testing: Use identity based CA restrictions in rw-hash-and-url-multi-level
This is a prominent example where the identity based CA constraint is beneficial. While the description of the test claims a strict binding of the client to the intermediate CA, this is not fully true if CA operators are not fully trusted: A rogue OU=Sales intermediate may issue certificates containing an OU=Research. By binding the connection to the CA, we can avoid this, and using the identity based constraint still allows moon to receive the intermediate over IKE or hash-and-url.
parent 026024bc02
commit f95d512251
|
@ -10,7 +10,7 @@ connections {
|
|||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = "C=CH, O=strongSwan Project, OU=Research, CN=*"
|
||||
ca_id = "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
|
||||
}
|
||||
children {
|
||||
alice {
|
||||
|
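Review bot: The `ca_id = "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"` line in the Research `remote` section comes without any visible check of the case it is meant to stop. The commit message is about a rogue OU=Sales intermediate issuing a certificate that carries OU=Research, so consider extending the scenario with a client certificate of that shape and asserting that moon rejects it, and updating the test description so it states that the binding comes from `ca_id` and not from the `id` pattern alone.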
@ -32,7 +32,7 @@ connections {
|
|||
}
|
||||
remote {
|
||||
auth = pubkey
|
||||
id = "C=CH, O=strongSwan Project, OU=Sales, CN=*"
|
||||
ca_id = "C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA"
|
||||
}
|
||||
children {
|
||||
venus {
|
||||
|
|
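Review bot: The `ca_id = "C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA"` line in the Sales `remote` section has no comment explaining why the CA is named by identity. A short comment above it, saying that the identity form keeps the CA binding while still letting moon receive the intermediate over IKE or hash-and-url (as the commit message explains), would stop a later edit from swapping it for a locally installed CA certificate and changing what the test covers.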