Cipher Server
Test suite to validate the use of one or more ciphers to protect a DoH connection
TLS v1.3 Connection
Description
Sets up DUT0 as a server and DUT1 as a client, and ensures that the communication between them is secured by TLS v1.3.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server cert file 'running://dns.dut0.crt'
set service dns proxy server cert key 'running://dns.dut0.key'
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 56d2dc9783a8c33a68b4b8938777fc5a91749b16b5b6117fa04686ce5ad9496d
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns static host-name teldat.com inet 10.11.12.13
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 10.215.168.65/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name DUT0
set service dns proxy static DUT0 protocol dns-over-https hash 7991f6763f57192d5e7038bfad20a88453c95b4a98a33aa074515c6c16251a35
set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0
set service dns proxy static DUT0 protocol dns-over-https host port 3000
set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64
set service dns resolver local
set service dns static host-name dns.dut0 inet 10.215.168.64
set service ssh
set system certificate trust 'running://CA.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Run the command system journal show | cat at DUT1 and expect this output:
Dec 17 21:40:55.273450 osdx systemd-journald[1556]: Runtime Journal (/run/log/journal/c6a6a8e2d9d640e4bbdbbcec0635592c) is 948.0K, max 6.5M, 5.5M free.
Dec 17 21:40:55.277268 osdx systemd-journald[1556]: Received client request to rotate journal, rotating.
Dec 17 21:40:55.277352 osdx systemd-journald[1556]: Vacuuming done, freed 0B of archived journals from /run/log/journal/c6a6a8e2d9d640e4bbdbbcec0635592c.
Dec 17 21:40:55.287464 osdx OSDxCLI[67921]: User 'admin' executed a new command: 'system journal clear'.
Dec 17 21:40:55.518765 osdx OSDxCLI[67921]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 17 21:40:56.703701 osdx OSDxCLI[67921]: User 'admin' entered the configuration menu.
Dec 17 21:40:56.795798 osdx OSDxCLI[67921]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.65/24'.
Dec 17 21:40:56.894824 osdx OSDxCLI[67921]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 17 21:40:56.953518 osdx OSDxCLI[67921]: User 'admin' added a new cfg line: 'set service ssh'.
Dec 17 21:40:57.057210 osdx OSDxCLI[67921]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:40:57.115667 osdx ubnt-cfgd[287131]: inactive
Dec 17 21:40:57.142505 osdx INFO[287143]: FRR daemons did not change
Dec 17 21:40:57.165306 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 17 21:40:57.214988 osdx WARNING[287211]: No supported link modes on interface eth0
Dec 17 21:40:57.216589 osdx modulelauncher[287211]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 17 21:40:57.216600 osdx modulelauncher[287211]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 17 21:40:57.217987 osdx modulelauncher[287211]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --
Dec 17 21:40:57.218000 osdx modulelauncher[287211]: Command '/sbin/ethtool -s eth0 autoneg on advertise Asym_Pause off Pause off --' returned non-zero exit status 75.
Dec 17 21:40:57.329991 osdx systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
Dec 17 21:40:57.344456 osdx sshd[287262]: Server listening on 0.0.0.0 port 22.
Dec 17 21:40:57.344492 osdx sshd[287262]: Server listening on :: port 22.
Dec 17 21:40:57.344631 osdx systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
Dec 17 21:40:57.371969 osdx cfgd[1255]: [67921]Completed change to active configuration
Dec 17 21:40:57.385416 osdx OSDxCLI[67921]: User 'admin' committed the configuration.
Dec 17 21:40:57.432666 osdx OSDxCLI[67921]: User 'admin' left the configuration menu.
Dec 17 21:40:57.585015 osdx OSDxCLI[67921]: User 'admin' executed a new command: 'ping 10.215.168.64 count 1 size 56 timeout 1'.
Dec 17 21:40:59.552547 osdx OSDxCLI[67921]: User 'admin' entered the configuration menu.
Dec 17 21:40:59.612564 osdx OSDxCLI[67921]: User 'admin' added a new cfg line: 'set service dns static host-name dns.dut0 inet 10.215.168.64'.
Dec 17 21:40:59.727740 osdx OSDxCLI[67921]: User 'admin' added a new cfg line: 'set system certificate trust running://CA.crt'.
Dec 17 21:40:59.790676 osdx OSDxCLI[67921]: User 'admin' added a new cfg line: 'set service dns proxy server-name DUT0'.
Dec 17 21:40:59.891462 osdx OSDxCLI[67921]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0'.
Dec 17 21:40:59.945652 osdx OSDxCLI[67921]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host port 3000'.
Dec 17 21:41:00.051757 osdx OSDxCLI[67921]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64'.
Dec 17 21:41:00.126457 osdx OSDxCLI[67921]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https hash 7991f6763f57192d5e7038bfad20a88453c95b4a98a33aa074515c6c16251a35'.
Dec 17 21:41:00.245463 osdx OSDxCLI[67921]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 17 21:41:00.354005 osdx OSDxCLI[67921]: User 'admin' added a new cfg line: 'set service dns resolver local'.
Dec 17 21:41:00.450382 osdx OSDxCLI[67921]: User 'admin' added a new cfg line: 'show working'.
Dec 17 21:41:00.552439 osdx ubnt-cfgd[287319]: inactive
Dec 17 21:41:00.576513 osdx INFO[287327]: FRR daemons did not change
Dec 17 21:41:00.593411 osdx ca-certificates[287343]: Updating certificates in /etc/ssl/certs...
Dec 17 21:41:01.172549 osdx ubnt-cfgd[288358]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 17 21:41:01.179933 osdx ca-certificates[288364]: 1 added, 0 removed; done.
Dec 17 21:41:01.183103 osdx ca-certificates[288370]: Running hooks in /etc/ca-certificates/update.d...
Dec 17 21:41:01.186006 osdx ca-certificates[288372]: done.
Dec 17 21:41:01.313796 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 17 21:41:01.315906 osdx cfgd[1255]: [67921]Completed change to active configuration
Dec 17 21:41:01.322909 osdx OSDxCLI[67921]: User 'admin' committed the configuration.
Dec 17 21:41:01.336952 osdx dnscrypt-proxy[288432]: dnscrypt-proxy 2.0.45
Dec 17 21:41:01.337028 osdx dnscrypt-proxy[288432]: Network connectivity detected
Dec 17 21:41:01.337319 osdx dnscrypt-proxy[288432]: Dropping privileges
Dec 17 21:41:01.340218 osdx dnscrypt-proxy[288432]: Network connectivity detected
Dec 17 21:41:01.340256 osdx dnscrypt-proxy[288432]: Now listening to 127.0.0.1:53 [UDP]
Dec 17 21:41:01.340262 osdx dnscrypt-proxy[288432]: Now listening to 127.0.0.1:53 [TCP]
Dec 17 21:41:01.340282 osdx dnscrypt-proxy[288432]: Firefox workaround initialized
Dec 17 21:41:01.340288 osdx dnscrypt-proxy[288432]: Loading the set of cloaking rules from [/tmp/tmpbkkmbitd]
Dec 17 21:41:01.346327 osdx OSDxCLI[67921]: User 'admin' left the configuration menu.
Dec 17 21:41:01.508216 osdx OSDxCLI[67921]: User 'admin' executed a new command: 'system journal show | cat'.
Dec 17 21:41:01.538824 osdx dnscrypt-proxy[288432]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
Dec 17 21:41:01.538843 osdx dnscrypt-proxy[288432]: [DUT0] OK (DoH) - rtt: 114ms
Dec 17 21:41:01.538856 osdx dnscrypt-proxy[288432]: Server with the lowest initial latency: DUT0 (rtt: 114ms)
Dec 17 21:41:01.538862 osdx dnscrypt-proxy[288432]: dnscrypt-proxy is ready - live servers: 1
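The lines that decide this test are the two dnscrypt-proxy entries near the end: "TLS version: 304" is the TLS 1.3 version number printed in hex (0x0304), and "Cipher suite: 4867" is the IANA suite identifier printed in decimal (0x1303, TLS_CHACHA20_POLY1305_SHA256). The following checker is an added example, not part of the test suite or of OSDx; it parses journal lines of this shape, decodes both values, and verifies that the named server negotiated TLS 1.3 with an allowed suite and was probed OK over DoH. The sample lines are constructed from the expected output above, and the allowed-suite set is an assumption used to illustrate restricting the test to one or several ciphers.

```python
import re

# IANA TLS registry values. dnscrypt-proxy logs the version in hex
# (304 == 0x0304) and the cipher suite in decimal (4867 == 0x1303).
TLS_VERSIONS = {0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
CIPHER_SUITES = {0x1301: "TLS_AES_128_GCM_SHA256",
                 0x1302: "TLS_AES_256_GCM_SHA384",
                 0x1303: "TLS_CHACHA20_POLY1305_SHA256"}
TLS_RE = re.compile(r"\[(?P<srv>[^\]]+)\] TLS version: (?P<ver>[0-9a-f]+) - "
                    r"Protocol: (?P<proto>\S+) - Cipher suite: (?P<suite>\d+)")
OK_RE = re.compile(r"\[(?P<srv>[^\]]+)\] OK \(DoH\) - rtt: (?P<rtt>\d+)ms")

def parse_journal(lines):
    """Collect per-server handshake facts from dnscrypt-proxy journal lines."""
    servers = {}
    for line in lines:
        if "dnscrypt-proxy[" not in line:
            continue  # only the DoH client's own lines matter here
        m = TLS_RE.search(line)
        if m:
            info = servers.setdefault(m["srv"], {})
            info["tls_version"] = TLS_VERSIONS.get(int(m["ver"], 16), "unknown")
            info["protocol"] = m["proto"]
            info["cipher_suite"] = CIPHER_SUITES.get(int(m["suite"]), "unknown")
        m = OK_RE.search(line)
        if m:
            servers.setdefault(m["srv"], {})["rtt_ms"] = int(m["rtt"])
    return servers

def check_tls13_doh(lines, server, allowed=frozenset(CIPHER_SUITES.values())):
    """Return (passed, reasons): TLS 1.3, an allowed suite and an OK (DoH) probe."""
    info = parse_journal(lines).get(server)
    if info is None:
        return False, [f"no dnscrypt-proxy lines for server {server}"]
    reasons = []
    if info.get("tls_version") != "TLS 1.3":
        reasons.append(f"TLS version is {info.get('tls_version')}, expected TLS 1.3")
    if info.get("cipher_suite") not in allowed:
        reasons.append(f"cipher suite {info.get('cipher_suite')} not allowed")
    if "rtt_ms" not in info:
        reasons.append("no 'OK (DoH)' probe result logged")
    return not reasons, reasons

# Constructed sample: the two decisive lines from the expected output above.
SAMPLE = [
    "Dec 17 21:41:01.538824 osdx dnscrypt-proxy[288432]: [DUT0] TLS version: 304"
    " - Protocol: h2 - Cipher suite: 4867",
    "Dec 17 21:41:01.538843 osdx dnscrypt-proxy[288432]: [DUT0] OK (DoH) - rtt: 114ms",
]
```

Passing a narrower allowed set (for example only TLS_AES_128_GCM_SHA256) makes the same journal fail the check, which is how a single-cipher variant of this test would be expressed.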