As announced in
we plan to enable a BoringSSL feature that randomizes the order of TLS extensions in the DTLS client hello soon. This should not have any impact on applications, but as usual, some interop testing is required.
Please test your services, in particular if you are not using OpenSSL or BoringSSL and in your scenario(s) the browser is sending the DTLS client hello.
To test, launch Chrome (119.0.6038.0 or later, currently Canary) by starting Chrome with
--force-fieldtrials=WebRTC-PermuteTlsClientHello/Enabled/
and ensure the DTLS connection is still established.
In Wireshark this can be observed in the DTLS client hello, in particular the "use_srtp" extension which is normally last as shown below
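The same check can be scripted against the raw bytes of a captured record. The following is an added example, not part of the original announcement or of Chrome or BoringSSL code: it parses one unfragmented DTLS 1.2 client hello record and reports the extension order and whether use_srtp is last. The function names and the two sample records are constructed for illustration.

```python
import struct

USE_SRTP = 14  # IANA TLS ExtensionType value for use_srtp

def extension_order(record: bytes) -> list[int]:
    """Extension types, in wire order, from one unfragmented DTLS ClientHello record."""
    # 13-byte record header, then 12-byte handshake header, then the ClientHello body.
    if len(record) < 25 or record[0] != 22 or record[13] != 1:
        raise ValueError("not a DTLS handshake record carrying a ClientHello")
    msg_len = int.from_bytes(record[14:17], "big")
    frag_off = int.from_bytes(record[19:22], "big")
    frag_len = int.from_bytes(record[22:25], "big")
    if frag_off != 0 or frag_len != msg_len:
        raise ValueError("fragmented ClientHello: reassemble before parsing")
    body = record[25:25 + frag_len]
    if len(body) != frag_len:
        raise ValueError("truncated record")
    pos = 2 + 32  # skip client_version and random
    # Skip session_id, cookie, cipher_suites, compression_methods (all length-prefixed).
    for width in (1, 1, 2, 1):
        pos += width + int.from_bytes(body[pos:pos + width], "big")
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    if end > len(body):
        raise ValueError("missing or truncated extensions block")
    pos += 2
    order = []
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        order.append(ext_type)
        pos += 4 + ext_len
    if pos != end:
        raise ValueError("malformed extensions block")
    return order

def use_srtp_is_last(record: bytes) -> bool:
    order = extension_order(record)
    if USE_SRTP not in order:
        raise ValueError("no use_srtp extension present")
    return order[-1] == USE_SRTP

def build_sample(ext_types) -> bytes:
    """Constructed input: minimal DTLS 1.2 ClientHello, each extension with a 2-byte dummy body."""
    exts = b"".join(struct.pack("!HH", t, 2) + b"\x00\x00" for t in ext_types)
    body = (b"\xfe\xfd" + bytes(32) + b"\x00\x00" + b"\x00\x02\xc0\x2b" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    n = len(body).to_bytes(3, "big")
    hs = b"\x01" + n + b"\x00\x00" + b"\x00\x00\x00" + n + body
    return b"\x16\xfe\xfd" + bytes(8) + struct.pack("!H", len(hs)) + hs

FIXED = build_sample([23, 65281, 10, 11, 13, 14])     # constructed: use_srtp last
PERMUTED = build_sample([13, 14, 10, 65281, 23, 11])  # constructed: shuffled order
```

A permuted hello can still place use_srtp last by chance, so compare the order across several fresh connections rather than relying on a single capture.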