Cipher Server

Test suite that validates the use of one or more cipher suites to protect a DoH (DNS-over-HTTPS) connection.

TLS v1.3 Connection

Description

Sets up DUT0 as a DoH server and DUT1 as a DoH client, and ensures that the communication between them is secured by TLS v1.3. The evidence is in the client's journal: dnscrypt-proxy reports the negotiated version as 304 (0x0304, TLS 1.3) and the cipher suite as 4867 (0x1303, TLS_CHACHA20_POLY1305_SHA256), with h2 as the ALPN protocol.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server cert file 'running://dns.dut0.crt'
set service dns proxy server cert key 'running://dns.dut0.key'
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 20cbb339f943b7564dfff33f0d2ef3d34de1e142130cc6df36ef782f2bd85194
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns static host-name teldat.com inet 10.11.12.13
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.215.168.65/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name DUT0
set service dns proxy static DUT0 protocol dns-over-https hash 7c39dbf3a5275f4085fa4475017956fb3b19bbac1d64fff41395eb0d6d205b4e
set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0
set service dns proxy static DUT0 protocol dns-over-https host port 3000
set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64
set service dns resolver local
set service dns static host-name dns.dut0 inet 10.215.168.64
set service ssh
set system certificate trust 'running://CA.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Run the command system journal show | cat at DUT1 and expect this output:

Jan 10 12:59:24.281812 osdx systemd-journald[1523]: Runtime Journal (/run/log/journal/7179cccd71d140d8bcd6364001e8f483) is 992.0K, max 7.2M, 6.2M free.
Jan 10 12:59:24.285534 osdx systemd-journald[1523]: Received client request to rotate journal, rotating.
Jan 10 12:59:24.285585 osdx systemd-journald[1523]: Vacuuming done, freed 0B of archived journals from /run/log/journal/7179cccd71d140d8bcd6364001e8f483.
Jan 10 12:59:24.290960 osdx OSDxCLI[1768]: User 'admin' executed a new command: 'system journal clear'.
Jan 10 12:59:24.713281 osdx osdx-coredump[68483]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jan 10 12:59:24.720755 osdx OSDxCLI[1768]: User 'admin' executed a new command: 'system coredump delete all'.
Jan 10 12:59:25.833851 osdx OSDxCLI[1768]: User 'admin' entered the configuration menu.
Jan 10 12:59:25.914375 osdx OSDxCLI[1768]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.65/24'.
Jan 10 12:59:25.993948 osdx OSDxCLI[1768]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 10 12:59:26.090225 osdx OSDxCLI[1768]: User 'admin' added a new cfg line: 'set service ssh'.
Jan 10 12:59:26.183702 osdx OSDxCLI[1768]: User 'admin' added a new cfg line: 'show working'.
Jan 10 12:59:26.287980 osdx INFO[68514]: FRR daemons did not change
Jan 10 12:59:26.305515 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 10 12:59:26.449819 osdx systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
Jan 10 12:59:26.460822 osdx sshd[68584]: Server listening on 0.0.0.0 port 22.
Jan 10 12:59:26.461020 osdx sshd[68584]: Server listening on :: port 22.
Jan 10 12:59:26.461121 osdx systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
Jan 10 12:59:26.482721 osdx cfgd[1231]: [1768]Completed change to active configuration
Jan 10 12:59:26.508273 osdx OSDxCLI[1768]: User 'admin' committed the configuration.
Jan 10 12:59:26.525553 osdx OSDxCLI[1768]: User 'admin' left the configuration menu.
Jan 10 12:59:26.667864 osdx OSDxCLI[1768]: User 'admin' executed a new command: 'ping 10.215.168.64 count 1 size 56 timeout 1'.
Jan 10 12:59:28.333975 osdx OSDxCLI[1768]: User 'admin' entered the configuration menu.
Jan 10 12:59:28.403457 osdx OSDxCLI[1768]: User 'admin' added a new cfg line: 'set service dns static host-name dns.dut0 inet 10.215.168.64'.
Jan 10 12:59:28.490860 osdx OSDxCLI[1768]: User 'admin' added a new cfg line: 'set system certificate trust running://CA.crt'.
Jan 10 12:59:28.557210 osdx OSDxCLI[1768]: User 'admin' added a new cfg line: 'set service dns proxy server-name DUT0'.
Jan 10 12:59:28.672035 osdx OSDxCLI[1768]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0'.
Jan 10 12:59:28.736871 osdx OSDxCLI[1768]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host port 3000'.
Jan 10 12:59:28.827883 osdx OSDxCLI[1768]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64'.
Jan 10 12:59:28.896447 osdx OSDxCLI[1768]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https hash 7c39dbf3a5275f4085fa4475017956fb3b19bbac1d64fff41395eb0d6d205b4e'.
Jan 10 12:59:28.996547 osdx OSDxCLI[1768]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 10 12:59:29.060821 osdx OSDxCLI[1768]: User 'admin' added a new cfg line: 'set service dns resolver local'.
Jan 10 12:59:29.190616 osdx OSDxCLI[1768]: User 'admin' added a new cfg line: 'show working'.
Jan 10 12:59:29.273336 osdx INFO[68647]: FRR daemons did not change
Jan 10 12:59:29.287857 osdx ca-certificates[68662]: Updating certificates in /etc/ssl/certs...
Jan 10 12:59:29.733208 osdx ca-certificates[69668]: 1 added, 0 removed; done.
Jan 10 12:59:29.736369 osdx ca-certificates[69673]: Running hooks in /etc/ca-certificates/update.d...
Jan 10 12:59:29.739280 osdx ca-certificates[69675]: done.
Jan 10 12:59:29.870071 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Jan 10 12:59:29.872411 osdx cfgd[1231]: [1768]Completed change to active configuration
Jan 10 12:59:29.875910 osdx OSDxCLI[1768]: User 'admin' committed the configuration.
Jan 10 12:59:29.892736 osdx OSDxCLI[1768]: User 'admin' left the configuration menu.
Jan 10 12:59:29.896878 osdx dnscrypt-proxy[69735]: dnscrypt-proxy 2.0.45
Jan 10 12:59:29.896946 osdx dnscrypt-proxy[69735]: Network connectivity detected
Jan 10 12:59:29.897162 osdx dnscrypt-proxy[69735]: Dropping privileges
Jan 10 12:59:29.899228 osdx dnscrypt-proxy[69735]: Network connectivity detected
Jan 10 12:59:29.899261 osdx dnscrypt-proxy[69735]: Now listening to 127.0.0.1:53 [UDP]
Jan 10 12:59:29.899266 osdx dnscrypt-proxy[69735]: Now listening to 127.0.0.1:53 [TCP]
Jan 10 12:59:29.899289 osdx dnscrypt-proxy[69735]: Firefox workaround initialized
Jan 10 12:59:29.899294 osdx dnscrypt-proxy[69735]: Loading the set of cloaking rules from [/tmp/tmputethlwa]
Jan 10 12:59:30.042936 osdx OSDxCLI[1768]: User 'admin' executed a new command: 'system journal show | cat'.
Jan 10 12:59:30.220119 osdx dnscrypt-proxy[69735]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
Jan 10 12:59:30.220132 osdx dnscrypt-proxy[69735]: [DUT0] OK (DoH) - rtt: 175ms
Jan 10 12:59:30.220139 osdx dnscrypt-proxy[69735]: Server with the lowest initial latency: DUT0 (rtt: 175ms)
Jan 10 12:59:30.220144 osdx dnscrypt-proxy[69735]: dnscrypt-proxy is ready - live servers: 1
Jan 10 12:59:30.239135 osdx OSDxCLI[1768]: User 'admin' executed a new command: 'system journal show | cat'.
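The pass/fail criterion of this test is the dnscrypt-proxy handshake report above ("TLS version: 304 - Protocol: h2 - Cipher suite: 4867"). The following Python script is an added example, not part of the test suite or of OSDx, that parses such journal lines and checks them against a TLS 1.3-only policy, so the check can be automated instead of read by eye. It relies on two facts about dnscrypt-proxy's log format: the version is printed in hexadecimal (304 is 0x0304, TLS 1.3) and the cipher suite in decimal (4867 is 0x1303, TLS_CHACHA20_POLY1305_SHA256). The first sample line is the one from DUT1's journal; the two lines for servers OLD1 and OLD2 are constructed here to show what a TLS 1.2 handshake and a legacy RSA/CBC suite would look like, and do not come from the page.

```python
"""Check dnscrypt-proxy handshake log lines against a TLS policy (added example)."""
import re

# Values as registered in the IANA TLS parameters registry.
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}

# dnscrypt-proxy logs the version in hex (304 == 0x0304) and the suite in decimal (4867 == 0x1303).
LINE_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[(?P<server>[^\]]+)\] "
    r"TLS version: (?P<version>[0-9a-fA-F]+) - Protocol: (?P<alpn>\S+) - Cipher suite: (?P<suite>\d+)"
)


def parse_handshake_line(line):
    """Return a dict with the negotiated parameters, or None if the line is not a handshake report."""
    m = LINE_RE.search(line)
    if not m:
        return None
    version = int(m.group("version"), 16)
    suite = int(m.group("suite"), 10)
    return {
        "server": m.group("server"),
        "version": version,
        "version_name": TLS_VERSIONS.get(version, "unknown (0x%04x)" % version),
        "alpn": m.group("alpn"),
        "suite": suite,
        "suite_name": CIPHER_SUITES.get(suite, "unknown (0x%04x)" % suite),
    }


# Policy for this test: TLS 1.3 only, with its three AEAD cipher suites.
ALLOWED_VERSIONS = {0x0304}
ALLOWED_SUITES = {0x1301, 0x1302, 0x1303}


def check_policy(rec, allowed_versions=ALLOWED_VERSIONS, allowed_suites=ALLOWED_SUITES):
    """Return (ok, reason) for a parsed handshake record."""
    if rec["version"] not in allowed_versions:
        return False, "version %s not allowed" % rec["version_name"]
    if rec["suite"] not in allowed_suites:
        return False, "cipher suite %s not allowed" % rec["suite_name"]
    return True, "%s / %s / %s" % (rec["version_name"], rec["suite_name"], rec["alpn"])


def audit(lines, **policy):
    """Run every handshake line of a journal excerpt through the policy; other lines are ignored."""
    results = []
    for line in lines:
        rec = parse_handshake_line(line)
        if rec is not None:
            ok, reason = check_policy(rec, **policy)
            results.append((rec["server"], ok, reason))
    return results


# Constructed sample: line 1 is the DUT1 journal line from the test; OLD1/OLD2 are made up to show
# a downgraded (TLS 1.2) handshake and a legacy RSA key-exchange / CBC suite.
SAMPLE_LINES = [
    "Jan 10 12:59:30.220119 osdx dnscrypt-proxy[69735]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867",
    "Jan 10 12:59:30.220132 osdx dnscrypt-proxy[69735]: [DUT0] OK (DoH) - rtt: 175ms",
    "Jan 10 12:59:31.000000 osdx dnscrypt-proxy[69735]: [OLD1] TLS version: 303 - Protocol: h2 - Cipher suite: 49199",
    "Jan 10 12:59:32.000000 osdx dnscrypt-proxy[69735]: [OLD2] TLS version: 303 - Protocol: http/1.1 - Cipher suite: 47",
]

if __name__ == "__main__":
    for server, ok, reason in audit(SAMPLE_LINES):
        print("%-5s %s  %s" % (server, "PASS" if ok else "FAIL", reason))
```

Run against the journal output of Step 3, only the DUT0 line passes; the policy can be relaxed per test case (for example allowed_versions={0x0303, 0x0304} for a suite that also exercises TLS 1.2), in which case the reason string names the offending cipher suite instead of the version.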