id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1902	Cannot use ssl_trusted_certificate to verify clients	jkman340@…		"In my config, I set the following to validate client certificates:
        ssl_verify_client               on;
        ssl_trusted_certificate         /usr/local/nginx/ssl/ca.crt;
        ssl_crl                         /usr/local/nginx/ssl/crl.pem;

The server fails to start with error: nginx: [emerg] no ssl_client_certificate for ssl_verify_client

If I change the configuration to the following, the server starts.
        ssl_verify_client               on;
        ssl_client_certificate          /usr/local/nginx/ssl/ca.crt;
        ssl_crl                         /usr/local/nginx/ssl/crl.pem;

I am not using OCSP or stapling, just verification against a CA/CRL.

Reading through the docs, the descriptions for both of the options 'ssl_trusted_certificate' and 'ssl_client_certificate' are the same. ""Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled."" The only difference is whether the list of certificates is sent to the client.
"	defect	new	minor		other	1.17.x				Linux dev-02 4.4.0-170-generic #199-Ubuntu SMP Thu Nov 14 01:45:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux	"nginx version: nginx/1.17.6
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12) 
built with OpenSSL 1.1.1d  10 Sep 2019
TLS SNI support enabled
configure arguments: --with-openssl=/usr/local/src/nginx/openssl-1.1.1d --without-http_ssi_module --without-http_userid_module --without-http_geo_module --without-http_auth_basic_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-pcre --with-http_ssl_module --with-stream --with-stream_ssl_module
"
