pion
dtls
Go

DTLS 1.2 implementation for Go (DTLS 1.3 in progress)

Last updated Jul 9, 2026
689
Stars
196
Forks
22
Issues
0
Stars/day
Attention Score
72
Language breakdown
No language data available.
Files click to expand
README


Pion DTLS

A Go implementation of DTLS

Pion DTLS Sourcegraph Widget join us on Discord Follow us on Bluesky
GitHub Workflow Status Go Reference Coverage Status Go Report Card License: MIT


Native [DTLS 1.2][rfc6347] implementation in the Go programming language.

A long term goal is a professional security review, and maybe an inclusion in stdlib.

[!WARNING]
This branch is currently frozen from tagging while DTLS 1.3 work is underway.
>
DTLS 1.3 and breaking changes should target the main branch. Bug fixes and DTLS 1.2 improvments should target the v3 branch, which can be used for tags until DTLS 1.3 is ready.

RFCs

Implemented

  • RFC 6347: [Datagram Transport Layer Security Version 1.2][rfc6347]
  • RFC 5705: [Keying Material Exporters for Transport Layer Security (TLS)][rfc5705]
  • RFC 7627: [Transport Layer Security (TLS) - Session Hash and Extended Master Secret Extension][rfc7627]
  • RFC 7301: [Transport Layer Security (TLS) - Application-Layer Protocol Negotiation Extension][rfc7301]
[rfc5289]: https://tools.ietf.org/html/rfc5289 [rfc5487]: https://tools.ietf.org/html/rfc5487 [rfc5489]: https://tools.ietf.org/html/rfc5489 [rfc5705]: https://tools.ietf.org/html/rfc5705 [rfc6347]: https://tools.ietf.org/html/rfc6347 [rfc6655]: https://tools.ietf.org/html/rfc6655 [rfc7301]: https://tools.ietf.org/html/rfc7301 [rfc7627]: https://tools.ietf.org/html/rfc7627 [rfc7905]: https://tools.ietf.org/html/rfc7905 [rfc8422]: https://tools.ietf.org/html/rfc8422 [rfc9147]: https://tools.ietf.org/html/rfc9147

Goals/Progress

This will only be targeting DTLS 1.2, and the most modern/common cipher suites. We would love contributions that fall under the 'Planned Features' and any bug fixes!

Current features

  • DTLS 1.2 Client/Server
  • Key Exchange via ECDHE(curve25519, nistp256, nistp384) and PSK
  • Packet loss and re-ordering is handled during handshaking
  • Key export ([RFC 5705][rfc5705])
  • Serialization and Resumption of sessions
  • Extended Master Secret extension ([RFC 7627][rfc7627])
  • ALPN extension ([RFC 7301][rfc7301])

Supported ciphers

ECDHE
  • TLSECDHEECDSAWITHAES128CCM ([RFC 6655][rfc6655])
  • TLSECDHEECDSAWITHAES128CCM_8 ([RFC 6655][rfc6655])
  • TLSECDHEECDSAWITHAES128GCM_SHA256 ([RFC 5289][rfc5289])
  • TLSECDHERSAWITHAES128GCM_SHA256 ([RFC 5289][rfc5289])
  • TLSECDHEECDSAWITHAES256GCM_SHA384 ([RFC 5289][rfc5289])
  • TLSECDHERSAWITHAES256GCM_SHA384 ([RFC 5289][rfc5289])
  • TLSECDHEECDSAWITHAES256CBC_SHA ([RFC 8422][rfc8422])
  • TLSECDHERSAWITHAES256CBC_SHA ([RFC 8422][rfc8422])
  • TLSECDHEECDSAWITHCHACHA20POLY1305SHA256 ([RFC 7905][rfc7905])
  • TLSECDHERSAWITHCHACHA20POLY1305SHA256 ([RFC 7905][rfc7905])
PSK
  • TLSPSKWITHAES128_CCM ([RFC 6655][rfc6655])
  • TLSPSKWITHAES128CCM8 ([RFC 6655][rfc6655])
  • TLSPSKWITHAES256CCM8 ([RFC 6655][rfc6655])
  • TLSPSKWITHAES128GCMSHA256 ([RFC 5487][rfc5487])
  • TLSPSKWITHAES128CBCSHA256 ([RFC 5487][rfc5487])
  • TLSPSKWITHCHACHA20POLY1305_SHA256 ([RFC 7905][rfc7905])
ECDHE & PSK
  • TLSECDHEPSKWITHAES128CBC_SHA256 ([RFC 5489][rfc5489])

Planned Features

  • DTLS 1.3 ([RFC 9147][rfc9147])

Excluded Features

  • DTLS 1.0
  • Renegotiation
  • Compression

Using

This library needs at least Go 1.21, and you should have Go modules enabled.

Pion DTLS

For a DTLS 1.2 Server that listens on 127.0.0.1:4444
go run examples/listen/selfsign/main.go

For a DTLS 1.2 Client that connects to 127.0.0.1:4444

go run examples/dial/selfsign/main.go

OpenSSL

Pion DTLS can connect to itself and OpenSSL.
// Generate a certificate
  openssl ecparam -out key.pem -name prime256v1 -genkey
  openssl req -new -sha256 -key key.pem -out server.csr
  openssl x509 -req -sha256 -days 365 -in server.csr -signkey key.pem -out cert.pem

// Use with examples/dial/selfsign/main.go openssl sserver -dtls12 -cert cert.pem -key key.pem -accept 4444

// Use with examples/listen/selfsign/main.go openssl sclient -dtls12 -connect 127.0.0.1:4444 -debug -cert cert.pem -key key.pem

Using with PSK

Pion DTLS also comes with examples that do key exchange via PSK

Pion DTLS

go run examples/listen/psk/main.go
go run examples/dial/psk/main.go

OpenSSL

// Use with examples/dial/psk/main.go
  openssl sserver -dtls12 -accept 4444 -nocert -psk abc123 -cipher PSK-AES128-CCM8

// Use with examples/listen/psk/main.go openssl sclient -dtls12 -connect 127.0.0.1:4444 -psk abc123 -cipher PSK-AES128-CCM8

Community

Pion has an active community on the Discord.

Follow the Pion Bluesky or Pion Twitter for project updates and important WebRTC news.

We are always looking to support your projects. Please reach out if you have something to build! If you need commercial support or don't want to use public methods you can contact us at team@pion.ly

Contributing

Check out the contributing wiki to join the group of amazing people making this project possible

Funding

NLnet foundation logo NLnet foundation logo

The DTLS 1.3 implementation in this project is funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). Learn more on the NLnet project page.

License

MIT License - see LICENSE for full text
🔗 More in this category

© 2026 GitRepoTrend · pion/dtls · Updated daily from GitHub