How to connect cl+ssl with host ca verification?
Tim Hawes
trhawes at gmail.com
Thu Mar 24 14:53:46 UTC 2022
I haven't looked at the code, but apparently, it checks if the rootCA is
registered in the system.
This works if I have added the rootCA system-wide:

(let ((cl-postgres:*ssl-certificate-file* "/some/path/to/cert.crt")
      (cl-postgres:*ssl-key-file* "/some/path/to/a-key.key"))
  (postmodern:with-connection
      '("dbname" "dbuser" "password" "some-remote-server.lan" :port 5432
        :use-ssl :full)
    (postmodern:query (:select '* :from 'table))))
On Tue, Mar 22, 2022 at 8:50 PM Sabra Crolleton <sabra.crolleton at gmail.com>
wrote:
> Postmodern uses cl+ssl and I do not see cl+ssl using a root ca. Maybe I am
> missing something in that library?
>
> On Mon, Mar 21, 2022 at 9:37 PM Tim Hawes <trhawes at gmail.com> wrote:
>
>> Sorry Sabra, I didn't intend to reply to you directly.
>>
>> ---------- Forwarded message ---------
>> From: Tim Hawes <trhawes at gmail.com>
>> Date: Mon, Mar 21, 2022 at 9:35 PM
>> Subject: Re: How to connect cl+ssl with host ca verification?
>> To: Sabra Crolleton <sabra.crolleton at gmail.com>
>>
>>
>> That works, but it looks like the root ca has to be added to the system.
>> If using psql I could specify where all the certs I want to use to connect
>> with like so:
>>
>> $>psql "port=5432 host=localhost user=postgres sslcert=./test/client.crt
>> sslkey=./test/client.key sslrootcert=./test/server.crt sslmode=verify-full"
>> Is there an equivalent in Postmodern?
>>
>> On Mon, Mar 21, 2022 at 8:36 PM Sabra Crolleton <
>> sabra.crolleton at gmail.com> wrote:
>>
>>> The cl-postgres (open-database ...) function has :use-ssl as a key
>>> parameter where the parameter values:
>>>
>>> - :try means if the server supports it
>>> - :require means use provided ssl certificate with no verification
>>> - :yes means verify that the server cert is issued by a trusted CA,
>>> but does not verify the server hostname
>>> - :full means expect a CA-signed cert for the supplied hostname and
>>> verify the server hostname
>>>
>>> This is mirrored in the postmodern (connect ...) function.
>>>
>>> If I understand your question correctly, you want to use :full as the
>>> parameter passed to :use-ssl. E.g.
>>>
>>> (connect "test_db" "test-user" "test-password" "192.168.5.223"
>>>          :port 5434 :pooled-p t :use-ssl :full)
>>>
>>> But maybe I am not understanding your question correctly.
>>>
>>> Sabra
>>>
>>> On Mon, Mar 21, 2022 at 7:50 PM Tim Hawes <trhawes at gmail.com> wrote:
>>>
>>>> I am not finding any helpful information in how to connect to
>>>> PostgreSQL using client key/client cert and a root ca for verifying the
>>>> host with Postmodern. Can someone send me an example?
>>>>
>>>
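An added example, not code from this thread nor from Postmodern or cl+ssl themselves, that does for Postmodern what the psql command above does with sslrootcert: it binds the cl-postgres certificate and key variables from Tim's message and installs a cl+ssl context whose :verify-location is the root CA file, so the CA need not be in the system store. It assumes that cl-postgres performs its TLS handshake through cl+ssl's global context (cl+ssl:make-context, cl+ssl:with-global-context, cl+ssl:+ssl-verify-peer+), and the function name call-with-verified-connection is mine; the closing pg_stat_ssl query is the check that the session really is TLS.

```lisp
;; Added example: client cert + key, server verified against a chosen root
;; CA file (not the system store), hostname verified via :use-ssl :full.
;; ASSUMPTION: cl-postgres hands the handshake to cl+ssl's global context,
;; so the context installed here is what supplies the trusted root CA.
(ql:quickload '(:postmodern :cl+ssl))

(defun call-with-verified-connection (spec &key client-cert client-key root-ca
                                                 (port 5432))
  "SPEC is (dbname user password host).  ROOT-CA is the PEM file whose key
signed the server certificate; the connection fails unless the server cert
chains to it and its name matches HOST."
  (destructuring-bind (dbname user password host) spec
    (let ((cl-postgres:*ssl-certificate-file* client-cert)
          (cl-postgres:*ssl-key-file* client-key)
          ;; Trust only ROOT-CA for this context and insist on peer verification.
          (ctx (cl+ssl:make-context :verify-location root-ca
                                    :verify-mode cl+ssl:+ssl-verify-peer+)))
      (cl+ssl:with-global-context (ctx :auto-free-p t)
        (postmodern:with-connection
            (list dbname user password host :port port :use-ssl :full)
          ;; Ask the server what it actually negotiated for this backend:
          ;; ssl flag, protocol version, cipher, and the client DN it saw.
          (postmodern:query
           "SELECT ssl, version, cipher, client_dn FROM pg_stat_ssl
             WHERE pid = pg_backend_pid()"
           :row))))))

;; Usage with the placeholder paths from the message above:
;; (call-with-verified-connection
;;   '("dbname" "dbuser" "password" "some-remote-server.lan")
;;   :client-cert "/some/path/to/cert.crt"
;;   :client-key  "/some/path/to/a-key.key"
;;   :root-ca     "/some/path/to/root-ca.crt")
```

If the returned row has ssl = t and client_dn shows the client certificate's subject, both directions of the mutual TLS setup are in effect; a handshake error instead of a row means the server cert did not chain to the given root CA or the hostname did not match.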