Cipher Server

Test suite that validates the use of one or more cipher suites to protect a DoH (DNS-over-HTTPS) connection.

TLS v1.3 Connection

Description

Sets up DUT0 as a DoH server and DUT1 as a DoH client, and ensures that the communication between them is secured by TLS v1.3. The client pins DUT0's certificate by hash and trusts the issuing CA (running://CA.crt), while DUT0 presents dns.dut0.crt on port 3000.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server cert file 'running://dns.dut0.crt'
set service dns proxy server cert key 'running://dns.dut0.key'
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 654360ee51829bf4a8cea9c41e387b649d8a86841ca20ec804f6d7b17eea4854
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns static host-name teldat.com inet 10.11.12.13
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.215.168.65/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name DUT0
set service dns proxy static DUT0 protocol dns-over-https hash 383e56abbd2ff46952273a9f2095853c882253f140d0cc82f54c01ca1ae990c7
set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0
set service dns proxy static DUT0 protocol dns-over-https host port 3000
set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64
set service dns resolver local
set service dns static host-name dns.dut0 inet 10.215.168.64
set service ssh
set system certificate trust 'running://CA.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Run command system journal show | cat at DUT1 and expect this output. The line to check is the dnscrypt-proxy status for DUT0: "TLS version: 304" is the protocol version in hex (0x0304, i.e. TLS 1.3) and "Cipher suite: 4867" is the IANA code point in decimal (0x1303, TLS_CHACHA20_POLY1305_SHA256):

Jul 17 16:39:44.292576 osdx systemd-journald[1360]: Runtime Journal (/run/log/journal/1136bfd51c6042e9ac02f83740870c06) is 2.4M, max 9.7M, 7.3M free.
Jul 17 16:39:44.296699 osdx systemd-journald[1360]: Received client request to rotate journal, rotating.
Jul 17 16:39:44.296750 osdx systemd-journald[1360]: Vacuuming done, freed 0B of archived journals from /run/log/journal/1136bfd51c6042e9ac02f83740870c06.
Jul 17 16:39:44.303310 osdx OSDxCLI[75437]: User 'admin' executed a new command: 'system journal clear'.
Jul 17 16:39:44.728665 osdx osdx-coredump[118945]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jul 17 16:39:44.736142 osdx OSDxCLI[75437]: User 'admin' executed a new command: 'system coredump delete all'.
Jul 17 16:39:45.833968 osdx OSDxCLI[75437]: User 'admin' entered the configuration menu.
Jul 17 16:39:45.907800 osdx OSDxCLI[75437]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.65/24'.
Jul 17 16:39:45.997067 osdx OSDxCLI[75437]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 17 16:39:46.057757 osdx OSDxCLI[75437]: User 'admin' added a new cfg line: 'set service ssh'.
Jul 17 16:39:46.178751 osdx OSDxCLI[75437]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:39:46.285802 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 17 16:39:46.410061 osdx systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
Jul 17 16:39:46.427865 osdx sshd[119033]: Server listening on 0.0.0.0 port 22.
Jul 17 16:39:46.428053 osdx sshd[119033]: Server listening on :: port 22.
Jul 17 16:39:46.428135 osdx systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
Jul 17 16:39:46.450676 osdx cfgd[1028]: [75437]Completed change to active configuration
Jul 17 16:39:46.476326 osdx OSDxCLI[75437]: User 'admin' committed the configuration.
Jul 17 16:39:46.491302 osdx OSDxCLI[75437]: User 'admin' left the configuration menu.
Jul 17 16:39:46.634997 osdx OSDxCLI[75437]: User 'admin' executed a new command: 'ping 10.215.168.64      count 1 size 56 timeout 1'.
Jul 17 16:39:48.539081 osdx OSDxCLI[75437]: User 'admin' entered the configuration menu.
Jul 17 16:39:48.613984 osdx OSDxCLI[75437]: User 'admin' added a new cfg line: 'set service dns static host-name dns.dut0 inet 10.215.168.64'.
Jul 17 16:39:48.699231 osdx OSDxCLI[75437]: User 'admin' added a new cfg line: 'set system certificate trust running://CA.crt'.
Jul 17 16:39:48.755229 osdx OSDxCLI[75437]: User 'admin' added a new cfg line: 'set service dns proxy server-name DUT0'.
Jul 17 16:39:48.858625 osdx OSDxCLI[75437]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0'.
Jul 17 16:39:48.913011 osdx OSDxCLI[75437]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host port 3000'.
Jul 17 16:39:49.011323 osdx OSDxCLI[75437]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64'.
Jul 17 16:39:49.076670 osdx OSDxCLI[75437]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https hash 383e56abbd2ff46952273a9f2095853c882253f140d0cc82f54c01ca1ae990c7'.
Jul 17 16:39:49.160935 osdx OSDxCLI[75437]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jul 17 16:39:49.227426 osdx OSDxCLI[75437]: User 'admin' added a new cfg line: 'set service dns resolver local'.
Jul 17 16:39:49.354794 osdx OSDxCLI[75437]: User 'admin' added a new cfg line: 'show working'.
Jul 17 16:39:49.450118 osdx ca-certificates[119108]: Updating certificates in /etc/ssl/certs...
Jul 17 16:39:49.939835 osdx ca-certificates[120112]: 1 added, 0 removed; done.
Jul 17 16:39:49.944146 osdx ca-certificates[120115]: Running hooks in /etc/ca-certificates/update.d...
Jul 17 16:39:49.948104 osdx ca-certificates[120119]: done.
Jul 17 16:39:50.050103 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jul 17 16:39:50.052873 osdx cfgd[1028]: [75437]Completed change to active configuration
Jul 17 16:39:50.063649 osdx OSDxCLI[75437]: User 'admin' committed the configuration.
Jul 17 16:39:50.078482 osdx dnscrypt-proxy[120180]: dnscrypt-proxy 2.0.45
Jul 17 16:39:50.078757 osdx dnscrypt-proxy[120180]: Network connectivity detected
Jul 17 16:39:50.078995 osdx dnscrypt-proxy[120180]: Dropping privileges
Jul 17 16:39:50.081854 osdx OSDxCLI[75437]: User 'admin' left the configuration menu.
Jul 17 16:39:50.083138 osdx dnscrypt-proxy[120180]: Network connectivity detected
Jul 17 16:39:50.083330 osdx dnscrypt-proxy[120180]: Now listening to 127.0.0.1:53 [UDP]
Jul 17 16:39:50.083365 osdx dnscrypt-proxy[120180]: Now listening to 127.0.0.1:53 [TCP]
Jul 17 16:39:50.083417 osdx dnscrypt-proxy[120180]: Firefox workaround initialized
Jul 17 16:39:50.083450 osdx dnscrypt-proxy[120180]: Loading the set of cloaking rules from [/tmp/tmpo8hdxb8c]
Jul 17 16:39:50.255107 osdx OSDxCLI[75437]: User 'admin' executed a new command: 'system journal show | cat'.
Jul 17 16:39:50.307713 osdx dnscrypt-proxy[120180]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
Jul 17 16:39:50.307724 osdx dnscrypt-proxy[120180]: [DUT0] OK (DoH) - rtt: 119ms
Jul 17 16:39:50.307733 osdx dnscrypt-proxy[120180]: Server with the lowest initial latency: DUT0 (rtt: 119ms)
Jul 17 16:39:50.307738 osdx dnscrypt-proxy[120180]: dnscrypt-proxy is ready - live servers: 1
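The status line that this test relies on is easy to misread, because dnscrypt-proxy prints the TLS version in hex and the cipher suite in decimal. The following check, an added example that is not part of the OSDx test suite nor of dnscrypt-proxy, parses such journal lines and reports any server whose connection is not TLS 1.3 with a TLS 1.3 suite over HTTP/2. The first sample line is the one from the expected output above; the second line and the server name OLD are constructed for contrast, and the code-point tables are a small subset of the IANA TLS registry.

```python
"""Audit dnscrypt-proxy DoH status lines against a TLS 1.3 policy.

Added example, not part of the OSDx test suite or of dnscrypt-proxy.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Subset of the IANA TLS cipher-suite registry: the three TLS 1.3 suites,
# plus two TLS 1.2 ECDHE suites so that a downgrade is named in the report.
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
TLS_VERSIONS = {0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
TLS13_SUITES = frozenset({0x1301, 0x1302, 0x1303})

# dnscrypt-proxy formats the version with %x (hex, no 0x prefix) and the
# cipher suite with %v (decimal), hence the different bases when parsing.
STATUS_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[(?P<server>[^\]]+)\] TLS version: (?P<version>[0-9a-fA-F]+)"
    r" - Protocol: (?P<alpn>\S+) - Cipher suite: (?P<suite>\d+)"
)

# Constructed journal excerpt: line 1 is the DUT0 line from the test output,
# line 2 is a non-status line, line 3 is an invented TLS 1.2 server "OLD".
SAMPLE_JOURNAL = """\
Jul 17 16:39:50.307713 osdx dnscrypt-proxy[120180]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
Jul 17 16:39:50.307724 osdx dnscrypt-proxy[120180]: [DUT0] OK (DoH) - rtt: 119ms
Jul 17 16:39:51.000000 osdx dnscrypt-proxy[120180]: [OLD] TLS version: 303 - Protocol: http/1.1 - Cipher suite: 49199
"""


@dataclass(frozen=True)
class DohTlsStatus:
    server: str
    version: int   # TLS protocol version code point, e.g. 0x0304
    alpn: str      # negotiated ALPN protocol, e.g. "h2"
    suite: int     # IANA cipher-suite code point, e.g. 0x1303

    @property
    def version_name(self) -> str:
        return TLS_VERSIONS.get(self.version, f"unknown(0x{self.version:04x})")

    @property
    def suite_name(self) -> str:
        return CIPHER_SUITES.get(self.suite, f"unknown(0x{self.suite:04x})")


def parse_status(line: str) -> Optional[DohTlsStatus]:
    """Parse one journal line; return None for lines that are not a TLS status."""
    m = STATUS_RE.search(line)
    if m is None:
        return None
    return DohTlsStatus(server=m["server"], version=int(m["version"], 16),
                        alpn=m["alpn"], suite=int(m["suite"], 10))


def check_policy(status: DohTlsStatus, min_version: int = 0x0304,
                 allowed_suites: frozenset = TLS13_SUITES,
                 require_h2: bool = True) -> List[str]:
    """Return the policy violations for one server (empty list means it passes)."""
    problems = []
    if status.version < min_version:
        problems.append(f"{status.server}: negotiated {status.version_name}, expected "
                        f"at least {TLS_VERSIONS.get(min_version, hex(min_version))}")
    if status.suite not in allowed_suites:
        problems.append(f"{status.server}: cipher suite {status.suite_name} is not allowed")
    if require_h2 and status.alpn != "h2":
        problems.append(f"{status.server}: ALPN is {status.alpn!r}, expected 'h2'")
    return problems


def audit_journal(text: str) -> Dict[str, List[str]]:
    """Map every server that reported a TLS status to its list of violations."""
    report: Dict[str, List[str]] = {}
    for line in text.splitlines():
        status = parse_status(line)
        if status is not None:
            report[status.server] = check_policy(status)
    return report


if __name__ == "__main__":
    for server, problems in audit_journal(SAMPLE_JOURNAL).items():
        print(f"{server}: {'PASS' if not problems else 'FAIL'}")
        for problem in problems:
            print(f"  - {problem}")
```

Running the script against the real journal (system journal show | cat piped into it) turns the visual check of Step 3 into a pass/fail result; lowering min_version or widening allowed_suites is how the other test cases of this suite, which exercise different cipher configurations, would be expressed.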