Enforce tls v1.2 for xtradb Cluster

Hi Team,
How can I enforce TLS 1.2 for 4567 port.
Currently tls_version=TLSv1.2* is already set in my.cnf but looks like it’s not enforced for the 4567 port.

because when I run openssl s_client -connect host_IP:4567 -tls1_1 I can still see valid output, I wanto to disable tls1.1 and enforce only use of tls1.2 for galera internal communication also.

can’t find any such option for wsrep_provider_options


1 Like

Hi @adi thanks for posting to the Percona forums!
Have you experimented with socket.ssl_cipher Galera Parameters — Galera Cluster Documentation

wsrep_provider_options = "socket.ssl_cipher=ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!SSLv3:!MD5:!RC4:!RSA"
1 Like

Thanks @Michael_Coburn, Will check it out.

1 Like