diff --git a/website/content/docs/configuration/listener/tcp.mdx b/website/content/docs/configuration/listener/tcp.mdx index 8a27c6631f..f46665712c 100644 --- a/website/content/docs/configuration/listener/tcp.mdx +++ b/website/content/docs/configuration/listener/tcp.mdx @@ -25,7 +25,7 @@ allowed. ## `tcp` Listener Parameters - `purpose` `(string: "")` - Specifies the purpose. Can be `api`, `cluster`, or -`proxy`. + `proxy`. - `address` `(string: "127.0.0.1:9200")` – Specifies the address to bind to for listening. 
@@ -63,30 +63,25 @@ allowed. assumes TLS by default, so you must explicitly disable TLS to opt-in to insecure communication. -- `tls_cert_file` `(string: , reloads-on-SIGHUP)` – +- `tls_cert_file` `(string: ` – Specifies the path to the certificate for TLS. To configure the listener to use a CA certificate, concatenate the primary certificate and the CA certificate together. The primary certificate should appear first in the - combined file. On `SIGHUP`, the path set here _at Boundary startup_ will be used - for reloading the certificate; modifying this value while Boundary is running - will have no effect for `SIGHUP`s. + combined file. -- `tls_key_file` `(string: , reloads-on-SIGHUP)` – +- `tls_key_file` `(string: ` – Specifies the path to the private key for the certificate. If the key file is encrypted, you will be prompted to enter the passphrase on server startup. - The passphrase must stay the same between key files when reloading your - configuration using `SIGHUP`. On `SIGHUP`, the path set here _at Boundary - startup_ will be used for reloading the certificate; modifying this value - while Boundary is running will have no effect for `SIGHUP`s. - `tls_min_version` `(string: "tls12")` – Specifies the minimum supported version of TLS. Accepted values are "tls10", "tls11", "tls12" or "tls13". ~> **Warning**: TLS 1.1 and lower are generally considered insecure. -- `tls_cipher_suites` `(string: "")` – Specifies the list of supported - ciphersuites as a comma-separated-list. The list of all available ciphersuites - is available in the [Golang TLS documentation][golang-tls]. +- `tls_cipher_suites` `(string: "")` – Override the default list of supported + ciphersuites (which varies by TLS version) with the the specified + comma-delimited list. The list of all available ciphersuites is available in + the [Golang TLS documentation][golang-tls]. 
- `tls_prefer_server_cipher_suites` `(string: "false")` – Specifies to prefer the server's ciphersuite over the client ciphersuites.
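Review bot: In the second hunk (`@@ -63,30 +63,25 @@`), the `tls_cert_file` and `tls_key_file` entries lose every sentence about `SIGHUP` reloading and nothing replaces them, so a reader can no longer tell from this page how a rotated certificate or key gets picked up. If reloading is no longer supported for these files, say so in one sentence under each parameter; if it still is, keep the statement that the path set at startup is the one used on reload, and the passphrase requirement for encrypted keys. Two smaller points in the same hunk: the new `tls_cipher_suites` text reads "with the the specified", which should be "with the specified", and the added `tls_cert_file` and `tls_key_file` lines appear here as `(string: ` with no closing parenthesis, so check that the type annotation is still closed the way it is on `tls_min_version` and `tls_cipher_suites`.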