Added option to configure DTLS Cipher Suites

Added new option to SettingEngine to configure DTLS Cipher Suites
2025-12-24 11:51:03 +08:00 · 2025-11-21 16:32:34 +01:00
parent d32d5cd252
commit e6d249ecf8
3 changed files with 16 additions and 2 deletions
--- a/dtlstransport.go
+++ b/dtlstransport.go
@@ -340,6 +340,7 @@ func (t *DTLSTransport) Start(remoteParameters DTLSParameters) error { //nolint:
 			ClientAuth:         dtls.RequireAnyClientCert,
 			LoggerFactory:      t.api.settingEngine.LoggerFactory,
 			InsecureSkipVerify: !t.api.settingEngine.dtls.disableInsecureSkipVerify,
+			CipherSuites:       t.api.settingEngine.dtls.cipherSuites,
 			CustomCipherSuites: t.api.settingEngine.dtls.customCipherSuites,
 		}, nil
 	}
--- a/settingengine.go
+++ b/settingengine.go
@@ -74,6 +74,7 @@ type SettingEngine struct {
 		clientCAs                     *x509.CertPool
 		rootCAs                       *x509.CertPool
 		keyLogWriter                  io.Writer
+		cipherSuites                  []dtls.CipherSuiteID
 		customCipherSuites            func() []dtls.CipherSuite
 		clientHelloMessageHook        func(handshake.MessageClientHello) handshake.Message
 		serverHelloMessageHook        func(handshake.MessageServerHello) handshake.Message
@@ -497,8 +498,15 @@ func (e *SettingEngine) SetSCTPMaxMessageSize(maxMessageSize uint32) {
 	e.sctp.maxMessageSize = maxMessageSize
 }

-// SetDTLSCustomerCipherSuites allows the user to specify a list of DTLS CipherSuites.
-// This allow usage of Ciphers that are reserved for private usage.
+// SetDTLSCipherSuites allows the user to specify a list of DTLS CipherSuites.
+// This allow to control which ciphers implemented by pion/dtls are used during the DTLS handshake.
+// It can be used for DTLS connection hardening.
+func (e *SettingEngine) SetDTLSCipherSuites(cipherSuites ...dtls.CipherSuiteID) {
+	e.dtls.cipherSuites = cipherSuites
+}
+
+// SetDTLSCustomerCipherSuites allows the user to specify a list of custom DTLS CipherSuites.
+// It allows to use custom/private DTLS CipherSuites in addition to the ones implemented by pion/dtls.
 func (e *SettingEngine) SetDTLSCustomerCipherSuites(customCipherSuites func() []dtls.CipherSuite) {
 	e.dtls.customCipherSuites = customCipherSuites
 }
--- a/settingengine_test.go
+++ b/settingengine_test.go
@@ -586,6 +586,7 @@ func TestSettingEngine_DTLSSetters(t *testing.T) {
 	se.SetDTLSClientCAs(clientCAs)
 	se.SetDTLSRootCAs(rootCAs)
 	se.SetDTLSKeyLogWriter(&keyBuf)
+	se.SetDTLSCipherSuites(dtls.TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, dtls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)

 	called := false
 	se.SetDTLSCustomerCipherSuites(func() []dtls.CipherSuite {
@@ -603,6 +604,10 @@ func TestSettingEngine_DTLSSetters(t *testing.T) {
 	assert.Equal(t, rootCAs, se.dtls.rootCAs)
 	_, _ = se.dtls.keyLogWriter.Write([]byte("test"))
 	assert.NotZero(t, keyBuf.Len())
+	assert.Equal(t, []dtls.CipherSuiteID{
+		dtls.TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+		dtls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+	}, se.dtls.cipherSuites)
 	_ = se.dtls.customCipherSuites()
 	assert.True(t, called)
 }