<div dir="ltr"><div>Do either of the following cl+ssl functions, called before making the postmodern query, work to give cl+ssl the appropriate root CA?</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>(cl+ssl:use-certificate-chain-file "/some/path/to/your-pem-file.pem") <br></div></blockquote><div><br></div><div>or<br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>(cl+ssl:ssl-load-global-verify-locations '("/some/path/to/your-pem-file.pem"))</div></blockquote><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Mar 24, 2022 at 10:54 AM Tim Hawes <<a href="mailto:trhawes@gmail.com">trhawes@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">It would be nice to be able to specify the root CA explicitly.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Mar 24, 2022 at 10:53 AM Tim Hawes <<a href="mailto:trhawes@gmail.com" target="_blank">trhawes@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I haven't looked at the code, but apparently, it checks if the root CA is registered in the system.<br>This works if I have added the root CA system-wide:<br><span style="font-family:monospace"><span style="color:rgb(0,0,0)">(let ((cl-postgres:*ssl-certificate-file* "/some/path/to/cert.crt")
</span><br> (cl-postgres:*ssl-key-file* "/some/path/to/a-key.key"))
<br> (postmodern:with-connection
<br> '("dbname" "dbuser" "password" "some-remote-server.lan" :port 5432<br> :use-ssl :full)
<br> (postmodern:query (:select '* :from 'table))))<br></span><div><span style="font-family:monospace"><br></span></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 22, 2022 at 8:50 PM Sabra Crolleton <<a href="mailto:sabra.crolleton@gmail.com" target="_blank">sabra.crolleton@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Postmodern uses cl+ssl and I do not see cl+ssl using a root CA. Maybe I am missing something in that library?<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 21, 2022 at 9:37 PM Tim Hawes <<a href="mailto:trhawes@gmail.com" target="_blank">trhawes@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Sorry Sabra, I didn't intend to reply to you directly.<br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">---------- Forwarded message ---------<br>From: <strong class="gmail_sendername" dir="auto">Tim Hawes</strong> <span dir="auto"><<a href="mailto:trhawes@gmail.com" target="_blank">trhawes@gmail.com</a>></span><br>Date: Mon, Mar 21, 2022 at 9:35 PM<br>Subject: Re: How to connect cl+ssl with host ca verification?<br>To: Sabra Crolleton <<a href="mailto:sabra.crolleton@gmail.com" target="_blank">sabra.crolleton@gmail.com</a>><br></div><br><br><div dir="ltr">That works, but it looks like the root CA has to be added to the system. 
If using psql, I could specify all the certs I want to connect with, like so:<br><br><span style="color:rgb(35,38,41);font-family:ui-monospace,"Cascadia Mono","Segoe UI Mono","Liberation Mono",Menlo,Monaco,Consolas,monospace;font-size:13px;white-space:pre-wrap;background-color:rgb(227,230,232)">$>psql "port=5432 host=localhost user=postgres sslcert=./test/client.crt sslkey=./test/client.key sslrootcert=./test/server.crt sslmode=verify-full"
</span><br>Is there an equivalent in Postmodern? </div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 21, 2022 at 8:36 PM Sabra Crolleton <<a href="mailto:sabra.crolleton@gmail.com" target="_blank">sabra.crolleton@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>The cl-postgres (open-database ...) function has :use-ssl as a key parameter where the parameter values:</div><div><ul><li>:try means if the server supports it</li><li>:require means use provided ssl certificate with no verification</li><li>:yes means verify that the server cert is issued by a trusted CA, but does not verify the server hostname</li><li>:full means expect a CA-signed cert for the supplied hostname and verify the server hostname</li></ul><div>This is mirrored in the postmodern (connect ...) function.</div><div><br></div><div>If I understand your question correctly, you want to use :full as the parameter passed to :use-ssl. 
E.g.</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><pre>(connect "test_db" "test-user" "test-password" "192.168.5.223"<br> :port 5434 :pooled-p t :use-ssl :full)<span style="color:rgb(35,215,215)"></span><span style="color:rgb(35,215,215)"></span></pre></div></blockquote><div>But maybe I am not understanding your question correctly.</div><div><br></div><div>Sabra<br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 21, 2022 at 7:50 PM Tim Hawes <<a href="mailto:trhawes@gmail.com" target="_blank">trhawes@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I am not finding any helpful information in how to connect to PostgreSQL using client key/client cert and a root ca for verifying the host with Postmodern. Can someone send me an example? </div>
</blockquote></div>
</blockquote></div>
</div></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
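The thread above ends with an open question: whether loading the root CA into cl+ssl before opening the Postmodern connection is enough to get the equivalent of psql's sslmode=verify-full without touching the system trust store. The following is an added example that is not code from the thread, from Postmodern or from cl+ssl; it combines the calls the participants named into one startup routine. It assumes (neither is confirmed in the thread) that cl+ssl:ssl-load-global-verify-locations accepts pathnames as &rest arguments and installs them in the global context that cl-postgres's TLS stream uses, and that :use-ssl :full makes cl-postgres ask cl+ssl for both certificate-chain verification and host-name checking. All file paths and connection parameters are constructed placeholders.

```lisp
;;; Added example, not from the thread or from the Postmodern/cl+ssl projects.
;;; Goal: the Postmodern equivalent of
;;;   psql "... sslcert=client.crt sslkey=client.key sslrootcert=root-ca.pem sslmode=verify-full"
;;; Assumes Quicklisp is available and the two systems load from it.
(ql:quickload '(:cl+ssl :postmodern))

;; Constructed placeholder paths; replace with the real PEM files.
(defparameter *root-ca* #p"/some/path/to/root-ca.pem"
  "CA certificate (or self-signed server cert) the server's cert must chain to.")
(defparameter *client-cert* #p"/some/path/to/client.crt")
(defparameter *client-key* #p"/some/path/to/client.key")

(defun trust-root-ca (pem-path)
  "Install PEM-PATH as a trust anchor for every cl+ssl client stream opened
afterwards. Call once at startup, before the first connection. Assumption:
cl+ssl:ssl-load-global-verify-locations takes pathnames as &rest arguments
and feeds the global SSL context that cl-postgres uses."
  (cl+ssl:ssl-load-global-verify-locations pem-path))

(defun query-with-verified-tls (sql)
  "Run the SQL string over a TLS connection that presents the client
cert/key and requires the server cert to chain to *ROOT-CA* and to match
the connected host name. :use-ssl :full corresponds to sslmode=verify-full;
:yes would verify the chain but not the host name, and :require would
encrypt without verifying anything, which does not authenticate the server."
  (let ((cl-postgres:*ssl-certificate-file* (namestring *client-cert*))
        (cl-postgres:*ssl-key-file* (namestring *client-key*)))
    (postmodern:with-connection
        '("dbname" "dbuser" "password" "some-remote-server.lan"
          :port 5432 :use-ssl :full)
      (postmodern:query sql))))

;; Usage: trust the CA once, then every connection is verified.
(trust-root-ca *root-ca*)
(query-with-verified-tls "SELECT * FROM some_table")
```

Two checks are worth running before relying on this in production: first, point *root-ca* at a PEM that does not contain the server's issuer and confirm the connection fails, because a verify-full configuration that still succeeds means the CA was picked up from the system store or verification is not actually enabled; second, connect by IP address instead of the host name in the certificate and confirm that :full rejects it while :yes accepts it, which demonstrates the host-name check that separates the two modes.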