diff --git a/br/pkg/lightning/restore/BUILD.bazel b/br/pkg/lightning/restore/BUILD.bazel
index ef5aeb106585b..2b34396fe4b68 100644
--- a/br/pkg/lightning/restore/BUILD.bazel
+++ b/br/pkg/lightning/restore/BUILD.bazel
@@ -43,6 +43,7 @@ go_library(
         "//br/pkg/utils",
         "//br/pkg/version",
         "//br/pkg/version/build",
+        "//config",
         "//ddl",
         "//errno",
         "//kv",
@@ -76,6 +77,7 @@ go_library(
         "@com_github_pingcap_kvproto//pkg/import_sstpb",
         "@com_github_pingcap_kvproto//pkg/metapb",
         "@com_github_pingcap_tipb//go-tipb",
+        "@com_github_tikv_client_go_v2//config",
         "@com_github_tikv_client_go_v2//oracle",
         "@com_github_tikv_pd_client//:client",
         "@io_etcd_go_etcd_client_v3//:client",
@@ -159,6 +161,7 @@ go_test(
         "@com_github_pingcap_tipb//go-tipb",
         "@com_github_stretchr_testify//require",
         "@com_github_stretchr_testify//suite",
+        "@com_github_tikv_client_go_v2//config",
         "@com_github_tikv_client_go_v2//oracle",
         "@com_github_tikv_pd_client//:client",
         "@com_github_xitongsys_parquet_go//writer",
diff --git a/br/pkg/lightning/restore/restore.go b/br/pkg/lightning/restore/restore.go
index 9753156f9e5e9..e6c2406577a52 100644
--- a/br/pkg/lightning/restore/restore.go
+++ b/br/pkg/lightning/restore/restore.go
@@ -54,6 +54,7 @@ import (
 	"github.com/pingcap/tidb/br/pkg/utils"
 	"github.com/pingcap/tidb/br/pkg/version"
 	"github.com/pingcap/tidb/br/pkg/version/build"
+	tidbconfig "github.com/pingcap/tidb/config"
 	tidbkv "github.com/pingcap/tidb/kv"
 	"github.com/pingcap/tidb/meta/autoid"
 	"github.com/pingcap/tidb/parser/model"
@@ -63,6 +64,7 @@ import (
 	"github.com/pingcap/tidb/util/mathutil"
 	regexprrouter "github.com/pingcap/tidb/util/regexpr-router"
 	"github.com/pingcap/tidb/util/set"
+	tikvconfig "github.com/tikv/client-go/v2/config"
 	pd "github.com/tikv/pd/client"
 	"go.uber.org/atomic"
 	"go.uber.org/multierr"
@@ -353,6 +355,7 @@ func NewRestoreControllerWithPauser(
 			}
 		}
 
+		initGlobalConfig(tls.ToTiKVSecurityConfig())
 		backend, err = local.NewLocalBackend(ctx, tls, cfg, p.Glue, maxOpenFiles, errorMgr)
 		if err != nil {
 			return nil, common.NormalizeOrWrapErr(common.ErrUnknown, err)
@@ -2825,3 +2828,18 @@ func openReader(ctx context.Context, fileMeta mydump.SourceFileMeta, store stora
 	}
 	return
 }
+
+// check store liveness of tikv client-go requires GlobalConfig to work correctly, so we need to init it,
+// else tikv will report SSL error when tls is enabled.
+// and the SSL error seems affects normal logic of newer TiKV version, and cause the error "tikv: region is unavailable"
+// during checksum.
+// todo: DM relay on lightning physical mode too, but client-go doesn't support passing TLS data as bytes,
+func initGlobalConfig(secCfg tikvconfig.Security) {
+	if secCfg.ClusterSSLCA != "" || secCfg.ClusterSSLCert != "" {
+		conf := tidbconfig.GetGlobalConfig()
+		conf.Security.ClusterSSLCA = secCfg.ClusterSSLCA
+		conf.Security.ClusterSSLCert = secCfg.ClusterSSLCert
+		conf.Security.ClusterSSLKey = secCfg.ClusterSSLKey
+		tidbconfig.StoreGlobalConfig(conf)
+	}
+}
diff --git a/br/pkg/lightning/restore/restore_test.go b/br/pkg/lightning/restore/restore_test.go
index 82613b64fe662..88eeb137c5a1a 100644
--- a/br/pkg/lightning/restore/restore_test.go
+++ b/br/pkg/lightning/restore/restore_test.go
@@ -40,6 +40,7 @@ import (
 	tmock "github.com/pingcap/tidb/util/mock"
 	router "github.com/pingcap/tidb/util/table-router"
 	"github.com/stretchr/testify/require"
+	tikvconfig "github.com/tikv/client-go/v2/config"
 )
 
 func TestNewTableRestore(t *testing.T) {
@@ -422,3 +423,29 @@ func TestFilterColumns(t *testing.T) {
 		require.Equal(t, expectedDatums, extendDatums)
 	}
 }
+
+func TestInitGlobalConfig(t *testing.T) {
+	require.Empty(t, tikvconfig.GetGlobalConfig().Security.ClusterSSLCA)
+	require.Empty(t, tikvconfig.GetGlobalConfig().Security.ClusterSSLCert)
+	require.Empty(t, tikvconfig.GetGlobalConfig().Security.ClusterSSLKey)
+	initGlobalConfig(tikvconfig.Security{})
+	require.Empty(t, tikvconfig.GetGlobalConfig().Security.ClusterSSLCA)
+	require.Empty(t, tikvconfig.GetGlobalConfig().Security.ClusterSSLCert)
+	require.Empty(t, tikvconfig.GetGlobalConfig().Security.ClusterSSLKey)
+
+	initGlobalConfig(tikvconfig.Security{
+		ClusterSSLCA: "ca",
+	})
+	require.NotEmpty(t, tikvconfig.GetGlobalConfig().Security.ClusterSSLCA)
+	require.Empty(t, tikvconfig.GetGlobalConfig().Security.ClusterSSLCert)
+	require.Empty(t, tikvconfig.GetGlobalConfig().Security.ClusterSSLKey)
+
+	initGlobalConfig(tikvconfig.Security{})
+	initGlobalConfig(tikvconfig.Security{
+		ClusterSSLCert: "cert",
+		ClusterSSLKey:  "key",
+	})
+	require.Empty(t, tikvconfig.GetGlobalConfig().Security.ClusterSSLCA)
+	require.NotEmpty(t, tikvconfig.GetGlobalConfig().Security.ClusterSSLCert)
+	require.NotEmpty(t, tikvconfig.GetGlobalConfig().Security.ClusterSSLKey)
+}