Option to check for fingerprint in DTLS handshake

2025-12-24 11:51:03 +08:00 · 2025-12-09 18:46:44 +05:30
parent 79d7571f25
commit 0936b7d344
1 changed files with 20 additions and 38 deletions
--- a/dtlstransport.go
+++ b/dtlstransport.go
@@ -371,6 +371,26 @@ func (t *DTLSTransport) Start(remoteParameters DTLSParameters) error { //nolint:
 	dtlsConfig.ClientHelloMessageHook = t.api.settingEngine.dtls.clientHelloMessageHook
 	dtlsConfig.ServerHelloMessageHook = t.api.settingEngine.dtls.serverHelloMessageHook
 	dtlsConfig.CertificateRequestMessageHook = t.api.settingEngine.dtls.certificateRequestMessageHook
+	dtlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _verifiedChains [][]*x509.Certificate) error {
+		if len(rawCerts) == 0 {
+			return errNoRemoteCertificate
+		}
+
+		t.lock.Lock()
+		defer t.lock.Unlock()
+		t.remoteCertificate = rawCerts[0]
+
+		if t.api.settingEngine.disableCertificateFingerprintVerification {
+			return nil
+		}
+
+		parsedRemoteCert, parseErr := x509.ParseCertificate(t.remoteCertificate)
+		if parseErr != nil {
+			return parseErr
+		}
+
+		return t.validateFingerPrint(parsedRemoteCert)
+	}

 	// Connect as DTLS Client/Server, function is blocking and we
 	// must not hold the DTLSTransport lock
@@ -421,44 +441,6 @@ func (t *DTLSTransport) Start(remoteParameters DTLSParameters) error { //nolint:
 		return ErrNoSRTPProtectionProfile
 	}

-	// Check the fingerprint if a certificate was exchanged
-	connectionState, ok := dtlsConn.ConnectionState()
-	if !ok {
-		t.onStateChange(DTLSTransportStateFailed)
-
-		return errNoRemoteCertificate
-	}
-
-	if len(connectionState.PeerCertificates) == 0 {
-		t.onStateChange(DTLSTransportStateFailed)
-
-		return errNoRemoteCertificate
-	}
-	t.remoteCertificate = connectionState.PeerCertificates[0]
-
-	if !t.api.settingEngine.disableCertificateFingerprintVerification { //nolint:nestif
-		parsedRemoteCert, err := x509.ParseCertificate(t.remoteCertificate)
-		if err != nil {
-			if closeErr := dtlsConn.Close(); closeErr != nil {
-				t.log.Error(err.Error())
-			}
-
-			t.onStateChange(DTLSTransportStateFailed)
-
-			return err
-		}
-
-		if err = t.validateFingerPrint(parsedRemoteCert); err != nil {
-			if closeErr := dtlsConn.Close(); closeErr != nil {
-				t.log.Error(err.Error())
-			}
-
-			t.onStateChange(DTLSTransportStateFailed)
-
-			return err
-		}
-	}
-
 	t.conn = dtlsConn
 	t.onStateChange(DTLSTransportStateConnected)