- Pass joiner's authentication information to donor together with address in State Transfer Request. This allows joiner to authenticate donor on connection. Previously joiner would accept data from anywhere.
- Deprecate custom SSL configuration variables tca, tcert and tkey in favor of more familiar ssl-ca, ssl-cert and ssl-key. For backward compatibility tca, tcert and tkey are still supported.
- Allow falling back to server-wide SSL configuration in [mysqld] if no SSL configuration is found in [sst] section of the config file.
- Introduce ssl-mode variable in [sst] section that takes standard values and has following effects:
- old-style SSL configuration present in [sst]: no effect
- ssl-mode=DISABLED or absent: retains old, backward compatible behavior and ignores any other SSL configuration
- ssl-mode=VERIFY*: verify joiner's certificate and CN on donor, verify donor's secret on joiner (passed to donor via State Transfer Request)
- BACKWARD INCOMPATIBLE BEHAVIOR
- anything else enables new SSL configuration conventions but does not require verification ssl-mode should be set to VERIFY only in a fully upgraded cluster.