Client certificate based AUTH (ssl_client_certificate vs ssl_trusted_certificate)

Posted by stamster 
Hello,
I have client certificate based authorization defined in nginx as follows:


ssl_client_certificate /path/to/MY_CA_ROOT.pem;
ssl_verify_client optional;
ssl_verify_depth 2;

# special location - admin only access (with client cert signed by CA)
location /myApp/admin/ {
    if ($ssl_client_verify != SUCCESS) { return 403; }
}

Now, according to official documentation: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate

I wanted to change ssl_client_certificate in favor of ssl_trusted_certificate.

But when I do so:
instead of:

#ssl_client_certificate /path/to/MY_CA_ROOT.pem;
I set:
ssl_trusted_certificate /path/to/MY_CA_ROOT.pem;



Nginx complains:

nginx: [emerg] no ssl_client_certificate for ssl_client_verify


Are those two directives compatible or am I getting it wrong?

DOC says:
Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled.

In contrast to the certificate set by ssl_client_certificate, the list of these certificates will not be sent to clients.
bump

It seems these two directives are not derived from a compatible context after all?

Although this is an old post, I landed on it when asking myself the same type of question, so I am posting this reply in case it helps. I wanted to avoid sending a list of trusted CAs to the client during the initial TLS negotiation, especially as this can result in a relatively large payload sent during the TLS session setup if many CAs are trusted.

I then wondered how I could use ssl_trusted_certificate as this is indeed described with "the list of these certificates will not be sent to clients".

I figured out how to achieve that. I wish the nginx documentation described that better.
The configuration required is to use "ssl_verify_client optional_no_ca". In such a case, and if "ssl_client_certificate" isn't defined, no list of CAs is sent and a client certificate is requested, but is optional.

nginx verifies the client certificate against the list of CAs defined in ssl_trusted_certificate and sets the variable $ssl_client_verify accordingly. It is then important to check the content of this variable in the configuration file to accept or reject the request: "NONE" if no client certificate was sent, "SUCCESS" if the certificate is verified, and "FAILED:reason..." if verification failed.



Edited 1 time(s). Last edit at 07/27/2017 03:54AM by cvillerm.
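Putting the reply above together as a complete server block (an added example written for this page, not configuration from either poster); the certificate paths, server_name and backend address are placeholders. Because optional_no_ca enforces nothing at the TLS layer, the $ssl_client_verify check in the protected location is what actually gates access, and the log format records the verify result so rejected or unverified client certificates are visible in the access log.

```nginx
# Assumed to sit inside the http { } context.
# Make the verification outcome and client subject visible for monitoring.
log_format mtls '$remote_addr "$request" $status '
                'verify=$ssl_client_verify subject="$ssl_client_s_dn"';

# Only an exact SUCCESS result grants access; NONE and FAILED:... map to 0.
map $ssl_client_verify $admin_allowed {
    default 0;
    SUCCESS 1;
}

server {
    listen 443 ssl;
    server_name admin.example.test;                      # placeholder

    ssl_certificate     /etc/nginx/tls/server.crt;       # placeholder
    ssl_certificate_key /etc/nginx/tls/server.key;       # placeholder

    # CA bundle used to build the client chain. Unlike ssl_client_certificate,
    # the CA names in this file are not advertised in the CertificateRequest.
    ssl_trusted_certificate /etc/nginx/tls/MY_CA_ROOT.pem;  # placeholder
    ssl_verify_depth 2;

    # Ask for a client certificate but never abort the handshake; nginx still
    # runs chain verification and records the outcome in $ssl_client_verify.
    ssl_verify_client optional_no_ca;

    access_log /var/log/nginx/mtls.log mtls;             # placeholder path

    # Admin area: the handshake lets everyone through, so this check is the
    # only thing enforcing "certificate chained to MY_CA_ROOT".
    location /myApp/admin/ {
        if ($admin_allowed = 0) { return 403; }
        proxy_pass http://127.0.0.1:8080;                # placeholder backend
    }

    # Public part of the application, no certificate required.
    location /myApp/ {
        proxy_pass http://127.0.0.1:8080;                # placeholder backend
    }
}
```

Run `nginx -t` after editing; the "no ssl_client_certificate for ssl_client_verify" error from the first post appears only with `optional` or `on`, not with `optional_no_ca`.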