Cipher Server

Test suite that validates the use of one or more cipher suites to protect a DoH connection.

TLS v1.3 Connection

Description

Sets up DUT0 as a server and DUT1 as a client, and checks that the communication between them is secured by TLS v1.3.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 10.215.168.64/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy server cert file 'running://dns.dut0.crt'
set service dns proxy server cert key 'running://dns.dut0.key'
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https hash 94bd2423f228aa7789fc9c7f10d73f124a6a1a9a67ac61539e0489970e64183c
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns static host-name teldat.com inet 10.11.12.13
set system certificate trust 'running://remote.dns-server.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 10.215.168.65/24
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns proxy log level 0
set service dns proxy server-name DUT0
set service dns proxy static DUT0 protocol dns-over-https hash 86b5c47ac7724433d03db1f58b1acc2565da06689436a689248e1787522b25fc
set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0
set service dns proxy static DUT0 protocol dns-over-https host port 3000
set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64
set service dns resolver local
set service dns static host-name dns.dut0 inet 10.215.168.64
set service ssh
set system certificate trust 'running://CA.crt'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Run the command system journal show | cat at DUT1 and expect this output:

Dec 11 19:48:23.253645 osdx systemd-journald[1751]: Runtime Journal (/run/log/journal/a9242cd896344ca481d18f29a6e09395) is 956.0K, max 6.5M, 5.5M free.
Dec 11 19:48:23.254905 osdx systemd-journald[1751]: Received client request to rotate journal, rotating.
Dec 11 19:48:23.254961 osdx systemd-journald[1751]: Vacuuming done, freed 0B of archived journals from /run/log/journal/a9242cd896344ca481d18f29a6e09395.
Dec 11 19:48:23.265617 osdx OSDxCLI[292947]: User 'admin' executed a new command: 'system journal clear'.
Dec 11 19:48:23.472626 osdx OSDxCLI[292947]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 11 19:48:24.489565 osdx OSDxCLI[292947]: User 'admin' entered the configuration menu.
Dec 11 19:48:24.567597 osdx OSDxCLI[292947]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.65/24'.
Dec 11 19:48:24.637092 osdx OSDxCLI[292947]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 11 19:48:24.764691 osdx OSDxCLI[292947]: User 'admin' added a new cfg line: 'set service ssh'.
Dec 11 19:48:24.823705 osdx OSDxCLI[292947]: User 'admin' added a new cfg line: 'show working'.
Dec 11 19:48:24.923650 osdx ubnt-cfgd[380428]: inactive
Dec 11 19:48:24.994620 osdx INFO[380447]: FRR daemons did not change
Dec 11 19:48:25.022899 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 11 19:48:25.068806 osdx WARNING[380516]: No supported link modes on interface eth0
Dec 11 19:48:25.070099 osdx modulelauncher[380516]: osdx.utils.xos cmd error: /sbin/ethtool -A eth0 autoneg on
Dec 11 19:48:25.070110 osdx modulelauncher[380516]: Command '/sbin/ethtool -A eth0 autoneg on' returned non-zero exit status 76.
Dec 11 19:48:25.071265 osdx modulelauncher[380516]: osdx.utils.xos cmd error: /sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --
Dec 11 19:48:25.071274 osdx modulelauncher[380516]: Command '/sbin/ethtool -s eth0 autoneg on advertise Pause off Asym_Pause off --' returned non-zero exit status 75.
Dec 11 19:48:25.159345 osdx systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
Dec 11 19:48:25.175917 osdx sshd[380576]: Server listening on 0.0.0.0 port 22.
Dec 11 19:48:25.175946 osdx sshd[380576]: Server listening on :: port 22.
Dec 11 19:48:25.176041 osdx systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
Dec 11 19:48:25.177140 osdx cfgd[1430]: [292947]Completed change to active configuration
Dec 11 19:48:25.189293 osdx OSDxCLI[292947]: User 'admin' committed the configuration.
Dec 11 19:48:25.204474 osdx OSDxCLI[292947]: User 'admin' left the configuration menu.
Dec 11 19:48:25.348052 osdx OSDxCLI[292947]: User 'admin' executed a new command: 'ping 10.215.168.64 count 1 size 56 timeout 1'.
Dec 11 19:48:27.266263 osdx OSDxCLI[292947]: User 'admin' entered the configuration menu.
Dec 11 19:48:27.323515 osdx OSDxCLI[292947]: User 'admin' added a new cfg line: 'set service dns static host-name dns.dut0 inet 10.215.168.64'.
Dec 11 19:48:27.423079 osdx OSDxCLI[292947]: User 'admin' added a new cfg line: 'set system certificate trust running://CA.crt'.
Dec 11 19:48:27.479697 osdx OSDxCLI[292947]: User 'admin' added a new cfg line: 'set service dns proxy server-name DUT0'.
Dec 11 19:48:27.585489 osdx OSDxCLI[292947]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0'.
Dec 11 19:48:27.639943 osdx OSDxCLI[292947]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host port 3000'.
Dec 11 19:48:27.736915 osdx OSDxCLI[292947]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64'.
Dec 11 19:48:27.804050 osdx OSDxCLI[292947]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https hash 86b5c47ac7724433d03db1f58b1acc2565da06689436a689248e1787522b25fc'.
Dec 11 19:48:27.909445 osdx OSDxCLI[292947]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Dec 11 19:48:28.007772 osdx OSDxCLI[292947]: User 'admin' added a new cfg line: 'set service dns resolver local'.
Dec 11 19:48:28.080188 osdx OSDxCLI[292947]: User 'admin' added a new cfg line: 'show working'.
Dec 11 19:48:28.174133 osdx ubnt-cfgd[380625]: inactive
Dec 11 19:48:28.195483 osdx INFO[380633]: FRR daemons did not change
Dec 11 19:48:28.207250 osdx ca-certificates[380649]: Updating certificates in /etc/ssl/certs...
Dec 11 19:48:28.717683 osdx ubnt-cfgd[381661]: rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
Dec 11 19:48:28.727050 osdx ca-certificates[381666]: 1 added, 0 removed; done.
Dec 11 19:48:28.730184 osdx ca-certificates[381673]: Running hooks in /etc/ca-certificates/update.d...
Dec 11 19:48:28.733016 osdx ca-certificates[381675]: done.
Dec 11 19:48:28.847192 osdx systemd[1]: Started dnscrypt-proxy.service - DNSCrypt client proxy.
Dec 11 19:48:28.848618 osdx cfgd[1430]: [292947]Completed change to active configuration
Dec 11 19:48:28.850528 osdx OSDxCLI[292947]: User 'admin' committed the configuration.
Dec 11 19:48:28.866891 osdx dnscrypt-proxy[381735]: dnscrypt-proxy 2.0.45
Dec 11 19:48:28.866941 osdx dnscrypt-proxy[381735]: Network connectivity detected
Dec 11 19:48:28.867108 osdx dnscrypt-proxy[381735]: Dropping privileges
Dec 11 19:48:28.869821 osdx OSDxCLI[292947]: User 'admin' left the configuration menu.
Dec 11 19:48:28.870091 osdx dnscrypt-proxy[381735]: Network connectivity detected
Dec 11 19:48:28.870123 osdx dnscrypt-proxy[381735]: Now listening to 127.0.0.1:53 [UDP]
Dec 11 19:48:28.870128 osdx dnscrypt-proxy[381735]: Now listening to 127.0.0.1:53 [TCP]
Dec 11 19:48:28.870150 osdx dnscrypt-proxy[381735]: Firefox workaround initialized
Dec 11 19:48:28.870155 osdx dnscrypt-proxy[381735]: Loading the set of cloaking rules from [/tmp/tmp876phrv8]
Dec 11 19:48:29.028298 osdx OSDxCLI[292947]: User 'admin' executed a new command: 'system journal show | cat'.
Dec 11 19:48:29.045458 osdx dnscrypt-proxy[381735]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
Dec 11 19:48:29.045473 osdx dnscrypt-proxy[381735]: [DUT0] OK (DoH) - rtt: 101ms
Dec 11 19:48:29.045482 osdx dnscrypt-proxy[381735]: Server with the lowest initial latency: DUT0 (rtt: 101ms)
Dec 11 19:48:29.045488 osdx dnscrypt-proxy[381735]: dnscrypt-proxy is ready - live servers: 1
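The check this step performs is reading the dnscrypt-proxy line that reports the negotiated TLS parameters: dnscrypt-proxy prints the TLS version in hexadecimal (304 is 0x0304, TLS 1.3) and the cipher suite as its decimal IANA identifier (4867 is 0x1303, TLS_CHACHA20_POLY1305_SHA256). The following Python script is an added example, not part of the test suite or of OSDx, that parses such journal lines and evaluates them against a policy of allowed cipher suites. The first sample line is the one shown above; the lines for the servers OLD and AES are constructed to exercise the two failure cases (wrong TLS version, cipher suite outside the policy), and the line format is assumed from the output above.

```python
import re

# Added example, not part of the original test suite: validate the TLS
# parameters dnscrypt-proxy reports for a DoH upstream against a cipher policy.
# dnscrypt-proxy logs the TLS version in hex (304 == 0x0304 == TLS 1.3) and the
# cipher suite as the decimal IANA identifier (4867 == 0x1303).

TLS_VERSIONS = {0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# IANA identifiers of the three TLS 1.3 cipher suites, plus one TLS 1.2 suite
# that only the constructed negative sample below uses.
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
}

# Assumed from the journal line shown in Step 3.
LINE_RE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[(?P<server>[^\]]+)\] TLS version: (?P<ver>[0-9a-fA-F]+)"
    r" - Protocol: (?P<proto>\S+) - Cipher suite: (?P<suite>\d+)"
)


def parse_tls_line(line):
    """Extract server name, TLS version, ALPN protocol and cipher suite id, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {
        "server": m.group("server"),
        "version": int(m.group("ver"), 16),   # logged in hex
        "protocol": m.group("proto"),
        "cipher_suite": int(m.group("suite")),  # logged in decimal
    }


def evaluate(info, allowed_suites, required_version=0x0304):
    """Decide whether one parsed line satisfies the policy; returns (ok, reason)."""
    if info["version"] != required_version:
        got = TLS_VERSIONS.get(info["version"], hex(info["version"]))
        return False, "version %s is not %s" % (got, TLS_VERSIONS[required_version])
    if info["cipher_suite"] not in allowed_suites:
        name = CIPHER_SUITES.get(info["cipher_suite"], hex(info["cipher_suite"]))
        return False, "cipher suite %s not in policy" % name
    return True, "ok"


def check_journal(lines, allowed_suites, required_version=0x0304):
    """Return {server: (ok, reason)} for every TLS report line in the journal."""
    results = {}
    for line in lines:
        info = parse_tls_line(line)
        if info is None:
            continue  # not a TLS report line (e.g. the "OK (DoH)" line)
        results[info["server"]] = evaluate(info, allowed_suites, required_version)
    return results


# Constructed sample journal: the first two lines are taken from Step 3, the
# servers OLD and AES are invented to show a TLS 1.2 session and a disallowed suite.
SAMPLE_JOURNAL = [
    "Dec 11 19:48:29.045458 osdx dnscrypt-proxy[381735]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867",
    "Dec 11 19:48:29.045473 osdx dnscrypt-proxy[381735]: [DUT0] OK (DoH) - rtt: 101ms",
    "Dec 11 19:48:30.000000 osdx dnscrypt-proxy[381735]: [OLD] TLS version: 303 - Protocol: h2 - Cipher suite: 49195",
    "Dec 11 19:48:31.000000 osdx dnscrypt-proxy[381735]: [AES] TLS version: 304 - Protocol: h2 - Cipher suite: 4865",
]

if __name__ == "__main__":
    # Policy of this test: only TLS_CHACHA20_POLY1305_SHA256 over TLS 1.3.
    for server, (ok, reason) in check_journal(SAMPLE_JOURNAL, {0x1303}).items():
        print("%-5s %s  %s" % (server, "PASS" if ok else "FAIL", reason))
```

Widening the policy to several suites is just a larger `allowed_suites` set, which is how the "one or multiple ciphers" variants of this suite differ; a server that never produces a TLS report line is absent from the result and should be treated as a failure by the caller.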