nodece commented on code in PR #17808:
URL: https://github.com/apache/pulsar/pull/17808#discussion_r983212330


##########
site2/docs/security-tls-transport.md:
##########
@@ -475,46 +407,97 @@ 
brokerClientTlsKeyStore=/var/private/tls/client.keystore.jks
 brokerClientTlsKeyStorePassword=clientpw
 ```
 
-:::note
+To disable non-TLS ports, you need to set the values of `brokerServicePort` 
and `webServicePort` to empty.
 
-It is important to restrict access to the store files via filesystem 
permissions.
+Optional settings:
+1. `tlsRequireTrustedClientCertOnConnect=true`: Enable TLS authentication on 
both brokers and clients for mutual TLS. When enabled, it authenticates the 
other end of the communication channel.
+2. `tlsCiphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`: A cipher suite is a 
named combination of authentication, encryption, MAC and key exchange algorithm 
used to negotiate the security settings for a network connection using TLS 
network protocol. By default, it is null. See [OpenSSL 
Ciphers](https://www.openssl.org/docs/man1.0.2/apps/ciphers.html) and [JDK 
Ciphers](http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#ciphersuites)
 for more details.
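
Review bot: The removed `:::note` about restricting access to the store files via filesystem permissions has no replacement in the added lines, while the example just above it still shows `brokerClientTlsKeyStorePassword=clientpw` in the configuration file. Keep that sentence, for example after the paragraph on disabling non-TLS ports, unless it was moved elsewhere on the page. In the `tlsCiphers` item, say what the null default means in practice and note that the example value pins a single suite. The OpenSSL link targets the 1.0.2 man pages and the JDK link is plain `http`, so both could point at current HTTPS references.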

Review Comment:
   Move 2,3 to `Configure TLS Protocol Version and Cipher`.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to