MIM-2360 Update documentation to reflect just_tls as a default TLS lib in C2S
Andrzej Telezynski committed Jan 21, 2025
1 parent 0f06f95 commit 5e5c3c1
Showing 3 changed files with 11 additions and 6 deletions.
9 changes: 6 additions & 3 deletions doc/configuration/TLS-hardening.md
@@ -16,7 +16,9 @@ The former one is used primarily by MIM dependencies, while the latter is used o
None of them is strictly better than the other.
Below you may find a summary of the differences between them.

* `fast_tls` is faster
* `fast_tls` used to be faster, however with the progress of OTP TLS implementation
and additional optimisations applied in MongooseIM this is no longer true.
* `fast_tls` may use slightly less memory per connection and a a bit less processor time than `just_tls`.
* There are options that OTP TLS (a.k.a `just_tls` in the C2S listener configuration) supports exclusively:
* Immediate connection drop when the client certificate is invalid
* Certificate Revocation Lists
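Review bot: the added bullet `* \`fast_tls\` may use slightly less memory per connection and a a bit less processor time than \`just_tls\`.` has a doubled article ("a a bit"), and its "a bit less processor time" claim sits awkwardly right after the preceding bullet states that `fast_tls` is no longer faster; either drop the processor-time clause or qualify it (e.g. "marginally less CPU per connection, which no longer shows up as higher throughput"). The preceding bullet is also hard-wrapped across two lines while this one is not; pick one wrapping style for the list.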
@@ -48,7 +50,7 @@ The remaining valid values are: `'tlsv1.1'`, `tlsv1`, `sslv3`.

This setting affects the following MongooseIM components:

* Raw XMPP over TCP connections, if a C2S listener is configured to use `just_tls`
* Raw XMPP over TCP connections (C2S listener) in the default configuration uses `just_tls`
* All outgoing connections (databases, AMQP, SIP etc.)
* HTTP endpoints

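Review bot: the rewritten bullet `* Raw XMPP over TCP connections (C2S listener) in the default configuration uses \`just_tls\`` has a number-agreement error ("connections ... uses") and drops the condition the old wording carried: a C2S listener explicitly configured with `fast_tls` is still not affected by this setting. Suggest: `* Raw XMPP over TCP connections (C2S listener), unless the listener is explicitly configured to use \`fast_tls\``.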
@@ -60,7 +62,8 @@ By default, MongooseIM sets this option to `TLSv1.2:TLSv1.3` for each component.

The list below enumerates all components that use Fast TLS and describes how to change this string.

* `listen.c2s` - main user session abstraction + XMPP over TCP listener
* `listen.c2s` - main user session abstraction + XMPP over TCP listener, when configured to use `fast_tls`
* Note that usage of `fast_tls` for C2S has been deprecated
* Please consult the respective section in [Listener modules](../listeners/listen-c2s.md#listenc2stlsprotocol_options-only-for-fast_tls).
* `listen.s2s` - incoming S2S connections (XMPP Federation)
* Please consult the respective section in [Listener modules](../listeners/listen-s2s.md#tls-options-for-s2s).
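Review bot: the new sub-bullet `* Note that usage of \`fast_tls\` for C2S has been deprecated` says neither which option controls this nor what a reader should do about it; someone arriving here to tune `protocol_options` will want to know that the selector is `listen.c2s.tls.module` and that its default is now `just_tls`. Suggest: `* Note that usage of \`fast_tls\` for C2S is deprecated; new deployments should keep the default \`tls.module = "just_tls"\`.`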
2 changes: 1 addition & 1 deletion doc/configuration/configuration-files.md
@@ -63,8 +63,8 @@ By default only the following applications can be found there:

TLS is configured in one of two ways: some modules need a private key and certificate (chain) in __separate__ files, while others need both in a __single__ file. This is because recent additions use OTP's `ssl` library, while older modules use `p1_tls`, respectively.

* Client-to-server connections need both in the __same__ `.pem` file
* Server-to-server connections need both in the __same__ `.pem` file
* Client-to-server connections need them in __separate__ files
* BOSH, WebSockets and REST APIs need them in __separate__ files

In order to create private key & certificate bundle, you may simply concatenate them.
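Review bot: `* Client-to-server connections need them in __separate__ files` is now unconditional, but the `listen-c2s.md` and `TLS-hardening.md` changes in this same commit keep `fast_tls` as a supported (if deprecated) choice for C2S, and the removed line `* Client-to-server connections need both in the __same__ \`.pem\` file` was the documentation for that case. Suggest keeping both cases: `* Client-to-server connections need them in __separate__ files with the default \`just_tls\`, or in the __same__ \`.pem\` file with the deprecated \`fast_tls\``.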
6 changes: 4 additions & 2 deletions doc/listeners/listen-c2s.md
@@ -89,10 +89,12 @@ This option determines how clients are supposed to set up the TLS encryption:

### `listen.c2s.tls.module`
* **Syntax:** string, one of `"just_tls"`, `"fast_tls"`
* **Default:** `"fast_tls"`
* **Default:** `"just_tls"`
* **Example:** `tls.module = "just_tls"`

By default, the TLS library used for C2S connections is `fast_tls`, which uses OpenSSL-based NIFs. It is possible to change it to `just_tls` - Erlang TLS implementation provided by OTP. Some TLS-related options described here have different formats for these two libraries.
By default, the TLS library used for C2S connections is `just_tls` - Erlang TLS implementation provided by OTP.
Usage of `fast_tls`, which uses OpenSSL-based NIFs for C2S is deprecated, however it is still possible to use this option.
Some TLS-related options described here have different formats for these two libraries.

### `listen.c2s.tls.verify_mode`
* **Syntax:** string, one of `"peer"`, `"selfsigned_peer"`, `"none"`
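Review bot: in `Usage of \`fast_tls\`, which uses OpenSSL-based NIFs for C2S is deprecated, however it is still possible to use this option.` the relative clause is misplaced (it reads as "NIFs for C2S") and the comma before "however" splices two sentences; suggest `Using \`fast_tls\` for C2S, which relies on OpenSSL-based NIFs, is deprecated but still supported.` More importantly, since the default flips from `"fast_tls"` to `"just_tls"` in this hunk and the next sentence says the TLS options have different formats for the two libraries, an existing deployment that omits `tls.module` will have its listener options read in the `just_tls` format after upgrading; this section should tell such deployments to either set `tls.module = "fast_tls"` explicitly or migrate their TLS options (including the separate key and certificate files) before upgrading.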
