Cipher Server
Test suite to validate using one or multiple ciphers to protect DoH connection
TLS v1.3 Connection
Description
Sets up DUT0 as a DNS-over-HTTPS server and DUT1 as a dnscrypt-proxy client, and checks that the connection between them is secured by TLS v1.3. The evidence is the dnscrypt-proxy journal entry "[DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867" on DUT1: 304 is the wire value 0x0304 (TLS 1.3), h2 is the ALPN protocol negotiated for DoH, and cipher suite 4867 is 0x1303, TLS_CHACHA20_POLY1305_SHA256, one of the TLS 1.3 suites. The following "[DUT0] OK (DoH)" entry confirms that the client completed a query over that connection.
Scenario
Step 1: Set the following configuration in DUT0:

    set interfaces ethernet eth0 address 10.215.168.64/24
    set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
    set service dns proxy server cert file 'running://dns.dut0.crt'
    set service dns proxy server cert key 'running://dns.dut0.key'
    set service dns proxy server-name RD
    set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
    set service dns proxy static RD protocol dns-over-https host name remote.dns
    set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
    set service dns static host-name teldat.com inet 10.11.12.13
    set system certificate trust 'running://remote.dns-server.crt'
    set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1:

    set interfaces ethernet eth0 address 10.215.168.65/24
    set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
    set service dns proxy log level 0
    set service dns proxy server-name DUT0
    set service dns proxy static DUT0 protocol dns-over-https hash 09427c4c5457fd45962cb188cd01e471f6dcddcc036a676a320e180adb604619
    set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0
    set service dns proxy static DUT0 protocol dns-over-https host port 3000
    set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64
    set service dns resolver local
    set service dns static host-name dns.dut0 inet 10.215.168.64
    set service ssh
    set system certificate trust 'running://CA.crt'
    set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Run command system journal show | cat at DUT1 and expect this output:
    Jul 03 16:22:45.261060 osdx systemd-journald[1553]: Runtime Journal (/run/log/journal/831aeca402c6428e9ad074105f874d77) is 2.5M, max 9.7M, 7.2M free.
    Jul 03 16:22:45.264807 osdx systemd-journald[1553]: Received client request to rotate journal, rotating.
    Jul 03 16:22:45.264875 osdx systemd-journald[1553]: Vacuuming done, freed 0B of archived journals from /run/log/journal/831aeca402c6428e9ad074105f874d77.
    Jul 03 16:22:45.277681 osdx OSDxCLI[51782]: User 'admin' executed a new command: 'system journal clear'.
    Jul 03 16:22:45.713085 osdx osdx-coredump[117000]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
    Jul 03 16:22:45.720664 osdx OSDxCLI[51782]: User 'admin' executed a new command: 'system coredump delete all'.
    Jul 03 16:22:46.730328 osdx OSDxCLI[51782]: User 'admin' entered the configuration menu.
    Jul 03 16:22:46.811025 osdx OSDxCLI[51782]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.65/24'.
    Jul 03 16:22:46.885867 osdx OSDxCLI[51782]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
    Jul 03 16:22:46.944427 osdx OSDxCLI[51782]: User 'admin' added a new cfg line: 'set service ssh'.
    Jul 03 16:22:47.052797 osdx OSDxCLI[51782]: User 'admin' added a new cfg line: 'show working'.
    Jul 03 16:22:47.149573 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
    Jul 03 16:22:47.277077 osdx systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
    Jul 03 16:22:47.299302 osdx sshd[117066]: Server listening on 0.0.0.0 port 22.
    Jul 03 16:22:47.299608 osdx sshd[117066]: Server listening on :: port 22.
    Jul 03 16:22:47.299749 osdx systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
    Jul 03 16:22:47.327349 osdx cfgd[1223]: [51782]Completed change to active configuration
    Jul 03 16:22:47.362644 osdx OSDxCLI[51782]: User 'admin' committed the configuration.
    Jul 03 16:22:47.387505 osdx OSDxCLI[51782]: User 'admin' left the configuration menu.
    Jul 03 16:22:47.518278 osdx OSDxCLI[51782]: User 'admin' executed a new command: 'ping 10.215.168.64 count 1 size 56 timeout 1'.
    Jul 03 16:22:49.285074 osdx OSDxCLI[51782]: User 'admin' entered the configuration menu.
    Jul 03 16:22:49.361841 osdx OSDxCLI[51782]: User 'admin' added a new cfg line: 'set service dns static host-name dns.dut0 inet 10.215.168.64'.
    Jul 03 16:22:49.455160 osdx OSDxCLI[51782]: User 'admin' added a new cfg line: 'set system certificate trust running://CA.crt'.
    Jul 03 16:22:49.516486 osdx OSDxCLI[51782]: User 'admin' added a new cfg line: 'set service dns proxy server-name DUT0'.
    Jul 03 16:22:49.622860 osdx OSDxCLI[51782]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0'.
    Jul 03 16:22:49.678681 osdx OSDxCLI[51782]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host port 3000'.
    Jul 03 16:22:49.784653 osdx OSDxCLI[51782]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64'.
    Jul 03 16:22:49.849281 osdx OSDxCLI[51782]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https hash 09427c4c5457fd45962cb188cd01e471f6dcddcc036a676a320e180adb604619'.
    Jul 03 16:22:49.934325 osdx OSDxCLI[51782]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
    Jul 03 16:22:49.991656 osdx OSDxCLI[51782]: User 'admin' added a new cfg line: 'set service dns resolver local'.
    Jul 03 16:22:50.112105 osdx OSDxCLI[51782]: User 'admin' added a new cfg line: 'show working'.
    Jul 03 16:22:50.201855 osdx ca-certificates[117140]: Updating certificates in /etc/ssl/certs...
    Jul 03 16:22:50.767558 osdx ca-certificates[118144]: 1 added, 0 removed; done.
    Jul 03 16:22:50.773396 osdx ca-certificates[118148]: Running hooks in /etc/ca-certificates/update.d...
    Jul 03 16:22:50.777775 osdx ca-certificates[118152]: done.
    Jul 03 16:22:50.893045 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
    Jul 03 16:22:50.896160 osdx cfgd[1223]: [51782]Completed change to active configuration
    Jul 03 16:22:50.902632 osdx OSDxCLI[51782]: User 'admin' committed the configuration.
    Jul 03 16:22:50.918980 osdx OSDxCLI[51782]: User 'admin' left the configuration menu.
    Jul 03 16:22:50.924935 osdx dnscrypt-proxy[118212]: dnscrypt-proxy 2.0.45
    Jul 03 16:22:50.925277 osdx dnscrypt-proxy[118212]: Network connectivity detected
    Jul 03 16:22:50.925480 osdx dnscrypt-proxy[118212]: Dropping privileges
    Jul 03 16:22:50.927709 osdx dnscrypt-proxy[118212]: Network connectivity detected
    Jul 03 16:22:50.927922 osdx dnscrypt-proxy[118212]: Now listening to 127.0.0.1:53 [UDP]
    Jul 03 16:22:50.927966 osdx dnscrypt-proxy[118212]: Now listening to 127.0.0.1:53 [TCP]
    Jul 03 16:22:50.928017 osdx dnscrypt-proxy[118212]: Firefox workaround initialized
    Jul 03 16:22:50.928058 osdx dnscrypt-proxy[118212]: Loading the set of cloaking rules from [/tmp/tmpdtm6an72]
    Jul 03 16:22:51.077551 osdx OSDxCLI[51782]: User 'admin' executed a new command: 'system journal show | cat'.
    Jul 03 16:22:51.155951 osdx dnscrypt-proxy[118212]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
    Jul 03 16:22:51.155970 osdx dnscrypt-proxy[118212]: [DUT0] OK (DoH) - rtt: 116ms
    Jul 03 16:22:51.155981 osdx dnscrypt-proxy[118212]: Server with the lowest initial latency: DUT0 (rtt: 116ms)
    Jul 03 16:22:51.155990 osdx dnscrypt-proxy[118212]: dnscrypt-proxy is ready - live servers: 1
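The pass criterion of this test is buried in one journal line, and eyeballing "304" and "4867" is error-prone. The following check, added here as an example and not part of the OSDx test suite or of dnscrypt-proxy, parses the DUT1 journal and decodes those two numbers before declaring TLS 1.3. It relies on dnscrypt-proxy printing the TLS version in hexadecimal without a 0x prefix and the cipher suite in decimal (4867 is 0x1303, a registered TLS 1.3 suite, which is the cross-check); the version and cipher-suite tables are the IANA registry values. The journal excerpt for DUT0 is copied from the expected output above; the LEGACY server excerpt is constructed to show how a TLS 1.2 handshake is rejected.

```python
"""Check a DUT1 journal for a TLS 1.3 DoH handshake to a named server.

Added example for the OSDx "TLS v1.3 Connection" test; not project code.
"""
import re

# TLS protocol versions as they appear on the wire (RFC 5246, RFC 8446).
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# The five cipher suites defined for TLS 1.3 (IANA TLS Cipher Suites registry).
TLS13_CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x1304: "TLS_AES_128_CCM_SHA256",
    0x1305: "TLS_AES_128_CCM_8_SHA256",
}

# dnscrypt-proxy logs the version with %x (hex, no prefix) and the suite with
# %v (decimal): "TLS version: 304" is 0x0304, "Cipher suite: 4867" is 0x1303.
TLS_LINE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[(?P<server>[^\]]+)\] TLS version: (?P<version>[0-9a-fA-F]+)"
    r" - Protocol: (?P<alpn>\S+) - Cipher suite: (?P<suite>\d+)"
)
OK_LINE = re.compile(r"dnscrypt-proxy\[\d+\]: \[(?P<server>[^\]]+)\] OK \(DoH\) - rtt: (?P<rtt>\d+)ms")

# Lines copied from the expected output of Step 3 above.
EXPECTED_JOURNAL = """\
Jul 03 16:22:51.155951 osdx dnscrypt-proxy[118212]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
Jul 03 16:22:51.155970 osdx dnscrypt-proxy[118212]: [DUT0] OK (DoH) - rtt: 116ms
Jul 03 16:22:51.155990 osdx dnscrypt-proxy[118212]: dnscrypt-proxy is ready - live servers: 1
"""

# Constructed failure case (not from the page): a TLS 1.2 handshake with
# ECDHE-RSA-AES128-GCM-SHA256 (0xC02F = 49199), which must not pass.
LEGACY_JOURNAL = """\
Jul 03 16:30:00.000000 osdx dnscrypt-proxy[118212]: [LEGACY] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Jul 03 16:30:00.000010 osdx dnscrypt-proxy[118212]: [LEGACY] OK (DoH) - rtt: 90ms
"""


def check_doh_tls(journal: str, server: str) -> dict:
    """Return the decoded handshake for `server`, or raise ValueError if the
    journal does not prove a TLS 1.3 handshake followed by a working DoH query."""
    tls = ok = None
    for line in journal.splitlines():
        m = TLS_LINE.search(line)
        if m and m["server"] == server:
            tls = m  # keep the last handshake line for this server
        m = OK_LINE.search(line)
        if m and m["server"] == server:
            ok = m
    if tls is None:
        raise ValueError(f"{server}: no TLS handshake line in journal")
    version = int(tls["version"], 16)
    suite = int(tls["suite"], 10)
    if version != 0x0304:
        raise ValueError(f"{server}: negotiated {TLS_VERSIONS.get(version, hex(version))}, not TLS 1.3")
    if suite not in TLS13_CIPHER_SUITES:
        raise ValueError(f"{server}: cipher suite {suite:#06x} is not a TLS 1.3 suite")
    if ok is None:
        raise ValueError(f"{server}: handshake logged but no 'OK (DoH)' line, resolver never became live")
    return {
        "server": server,
        "version": TLS_VERSIONS[version],
        "cipher_suite": TLS13_CIPHER_SUITES[suite],
        "alpn": tls["alpn"],
        "rtt_ms": int(ok["rtt"]),
    }


def passes(journal: str, server: str) -> bool:
    """True when check_doh_tls accepts the journal, False on any finding."""
    try:
        check_doh_tls(journal, server)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(check_doh_tls(EXPECTED_JOURNAL, "DUT0"))
    print("LEGACY passes:", passes(LEGACY_JOURNAL, "LEGACY"))
```

On a live DUT1 the journal text is what "system journal show | cat" prints, so the same check can be fed that output directly. Requiring the "OK (DoH)" line as well as the handshake line matters: a TLS 1.3 handshake that is followed by a failed query (wrong certificate pin, wrong port) would otherwise be counted as a pass.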