fix(dtls): upgrade pion/dtls v2.2.6 to v3.1.1 fixing CVE-2026-26014

Upgrade github.com/pion/dtls from v2.2.6 to v3.1.1 to fix nonce reuse
vulnerability in AES-GCM ciphers (GHSA-9f3f-wv7r-qc8r). Migrate from
deprecated Config-struct API to ListenWithOptions/ClientWithOptions
options-based API.

v2 Config fields mapped to v3 functional options:
- Certificates, InsecureSkipVerify, ExtendedMasterSecret, ServerName,
  RootCAs, ClientCAs, ClientAuth, FlightInterval, MTU

ConnectContextMaker removed — no longer exists in v3; explicit
HandshakeContext(ctx) on *Conn is the replacement for timeout control.
This commit is contained in:
ginuerzh
2026-05-23 18:48:21 +08:00
parent 982ffa8149
commit 5a838a7d47
4 changed files with 28 additions and 64 deletions
+10 -12
View File
@@ -12,7 +12,7 @@ import (
"github.com/go-gost/x/internal/net/proxyproto"
xdtls "github.com/go-gost/x/internal/util/dtls"
"github.com/go-gost/x/registry"
"github.com/pion/dtls/v2"
"github.com/pion/dtls/v3"
)
func init() {
@@ -64,17 +64,15 @@ func (d *dtlsDialer) Dial(ctx context.Context, addr string, opts ...dialer.DialO
InsecureSkipVerify: true,
}
}
config := dtls.Config{
Certificates: tlsCfg.Certificates,
InsecureSkipVerify: tlsCfg.InsecureSkipVerify,
ExtendedMasterSecret: dtls.RequireExtendedMasterSecret,
ServerName: tlsCfg.ServerName,
RootCAs: tlsCfg.RootCAs,
FlightInterval: d.md.flightInterval,
MTU: d.md.mtu,
}
c, err := dtls.ClientWithContext(ctx, conn, &config)
c, err := dtls.ClientWithOptions(conn.(net.PacketConn), conn.RemoteAddr(),
dtls.WithCertificates(tlsCfg.Certificates...),
dtls.WithInsecureSkipVerify(tlsCfg.InsecureSkipVerify),
dtls.WithExtendedMasterSecret(dtls.RequireExtendedMasterSecret),
dtls.WithServerName(tlsCfg.ServerName),
dtls.WithRootCAs(tlsCfg.RootCAs),
dtls.WithFlightInterval(d.md.flightInterval),
dtls.WithMTU(d.md.mtu),
)
if err != nil {
return nil, err
}