diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index f02b93d76..6f37671c8 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -389,11 +389,19 @@ app-layer:
 # will be disabled by default, but enabled if rules require it.
 ja3-fingerprints: auto
- # Completely stop processing TLS/SSL session after the handshake
- # completed. If bypass is enabled this will also trigger flow
- # bypass. If disabled (the default), TLS/SSL session is still
- # tracked for Heartbleed and other anomalies.
- #no-reassemble: yes
+ # What to do when the encrypted communications start:
+ # - default: keep tracking TLS session, check for protocol anomalies,
+ # inspect tls_* keywords. Disables inspection of unmodified
+ # 'content' signatures.
+ # - bypass: stop processing this flow as much as possible. No further
+ # TLS parsing and inspection. Offload flow bypass to kernel
+ # or hardware if possible.
+ # - full: keep tracking and inspection as normal. Unmodified content
+ # keyword signatures are inspected as well.
+ #
+ # For best performance, select 'bypass'.
+ #
+ encryption-handling: bypass
 dcerpc:
 enabled: yes
 ftp:
@@ -810,6 +818,7 @@ stream:
 prealloc-sessions: 4096
 checksum-validation: yes # reject wrong csums
 inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
+ bypass: yes # Bypass packets when stream.reassembly.depth is reached.
 reassembly:
 memcap: 256mb
 depth: 1mb # reassemble 1mb into a stream
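Review bot: The new comment block above `encryption-handling: bypass` in the app-layer hunk recommends bypass for performance but drops the caveat the removed text carried, namely that a still-tracked TLS session is what gets checked for Heartbleed and other anomalies. By the block's own description, `bypass` means no further TLS parsing and inspection once encryption starts, so detections that depend on post-handshake records will presumably stop firing on this sensor. I would state that cost next to the setting, for example `# NOTE: 'bypass' ends TLS anomaly tracking (e.g. Heartbleed) once encryption starts; use 'default' where that detection is required.` The enclosing app-layer section starts and ends outside the hunk, so other settings may also bear on this.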
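Review bot: The inline comment on `bypass: yes` in the stream hunk names the trigger but not the detection consequence. With `depth: 1mb` visible just below, a flow that exceeds 1 MB of reassembled data is bypassed and its remaining traffic is no longer matched against rules. Since `inline: auto` sits just above, that presumably applies in IPS mode as well. I would make the coverage gap explicit, e.g. `bypass: yes # Stop inspecting a flow once stream.reassembly.depth is reached; later data on that flow is not checked against rules.`, and record why 1mb is an acceptable cut-off for this deployment. The stream section continues outside the hunk.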