Cipher Server

Test suite validating the use of one or more ciphers to protect a DoH connection

TLS v1.3 Connection

Description

Sets up DUT0 as a DoH server and DUT1 as a DoH client, and verifies that the communication between them is secured by TLS v1.3.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server cert file 'running://dns.dut0.crt'
set service dns proxy server cert key 'running://dns.dut0.key'
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 68c25678167aeb1c6d3c5a2eee24cda4b0e03dd3e6b1ed1872dbed544374329e
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns static host-name teldat.com inet 10.11.12.13
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.215.168.65/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name DUT0
set service dns proxy static DUT0 protocol dns-over-https hash 2a33a6a56a79ec23502644176323d94c1ab199d8eb9c7e362a6184afe16afed9
set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0
set service dns proxy static DUT0 protocol dns-over-https host port 3000
set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64
set service dns resolver local
set service dns static host-name dns.dut0 inet 10.215.168.64
set service ssh
set system certificate trust 'running://CA.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Run the command system journal show | cat on DUT1 and expect this output:

Oct 30 12:16:30.284470 osdx systemd-journald[1716]: Runtime Journal (/run/log/journal/ec1e6df9c86a4e70bec24fbb88487109) is 1.3M, max 9.7M, 8.4M free.
Oct 30 12:16:30.288167 osdx systemd-journald[1716]: Received client request to rotate journal, rotating.
Oct 30 12:16:30.288245 osdx systemd-journald[1716]: Vacuuming done, freed 0B of archived journals from /run/log/journal/ec1e6df9c86a4e70bec24fbb88487109.
Oct 30 12:16:30.294249 osdx OSDxCLI[1928]: User 'admin' executed a new command: 'system journal clear'.
Oct 30 12:16:30.763520 osdx osdx-coredump[72517]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Oct 30 12:16:30.772025 osdx OSDxCLI[1928]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 30 12:16:31.900582 osdx OSDxCLI[1928]: User 'admin' entered the configuration menu.
Oct 30 12:16:31.971654 osdx OSDxCLI[1928]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.65/24'.
Oct 30 12:16:32.059349 osdx OSDxCLI[1928]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 30 12:16:32.121430 osdx OSDxCLI[1928]: User 'admin' added a new cfg line: 'set service ssh'.
Oct 30 12:16:32.237171 osdx ERROR[72526]: unexpected
                                          Traceback (most recent call last):
                                            File "osdx/bin/op/fan_control.py", line 23, in _send_fan_control_cmd
                                          FileNotFoundError: [Errno 2] No such file or directory
Oct 30 12:16:32.238630 osdx OSDxCLI[1928]: User 'admin' added a new cfg line: 'show working'.
Oct 30 12:16:32.324165 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 30 12:16:32.480434 osdx systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
Oct 30 12:16:32.496588 osdx sshd[72610]: Server listening on 0.0.0.0 port 22.
Oct 30 12:16:32.496801 osdx sshd[72610]: Server listening on :: port 22.
Oct 30 12:16:32.496904 osdx systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
Oct 30 12:16:32.523794 osdx cfgd[1427]: [1928]Completed change to active configuration
Oct 30 12:16:32.549107 osdx OSDxCLI[1928]: User 'admin' committed the configuration.
Oct 30 12:16:32.565358 osdx OSDxCLI[1928]: User 'admin' left the configuration menu.
Oct 30 12:16:32.696783 osdx OSDxCLI[1928]: User 'admin' executed a new command: 'ping 10.215.168.64      count 1 size 56 timeout 1'.
Oct 30 12:16:34.459975 osdx OSDxCLI[1928]: User 'admin' entered the configuration menu.
Oct 30 12:16:34.526434 osdx OSDxCLI[1928]: User 'admin' added a new cfg line: 'set service dns static host-name dns.dut0 inet 10.215.168.64'.
Oct 30 12:16:34.619572 osdx OSDxCLI[1928]: User 'admin' added a new cfg line: 'set system certificate trust running://CA.crt'.
Oct 30 12:16:34.679733 osdx OSDxCLI[1928]: User 'admin' added a new cfg line: 'set service dns proxy server-name DUT0'.
Oct 30 12:16:34.792530 osdx OSDxCLI[1928]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0'.
Oct 30 12:16:34.850544 osdx OSDxCLI[1928]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host port 3000'.
Oct 30 12:16:34.948203 osdx OSDxCLI[1928]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64'.
Oct 30 12:16:35.009542 osdx OSDxCLI[1928]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https hash 2a33a6a56a79ec23502644176323d94c1ab199d8eb9c7e362a6184afe16afed9'.
Oct 30 12:16:35.101585 osdx OSDxCLI[1928]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Oct 30 12:16:35.198834 osdx OSDxCLI[1928]: User 'admin' added a new cfg line: 'set service dns resolver local'.
Oct 30 12:16:35.273249 osdx ERROR[72661]: unexpected
                                          Traceback (most recent call last):
                                            File "osdx/bin/op/fan_control.py", line 23, in _send_fan_control_cmd
                                          FileNotFoundError: [Errno 2] No such file or directory
Oct 30 12:16:35.275352 osdx OSDxCLI[1928]: User 'admin' added a new cfg line: 'show working'.
Oct 30 12:16:35.396292 osdx ca-certificates[72687]: Updating certificates in /etc/ssl/certs...
Oct 30 12:16:35.948230 osdx ca-certificates[73690]: 1 added, 0 removed; done.
Oct 30 12:16:35.951205 osdx ca-certificates[73698]: Running hooks in /etc/ca-certificates/update.d...
Oct 30 12:16:35.954039 osdx ca-certificates[73700]: done.
Oct 30 12:16:36.076473 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 30 12:16:36.078492 osdx cfgd[1427]: [1928]Completed change to active configuration
Oct 30 12:16:36.082786 osdx OSDxCLI[1928]: User 'admin' committed the configuration.
Oct 30 12:16:36.099115 osdx OSDxCLI[1928]: User 'admin' left the configuration menu.
Oct 30 12:16:36.266024 osdx OSDxCLI[1928]: User 'admin' executed a new command: 'system journal show | cat'.
Oct 30 12:16:36.279925 osdx dnscrypt-proxy[73760]: dnscrypt-proxy 2.0.45
Oct 30 12:16:36.280002 osdx dnscrypt-proxy[73760]: Network connectivity detected
Oct 30 12:16:36.280247 osdx dnscrypt-proxy[73760]: Dropping privileges
Oct 30 12:16:36.285519 osdx dnscrypt-proxy[73760]: Network connectivity detected
Oct 30 12:16:36.285550 osdx dnscrypt-proxy[73760]: Now listening to 127.0.0.1:53 [UDP]
Oct 30 12:16:36.285554 osdx dnscrypt-proxy[73760]: Now listening to 127.0.0.1:53 [TCP]
Oct 30 12:16:36.285572 osdx dnscrypt-proxy[73760]: Firefox workaround initialized
Oct 30 12:16:36.285576 osdx dnscrypt-proxy[73760]: Loading the set of cloaking rules from [/tmp/tmpv3l6n53q]
Oct 30 12:16:36.483522 osdx OSDxCLI[1928]: User 'admin' executed a new command: 'system journal show | cat'.
Oct 30 12:16:36.582818 osdx dnscrypt-proxy[73760]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
Oct 30 12:16:36.582832 osdx dnscrypt-proxy[73760]: [DUT0] OK (DoH) - rtt: 142ms
Oct 30 12:16:36.582840 osdx dnscrypt-proxy[73760]: Server with the lowest initial latency: DUT0 (rtt: 142ms)
Oct 30 12:16:36.582845 osdx dnscrypt-proxy[73760]: dnscrypt-proxy is ready - live servers: 1
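The line that actually proves the test's claim is the dnscrypt-proxy status line "[DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867": the version is printed in hexadecimal (304 is 0x0304, the TLS 1.3 protocol version) and the cipher suite in decimal (4867 is 0x1303, TLS_CHACHA20_POLY1305_SHA256, one of the five suites defined for TLS 1.3). The following Python script is an added example, not part of the original test suite or of the OSDx/dnscrypt-proxy code: it parses those status lines out of journal text and checks that the named server negotiated TLS 1.3 with a TLS 1.3 suite over HTTP/2. The journal samples in the script are constructed from the output above (plus a constructed TLS 1.2 line to show the check failing); the function names are the script's own.

```python
import re

# Constructed sample mirroring the dnscrypt-proxy lines in the journal output above.
SAMPLE_JOURNAL = """\
Oct 30 12:16:36.582818 osdx dnscrypt-proxy[73760]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
Oct 30 12:16:36.582832 osdx dnscrypt-proxy[73760]: [DUT0] OK (DoH) - rtt: 142ms
Oct 30 12:16:36.582840 osdx dnscrypt-proxy[73760]: Server with the lowest initial latency: DUT0 (rtt: 142ms)
Oct 30 12:16:36.582845 osdx dnscrypt-proxy[73760]: dnscrypt-proxy is ready - live servers: 1
"""

# Constructed negative case: a server that only negotiated TLS 1.2 with
# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F = 49199). Not from the page.
LEGACY_JOURNAL = """\
Oct 30 12:16:36.582818 osdx dnscrypt-proxy[73760]: [DUT0] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Oct 30 12:16:36.582832 osdx dnscrypt-proxy[73760]: [DUT0] OK (DoH) - rtt: 142ms
"""

# TLS 1.3 cipher suites as registered by IANA (RFC 8446, Appendix B.4).
TLS13_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x1304: "TLS_AES_128_CCM_SHA256",
    0x1305: "TLS_AES_128_CCM_8_SHA256",
}

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# dnscrypt-proxy prints the version as hex digits and the suite as a decimal
# number, which is why the two fields are converted with different bases below.
LINE_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[(?P<server>[^\]]+)\] TLS version: (?P<ver>[0-9a-fA-F]+)"
    r" - Protocol: (?P<alpn>\S+) - Cipher suite: (?P<suite>\d+)"
)


def parse_handshakes(journal: str) -> dict:
    """Return {server_name: (tls_version, alpn, cipher_suite)} for every status line found."""
    found = {}
    for m in LINE_RE.finditer(journal):
        found[m.group("server")] = (
            int(m.group("ver"), 16),
            m.group("alpn"),
            int(m.group("suite"), 10),
        )
    return found


def check_tls13(journal: str, server: str) -> tuple:
    """Verify that `server` negotiated TLS 1.3, a TLS 1.3 AEAD suite and the h2 ALPN.

    Returns (ok, detail): a boolean for assertions plus a human-readable reason,
    so a failing test run reports what was actually negotiated.
    """
    handshakes = parse_handshakes(journal)
    if server not in handshakes:
        return False, f"no TLS status line for {server}"
    version, alpn, suite = handshakes[server]
    if version != 0x0304:
        return False, f"{server} negotiated {TLS_VERSIONS.get(version, hex(version))}, not TLS 1.3"
    if suite not in TLS13_SUITES:
        return False, f"{server} negotiated non-TLS-1.3 cipher suite 0x{suite:04x}"
    if alpn != "h2":
        return False, f"{server} ALPN is {alpn!r}, expected h2 for DoH"
    return True, f"{server}: TLS 1.3, {TLS13_SUITES[suite]} (0x{suite:04x}), ALPN {alpn}"


if __name__ == "__main__":
    # Both results are printed; a test harness would assert on the boolean instead.
    print(check_tls13(SAMPLE_JOURNAL, "DUT0"))
    print(check_tls13(LEGACY_JOURNAL, "DUT0"))
```

A version of 0x0304 alone is not enough to conclude that the session is TLS 1.3-grade: the suite check matters because a misconfigured stack can still advertise legacy suites, and the ALPN check confirms the DoH transport is HTTP/2 as the expected output shows.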