From 0936b7d3444f782f11248b10b048c705fe030645 Mon Sep 17 00:00:00 2001
From: boks1971
Date: Tue, 9 Dec 2025 18:46:44 +0530
Subject: [PATCH] Option to check for fingerprint in DTLS handshake

---
 dtlstransport.go | 58 +++++++++++++++++-------------------------------
 1 file changed, 20 insertions(+), 38 deletions(-)

diff --git a/dtlstransport.go b/dtlstransport.go
index 90ed241c..40251821 100644
--- a/dtlstransport.go
+++ b/dtlstransport.go
@@ -371,6 +371,26 @@ func (t *DTLSTransport) Start(remoteParameters DTLSParameters) error { //nolint:
 dtlsConfig.ClientHelloMessageHook = t.api.settingEngine.dtls.clientHelloMessageHook
 dtlsConfig.ServerHelloMessageHook = t.api.settingEngine.dtls.serverHelloMessageHook
 dtlsConfig.CertificateRequestMessageHook = t.api.settingEngine.dtls.certificateRequestMessageHook
+ dtlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _verifiedChains [][]*x509.Certificate) error {
+ if len(rawCerts) == 0 {
+ return errNoRemoteCertificate
+ }
+
+ t.lock.Lock()
+ defer t.lock.Unlock()
+ t.remoteCertificate = rawCerts[0]
+
+ if t.api.settingEngine.disableCertificateFingerprintVerification {
+ return nil
+ }
+
+ parsedRemoteCert, parseErr := x509.ParseCertificate(t.remoteCertificate)
+ if parseErr != nil {
+ return parseErr
+ }
+
+ return t.validateFingerPrint(parsedRemoteCert)
+ }
 // Connect as DTLS Client/Server, function is blocking and we
 // must not hold the DTLSTransport lock
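Review bot: Once the post-handshake check is deleted in the second hunk, rejecting a peer that never presents a certificate depends entirely on the DTLS library invoking `VerifyPeerCertificate` on every handshake; the `len(rawCerts) == 0` guard added here only runs if the callback is called at all, and nothing in this hunk guarantees that. Keeping a cheap assertion after the connect succeeds, `if len(t.remoteCertificate) == 0 { t.onStateChange(DTLSTransportStateFailed); return errNoRemoteCertificate }`, preserves the old invariant without relying on callback semantics. The removed path also closed the connection and moved the transport to `DTLSTransportStateFailed` on a parse or fingerprint failure; that failure now surfaces as an error from the blocking connect call that follows, so confirm the connect error path (outside this hunk) still sets the failed state and closes nothing it should not. The subject line promises an "option", but the hook is installed unconditionally and the diffstat lists only this file, so either the toggle lives elsewhere and should be named in the description, or the title should say the check moved into the handshake. `Start` begins before and ends after this hunk, and the unused parameter is conventionally written `_` rather than `_verifiedChains`.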
@@ -421,44 +441,6 @@ func (t *DTLSTransport) Start(remoteParameters DTLSParameters) error { //nolint:
 return ErrNoSRTPProtectionProfile
 }
- // Check the fingerprint if a certificate was exchanged
- connectionState, ok := dtlsConn.ConnectionState()
- if !ok {
- t.onStateChange(DTLSTransportStateFailed)
-
- return errNoRemoteCertificate
- }
-
- if len(connectionState.PeerCertificates) == 0 {
- t.onStateChange(DTLSTransportStateFailed)
-
- return errNoRemoteCertificate
- }
- t.remoteCertificate = connectionState.PeerCertificates[0]
-
- if !t.api.settingEngine.disableCertificateFingerprintVerification { //nolint:nestif
- parsedRemoteCert, err := x509.ParseCertificate(t.remoteCertificate)
- if err != nil {
- if closeErr := dtlsConn.Close(); closeErr != nil {
- t.log.Error(err.Error())
- }
-
- t.onStateChange(DTLSTransportStateFailed)
-
- return err
- }
-
- if err = t.validateFingerPrint(parsedRemoteCert); err != nil {
- if closeErr := dtlsConn.Close(); closeErr != nil {
- t.log.Error(err.Error())
- }
-
- t.onStateChange(DTLSTransportStateFailed)
-
- return err
- }
- }
-
 t.conn = dtlsConn
 t.onStateChange(DTLSTransportStateConnected)