From 8babcee3eaab4d8b0b60c2a113386419b86bc9d9 Mon Sep 17 00:00:00 2001
From: praveen-kd-23 <114381678+praveen-kd-23@users.noreply.github.com>
Date: Thu, 2 Apr 2026 20:33:28 +0530
Subject: [PATCH] [Core] Fix DTLS Peer Certificate verification

---
 src/include/switch_core.h |  2 +-
 src/switch_rtp.c          | 18 ++++++++++++------
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/src/include/switch_core.h b/src/include/switch_core.h
index ff04fa0954..f72cbc7880 100644
--- a/src/include/switch_core.h
+++ b/src/include/switch_core.h
@@ -147,7 +147,7 @@ typedef void(*switch_device_state_function_t)(switch_core_session_t *session, sw
 
 #define DTLS_SRTP_FNAME "dtls-srtp"
 #define MAX_FPLEN 64
-#define MAX_FPSTRLEN 192
+#define MAX_FPSTRLEN 193
 
 typedef struct dtls_fp_s {
 	uint32_t len;
diff --git a/src/switch_rtp.c b/src/switch_rtp.c
index 20fba2720a..d038566d90 100644
--- a/src/switch_rtp.c
+++ b/src/switch_rtp.c
@@ -3233,8 +3233,13 @@ static int dtls_state_setup(switch_rtp_t *rtp_session, switch_dtls_t *dtls)
 	if ((dtls->type & DTLS_TYPE_SERVER)) {
 		r = 1;
 	} else if ((cert = SSL_get_peer_certificate(dtls->ssl))) {
-		switch_core_cert_extract_fingerprint(cert, dtls->remote_fp);
-		r = switch_core_cert_verify(dtls->remote_fp);
+		dtls_fingerprint_t fp = {0};
+
+		fp.type = dtls->remote_fp->type;
+
+		switch_core_cert_extract_fingerprint(cert, &fp);
+		r = (!zstr(fp.str) && !strncasecmp(fp.str, dtls->remote_fp->str, MAX_FPSTRLEN));
+
 		X509_free(cert);
 	}
 
@@ -3446,9 +3451,12 @@ static int cb_verify_peer(int preverify_ok, X509_STORE_CTX *ctx)
 	}
 
 	if ((cert = SSL_get_peer_certificate(dtls->ssl))) {
-		switch_core_cert_extract_fingerprint(cert, dtls->remote_fp);
+		dtls_fingerprint_t fp = {0};
 
-		r = switch_core_cert_verify(dtls->remote_fp);
+		fp.type = dtls->remote_fp->type;
+
+		switch_core_cert_extract_fingerprint(cert, &fp);
+		r = (!zstr(fp.str) && !strncasecmp(fp.str, dtls->remote_fp->str, MAX_FPSTRLEN));
 		X509_free(cert);
 	} else {
 
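Review bot: The bump from 192 to 193 on the `MAX_FPSTRLEN` line carries no explanation of where the extra byte comes from, and the new `strncasecmp(..., MAX_FPSTRLEN)` calls in switch_rtp.c make this constant the bound of every fingerprint comparison. If the extracted string is MAX_FPLEN bytes rendered as `xx:` groups (192 characters), 193 is exactly the room for the terminating NUL that 192 did not leave, but that derivation is not visible in the hunk. A comment tying the two constants together would record it: `/* MAX_FPLEN bytes rendered as "xx:" groups, plus the terminating NUL */`. The `str` member of `dtls_fp_s` that this value must size lies outside the hunk, so confirm it is declared with `MAX_FPSTRLEN` rather than a literal.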
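Review bot: The seven new lines in the `else if` branch of dtls_state_setup are repeated verbatim in cb_verify_peer (the hunk at line 3446), so the two enforcement points can drift apart on the next fix; a small static helper keeps the match rule in one place. The rule itself fails closed — `fp.str` stays empty when extraction writes nothing because of the `{0}` initializer, and an empty `dtls->remote_fp->str` can never equal a non-empty extracted string — which is worth stating in the helper's comment. If `switch_core_cert_extract_fingerprint` reports failure through its return value, checking it there would be clearer than relying on `zstr` alone; its signature is not in the hunk, so I have not assumed one. dtls_state_setup begins before this hunk and its use of `r` continues after it.
```c
/* Compare the fingerprint of cert with the expected one in dtls->remote_fp.
 * Returns 1 on match, 0 otherwise. Fails closed: an empty extracted string
 * (extraction wrote nothing) or an empty expected string never matches. */
static int dtls_peer_fp_matches(switch_dtls_t *dtls, X509 *cert)
{
	dtls_fingerprint_t fp = {0};

	/* extract with the same digest type the expected fingerprint uses */
	fp.type = dtls->remote_fp->type;
	switch_core_cert_extract_fingerprint(cert, &fp);

	return (!zstr(fp.str) && !strncasecmp(fp.str, dtls->remote_fp->str, MAX_FPSTRLEN));
}

	/* … unchanged: DTLS_TYPE_SERVER branch … */
	} else if ((cert = SSL_get_peer_certificate(dtls->ssl))) {
		r = dtls_peer_fp_matches(dtls, cert);
		X509_free(cert);
	}
```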
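Review bot: `fp.type = dtls->remote_fp->type;` in cb_verify_peer copies the digest type into the scratch fingerprint before extraction with no comment on why, and a reader can take the line for a leftover; presumably the extractor selects its hash from `fp.type`, so that the computed digest is comparable to the expected fingerprint. A one-line comment would settle it: `/* extract with the digest type of the expected fingerprint so the two strings are comparable */`. The comparison also replaces the previous `switch_core_cert_verify` call in this callback, so how `r` feeds the callback's return value deserves a glance, but that code lies outside the hunk; cb_verify_peer starts before the hunk and continues after `} else {`.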
@@ -4019,8 +4027,6 @@ SWITCH_DECLARE(switch_status_t) switch_rtp_add_dtls(switch_rtp_t *rtp_session, d
 	}
 
 	BIO_ctrl(dtls->filter_bio, BIO_CTRL_DGRAM_SET_MTU, dtls->mtu, NULL);
-
-	switch_core_cert_expand_fingerprint(remote_fp, remote_fp->str);
 
 	if ((type & DTLS_TYPE_RTP)) {
 		rtp_session->dtls = dtls;
-- 
2.47.3