With wsrep_sst_mariabackup, and sst encrypt 2 or 3 the role of donor or joiner controls if we are a listener or a connector.
However the parameters tca, tpem, and tkey are not role specific, despite the fact that in some environments the client and server certificates are different for the same instance.
This is further complicated by the possibility of those roles changing due to a failure and later recovery of the primary node in a cluster.
It looks like a change to wsrep_sst_mariabackup to optionally allow for separate joiner and donor tca, tcert, and tkey values would be reasonable trivial.
Would a patch to implement this be welcome? And if so, are there any preferred names for the options?
(If not, I will likely implement it as ssl_client_key, ssl_client_ca, and ssl_client_cert, as well as ssl_server_key, ssl_server_ca, and ssl_server_cert.)