Cipher Server

Test suite that validates the use of one or more ciphers to protect a DoH (DNS-over-HTTPS) connection.

TLS v1.3 Connection

Description

Sets up DUT0 as a server and DUT1 as a client, and ensures that the communication between them is secured by TLS v1.3.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server cert file 'running://dns.dut0.crt'
set service dns proxy server cert key 'running://dns.dut0.key'
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash fbde9ec8b61083045636daed938e6ac3eb5836b9a6063993d8620d69f6a6c58c
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns static host-name teldat.com inet 10.11.12.13
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.215.168.65/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name DUT0
set service dns proxy static DUT0 protocol dns-over-https hash 57ba8cbeb6d79050faebf9e090a0320956ccc24ff42144158192aa247598c6c7
set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0
set service dns proxy static DUT0 protocol dns-over-https host port 3000
set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64
set service dns resolver local
set service dns static host-name dns.dut0 inet 10.215.168.64
set service ssh
set system certificate trust 'running://CA.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Run the command system journal show | cat on DUT1 and expect the following output:

Oct 10 22:48:47.273435 osdx systemd-journald[1561]: Runtime Journal (/run/log/journal/806ba4d037ed4b398e58eb92edf93777) is 900.0K, max 6.5M, 5.6M free.
Oct 10 22:48:47.274551 osdx systemd-journald[1561]: Received client request to rotate journal, rotating.
Oct 10 22:48:47.274617 osdx systemd-journald[1561]: Vacuuming done, freed 0B of archived journals from /run/log/journal/806ba4d037ed4b398e58eb92edf93777.
Oct 10 22:48:47.283299 osdx OSDxCLI[129632]: User 'admin' executed a new command: 'system journal clear'.
Oct 10 22:48:47.487524 osdx OSDxCLI[129632]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 10 22:48:48.394459 osdx OSDxCLI[129632]: User 'admin' entered the configuration menu.
Oct 10 22:48:48.469295 osdx OSDxCLI[129632]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.65/24'.
Oct 10 22:48:48.554003 osdx OSDxCLI[129632]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 10 22:48:48.611318 osdx OSDxCLI[129632]: User 'admin' added a new cfg line: 'set service ssh'.
Oct 10 22:48:48.719999 osdx OSDxCLI[129632]: User 'admin' added a new cfg line: 'show working'.
Oct 10 22:48:48.788604 osdx ubnt-cfgd[295481]: inactive
Oct 10 22:48:48.812077 osdx INFO[295493]: FRR daemons did not change
Oct 10 22:48:48.834541 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 10 22:48:48.881158 osdx WARNING[295561]: No supported link modes on interface eth0
Oct 10 22:48:48.882597 osdx modulelauncher[295561]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Oct 10 22:48:48.882612 osdx modulelauncher[295561]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Oct 10 22:48:48.884115 osdx modulelauncher[295561]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Oct 10 22:48:48.884123 osdx modulelauncher[295561]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Oct 10 22:48:48.991116 osdx systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
Oct 10 22:48:49.004810 osdx sshd[295612]: Server listening on 0.0.0.0 port 22.
Oct 10 22:48:49.004835 osdx sshd[295612]: Server listening on :: port 22.
Oct 10 22:48:49.004919 osdx systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
Oct 10 22:48:49.030903 osdx cfgd[1260]: [129632]Completed change to active configuration
Oct 10 22:48:49.042489 osdx OSDxCLI[129632]: User 'admin' committed the configuration.
Oct 10 22:48:49.057962 osdx OSDxCLI[129632]: User 'admin' left the configuration menu.
Oct 10 22:48:49.195300 osdx OSDxCLI[129632]: User 'admin' executed a new command: 'ping 10.215.168.64 count 1 size 56 timeout 1'.
Oct 10 22:48:51.036832 osdx OSDxCLI[129632]: User 'admin' entered the configuration menu.
Oct 10 22:48:51.098404 osdx OSDxCLI[129632]: User 'admin' added a new cfg line: 'set service dns static host-name dns.dut0 inet 10.215.168.64'.
Oct 10 22:48:51.190830 osdx OSDxCLI[129632]: User 'admin' added a new cfg line: 'set system certificate trust running://CA.crt'.
Oct 10 22:48:51.257361 osdx OSDxCLI[129632]: User 'admin' added a new cfg line: 'set service dns proxy server-name DUT0'.
Oct 10 22:48:51.373455 osdx OSDxCLI[129632]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0'.
Oct 10 22:48:51.445136 osdx OSDxCLI[129632]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host port 3000'.
Oct 10 22:48:51.531802 osdx OSDxCLI[129632]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64'.
Oct 10 22:48:51.595353 osdx OSDxCLI[129632]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https hash 57ba8cbeb6d79050faebf9e090a0320956ccc24ff42144158192aa247598c6c7'.
Oct 10 22:48:51.682570 osdx OSDxCLI[129632]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Oct 10 22:48:51.736995 osdx OSDxCLI[129632]: User 'admin' added a new cfg line: 'set service dns resolver local'.
Oct 10 22:48:51.849564 osdx OSDxCLI[129632]: User 'admin' added a new cfg line: 'show working'.
Oct 10 22:48:51.944888 osdx ubnt-cfgd[295669]: inactive
Oct 10 22:48:51.967857 osdx INFO[295677]: FRR daemons did not change
Oct 10 22:48:51.981398 osdx ca-certificates[295693]: Updating certificates in /etc/ssl/certs...
Oct 10 22:48:52.536766 osdx ubnt-cfgd[296705]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Oct 10 22:48:52.544378 osdx ca-certificates[296710]: 1 added, 0 removed; done.
Oct 10 22:48:52.547385 osdx ca-certificates[296717]: Running hooks in /etc/ca-certificates/update.d...
Oct 10 22:48:52.550404 osdx ca-certificates[296719]: done.
Oct 10 22:48:52.671051 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Oct 10 22:48:52.673424 osdx cfgd[1260]: [129632]Completed change to active configuration
Oct 10 22:48:52.677733 osdx OSDxCLI[129632]: User 'admin' committed the configuration.
Oct 10 22:48:52.698861 osdx OSDxCLI[129632]: User 'admin' left the configuration menu.
Oct 10 22:48:52.699332 osdx dnscrypt-proxy[296779]: dnscrypt-proxy 2.0.45
Oct 10 22:48:52.699418 osdx dnscrypt-proxy[296779]: Network connectivity detected
Oct 10 22:48:52.699678 osdx dnscrypt-proxy[296779]: Dropping privileges
Oct 10 22:48:52.701964 osdx dnscrypt-proxy[296779]: Network connectivity detected
Oct 10 22:48:52.701997 osdx dnscrypt-proxy[296779]: Now listening to 127.0.0.1:53 [UDP]
Oct 10 22:48:52.702002 osdx dnscrypt-proxy[296779]: Now listening to 127.0.0.1:53 [TCP]
Oct 10 22:48:52.702020 osdx dnscrypt-proxy[296779]: Firefox workaround initialized
Oct 10 22:48:52.702025 osdx dnscrypt-proxy[296779]: Loading the set of cloaking rules from [/tmp/tmpy78r3mmc]
Oct 10 22:48:52.857936 osdx OSDxCLI[129632]: User 'admin' executed a new command: 'system journal show | cat'.
Oct 10 22:48:52.881406 osdx dnscrypt-proxy[296779]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
Oct 10 22:48:52.881425 osdx dnscrypt-proxy[296779]: [DUT0] OK (DoH) - rtt: 100ms
Oct 10 22:48:52.881434 osdx dnscrypt-proxy[296779]: Server with the lowest initial latency: DUT0 (rtt: 100ms)
Oct 10 22:48:52.881443 osdx dnscrypt-proxy[296779]: dnscrypt-proxy is ready - live servers: 1
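The line that actually proves the test's claim is the dnscrypt-proxy handshake report: dnscrypt-proxy prints the negotiated TLS version in hexadecimal (304 is 0x0304, TLS 1.3) and the cipher suite as a decimal IANA code point (4867 is 0x1303, TLS_CHACHA20_POLY1305_SHA256). The following Python script is an added example, not part of the test suite or of dnscrypt-proxy; it parses such journal lines and checks that a named DoH server negotiated TLS 1.3 with a cipher suite from an allowed set, which is what a cipher-restriction test would assert on. The journal text it runs on is a constructed sample: the DUT0 line is the one shown above, and the "LEGACY" line is invented to exercise the failure path.

```python
import re

# dnscrypt-proxy logs the negotiated TLS version as hex (304 == 0x0304 == TLS 1.3)
# and the cipher suite as a decimal IANA code point (4867 == 0x1303).
TLS_VERSIONS = {
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}

# IANA code points of the TLS 1.3 cipher suites (RFC 8446, Appendix B.4).
TLS13_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x1304: "TLS_AES_128_CCM_SHA256",
    0x1305: "TLS_AES_128_CCM_8_SHA256",
}

# Constructed sample journal: the DUT0 line is the one from the test output,
# the LEGACY line is invented (TLS 1.2, 49199 == 0xC02F) to show a failing check.
SAMPLE_JOURNAL = """\
Oct 10 22:48:52.857936 osdx OSDxCLI[129632]: User 'admin' executed a new command: 'system journal show | cat'.
Oct 10 22:48:52.881406 osdx dnscrypt-proxy[296779]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
Oct 10 22:48:52.881425 osdx dnscrypt-proxy[296779]: [DUT0] OK (DoH) - rtt: 100ms
Oct 10 22:48:52.900000 osdx dnscrypt-proxy[296779]: [LEGACY] TLS version: 303 - Protocol: http/1.1 - Cipher suite: 49199
Oct 10 22:48:52.881443 osdx dnscrypt-proxy[296779]: dnscrypt-proxy is ready - live servers: 1
"""

HANDSHAKE_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[(?P<server>[^\]]+)\] TLS version: (?P<version>[0-9A-Fa-f]+)"
    r" - Protocol: (?P<proto>\S+) - Cipher suite: (?P<suite>\d+)"
)


def parse_handshakes(journal):
    """Return {server_name: {"version": int, "proto": str, "suite": int}}
    for every dnscrypt-proxy handshake line found in the journal text."""
    found = {}
    for line in journal.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m:
            found[m.group("server")] = {
                "version": int(m.group("version"), 16),  # logged in hex
                "proto": m.group("proto"),
                "suite": int(m.group("suite"), 10),      # logged in decimal
            }
    return found


def check_doh_server(journal, server, allowed_suites=None):
    """Verify that `server` negotiated TLS 1.3 with a TLS 1.3 cipher suite.

    allowed_suites optionally restricts the acceptable suite names, which is
    how a "cipher server" test pins the expected cipher(s). Returns (ok, reason).
    """
    hs = parse_handshakes(journal).get(server)
    if hs is None:
        return False, "no TLS handshake line for server %r" % server
    if hs["version"] != 0x0304:
        seen = TLS_VERSIONS.get(hs["version"], hex(hs["version"]))
        return False, "%s negotiated %s, expected TLS 1.3" % (server, seen)
    name = TLS13_SUITES.get(hs["suite"])
    if name is None:
        return False, "cipher suite 0x%04x is not a TLS 1.3 suite" % hs["suite"]
    if allowed_suites is not None and name not in allowed_suites:
        return False, "%s is not in the allowed set %s" % (name, sorted(allowed_suites))
    return True, "%s: TLS 1.3 with %s over %s" % (server, name, hs["proto"])


if __name__ == "__main__":
    for srv in ("DUT0", "LEGACY", "MISSING"):
        print(check_doh_server(SAMPLE_JOURNAL, srv, {"TLS_CHACHA20_POLY1305_SHA256"}))
```

Feeding the real output of system journal show | cat into check_doh_server with the server name used in the DUT1 configuration (DUT0) turns the expected-output comparison of Step 3 into an explicit check on the two fields that matter: the protocol version and the negotiated suite. Because the suite is compared by name, the same check works whether the server is restricted to one cipher or several.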