Cipher Server
Test suite to validate the use of one or multiple ciphers to protect a DoH connection
TLS v1.3 Connection
Description
Sets up DUT0 as a server and DUT1 as a client, and ensures that the communication between them is secured by TLS v1.3.
Scenario
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy server cert file 'running://dns.dut0.crt'
set service dns proxy server cert key 'running://dns.dut0.key'
set service dns static host-name teldat.com inet 10.11.12.13
Step 2: Set the following configuration in DUT1:
set service dns static host-name dns.dut0 inet 10.215.168.64
set system certificate trust running://CA.crt
set service dns proxy server-name DUT0
set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0
set service dns proxy static DUT0 protocol dns-over-https host port 3000
set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64
set service dns proxy static DUT0 protocol dns-over-https hash d5161e58eb8219b8a115737a5ff66d7b2c9e4279fed416d38c2f4f14fe94d49c
set service dns proxy log level 0
set service dns resolver local
Step 3: Run command system journal show | cat at DUT1 and expect this output:
-- Logs begin at Tue 2024-04-09 09:44:28 UTC, end at Tue 2024-04-09 09:44:37 UTC. --
Apr 09 09:44:28.473962 osdx systemd-journald[1405]: Runtime journal (/run/log/journal/e9babbf8af8f476fa9480b3a59b5bfa8) is 1.2M, max 9.7M, 8.5M free.
Apr 09 09:44:28.487738 osdx OSDxCLI[6276]: User 'admin' executed a new command: 'system journal clear'.
Apr 09 09:44:29.427212 osdx osdx-coredump[14981]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Apr 09 09:44:29.435468 osdx OSDxCLI[6276]: User 'admin' executed a new command: 'system coredump delete all'.
Apr 09 09:44:30.967931 osdx OSDxCLI[6276]: User 'admin' entered the configuration menu.
Apr 09 09:44:31.125362 osdx OSDxCLI[6276]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.65/24'.
Apr 09 09:44:31.212510 osdx OSDxCLI[6276]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 09 09:44:31.339086 osdx OSDxCLI[6276]: User 'admin' added a new cfg line: 'set service ssh'.
Apr 09 09:44:31.498413 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Apr 09 09:44:31.648432 osdx systemd[1]: Starting OpenBSD Secure Shell server...
Apr 09 09:44:31.663008 osdx sshd[15054]: Server listening on 0.0.0.0 port 22.
Apr 09 09:44:31.663297 osdx sshd[15054]: Server listening on :: port 22.
Apr 09 09:44:31.663460 osdx systemd[1]: Started OpenBSD Secure Shell server.
Apr 09 09:44:31.683462 osdx cfgd[1036]: [6276]Completed change to active configuration
Apr 09 09:44:31.722570 osdx OSDxCLI[6276]: User 'admin' committed the configuration.
Apr 09 09:44:31.775724 osdx OSDxCLI[6276]: User 'admin' left the configuration menu.
Apr 09 09:44:32.036937 osdx OSDxCLI[6276]: User 'admin' executed a new command: 'ping 10.215.168.64 count 1 size 56 timeout 1'.
Apr 09 09:44:34.730367 osdx OSDxCLI[6276]: User 'admin' entered the configuration menu.
Apr 09 09:44:34.847105 osdx OSDxCLI[6276]: User 'admin' added a new cfg line: 'set service dns static host-name dns.dut0 inet 10.215.168.64'.
Apr 09 09:44:35.000071 osdx OSDxCLI[6276]: User 'admin' added a new cfg line: 'set system certificate trust running://CA.crt'.
Apr 09 09:44:35.173584 osdx OSDxCLI[6276]: User 'admin' added a new cfg line: 'set service dns proxy server-name DUT0'.
Apr 09 09:44:35.358769 osdx OSDxCLI[6276]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0'.
Apr 09 09:44:35.487503 osdx OSDxCLI[6276]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host port 3000'.
Apr 09 09:44:35.615429 osdx OSDxCLI[6276]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64'.
Apr 09 09:44:35.782756 osdx OSDxCLI[6276]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https hash d5161e58eb8219b8a115737a5ff66d7b2c9e4279fed416d38c2f4f14fe94d49c'.
Apr 09 09:44:35.925586 osdx OSDxCLI[6276]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Apr 09 09:44:36.057292 osdx OSDxCLI[6276]: User 'admin' added a new cfg line: 'set service dns resolver local'.
Apr 09 09:44:36.244722 osdx ca-certificates[15119]: Updating certificates in /etc/ssl/certs...
Apr 09 09:44:37.091049 osdx ca-certificates[16104]: 1 added, 0 removed; done.
Apr 09 09:44:37.098909 osdx ca-certificates[16108]: Running hooks in /etc/ca-certificates/update.d...
Apr 09 09:44:37.106582 osdx ca-certificates[16112]: done.
Apr 09 09:44:37.273935 osdx systemd[1]: Started DNSCrypt client proxy.
Apr 09 09:44:37.277194 osdx cfgd[1036]: [6276]Completed change to active configuration
Apr 09 09:44:37.287938 osdx OSDxCLI[6276]: User 'admin' committed the configuration.
Apr 09 09:44:37.314359 osdx dnscrypt-proxy[16163]: dnscrypt-proxy 2.0.45
Apr 09 09:44:37.314977 osdx dnscrypt-proxy[16163]: Network connectivity detected
Apr 09 09:44:37.315382 osdx dnscrypt-proxy[16163]: Dropping privileges
Apr 09 09:44:37.318285 osdx dnscrypt-proxy[16163]: Network connectivity detected
Apr 09 09:44:37.318619 osdx dnscrypt-proxy[16163]: Now listening to 127.0.0.1:53 [UDP]
Apr 09 09:44:37.318715 osdx dnscrypt-proxy[16163]: Now listening to 127.0.0.1:53 [TCP]
Apr 09 09:44:37.318821 osdx dnscrypt-proxy[16163]: Firefox workaround initialized
Apr 09 09:44:37.318930 osdx dnscrypt-proxy[16163]: Loading the set of cloaking rules from [/tmp/tmp7CJsOE]
Apr 09 09:44:37.354250 osdx OSDxCLI[6276]: User 'admin' left the configuration menu.
Apr 09 09:44:37.610776 osdx dnscrypt-proxy[16163]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
Apr 09 09:44:37.610801 osdx dnscrypt-proxy[16163]: [DUT0] OK (DoH) - rtt: 122ms
Apr 09 09:44:37.610815 osdx dnscrypt-proxy[16163]: Server with the lowest initial latency: DUT0 (rtt: 122ms)
Apr 09 09:44:37.610825 osdx dnscrypt-proxy[16163]: dnscrypt-proxy is ready - live servers: 1
Apr 09 09:44:37.623044 osdx OSDxCLI[6276]: User 'admin' executed a new command: 'system journal show | cat'.
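The pass criterion of this scenario is the dnscrypt-proxy line "[DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867": dnscrypt-proxy prints the TLS version as bare hex digits (304 = 0x0304, TLS 1.3) and the cipher suite in decimal (4867 = 0x1303, TLS_CHACHA20_POLY1305_SHA256). The following Python is an added check, not part of the original test page or of OSDx, that parses such journal output and accepts a server only when both the version and the suite belong to TLS 1.3; the LEGACY line in the sample is constructed to show a TLS 1.2 handshake being rejected.

```python
import re
from dataclasses import dataclass

# TLS 1.3 cipher suites (RFC 8446, appendix B.4); anything else means a downgrade.
TLS13_SUITES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
                0x1303: "TLS_CHACHA20_POLY1305_SHA256", 0x1304: "TLS_AES_128_CCM_SHA256",
                0x1305: "TLS_AES_128_CCM_8_SHA256"}
TLS13_VERSION = 0x0304

# dnscrypt-proxy prints the version as bare hex digits and the suite in decimal,
# e.g. "[DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867".
TLS_LINE = re.compile(r"dnscrypt-proxy\[\d+\]: \[(?P<server>[^\]]+)\] TLS version: (?P<version>[0-9a-fA-F]+)"
                      r" - Protocol: (?P<proto>\S+) - Cipher suite: (?P<suite>\d+)")

@dataclass
class TlsResult:
    server: str
    version: int      # e.g. 0x0304
    protocol: str     # ALPN protocol, "h2" for DoH
    suite: int        # IANA cipher suite code

    def is_tls13(self) -> bool:
        return self.version == TLS13_VERSION and self.suite in TLS13_SUITES

    def suite_name(self) -> str:
        return TLS13_SUITES.get(self.suite, f"non-TLS1.3 suite 0x{self.suite:04x}")

def parse_tls_lines(journal: str) -> dict:
    """Negotiated TLS parameters per DoH server name found in the journal text."""
    results = {}
    for m in TLS_LINE.finditer(journal):
        results[m["server"]] = TlsResult(m["server"], int(m["version"], 16), m["proto"], int(m["suite"]))
    return results

def check_tls13(journal: str, server: str) -> bool:
    """True only if `server` negotiated TLS 1.3 with a TLS 1.3 cipher suite."""
    r = parse_tls_lines(journal).get(server)
    return r is not None and r.is_tls13()

# Constructed sample: the DUT0 lines are the ones from the expected output above;
# the LEGACY line is made up to show a TLS 1.2 handshake (0x0303, suite 0xC02F) failing the check.
SAMPLE_JOURNAL = """\
Apr 09 09:44:37.610776 osdx dnscrypt-proxy[16163]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
Apr 09 09:44:37.610801 osdx dnscrypt-proxy[16163]: [DUT0] OK (DoH) - rtt: 122ms
Apr 09 09:44:38.000000 osdx dnscrypt-proxy[16163]: [LEGACY] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
"""

if __name__ == "__main__":
    for name, r in parse_tls_lines(SAMPLE_JOURNAL).items():
        print(f"{name}: TLS 0x{r.version:04x} {r.suite_name()} over {r.protocol} ->",
              "PASS" if r.is_tls13() else "FAIL")
```

In the lab, the same check can be fed the real output of `system journal show | cat` captured from DUT1.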