Pion DTLS
A Go implementation of DTLS
Native DTLS 1.2 implementation in the Go programming language.
A long term goal is a professional security review, and maybe an inclusion in stdlib.
RFCs
Implemented
- RFC 6347: Datagram Transport Layer Security Version 1.2
- RFC 5705: Keying Material Exporters for Transport Layer Security (TLS)
- RFC 7627: Transport Layer Security (TLS) - Session Hash and Extended Master Secret Extension
- RFC 7301: Transport Layer Security (TLS) - Application-Layer Protocol Negotiation Extension
Goals/Progress
This will only be targeting DTLS 1.2, and the most modern/common cipher suites. We would love contributions that fall under the 'Planned Features' and any bug fixes!
Current features
- DTLS 1.2 Client/Server
- Key Exchange via ECDHE(curve25519, nistp256, nistp384) and PSK
- Packet loss and re-ordering is handled during handshaking
- Key export (RFC 5705)
- Serialization and Resumption of sessions
- Extended Master Secret extension (RFC 7627)
- ALPN extension (RFC 7301)
Supported ciphers
ECDHE
- TLS_ECDHE_ECDSA_WITH_AES_128_CCM (RFC 6655)
- TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (RFC 6655)
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (RFC 5289)
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (RFC 5289)
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (RFC 5289)
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (RFC 5289)
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (RFC 8422)
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (RFC 8422)
PSK
- TLS_PSK_WITH_AES_128_CCM (RFC 6655)
- TLS_PSK_WITH_AES_128_CCM_8 (RFC 6655)
- TLS_PSK_WITH_AES_256_CCM_8 (RFC 6655)
- TLS_PSK_WITH_AES_128_GCM_SHA256 (RFC 5487)
- TLS_PSK_WITH_AES_128_CBC_SHA256 (RFC 5487)
ECDHE & PSK
- TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 (RFC 5489)
Planned Features
- Chacha20Poly1305
Excluded Features
- DTLS 1.0
- Renegotiation
- Compression
Using
This library needs at least Go 1.13, and you should have Go modules enabled.
Pion DTLS
For a DTLS 1.2 Server that listens on 127.0.0.1:4444
go run examples/listen/selfsign/main.goFor a DTLS 1.2 Client that connects to 127.0.0.1:4444
go run examples/dial/selfsign/main.goOpenSSL
Pion DTLS can connect to itself and OpenSSL.
// Generate a certificate
openssl ecparam -out key.pem -name prime256v1 -genkey
openssl req -new -sha256 -key key.pem -out server.csr
openssl x509 -req -sha256 -days 365 -in server.csr -signkey key.pem -out cert.pem
// Use with examples/dial/selfsign/main.go
openssl s_server -dtls1_2 -cert cert.pem -key key.pem -accept 4444
// Use with examples/listen/selfsign/main.go
openssl s_client -dtls1_2 -connect 127.0.0.1:4444 -debug -cert cert.pem -key key.pemUsing with PSK
Pion DTLS also comes with examples that do key exchange via PSK
Pion DTLS
go run examples/listen/psk/main.gogo run examples/dial/psk/main.goOpenSSL
// Use with examples/dial/psk/main.go
openssl s_server -dtls1_2 -accept 4444 -nocert -psk abc123 -cipher PSK-AES128-CCM8
// Use with examples/listen/psk/main.go
openssl s_client -dtls1_2 -connect 127.0.0.1:4444 -psk abc123 -cipher PSK-AES128-CCM8Community
Pion has an active community on the Slack.
Follow the Pion Twitter for project updates and important WebRTC news.
We are always looking to support your projects. Please reach out if you have something to build! If you need commercial support or don't want to use public methods you can contact us at team@pion.ly
Contributing
Check out the contributing wiki to join the group of amazing people making this project possible
License
MIT License - see LICENSE for full text