Cipher Server

Test suite that validates the use of one or more ciphers to protect a DoH connection

TLS v1.3 Connection

Description

Sets up DUT0 as a server and DUT1 as a client, and ensures that the communication between them is secured with TLS v1.3.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server cert file 'running://dns.dut0.crt'
set service dns proxy server cert key 'running://dns.dut0.key'
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 84d1def583e3b4c6c5ca8d144836b5b575700e2b0aa569e2508e1087287ca81e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns static host-name teldat.com inet 10.11.12.13
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.215.168.65/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name DUT0
set service dns proxy static DUT0 protocol dns-over-https hash 53f45a356381e0c7872c02ec0d423f1dc44baa591beae8e528824a41481c13f7
set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0
set service dns proxy static DUT0 protocol dns-over-https host port 3000
set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64
set service dns resolver local
set service dns static host-name dns.dut0 inet 10.215.168.64
set service ssh
set system certificate trust 'running://CA.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Run the command system journal show | cat on DUT1 and expect this output:

May 11 23:50:46.382249 osdx systemd-journald[1386]: Runtime Journal (/run/log/journal/2e53bb94cf5347b6b7c2aa8cefa11818) is 1.3M, max 9.7M, 8.4M free.
May 11 23:50:46.384166 osdx systemd-journald[1386]: Received client request to rotate journal, rotating.
May 11 23:50:46.384229 osdx systemd-journald[1386]: Vacuuming done, freed 0B of archived journals from /run/log/journal/2e53bb94cf5347b6b7c2aa8cefa11818.
May 11 23:50:46.400776 osdx OSDxCLI[77508]: User 'admin' executed a new command: 'system journal clear'.
May 11 23:50:47.028165 osdx osdx-coredump[176212]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 11 23:50:47.038358 osdx OSDxCLI[77508]: User 'admin' executed a new command: 'system coredump delete all'.
May 11 23:50:48.685008 osdx OSDxCLI[77508]: User 'admin' entered the configuration menu.
May 11 23:50:48.873115 osdx OSDxCLI[77508]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.65/24'.
May 11 23:50:49.002632 osdx OSDxCLI[77508]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 11 23:50:49.105619 osdx OSDxCLI[77508]: User 'admin' added a new cfg line: 'set service ssh'.
May 11 23:50:49.231486 osdx OSDxCLI[77508]: User 'admin' added a new cfg line: 'show working'.
May 11 23:50:49.368160 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 11 23:50:49.640719 osdx systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
May 11 23:50:49.666619 osdx sshd[176305]: Server listening on 0.0.0.0 port 22.
May 11 23:50:49.666917 osdx sshd[176305]: Server listening on :: port 22.
May 11 23:50:49.667107 osdx systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
May 11 23:50:49.702819 osdx cfgd[1050]: [77508]Completed change to active configuration
May 11 23:50:49.747693 osdx OSDxCLI[77508]: User 'admin' committed the configuration.
May 11 23:50:49.798994 osdx OSDxCLI[77508]: User 'admin' left the configuration menu.
May 11 23:50:50.040554 osdx OSDxCLI[77508]: User 'admin' executed a new command: 'ping 10.215.168.64      count 1 size 56 timeout 1'.
May 11 23:50:52.961814 osdx OSDxCLI[77508]: User 'admin' entered the configuration menu.
May 11 23:50:53.103314 osdx OSDxCLI[77508]: User 'admin' added a new cfg line: 'set service dns static host-name dns.dut0 inet 10.215.168.64'.
May 11 23:50:53.241553 osdx OSDxCLI[77508]: User 'admin' added a new cfg line: 'set system certificate trust running://CA.crt'.
May 11 23:50:53.336138 osdx OSDxCLI[77508]: User 'admin' added a new cfg line: 'set service dns proxy server-name DUT0'.
May 11 23:50:53.459350 osdx OSDxCLI[77508]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0'.
May 11 23:50:53.551487 osdx OSDxCLI[77508]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host port 3000'.
May 11 23:50:53.665156 osdx OSDxCLI[77508]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64'.
May 11 23:50:53.804990 osdx OSDxCLI[77508]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https hash 53f45a356381e0c7872c02ec0d423f1dc44baa591beae8e528824a41481c13f7'.
May 11 23:50:53.919163 osdx OSDxCLI[77508]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
May 11 23:50:54.030763 osdx OSDxCLI[77508]: User 'admin' added a new cfg line: 'set service dns resolver local'.
May 11 23:50:54.206121 osdx OSDxCLI[77508]: User 'admin' added a new cfg line: 'show working'.
May 11 23:50:54.372236 osdx ca-certificates[176379]: Updating certificates in /etc/ssl/certs...
May 11 23:50:55.257877 osdx ca-certificates[177382]: 1 added, 0 removed; done.
May 11 23:50:55.263654 osdx ca-certificates[177389]: Running hooks in /etc/ca-certificates/update.d...
May 11 23:50:55.269826 osdx ca-certificates[177391]: done.
May 11 23:50:55.480770 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
May 11 23:50:55.483713 osdx cfgd[1050]: [77508]Completed change to active configuration
May 11 23:50:55.492180 osdx OSDxCLI[77508]: User 'admin' committed the configuration.
May 11 23:50:55.525874 osdx dnscrypt-proxy[177451]: dnscrypt-proxy 2.0.45
May 11 23:50:55.525974 osdx dnscrypt-proxy[177451]: Network connectivity detected
May 11 23:50:55.526060 osdx OSDxCLI[77508]: User 'admin' left the configuration menu.
May 11 23:50:55.526282 osdx dnscrypt-proxy[177451]: Dropping privileges
May 11 23:50:55.529510 osdx dnscrypt-proxy[177451]: Network connectivity detected
May 11 23:50:55.529911 osdx dnscrypt-proxy[177451]: Now listening to 127.0.0.1:53 [UDP]
May 11 23:50:55.530014 osdx dnscrypt-proxy[177451]: Now listening to 127.0.0.1:53 [TCP]
May 11 23:50:55.530150 osdx dnscrypt-proxy[177451]: Firefox workaround initialized
May 11 23:50:55.530250 osdx dnscrypt-proxy[177451]: Loading the set of cloaking rules from [/tmp/tmpcqhr6uwq]
May 11 23:50:55.755624 osdx OSDxCLI[77508]: User 'admin' executed a new command: 'system journal show | cat'.
May 11 23:50:55.865574 osdx dnscrypt-proxy[177451]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
May 11 23:50:55.865603 osdx dnscrypt-proxy[177451]: [DUT0] OK (DoH) - rtt: 162ms
May 11 23:50:55.865624 osdx dnscrypt-proxy[177451]: Server with the lowest initial latency: DUT0 (rtt: 162ms)
May 11 23:50:55.865634 osdx dnscrypt-proxy[177451]: dnscrypt-proxy is ready - live servers: 1
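The line that actually proves the test's claim is the dnscrypt-proxy handshake report, "TLS version: 304 - Protocol: h2 - Cipher suite: 4867". dnscrypt-proxy prints the negotiated version as a hex value (0x0304 is TLS 1.3) and the cipher suite as its decimal IANA identifier (4867 = 0x1303, TLS_CHACHA20_POLY1305_SHA256). Reading those numbers by eye is error-prone, so the following added example (not part of the original test suite or of dnscrypt-proxy) parses that journal line, decodes both codes, and checks that every DoH server reported on negotiated TLS 1.3 with one of the three TLS 1.3 suites. The sample journal text is constructed from the expected output above plus one made-up TLS 1.2 line used to show a failing check; the function names are this example's own.

```python
import re

# Constructed sample: the relevant dnscrypt-proxy lines copied from the expected
# journal output above.
SAMPLE_JOURNAL = """\
May 11 23:50:55.865574 osdx dnscrypt-proxy[177451]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
May 11 23:50:55.865603 osdx dnscrypt-proxy[177451]: [DUT0] OK (DoH) - rtt: 162ms
"""

# Constructed negative sample (not from the page): a server that only reached
# TLS 1.2 with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F = 49199).
SAMPLE_JOURNAL_TLS12 = """\
May 11 23:51:10.000000 osdx dnscrypt-proxy[177451]: [OLD] TLS version: 303 - Protocol: http/1.1 - Cipher suite: 49199
"""

TLS_VERSIONS = {0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# IANA TLS cipher suite identifiers: the three TLS 1.3 suites plus a few
# common TLS 1.2 ECDHE suites, so a downgrade is named rather than shown as a number.
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

TLS13_SUITES = frozenset({0x1301, 0x1302, 0x1303})

# Matches the handshake report line; version is hex, suite is decimal.
HANDSHAKE_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[(?P<server>[^\]]+)\] TLS version: (?P<version>[0-9a-fA-F]+)"
    r" - Protocol: (?P<proto>\S+) - Cipher suite: (?P<suite>\d+)"
)


def parse_handshakes(journal):
    """Return one dict per dnscrypt-proxy handshake report found in the journal text."""
    reports = []
    for line in journal.splitlines():
        m = HANDSHAKE_RE.search(line)
        if not m:
            continue
        version = int(m.group("version"), 16)
        suite = int(m.group("suite"), 10)
        reports.append({
            "server": m.group("server"),
            "version_code": version,
            "version": TLS_VERSIONS.get(version, f"unknown (0x{version:04x})"),
            "protocol": m.group("proto"),
            "suite_code": suite,
            "suite": CIPHER_SUITES.get(suite, f"unknown (0x{suite:04x})"),
        })
    return reports


def check_tls13(journal, allowed_suites=TLS13_SUITES):
    """Verify the test expectation: every server negotiated TLS 1.3 with an allowed suite.

    Returns (ok, problems); problems is a list of human-readable findings.
    """
    reports = parse_handshakes(journal)
    problems = []
    if not reports:
        problems.append("no dnscrypt-proxy handshake report found")
    for r in reports:
        if r["version_code"] != 0x0304:
            problems.append(f"{r['server']}: negotiated {r['version']}, expected TLS 1.3")
        if r["suite_code"] not in allowed_suites:
            problems.append(f"{r['server']}: suite {r['suite']} is not an allowed TLS 1.3 suite")
    return (not problems, problems)


if __name__ == "__main__":
    for name, text in (("expected", SAMPLE_JOURNAL), ("downgraded", SAMPLE_JOURNAL_TLS12)):
        ok, problems = check_tls13(text)
        print(name, "PASS" if ok else "FAIL", problems)
```

Restricting the allowed set to a single suite (for example allowed_suites={0x1303}) turns the same check into the "one cipher" variant of this suite, which is how a verifier can confirm that a server-side cipher restriction actually took effect rather than just that TLS 1.3 was used.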