On Mon, Mar 21, 2022 at 9:37 PM Tim Hawes trhawes@gmail.com wrote:
Sorry Sabra, I didn't intend to reply to you directly.
---------- Forwarded message ---------
From: Tim Hawes trhawes@gmail.com
Date: Mon, Mar 21, 2022 at 9:35 PM
Subject: Re: How to connect cl+ssl with host ca verification?
To: Sabra Crolleton sabra.crolleton@gmail.com
That works, but it looks like the root ca has to be added to the system. If using psql I could specify where all the certs I want to use to connect with like so:
$>psql "port=5432 host=localhost user=postgres sslcert=./test/client.crt sslkey=./test/client.key sslrootcert=./test/server.crt sslmode=verify-full"
Is there an equivalent in Postmodern?
On Mon, Mar 21, 2022 at 8:36 PM Sabra Crolleton sabra.crolleton@gmail.com wrote:
The cl-postgres (open-database ...) function has :use-ssl as a key parameter where the parameter values are:
- :try means if the server supports it
- :require means use provided ssl certificate with no verification
- :yes means verify that the server cert is issued by a trusted CA,
but does not verify the server hostname
- :full means expect a CA-signed cert for the supplied hostname and
verify the server hostname
This is mirrored in the postmodern (connect ...) function.
If I understand your question correctly, you want to use :full as the parameter passed to :use-ssl. E.g.
(connect "test_db" "test-user" "test-password" "192.168.5.223" :port 5434 :pooled-p t :use-ssl :full)
But maybe I am not understanding your question correctly.
Sabra
On Mon, Mar 21, 2022 at 7:50 PM Tim Hawes trhawes@gmail.com wrote:
I am not finding any helpful information in how to connect to PostgreSQL using client key/client cert and a root ca for verifying the host with Postmodern. Can someone send me an example?
On Tue, Mar 22, 2022 at 8:50 PM Sabra Crolleton sabra.crolleton@gmail.com wrote:
Postmodern uses cl+ssl and I do not see cl+ssl using a root ca. Maybe I am missing something in that library?
On Thu, Mar 24, 2022 at 10:53 AM Tim Hawes trhawes@gmail.com wrote:
I haven't looked at the code, but apparently, it checks if the rootCA is registered in the system. This works if I have added the rootCA system-wide:
(let ((cl-postgres:*ssl-certificate-file* "/some/path/to/cert.crt")
      (cl-postgres:*ssl-key-file* "/some/path/to/a-key.key"))
  (postmodern:with-connection '("dbname" "dbuser" "password" "some-remote-server.lan" :port 5432 :use-ssl :full)
    (postmodern:query (:select '* :from 'table))))
On Thu, Mar 24, 2022 at 10:54 AM Tim Hawes trhawes@gmail.com wrote:
It would be nice to be able to specify the root CA explicitly.
On Sat, Mar 26, 2022 at 2:01 PM Sabra Crolleton sabra.crolleton@gmail.com wrote:
Do either of the following cl+ssl functions called before making the postmodern query work to give cl+ssl the appropriate root CA?
(cl+ssl:use-certificate-chain-file "/some/path/to/your-pem-file.pem")
or
(cl+ssl:ssl-load-global-verify-locations
 '("/some/path/to/your-pem-file.pem"))
Thank you! I got (cl+ssl:ssl-load-global-verify-locations "/path/to/root/ca") to work with the aforementioned code. But note that it does not look for an actual list of pathnames but takes multiple parameters collected with &rest.
postmodern-devel@common-lisp.net
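The configuration this thread arrives at, put together as an added example (not code posted by either participant): load the root CA into cl+ssl, bind the client certificate and key, connect with :use-ssl :full, and confirm from the server side that the session is encrypted. All paths, the host, the database name and the credentials are placeholders; the names check-readable and query-over-verified-tls are hypothetical; the pg_stat_ssl check assumes PostgreSQL 9.5 or later.

```lisp
;; Added example. Assumes the postmodern and cl+ssl systems are loaded,
;; e.g. (ql:quickload '(:postmodern :cl+ssl)).
;; All file paths, host and credentials below are placeholders.
(defparameter *root-ca* "/path/to/root/ca")
(defparameter *client-cert* "/some/path/to/cert.crt")
(defparameter *client-key* "/some/path/to/a-key.key")

(defun check-readable (path)
  "Hypothetical helper: fail early with a clear message if PATH is missing."
  (or (probe-file path)
      (error "TLS file not found: ~a" path)))

(defun query-over-verified-tls (sql)
  "Hypothetical helper: run SQL on a connection verified against *ROOT-CA*.
Returns the query result and the (ssl version cipher) row as two values."
  (mapc #'check-readable (list *root-ca* *client-cert* *client-key*))
  ;; Pathnames are separate arguments (&rest), not a list of pathnames.
  ;; This loads the CA into cl+ssl's global context, so it applies to
  ;; every cl+ssl connection made from this Lisp image afterwards.
  (cl+ssl:ssl-load-global-verify-locations *root-ca*)
  (let ((cl-postgres:*ssl-certificate-file* *client-cert*)
        (cl-postgres:*ssl-key-file* *client-key*))
    ;; :full verifies both the CA chain and the server hostname, so the
    ;; host string must match a name in the server certificate.
    (postmodern:with-connection '("dbname" "dbuser" "password"
                                  "some-remote-server.lan"
                                  :port 5432 :use-ssl :full)
      ;; pg_stat_ssl has one row per backend; ssl is true when the
      ;; session is encrypted.
      (let ((tls (postmodern:query
                  "select ssl, version, cipher from pg_stat_ssl
                   where pid = pg_backend_pid()"
                  :row)))
        (unless (first tls)
          (error "Connection to the server is not using TLS"))
        (values (postmodern:query sql) tls)))))

;; Usage: (query-over-verified-tls "select 1")
```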