
SIP Sorcery: Secure Renegotiation handshake error #720

@MikeRavenelle


Your environment.
Version: PION WebRTC v4.1.3
PION DTLS v3.0.7

Browser: No web browser. Using SIPSorcery as a C# client. v6.0.11

What did you do?
Attempted to make a WebRTC connection with a SIPSorcery Client. DTLS handshake fails.

What did you expect?
A stable DTLS connection and continued renegotiation for keys.

What happened?

SIP Sorcery Log:
[08:37:10 DBG] Starting DLS handshake with role active.
[08:37:10 DBG] RTCPeerConnection DoDtlsHandshake started.
[08:37:10 DBG] DTLS commencing handshake as client.
[08:37:10 WRN] DTLS client raised unexpected alert: fatal(2), handshake_failure(40).
[08:37:10 WRN] DTLS handshake as client failed. handshake_failure(40)
Org.BouncyCastle.Tls.TlsFatalAlert: handshake_failure(40)
   at Org.BouncyCastle.Tls.AbstractTlsPeer.NotifySecureRenegotiation(Boolean secureRenegotiation)
   at Org.BouncyCastle.Tls.DtlsClientProtocol.ProcessServerHello(ClientHandshakeState state, Byte[] body)
   at Org.BouncyCastle.Tls.DtlsClientProtocol.ClientHandshake(ClientHandshakeState state, DtlsRecordLayer recordLayer)
   at Org.BouncyCastle.Tls.DtlsClientProtocol.Connect(TlsClient client, DatagramTransport transport)
   at SIPSorcery.Net.DtlsSrtpTransport.DoHandshakeAsClient(String& handshakeError)
[08:37:10 WRN] RTCPeerConnection DTLS handshake failed with error handshake_failure(40).
[08:37:10 DBG] Peer connection closed with reason dtls handshake failed.
[08:37:10 DBG] RtpIceChannel for [::]:60996 closed.
[08:37:10 DBG] RTPChannel closing, RTP receiver on port 60996. Reason: dtls handshake failed.
WebRTC Connection State Changed to: closed
WebRTC Connection State Changed to: failed

Here is my log from the SFU that uses PION:

sfu-ws INFO: 2025/08/18 13:37:12 ICE connection state changed: connected
dtls TRACE: 13:37:12.322634 handshaker.go:189: [handshake:server] Flight 0: Preparing
dtls TRACE: 13:37:12.322687 handshaker.go:189: [handshake:server] Flight 0: Sending
dtls TRACE: 13:37:12.322698 handshaker.go:189: [handshake:server] Flight 0: Waiting
dtls TRACE: 13:37:12.344368 handshaker.go:313: [handshake:server] Flight 0 -> Flight 2
dtls TRACE: 13:37:12.344395 handshaker.go:189: [handshake:server] Flight 2: Preparing
dtls TRACE: 13:37:12.344408 handshaker.go:189: [handshake:server] Flight 2: Sending
dtls TRACE: 13:37:12.344420 conn.go:484: [handshake:server] -> HelloVerifyRequest (epoch: 0, seq: 0)
dtls TRACE: 13:37:12.344512 handshaker.go:189: [handshake:server] Flight 2: Waiting
dtls TRACE: 13:37:12.351639 handshaker.go:313: [handshake:server] Flight 2 -> Flight 4
dtls TRACE: 13:37:12.351662 handshaker.go:189: [handshake:server] Flight 4: Preparing
dtls TRACE: 13:37:12.351877 handshaker.go:189: [handshake:server] Flight 4: Sending
dtls TRACE: 13:37:12.351898 conn.go:484: [handshake:server] -> ServerHello (epoch: 0, seq: 1)
dtls TRACE: 13:37:12.351914 conn.go:484: [handshake:server] -> TypeCertificate (epoch: 0, seq: 2)
dtls TRACE: 13:37:12.351927 conn.go:484: [handshake:server] -> ServerKeyExchange (epoch: 0, seq: 3)
dtls TRACE: 13:37:12.351938 conn.go:484: [handshake:server] -> CertificateRequest (epoch: 0, seq: 4)
dtls TRACE: 13:37:12.351948 conn.go:484: [handshake:server] -> ServerHelloDone (epoch: 0, seq: 5)
dtls TRACE: 13:37:12.352031 handshaker.go:189: [handshake:server] Flight 4: Waiting
dtls TRACE: 13:37:12.359766 conn.go:984: server: <- Alert Fatal: HandshakeFailure

I attached a Wireshark trace as well.
