Re: Client certificate based AUTH (ssl_client_certificate vs ssl_trusted_certificate)

Although this is an old post, I landed on it when asking myself the same type of question, so I am posting this reply in case it helps. I wanted to avoid sending a list of trusted CAs to the client during the initial TLS negotiation, especially as this can result in a relatively large payload sent during the TLS session setup if many CAs are trusted.

I then wondered how I could use ssl_trusted_certificate as this is indeed described with "the list of these certificates will not be sent to clients".

I figured out how to achieve that. I wish the nginx documentation described that better.
The configuration required is to use "ssl_verify_client optional_no_ca". In such a case, and if "ssl_client_certificate" isn't defined, no list of CAs is sent and a client certificate is requested, but is optional.

nginx verifies the client certificate against the list of CAs defined in ssl_trusted_certificate and sets the variable $ssl_client_verify accordingly. It is then important to check the content of this variable in the configuration file to accept or reject the request: "NONE" if no client certificate was sent, "SUCCESS" if the certificate is verified, and "FAILED:reason..." if verification failed.
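The configuration described in the post, written out as an added example (this is not the original poster's configuration). All file paths, the hostname and the upstream address are placeholders; the directives and the $ssl_client_verify values are the real nginx ones named in the post.

```nginx
# Added example: client-certificate authentication without advertising the
# accepted CA list in the TLS handshake. Paths/hostnames are placeholders.
server {
    listen 443 ssl;
    server_name example.internal;                      # placeholder

    ssl_certificate     /etc/nginx/tls/server.crt;     # placeholder
    ssl_certificate_key /etc/nginx/tls/server.key;     # placeholder

    # Deliberately no ssl_client_certificate directive: with it absent,
    # nginx sends no CA list when it requests the client certificate.

    # CAs used to verify client certificates; this list is NOT sent to clients.
    ssl_trusted_certificate /etc/nginx/tls/trusted-client-cas.pem;   # placeholder
    ssl_verify_depth 2;

    # Request a client certificate but never let nginx reject the handshake on
    # its own; the verification outcome is exposed in $ssl_client_verify.
    ssl_verify_client optional_no_ca;

    location / {
        # With optional_no_ca the TLS layer accepts every connection, so the
        # check below is what actually enforces authentication:
        #   NONE           -> no certificate presented
        #   FAILED:<reason> -> presented but not chaining to a trusted CA
        #   SUCCESS        -> verified against ssl_trusted_certificate
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        proxy_pass http://127.0.0.1:8080;               # placeholder upstream
        # Pass the outcome and subject DN so the backend can log/authorize on them.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
    }
}
```

The important property to verify after deploying this is that the 403 branch really is reached for both the NONE and the FAILED cases, because unlike "ssl_verify_client on", nothing at the TLS layer rejects an unauthenticated client. Any location that must be protected needs its own check (or inherits it via a shared include); a location without the check is reachable by anyone who completes the handshake.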
