Cipher

Test suite to validate the use of one or multiple ciphers to protect the DoH connection.

Single Valid Cipher

Description

Configures a single, valid cipher and tries to communicate with the server. No refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Output:
Dec 17 21:41:17.332084 osdx systemd-journald[123332]: Runtime Journal (/run/log/journal/a189e667ab9f46898dbfc92a68a94f73) is 1.8M, max 13.8M, 11.9M free.
Dec 17 21:41:17.332994 osdx systemd-journald[123332]: Received client request to rotate journal, rotating.
Dec 17 21:41:17.333068 osdx systemd-journald[123332]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a189e667ab9f46898dbfc92a68a94f73.
Dec 17 21:41:17.343009 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system journal clear'.
Dec 17 21:41:17.565482 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 17 21:41:17.805291 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:41:17.927252 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 17 21:41:17.981935 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 17 21:41:18.087158 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:41:18.147642 osdx ubnt-cfgd[565757]: inactive
Dec 17 21:41:18.169504 osdx INFO[565763]: FRR daemons did not change
Dec 17 21:41:18.193001 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 17 21:41:18.240170 osdx WARNING[565831]: No supported link modes on interface eth0
Dec 17 21:41:18.241549 osdx modulelauncher[565831]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:41:18.241561 osdx modulelauncher[565831]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:41:18.242703 osdx modulelauncher[565831]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:41:18.242710 osdx modulelauncher[565831]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:41:18.276166 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:41:18.287674 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:41:18.329057 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:41:18.478410 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Dec 17 21:41:18.547340 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system journal show | cat'.
Dec 17 21:41:18.754671 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:41:18.828624 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 17 21:41:18.934003 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 17 21:41:18.996080 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 17 21:41:19.087502 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 17 21:41:19.148235 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d'.
Dec 17 21:41:19.240429 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Dec 17 21:41:19.297155 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 17 21:41:19.403028 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 17 21:41:19.457386 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 17 21:41:19.616562 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:41:19.675973 osdx ubnt-cfgd[565934]: inactive
Dec 17 21:41:19.706142 osdx INFO[565942]: FRR daemons did not change
Dec 17 21:41:19.720453 osdx ca-certificates[565957]: Updating certificates in /etc/ssl/certs...
Dec 17 21:41:20.295355 osdx ubnt-cfgd[566970]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:41:20.303869 osdx ca-certificates[566975]: 1 added, 0 removed; done.
Dec 17 21:41:20.307044 osdx ca-certificates[566982]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:41:20.310463 osdx ca-certificates[566984]: done.
Dec 17 21:41:20.377439 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:41:20.379052 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:41:20.381662 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:41:20.405093 osdx dnscrypt-proxy[566988]: dnscrypt-proxy 2.0.45
Dec 17 21:41:20.405170 osdx dnscrypt-proxy[566988]: Network connectivity detected
Dec 17 21:41:20.405424 osdx dnscrypt-proxy[566988]: Dropping privileges
Dec 17 21:41:20.408559 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:41:20.408829 osdx dnscrypt-proxy[566988]: Network connectivity detected
Dec 17 21:41:20.408868 osdx dnscrypt-proxy[566988]: Now listening to 127.0.0.1:53 [UDP]
Dec 17 21:41:20.408874 osdx dnscrypt-proxy[566988]: Now listening to 127.0.0.1:53 [TCP]
Dec 17 21:41:20.408894 osdx dnscrypt-proxy[566988]: Firefox workaround initialized
Dec 17 21:41:20.408901 osdx dnscrypt-proxy[566988]: Loading the set of cloaking rules from [/tmp/tmpuue9ji4n]
Dec 17 21:41:20.572755 osdx dnscrypt-proxy[566988]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Dec 17 21:41:20.572780 osdx dnscrypt-proxy[566988]: [RD] OK (DoH) - rtt: 108ms
Dec 17 21:41:20.572790 osdx dnscrypt-proxy[566988]: Server with the lowest initial latency: RD (rtt: 108ms)
Dec 17 21:41:20.572796 osdx dnscrypt-proxy[566988]: dnscrypt-proxy is ready - live servers: 1
Dec 17 21:41:25.569048 osdx OSDxCLI[476020]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Dec 17 21:41:35.647936 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Multiple Valid Cipher

Description

Configures a valid cipher each time, and tries to communicate with the server. No refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Output:
Dec 17 21:41:43.320288 osdx systemd-journald[123332]: Runtime Journal (/run/log/journal/a189e667ab9f46898dbfc92a68a94f73) is 1.8M, max 13.8M, 11.9M free.
Dec 17 21:41:43.323054 osdx systemd-journald[123332]: Received client request to rotate journal, rotating.
Dec 17 21:41:43.323129 osdx systemd-journald[123332]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a189e667ab9f46898dbfc92a68a94f73.
Dec 17 21:41:43.332608 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system journal clear'.
Dec 17 21:41:43.628483 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 17 21:41:44.037142 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:41:44.159560 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 17 21:41:44.261944 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 17 21:41:44.323841 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:41:44.430703 osdx ubnt-cfgd[568702]: inactive
Dec 17 21:41:44.453278 osdx INFO[568708]: FRR daemons did not change
Dec 17 21:41:44.479065 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 17 21:41:44.526663 osdx WARNING[568776]: No supported link modes on interface eth0
Dec 17 21:41:44.528160 osdx modulelauncher[568776]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:41:44.528173 osdx modulelauncher[568776]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:41:44.529346 osdx modulelauncher[568776]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:41:44.529355 osdx modulelauncher[568776]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:41:44.566583 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:41:44.579534 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:41:44.602059 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:41:44.748699 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Dec 17 21:41:44.821173 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system journal show | cat'.
Dec 17 21:41:45.000501 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:41:45.074666 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 17 21:41:45.203072 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 17 21:41:45.273449 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 17 21:41:45.363390 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 17 21:41:45.423255 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d'.
Dec 17 21:41:45.515937 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Dec 17 21:41:45.589405 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 17 21:41:45.664020 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 17 21:41:45.751671 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 17 21:41:45.843426 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:41:45.936287 osdx ubnt-cfgd[568879]: inactive
Dec 17 21:41:45.968049 osdx INFO[568887]: FRR daemons did not change
Dec 17 21:41:45.984250 osdx ca-certificates[568903]: Updating certificates in /etc/ssl/certs...
Dec 17 21:41:46.540211 osdx ubnt-cfgd[569915]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:41:46.548315 osdx ca-certificates[569921]: 1 added, 0 removed; done.
Dec 17 21:41:46.551456 osdx ca-certificates[569927]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:41:46.554904 osdx ca-certificates[569929]: done.
Dec 17 21:41:46.619429 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:41:46.620811 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:41:46.623200 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:41:46.646983 osdx dnscrypt-proxy[569933]: dnscrypt-proxy 2.0.45
Dec 17 21:41:46.647077 osdx dnscrypt-proxy[569933]: Network connectivity detected
Dec 17 21:41:46.647312 osdx dnscrypt-proxy[569933]: Dropping privileges
Dec 17 21:41:46.649918 osdx dnscrypt-proxy[569933]: Network connectivity detected
Dec 17 21:41:46.649959 osdx dnscrypt-proxy[569933]: Now listening to 127.0.0.1:53 [UDP]
Dec 17 21:41:46.649964 osdx dnscrypt-proxy[569933]: Now listening to 127.0.0.1:53 [TCP]
Dec 17 21:41:46.649987 osdx dnscrypt-proxy[569933]: Firefox workaround initialized
Dec 17 21:41:46.649993 osdx dnscrypt-proxy[569933]: Loading the set of cloaking rules from [/tmp/tmpcqclo1sv]
Dec 17 21:41:46.661285 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:41:46.815417 osdx dnscrypt-proxy[569933]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Dec 17 21:41:46.815436 osdx dnscrypt-proxy[569933]: [RD] OK (DoH) - rtt: 103ms
Dec 17 21:41:46.815446 osdx dnscrypt-proxy[569933]: Server with the lowest initial latency: RD (rtt: 103ms)
Dec 17 21:41:46.815451 osdx dnscrypt-proxy[569933]: dnscrypt-proxy is ready - live servers: 1
Dec 17 21:41:46.829131 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 2

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49200
Output:
Dec 17 21:41:47.078606 osdx systemd-journald[123332]: Runtime Journal (/run/log/journal/a189e667ab9f46898dbfc92a68a94f73) is 1.8M, max 13.8M, 11.9M free.
Dec 17 21:41:47.079051 osdx systemd-journald[123332]: Received client request to rotate journal, rotating.
Dec 17 21:41:47.079084 osdx systemd-journald[123332]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a189e667ab9f46898dbfc92a68a94f73.
Dec 17 21:41:47.088678 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system journal clear'.
Dec 17 21:41:47.338322 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:41:47.392648 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'delete '.
Dec 17 21:41:47.504757 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Dec 17 21:41:47.569664 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:41:47.685485 osdx ubnt-cfgd[569986]: inactive
Dec 17 21:41:47.712278 osdx dnscrypt-proxy[569933]: Stopped.
Dec 17 21:41:47.712301 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Dec 17 21:41:47.713072 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Dec 17 21:41:47.713187 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:41:47.773694 osdx WARNING[570050]: No supported link modes on interface eth0
Dec 17 21:41:47.775550 osdx modulelauncher[570050]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:41:47.775562 osdx modulelauncher[570050]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:41:47.777140 osdx modulelauncher[570050]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:41:47.777149 osdx modulelauncher[570050]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:41:47.798810 osdx ca-certificates[570075]: Clearing symlinks in /etc/ssl/certs...
Dec 17 21:41:48.156722 osdx ca-certificates[570653]: done.
Dec 17 21:41:48.161157 osdx ca-certificates[570661]: Updating certificates in /etc/ssl/certs...
Dec 17 21:41:48.675191 osdx ubnt-cfgd[571519]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:41:48.683276 osdx ca-certificates[571525]: 142 added, 0 removed; done.
Dec 17 21:41:48.687448 osdx ca-certificates[571531]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:41:48.691003 osdx ca-certificates[571533]: done.
Dec 17 21:41:48.707951 osdx INFO[571536]: FRR daemons did not change
Dec 17 21:41:48.708236 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:41:48.761469 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:41:48.791278 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:41:50.099631 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:41:50.158457 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 17 21:41:50.261344 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 17 21:41:50.338054 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 17 21:41:50.424768 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 17 21:41:50.491803 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d'.
Dec 17 21:41:50.579352 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Dec 17 21:41:50.641072 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 17 21:41:50.760884 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 17 21:41:50.841971 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 17 21:41:51.002763 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:41:51.073795 osdx ubnt-cfgd[571570]: inactive
Dec 17 21:41:51.102838 osdx INFO[571578]: FRR daemons did not change
Dec 17 21:41:51.117152 osdx ca-certificates[571593]: Updating certificates in /etc/ssl/certs...
Dec 17 21:41:51.677151 osdx ubnt-cfgd[572606]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:41:51.685214 osdx ca-certificates[572612]: 1 added, 0 removed; done.
Dec 17 21:41:51.688121 osdx ca-certificates[572618]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:41:51.690850 osdx ca-certificates[572620]: done.
Dec 17 21:41:51.719068 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 17 21:41:51.766919 osdx WARNING[572686]: No supported link modes on interface eth0
Dec 17 21:41:51.768398 osdx modulelauncher[572686]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:41:51.768412 osdx modulelauncher[572686]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:41:51.769607 osdx modulelauncher[572686]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:41:51.769616 osdx modulelauncher[572686]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:41:51.867508 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:41:51.868864 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:41:51.884102 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:41:51.895848 osdx dnscrypt-proxy[572735]: dnscrypt-proxy 2.0.45
Dec 17 21:41:51.895935 osdx dnscrypt-proxy[572735]: Network connectivity detected
Dec 17 21:41:51.896164 osdx dnscrypt-proxy[572735]: Dropping privileges
Dec 17 21:41:51.898716 osdx dnscrypt-proxy[572735]: Network connectivity detected
Dec 17 21:41:51.898751 osdx dnscrypt-proxy[572735]: Now listening to 127.0.0.1:53 [UDP]
Dec 17 21:41:51.898756 osdx dnscrypt-proxy[572735]: Now listening to 127.0.0.1:53 [TCP]
Dec 17 21:41:51.898773 osdx dnscrypt-proxy[572735]: Firefox workaround initialized
Dec 17 21:41:51.898781 osdx dnscrypt-proxy[572735]: Loading the set of cloaking rules from [/tmp/tmpb1zodllv]
Dec 17 21:41:51.903816 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:41:52.060862 osdx dnscrypt-proxy[572735]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Dec 17 21:41:52.060882 osdx dnscrypt-proxy[572735]: [RD] OK (DoH) - rtt: 108ms
Dec 17 21:41:52.060892 osdx dnscrypt-proxy[572735]: Server with the lowest initial latency: RD (rtt: 108ms)
Dec 17 21:41:52.060897 osdx dnscrypt-proxy[572735]: dnscrypt-proxy is ready - live servers: 1
Dec 17 21:41:57.066193 osdx OSDxCLI[476020]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Dec 17 21:42:07.151565 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 3

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 52392
Output:
Dec 17 21:42:07.377637 osdx systemd-journald[123332]: Runtime Journal (/run/log/journal/a189e667ab9f46898dbfc92a68a94f73) is 1.8M, max 13.8M, 11.9M free.
Dec 17 21:42:07.379069 osdx systemd-journald[123332]: Received client request to rotate journal, rotating.
Dec 17 21:42:07.379139 osdx systemd-journald[123332]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a189e667ab9f46898dbfc92a68a94f73.
Dec 17 21:42:07.391379 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system journal clear'.
Dec 17 21:42:07.696931 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:42:07.751417 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'delete '.
Dec 17 21:42:07.866329 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Dec 17 21:42:07.927371 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:42:08.021930 osdx ubnt-cfgd[572814]: inactive
Dec 17 21:42:08.044645 osdx dnscrypt-proxy[572735]: Stopped.
Dec 17 21:42:08.044653 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Dec 17 21:42:08.045296 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Dec 17 21:42:08.045403 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:42:08.109573 osdx WARNING[572878]: No supported link modes on interface eth0
Dec 17 21:42:08.111367 osdx modulelauncher[572878]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:42:08.111383 osdx modulelauncher[572878]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:42:08.112948 osdx modulelauncher[572878]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:42:08.112958 osdx modulelauncher[572878]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:42:08.132555 osdx ca-certificates[572903]: Clearing symlinks in /etc/ssl/certs...
Dec 17 21:42:08.461072 osdx ca-certificates[573480]: done.
Dec 17 21:42:08.464527 osdx ca-certificates[573489]: Updating certificates in /etc/ssl/certs...
Dec 17 21:42:09.033825 osdx ubnt-cfgd[574347]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:42:09.044331 osdx ca-certificates[574353]: 142 added, 0 removed; done.
Dec 17 21:42:09.047422 osdx ca-certificates[574359]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:42:09.050297 osdx ca-certificates[574361]: done.
Dec 17 21:42:09.068266 osdx INFO[574364]: FRR daemons did not change
Dec 17 21:42:09.068597 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:42:09.071191 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:42:09.090638 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:42:10.450861 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:42:10.516708 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 17 21:42:10.649564 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 17 21:42:10.773871 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 17 21:42:10.880294 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 17 21:42:10.976158 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d'.
Dec 17 21:42:11.064344 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Dec 17 21:42:11.182750 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 17 21:42:11.272029 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 17 21:42:11.371003 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 17 21:42:11.439981 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:42:11.550897 osdx ubnt-cfgd[574398]: inactive
Dec 17 21:42:11.576555 osdx INFO[574406]: FRR daemons did not change
Dec 17 21:42:11.590712 osdx ca-certificates[574422]: Updating certificates in /etc/ssl/certs...
Dec 17 21:42:12.157137 osdx ubnt-cfgd[575434]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:42:12.167611 osdx ca-certificates[575440]: 1 added, 0 removed; done.
Dec 17 21:42:12.170657 osdx ca-certificates[575446]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:42:12.173976 osdx ca-certificates[575448]: done.
Dec 17 21:42:12.199068 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 17 21:42:12.251644 osdx WARNING[575514]: No supported link modes on interface eth0
Dec 17 21:42:12.253459 osdx modulelauncher[575514]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:42:12.253472 osdx modulelauncher[575514]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:42:12.254718 osdx modulelauncher[575514]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:42:12.254727 osdx modulelauncher[575514]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:42:12.379552 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:42:12.381256 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:42:12.394712 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:42:12.405335 osdx dnscrypt-proxy[575563]: dnscrypt-proxy 2.0.45
Dec 17 21:42:12.405418 osdx dnscrypt-proxy[575563]: Network connectivity detected
Dec 17 21:42:12.405666 osdx dnscrypt-proxy[575563]: Dropping privileges
Dec 17 21:42:12.408808 osdx dnscrypt-proxy[575563]: Network connectivity detected
Dec 17 21:42:12.408849 osdx dnscrypt-proxy[575563]: Now listening to 127.0.0.1:53 [UDP]
Dec 17 21:42:12.408855 osdx dnscrypt-proxy[575563]: Now listening to 127.0.0.1:53 [TCP]
Dec 17 21:42:12.408879 osdx dnscrypt-proxy[575563]: Firefox workaround initialized
Dec 17 21:42:12.408884 osdx dnscrypt-proxy[575563]: Loading the set of cloaking rules from [/tmp/tmpg2d5io4j]
Dec 17 21:42:12.423527 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:42:12.663708 osdx dnscrypt-proxy[575563]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Dec 17 21:42:12.663731 osdx dnscrypt-proxy[575563]: [RD] OK (DoH) - rtt: 134ms
Dec 17 21:42:12.663742 osdx dnscrypt-proxy[575563]: Server with the lowest initial latency: RD (rtt: 134ms)
Dec 17 21:42:12.663749 osdx dnscrypt-proxy[575563]: dnscrypt-proxy is ready - live servers: 1
Dec 17 21:42:13.031775 osdx systemd[1]: systemd-timedated.service: Deactivated successfully.
Dec 17 21:42:17.578674 osdx OSDxCLI[476020]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Dec 17 21:42:27.670465 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Single Invalid Cipher

Description

Configures a single, invalid cipher and tries to communicate with the server. A refusal of the proposed cipher is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
Dec 17 21:42:35.297500 osdx systemd-journald[123332]: Runtime Journal (/run/log/journal/a189e667ab9f46898dbfc92a68a94f73) is 1.8M, max 13.8M, 11.9M free.
Dec 17 21:42:35.301545 osdx systemd-journald[123332]: Received client request to rotate journal, rotating.
Dec 17 21:42:35.301606 osdx systemd-journald[123332]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a189e667ab9f46898dbfc92a68a94f73.
Dec 17 21:42:35.308774 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system journal clear'.
Dec 17 21:42:35.577617 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 17 21:42:35.849011 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:42:35.937325 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 17 21:42:36.063087 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 17 21:42:36.127342 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:42:36.241800 osdx ubnt-cfgd[577296]: inactive
Dec 17 21:42:36.262323 osdx INFO[577302]: FRR daemons did not change
Dec 17 21:42:36.285436 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 17 21:42:36.331618 osdx WARNING[577370]: No supported link modes on interface eth0
Dec 17 21:42:36.333066 osdx modulelauncher[577370]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:42:36.333078 osdx modulelauncher[577370]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:42:36.334292 osdx modulelauncher[577370]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:42:36.334299 osdx modulelauncher[577370]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:42:36.371984 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:42:36.383624 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:42:36.401131 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:42:36.545509 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Dec 17 21:42:36.618604 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system journal show | cat'.
Dec 17 21:42:36.816204 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:42:36.885504 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 17 21:42:37.005892 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 17 21:42:37.068367 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 17 21:42:37.150845 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 17 21:42:37.218270 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d'.
Dec 17 21:42:37.334700 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Dec 17 21:42:37.405130 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 17 21:42:37.479569 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 17 21:42:37.560869 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 17 21:42:37.640440 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:42:37.725026 osdx ubnt-cfgd[577473]: inactive
Dec 17 21:42:37.750565 osdx INFO[577481]: FRR daemons did not change
Dec 17 21:42:37.765999 osdx ca-certificates[577497]: Updating certificates in /etc/ssl/certs...
Dec 17 21:42:38.319044 osdx ubnt-cfgd[578509]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:42:38.326823 osdx ca-certificates[578515]: 1 added, 0 removed; done.
Dec 17 21:42:38.329807 osdx ca-certificates[578521]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:42:38.332610 osdx ca-certificates[578523]: done.
Dec 17 21:42:38.405862 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:42:38.407326 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:42:38.409539 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:42:38.424857 osdx dnscrypt-proxy[578527]: dnscrypt-proxy 2.0.45
Dec 17 21:42:38.424928 osdx dnscrypt-proxy[578527]: Network connectivity detected
Dec 17 21:42:38.425144 osdx dnscrypt-proxy[578527]: Dropping privileges
Dec 17 21:42:38.428122 osdx dnscrypt-proxy[578527]: Network connectivity detected
Dec 17 21:42:38.428164 osdx dnscrypt-proxy[578527]: Now listening to 127.0.0.1:53 [UDP]
Dec 17 21:42:38.428171 osdx dnscrypt-proxy[578527]: Now listening to 127.0.0.1:53 [TCP]
Dec 17 21:42:38.428194 osdx dnscrypt-proxy[578527]: Firefox workaround initialized
Dec 17 21:42:38.428202 osdx dnscrypt-proxy[578527]: Loading the set of cloaking rules from [/tmp/tmp9tcy2uhj]
Dec 17 21:42:38.429208 osdx dnscrypt-proxy[578527]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Dec 17 21:42:38.458554 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:42:38.602330 osdx dnscrypt-proxy[578527]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Dec 17 21:42:38.602356 osdx dnscrypt-proxy[578527]: [RD] OK (DoH) - rtt: 115ms
Dec 17 21:42:38.602367 osdx dnscrypt-proxy[578527]: Server with the lowest initial latency: RD (rtt: 115ms)
Dec 17 21:42:38.602374 osdx dnscrypt-proxy[578527]: dnscrypt-proxy is ready - live servers: 1

Multiple Invalid Cipher

Description

Configures either one or two invalid ciphers and tries to communicate with the server. A refusal of all proposed ciphers is expected.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
Dec 17 21:42:45.000220 osdx systemd-timedated[577269]: Changed local time to Wed 2025-12-17 21:42:45 UTC
Dec 17 21:42:45.001617 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'set date 2025-12-17 21:42:45'.
Dec 17 21:42:45.001943 osdx systemd-journald[123332]: Time jumped backwards, rotating.
Dec 17 21:42:45.290649 osdx systemd-journald[123332]: Runtime Journal (/run/log/journal/a189e667ab9f46898dbfc92a68a94f73) is 1.8M, max 13.8M, 11.9M free.
Dec 17 21:42:45.293932 osdx systemd-journald[123332]: Received client request to rotate journal, rotating.
Dec 17 21:42:45.293991 osdx systemd-journald[123332]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a189e667ab9f46898dbfc92a68a94f73.
Dec 17 21:42:45.300547 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system journal clear'.
Dec 17 21:42:45.504429 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 17 21:42:45.728804 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:42:45.882115 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 17 21:42:45.935619 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 17 21:42:46.047363 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:42:46.121335 osdx ubnt-cfgd[580232]: inactive
Dec 17 21:42:46.143150 osdx INFO[580238]: FRR daemons did not change
Dec 17 21:42:46.165946 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 17 21:42:46.213840 osdx WARNING[580306]: No supported link modes on interface eth0
Dec 17 21:42:46.215343 osdx modulelauncher[580306]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:42:46.215355 osdx modulelauncher[580306]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:42:46.216576 osdx modulelauncher[580306]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:42:46.216585 osdx modulelauncher[580306]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:42:46.256606 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:42:46.268070 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:42:46.283625 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:42:46.438866 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Dec 17 21:42:46.518285 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system journal show | cat'.
Dec 17 21:42:46.668411 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:42:46.770738 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 17 21:42:46.892838 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 17 21:42:46.961576 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 17 21:42:47.052816 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 17 21:42:47.113680 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d'.
Dec 17 21:42:47.206941 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Dec 17 21:42:47.285021 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 17 21:42:47.378182 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 17 21:42:47.474524 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 17 21:42:47.551981 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:42:47.646540 osdx ubnt-cfgd[580409]: inactive
Dec 17 21:42:47.668425 osdx INFO[580417]: FRR daemons did not change
Dec 17 21:42:47.683127 osdx ca-certificates[580433]: Updating certificates in /etc/ssl/certs...
Dec 17 21:42:48.267600 osdx ubnt-cfgd[581445]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:42:48.276620 osdx ca-certificates[581452]: 1 added, 0 removed; done.
Dec 17 21:42:48.279751 osdx ca-certificates[581457]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:42:48.283703 osdx ca-certificates[581459]: done.
Dec 17 21:42:48.362441 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:42:48.364159 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:42:48.367010 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:42:48.386733 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:42:48.392351 osdx dnscrypt-proxy[581463]: dnscrypt-proxy 2.0.45
Dec 17 21:42:48.392472 osdx dnscrypt-proxy[581463]: Network connectivity detected
Dec 17 21:42:48.392865 osdx dnscrypt-proxy[581463]: Dropping privileges
Dec 17 21:42:48.396128 osdx dnscrypt-proxy[581463]: Network connectivity detected
Dec 17 21:42:48.396172 osdx dnscrypt-proxy[581463]: Now listening to 127.0.0.1:53 [UDP]
Dec 17 21:42:48.396178 osdx dnscrypt-proxy[581463]: Now listening to 127.0.0.1:53 [TCP]
Dec 17 21:42:48.396203 osdx dnscrypt-proxy[581463]: Firefox workaround initialized
Dec 17 21:42:48.396210 osdx dnscrypt-proxy[581463]: Loading the set of cloaking rules from [/tmp/tmptze5j80z]
Dec 17 21:42:48.397500 osdx dnscrypt-proxy[581463]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Dec 17 21:42:48.558124 osdx dnscrypt-proxy[581463]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Dec 17 21:42:48.558151 osdx dnscrypt-proxy[581463]: [RD] OK (DoH) - rtt: 104ms
Dec 17 21:42:48.558161 osdx dnscrypt-proxy[581463]: Server with the lowest initial latency: RD (rtt: 104ms)
Dec 17 21:42:48.558167 osdx dnscrypt-proxy[581463]: dnscrypt-proxy is ready - live servers: 1

Example 2

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
Dec 17 21:42:48.748814 osdx systemd-journald[123332]: Runtime Journal (/run/log/journal/a189e667ab9f46898dbfc92a68a94f73) is 1.8M, max 13.8M, 11.9M free.
Dec 17 21:42:48.749934 osdx systemd-journald[123332]: Received client request to rotate journal, rotating.
Dec 17 21:42:48.750002 osdx systemd-journald[123332]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a189e667ab9f46898dbfc92a68a94f73.
Dec 17 21:42:48.760618 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system journal clear'.
Dec 17 21:42:49.192970 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:42:49.292645 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'delete '.
Dec 17 21:42:49.415007 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Dec 17 21:42:49.486470 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:42:49.588631 osdx ubnt-cfgd[581513]: inactive
Dec 17 21:42:49.613207 osdx dnscrypt-proxy[581463]: Stopped.
Dec 17 21:42:49.613275 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Dec 17 21:42:49.614061 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Dec 17 21:42:49.614182 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:42:49.677333 osdx WARNING[581577]: No supported link modes on interface eth0
Dec 17 21:42:49.679030 osdx modulelauncher[581577]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:42:49.679042 osdx modulelauncher[581577]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:42:49.680502 osdx modulelauncher[581577]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:42:49.680512 osdx modulelauncher[581577]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:42:49.699507 osdx ca-certificates[581602]: Clearing symlinks in /etc/ssl/certs...
Dec 17 21:42:49.991133 osdx ca-certificates[582179]: done.
Dec 17 21:42:49.995100 osdx ca-certificates[582187]: Updating certificates in /etc/ssl/certs...
Dec 17 21:42:50.483028 osdx ubnt-cfgd[583046]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:42:50.493019 osdx ca-certificates[583052]: 142 added, 0 removed; done.
Dec 17 21:42:50.495912 osdx ca-certificates[583058]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:42:50.498735 osdx ca-certificates[583060]: done.
Dec 17 21:42:50.514211 osdx INFO[583063]: FRR daemons did not change
Dec 17 21:42:50.514502 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:42:50.545493 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:42:50.570410 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:42:51.833592 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:42:51.890229 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 17 21:42:52.000813 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 17 21:42:52.086920 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 17 21:42:52.184960 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 17 21:42:52.290224 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d'.
Dec 17 21:42:52.364160 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Dec 17 21:42:52.463639 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 17 21:42:52.546804 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 17 21:42:52.622509 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 17 21:42:52.696130 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:42:52.805888 osdx ubnt-cfgd[583097]: inactive
Dec 17 21:42:52.827883 osdx INFO[583105]: FRR daemons did not change
Dec 17 21:42:52.841302 osdx ca-certificates[583121]: Updating certificates in /etc/ssl/certs...
Dec 17 21:42:53.373470 osdx ubnt-cfgd[584133]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:42:53.381288 osdx ca-certificates[584139]: 1 added, 0 removed; done.
Dec 17 21:42:53.384372 osdx ca-certificates[584145]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:42:53.387244 osdx ca-certificates[584147]: done.
Dec 17 21:42:53.413955 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 17 21:42:53.468111 osdx WARNING[584213]: No supported link modes on interface eth0
Dec 17 21:42:53.469842 osdx modulelauncher[584213]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:42:53.469856 osdx modulelauncher[584213]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:42:53.471281 osdx modulelauncher[584213]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:42:53.471293 osdx modulelauncher[584213]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:42:53.614451 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:42:53.616019 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:42:53.629389 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:42:53.643485 osdx dnscrypt-proxy[584262]: dnscrypt-proxy 2.0.45
Dec 17 21:42:53.643590 osdx dnscrypt-proxy[584262]: Network connectivity detected
Dec 17 21:42:53.643898 osdx dnscrypt-proxy[584262]: Dropping privileges
Dec 17 21:42:53.647057 osdx dnscrypt-proxy[584262]: Network connectivity detected
Dec 17 21:42:53.647096 osdx dnscrypt-proxy[584262]: Now listening to 127.0.0.1:53 [UDP]
Dec 17 21:42:53.647101 osdx dnscrypt-proxy[584262]: Now listening to 127.0.0.1:53 [TCP]
Dec 17 21:42:53.647120 osdx dnscrypt-proxy[584262]: Firefox workaround initialized
Dec 17 21:42:53.647125 osdx dnscrypt-proxy[584262]: Loading the set of cloaking rules from [/tmp/tmp1cv7dgdw]
Dec 17 21:42:53.648458 osdx dnscrypt-proxy[584262]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Dec 17 21:42:53.651815 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.

Example 3

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Output:
Dec 17 21:42:53.988193 osdx systemd-journald[123332]: Runtime Journal (/run/log/journal/a189e667ab9f46898dbfc92a68a94f73) is 1.9M, max 13.8M, 11.9M free.
Dec 17 21:42:53.989949 osdx systemd-journald[123332]: Received client request to rotate journal, rotating.
Dec 17 21:42:53.990043 osdx systemd-journald[123332]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a189e667ab9f46898dbfc92a68a94f73.
Dec 17 21:42:54.001487 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system journal clear'.
Dec 17 21:42:54.331325 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:42:54.422061 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'delete '.
Dec 17 21:42:54.545455 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Dec 17 21:42:54.637018 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:42:54.729623 osdx ubnt-cfgd[584331]: inactive
Dec 17 21:42:54.754607 osdx dnscrypt-proxy[584262]: Stopped.
Dec 17 21:42:54.754671 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Dec 17 21:42:54.755700 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Dec 17 21:42:54.755829 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:42:54.820751 osdx WARNING[584395]: No supported link modes on interface eth0
Dec 17 21:42:54.822597 osdx modulelauncher[584395]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:42:54.822611 osdx modulelauncher[584395]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:42:54.823927 osdx modulelauncher[584395]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:42:54.823940 osdx modulelauncher[584395]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:42:54.841766 osdx ca-certificates[584420]: Clearing symlinks in /etc/ssl/certs...
Dec 17 21:42:55.150265 osdx ca-certificates[584997]: done.
Dec 17 21:42:55.153463 osdx ca-certificates[585006]: Updating certificates in /etc/ssl/certs...
Dec 17 21:42:55.663924 osdx ubnt-cfgd[585864]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:42:55.673425 osdx ca-certificates[585870]: 142 added, 0 removed; done.
Dec 17 21:42:55.677404 osdx ca-certificates[585876]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:42:55.680767 osdx ca-certificates[585878]: done.
Dec 17 21:42:55.699359 osdx INFO[585881]: FRR daemons did not change
Dec 17 21:42:55.699679 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:42:55.701822 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:42:55.719926 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:42:57.040161 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:42:57.111013 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 17 21:42:57.230760 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 17 21:42:57.313530 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 17 21:42:57.420367 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 17 21:42:57.519798 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d'.
Dec 17 21:42:57.578520 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Dec 17 21:42:57.692734 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Dec 17 21:42:57.753912 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 17 21:42:57.874561 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 17 21:42:57.956040 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 17 21:42:58.064697 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:42:58.131072 osdx ubnt-cfgd[585918]: inactive
Dec 17 21:42:58.153758 osdx INFO[585926]: FRR daemons did not change
Dec 17 21:42:58.170077 osdx ca-certificates[585942]: Updating certificates in /etc/ssl/certs...
Dec 17 21:42:58.725896 osdx ubnt-cfgd[586954]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:42:58.734578 osdx ca-certificates[586960]: 1 added, 0 removed; done.
Dec 17 21:42:58.738428 osdx ca-certificates[586966]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:42:58.742158 osdx ca-certificates[586968]: done.
Dec 17 21:42:58.765947 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 17 21:42:58.813030 osdx WARNING[587034]: No supported link modes on interface eth0
Dec 17 21:42:58.814625 osdx modulelauncher[587034]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:42:58.814638 osdx modulelauncher[587034]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:42:58.815926 osdx modulelauncher[587034]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:42:58.815937 osdx modulelauncher[587034]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:42:58.938400 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:42:58.940263 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:42:58.957745 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:42:58.968160 osdx dnscrypt-proxy[587083]: dnscrypt-proxy 2.0.45
Dec 17 21:42:58.968255 osdx dnscrypt-proxy[587083]: Network connectivity detected
Dec 17 21:42:58.968505 osdx dnscrypt-proxy[587083]: Dropping privileges
Dec 17 21:42:58.971950 osdx dnscrypt-proxy[587083]: Network connectivity detected
Dec 17 21:42:58.972011 osdx dnscrypt-proxy[587083]: Now listening to 127.0.0.1:53 [UDP]
Dec 17 21:42:58.972018 osdx dnscrypt-proxy[587083]: Now listening to 127.0.0.1:53 [TCP]
Dec 17 21:42:58.972043 osdx dnscrypt-proxy[587083]: Firefox workaround initialized
Dec 17 21:42:58.972052 osdx dnscrypt-proxy[587083]: Loading the set of cloaking rules from [/tmp/tmp3e7mvqat]
Dec 17 21:42:58.973743 osdx dnscrypt-proxy[587083]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file
Dec 17 21:42:58.981679 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.

Invalid Cipher With Fallback

Description

Configures an invalid cipher and a valid fallback cipher, then tries to communicate with the server. No refusal is expected, as long as the valid fallback cipher is the one used.

Scenario

Example 1

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Show output
Dec 17 21:43:07.306153 osdx systemd-journald[123332]: Runtime Journal (/run/log/journal/a189e667ab9f46898dbfc92a68a94f73) is 1.8M, max 13.8M, 11.9M free.
Dec 17 21:43:07.307237 osdx systemd-journald[123332]: Received client request to rotate journal, rotating.
Dec 17 21:43:07.307299 osdx systemd-journald[123332]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a189e667ab9f46898dbfc92a68a94f73.
Dec 17 21:43:07.316491 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system journal clear'.
Dec 17 21:43:07.529874 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 17 21:43:07.772055 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:43:07.863251 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 17 21:43:07.948239 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 17 21:43:08.025001 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:43:08.131298 osdx ubnt-cfgd[588809]: inactive
Dec 17 21:43:08.157732 osdx INFO[588815]: FRR daemons did not change
Dec 17 21:43:08.187254 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 17 21:43:08.241344 osdx WARNING[588883]: No supported link modes on interface eth0
Dec 17 21:43:08.243204 osdx modulelauncher[588883]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:43:08.243220 osdx modulelauncher[588883]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:43:08.244793 osdx modulelauncher[588883]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:43:08.244802 osdx modulelauncher[588883]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:43:08.289284 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:43:08.302462 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:43:08.323847 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:43:08.539739 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Dec 17 21:43:08.653305 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system journal show | cat'.
Dec 17 21:43:08.848508 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:43:09.522101 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 17 21:43:09.600713 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 17 21:43:09.716511 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 17 21:43:09.783312 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 17 21:43:09.883118 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d'.
Dec 17 21:43:09.938407 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Dec 17 21:43:10.040254 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Dec 17 21:43:10.106750 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 17 21:43:10.220303 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 17 21:43:10.273072 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 17 21:43:10.388208 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:43:10.456779 osdx ubnt-cfgd[588991]: inactive
Dec 17 21:43:10.518034 osdx INFO[588999]: FRR daemons did not change
Dec 17 21:43:10.531535 osdx ca-certificates[589015]: Updating certificates in /etc/ssl/certs...
Dec 17 21:43:11.090503 osdx ubnt-cfgd[590027]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:43:11.099452 osdx ca-certificates[590032]: 1 added, 0 removed; done.
Dec 17 21:43:11.103286 osdx ca-certificates[590039]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:43:11.106986 osdx ca-certificates[590041]: done.
Dec 17 21:43:11.175633 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:43:11.177060 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:43:11.179468 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:43:11.194302 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:43:11.194757 osdx dnscrypt-proxy[590045]: dnscrypt-proxy 2.0.45
Dec 17 21:43:11.194816 osdx dnscrypt-proxy[590045]: Network connectivity detected
Dec 17 21:43:11.195017 osdx dnscrypt-proxy[590045]: Dropping privileges
Dec 17 21:43:11.197513 osdx dnscrypt-proxy[590045]: Network connectivity detected
Dec 17 21:43:11.197548 osdx dnscrypt-proxy[590045]: Now listening to 127.0.0.1:53 [UDP]
Dec 17 21:43:11.197553 osdx dnscrypt-proxy[590045]: Now listening to 127.0.0.1:53 [TCP]
Dec 17 21:43:11.197572 osdx dnscrypt-proxy[590045]: Firefox workaround initialized
Dec 17 21:43:11.197580 osdx dnscrypt-proxy[590045]: Loading the set of cloaking rules from [/tmp/tmpi6649gdd]
Dec 17 21:43:11.366409 osdx dnscrypt-proxy[590045]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Dec 17 21:43:11.366432 osdx dnscrypt-proxy[590045]: [RD] OK (DoH) - rtt: 116ms
Dec 17 21:43:11.366443 osdx dnscrypt-proxy[590045]: Server with the lowest initial latency: RD (rtt: 116ms)
Dec 17 21:43:11.366449 osdx dnscrypt-proxy[590045]: dnscrypt-proxy is ready - live servers: 1
Dec 17 21:43:16.344729 osdx OSDxCLI[476020]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Dec 17 21:43:26.429787 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 2

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49200
Show output
Dec 17 21:43:26.648545 osdx systemd-journald[123332]: Runtime Journal (/run/log/journal/a189e667ab9f46898dbfc92a68a94f73) is 1.8M, max 13.8M, 11.9M free.
Dec 17 21:43:26.651251 osdx systemd-journald[123332]: Received client request to rotate journal, rotating.
Dec 17 21:43:26.651329 osdx systemd-journald[123332]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a189e667ab9f46898dbfc92a68a94f73.
Dec 17 21:43:26.659509 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system journal clear'.
Dec 17 21:43:26.935365 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:43:26.989272 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'delete '.
Dec 17 21:43:27.102993 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Dec 17 21:43:27.192226 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:43:27.280969 osdx ubnt-cfgd[590101]: inactive
Dec 17 21:43:27.302906 osdx dnscrypt-proxy[590045]: Stopped.
Dec 17 21:43:27.302927 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Dec 17 21:43:27.303870 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Dec 17 21:43:27.303976 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:43:27.365819 osdx WARNING[590165]: No supported link modes on interface eth0
Dec 17 21:43:27.367516 osdx modulelauncher[590165]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:43:27.367533 osdx modulelauncher[590165]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:43:27.369287 osdx modulelauncher[590165]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:43:27.369299 osdx modulelauncher[590165]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:43:27.387416 osdx ca-certificates[590190]: Clearing symlinks in /etc/ssl/certs...
Dec 17 21:43:27.704944 osdx ca-certificates[590767]: done.
Dec 17 21:43:27.708108 osdx ca-certificates[590776]: Updating certificates in /etc/ssl/certs...
Dec 17 21:43:28.257595 osdx ubnt-cfgd[591634]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:43:28.270894 osdx ca-certificates[591639]: 142 added, 0 removed; done.
Dec 17 21:43:28.277158 osdx ca-certificates[591646]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:43:28.282418 osdx ca-certificates[591648]: done.
Dec 17 21:43:28.305883 osdx INFO[591651]: FRR daemons did not change
Dec 17 21:43:28.306216 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:43:28.308770 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:43:28.338152 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:43:29.860248 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:43:30.882759 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 17 21:43:31.009635 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 17 21:43:31.141846 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 17 21:43:31.287757 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 17 21:43:31.476424 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d'.
Dec 17 21:43:31.613083 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Dec 17 21:43:31.711603 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Dec 17 21:43:31.793671 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 17 21:43:31.891516 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 17 21:43:32.002202 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 17 21:43:32.132033 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:43:32.232904 osdx ubnt-cfgd[591688]: inactive
Dec 17 21:43:32.265250 osdx INFO[591696]: FRR daemons did not change
Dec 17 21:43:32.282737 osdx ca-certificates[591712]: Updating certificates in /etc/ssl/certs...
Dec 17 21:43:33.044089 osdx ubnt-cfgd[592724]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:43:33.054621 osdx ca-certificates[592729]: 1 added, 0 removed; done.
Dec 17 21:43:33.058711 osdx ca-certificates[592736]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:43:33.062727 osdx ca-certificates[592738]: done.
Dec 17 21:43:33.087251 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 17 21:43:33.135293 osdx WARNING[592804]: No supported link modes on interface eth0
Dec 17 21:43:33.136774 osdx modulelauncher[592804]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:43:33.136787 osdx modulelauncher[592804]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:43:33.137978 osdx modulelauncher[592804]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:43:33.137986 osdx modulelauncher[592804]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:43:33.255725 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:43:33.257615 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:43:33.273032 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:43:33.281290 osdx dnscrypt-proxy[592853]: dnscrypt-proxy 2.0.45
Dec 17 21:43:33.281691 osdx dnscrypt-proxy[592853]: Network connectivity detected
Dec 17 21:43:33.281972 osdx dnscrypt-proxy[592853]: Dropping privileges
Dec 17 21:43:33.286098 osdx dnscrypt-proxy[592853]: Network connectivity detected
Dec 17 21:43:33.286147 osdx dnscrypt-proxy[592853]: Now listening to 127.0.0.1:53 [UDP]
Dec 17 21:43:33.286153 osdx dnscrypt-proxy[592853]: Now listening to 127.0.0.1:53 [TCP]
Dec 17 21:43:33.286177 osdx dnscrypt-proxy[592853]: Firefox workaround initialized
Dec 17 21:43:33.286183 osdx dnscrypt-proxy[592853]: Loading the set of cloaking rules from [/tmp/tmpblv_n9_q]
Dec 17 21:43:33.312411 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:43:33.466917 osdx dnscrypt-proxy[592853]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Dec 17 21:43:33.466939 osdx dnscrypt-proxy[592853]: [RD] OK (DoH) - rtt: 115ms
Dec 17 21:43:33.466949 osdx dnscrypt-proxy[592853]: Server with the lowest initial latency: RD (rtt: 115ms)
Dec 17 21:43:33.466955 osdx dnscrypt-proxy[592853]: dnscrypt-proxy is ready - live servers: 1
Dec 17 21:43:33.506734 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 3

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 52392
Show output
Dec 17 21:43:33.822345 osdx systemd-journald[123332]: Runtime Journal (/run/log/journal/a189e667ab9f46898dbfc92a68a94f73) is 1.8M, max 13.8M, 11.9M free.
Dec 17 21:43:33.823245 osdx systemd-journald[123332]: Received client request to rotate journal, rotating.
Dec 17 21:43:33.823317 osdx systemd-journald[123332]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a189e667ab9f46898dbfc92a68a94f73.
Dec 17 21:43:33.839393 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system journal clear'.
Dec 17 21:43:34.411163 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:43:34.491850 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'delete '.
Dec 17 21:43:34.606795 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Dec 17 21:43:34.719624 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:43:34.785615 osdx ubnt-cfgd[592924]: inactive
Dec 17 21:43:34.814976 osdx dnscrypt-proxy[592853]: Stopped.
Dec 17 21:43:34.815059 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Dec 17 21:43:34.816308 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Dec 17 21:43:34.816489 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:43:34.891055 osdx WARNING[592988]: No supported link modes on interface eth0
Dec 17 21:43:34.893074 osdx modulelauncher[592988]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:43:34.893093 osdx modulelauncher[592988]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:43:34.894805 osdx modulelauncher[592988]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:43:34.894818 osdx modulelauncher[592988]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:43:34.916196 osdx ca-certificates[593013]: Clearing symlinks in /etc/ssl/certs...
Dec 17 21:43:35.279200 osdx ca-certificates[593590]: done.
Dec 17 21:43:35.282741 osdx ca-certificates[593599]: Updating certificates in /etc/ssl/certs...
Dec 17 21:43:35.874116 osdx ubnt-cfgd[594457]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:43:35.884726 osdx ca-certificates[594462]: 142 added, 0 removed; done.
Dec 17 21:43:35.890004 osdx ca-certificates[594469]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:43:35.895273 osdx ca-certificates[594471]: done.
Dec 17 21:43:35.927221 osdx INFO[594474]: FRR daemons did not change
Dec 17 21:43:35.927952 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:43:35.931821 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:43:35.957673 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:43:37.030845 osdx systemd[1]: systemd-timedated.service: Deactivated successfully.
Dec 17 21:43:37.691956 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:43:38.719965 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 17 21:43:38.835200 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 17 21:43:38.960345 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 17 21:43:39.084959 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 17 21:43:39.238545 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d'.
Dec 17 21:43:39.351100 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA'.
Dec 17 21:43:39.456878 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Dec 17 21:43:39.555741 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 17 21:43:39.688711 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 17 21:43:39.825050 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 17 21:43:39.949170 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:43:40.079856 osdx ubnt-cfgd[594513]: inactive
Dec 17 21:43:40.116522 osdx INFO[594521]: FRR daemons did not change
Dec 17 21:43:40.134510 osdx ca-certificates[594536]: Updating certificates in /etc/ssl/certs...
Dec 17 21:43:40.984015 osdx ubnt-cfgd[595549]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:43:40.996947 osdx ca-certificates[595556]: 1 added, 0 removed; done.
Dec 17 21:43:41.001067 osdx ca-certificates[595561]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:43:41.005209 osdx ca-certificates[595563]: done.
Dec 17 21:43:41.055254 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 17 21:43:41.128136 osdx WARNING[595629]: No supported link modes on interface eth0
Dec 17 21:43:41.130878 osdx modulelauncher[595629]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:43:41.130895 osdx modulelauncher[595629]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:43:41.133078 osdx modulelauncher[595629]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:43:41.133092 osdx modulelauncher[595629]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:43:41.275795 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:43:41.281040 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:43:41.306171 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:43:41.315658 osdx dnscrypt-proxy[595678]: dnscrypt-proxy 2.0.45
Dec 17 21:43:41.316118 osdx dnscrypt-proxy[595678]: Network connectivity detected
Dec 17 21:43:41.316458 osdx dnscrypt-proxy[595678]: Dropping privileges
Dec 17 21:43:41.320434 osdx dnscrypt-proxy[595678]: Network connectivity detected
Dec 17 21:43:41.320475 osdx dnscrypt-proxy[595678]: Now listening to 127.0.0.1:53 [UDP]
Dec 17 21:43:41.320481 osdx dnscrypt-proxy[595678]: Now listening to 127.0.0.1:53 [TCP]
Dec 17 21:43:41.320504 osdx dnscrypt-proxy[595678]: Firefox workaround initialized
Dec 17 21:43:41.320511 osdx dnscrypt-proxy[595678]: Loading the set of cloaking rules from [/tmp/tmpu53mcexr]
Dec 17 21:43:41.358772 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:43:41.737576 osdx dnscrypt-proxy[595678]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Dec 17 21:43:41.737606 osdx dnscrypt-proxy[595678]: [RD] OK (DoH) - rtt: 120ms
Dec 17 21:43:41.737622 osdx dnscrypt-proxy[595678]: Server with the lowest initial latency: RD (rtt: 120ms)
Dec 17 21:43:41.737628 osdx dnscrypt-proxy[595678]: dnscrypt-proxy is ready - live servers: 1
Dec 17 21:43:46.583792 osdx OSDxCLI[476020]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Dec 17 21:43:56.683391 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
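
The decimal value after "Cipher suite:" in the dnscrypt-proxy journal lines is the IANA code point of the negotiated suite (49199 = 0xC02F, 49200 = 0xC030, 52392 = 0xCCA8). The following added example, which is not part of the test suite or of OSDx, decodes that value and checks that the negotiated suite is one of the configured "cipher N algorithm" entries and not the invalid first choice. It assumes "TLS version: 303" is the hexadecimal protocol version 0x0303 (TLS 1.2); the names audit, Verdict and configured_ciphers are hypothetical.

```python
import re
from typing import NamedTuple, Optional

# IANA code points for the cipher suites named on this page.
IANA_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}
# Suites this page configures as the "invalid" first choice.
LEGACY_SUITES = {"TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
# Assumption: the logged version is hexadecimal (303 -> 0x0303).
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

CFG_RE = re.compile(r"set service dns proxy cipher (\d+) algorithm ([A-Z0-9_]+)")
HANDSHAKE_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[([^\]]+)\] TLS version: ([0-9a-fA-F]+)"
    r" - Protocol: (\S+) - Cipher suite: (\d+)")
FAILURE_RE = re.compile(r"dnscrypt-proxy\[\d+\]: TLS handshake failure")


class Verdict(NamedTuple):
    status: str
    suite: Optional[str] = None
    tls_version: Optional[str] = None


def configured_ciphers(config: str) -> list:
    """Return configured suite names ordered by their 'cipher N' index."""
    pairs = [(int(n), name) for n, name in CFG_RE.findall(config)]
    return [name for _, name in sorted(pairs)]


def audit(config: str, journal: str) -> Verdict:
    """Classify the most recent TLS handshake event found in the journal."""
    wanted = configured_ciphers(config)
    last = None
    for line in journal.splitlines():
        if FAILURE_RE.search(line):
            last = Verdict("handshake-failure")
            continue
        m = HANDSHAKE_RE.search(line)
        if not m:
            continue
        _server, ver_hex, _proto, suite_dec = m.groups()
        code = int(suite_dec)
        name = IANA_SUITES.get(code, f"unknown(0x{code:04X})")
        version = TLS_VERSIONS.get(int(ver_hex, 16), f"unknown(0x{ver_hex})")
        if name in LEGACY_SUITES:
            status = "legacy-suite-negotiated"
        elif name not in wanted:
            status = "suite-not-in-config"
        else:
            status = "ok"
        last = Verdict(status, name, version)
    return last or Verdict("no-handshake-logged")


# Cipher lines from Step 1 of Examples 1 and 3 on this page.
EX1_CONFIG = """\
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""
EX3_CONFIG = """\
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
"""
# Journal lines excerpted from the outputs shown on this page.
EX1_JOURNAL = """\
Dec 17 21:43:11.366409 osdx dnscrypt-proxy[590045]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Dec 17 21:43:11.366432 osdx dnscrypt-proxy[590045]: [RD] OK (DoH) - rtt: 116ms
"""
EX2_JOURNAL = "Dec 17 21:43:33.466917 osdx dnscrypt-proxy[592853]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200\n"
EX3_JOURNAL = "Dec 17 21:43:41.737576 osdx dnscrypt-proxy[595678]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392\n"
FAIL_JOURNAL = "Dec 17 21:42:58.973743 osdx dnscrypt-proxy[587083]: TLS handshake failure - Try changing or deleting the tls_cipher_suite value in the configuration file\n"
# Constructed inputs (not from the page): an RC4-only configuration, and a
# journal line in which the RC4 suite (code point 5) was negotiated.
RC4_ONLY_CONFIG = "set service dns proxy cipher 1 algorithm TLS_RSA_WITH_RC4_128_SHA\n"
LEGACY_JOURNAL = "Dec 17 00:00:00.000000 osdx dnscrypt-proxy[1]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 5\n"

if __name__ == "__main__":
    print(audit(EX1_CONFIG, EX1_JOURNAL))
    print(audit(EX3_CONFIG, EX3_JOURNAL))
    print(audit(RC4_ONLY_CONFIG, FAIL_JOURNAL))
    print(audit(EX1_CONFIG, LEGACY_JOURNAL))
```

Unlike the token check in Step 3, this also reports a handshake that completed with a suite outside the configured list or with the legacy first choice.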

Example 4

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command show host lookup teldat.com type A at DUT0 and check if output contains the following tokens:

teldat.com has address 19.18.17.16
Show output
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run command system journal show | cat at DUT0 and check if output contains the following tokens:

Cipher suite: 49199
Show output
Dec 17 21:43:56.941689 osdx systemd-journald[123332]: Runtime Journal (/run/log/journal/a189e667ab9f46898dbfc92a68a94f73) is 1.8M, max 13.8M, 11.9M free.
Dec 17 21:43:56.943243 osdx systemd-journald[123332]: Received client request to rotate journal, rotating.
Dec 17 21:43:56.943306 osdx systemd-journald[123332]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a189e667ab9f46898dbfc92a68a94f73.
Dec 17 21:43:56.952443 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system journal clear'.
Dec 17 21:43:57.241753 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:43:57.313405 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'delete '.
Dec 17 21:43:57.440443 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Dec 17 21:43:57.504821 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:43:57.637618 osdx ubnt-cfgd[595755]: inactive
Dec 17 21:43:57.672674 osdx dnscrypt-proxy[595678]: Stopped.
Dec 17 21:43:57.672686 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Dec 17 21:43:57.673427 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Dec 17 21:43:57.673551 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:43:57.735380 osdx WARNING[595820]: No supported link modes on interface eth0
Dec 17 21:43:57.736887 osdx modulelauncher[595820]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:43:57.736901 osdx modulelauncher[595820]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:43:57.738075 osdx modulelauncher[595820]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:43:57.738083 osdx modulelauncher[595820]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:43:57.755915 osdx ca-certificates[595845]: Clearing symlinks in /etc/ssl/certs...
Dec 17 21:43:58.091021 osdx ca-certificates[596423]: done.
Dec 17 21:43:58.095197 osdx ca-certificates[596430]: Updating certificates in /etc/ssl/certs...
Dec 17 21:43:58.607693 osdx ubnt-cfgd[597289]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:43:58.615774 osdx ca-certificates[597295]: 142 added, 0 removed; done.
Dec 17 21:43:58.618729 osdx ca-certificates[597301]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:43:58.621563 osdx ca-certificates[597303]: done.
Dec 17 21:43:58.637397 osdx INFO[597306]: FRR daemons did not change
Dec 17 21:43:58.637675 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:43:58.861972 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:43:58.878769 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:44:00.200012 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:44:00.922055 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 17 21:44:00.996359 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 17 21:44:01.119968 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 17 21:44:01.189225 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 17 21:44:01.332917 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d'.
Dec 17 21:44:01.452771 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Dec 17 21:44:01.555749 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Dec 17 21:44:01.656643 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 17 21:44:01.802063 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 17 21:44:01.877296 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 17 21:44:02.021694 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:44:02.140884 osdx ubnt-cfgd[597346]: inactive
Dec 17 21:44:02.174410 osdx INFO[597354]: FRR daemons did not change
Dec 17 21:44:02.193268 osdx ca-certificates[597370]: Updating certificates in /etc/ssl/certs...
Dec 17 21:44:02.947936 osdx ubnt-cfgd[598382]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:44:02.960860 osdx ca-certificates[598387]: 1 added, 0 removed; done.
Dec 17 21:44:02.964546 osdx ca-certificates[598394]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:44:02.968514 osdx ca-certificates[598396]: done.
Dec 17 21:44:03.007260 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 17 21:44:03.070982 osdx WARNING[598462]: No supported link modes on interface eth0
Dec 17 21:44:03.073080 osdx modulelauncher[598462]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:44:03.073105 osdx modulelauncher[598462]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:44:03.074756 osdx modulelauncher[598462]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:44:03.074770 osdx modulelauncher[598462]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:44:03.223807 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:44:03.225373 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:44:03.242341 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:44:03.253539 osdx dnscrypt-proxy[598511]: dnscrypt-proxy 2.0.45
Dec 17 21:44:03.253653 osdx dnscrypt-proxy[598511]: Network connectivity detected
Dec 17 21:44:03.253915 osdx dnscrypt-proxy[598511]: Dropping privileges
Dec 17 21:44:03.257428 osdx dnscrypt-proxy[598511]: Network connectivity detected
Dec 17 21:44:03.257470 osdx dnscrypt-proxy[598511]: Now listening to 127.0.0.1:53 [UDP]
Dec 17 21:44:03.257476 osdx dnscrypt-proxy[598511]: Now listening to 127.0.0.1:53 [TCP]
Dec 17 21:44:03.257498 osdx dnscrypt-proxy[598511]: Firefox workaround initialized
Dec 17 21:44:03.257505 osdx dnscrypt-proxy[598511]: Loading the set of cloaking rules from [/tmp/tmp5e56m3x7]
Dec 17 21:44:03.266540 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:44:03.435420 osdx dnscrypt-proxy[598511]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49199
Dec 17 21:44:03.435453 osdx dnscrypt-proxy[598511]: [RD] OK (DoH) - rtt: 117ms
Dec 17 21:44:03.435463 osdx dnscrypt-proxy[598511]: Server with the lowest initial latency: RD (rtt: 117ms)
Dec 17 21:44:03.435469 osdx dnscrypt-proxy[598511]: dnscrypt-proxy is ready - live servers: 1
Dec 17 21:44:08.444353 osdx OSDxCLI[476020]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Dec 17 21:44:18.586598 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 5

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command show host lookup teldat.com type A at DUT0 and check that the output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run the command system journal show | cat at DUT0 and check that the output contains the following tokens:

Cipher suite: 49200
Output:
Dec 17 21:44:18.855995 osdx systemd-journald[123332]: Runtime Journal (/run/log/journal/a189e667ab9f46898dbfc92a68a94f73) is 1.8M, max 13.8M, 11.9M free.
Dec 17 21:44:18.859245 osdx systemd-journald[123332]: Received client request to rotate journal, rotating.
Dec 17 21:44:18.859327 osdx systemd-journald[123332]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a189e667ab9f46898dbfc92a68a94f73.
Dec 17 21:44:18.867252 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system journal clear'.
Dec 17 21:44:19.201517 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:44:19.263819 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'delete '.
Dec 17 21:44:19.397025 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Dec 17 21:44:19.472930 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:44:19.670459 osdx ubnt-cfgd[598587]: inactive
Dec 17 21:44:19.696460 osdx dnscrypt-proxy[598511]: Stopped.
Dec 17 21:44:19.696485 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Dec 17 21:44:19.697583 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Dec 17 21:44:19.697695 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:44:19.758160 osdx WARNING[598651]: No supported link modes on interface eth0
Dec 17 21:44:19.760130 osdx modulelauncher[598651]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:44:19.760149 osdx modulelauncher[598651]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:44:19.761487 osdx modulelauncher[598651]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:44:19.761498 osdx modulelauncher[598651]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:44:19.781214 osdx ca-certificates[598675]: Clearing symlinks in /etc/ssl/certs...
Dec 17 21:44:20.185052 osdx ca-certificates[599252]: done.
Dec 17 21:44:20.189164 osdx ca-certificates[599263]: Updating certificates in /etc/ssl/certs...
Dec 17 21:44:20.702454 osdx ubnt-cfgd[600120]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:44:20.711414 osdx ca-certificates[600125]: 142 added, 0 removed; done.
Dec 17 21:44:20.715284 osdx ca-certificates[600132]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:44:20.718298 osdx ca-certificates[600134]: done.
Dec 17 21:44:20.734014 osdx INFO[600137]: FRR daemons did not change
Dec 17 21:44:20.734340 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:44:20.736629 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:44:20.752769 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:44:22.086349 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:44:22.737486 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 17 21:44:22.837880 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 17 21:44:22.950673 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 17 21:44:23.007978 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 17 21:44:23.112073 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d'.
Dec 17 21:44:23.172680 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Dec 17 21:44:23.287050 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'.
Dec 17 21:44:23.355515 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 17 21:44:23.445987 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 17 21:44:23.520464 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 17 21:44:23.640063 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:44:23.712396 osdx ubnt-cfgd[600174]: inactive
Dec 17 21:44:23.737537 osdx INFO[600182]: FRR daemons did not change
Dec 17 21:44:23.754528 osdx ca-certificates[600198]: Updating certificates in /etc/ssl/certs...
Dec 17 21:44:24.381362 osdx ubnt-cfgd[601210]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:44:24.392049 osdx ca-certificates[601215]: 1 added, 0 removed; done.
Dec 17 21:44:24.396242 osdx ca-certificates[601222]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:44:24.399501 osdx ca-certificates[601224]: done.
Dec 17 21:44:24.423254 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 17 21:44:24.474913 osdx WARNING[601290]: No supported link modes on interface eth0
Dec 17 21:44:24.476782 osdx modulelauncher[601290]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:44:24.476797 osdx modulelauncher[601290]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:44:24.478727 osdx modulelauncher[601290]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:44:24.478737 osdx modulelauncher[601290]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:44:24.603659 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:44:24.605270 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:44:24.618478 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:44:24.630311 osdx dnscrypt-proxy[601339]: dnscrypt-proxy 2.0.45
Dec 17 21:44:24.630393 osdx dnscrypt-proxy[601339]: Network connectivity detected
Dec 17 21:44:24.630741 osdx dnscrypt-proxy[601339]: Dropping privileges
Dec 17 21:44:24.634155 osdx dnscrypt-proxy[601339]: Network connectivity detected
Dec 17 21:44:24.634201 osdx dnscrypt-proxy[601339]: Now listening to 127.0.0.1:53 [UDP]
Dec 17 21:44:24.634208 osdx dnscrypt-proxy[601339]: Now listening to 127.0.0.1:53 [TCP]
Dec 17 21:44:24.634230 osdx dnscrypt-proxy[601339]: Firefox workaround initialized
Dec 17 21:44:24.634237 osdx dnscrypt-proxy[601339]: Loading the set of cloaking rules from [/tmp/tmppe7yoe9f]
Dec 17 21:44:24.639167 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:44:24.802943 osdx dnscrypt-proxy[601339]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 49200
Dec 17 21:44:24.802968 osdx dnscrypt-proxy[601339]: [RD] OK (DoH) - rtt: 110ms
Dec 17 21:44:24.802978 osdx dnscrypt-proxy[601339]: Server with the lowest initial latency: RD (rtt: 110ms)
Dec 17 21:44:24.802984 osdx dnscrypt-proxy[601339]: dnscrypt-proxy is ready - live servers: 1
Dec 17 21:44:29.810299 osdx OSDxCLI[476020]: User 'admin' entered an invalid command: 'show host lookup teldat.com type A'.
Dec 17 21:44:39.942106 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.

Example 6

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA
set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
set service dns proxy log level 0
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run the command show host lookup teldat.com type A at DUT0 and check that the output contains the following tokens:

teldat.com has address 19.18.17.16
Output:
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
teldat.com has address 19.18.17.16

Step 3: Run the command system journal show | cat at DUT0 and check that the output contains the following tokens:

Cipher suite: 52392
Output:
Dec 17 21:44:40.161831 osdx systemd-journald[123332]: Runtime Journal (/run/log/journal/a189e667ab9f46898dbfc92a68a94f73) is 1.8M, max 13.8M, 11.9M free.
Dec 17 21:44:40.163241 osdx systemd-journald[123332]: Received client request to rotate journal, rotating.
Dec 17 21:44:40.163316 osdx systemd-journald[123332]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a189e667ab9f46898dbfc92a68a94f73.
Dec 17 21:44:40.173446 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'system journal clear'.
Dec 17 21:44:40.471528 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:44:40.533830 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'delete '.
Dec 17 21:44:40.709463 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system login user admin authentication encrypted-password $6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'.
Dec 17 21:44:40.768857 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:44:40.857819 osdx ubnt-cfgd[601417]: inactive
Dec 17 21:44:40.879182 osdx dnscrypt-proxy[601339]: Stopped.
Dec 17 21:44:40.879244 osdx systemd[1]: Stopping dnscrypt-proxy.service - DNSCrypt client proxy...
Dec 17 21:44:40.880232 osdx systemd[1]: dnscrypt-proxy.service: Deactivated successfully.
Dec 17 21:44:40.880358 osdx systemd[1]: Stopped dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:44:40.942995 osdx WARNING[601481]: No supported link modes on interface eth0
Dec 17 21:44:40.945653 osdx modulelauncher[601481]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:44:40.945672 osdx modulelauncher[601481]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:44:40.947680 osdx modulelauncher[601481]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:44:40.947693 osdx modulelauncher[601481]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:44:40.964544 osdx ca-certificates[601506]: Clearing symlinks in /etc/ssl/certs...
Dec 17 21:44:41.278802 osdx ca-certificates[602083]: done.
Dec 17 21:44:41.282857 osdx ca-certificates[602091]: Updating certificates in /etc/ssl/certs...
Dec 17 21:44:41.759105 osdx ubnt-cfgd[602950]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:44:41.767427 osdx ca-certificates[602955]: 142 added, 0 removed; done.
Dec 17 21:44:41.770870 osdx ca-certificates[602962]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:44:41.774615 osdx ca-certificates[602964]: done.
Dec 17 21:44:41.790441 osdx INFO[602967]: FRR daemons did not change
Dec 17 21:44:41.790742 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:44:41.793069 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:44:41.809580 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:44:43.205723 osdx OSDxCLI[476020]: User 'admin' entered the configuration menu.
Dec 17 21:44:43.849793 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 17 21:44:43.917258 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy server-name RD'.
Dec 17 21:44:44.049183 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https host name remote.dns'.
Dec 17 21:44:44.122458 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https ip 10.215.168.1'.
Dec 17 21:44:44.257911 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d'.
Dec 17 21:44:44.388020 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Dec 17 21:44:44.479091 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Dec 17 21:44:44.622328 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 17 21:44:44.739135 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 17 21:44:44.846084 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 17 21:44:44.951116 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:44:45.050556 osdx ubnt-cfgd[603004]: inactive
Dec 17 21:44:45.082863 osdx INFO[603012]: FRR daemons did not change
Dec 17 21:44:45.099185 osdx ca-certificates[603028]: Updating certificates in /etc/ssl/certs...
Dec 17 21:44:45.825996 osdx ubnt-cfgd[604040]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:44:45.834476 osdx ca-certificates[604046]: 1 added, 0 removed; done.
Dec 17 21:44:45.838204 osdx ca-certificates[604052]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:44:45.841903 osdx ca-certificates[604054]: done.
Dec 17 21:44:45.875253 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 17 21:44:45.931449 osdx WARNING[604120]: No supported link modes on interface eth0
Dec 17 21:44:45.933345 osdx modulelauncher[604120]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:44:45.933362 osdx modulelauncher[604120]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:44:45.934771 osdx modulelauncher[604120]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:44:45.934781 osdx modulelauncher[604120]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:44:46.087735 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:44:46.089467 osdx cfgd[1460]: [476020]Completed change to active configuration
Dec 17 21:44:46.108140 osdx OSDxCLI[476020]: User 'admin' committed the configuration.
Dec 17 21:44:46.114331 osdx dnscrypt-proxy[604169]: dnscrypt-proxy 2.0.45
Dec 17 21:44:46.114433 osdx dnscrypt-proxy[604169]: Network connectivity detected
Dec 17 21:44:46.114765 osdx dnscrypt-proxy[604169]: Dropping privileges
Dec 17 21:44:46.117601 osdx dnscrypt-proxy[604169]: Network connectivity detected
Dec 17 21:44:46.117657 osdx dnscrypt-proxy[604169]: Now listening to 127.0.0.1:53 [UDP]
Dec 17 21:44:46.117661 osdx dnscrypt-proxy[604169]: Now listening to 127.0.0.1:53 [TCP]
Dec 17 21:44:46.117697 osdx dnscrypt-proxy[604169]: Firefox workaround initialized
Dec 17 21:44:46.117703 osdx dnscrypt-proxy[604169]: Loading the set of cloaking rules from [/tmp/tmpvznkig1g]
Dec 17 21:44:46.131262 osdx OSDxCLI[476020]: User 'admin' left the configuration menu.
Dec 17 21:44:46.295198 osdx dnscrypt-proxy[604169]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Dec 17 21:44:46.295399 osdx dnscrypt-proxy[604169]: [RD] OK (DoH) - rtt: 105ms
Dec 17 21:44:46.295415 osdx dnscrypt-proxy[604169]: Server with the lowest initial latency: RD (rtt: 105ms)
Dec 17 21:44:46.295421 osdx dnscrypt-proxy[604169]: dnscrypt-proxy is ready - live servers: 1
Dec 17 21:44:46.317439 osdx OSDxCLI[476020]: User 'admin' executed a new command: 'show host lookup teldat.com type A'.
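
Step 3 in Examples 5 and 6 matches a decimal code in the journal. As an added example (not part of the original test suite or the vendor's tooling), the Python function below decodes that code to its IANA cipher suite name and checks it against the cipher list configured earlier in the same journal. The name audit_journal is hypothetical, the reading of "TLS version: 303" as hex 0x0303 is an assumption, and the last three sample lines are constructed to show the failing case.

```python
import re

# IANA code points for the cipher algorithms configured on this page.
IANA_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}
# Assumption: the "TLS version" field is the wire version printed in hex.
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

RESET_RE = re.compile(r"added a new cfg line: 'delete '")
CIPHER_RE = re.compile(r"set service dns proxy cipher \d+ algorithm (\w+)")
HANDSHAKE_RE = re.compile(
    r"\[(?P<server>[^\]]+)\] TLS version: (?P<ver>[0-9a-fA-F]+)"
    r" - Protocol: (?P<proto>\S+) - Cipher suite: (?P<suite>\d+)")


def audit_journal(text):
    """Return one finding per logged DoH handshake, checked against the
    cipher list that was configured at that point in the journal."""
    configured, findings = set(), []
    for line in text.splitlines():
        if RESET_RE.search(line):
            configured = set()          # 'delete' wipes the previous config
            continue
        m = CIPHER_RE.search(line)
        if m:
            configured.add(m.group(1))
            continue
        m = HANDSHAKE_RE.search(line)
        if not m:
            continue
        code = int(m.group("suite"))         # logged in decimal
        version = int(m.group("ver"), 16)    # logged in hex (assumed)
        name = IANA_SUITES.get(code, "unknown(0x%04X)" % code)
        findings.append({
            "server": m.group("server"),
            "tls": TLS_VERSIONS.get(version, "unknown(0x%04X)" % version),
            "suite": name,
            "in_configured_list": name in configured,
            "aead": "_GCM_" in name or "POLY1305" in name,
        })
    return findings


# Lines 1-3 are copied from the Example 6 journal; lines 4-6 are constructed
# to show a handshake that falls outside the configured list.
SAMPLE_JOURNAL = """\
Dec 17 21:44:44.388020 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_RSA_WITH_3DES_EDE_CBC_SHA'.
Dec 17 21:44:44.479091 osdx OSDxCLI[476020]: User 'admin' added a new cfg line: 'set service dns proxy cipher 2 algorithm TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'.
Dec 17 21:44:46.295198 osdx dnscrypt-proxy[604169]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 52392
Jan 01 00:00:00.000000 osdx OSDxCLI[1]: User 'admin' added a new cfg line: 'delete '.
Jan 01 00:00:01.000000 osdx OSDxCLI[1]: User 'admin' added a new cfg line: 'set service dns proxy cipher 1 algorithm TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.
Jan 01 00:00:02.000000 osdx dnscrypt-proxy[2]: [RD] TLS version: 303 - Protocol: h2 - Cipher suite: 10
"""

if __name__ == "__main__":
    for finding in audit_journal(SAMPLE_JOURNAL):
        print(finding)
```

A finding with in_configured_list False or aead False is the case to investigate: the proxy negotiated a suite outside the configured list, or a non-AEAD suite such as the 3DES one.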