During SDP creation, each peer automatically generates a self-signed DTLS certificate and includes its SHA-256 fingerprint in the a=fingerprint:sha-256 attribute of the SDP offer or answer.
Exchange the SDP (offer/answer) between peers via your signaling channel; each peer extracts the remote fingerprint from the received SDP and stores it for later verification.
After ICE connectivity checks succeed, both peers perform a DTLS handshake over the ICE-selected candidate pair; each side verifies that the certificate presented in the handshake matches the fingerprint from the SDP.
If the fingerprints match, DTLS derives the SRTP master keys (this is the DTLS-SRTP key exchange defined in RFC 5764), and all subsequent media is encrypted with SRTP using those keys.
To troubleshoot DTLS failures, check the browser's WebRTC internals (chrome://webrtc-internals) for DTLS state transitions; a stuck 'connecting' state usually indicates a firewall blocking UDP or a certificate fingerprint mismatch.
As of 2025, modern browsers are migrating toward DTLS 1.3 (RFC 9147) and phasing out DTLS 1.0/1.1; ensure your SFU or media server supports at least DTLS 1.2, preferably 1.3.
Known gotchas
DTLS certificates are ephemeral per browser session by default; do not cache or reuse them across sessions as fingerprints will not match.
A man-in-the-middle attack is prevented only when the fingerprint in the SDP is transported over an authenticated signaling channel (e.g., TLS-protected WebSocket); plain HTTP signaling removes this protection.
DTLS operates over UDP by default in WebRTC; if a TURN TCP relay is used, DTLS still runs over the TCP channel but the framing changes — ensure your TURN server supports DTLS over TCP.