Added option to configure DTLS Cipher Suites

sirzooro · sirzooro · commit e6d249ecf804 · 2025-11-21T17:03:22.000+01:00
Added new option to SettingEngine to configure DTLS Cipher Suites
diff --git a/dtlstransport.go b/dtlstransport.go
@@ -340,6 +340,7 @@ func (t *DTLSTransport) Start(remoteParameters DTLSParameters) error { //nolint:
 			ClientAuth:         dtls.RequireAnyClientCert,
 			LoggerFactory:      t.api.settingEngine.LoggerFactory,
 			InsecureSkipVerify: !t.api.settingEngine.dtls.disableInsecureSkipVerify,
+			CipherSuites:       t.api.settingEngine.dtls.cipherSuites,
 			CustomCipherSuites: t.api.settingEngine.dtls.customCipherSuites,
 		}, nil
 	}
diff --git a/settingengine.go b/settingengine.go
@@ -74,6 +74,7 @@ type SettingEngine struct {
 		clientCAs                     *x509.CertPool
 		rootCAs                       *x509.CertPool
 		keyLogWriter                  io.Writer
+		cipherSuites                  []dtls.CipherSuiteID
 		customCipherSuites            func() []dtls.CipherSuite
 		clientHelloMessageHook        func(handshake.MessageClientHello) handshake.Message
 		serverHelloMessageHook        func(handshake.MessageServerHello) handshake.Message
@@ -497,8 +498,15 @@ func (e *SettingEngine) SetSCTPMaxMessageSize(maxMessageSize uint32) {
 	e.sctp.maxMessageSize = maxMessageSize
 }
 
-// SetDTLSCustomerCipherSuites allows the user to specify a list of DTLS CipherSuites.
-// This allow usage of Ciphers that are reserved for private usage.
+// SetDTLSCipherSuites allows the user to specify a list of DTLS CipherSuites.
+// This allow to control which ciphers implemented by pion/dtls are used during the DTLS handshake.
+// It can be used for DTLS connection hardening.
+func (e *SettingEngine) SetDTLSCipherSuites(cipherSuites ...dtls.CipherSuiteID) {
+	e.dtls.cipherSuites = cipherSuites
+}
+
+// SetDTLSCustomerCipherSuites allows the user to specify a list of custom DTLS CipherSuites.
+// It allows to use custom/private DTLS CipherSuites in addition to the ones implemented by pion/dtls.
 func (e *SettingEngine) SetDTLSCustomerCipherSuites(customCipherSuites func() []dtls.CipherSuite) {
 	e.dtls.customCipherSuites = customCipherSuites
 }
diff --git a/settingengine_test.go b/settingengine_test.go
@@ -586,6 +586,7 @@ func TestSettingEngine_DTLSSetters(t *testing.T) {
 	se.SetDTLSClientCAs(clientCAs)
 	se.SetDTLSRootCAs(rootCAs)
 	se.SetDTLSKeyLogWriter(&keyBuf)
+	se.SetDTLSCipherSuites(dtls.TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, dtls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
 
 	called := false
 	se.SetDTLSCustomerCipherSuites(func() []dtls.CipherSuite {
@@ -603,6 +604,10 @@ func TestSettingEngine_DTLSSetters(t *testing.T) {
 	assert.Equal(t, rootCAs, se.dtls.rootCAs)
 	_, _ = se.dtls.keyLogWriter.Write([]byte("test"))
 	assert.NotZero(t, keyBuf.Len())
+	assert.Equal(t, []dtls.CipherSuiteID{
+		dtls.TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+		dtls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+	}, se.dtls.cipherSuites)
 	_ = se.dtls.customCipherSuites()
 	assert.True(t, called)
 }

Original file line number	Diff line number	Diff line change
`@@ -340,6 +340,7 @@ func (t *DTLSTransport) Start(remoteParameters DTLSParameters) error { //nolint:`
`340`	`340`	`ClientAuth: dtls.RequireAnyClientCert,`
`341`	`341`	`LoggerFactory: t.api.settingEngine.LoggerFactory,`
`342`	`342`	`InsecureSkipVerify: !t.api.settingEngine.dtls.disableInsecureSkipVerify,`
	`343`	`+ CipherSuites: t.api.settingEngine.dtls.cipherSuites,`
`343`	`344`	`CustomCipherSuites: t.api.settingEngine.dtls.customCipherSuites,`
`344`	`345`	`}, nil`
`345`	`346`	`}`