Enable certificate validation when server

We currently only check the peer certificate when running as a client. pions/dtls added support for ClientAuth, so start using this feature and checking the remote certificate. Resolves pion#413
aler9 · Feb 17, 2019 · b711ec2 · b711ec2
1 parent 5fcbc74
commit b711ec2
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 12 deletions.
diff --git a/go.mod b/go.mod
@@ -2,7 +2,7 @@ module github.com/pions/webrtc
 
 require (
 	github.com/pions/datachannel v1.2.0
-	github.com/pions/dtls v1.2.0
+	github.com/pions/dtls v1.2.1
 	github.com/pions/rtcp v1.0.0
 	github.com/pions/rtp v1.0.0
 	github.com/pions/sctp v1.3.1

diff --git a/go.sum b/go.sum
@@ -19,8 +19,8 @@ github.com/onsi/gomega v1.4.3 h1:RE1xgDvH7imwFD45h+u2SgIfERHlS2yNG4DObb5BSKU=
 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/pions/datachannel v1.2.0 h1:N12qhHSRVlgBcaal2Hi4skdz7VI4yz6bNC5IJDMzCNw=
 github.com/pions/datachannel v1.2.0/go.mod h1:MKPEKJRwX/a9/tyQvcVTUI9szyf8ZuUyZxSA9AVMSro=
-github.com/pions/dtls v1.2.0 h1:l1raMH2W+atX+2zGF4c1RWl1RFPBmHSu0udh6KNGvdM=
-github.com/pions/dtls v1.2.0/go.mod h1:OgJcO0SqrDdQzqkCTdAp4xCQlbCmwZtGyhbthbq9zIA=
+github.com/pions/dtls v1.2.1 h1:QR7HLXROoi61iBUnHXDIJ1dtzFCiiXlHMe+lqgAH4W8=
+github.com/pions/dtls v1.2.1/go.mod h1:OgJcO0SqrDdQzqkCTdAp4xCQlbCmwZtGyhbthbq9zIA=
 github.com/pions/qtls-vendor-extracted v0.0.0-20190210024908-018998217c65 h1:skcEQZ2eUdm1WKlYu7y1y0HBzOwa1pgSAwvhG6PrI2s=
 github.com/pions/qtls-vendor-extracted v0.0.0-20190210024908-018998217c65/go.mod h1:tSUehzG/8OAT3JvWvnovveLfRMM8NvgfN1LzwSrBX5s=
 github.com/pions/quic-go v0.7.1-0.20190211221741-ec20a8498576 h1:fD1z2bI0qf8yiZGDg5dxhVPP6xtsACP6FN5rDhpDVfM=

diff --git a/rtcdtlstransport.go b/rtcdtlstransport.go
@@ -181,7 +181,12 @@ func (t *RTCDtlsTransport) Start(remoteParameters RTCDtlsParameters) error {
 	// TODO: handle multiple certs
 	cert := t.certificates[0]
 
-	dtlsCofig := &dtls.Config{Certificate: cert.x509Cert, PrivateKey: cert.privateKey, SRTPProtectionProfiles: []dtls.SRTPProtectionProfile{dtls.SRTP_AES128_CM_HMAC_SHA1_80}}
+	dtlsCofig := &dtls.Config{
+		Certificate:            cert.x509Cert,
+		PrivateKey:             cert.privateKey,
+		SRTPProtectionProfiles: []dtls.SRTPProtectionProfile{dtls.SRTP_AES128_CM_HMAC_SHA1_80},
+		ClientAuth:             dtls.RequireAnyClientCert,
+	}
 	if t.isClient() {
 		// Assumes the peer offered to be passive and we accepted.
 		dtlsConn, err := dtls.Client(dtlsEndpoint, dtlsCofig)
@@ -200,16 +205,11 @@ func (t *RTCDtlsTransport) Start(remoteParameters RTCDtlsParameters) error {
 
 	// Check the fingerprint if a certificate was exchanged
 	remoteCert := t.conn.RemoteCertificate()
-	if remoteCert != nil {
-		err := t.validateFingerPrint(remoteParameters, remoteCert)
-		if err != nil {
-			return err
-		}
-	} else {
-		fmt.Println("Warning: Certificate not checked")
+	if remoteCert == nil {
+		return fmt.Errorf("Peer didn't provide certificate via DTLS")
 	}
 
-	return nil
+	return t.validateFingerPrint(remoteParameters, remoteCert)
 }
 
 // Stop stops and closes the RTCDtlsTransport object.