From af47d04002b9b4577466afbdc0c8844c1925645a Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Wed, 17 Mar 2021 12:22:51 -0400 Subject: [PATCH] Clarify that TLS parameters in listeners are valid only for api usage. --- .../docs/configuration/listener/tcp.mdx | 17 +++++++-- .../docs/configuration/listener/unix.mdx | 38 ++++++++++++------- 2 files changed, 37 insertions(+), 18 deletions(-) diff --git a/website/content/docs/configuration/listener/tcp.mdx b/website/content/docs/configuration/listener/tcp.mdx index d348d7fc21..b0869c4071 100644 --- a/website/content/docs/configuration/listener/tcp.mdx +++ b/website/content/docs/configuration/listener/tcp.mdx @@ -24,6 +24,8 @@ allowed. ## `tcp` Listener Parameters +### General + - `purpose` `(string: "")` - Specifies the purpose. Can be `api`, `cluster`, or `proxy`. @@ -59,11 +61,18 @@ allowed. request duration allowed before Boundary cancels the request. This overrides `default_max_request_duration` for this listener. +### TLS + +~> All `tls` parameters are valid only for the `api` listener. `cluster` and +`proxy` connections use their own ephemeral TLS stacks. For more information, +see [the connections security concepts +page](https://www.boundaryproject.io/docs/concepts/security/connections-tls). + - `tls_disable` `(string: "false")` – Specifies if TLS will be disabled. Boundary assumes TLS by default, so you must explicitly disable TLS to opt-in to insecure communication. -- `tls_cert_file` `(string: ` – +- `tls_cert_file` `(string: )` – Specifies the path to the certificate for TLS. To configure the listener to use a CA certificate, concatenate the primary certificate and the CA certificate together. The primary certificate should appear first in the 
@@ -71,7 +80,7 @@ allowed. used for reloading the certificate; modifying this value while Boundary is running will have no effect for `SIGHUP`s. -- `tls_key_file` `(string: ` – +- `tls_key_file` `(string: )` – Specifies the path to the private key for the certificate. If the key file is encrypted, you will be prompted to enter the passphrase on server startup. The passphrase must stay the same between key files when reloading your @@ -82,13 +91,13 @@ allowed. - `tls_min_version` `(string: "tls12")` – Specifies the minimum supported version of TLS. Accepted values are "tls10", "tls11", "tls12" or "tls13". - ~> **Warning**: TLS 1.1 and lower are generally considered insecure. + !> TLS 1.1 and lower are generally considered insecure. - `tls_max_version` `(string: "tls13")` – Specifies the maximum supported version of TLS, useful if appliances (e.g. load balancers) are not yet capable of higher levels. Accepted values are "tls10", "tls11", "tls12" or "tls13". - ~> **Warning**: TLS 1.1 and lower are generally considered insecure. + !> TLS 1.1 and lower are generally considered insecure. - `tls_cipher_suites` `(string: "")` – Override the default list of supported ciphersuites (which varies by TLS version) with the the specified diff --git a/website/content/docs/configuration/listener/unix.mdx b/website/content/docs/configuration/listener/unix.mdx index 66b2f99e1e..4448e2fa30 100644 --- a/website/content/docs/configuration/listener/unix.mdx +++ b/website/content/docs/configuration/listener/unix.mdx @@ -26,6 +26,8 @@ allowed. ## `unix` Listener Parameters +### General + - `purpose` `(string: "")` - Specifies the purpose. Can be `api` or `cluster`. - `address` `(string: "")` – Specifies the address (filesystem path) to bind to 
@@ -60,22 +62,29 @@ allowed. request duration allowed before Boundary cancels the request. This overrides `default_max_request_duration` for this listener. +### TLS + +~> All `tls` parameters are valid only for the `api` listener. `cluster` and +`proxy` connections use their own ephemeral TLS stacks. For more information, +see [the connections security concepts +page](https://www.boundaryproject.io/docs/concepts/security/connections-tls). + - `tls_disable` `(string: "false")` – Specifies if TLS will be disabled. Boundary assumes TLS by default, so you must explicitly disable TLS to opt-in to insecure communication. -- `tls_cert_file` `(string: , reloads-on-SIGHUP)` – +- `tls_cert_file` `(string: )` – Specifies the path to the certificate for TLS. To configure the listener to use a CA certificate, concatenate the primary certificate and the CA certificate together. The primary certificate should appear first in the - combined file. On `SIGHUP`, the path set here _at Boundary startup_ will be used - for reloading the certificate; modifying this value while Boundary is running - will have no effect for `SIGHUP`s. - -- `tls_key_file` `(string: , reloads-on-SIGHUP)` – - Specifies the path to the private key for the certificate. If the key file - is encrypted, you will be prompted to enter the passphrase on server startup. - The passphrase must stay the same between key files when reloading your + combined file. On `SIGHUP`, the path set here _at Boundary startup_ will be + used for reloading the certificate; modifying this value while Boundary is + running will have no effect for `SIGHUP`s. + +- `tls_key_file` `(string: )` – + Specifies the path to the private key for the certificate. If the key file is + encrypted, you will be prompted to enter the passphrase on server startup. The + passphrase must stay the same between key files when reloading your configuration using `SIGHUP`. 
On `SIGHUP`, the path set here _at Boundary startup_ will be used for reloading the certificate; modifying this value while Boundary is running will have no effect for `SIGHUP`s. @@ -83,17 +92,18 @@ allowed. - `tls_min_version` `(string: "tls12")` – Specifies the minimum supported version of TLS. Accepted values are "tls10", "tls11", "tls12" or "tls13". - ~> **Warning**: TLS 1.1 and lower are generally considered insecure. + !> TLS 1.1 and lower are generally considered insecure. - `tls_max_version` `(string: "tls13")` – Specifies the maximum supported version of TLS, useful if appliances (e.g. load balancers) are not yet capable of higher levels. Accepted values are "tls10", "tls11", "tls12" or "tls13". - ~> **Warning**: TLS 1.1 and lower are generally considered insecure. + !> TLS 1.1 and lower are generally considered insecure. -- `tls_cipher_suites` `(string: "")` – Specifies the list of supported - ciphersuites as a comma-separated-list. The list of all available ciphersuites - is available in the [Golang TLS documentation][golang-tls]. +- `tls_cipher_suites` `(string: "")` – Override the default list of supported + ciphersuites (which varies by TLS version) with the the specified + comma-delimited list. The list of all available ciphersuites is available in + the [Golang TLS documentation][golang-tls]. - `tls_prefer_server_cipher_suites` `(string: "false")` – Specifies to prefer the server's ciphersuite over the client ciphersuites.
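Review bot: in the tcp.mdx hunks that touch `tls_cert_file` and `tls_key_file`, the repaired signature `(string: )` still leaves the default empty after the colon, which is inconsistent with every other parameter on the page (`purpose` `(string: "")`, `tls_disable` `(string: "false")`). If these parameters have no default, write `(string: "")` like `purpose` so the rendered list is uniform, and apply the same form in the matching unix.mdx hunk.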
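Review bot: the `### TLS` callout added to unix.mdx says "`cluster` and `proxy` connections use their own ephemeral TLS stacks", but the unchanged `purpose` line in the `### General` hunk of the same file states the unix listener accepts only `api` or `cluster`. The sentence was copied from tcp.mdx; for unix.mdx it should read "`cluster` connections use their own ephemeral TLS stack" (or otherwise drop `proxy`) so the callout does not imply a purpose the listener does not support.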
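Review bot: the rewritten `tls_cipher_suites` entry in unix.mdx contains the doubled word in "with the the specified comma-delimited list"; the same typo is visible in the unchanged context of the tcp.mdx hunk it was copied from, so fix it in both files while this text is being touched.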
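Review bot: the unix.mdx hunk for `tls_cert_file` and `tls_key_file` reflows several unchanged sentences and silently drops the `reloads-on-SIGHUP` marker from both signatures, yet the commit message only describes the "valid only for `api`" clarification; the same is true of the `~> **Warning**` to `!>` callout changes and the `tls_cipher_suites` rewrite. Either keep the whitespace-only reflow out of this change or extend the commit message to list the marker removal, the callout change and the cipher-suite wording so reviewers and readers of `git log` are not surprised.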