JMUX wildcard addresses (#302) (8a95130)

  The same port must be used.

• dgw: jet/health endpoint now returns Gateway identity

  The Accept HTTP header must be set to application/json for this.

• powershell: update module (71e15a4)

  • Deprecate PrivateKeyFile and CertificateFile in favor of
    TlsPrivateKeyFile and TlsCertificateFile. This change is backward
    compatible (older naming are recognized by cmdlets).

  • Add Id, Subscriber and SubProvisionerPublicKey to config class.

  • Allow Set-DGatewayConfig to set Id, Subscriber and
    SubProvisionerPublicKey values.

• dgw: forced session termination support (16c119b)

  This adds the endpoint POST /jet/session/<id>/terminate.
  This is similar to what we had back in Wayk Bastion except it’s not P2P.

• dgw: maximum session lifetime enforcing (9b80162)

  This adds a new claim jet_ttl specifying the maximum lifetime for a
  given session. Devolutions Gateway will kill the session if it is still
  running after the deadline.

• jetsocat: HTTP proxy listener (04bd6da)

  HTTP proxy listener now handles both HTTPS (tunneling) proxy requests
  and HTTP (regular forwarding).

Security

• dgw: Smaller token reuse interval for RDP sessions (832d00b)

  With this change, we do not allow reuse for RDP sessions more than a few
  seconds following the previous use. The interval is 10 seconds which is
  expected to give plenty of time to RDP handshake and negotiations. Once
  this interval is exceeded, we consider the RDP session is fully started
  and the same token can't be reused anymore.

  Two reasons why this is beneficial:

  • Security wise: the reuse interval is considerably shortened
  • Feature wise: more efficient forced RDP session termination

  Regarding the second point: Windows’ mstsc will keep alive the session
  by re-opening it immediately. Because we allow token reuse in a limited
  fashion for RDP, as long as the association token is not expired,
  the terminate action has effectively no visible effect (besides that
  multiple sessions occurred). Reducing the reuse interval greatly
  improves the situation.

v2022.2.2

• Update dependencies with CVE reports
• pwsh: update token generation cmdlet
• dgw: remove unused /jet/sessions/count route
• dgw: lossless unknown application strings

  With this change, unknown application protocols will get displayed in session information as well.
  Previously, any unknown value was just treated as the "unknown" string.

v2022.2.1

• Migrate logging infrastructure to tracing
• dgw: duplicate /jmux and /KdcProxy endpoints under /jet
• dgw: log files are now rotated on a daily basis (old log files are deleted automatically)
• dgw: new LogDirective config option
• dgw: downgrade health route logs to debug level
• dgw: JMUX filtering through claims (* is used to generate an "allow all" rule)
• dgw: optional application protocol claim in JMUX tokens to find good default ports
• dgw: PowerShell via SSH application protocol has been renamed from pwsh to ssh-pwsh
• dgw: new known application protocols
  • PowerShell via WinRM (winrm-http-pwsh, winrm-https-pwsh)
  • VNC (vnc)
  • SCP (scp)
  • HTTP (http)
  • HTTPS (https)
• jetsocat: process watcher option (--watch-parent, --watch-process)
• jetsocat: pipe timeout option (--pipe-timeout)
• jetsocat: HTTP(S) tunneling (proxy) listener for JMUX proxy (http-listen://<BINDING_ADDRESS>)

v2022.1.1

• diagnostics/configuration endpoint now also returns Gateway's version
• New diagnostics/clock endpoint to troubleshoot clock drift
• Initial KDC proxy implementation
• Windows installer (MSI) now installs Gateway service as "Local Service" (fewer permissions)