Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/09/29 08:12:11 UTC

[GitHub] [pulsar] nodece commented on a diff in pull request #17808: [improve][doc] Improve TLS encryption

nodece commented on code in PR #17808:
URL: https://github.com/apache/pulsar/pull/17808#discussion_r983212330


##########
site2/docs/security-tls-transport.md:
##########
@@ -475,46 +407,97 @@ brokerClientTlsKeyStore=/var/private/tls/client.keystore.jks
 brokerClientTlsKeyStorePassword=clientpw
 ```
 
-:::note
+To disable non-TLS ports, you need to set the values of `brokerServicePort` and `webServicePort` to empty.
 
-It is important to restrict access to the store files via filesystem permissions.
+Optional settings:
+1. `tlsRequireTrustedClientCertOnConnect=true`: Enable TLS authentication on both brokers and clients for mutual TLS. When enabled, it authenticates the other end of the communication channel.
+2. `tlsCiphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`: A cipher suite is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS network protocol. By default, it is null. See [OpenSSL Ciphers](https://www.openssl.org/docs/man1.0.2/apps/ciphers.html) and [JDK Ciphers](http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites) for more details.
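
Review bot: The removed `:::note` on restricting access to the store files via filesystem permissions has no replacement in this hunk, and it sat directly below the `brokerClientTlsKeyStorePassword=clientpw` example, where the keystore password is written in plain text in the config file. Keep that sentence (as a note or as plain text) unless it is retained elsewhere in the page. In item 2, "By default, it is null" does not say what a null value means for cipher negotiation; state what the broker falls back to when `tlsCiphers` is unset. The JDK Ciphers link is also `http://` and could be switched to `https://`.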

Review Comment:
   Move 2 to `Configure TLS Protocol Version and Cipher`.


