Cipher Server
Test suite to validate the use of one or multiple ciphers to protect a DoH connection.
TLS v1.3 Connection
Description
Sets up DUT0 as a server and DUT1 as a client, and ensures that the communication between them is secured by TLS v1.3. The evidence is the dnscrypt-proxy handshake line in the DUT1 journal: dnscrypt-proxy prints the TLS version in hexadecimal and the cipher suite identifier in decimal, so "TLS version: 304" is 0x0304 (TLS 1.3) and "Cipher suite: 4867" is 0x1303 (TLS_CHACHA20_POLY1305_SHA256, one of the TLS 1.3 AEAD suites).
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server cert file 'running://dns.dut0.crt'
set service dns proxy server cert key 'running://dns.dut0.key'
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 9318e2e56982477fc6b475380974063c5118b284c903c789dc529dd2081e79b9
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns static host-name teldat.com inet 10.11.12.13
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.215.168.65/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name DUT0
set service dns proxy static DUT0 protocol dns-over-https hash af37129577e94e0bcc80ca2697505c06019e1d392333c145febeca5961ef312b
set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0
set service dns proxy static DUT0 protocol dns-over-https host port 3000
set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64
set service dns resolver local
set service dns static host-name dns.dut0 inet 10.215.168.64
set service ssh
set system certificate trust 'running://CA.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Run the command system journal show | cat at DUT1 and expect this output:
Oct 09 09:32:05.507794 osdx systemd-journald[1556]: Runtime Journal (/run/log/journal/74236e08c7024a4484070d6014d45b65) is 2.4M, max 9.7M, 7.3M free.
Oct 09 09:32:05.508648 osdx systemd-journald[1556]: Received client request to rotate journal, rotating.
Oct 09 09:32:05.508716 osdx systemd-journald[1556]: Vacuuming done, freed 0B of archived journals from /run/log/journal/74236e08c7024a4484070d6014d45b65.
Oct 09 09:32:05.524525 osdx OSDxCLI[9385]: User 'admin' executed a new command: 'system journal clear'.
Oct 09 09:32:06.310277 osdx osdx-coredump[112503]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Oct 09 09:32:06.322341 osdx OSDxCLI[9385]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 09 09:32:08.229234 osdx OSDxCLI[9385]: User 'admin' entered the configuration menu.
Oct 09 09:32:08.418564 osdx OSDxCLI[9385]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.65/24'.
Oct 09 09:32:08.531020 osdx OSDxCLI[9385]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 09 09:32:08.650964 osdx OSDxCLI[9385]: User 'admin' added a new cfg line: 'set service ssh'.
Oct 09 09:32:08.832321 osdx OSDxCLI[9385]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:32:09.056458 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 09 09:32:09.336878 osdx systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
Oct 09 09:32:09.363893 osdx sshd[112595]: Server listening on 0.0.0.0 port 22.
Oct 09 09:32:09.364211 osdx sshd[112595]: Server listening on :: port 22.
Oct 09 09:32:09.364373 osdx systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
Oct 09 09:32:09.399192 osdx cfgd[1223]: [9385]Completed change to active configuration
Oct 09 09:32:09.446716 osdx OSDxCLI[9385]: User 'admin' committed the configuration.
Oct 09 09:32:09.528964 osdx OSDxCLI[9385]: User 'admin' left the configuration menu.
Oct 09 09:32:09.753117 osdx OSDxCLI[9385]: User 'admin' executed a new command: 'ping 10.215.168.64 count 1 size 56 timeout 1'.
Oct 09 09:32:12.943988 osdx OSDxCLI[9385]: User 'admin' entered the configuration menu.
Oct 09 09:32:13.071355 osdx OSDxCLI[9385]: User 'admin' added a new cfg line: 'set service dns static host-name dns.dut0 inet 10.215.168.64'.
Oct 09 09:32:13.258902 osdx OSDxCLI[9385]: User 'admin' added a new cfg line: 'set system certificate trust running://CA.crt'.
Oct 09 09:32:13.441499 osdx OSDxCLI[9385]: User 'admin' added a new cfg line: 'set service dns proxy server-name DUT0'.
Oct 09 09:32:13.610508 osdx OSDxCLI[9385]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0'.
Oct 09 09:32:13.721738 osdx OSDxCLI[9385]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host port 3000'.
Oct 09 09:32:13.857395 osdx OSDxCLI[9385]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64'.
Oct 09 09:32:13.989443 osdx OSDxCLI[9385]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https hash af37129577e94e0bcc80ca2697505c06019e1d392333c145febeca5961ef312b'.
Oct 09 09:32:14.110932 osdx OSDxCLI[9385]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Oct 09 09:32:14.229147 osdx OSDxCLI[9385]: User 'admin' added a new cfg line: 'set service dns resolver local'.
Oct 09 09:32:14.440347 osdx OSDxCLI[9385]: User 'admin' added a new cfg line: 'show working'.
Oct 09 09:32:14.641312 osdx ca-certificates[112669]: Updating certificates in /etc/ssl/certs...
Oct 09 09:32:15.556382 osdx ca-certificates[113673]: 1 added, 0 removed; done.
Oct 09 09:32:15.566638 osdx ca-certificates[113677]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 09:32:15.573968 osdx ca-certificates[113681]: done.
Oct 09 09:32:15.844978 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 09 09:32:15.848944 osdx cfgd[1223]: [9385]Completed change to active configuration
Oct 09 09:32:15.860093 osdx OSDxCLI[9385]: User 'admin' committed the configuration.
Oct 09 09:32:15.907340 osdx OSDxCLI[9385]: User 'admin' left the configuration menu.
Oct 09 09:32:15.910994 osdx dnscrypt-proxy[113741]: dnscrypt-proxy 2.0.45
Oct 09 09:32:15.911494 osdx dnscrypt-proxy[113741]: Network connectivity detected
Oct 09 09:32:15.912058 osdx dnscrypt-proxy[113741]: Dropping privileges
Oct 09 09:32:15.916028 osdx dnscrypt-proxy[113741]: Network connectivity detected
Oct 09 09:32:15.916513 osdx dnscrypt-proxy[113741]: Now listening to 127.0.0.1:53 [UDP]
Oct 09 09:32:15.916622 osdx dnscrypt-proxy[113741]: Now listening to 127.0.0.1:53 [TCP]
Oct 09 09:32:15.916759 osdx dnscrypt-proxy[113741]: Firefox workaround initialized
Oct 09 09:32:15.916891 osdx dnscrypt-proxy[113741]: Loading the set of cloaking rules from [/tmp/tmp849nw38x]
Oct 09 09:32:16.108609 osdx dnscrypt-proxy[113741]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
Oct 09 09:32:16.108631 osdx dnscrypt-proxy[113741]: [DUT0] OK (DoH) - rtt: 118ms
Oct 09 09:32:16.108644 osdx dnscrypt-proxy[113741]: Server with the lowest initial latency: DUT0 (rtt: 118ms)
Oct 09 09:32:16.108652 osdx dnscrypt-proxy[113741]: dnscrypt-proxy is ready - live servers: 1
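Two checks a practitioner would run alongside this scenario, written here as an added example that is not OSDx or dnscrypt-proxy code: first, how the "hash" value in the dns-over-https static server lines (Steps 1 and 2) is derived, and second, how to read the dnscrypt-proxy handshake line in the Step 3 journal and fail the test when the negotiated parameters are not TLS 1.3 with an accepted suite. dnscrypt-proxy pins a DoH server to the SHA-256 of the TBSCertificate (the signed body, not the whole DER certificate) of the server certificate or any certificate in its chain; that OSDx passes the configured hash through to dnscrypt-proxy unchanged is an assumption of this example, as the page does not say so. The stand-in certificate, the LEGACY journal line and the function names are constructed for the example.

```python
import hashlib
import re

# --- 1. The pin carried by "... dns-over-https hash <hex>" ---------------
# Assumption: OSDx hands the hash to dnscrypt-proxy, which compares it with
# SHA-256(TBSCertificate) of each certificate in the presented chain.

def _der_tlv(buf: bytes, off: int = 0):
    """Return (tag, header_len, value_len) of the DER TLV starting at off."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                       # short-form length
        return tag, 2, first
    n = first & 0x7F                       # long form: n length bytes follow
    return tag, 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")

def tbs_certificate(der_cert: bytes) -> bytes:
    """Slice the raw TBSCertificate out of a DER Certificate, which is
    SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, hdr, _ = _der_tlv(der_cert)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, hdr2, vlen = _der_tlv(der_cert, hdr)   # first inner element
    if tag != 0x30:
        raise ValueError("TBSCertificate is not a SEQUENCE")
    return der_cert[hdr:hdr + hdr2 + vlen]

def doh_pin(der_cert: bytes) -> str:
    """Hex SHA-256 of the TBSCertificate: the value for the 'hash' knob."""
    return hashlib.sha256(tbs_certificate(der_cert)).hexdigest()

def _der_seq(*parts: bytes) -> bytes:
    """Wrap parts in a DER SEQUENCE, using long-form length when needed."""
    body = b"".join(parts)
    n = len(body)
    if n < 0x80:
        return b"\x30" + bytes([n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(lb)]) + lb + body

# Constructed stand-in (NOT a real X.509 certificate). The 201-byte TBS body
# forces long-form lengths, which every real certificate uses.
FAKE_TBS = _der_seq(b"\x02\x01\x01" + b"\x04\x81\xc3" + b"A" * 195)
SIG_ALG = _der_seq(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # sha256WithRSAEncryption
FAKE_CERT = _der_seq(FAKE_TBS, SIG_ALG, b"\x03\x02\x00\xff")
FAKE_CERT_RESIGNED = _der_seq(FAKE_TBS, SIG_ALG, b"\x03\x02\x00\xaa")  # same body, new signature
FAKE_CERT_OTHER = _der_seq(_der_seq(b"\x02\x01\x02"), SIG_ALG, b"\x03\x02\x00\xff")

# --- 2. Reading the dnscrypt-proxy evidence line --------------------------
# dnscrypt-proxy logs "TLS version: %x ... Cipher suite: %v": the version in
# hex and the suite id in decimal. 304 -> 0x0304 (TLS 1.3); 4867 -> 0x1303.
TLS_VERSIONS = {0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
TLS13_SUITES = {                       # IANA TLS 1.3 cipher suite ids
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x1304: "TLS_AES_128_CCM_SHA256",
    0x1305: "TLS_AES_128_CCM_8_SHA256",
}
_TLS_LINE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[(?P<name>[^\]]+)\] TLS version: (?P<ver>[0-9a-fA-F]+)"
    r" - Protocol: (?P<proto>\S+) - Cipher suite: (?P<suite>\d+)")

def check_doh_tls(journal: str, server: str, allowed=frozenset(TLS13_SUITES)) -> dict:
    """Locate the handshake line for `server` and decide whether it meets the
    bar of this test: TLS 1.3 and a suite from `allowed` (restrict `allowed`
    to pin the test to one cipher)."""
    for line in journal.splitlines():
        m = _TLS_LINE.search(line)
        if not m or m["name"] != server:
            continue
        ver, suite = int(m["ver"], 16), int(m["suite"], 10)
        return {
            "version": TLS_VERSIONS.get(ver, f"0x{ver:04x}"),
            "suite": TLS13_SUITES.get(suite, f"0x{suite:04x}"),
            "alpn": m["proto"],
            "ok": ver == 0x0304 and suite in allowed,
        }
    return {"ok": False, "error": f"no TLS handshake line for {server}"}

# The first two lines are copied from the journal above; the LEGACY line is
# constructed to show a TLS 1.2 handshake (49199 = 0xC02F) being rejected.
JOURNAL_SAMPLE = """\
Oct 09 09:32:16.108609 osdx dnscrypt-proxy[113741]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
Oct 09 09:32:16.108631 osdx dnscrypt-proxy[113741]: [DUT0] OK (DoH) - rtt: 118ms
Oct 09 09:32:16.200000 osdx dnscrypt-proxy[113741]: [LEGACY] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
"""

if __name__ == "__main__":
    print("pin for stand-in cert:", doh_pin(FAKE_CERT))
    print("DUT0:", check_doh_tls(JOURNAL_SAMPLE, "DUT0"))
    print("LEGACY:", check_doh_tls(JOURNAL_SAMPLE, "LEGACY"))
```

Because the pin covers only the TBSCertificate, re-signing the same body (for instance by a different CA) leaves the configured hash valid, while any change to the subject, key or validity period invalidates it; the test on FAKE_CERT_RESIGNED and FAKE_CERT_OTHER makes that property explicit. To run this against a real server certificate, feed doh_pin() the DER bytes of dns.dut0.crt and compare the result with the hash line in Step 2.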