diff --git a/envoy/api/v2/auth/cert.proto b/envoy/api/v2/auth/cert.proto
index 1393924e..dd71da5c 100644
--- a/envoy/api/v2/auth/cert.proto
+++ b/envoy/api/v2/auth/cert.proto
@@ -38,12 +38,14 @@ message TlsParameters {
   // Minimum TLS protocol version. By default, it's ``TLSv1_0``.
   TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum.defined_only = true];
 
-  // Maximum TLS protocol version. By default, it's ``TLSv1_2``.
+  // Maximum TLS protocol version. By default, it's ``TLSv1_3`` for servers in non-FIPS builds, and
+  // ``TLSv1_2`` for clients and for servers using :ref:`BoringSSL FIPS `.
   TlsProtocol tls_maximum_protocol_version = 2 [(validate.rules).enum.defined_only = true];
 
   // If specified, the TLS listener will only support the specified `cipher list
-  // `_.
-  // If not specified, the default list will be used.
+  // `_
+  // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not
+  // specified, the default list will be used.
   //
   // In non-FIPS builds, the default cipher list is:
   //
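Review bot: The two rewritten comments do not spell out their combined effect: with the maximum version now defaulting to TLSv1_3 on non-FIPS servers, and the cipher list stated to have no effect under TLS 1.3, a configured cipher list no longer constrains every connection on a server that leaves the maximum unset. An operator who pins ciphers for a compliance baseline would want that stated next to the cipher-list comment, for example `// To restrict every connection to this list, also set tls_maximum_protocol_version to TLSv1_2.` The same comment still says "the TLS listener", while the maximum-version comment now distinguishes clients from servers; it is worth stating whether the TLS 1.0-1.2 restriction applies to client contexts as well. The TlsParameters message continues past the end of the hunk, so the field this comment documents is not visible here.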