From 3f9ebae2d3d5088298bea55401a16265cdec0769 Mon Sep 17 00:00:00 2001 From: YangKeao Date: Sat, 11 Oct 2025 17:26:19 +0800 Subject: [PATCH 1/2] This is an automated cherry-pick of #21811 Signed-off-by: ti-chi-bot --- enable-tls-between-components.md | 49 +++++++++++++++++++++++++++++++- 1 file changed, 48 insertions(+), 1 deletion(-) diff --git a/enable-tls-between-components.md b/enable-tls-between-components.md index c7ebfe9d87cd6..e8f13d3e57c75 100644 --- a/enable-tls-between-components.md +++ b/enable-tls-between-components.md @@ -160,7 +160,7 @@ To verify the caller's identity for a component, you need to mark the certificat > **Note:** > > - Starting from v8.4.0, the PD configuration item `cert-allowed-cn` supports multiple values. You can configure multiple `Common Name` in the `cluster-verify-cn` configuration item for TiDB and in the `cert-allowed-cn` configuration item for other components as needed. Note that TiUP uses a separate identifier when querying component status. For example, if the cluster name is `test`, TiUP uses `test-client` as the `Common Name`. -> - For v8.3.0 and earlier versions, the PD configuration item `cert-allowed-cn` can only be set to a single value. Therefore, the `Common Name` of all authentication objects must be set to the same value. For related configuration examples, see [v8.3.0 documentation](https://docs.pingcap.com/tidb/v8.3/enable-tls-between-components). +> - For v8.3.0 and earlier versions, the PD configuration item `cert-allowed-cn` can only be set to a single value. Therefore, the `Common Name` of all authentication objects must be set to the same value. For related configuration examples, see [v8.3.0 documentation](https://docs-archive.pingcap.com/tidb/v8.3/enable-tls-between-components/). - TiDB 
@@ -205,6 +205,53 @@ To verify the caller's identity for a component, you need to mark the certificat cert-allowed-cn = ["tidb", "tikv", "tiflash", "prometheus"] ``` +<<<<<<< HEAD +======= +- TiProxy (New in v1.4.0) + + Configure in the configuration file: + + ```toml + [security] + [server-http-tls] + cert-allowed-cn = ["tiproxy", "tidb", "test-client", "prometheus"] + ``` + +## Validate TLS between TiDB components + +After configuring TLS for communication between TiDB components, you can use the following commands to verify that TLS has been successfully enabled. These commands print the certificate and TLS handshake details for each component. + +- TiDB + + ```sh + openssl s_client -connect :10080 -cert /path/to/client.pem -key /path/to/client-key.pem -CAfile ./ca.crt < /dev/null + ``` + +- PD + + ```sh + openssl s_client -connect :2379 -cert /path/to/client.pem -key /path/to/client-key.pem -CAfile ./ca.crt < /dev/null + ``` + +- TiKV + + ```sh + openssl s_client -connect :20160 -cert /path/to/client.pem -key /path/to/client-key.pem -CAfile ./ca.crt < /dev/null + ``` + +- TiFlash (New in v4.0.5) + + ```sh + openssl s_client -connect : -cert /path/to/client.pem -key /path/to/client-key.pem -CAfile ./ca.crt < /dev/null + ``` + +- TiProxy + + ```sh + openssl s_client -connect :3080 -cert /path/to/client.pem -key /path/to/client-key.pem -CAfile ./ca.crt < /dev/null + ``` + +>>>>>>> 68f2e3cd87 (security: add steps to validate TLS between components (#21811)) ## Reload certificates - If your TiDB cluster is deployed in a local data center, to reload the certificates and keys, TiDB, PD, TiKV, TiFlash, TiCDC, and all kinds of clients reread the current certificates and key files each time a new connection is created, without restarting the TiDB cluster. From b810199b70fbf08596a2a292e0b3399361f5b042 Mon Sep 17 00:00:00 2001 
From: xixirangrang Date: Mon, 13 Oct 2025 09:22:41 +0800 Subject: [PATCH 2/2] Apply suggestions from code review --- enable-tls-between-components.md | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/enable-tls-between-components.md b/enable-tls-between-components.md index e8f13d3e57c75..40a5f48b621a8 100644 --- a/enable-tls-between-components.md +++ b/enable-tls-between-components.md @@ -205,18 +205,6 @@ To verify the caller's identity for a component, you need to mark the certificat cert-allowed-cn = ["tidb", "tikv", "tiflash", "prometheus"] ``` -<<<<<<< HEAD -======= -- TiProxy (New in v1.4.0) - - Configure in the configuration file: - - ```toml - [security] - [server-http-tls] - cert-allowed-cn = ["tiproxy", "tidb", "test-client", "prometheus"] - ``` - ## Validate TLS between TiDB components After configuring TLS for communication between TiDB components, you can use the following commands to verify that TLS has been successfully enabled. These commands print the certificate and TLS handshake details for each component. @@ -251,7 +239,6 @@ After configuring TLS for communication between TiDB components, you can use the openssl s_client -connect :3080 -cert /path/to/client.pem -key /path/to/client-key.pem -CAfile ./ca.crt < /dev/null ``` ->>>>>>> 68f2e3cd87 (security: add steps to validate TLS between components (#21811)) ## Reload certificates - If your TiDB cluster is deployed in a local data center, to reload the certificates and keys, TiDB, PD, TiKV, TiFlash, TiCDC, and all kinds of clients reread the current certificates and key files each time a new connection is created, without restarting the TiDB cluster.
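Review bot: the only change in the first hunk of PATCH 1/2 (`@@ -160,7 +160,7 @@`) is the link swap from `https://docs.pingcap.com/tidb/v8.3/enable-tls-between-components` to `https://docs-archive.pingcap.com/tidb/v8.3/enable-tls-between-components/`, which is unrelated to the validation steps named in the commit subject and in the conflict marker (`security: add steps to validate TLS between components (#21811)`); confirm that this hunk was really part of #21811 on the source branch and that the archive URL resolves, otherwise carry the link fix as its own change so it can be reverted independently.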
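Review bot: the second hunk of PATCH 1/2 (`@@ -205,6 +205,53 @@`) commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 68f2e3cd87 (...)`) into enable-tls-between-components.md, so the page would render with them and with the TiProxy `cert-allowed-cn` block sitting inside the conflicted region; the conflict should be resolved in this commit rather than patched out in a follow-up. Two further points in the same hunk: every `openssl s_client -connect` line shows an empty host before the port (`-connect :10080`, `-connect :2379`, `-connect :20160`, `-connect :3080`) and the TiFlash line has neither host nor port (`-connect :`), so the placeholders need restoring (and the intended TiFlash port stating) or readers will copy a command that cannot connect; and the section promises the commands "verify that TLS has been successfully enabled" without saying what success looks like, so add a sentence telling readers to look for `Verify return code: 0 (ok)` in the s_client output and to repeat the command without `-cert`/`-key` to confirm the handshake is then rejected, because a handshake that still succeeds without a client certificate means the `cert-allowed-cn` client authentication configured above is not actually being enforced.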
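Review bot: the first hunk of PATCH 2/2 (`@@ -205,18 +205,6 @@`) removes the entire TiProxy `cert-allowed-cn` configuration block along with the conflict markers, while the following hunk keeps the TiProxy validation entry (`openssl s_client -connect :3080 ...`); the page on this branch would then tell readers to validate TLS on a component whose TLS configuration it never describes. Either the target branch has no TiProxy support, in which case the TiProxy validation entry should be dropped as well, or only the markers were meant to go, in which case the TiProxy block (`[security]` / `[server-http-tls]` / `cert-allowed-cn = ["tiproxy", "tidb", "test-client", "prometheus"]`) should be re-added outside the conflict region.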