Hello everyone,

Can you plz help me to answer below question?

Does this also applies to TCP connections? (https://forum.nginx.org/read.php?29,285549,285550#msg-285550)
* nginx approach is to proceed with handshake
regardless of client certificate verification results, and then
reject requests on HTTP level (and/or just make verification
results available for logging)

I have tried to use ngx_stream_return_module (return $ssl_client_verify) but no exception is listed in the client.
Is there a way to return the exception? The client is written in Python with pyopenssl.


Client

def load_context(self):

context = ssl.SSLContext(
ssl.PROTOCOL_TLS_CLIENT
)

context.load_verify_locations(self.server_cafile)
context.load_cert_chain(
self.client_certfile, self.client_keyfile
)

return context





def connect(self, context):

_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s_sock = context.wrap_socket(
_sock , server_hostname=self.hostname,
do_handshake_on_connect=False
)
s_sock.settimeout(5)


s_sock.connect(
(self.ip_address, self.port)
)


try:

s_sock.do_handshake()
return s_sock

except ssl.SSLError as exc:
raise SystemExit('Error: {0}'.format(exc))




Nginx configuration


stream {
log_format basic '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received $session_time'
'"$upstream_addr" "$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';


access_log /var/log/nginx/access.log basic;
error_log /var/log/nginx/error.log debug;

upstream backend {
zone upstreams 64K;
server 127.0.0.1:3330 max_fails=3 fail_timeout=10s;
}


server {
listen *:330 ssl;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;

ssl_certificate /etc/nginx/ssl/server.pem;
ssl_certificate_key /etc/nginx/ssl/server.key;

ssl_session_cache shared:SSL:20m;
ssl_session_timeout 4h;
ssl_handshake_timeout 30s;

ssl_verify_depth 2;
ssl_verify_client on;
ssl_client_certificate /etc/nginx/ssl/ca-client.pem;

#return $ssl_client_verify;

proxy_ssl off;
proxy_pass backend;
}
}