testing: Use identity based CA restrictions in rw-hash-and-url-multi-level

This is a prominent example where the identity based CA constraint is
beneficial. While the description of the test claims a strict binding
of the client to the intermediate CA, this is not fully true if CA operators
are not fully trusted: A rogue OU=Sales intermediate may issue certificates
containing an OU=Research.

By binding the connection to the CA, we can avoid this, and using the identity
based constraint still allows moon to receive the intermediate over IKE
or hash-and-url.
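The difference the commit message describes, as an added illustration (this is not strongSwan code and not the matcher strongSwan uses): a simplified model in which a subject pattern such as `OU=Research, CN=*` is checked against the leaf alone, versus the same pattern plus a `ca_id` that must be satisfied by a CA certificate in the verified chain. The DNs, the rogue `OU=Sales` intermediate, and the chain shape are constructed for the example.

```python
"""Added example, not part of the strongSwan project: a simplified model of
the `id` pattern check versus `id` plus `ca_id`, to show why a rogue
intermediate can defeat the first but not the second.

Model (assumptions, not strongSwan's implementation):
  - a DN is an ordered list of (attribute, value) pairs; a pattern value
    of '*' matches any value, everything else must match exactly;
  - a certificate is a (subject, issuer) pair, a chain is
    [leaf, intermediate, ..., root] and must link issuer -> subject;
  - `ca_id` is satisfied if any CA above the leaf has that subject.
"""
from __future__ import annotations

DN = list[tuple[str, str]]


def parse_dn(text: str) -> DN:
    """Split 'C=CH, O=Org, CN=x' into [('C','CH'), ('O','Org'), ('CN','x')]."""
    parts: DN = []
    for rdn in text.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append((attr.strip(), value.strip()))
    return parts


def dn_matches(pattern: str, dn: str) -> bool:
    """Attribute-by-attribute match; '*' in the pattern is a wildcard value."""
    pat, sub = parse_dn(pattern), parse_dn(dn)
    if len(pat) != len(sub):
        return False
    return all(pa == sa and (pv == "*" or pv == sv)
               for (pa, pv), (sa, sv) in zip(pat, sub))


def chain_links(chain: list[tuple[str, str]], trusted_root: str) -> bool:
    """Each certificate must be issued by the next one; the last is the root."""
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return False
    return chain[-1][0] == trusted_root and chain[-1][1] == trusted_root


def chain_accepted(chain: list[tuple[str, str]], trusted_root: str,
                   id_pattern: str, ca_id: str | None = None) -> bool:
    """Accept the peer if the leaf matches `id_pattern` and, when `ca_id`
    is set, some CA certificate in the chain has that subject."""
    if not chain_links(chain, trusted_root):
        return False
    leaf_subject, _ = chain[0]
    if not dn_matches(id_pattern, leaf_subject):
        return False
    if ca_id is None:
        return True
    return any(dn_matches(ca_id, subject) for subject, _ in chain[1:])


# Constructed sample PKI, mirroring the DNs seen in the test configuration.
ROOT = "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
RESEARCH_CA = "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
SALES_CA = "C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA"

ID_RESEARCH = "C=CH, O=strongSwan Project, OU=Research, CN=*"
CA_ID_RESEARCH = RESEARCH_CA

# Honest client: leaf issued by the Research CA.
HONEST_CHAIN = [
    ("C=CH, O=strongSwan Project, OU=Research, CN=alice@strongswan.org", RESEARCH_CA),
    (RESEARCH_CA, ROOT),
    (ROOT, ROOT),
]

# Rogue Sales intermediate issuing a certificate that claims OU=Research.
ROGUE_CHAIN = [
    ("C=CH, O=strongSwan Project, OU=Research, CN=mallory@strongswan.org", SALES_CA),
    (SALES_CA, ROOT),
    (ROOT, ROOT),
]


def id_only(chain: list[tuple[str, str]]) -> bool:
    return chain_accepted(chain, ROOT, ID_RESEARCH)


def id_and_ca_id(chain: list[tuple[str, str]]) -> bool:
    return chain_accepted(chain, ROOT, ID_RESEARCH, CA_ID_RESEARCH)


if __name__ == "__main__":
    print("id only,    honest:", id_only(HONEST_CHAIN))
    print("id only,    rogue: ", id_only(ROGUE_CHAIN))      # accepted: the weakness
    print("id + ca_id, honest:", id_and_ca_id(HONEST_CHAIN))
    print("id + ca_id, rogue: ", id_and_ca_id(ROGUE_CHAIN))  # rejected
```

The rogue chain still validates up to the trusted root, because the Sales CA is a legitimate intermediate; only the `ca_id` requirement notices that the CA which issued the `OU=Research` leaf is not the Research CA. Because the constraint is expressed as an identity rather than a local certificate file, the intermediate itself can still arrive over IKE or hash-and-url.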
Martin Willi 2019-11-28 10:25:20 +01:00 committed by Tobias Brunner
parent 026024bc02
commit f95d512251
1 changed file with 2 additions and 2 deletions


@ -10,7 +10,7 @@ connections {
}
remote {
auth = pubkey
id = "C=CH, O=strongSwan Project, OU=Research, CN=*"
ca_id = "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"
}
children {
alice {
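Review bot: The commit touches only swanctl.conf, yet the commit message says the test description claims a strict binding of the client to the intermediate CA; the description should be updated in the same change so it states that the binding now comes from `ca_id = "C=CH, O=strongSwan Project, OU=Research, CN=Research CA"` rather than from the `id` pattern, otherwise the text and the configuration disagree again. Also, the rendered view has dropped the +/- markers, so a reader cannot tell from this hunk which of the `id`/`ca_id` lines is the old one; the plain-text patch should be consulted before merging.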
@ -32,7 +32,7 @@ connections {
}
remote {
auth = pubkey
id = "C=CH, O=strongSwan Project, OU=Sales, CN=*"
ca_id = "C=CH, O=strongSwan Project, OU=Sales, CN=Sales CA"
}
children {
venus {
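Review bot: With `ca_id` now set on both the Research and the Sales connections, the `CN=*` wildcards in the `id` lines are only as strong as the chain validation behind them: `ca_id` selects which CA in an already verified chain must have issued the peer, it does not make a received intermediate trusted on its own, so the test should keep exercising the case where the intermediate arrives over IKE or hash-and-url and chains to the locally trusted root. Consider adding a negative scenario to the test as well, a certificate with a foreign OU issued by the other intermediate, so that the rejection this change is meant to achieve is actually asserted rather than assumed.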