Do either of the following cl+ssl functions called before making the postmodern query work to give cl+ssl the appropriate root CA?
(cl+ssl:use-certificate-chain-file "/some/path/to/your-pem-file.pem") > or (cl+ssl:ssl-load-global-verify-locations > '("/some/path/to/your-pem-file.pem")) > On Thu, Mar 24, 2022 at 10:54 AM Tim Hawes <trha...@gmail.com> wrote: > It would be nice to be able to specify the root CA explicitly. > > On Thu, Mar 24, 2022 at 10:53 AM Tim Hawes <trha...@gmail.com> wrote: > >> I haven't looked at the code, but apparently, it checks if the rootCA is >> registered in the system. >> This works if I have added the rootCA system-wide >> (let ((cl-postgres:*ssl-certificate-file* "/some/path/to/cert.crt") >> (cl-postgres:*ssl-key-file* "/some/path/to/a-key.key")) >> (postmodern:with-connection >> '("dbname" "dbuser" "password" "some-remote-server.lan" :port 5432 >> :use-ssl :full) >> (postmodern:query (:select '* :from 'table)))) >> >> >> On Tue, Mar 22, 2022 at 8:50 PM Sabra Crolleton < >> sabra.crolle...@gmail.com> wrote: >> >>> Postmodern uses cl+ssl and I do not see cl+ssl using a root ca. Maybe I >>> am missing something in that library? >>> >>> On Mon, Mar 21, 2022 at 9:37 PM Tim Hawes <trha...@gmail.com> wrote: >>> >>>> Sorry Sabra, I didn't intend to reply to you directly. >>>> >>>> ---------- Forwarded message --------- >>>> From: Tim Hawes <trha...@gmail.com> >>>> Date: Mon, Mar 21, 2022 at 9:35 PM >>>> Subject: Re: How to connect cl+ssl with host ca verification? >>>> To: Sabra Crolleton <sabra.crolle...@gmail.com> >>>> >>>> >>>> That works, but it looks like the root ca has to be added to the >>>> system. If using psql I could specify where all the certs I want to use to >>>> connect with like so: >>>> >>>> $>psql "port=5432 host=localhost user=postgres >>>> sslcert=./test/client.crt sslkey=./test/client.key >>>> sslrootcert=./test/server.crt sslmode=verify-full" >>>> Is there an equivalent in Postmodern? >>>> >>>> On Mon, Mar 21, 2022 at 8:36 PM Sabra Crolleton < >>>> sabra.crolle...@gmail.com> wrote: >>>> >>>>> The cl-postgres (open-database ...) function has :use-ssl as a key >>>>> parameter where the parameter values: >>>>> >>>>> - :try means if the server supports it >>>>> - :require means use provided ssl certificate with no verification >>>>> - :yes means verify that the server cert is issued by a trusted >>>>> CA, but does not verify the server hostname >>>>> - :full means expect a CA-signed cert for the supplied hostname >>>>> and verify the server hostname >>>>> >>>>> This is mirrored in the postmodern (connect ...) function. >>>>> >>>>> If I understand your question correctly, you want to use :full as the >>>>> parameter passed to :use-ssl. E.g. >>>>> >>>>>> (connect "test_db" "test-user" "test-password" "192.168.5.223" >>>>>> :port 5434 :pooled-p t :use-ssl :full) >>>>>> >>>>>> But maybe I am not understanding your question correctly. >>>>> >>>>> Sabra >>>>> >>>>> On Mon, Mar 21, 2022 at 7:50 PM Tim Hawes <trha...@gmail.com> wrote: >>>>> >>>>>> I am not finding any helpful information in how to connect to >>>>>> PostgreSQL using client key/client cert and a root ca for verifying the >>>>>> host with Postmodern. Can someone send me an example? >>>>>> >>>>>