testing: Use identity based CA restrictions in rw-hash-and-url-multi-level
authorMartin Willi <martin@strongswan.org>
Thu, 28 Nov 2019 09:25:20 +0000 (10:25 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 6 Dec 2019 09:07:47 +0000 (10:07 +0100)
commitf95d5122513ab34cd1b3cffc7bb49d69932cd51c
treea9d09c44bcc5e4a011378ee2bd6587c5dd020a45
parent026024bc02d82ee953a72eef40986d12d0cf0a87
testing: Use identity based CA restrictions in rw-hash-and-url-multi-level

This is a prominent example where the identity based CA constraint is
benefical. While the description of the test claims a strict binding
of the client to the intermediate CA, this is not fully true if CA operators
are not fully trusted: A rogue OU=Sales intermediate may issue certificates
containing a OU=Research.

By binding the connection to the CA, we can avoid this, and using the identity
based constraint still allows moon to receive the intermediate over IKE
or hash-and-url.
testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/swanctl/swanctl.conf