We are happy to announce the release of strongSwan 5.8.2, which adds support for identity-based CA constraints, can send intermediate CA certificates in hash-and-URL encoding and brings several other new features and fixes.
An identity-based CA constraint enforces that the certificate chain of the remote peer contains a CA certificate with a specific identity. These constraints are configured via vici/swanctl.conf and are similar to the existing CA constraints, but they don't require the CA certificate to be installed locally, so they also work with intermediate CA certificates received from the peer. Wildcard identity matching (e.g. "..., OU=Research, CN=*") could also be used for the latter, but this requires trust in the intermediate CAs to only issue certificates with legitimate subject DNs (e.g. the "Sales" CA must not issue certificates with "OU=Research"). With the new constraint that's not necessary, as long as a path length basic constraint (--pathlen for pki --issue) prevents intermediate CAs from issuing further intermediate CAs.
Intermediate CA certificates may now be sent in hash-and-URL encoding by configuring a base URL for the parent CA (swanctl/rw-hash-and-url-multi-level).
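As an added illustration that is not part of the announcement, the swanctl.conf fragment below contrasts the wildcard-matching approach described above with the new identity-based CA constraint, and sets the base URL that makes intermediate CA certificates go out as hash-and-URL. The DNs, URL, file names and connection names are constructed placeholders; the option names are those of swanctl.conf's remote (ca_id) and authorities (cert_uri_base) sections.

```conf
connections {
    # Wildcard matching: accepts any peer whose subject DN ends in
    # "OU=Research, CN=<anything>". Only safe if every intermediate CA
    # under the trusted root issues legitimate subject DNs.
    research-wildcard {
        local {
            auth = pubkey
            certs = gateway.pem        # constructed file name
        }
        remote {
            auth = pubkey
            id = "C=CH, O=Example Corp, OU=Research, CN=*"
        }
        children {
            research { }
        }
    }

    # Identity-based CA constraint: the peer's chain must contain a CA
    # certificate with this identity. That CA certificate need not be
    # installed locally; it may be sent by the peer during IKE. Issue the
    # intermediate with "pki --issue --pathlen 0" so it cannot create
    # further intermediate CAs that would satisfy the same constraint.
    research-ca {
        local {
            auth = pubkey
            certs = gateway.pem
        }
        remote {
            auth = pubkey
            ca_id = "C=CH, O=Example Corp, CN=Research CA"
        }
        children {
            research { }
        }
    }
}

authorities {
    root-ca {
        cacert = root-ca.pem           # constructed file name
        # Base URL for hash-and-URL: intermediate CA certificates issued by
        # this CA are sent as a hash plus URL instead of the full certificate.
        cert_uri_base = http://pki.example.com/certs/
    }
}
```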
Other Notable Features and Fixes