Cipher Server

Test suite that validates the use of one or more ciphers to protect a DoH (DNS over HTTPS) connection.

TLS v1.3 Connection

Description

Sets up DUT0 as a server and DUT1 as a client, and verifies that the communication between them is secured by TLS v1.3.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server cert file 'running://dns.dut0.crt'
set service dns proxy server cert key 'running://dns.dut0.key'
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 3da01845fbcfc1579f9eca2d995ba22ecb78951c4fead8f8e986fc6d1e954848
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns static host-name teldat.com inet 10.11.12.13
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.215.168.65/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name DUT0
set service dns proxy static DUT0 protocol dns-over-https hash 0d341e79e767dc1014ddc330211454dac1b3755cfca5ee57b0b8ce2ec7a1b0da
set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0
set service dns proxy static DUT0 protocol dns-over-https host port 3000
set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64
set service dns resolver local
set service dns static host-name dns.dut0 inet 10.215.168.64
set service ssh
set system certificate trust 'running://CA.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Run the command system journal show | cat on DUT1 and expect this output:

Sep 05 09:50:58.274635 osdx systemd-journald[1555]: Runtime Journal (/run/log/journal/50a598a116a9494aab0ac4ddc8eeff40) is 960.0K, max 6.5M, 5.5M free.
Sep 05 09:50:58.277112 osdx systemd-journald[1555]: Received client request to rotate journal, rotating.
Sep 05 09:50:58.277165 osdx systemd-journald[1555]: Vacuuming done, freed 0B of archived journals from /run/log/journal/50a598a116a9494aab0ac4ddc8eeff40.
Sep 05 09:50:58.286876 osdx OSDxCLI[1828]: User 'admin' executed a new command: 'system journal clear'.
Sep 05 09:50:58.491859 osdx OSDxCLI[1828]: User 'admin' executed a new command: 'system coredump delete all'.
Sep 05 09:50:59.424480 osdx OSDxCLI[1828]: User 'admin' entered the configuration menu.
Sep 05 09:50:59.510866 osdx OSDxCLI[1828]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.65/24'.
Sep 05 09:50:59.609629 osdx OSDxCLI[1828]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Sep 05 09:50:59.671902 osdx OSDxCLI[1828]: User 'admin' added a new cfg line: 'set service ssh'.
Sep 05 09:50:59.791186 osdx OSDxCLI[1828]: User 'admin' added a new cfg line: 'show working'.
Sep 05 09:50:59.852529 osdx ubnt-cfgd[38545]: inactive
Sep 05 09:50:59.875199 osdx INFO[38559]: FRR daemons did not change
Sep 05 09:51:00.049356 osdx systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
Sep 05 09:51:00.062389 osdx sshd[38673]: Server listening on 0.0.0.0 port 22.
Sep 05 09:51:00.062657 osdx sshd[38673]: Server listening on :: port 22.
Sep 05 09:51:00.062790 osdx systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
Sep 05 09:51:00.092421 osdx cfgd[1254]: [1828]Completed change to active configuration
Sep 05 09:51:00.105770 osdx OSDxCLI[1828]: User 'admin' committed the configuration.
Sep 05 09:51:00.151283 osdx OSDxCLI[1828]: User 'admin' left the configuration menu.
Sep 05 09:51:00.318141 osdx OSDxCLI[1828]: User 'admin' executed a new command: 'ping 10.215.168.64 count 1 size 56 timeout 1'.
Sep 05 09:51:02.201517 osdx OSDxCLI[1828]: User 'admin' entered the configuration menu.
Sep 05 09:51:02.261377 osdx OSDxCLI[1828]: User 'admin' added a new cfg line: 'set service dns static host-name dns.dut0 inet 10.215.168.64'.
Sep 05 09:51:02.364383 osdx OSDxCLI[1828]: User 'admin' added a new cfg line: 'set system certificate trust running://CA.crt'.
Sep 05 09:51:02.420008 osdx OSDxCLI[1828]: User 'admin' added a new cfg line: 'set service dns proxy server-name DUT0'.
Sep 05 09:51:02.540445 osdx OSDxCLI[1828]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0'.
Sep 05 09:51:02.605837 osdx OSDxCLI[1828]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host port 3000'.
Sep 05 09:51:02.713364 osdx OSDxCLI[1828]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64'.
Sep 05 09:51:02.775732 osdx OSDxCLI[1828]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https hash 0d341e79e767dc1014ddc330211454dac1b3755cfca5ee57b0b8ce2ec7a1b0da'.
Sep 05 09:51:02.873151 osdx OSDxCLI[1828]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Sep 05 09:51:02.932502 osdx OSDxCLI[1828]: User 'admin' added a new cfg line: 'set service dns resolver local'.
Sep 05 09:51:03.047246 osdx OSDxCLI[1828]: User 'admin' added a new cfg line: 'show working'.
Sep 05 09:51:03.112834 osdx ubnt-cfgd[38733]: inactive
Sep 05 09:51:03.135481 osdx INFO[38741]: FRR daemons did not change
Sep 05 09:51:03.152738 osdx ca-certificates[38756]: Updating certificates in /etc/ssl/certs...
Sep 05 09:51:03.658888 osdx ubnt-cfgd[39755]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Sep 05 09:51:03.667744 osdx ca-certificates[39762]: 1 added, 0 removed; done.
Sep 05 09:51:03.671036 osdx ca-certificates[39767]: Running hooks in /etc/ca-certificates/update.d...
Sep 05 09:51:03.674162 osdx ca-certificates[39769]: done.
Sep 05 09:51:03.793459 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Sep 05 09:51:03.795443 osdx cfgd[1254]: [1828]Completed change to active configuration
Sep 05 09:51:03.799093 osdx OSDxCLI[1828]: User 'admin' committed the configuration.
Sep 05 09:51:03.815315 osdx OSDxCLI[1828]: User 'admin' left the configuration menu.
Sep 05 09:51:03.840571 osdx dnscrypt-proxy[39829]: dnscrypt-proxy 2.0.45
Sep 05 09:51:03.840634 osdx dnscrypt-proxy[39829]: Network connectivity detected
Sep 05 09:51:03.840833 osdx dnscrypt-proxy[39829]: Dropping privileges
Sep 05 09:51:03.843214 osdx dnscrypt-proxy[39829]: Network connectivity detected
Sep 05 09:51:03.843242 osdx dnscrypt-proxy[39829]: Now listening to 127.0.0.1:53 [UDP]
Sep 05 09:51:03.843246 osdx dnscrypt-proxy[39829]: Now listening to 127.0.0.1:53 [TCP]
Sep 05 09:51:03.843267 osdx dnscrypt-proxy[39829]: Firefox workaround initialized
Sep 05 09:51:03.843271 osdx dnscrypt-proxy[39829]: Loading the set of cloaking rules from [/tmp/tmpxechh43t]
Sep 05 09:51:03.990661 osdx OSDxCLI[1828]: User 'admin' executed a new command: 'system journal show | cat'.
Sep 05 09:51:04.045002 osdx dnscrypt-proxy[39829]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
Sep 05 09:51:04.045021 osdx dnscrypt-proxy[39829]: [DUT0] OK (DoH) - rtt: 110ms
Sep 05 09:51:04.045032 osdx dnscrypt-proxy[39829]: Server with the lowest initial latency: DUT0 (rtt: 110ms)
Sep 05 09:51:04.045038 osdx dnscrypt-proxy[39829]: dnscrypt-proxy is ready - live servers: 1
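The pass condition of this scenario is the dnscrypt-proxy handshake line in the Step 3 output (TLS version 304, cipher suite 4867). The following Python, an added example that is not part of the test suite, decodes that line and checks that DUT0 negotiated TLS 1.3 with a TLS 1.3 cipher suite; it assumes dnscrypt-proxy prints the version in hex and the suite as a decimal IANA identifier, and the second server in the sample journal is a constructed TLS 1.2 line used to exercise the failure path.

```python
import re
# dnscrypt-proxy logs the negotiated TLS version in hex (304 -> 0x0304 -> TLS 1.3)
# and the cipher suite as a decimal IANA identifier (4867 -> 0x1303).
TLS_VERSIONS = {0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# TLS 1.3 cipher suites (RFC 8446, Appendix B.4); anything else is not a TLS 1.3 suite.
TLS13_CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x1304: "TLS_AES_128_CCM_SHA256",
    0x1305: "TLS_AES_128_CCM_8_SHA256",
}

LINE_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[(?P<server>[^\]]+)\] TLS version: (?P<ver>[0-9a-fA-F]+)"
    r" - Protocol: (?P<alpn>\S+) - Cipher suite: (?P<suite>\d+)"
)

def parse_handshakes(journal):
    """Map each DoH server name to its logged TLS version, ALPN protocol and cipher suite."""
    found = {}
    for line in journal.splitlines():
        m = LINE_RE.search(line)
        if m:
            found[m["server"]] = {"version": int(m["ver"], 16),
                                  "alpn": m["alpn"], "suite": int(m["suite"])}
    return found

def check_tls13(journal, server):
    """Return (ok, reason); ok only when the server negotiated TLS 1.3 with a TLS 1.3 suite."""
    info = parse_handshakes(journal).get(server)
    if info is None:
        return False, f"no handshake line for {server} (not reachable or not probed yet)"
    if info["version"] != 0x0304:
        ver = TLS_VERSIONS.get(info["version"], f"unknown 0x{info['version']:04x}")
        return False, f"{server} negotiated {ver}, not TLS 1.3"
    suite = TLS13_CIPHER_SUITES.get(info["suite"])
    if suite is None:
        return False, f"{server} reports non-TLS-1.3 suite 0x{info['suite']:04x}"
    return True, f"{server}: TLS 1.3, {suite}, ALPN {info['alpn']}"

# Constructed sample: line 1 is the handshake line expected in Step 3; line 3 is an
# invented TLS 1.2 handshake (version 303, suite 49199 = 0xc02f) for the failure path.
SAMPLE_JOURNAL = """\
Sep 05 09:51:04.045002 osdx dnscrypt-proxy[39829]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
Sep 05 09:51:04.045021 osdx dnscrypt-proxy[39829]: [DUT0] OK (DoH) - rtt: 110ms
Sep 05 09:51:05.000000 osdx dnscrypt-proxy[39829]: [OLD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
"""
```

Feeding the real output of system journal show | cat to check_tls13 with the server name DUT0 gives a single pass/fail verdict for this scenario instead of eyeballing the numeric codes.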