Cipher Server

Test suite that validates the use of one or more ciphers to protect a DoH connection.

TLS v1.3 Connection

Description

Sets up DUT0 as a server and DUT1 as a client, and ensures that the communication between them is secured by TLS v1.3.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server cert file 'running://dns.dut0.crt'
set service dns proxy server cert key 'running://dns.dut0.key'
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash dcd7c79d517ef035e12eb8156d635988f90b76b5f45de016aad64fcb8fc998ba
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns static host-name teldat.com inet 10.11.12.13
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.215.168.65/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name DUT0
set service dns proxy static DUT0 protocol dns-over-https hash 6e9b7d5c217601f9a087027954a5bb7c86184c69962d7be534cd5eaf012441ff
set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0
set service dns proxy static DUT0 protocol dns-over-https host port 3000
set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64
set service dns resolver local
set service dns static host-name dns.dut0 inet 10.215.168.64
set service ssh
set system certificate trust 'running://CA.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Run the command system journal show | cat on DUT1 and expect this output:

Mar 18 12:47:22.346433 osdx systemd-journald[1529]: Runtime Journal (/run/log/journal/b491cf57694a41c88ee96a0e11fa2117) is 1.0M, max 7.2M, 6.2M free.
Mar 18 12:47:22.349010 osdx systemd-journald[1529]: Received client request to rotate journal, rotating.
Mar 18 12:47:22.349109 osdx systemd-journald[1529]: Vacuuming done, freed 0B of archived journals from /run/log/journal/b491cf57694a41c88ee96a0e11fa2117.
Mar 18 12:47:22.360052 osdx OSDxCLI[60720]: User 'admin' executed a new command: 'system journal clear'.
Mar 18 12:47:22.934498 osdx osdx-coredump[142607]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Mar 18 12:47:22.945823 osdx OSDxCLI[60720]: User 'admin' executed a new command: 'system coredump delete all'.
Mar 18 12:47:24.388591 osdx OSDxCLI[60720]: User 'admin' entered the configuration menu.
Mar 18 12:47:24.531386 osdx OSDxCLI[60720]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.65/24'.
Mar 18 12:47:24.605753 osdx OSDxCLI[60720]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Mar 18 12:47:24.742334 osdx OSDxCLI[60720]: User 'admin' added a new cfg line: 'set service ssh'.
Mar 18 12:47:24.855035 osdx OSDxCLI[60720]: User 'admin' added a new cfg line: 'show working'.
Mar 18 12:47:24.955291 osdx INFO[142638]: FRR daemons did not change
Mar 18 12:47:24.980987 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Mar 18 12:47:25.201438 osdx systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
Mar 18 12:47:25.218003 osdx sshd[142708]: Server listening on 0.0.0.0 port 22.
Mar 18 12:47:25.218047 osdx sshd[142708]: Server listening on :: port 22.
Mar 18 12:47:25.218167 osdx systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
Mar 18 12:47:25.248032 osdx cfgd[1234]: [60720]Completed change to active configuration
Mar 18 12:47:25.283259 osdx OSDxCLI[60720]: User 'admin' committed the configuration.
Mar 18 12:47:25.308063 osdx OSDxCLI[60720]: User 'admin' left the configuration menu.
Mar 18 12:47:25.486025 osdx OSDxCLI[60720]: User 'admin' executed a new command: 'ping 10.215.168.64 count 1 size 56 timeout 1'.
Mar 18 12:47:27.775547 osdx OSDxCLI[60720]: User 'admin' entered the configuration menu.
Mar 18 12:47:27.898610 osdx OSDxCLI[60720]: User 'admin' added a new cfg line: 'set service dns static host-name dns.dut0 inet 10.215.168.64'.
Mar 18 12:47:27.986051 osdx OSDxCLI[60720]: User 'admin' added a new cfg line: 'set system certificate trust running://CA.crt'.
Mar 18 12:47:28.077554 osdx OSDxCLI[60720]: User 'admin' added a new cfg line: 'set service dns proxy server-name DUT0'.
Mar 18 12:47:28.177989 osdx OSDxCLI[60720]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0'.
Mar 18 12:47:28.264039 osdx OSDxCLI[60720]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host port 3000'.
Mar 18 12:47:28.355819 osdx OSDxCLI[60720]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64'.
Mar 18 12:47:28.451450 osdx OSDxCLI[60720]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https hash 6e9b7d5c217601f9a087027954a5bb7c86184c69962d7be534cd5eaf012441ff'.
Mar 18 12:47:28.540336 osdx OSDxCLI[60720]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Mar 18 12:47:28.627434 osdx OSDxCLI[60720]: User 'admin' added a new cfg line: 'set service dns resolver local'.
Mar 18 12:47:28.748111 osdx OSDxCLI[60720]: User 'admin' added a new cfg line: 'show working'.
Mar 18 12:47:28.878208 osdx INFO[142771]: FRR daemons did not change
Mar 18 12:47:28.897237 osdx ca-certificates[142787]: Updating certificates in /etc/ssl/certs...
Mar 18 12:47:29.594918 osdx ca-certificates[143790]: 1 added, 0 removed; done.
Mar 18 12:47:29.599352 osdx ca-certificates[143797]: Running hooks in /etc/ca-certificates/update.d...
Mar 18 12:47:29.603703 osdx ca-certificates[143799]: done.
Mar 18 12:47:29.745439 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Mar 18 12:47:29.747773 osdx cfgd[1234]: [60720]Completed change to active configuration
Mar 18 12:47:29.752250 osdx OSDxCLI[60720]: User 'admin' committed the configuration.
Mar 18 12:47:29.777426 osdx dnscrypt-proxy[143859]: dnscrypt-proxy 2.0.45
Mar 18 12:47:29.777497 osdx dnscrypt-proxy[143859]: Network connectivity detected
Mar 18 12:47:29.777714 osdx dnscrypt-proxy[143859]: Dropping privileges
Mar 18 12:47:29.779797 osdx OSDxCLI[60720]: User 'admin' left the configuration menu.
Mar 18 12:47:29.780859 osdx dnscrypt-proxy[143859]: Network connectivity detected
Mar 18 12:47:29.780897 osdx dnscrypt-proxy[143859]: Now listening to 127.0.0.1:53 [UDP]
Mar 18 12:47:29.780902 osdx dnscrypt-proxy[143859]: Now listening to 127.0.0.1:53 [TCP]
Mar 18 12:47:29.780927 osdx dnscrypt-proxy[143859]: Firefox workaround initialized
Mar 18 12:47:29.780932 osdx dnscrypt-proxy[143859]: Loading the set of cloaking rules from [/tmp/tmpil43nv3e]
Mar 18 12:47:29.977246 osdx OSDxCLI[60720]: User 'admin' executed a new command: 'system journal show | cat'.
Mar 18 12:47:30.098835 osdx dnscrypt-proxy[143859]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
Mar 18 12:47:30.098858 osdx dnscrypt-proxy[143859]: [DUT0] OK (DoH) - rtt: 175ms
Mar 18 12:47:30.098868 osdx dnscrypt-proxy[143859]: Server with the lowest initial latency: DUT0 (rtt: 175ms)
Mar 18 12:47:30.098874 osdx dnscrypt-proxy[143859]: dnscrypt-proxy is ready - live servers: 1
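Added example, not part of this test suite or of OSDx/dnscrypt-proxy: a Python check that parses the dnscrypt-proxy journal lines from the expected output above and accepts the run only when the upstream negotiated TLS 1.3 with a TLS 1.3 cipher suite and reported the DoH probe as OK. It assumes dnscrypt-proxy prints the TLS version in hex and the cipher suite in decimal (consistent with the values 304 and 4867 above); the TLS 1.2 sample and the function and regex names are this example's own.

```python
import re

# Constructed sample copied from the expected journal output above (the two dnscrypt-proxy lines for DUT0).
SAMPLE_JOURNAL = """\
Mar 18 12:47:30.098835 osdx dnscrypt-proxy[143859]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
Mar 18 12:47:30.098858 osdx dnscrypt-proxy[143859]: [DUT0] OK (DoH) - rtt: 175ms
"""
# Constructed negative case (not from the page): a TLS 1.2 handshake with
# TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F = 49199), which must fail the check.
TLS12_JOURNAL = """\
Mar 18 12:47:30.098835 osdx dnscrypt-proxy[143859]: [DUT0] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Mar 18 12:47:30.098858 osdx dnscrypt-proxy[143859]: [DUT0] OK (DoH) - rtt: 175ms
"""

# Assumption: dnscrypt-proxy prints the TLS version in hex and the cipher suite in
# decimal, which is consistent with "304" and "4867" in the expected output.
TLS13_VERSION = 0x0304
TLS13_SUITES = {  # IANA TLS 1.3 cipher suite code points
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}

HANDSHAKE_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[(?P<server>[^\]]+)\] TLS version: (?P<ver>[0-9a-fA-F]+)"
    r" - Protocol: (?P<proto>\S+) - Cipher suite: (?P<suite>\d+)"
)
OK_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[(?P<server>[^\]]+)\] OK \(DoH\) - rtt: (?P<rtt>\d+)ms"
)


def check_doh_tls13(journal_text, server):
    """Return (ok, details) for one upstream name: ok only if the journal shows a
    TLS 1.3 handshake with a TLS 1.3 suite and the 'OK (DoH)' probe result."""
    details = {"version": None, "suite": None, "suite_name": None,
               "protocol": None, "rtt_ms": None}
    for line in journal_text.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m and m.group("server") == server:
            details["version"] = int(m.group("ver"), 16)   # hex code point
            details["suite"] = int(m.group("suite"), 10)   # decimal code point
            details["suite_name"] = TLS13_SUITES.get(details["suite"])
            details["protocol"] = m.group("proto")
        m = OK_RE.search(line)
        if m and m.group("server") == server:
            details["rtt_ms"] = int(m.group("rtt"))
    ok = (details["version"] == TLS13_VERSION and details["suite"] in TLS13_SUITES
          and details["rtt_ms"] is not None)
    return ok, details
```

Feeding the full output of system journal show | cat from DUT1 into check_doh_tls13 turns the Step 3 pass condition into an assertion instead of a visual comparison; on this page's output, suite 4867 decodes to TLS_CHACHA20_POLY1305_SHA256.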