starttls

Syntax:  starttls on | off | only;
Default: starttls off;
Context: mail, server

on    allow usage of the STLS command for POP3 and the STARTTLS command for IMAP;
off   deny usage of the STLS and STARTTLS commands;
only  require a preliminary TLS transition.

ssl_verify_depth

Syntax:  ssl_verify_depth number;
Default: ssl_verify_depth 1;
Context: mail, server

This directive appeared in version 1.7.11.

Sets the verification depth in the client certificate chain.

ssl_verify_depth

Syntax:  ssl_verify_depth number;
Default: ssl_verify_depth 1;
Context: http, server

Sets the verification depth in the client certificate chain.

ssl_verify_client

Syntax:  ssl_verify_client on | off | optional | optional_no_ca;
Default: ssl_verify_client off;
Context: stream, server

This directive appeared in version 1.11.8.

Enables verification of client certificates. The verification result is stored in the $ssl_client_verify variable. If an error has occurred during the client certificate verification or a client has not presented the required certificate, the connection is closed. The optional parameter requests the client cer

ssl_verify_client

Syntax:  ssl_verify_client on | off | optional | optional_no_ca;
Default: ssl_verify_client off;
Context: mail, server

This directive appeared in version 1.7.11.

Enables verification of client certificates. The verification result is passed in the “Auth-SSL-Verify” header of the authentication request. The optional parameter requests the client certificate and verifies it if the certificate is present. The optional_no_ca parameter requests the client certificate but do

ssl_verify_client

Syntax:  ssl_verify_client on | off | optional | optional_no_ca;
Default: ssl_verify_client off;
Context: http, server

Enables verification of client certificates. The verification result is stored in the $ssl_client_verify variable. The optional parameter (0.8.7+) requests the client certificate and verifies it if the certificate is present. The optional_no_ca parameter (1.3.8, 1.2.5) requests the client certificate but does not require it to be signed by a trusted CA

ssl_trusted_certificate

Syntax:  ssl_trusted_certificate file;
Default: —
Context: stream, server

This directive appeared in version 1.11.8.

Specifies a file with trusted CA certificates in the PEM format used to verify client certificates. In contrast to the certificate set by ssl_client_certificate, the list of these certificates will not be sent to clients.

ssl_trusted_certificate

Syntax:  ssl_trusted_certificate file;
Default: —
Context: mail, server

This directive appeared in version 1.7.11.

Specifies a file with trusted CA certificates in the PEM format used to verify client certificates. In contrast to the certificate set by ssl_client_certificate, the list of these certificates will not be sent to clients.
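The following mail proxy configuration is an added illustration, not text from the nginx reference, showing how the mail-context directives described above (starttls, ssl_verify_client, ssl_verify_depth and ssl_trusted_certificate) fit together. The hostname, certificate paths and the auth_http backend address are constructed placeholders; auth_http is the ngx_mail_auth_http_module directive naming the authentication server that receives the Auth-SSL-Verify header.

```nginx
mail {
    # Hostname, backend address and file paths are constructed placeholders.
    server_name mail.example.com;
    auth_http   127.0.0.1:9000/auth;   # auth server that receives Auth-SSL-Verify

    ssl_certificate     /etc/nginx/tls/mail-fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/mail.key;

    # CA bundle used only to verify client certificates; unlike
    # ssl_client_certificate, these CA names are not sent to clients.
    ssl_trusted_certificate /etc/nginx/tls/client-cas.pem;

    # Client certificates issued through an intermediate CA need a depth
    # large enough to cover the intermediate; 2 is a safe value for one.
    ssl_verify_depth 2;

    # IMAP: refuse to proceed until the client issues STARTTLS, then
    # request a client certificate and verify it only if one is sent.
    server {
        listen   143;
        protocol imap;
        starttls only;
        ssl_verify_client optional;
    }

    # POP3: STLS is required and a client certificate is mandatory.
    server {
        listen   110;
        protocol pop3;
        starttls only;
        ssl_verify_client on;
    }
}
```

With starttls only, the proxy refuses the protocol commands that would carry credentials until the session has moved to TLS, so the authentication request the backend sees is always for an encrypted session, and its Auth-SSL-Verify header tells it whether a client certificate was presented and verified.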

ssl_trusted_certificate

Syntax:  ssl_trusted_certificate file;
Default: —
Context: http, server

This directive appeared in version 1.3.7.

Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled. In contrast to the certificate set by ssl_client_certificate, the list of these certificates will not be sent to clients.

ssl_stapling_verify

Syntax:  ssl_stapling_verify on | off;
Default: ssl_stapling_verify off;
Context: http, server

This directive appeared in version 1.3.7.

Enables or disables verification of OCSP responses by the server. For verification to work, the certificate of the server certificate issuer, the root certificate, and all intermediate certificates should be configured as trusted using the ssl_trusted_certificate directive.
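An HTTP server block, added here as an illustration rather than taken from the reference, that ties together the http-context directives above: ssl_verify_client optional, ssl_verify_depth, ssl_trusted_certificate and ssl_stapling_verify. The hostname, certificate paths, upstream address and resolver address are constructed placeholders; ssl_stapling, resolver, proxy_pass, proxy_set_header and $ssl_client_s_dn are standard nginx directives and variables that this page does not describe.

```nginx
http {
    # Addresses, hostname and file paths are constructed placeholders.
    resolver 127.0.0.53;   # lets nginx resolve the OCSP responder hostname

    server {
        listen      443 ssl;
        server_name api.example.com;

        ssl_certificate     /etc/nginx/tls/server-fullchain.pem;
        ssl_certificate_key /etc/nginx/tls/server.key;

        # One bundle serves two purposes here: it verifies client certificates
        # and, because ssl_stapling is on, the stapled OCSP responses. For
        # ssl_stapling_verify to succeed it must hold the server certificate's
        # issuer, every intermediate and the root. It is not sent to clients.
        ssl_trusted_certificate /etc/nginx/tls/trusted-cas.pem;
        ssl_verify_depth 2;

        ssl_stapling        on;
        ssl_stapling_verify on;

        # Request a client certificate but keep serving when none is sent;
        # the outcome lands in $ssl_client_verify for per-location decisions.
        ssl_verify_client optional;

        location /public/ {
            proxy_pass http://127.0.0.1:8080;
        }

        location /admin/ {
            # $ssl_client_verify is SUCCESS, NONE, or FAILED:<reason>.
            # Anything but SUCCESS (no certificate, untrusted issuer, or a
            # chain deeper than ssl_verify_depth allows) is refused here.
            if ($ssl_client_verify != SUCCESS) {
                return 403;
            }
            proxy_set_header X-Client-DN $ssl_client_s_dn;
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

Two practical points follow from the directive descriptions. First, because ssl_trusted_certificate is never advertised to clients, a client that picks its certificate from the issuer names in the server's CertificateRequest may send nothing; if that matters, the issuers clients should match against belong in ssl_client_certificate instead. Second, the optional mode only defers the decision: the protected location must still check $ssl_client_verify, otherwise a client with no certificate is served exactly like one with a verified certificate.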