Cipher Server
Test suite to validate the use of one or multiple ciphers to protect a DoH connection
TLS v1.3 Connection
Description
Sets up DUT0 as a DNS-over-HTTPS server and DUT1 as a DoH client (dnscrypt-proxy), and verifies that the connection between them is negotiated with TLS 1.3. The evidence is the dnscrypt-proxy handshake line in the DUT1 journal, "[DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867": dnscrypt-proxy prints the version in hex, so 304 is 0x0304 (TLS 1.3), and cipher suite 4867 is 0x1303, TLS_CHACHA20_POLY1305_SHA256, a suite that only exists in TLS 1.3. On the client side, CA.crt is installed as a trust anchor and the configured hash is a SHA-256 digest that dnscrypt-proxy matches against the certificate chain presented by the server, so the client accepts only the expected server certificate and not any certificate signed by a trusted CA.
Scenario
Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash ec4467518bda940b10464a7630c570e7717035cc032e5ae3bec7c4f937f00d8e
set service dns proxy server cert file 'running://dns.dut0.crt'
set service dns proxy server cert key 'running://dns.dut0.key'
set service dns static host-name teldat.com inet 10.11.12.13
Step 2: Set the following configuration in DUT1:

set service dns static host-name dns.dut0 inet 10.215.168.64
set system certificate trust running://CA.crt
set service dns proxy server-name DUT0
set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0
set service dns proxy static DUT0 protocol dns-over-https host port 3000
set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64
set service dns proxy static DUT0 protocol dns-over-https hash cf57946cc250b3d3c6f8b04616f8a2dbc8922ea1fcb5cbc716951d71c4c8e3ce
set service dns proxy log level 0
set service dns resolver local
Step 3: Run command system journal show | cat at DUT1 and expect this output:
-- Logs begin at Wed 2024-05-22 08:20:00 UTC, end at Wed 2024-05-22 08:20:08 UTC. --
May 22 08:20:00.377389 osdx systemd-journald[1363]: Runtime journal (/run/log/journal/45fcbf1f72434cdcb3afa54f808d79fa) is 2.4M, max 9.7M, 7.3M free.
May 22 08:20:00.396937 osdx OSDxCLI[1539]: User 'admin' executed a new command: 'system journal clear'.
May 22 08:20:01.176276 osdx osdx-coredump[27344]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 22 08:20:01.183875 osdx OSDxCLI[1539]: User 'admin' executed a new command: 'system coredump delete all'.
May 22 08:20:02.575879 osdx OSDxCLI[1539]: User 'admin' entered the configuration menu.
May 22 08:20:02.709970 osdx OSDxCLI[1539]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.65/24'.
May 22 08:20:02.787839 osdx OSDxCLI[1539]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 22 08:20:02.869395 osdx OSDxCLI[1539]: User 'admin' added a new cfg line: 'set service ssh'.
May 22 08:20:03.011192 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 22 08:20:03.145308 osdx systemd[1]: Starting OpenBSD Secure Shell server...
May 22 08:20:03.158658 osdx sshd[27422]: Server listening on 0.0.0.0 port 22.
May 22 08:20:03.158958 osdx sshd[27422]: Server listening on :: port 22.
May 22 08:20:03.159109 osdx systemd[1]: Started OpenBSD Secure Shell server.
May 22 08:20:03.178451 osdx cfgd[993]: [1539]Completed change to active configuration
May 22 08:20:03.215363 osdx OSDxCLI[1539]: User 'admin' committed the configuration.
May 22 08:20:03.239721 osdx OSDxCLI[1539]: User 'admin' left the configuration menu.
May 22 08:20:03.409275 osdx OSDxCLI[1539]: User 'admin' executed a new command: 'ping 10.215.168.64 count 1 size 56 timeout 1'.
May 22 08:20:05.652836 osdx OSDxCLI[1539]: User 'admin' entered the configuration menu.
May 22 08:20:05.747804 osdx OSDxCLI[1539]: User 'admin' added a new cfg line: 'set service dns static host-name dns.dut0 inet 10.215.168.64'.
May 22 08:20:05.861566 osdx OSDxCLI[1539]: User 'admin' added a new cfg line: 'set system certificate trust running://CA.crt'.
May 22 08:20:05.953550 osdx OSDxCLI[1539]: User 'admin' added a new cfg line: 'set service dns proxy server-name DUT0'.
May 22 08:20:06.064278 osdx OSDxCLI[1539]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0'.
May 22 08:20:06.166626 osdx OSDxCLI[1539]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host port 3000'.
May 22 08:20:06.253406 osdx OSDxCLI[1539]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64'.
May 22 08:20:06.350214 osdx OSDxCLI[1539]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https hash cf57946cc250b3d3c6f8b04616f8a2dbc8922ea1fcb5cbc716951d71c4c8e3ce'.
May 22 08:20:06.428295 osdx OSDxCLI[1539]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 22 08:20:06.547343 osdx OSDxCLI[1539]: User 'admin' added a new cfg line: 'set service dns resolver local'.
May 22 08:20:06.690441 osdx ca-certificates[27487]: Updating certificates in /etc/ssl/certs...
May 22 08:20:07.333600 osdx ca-certificates[28469]: 1 added, 0 removed; done.
May 22 08:20:07.339347 osdx ca-certificates[28475]: Running hooks in /etc/ca-certificates/update.d...
May 22 08:20:07.344459 osdx ca-certificates[28479]: done.
May 22 08:20:07.482523 osdx systemd[1]: Started DNSCrypt client proxy.
May 22 08:20:07.484757 osdx cfgd[993]: [1539]Completed change to active configuration
May 22 08:20:07.489521 osdx OSDxCLI[1539]: User 'admin' committed the configuration.
May 22 08:20:07.515939 osdx OSDxCLI[1539]: User 'admin' left the configuration menu.
May 22 08:20:07.774428 osdx dnscrypt-proxy[28532]: dnscrypt-proxy 2.0.45
May 22 08:20:07.774827 osdx dnscrypt-proxy[28532]: Network connectivity detected
May 22 08:20:07.775302 osdx dnscrypt-proxy[28532]: Dropping privileges
May 22 08:20:07.777268 osdx OSDxCLI[1539]: User 'admin' executed a new command: 'system journal show | cat'.
May 22 08:20:07.778795 osdx dnscrypt-proxy[28532]: Network connectivity detected
May 22 08:20:07.779089 osdx dnscrypt-proxy[28532]: Now listening to 127.0.0.1:53 [UDP]
May 22 08:20:07.779193 osdx dnscrypt-proxy[28532]: Now listening to 127.0.0.1:53 [TCP]
May 22 08:20:07.779295 osdx dnscrypt-proxy[28532]: Firefox workaround initialized
May 22 08:20:07.779377 osdx dnscrypt-proxy[28532]: Loading the set of cloaking rules from [/tmp/tmpsi3wxL]
May 22 08:20:08.062497 osdx OSDxCLI[1539]: User 'admin' executed a new command: 'system journal show | cat'.
May 22 08:20:08.066170 osdx dnscrypt-proxy[28532]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
May 22 08:20:08.066194 osdx dnscrypt-proxy[28532]: [DUT0] OK (DoH) - rtt: 131ms
May 22 08:20:08.066219 osdx dnscrypt-proxy[28532]: Server with the lowest initial latency: DUT0 (rtt: 131ms)
May 22 08:20:08.066228 osdx dnscrypt-proxy[28532]: dnscrypt-proxy is ready - live servers: 1
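The pass criterion of this test is buried in two numeric codes in the dnscrypt-proxy log. The following Python script is an added example, not part of the original test suite or of OSDx, that automates the check in Step 3: it parses the "[server] TLS version ... Cipher suite ..." and "[server] OK (DoH)" journal lines, decodes the IANA code points (dnscrypt-proxy prints the version in hex and the cipher suite in decimal), and fails unless the server negotiated TLS 1.3 with a TLS 1.3 cipher suite over ALPN h2 and passed the DoH probe. The DUT0 lines in the sample are copied from the journal above; the LEGACY server line is constructed to exercise the failure path and does not appear on the page.

```python
import re

# Constructed sample journal excerpt. The DUT0 lines are the ones shown in
# Step 3; the LEGACY line is invented to show what a TLS 1.2 handshake would
# look like and is NOT from the original test output.
SAMPLE_LOG = """\
May 22 08:20:08.066170 osdx dnscrypt-proxy[28532]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
May 22 08:20:08.066194 osdx dnscrypt-proxy[28532]: [DUT0] OK (DoH) - rtt: 131ms
May 22 08:20:08.066219 osdx dnscrypt-proxy[28532]: Server with the lowest initial latency: DUT0 (rtt: 131ms)
May 22 08:20:08.066228 osdx dnscrypt-proxy[28532]: dnscrypt-proxy is ready - live servers: 1
May 22 08:20:09.000000 osdx dnscrypt-proxy[28532]: [LEGACY] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
"""

# IANA TLS code points. dnscrypt-proxy logs the version with %x (hex) and the
# cipher suite with %v (decimal), so 304 -> 0x0304 and 4867 -> 0x1303.
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x1304: "TLS_AES_128_CCM_SHA256",
    0x1305: "TLS_AES_128_CCM_8_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # TLS 1.2 suite, for the negative case
}
TLS13_SUITE_RANGE = range(0x1301, 0x1306)  # the only suites defined for TLS 1.3

TLS_LINE = re.compile(
    r"\[(?P<server>[^\]]+)\] TLS version: (?P<ver>[0-9a-fA-F]+) - "
    r"Protocol: (?P<alpn>\S+) - Cipher suite: (?P<suite>\d+)"
)
OK_LINE = re.compile(r"\[(?P<server>[^\]]+)\] OK \(DoH\) - rtt: (?P<rtt>\d+)ms")


def parse_doh_handshakes(log_text):
    """Return {server_name: {version, version_code, alpn, cipher_suite, cipher_code, ok, rtt_ms}}."""
    servers = {}
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            ver = int(m["ver"], 16)      # hex, as printed by dnscrypt-proxy
            suite = int(m["suite"], 10)  # decimal, as printed by dnscrypt-proxy
            servers.setdefault(m["server"], {}).update(
                version=TLS_VERSIONS.get(ver, f"unknown(0x{ver:04x})"),
                version_code=ver,
                alpn=m["alpn"],
                cipher_suite=CIPHER_SUITES.get(suite, f"unknown(0x{suite:04x})"),
                cipher_code=suite,
            )
            continue
        m = OK_LINE.search(line)
        if m:
            servers.setdefault(m["server"], {}).update(ok=True, rtt_ms=int(m["rtt"]))
    return servers


def check_tls13_doh(log_text, server):
    """Return (passed, message). Passes only for TLS 1.3 + TLS 1.3 suite + h2 + successful DoH probe."""
    info = parse_doh_handshakes(log_text).get(server)
    if info is None:
        return False, f"no handshake logged for {server}"
    problems = []
    if info.get("version_code") != 0x0304:
        problems.append(f"negotiated {info.get('version')}, expected TLS 1.3")
    if info.get("cipher_code") not in TLS13_SUITE_RANGE:
        problems.append(f"cipher suite {info.get('cipher_suite')} is not a TLS 1.3 suite")
    if info.get("alpn") != "h2":
        problems.append(f"ALPN {info.get('alpn')!r}, expected h2")
    if not info.get("ok"):
        problems.append("server did not pass the DoH probe")
    if problems:
        return False, f"{server}: " + "; ".join(problems)
    return True, (f"{server}: {info['version']} / {info['cipher_suite']} / "
                  f"ALPN {info['alpn']} / rtt {info['rtt_ms']}ms")


if __name__ == "__main__":
    for name in ("DUT0", "LEGACY"):
        passed, msg = check_tls13_doh(SAMPLE_LOG, name)
        print("PASS" if passed else "FAIL", msg)
```

On a real DUT1 the input would be the output of system journal show | cat; the check is deliberately stricter than "the server came up", because dnscrypt-proxy reports OK (DoH) for any successfully validated handshake, including a TLS 1.2 one if the server allowed it.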