From 83fe8187f42b485d1ec7f18805ad7cdca5bb8e12 Mon Sep 17 00:00:00 2001
From: Brandon Philips <brandon@ifup.co>
Date: Sat, 4 Jul 2015 15:27:09 -0700
Subject: [PATCH] Documentation/security: add FAQ about peer TLS and etcd 2.0.x

etcd 2.0.x TLS can appear not to work on smaller machines with less
horse-power or lots of other work going on. Document the timeout
workaround.
---
 Documentation/security.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Documentation/security.md b/Documentation/security.md
index 29e01f3dd..84d3123b2 100644
--- a/Documentation/security.md
+++ b/Documentation/security.md
@@ -147,6 +147,13 @@ The etcd members will form a cluster and all communication between members in th
 
 ## Frequently Asked Questions
 
+### My cluster is not working with peer tls configuration?
+
+The internal protocol of etcd v2.0.x uses a lot of short-lived HTTP connections.
+So, when enabling TLS you may need to increase the heartbeat interval and election timeouts to reduce internal cluster connection churn.
+A reasonable place to start are these values: ` --heartbeat-interval 500 --election-timeout 2500`.
+This issues is resolved in the etcd v2.1.x series of releases which uses fewer connections.
+
 ### I'm seeing a SSLv3 alert handshake failure when using SSL client authentication?
 
 The `crypto/tls` package of `golang` checks the key usage of the certificate public key before using it.