How to connect cl+ssl with host ca verification?

Tim Hawes trhawes at gmail.com
Mon Mar 28 23:25:12 UTC 2022


Thank you! I got
(cl+ssl:ssl-load-global-verify-locations "/path/to/root/ca")
to work with the aforementioned code. But note that it does not look for an
actual list of pathnames but takes multiple parameters collected with &rest.

On Sat, Mar 26, 2022 at 2:01 PM Sabra Crolleton <sabra.crolleton at gmail.com>
wrote:

> Do either of the following cl+ssl functions called before making the
> postmodern query work to give cl+ssl the appropriate root CA?
>
> (cl+ssl:use-certificate-chain-file "/some/path/to/your-pem-file.pem")
>
> or
>
> (cl+ssl:ssl-load-global-verify-locations
>   '("/some/path/to/your-pem-file.pem"))
>
>
> On Thu, Mar 24, 2022 at 10:54 AM Tim Hawes <trhawes at gmail.com> wrote:
>
>> It would be nice to be able to specify the root CA explicitly.
>>
>> On Thu, Mar 24, 2022 at 10:53 AM Tim Hawes <trhawes at gmail.com> wrote:
>>
>>> I haven't looked at the code, but apparently, it checks if the rootCA is
>>> registered in the system.
>>> This works if I have added the rootCA system-wide
>>> (let ((cl-postgres:*ssl-certificate-file* "/some/path/to/cert.crt")
>>>        (cl-postgres:*ssl-key-file* "/some/path/to/a-key.key"))
>>>    (postmodern:with-connection
>>>        '("dbname" "dbuser" "password" "some-remote-server.lan" :port 5432
>>>          :use-ssl :full)
>>>      (postmodern:query (:select '* :from 'table))))
>>>
>>>
>>> On Tue, Mar 22, 2022 at 8:50 PM Sabra Crolleton <
>>> sabra.crolleton at gmail.com> wrote:
>>>
>>>> Postmodern uses cl+ssl and I do not see cl+ssl using a root ca. Maybe I
>>>> am missing something in that library?
>>>>
>>>> On Mon, Mar 21, 2022 at 9:37 PM Tim Hawes <trhawes at gmail.com> wrote:
>>>>
>>>>> Sorry Sabra, I didn't intend to reply to you directly.
>>>>>
>>>>> ---------- Forwarded message ---------
>>>>> From: Tim Hawes <trhawes at gmail.com>
>>>>> Date: Mon, Mar 21, 2022 at 9:35 PM
>>>>> Subject: Re: How to connect cl+ssl with host ca verification?
>>>>> To: Sabra Crolleton <sabra.crolleton at gmail.com>
>>>>>
>>>>>
>>>>> That works, but it looks like the root ca has to be added to the
>>>>> system. If using psql I could specify where all the certs I want to use to
>>>>> connect with like so:
>>>>>
>>>>> $>psql "port=5432 host=localhost user=postgres
>>>>> sslcert=./test/client.crt sslkey=./test/client.key
>>>>> sslrootcert=./test/server.crt sslmode=verify-full"
>>>>> Is there an equivalent in Postmodern?
>>>>>
>>>>> On Mon, Mar 21, 2022 at 8:36 PM Sabra Crolleton <
>>>>> sabra.crolleton at gmail.com> wrote:
>>>>>
>>>>>> The cl-postgres (open-database ...) function has :use-ssl as a key
>>>>>> parameter where the parameter values:
>>>>>>
>>>>>>    - :try means if the server supports it
>>>>>>    - :require means use provided ssl certificate with no verification
>>>>>>    - :yes means verify that the server cert is issued by a trusted
>>>>>>    CA, but does not verify the server hostname
>>>>>>    - :full means expect a CA-signed cert for the supplied hostname
>>>>>>    and verify the server hostname
>>>>>>
>>>>>> This is mirrored in the postmodern (connect ...) function.
>>>>>>
>>>>>> If I understand your question correctly, you want to use :full as the
>>>>>> parameter passed to :use-ssl. E.g.
>>>>>>
>>>>>> (connect "test_db" "test-user" "test-password" "192.168.5.223"
>>>>>>          :port 5434 :pooled-p t :use-ssl :full)
>>>>>>
>>>>>> But maybe I am not understanding your question correctly.
>>>>>>
>>>>>> Sabra
>>>>>>
>>>>>> On Mon, Mar 21, 2022 at 7:50 PM Tim Hawes <trhawes at gmail.com> wrote:
>>>>>>
>>>>>>> I am not finding any helpful information in how to connect to
>>>>>>> PostgreSQL using client key/client cert and a root ca for verifying the
>>>>>>> host with Postmodern. Can someone send me an example?
>>>>>>>
>>>>>>
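Putting the thread's findings together in one function (an added example, not code from the thread or from the postmodern project): the root CA is passed to ssl-load-global-verify-locations as a separate argument rather than a list, the client certificate and key go through the cl-postgres specials, and :use-ssl :full is the counterpart of psql's sslmode=verify-full. The ql:quickload line, the file paths and the function name are assumptions.

```lisp
;; Added example, not from the thread. Assumes cl+ssl and postmodern are
;; installed via Quicklisp; the pathnames passed in are placeholders.
(ql:quickload '(:cl+ssl :postmodern))

(defun query-with-verified-tls (root-ca client-cert client-key
                                database user password host
                                &key (port 5432))
  "Open a TLS connection that is verified against ROOT-CA and HOST, present
CLIENT-CERT / CLIENT-KEY to the server, and report whether the session is TLS."
  ;; Pathnames are separate &rest arguments, not a list (see the reply above).
  ;; This changes the trust store of cl+ssl's global context for the whole
  ;; process, so call it once at startup rather than per connection.
  (cl+ssl:ssl-load-global-verify-locations root-ca)
  (let ((cl-postgres:*ssl-certificate-file* client-cert)
        (cl-postgres:*ssl-key-file* client-key))
    ;; :full = CA check plus hostname check (psql sslmode=verify-full).
    ;; :yes skips the hostname check and :require skips verification entirely,
    ;; so only :full protects against a server impersonating HOST.
    (postmodern:with-connection (list database user password host
                                      :port port :use-ssl :full)
      ;; pg_stat_ssl shows whether this backend's session is really on TLS.
      (postmodern:query
       "SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
       :single))))

;; Constructed call; returns T when the verified TLS session is established.
;; (query-with-verified-tls #p"/etc/pki/root-ca.pem" #p"/etc/pki/client.crt"
;;                          #p"/etc/pki/client.key"
;;                          "dbname" "dbuser" "password" "some-remote-server.lan")
```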