Cipher Server

Test suite to validate the use of one or multiple cipher suites to protect a DoH (DNS-over-HTTPS) connection.

TLS v1.3 Connection

Description

Sets up DUT0 as a DoH server and DUT1 as a DoH client, and ensures that the communication between them is secured by TLS v1.3.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash ec4467518bda940b10464a7630c570e7717035cc032e5ae3bec7c4f937f00d8e
set service dns proxy server cert file 'running://dns.dut0.crt'
set service dns proxy server cert key 'running://dns.dut0.key'
set service dns static host-name teldat.com inet 10.11.12.13

Step 2: Set the following configuration in DUT1:

set service dns static host-name dns.dut0 inet 10.215.168.64
set system certificate trust running://CA.crt
set service dns proxy server-name DUT0
set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0
set service dns proxy static DUT0 protocol dns-over-https host port 3000
set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64
set service dns proxy static DUT0 protocol dns-over-https hash 579858515fb1cf6a07d6c7342c871ec575ebc861fb0db3a2de7ce1f98ebe02ee
set service dns proxy log level 0
set service dns resolver local

Step 3: Run the command system journal show | cat at DUT1 and expect this output. The line that proves the test case is the one logged by dnscrypt-proxy for server DUT0: TLS version 304 is the hexadecimal protocol version 0x0304, i.e. TLS 1.3, and cipher suite 4867 is the decimal form of IANA value 0x1303, TLS_CHACHA20_POLY1305_SHA256, one of the TLS 1.3 suites:

Show output
-- Logs begin at Wed 2024-06-12 21:52:49 UTC, end at Wed 2024-06-12 21:52:57 UTC. --
Jun 12 21:52:49.381205 osdx systemd-journald[1362]: Runtime journal (/run/log/journal/054ac71dd7e64053b7445b34731f3c87) is 1.2M, max 9.7M, 8.5M free.
Jun 12 21:52:49.396601 osdx OSDxCLI[1540]: User 'admin' executed a new command: 'system journal clear'.
Jun 12 21:52:50.268562 osdx osdx-coredump[32760]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jun 12 21:52:50.276620 osdx OSDxCLI[1540]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 12 21:52:51.663876 osdx OSDxCLI[1540]: User 'admin' entered the configuration menu.
Jun 12 21:52:51.808198 osdx OSDxCLI[1540]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.65/24'.
Jun 12 21:52:51.903144 osdx OSDxCLI[1540]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 12 21:52:52.016202 osdx OSDxCLI[1540]: User 'admin' added a new cfg line: 'set service ssh'.
Jun 12 21:52:52.172953 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 12 21:52:52.322305 osdx systemd[1]: Starting OpenBSD Secure Shell server...
Jun 12 21:52:52.335944 osdx sshd[365]: Server listening on 0.0.0.0 port 22.
Jun 12 21:52:52.336217 osdx sshd[365]: Server listening on :: port 22.
Jun 12 21:52:52.336364 osdx systemd[1]: Started OpenBSD Secure Shell server.
Jun 12 21:52:52.355306 osdx cfgd[997]: [1540]Completed change to active configuration
Jun 12 21:52:52.393022 osdx OSDxCLI[1540]: User 'admin' committed the configuration.
Jun 12 21:52:52.432304 osdx OSDxCLI[1540]: User 'admin' left the configuration menu.
Jun 12 21:52:52.623528 osdx OSDxCLI[1540]: User 'admin' executed a new command: 'ping 10.215.168.64      count 1 size 56 timeout 1'.
Jun 12 21:52:55.036899 osdx OSDxCLI[1540]: User 'admin' entered the configuration menu.
Jun 12 21:52:55.187480 osdx OSDxCLI[1540]: User 'admin' added a new cfg line: 'set service dns static host-name dns.dut0 inet 10.215.168.64'.
Jun 12 21:52:55.313661 osdx OSDxCLI[1540]: User 'admin' added a new cfg line: 'set system certificate trust running://CA.crt'.
Jun 12 21:52:55.437142 osdx OSDxCLI[1540]: User 'admin' added a new cfg line: 'set service dns proxy server-name DUT0'.
Jun 12 21:52:55.594570 osdx OSDxCLI[1540]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0'.
Jun 12 21:52:55.700226 osdx OSDxCLI[1540]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host port 3000'.
Jun 12 21:52:55.841274 osdx OSDxCLI[1540]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64'.
Jun 12 21:52:55.998225 osdx OSDxCLI[1540]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https hash 579858515fb1cf6a07d6c7342c871ec575ebc861fb0db3a2de7ce1f98ebe02ee'.
Jun 12 21:52:56.100664 osdx OSDxCLI[1540]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jun 12 21:52:56.204929 osdx OSDxCLI[1540]: User 'admin' added a new cfg line: 'set service dns resolver local'.
Jun 12 21:52:56.398433 osdx ca-certificates[430]: Updating certificates in /etc/ssl/certs...
Jun 12 21:52:57.127821 osdx ca-certificates[1457]: 1 added, 0 removed; done.
Jun 12 21:52:57.133803 osdx ca-certificates[1461]: Running hooks in /etc/ca-certificates/update.d...
Jun 12 21:52:57.138899 osdx ca-certificates[1465]: done.
Jun 12 21:52:57.305523 osdx systemd[1]: Started DNSCrypt client proxy.
Jun 12 21:52:57.309201 osdx cfgd[997]: [1540]Completed change to active configuration
Jun 12 21:52:57.316645 osdx OSDxCLI[1540]: User 'admin' committed the configuration.
Jun 12 21:52:57.335192 osdx dnscrypt-proxy[1520]: dnscrypt-proxy 2.0.45
Jun 12 21:52:57.335584 osdx dnscrypt-proxy[1520]: Network connectivity detected
Jun 12 21:52:57.336113 osdx dnscrypt-proxy[1520]: Dropping privileges
Jun 12 21:52:57.338416 osdx dnscrypt-proxy[1520]: Network connectivity detected
Jun 12 21:52:57.338721 osdx dnscrypt-proxy[1520]: Now listening to 127.0.0.1:53 [UDP]
Jun 12 21:52:57.338811 osdx dnscrypt-proxy[1520]: Now listening to 127.0.0.1:53 [TCP]
Jun 12 21:52:57.338913 osdx dnscrypt-proxy[1520]: Firefox workaround initialized
Jun 12 21:52:57.338994 osdx dnscrypt-proxy[1520]: Loading the set of cloaking rules from [/tmp/tmpOyY0A_]
Jun 12 21:52:57.342318 osdx OSDxCLI[1540]: User 'admin' left the configuration menu.
Jun 12 21:52:57.585950 osdx OSDxCLI[1540]: User 'admin' executed a new command: 'system journal show | cat'.
Jun 12 21:52:57.641027 osdx dnscrypt-proxy[1520]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
Jun 12 21:52:57.641044 osdx dnscrypt-proxy[1520]: [DUT0] OK (DoH) - rtt: 139ms
Jun 12 21:52:57.641053 osdx dnscrypt-proxy[1520]: Server with the lowest initial latency: DUT0 (rtt: 139ms)
Jun 12 21:52:57.641060 osdx dnscrypt-proxy[1520]: dnscrypt-proxy is ready - live servers: 1
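Reading the TLS parameters out of the dnscrypt-proxy journal line by hand is error-prone: the version is printed in hexadecimal while the cipher suite is printed in decimal, so 304 and 4867 look unrelated until they are decoded as 0x0304 and 0x1303. The following Python script is an added example, not part of this test suite or of the OSDx software, that parses such journal lines and checks each DoH server against the expectation of this test (TLS 1.3 negotiated with a TLS 1.3 cipher suite). The first sample line is the DUT0 line from the output above; the LEGACY and ODD lines are constructed here to exercise the failure paths. The cipher suite names are the IANA registry values; the regular expression assumes the log format shown on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample journal text. The DUT0 line is copied from the test output
# above; the LEGACY and ODD lines are invented to show a TLS 1.2 handshake and
# an unknown cipher suite value.
SAMPLE_LOG = """\
Jun 12 21:52:57.641027 osdx dnscrypt-proxy[1520]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
Jun 12 21:52:57.641044 osdx dnscrypt-proxy[1520]: [DUT0] OK (DoH) - rtt: 139ms
Jun 12 21:53:10.000000 osdx dnscrypt-proxy[1520]: [LEGACY] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Jun 12 21:53:11.000000 osdx dnscrypt-proxy[1520]: [ODD] TLS version: 304 - Protocol: h2 - Cipher suite: 65535
"""

# Matches the handshake summary line dnscrypt-proxy logs when it probes a DoH server.
HANDSHAKE_RE = re.compile(
    r"\[(?P<server>[^\]]+)\] TLS version: (?P<version>[0-9a-fA-F]+)"
    r" - Protocol: (?P<proto>\S+) - Cipher suite: (?P<suite>\d+)"
)

TLS_VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# IANA TLS Cipher Suite registry values. Only TLS 1.3 suites are acceptable here.
TLS13_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x1304: "TLS_AES_128_CCM_SHA256",
    0x1305: "TLS_AES_128_CCM_8_SHA256",
}
# A few common TLS 1.2 suites, so a downgrade is reported by name rather than by number.
TLS12_SUITES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
}


@dataclass
class Handshake:
    server: str
    version: int  # protocol version as on the wire, e.g. 0x0304 for TLS 1.3
    proto: str    # ALPN protocol, e.g. h2
    suite: int    # IANA cipher suite value


def parse_handshake(line: str) -> Optional[Handshake]:
    """Return the Handshake described by a journal line, or None for other lines."""
    m = HANDSHAKE_RE.search(line)
    if not m:
        return None
    return Handshake(
        server=m.group("server"),
        version=int(m.group("version"), 16),  # dnscrypt-proxy prints the version in hex ...
        proto=m.group("proto"),
        suite=int(m.group("suite"), 10),      # ... but the cipher suite in decimal
    )


def suite_name(suite: int) -> str:
    return TLS13_SUITES.get(suite) or TLS12_SUITES.get(suite) or f"unknown(0x{suite:04x})"


def check_tls13(hs: Handshake) -> List[str]:
    """Return findings for one handshake; an empty list means it meets the TLS 1.3 expectation."""
    findings = []
    if hs.version != 0x0304:
        seen = TLS_VERSION_NAMES.get(hs.version, f"0x{hs.version:04x}")
        findings.append(f"negotiated {seen}, expected TLS 1.3")
    if hs.suite not in TLS13_SUITES:
        findings.append(f"cipher suite {suite_name(hs.suite)} is not a TLS 1.3 suite")
    return findings


def audit(log_text: str) -> Dict[str, List[str]]:
    """Map every DoH server name seen in the journal to its list of findings."""
    results: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        hs = parse_handshake(line)
        if hs is not None:
            results[hs.server] = check_tls13(hs)
    return results


if __name__ == "__main__":
    for server, findings in audit(SAMPLE_LOG).items():
        status = "PASS" if not findings else "FAIL: " + "; ".join(findings)
        print(f"{server}: {status}")
```

Run against the journal text captured in Step 3, the script reports PASS for DUT0; the constructed LEGACY line fails on both the version and the suite, and the ODD line passes the version check but fails because 65535 is not a registered TLS 1.3 suite. The same decoding applies to any other suite value the test suite may exercise: 4865 and 4866 are 0x1301 and 0x1302, the AES-GCM suites.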