*: update the recent improvements about tls/security

[toutdesuite]

What is changed, added or deleted? (Required)

Which TiDB version(s) do your changes apply to? (Required)

• master (the latest development version)
• v4.0 (TiDB 4.0 versions)
• v3.1 (TiDB 3.1 versions)
• v3.0 (TiDB 3.0 versions)
• v2.1 (TiDB 2.1 versions)

If you select two or more versions from above, to trigger the bot to cherry-pick this PR to your desired release version branch(es), you must add corresponding labels such as needs-cherry-pick-4.0, needs-cherry-pick-3.1, needs-cherry-pick-3.0, and needs-cherry-pick-2.1.

What is the related PR or file link(s)?

• This PR is translated from: *: update the recent improvements about tls/security docs-cn#2417, *: fix typo for reload tls docs-cn#2933, how-to/secure: remove some week cipher suits docs-cn#2998 toc: add alter-instance in toc docs-cn#3068
• Other reference link(s):

[lysu]

LGTM

[TomShawn]

The first round of comments.

[TomShawn]

Suggested change

	- The **mutual authentication** between TiDB components, including the authentication among TiDB, TiKV, and PD, between TiDB Control and TiDB, between TiKV Control and TiKV, between PD Control and PD, between TiKV peers, and between PD peers. Once enabled, the mutual authentication applies to all components, rather than only part of the components.
	- The **mutual authentication** between TiDB components, including the authentication among TiDB, TiKV, and PD; the authentication between TiDB Control and TiDB, between TiKV Control and TiKV, between PD Control and PD; the authentication between TiKV peers, and between PD peers. Once enabled, the mutual authentication applies to all components, rather than to a part of the components.

[TomShawn]

Suggested change

	> The authentication between the MySQL Client and the TiDB server involves one set of certificates, while the authentication among TiDB components uses another set of certificates.
	> The authentication between the MySQL Client and the TiDB server uses one set of certificates, while the authentication among TiDB components uses another set of certificates.

[TomShawn]

Suggested change

When you need to replace the certificate, the key or CA, you can execute the [`ALTER INSTANCE RELOAD TLS`](/reference/sql/statements/alter-instance.md) statement on the running TiDB instance to reload the certificate ([`ssl-cert`](/reference/configuration/tidb-server/configuration-file.md#ssl-cert)), the key ([`ssl-key`](/reference/configuration/tidb-server/configuration-file.md#ssl-key)), and the CA ([`ssl-ca`](/reference/configuration/tidb-server/configuration-file.md#ssl-ca)) from the original configuration path, after replacing the corresponding file. In this case, you do not need to restart the TiDB instance.

To replace the certificate, the key or CA, first replace the corresponding files, then execute the [`ALTER INSTANCE RELOAD TLS`](/reference/sql/statements/alter-instance.md) statement on the running TiDB instance to reload the certificate ([`ssl-cert`](/reference/configuration/tidb-server/configuration-file.md#ssl-cert)), the key ([`ssl-key`](/reference/configuration/tidb-server/configuration-file.md#ssl-key)), and the CA ([`ssl-ca`](/reference/configuration/tidb-server/configuration-file.md#ssl-ca)) from the original configuration path. In this way, you do not need to restart the TiDB instance.

[TomShawn]

Suggested change

	The newly loaded certificate, key, and CA take effect on the connection established after the statement is successfully executed. They have no affect on the connection established before the statement is executed.
	The newly loaded certificate, key, and CA take effect on the connection that is established after the statement is successfully executed. The connection established before the statement execution is not affected.

[TomShawn]

Suggested change

	4. Make sure that the certificate (`ssl-cert`) configured by the TiDB server is signed by the CA specified by the client `--ssl-ca` parameter; otherwise, the authentication fails.
	4. Make sure that the certificate (`ssl-cert`) configured in the TiDB server is signed by the CA specified by the client `--ssl-ca` parameter; otherwise, the authentication fails.

[TomShawn]

Suggested change

By default, you can choose to authenticate the client from the server. Even if the client does not present its certificate of identification during the TLS handshake, the TLS connection can be established. You can also require the client to be authenticated through `require 509` when creating a user (`create user`), granting permissions (`grant`), or modifying an existing user (`alter user`). The following is an example of creating a user:

By default, the server-to-client authentication is optional. Even if the client does not present its certificate of identification during the TLS handshake, the TLS connection can be still established. You can also require the client to be authenticated by specifying `require 509` when creating a user (`create user`), granting permissions (`grant`), or modifying an existing user (`alter user`). The following is an example of creating a user:

[TomShawn]

@lysu Please confirm whether 如果登录用户已配置使用 TiDB 证书鉴权功能校验用户证书 means If the logged-in user has configured using the TiDB Certificate-Based Authentication for Login, thanks!

[lysu]

maybe we should remove "ed" from "logged-in user"? yes， you means we need "如果登录用户已配置使用 TiDB 证书鉴权功能校验用户证书" instead of "如果已登录用户已配置使用 TiDB 证书鉴权功能校验用户证书"？

[toutdesuite]

@lysu I will update logged-in user later. But Tom wants to confirm whether 如果登录用户已配置使用 TiDB 证书鉴权功能校验用户证书 means If the logged-in user has configured using the TiDB Certificate-Based Authentication for Login. Here the Chinese version is slightly different from the English version~ The English version omits 校验用户证书, since 校验用户证书 is implicit in the sentence

[lysu]

emmm~ I agree with you, we can omits "校验用户证书" :D

[toutdesuite]

@TomShawn Comments addressed. PTAL, thanks

[TomShawn]

LGTM

[sre-bot]

/run-all-tests

[sre-bot]

cherry pick to release-3.1 in PR #2548

[sre-bot]

cherry pick to release-4.0 in PR #2549