Fix and improve discovery TLS authentication comments in document

Change-Id: I9a39ab88244438ccfb8ce97c235c45ec1c421419 Signed-off-by: yacovm <yacovm@il.ibm.com>
hyperledger · Aug 17, 2020 · ea7ab2d · ea7ab2d
1 parent 6001547
commit ea7ab2d
Showing 1 changed file with 10 additions and 5 deletions.
diff --git a/docs/source/discovery-cli.md b/docs/source/discovery-cli.md
@@ -87,12 +87,17 @@ signerconfig:
 
 When the peer runs with TLS enabled, the discovery service on the peer
 requires the client to connect to it with mutual TLS, which means it
-needs to supply a TLS certificate. The peer is configured by default to
-request (but not to verify) client TLS certificates, so supplying a TLS
-certificate isn't needed (unless the peer's `tls.clientAuthRequired` is
-set to `true`).
+expects the client to authenticate using a TLS certificate. 
 
-When the discovery CLI's config file has a certificate path for
+However, the peer is configured by default to
+request (and verify if given, but not require) client TLS certificates. 
+Therefore, unless the peer's `tls.clientAuthRequired` is
+set to `true` (in which case it mandates client-side TLS authentication),
+TLS connections can be established to the peer but will be rejected in the 
+discovery application layer. To that end, the discovery CLI provides a 
+TLS certificate on its own if the user doesn't explicitly set one.
+
+More concretely, when the discovery CLI's config file has a certificate path for
 `peercacertpath`, but the `certpath` and `keypath` aren't configured as
 in the above - the discovery CLI generates a self-signed TLS certificate
 and uses this to connect to the peer.