Cipher Server
Test suite that validates the use of one or more cipher suites to protect a DoH connection
TLS v1.3 Connection
Description
Sets up DUT0 as a DoH server and DUT1 as a DoH client, and checks that the connection between them is protected by TLS 1.3. The evidence is the dnscrypt-proxy journal line on DUT1, "[DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867": dnscrypt-proxy prints the version in hex, so 304 is 0x0304 (TLS 1.3), and the cipher suite as its decimal IANA code point, so 4867 is 0x1303, TLS_CHACHA20_POLY1305_SHA256, one of the TLS 1.3 suites defined in RFC 8446. DUT1 trusts CA.crt and also carries a certificate hash for the static DoH server DUT0; DUT0 in turn uses its own certificate and key to serve DoH.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server cert file 'running://dns.dut0.crt'
set service dns proxy server cert key 'running://dns.dut0.key'
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash f8bc50bc5ac15ce0f76e30e6a004a073889a788f693866f15b90a61d26d26c4f
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns static host-name teldat.com inet 10.11.12.13
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.215.168.65/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name DUT0
set service dns proxy static DUT0 protocol dns-over-https hash d8d0f0928c1ff3894ba9214529bae308d01539e5611236bcaca87712e83a18e8
set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0
set service dns proxy static DUT0 protocol dns-over-https host port 3000
set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64
set service dns resolver local
set service dns static host-name dns.dut0 inet 10.215.168.64
set service ssh
set system certificate trust 'running://CA.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Run command system journal show | cat at DUT1 and expect this output:
Oct 07 12:43:40.278648 osdx systemd-journald[1498]: Runtime Journal (/run/log/journal/ea535239cdf24d6195135cccfda89139) is 1.2M, max 9.7M, 8.4M free.
Oct 07 12:43:40.284391 osdx systemd-journald[1498]: Received client request to rotate journal, rotating.
Oct 07 12:43:40.284461 osdx systemd-journald[1498]: Vacuuming done, freed 0B of archived journals from /run/log/journal/ea535239cdf24d6195135cccfda89139.
Oct 07 12:43:40.292773 osdx OSDxCLI[117440]: User 'admin' executed a new command: 'system journal clear'.
Oct 07 12:43:40.734765 osdx osdx-coredump[194862]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Oct 07 12:43:40.742345 osdx OSDxCLI[117440]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 07 12:43:41.783317 osdx OSDxCLI[117440]: User 'admin' entered the configuration menu.
Oct 07 12:43:41.862797 osdx OSDxCLI[117440]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.65/24'.
Oct 07 12:43:41.949348 osdx OSDxCLI[117440]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 07 12:43:42.015212 osdx OSDxCLI[117440]: User 'admin' added a new cfg line: 'set service ssh'.
Oct 07 12:43:42.142721 osdx OSDxCLI[117440]: User 'admin' added a new cfg line: 'show working'.
Oct 07 12:43:42.244787 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 07 12:43:42.357027 osdx systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
Oct 07 12:43:42.368893 osdx sshd[194950]: Server listening on 0.0.0.0 port 22.
Oct 07 12:43:42.369085 osdx sshd[194950]: Server listening on :: port 22.
Oct 07 12:43:42.369180 osdx systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
Oct 07 12:43:42.392884 osdx cfgd[1206]: [117440]Completed change to active configuration
Oct 07 12:43:42.418127 osdx OSDxCLI[117440]: User 'admin' committed the configuration.
Oct 07 12:43:42.452141 osdx OSDxCLI[117440]: User 'admin' left the configuration menu.
Oct 07 12:43:42.641621 osdx OSDxCLI[117440]: User 'admin' executed a new command: 'ping 10.215.168.64 count 1 size 56 timeout 1'.
Oct 07 12:43:44.549925 osdx OSDxCLI[117440]: User 'admin' entered the configuration menu.
Oct 07 12:43:44.660563 osdx OSDxCLI[117440]: User 'admin' added a new cfg line: 'set service dns static host-name dns.dut0 inet 10.215.168.64'.
Oct 07 12:43:44.736615 osdx OSDxCLI[117440]: User 'admin' added a new cfg line: 'set system certificate trust running://CA.crt'.
Oct 07 12:43:44.851882 osdx OSDxCLI[117440]: User 'admin' added a new cfg line: 'set service dns proxy server-name DUT0'.
Oct 07 12:43:44.927888 osdx OSDxCLI[117440]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0'.
Oct 07 12:43:45.030429 osdx OSDxCLI[117440]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host port 3000'.
Oct 07 12:43:45.110856 osdx OSDxCLI[117440]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64'.
Oct 07 12:43:45.227472 osdx OSDxCLI[117440]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https hash d8d0f0928c1ff3894ba9214529bae308d01539e5611236bcaca87712e83a18e8'.
Oct 07 12:43:45.293951 osdx OSDxCLI[117440]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Oct 07 12:43:45.394940 osdx OSDxCLI[117440]: User 'admin' added a new cfg line: 'set service dns resolver local'.
Oct 07 12:43:45.504793 osdx OSDxCLI[117440]: User 'admin' added a new cfg line: 'show working'.
Oct 07 12:43:45.661643 osdx ca-certificates[195028]: Updating certificates in /etc/ssl/certs...
Oct 07 12:43:46.131047 osdx ca-certificates[196032]: 1 added, 0 removed; done.
Oct 07 12:43:46.135436 osdx ca-certificates[196036]: Running hooks in /etc/ca-certificates/update.d...
Oct 07 12:43:46.138456 osdx ca-certificates[196040]: done.
Oct 07 12:43:46.237009 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 07 12:43:46.239637 osdx cfgd[1206]: [117440]Completed change to active configuration
Oct 07 12:43:46.250089 osdx OSDxCLI[117440]: User 'admin' committed the configuration.
Oct 07 12:43:46.265993 osdx OSDxCLI[117440]: User 'admin' left the configuration menu.
Oct 07 12:43:46.267340 osdx dnscrypt-proxy[196100]: dnscrypt-proxy 2.0.45
Oct 07 12:43:46.267565 osdx dnscrypt-proxy[196100]: Network connectivity detected
Oct 07 12:43:46.267792 osdx dnscrypt-proxy[196100]: Dropping privileges
Oct 07 12:43:46.269742 osdx dnscrypt-proxy[196100]: Network connectivity detected
Oct 07 12:43:46.270114 osdx dnscrypt-proxy[196100]: Now listening to 127.0.0.1:53 [UDP]
Oct 07 12:43:46.270366 osdx dnscrypt-proxy[196100]: Now listening to 127.0.0.1:53 [TCP]
Oct 07 12:43:46.270387 osdx dnscrypt-proxy[196100]: Firefox workaround initialized
Oct 07 12:43:46.270391 osdx dnscrypt-proxy[196100]: Loading the set of cloaking rules from [/tmp/tmpaq7ldznv]
Oct 07 12:43:46.401998 osdx OSDxCLI[117440]: User 'admin' executed a new command: 'system journal show | cat'.
Oct 07 12:43:46.440188 osdx dnscrypt-proxy[196100]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
Oct 07 12:43:46.440200 osdx dnscrypt-proxy[196100]: [DUT0] OK (DoH) - rtt: 132ms
Oct 07 12:43:46.440206 osdx dnscrypt-proxy[196100]: Server with the lowest initial latency: DUT0 (rtt: 132ms)
Oct 07 12:43:46.440212 osdx dnscrypt-proxy[196100]: dnscrypt-proxy is ready - live servers: 1
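The two security-relevant pieces of the procedure above are the certificate hash pinned on DUT1 in Step 2 and the TLS summary line that Step 3 expects in the journal. The following Python is an added example, not OSDx or dnscrypt-proxy code, that checks both offline. It assumes what dnscrypt-proxy's DNS stamp format specifies for the static-server hash: SHA-256 over the DER-encoded TBSCertificate of a certificate in the server's chain. It also assumes the log format of dnscrypt-proxy 2.0.45 seen above, where the TLS version is printed in hex and the cipher suite as its decimal IANA code point (later releases print the suite name instead). The certificate bytes are a constructed stand-in with the right outer DER shape, not a real X.509 certificate, and the TLS 1.2 journal line is constructed for the negative case.

```python
"""Offline checks for the DoH test: pin derivation and handshake verification.
Added example; see the lead-in for what is assumed."""
import hashlib
import re

# TLS 1.3 cipher suites, RFC 8446 appendix B.4. Anything else on a TLS 1.3
# handshake is impossible, so the allow-list doubles as a sanity check.
TLS13_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x1304: "TLS_AES_128_CCM_SHA256",
    0x1305: "TLS_AES_128_CCM_8_SHA256",
}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# dnscrypt-proxy 2.0.45 format (assumed, matches the journal line above):
# "[name] TLS version: <hex> - Protocol: <alpn> - Cipher suite: <decimal>"
LINE_RE = re.compile(
    r"\[(?P<server>[^\]]+)\] TLS version: (?P<ver>[0-9a-fA-F]+) - "
    r"Protocol: (?P<alpn>\S+) - Cipher suite: (?P<suite>\d+)"
)


def check_handshake(journal_line):
    """Return (server, version name, suite name, alpn) for a dnscrypt-proxy TLS
    summary line; raise ValueError if the handshake is not TLS 1.3."""
    m = LINE_RE.search(journal_line)
    if not m:
        raise ValueError("no dnscrypt-proxy TLS summary found in line")
    version, suite = int(m["ver"], 16), int(m["suite"])
    if version != 0x0304:
        raise ValueError(f"{m['server']}: negotiated "
                         f"{TLS_VERSIONS.get(version, hex(version))}, expected TLS 1.3")
    if suite not in TLS13_SUITES:
        raise ValueError(f"{m['server']}: {suite:#06x} is not a TLS 1.3 cipher suite")
    return m["server"], TLS_VERSIONS[version], TLS13_SUITES[suite], m["alpn"]


def _der_header(buf, pos):
    """Decode tag and length of the DER TLV at buf[pos]: (tag, header_len, value_len)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, 2, first
    n = first & 0x7F                      # long-form: n length octets follow
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def pin_hash(cert_der):
    """SHA-256 hex digest of the raw TBSCertificate: the first element of the outer
    Certificate SEQUENCE, header octets included. The signatureAlgorithm and
    signatureValue that follow are deliberately not covered by the pin."""
    tag, hdr, _ = _der_header(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tbs_tag, tbs_hdr, tbs_len = _der_header(cert_der, hdr)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a DER SEQUENCE")
    return hashlib.sha256(cert_der[hdr:hdr + tbs_hdr + tbs_len]).hexdigest()


def der_sequence(payload):
    """Wrap payload in a DER SEQUENCE, using long-form length when needed."""
    n = len(payload)
    if n < 0x80:
        return b"\x30" + bytes([n]) + payload
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(length)]) + length + payload


# Constructed stand-in certificate (not real X.509): a 200-byte "TBS" SEQUENCE so
# the long-form length path is exercised, a fake signatureAlgorithm and a fake
# signatureValue. RESIGNED differs only in the signature bytes.
FAKE_TBS = der_sequence(b"\x02\x01\x01" + b"\xAA" * 197)
FAKE_SIGALG = der_sequence(b"\x06\x03\x55\x04\x03")
FAKE_CERT = der_sequence(FAKE_TBS + FAKE_SIGALG + b"\x03\x03\x00\xCA\xFE")
FAKE_CERT_RESIGNED = der_sequence(FAKE_TBS + FAKE_SIGALG + b"\x03\x03\x00\xBE\xEF")

# The journal line from the expected output above, and a constructed TLS 1.2 line
# (0xC02F = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) that the check must reject.
EXPECTED_LINE = ("Oct 07 12:43:46.440188 osdx dnscrypt-proxy[196100]: "
                 "[DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867")
WEAK_LINE = "[DUT0] TLS version: 303 - Protocol: h2 - Cipher suite: 49199"

if __name__ == "__main__":
    print(check_handshake(EXPECTED_LINE))
    print("pin:", pin_hash(FAKE_CERT),
          "unchanged after re-signing:", pin_hash(FAKE_CERT) == pin_hash(FAKE_CERT_RESIGNED))
    try:
        check_handshake(WEAK_LINE)
    except ValueError as err:
        print("rejected:", err)
```

To reproduce the value configured on DUT1 for a real server, strip the PEM armour from dns.dut0.crt (or from the CA certificate, since the stamp format accepts any certificate in the validation chain), base64-decode the body and pass the resulting DER bytes to pin_hash; the page does not include the certificate, so the d8d0... value itself cannot be recomputed here. The handshake check reads the journal as the test does: the version field must decode to 0x0304, and the cipher suite must be one of the five TLS 1.3 suites, which is the property the "one or multiple ciphers" variants of this suite exercise.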