WL#13392: Support for TLS 1.3 in Asynchronous Replication

WL#12361: "Support TLS 1.3 in the server and libmysql" implemented
support for TLS 1.3 in the connections between MySQL clients and
servers. It includes the connections established through
asynchronous replication, which use the same library - libmysql,
that is, a slave server can establish its connection to a master
using TLS 1.3. Though the TLS 1.3 configuration was not implemented
on replication connections, there is no user interface to a DBA set
the allowed ciphersuites.

The DBA can now restrict the master server's TLS configuration to
TLS 1.3 and a single TLS 1.3 ciphersuite that is not enabled by
default, e.g., --tls-version=TLSv1.3 and
--tls-ciphersuites=TLS_AES_128_CCM_8_SHA256. Replication slaves
cannot connect to the master with such configurations.
This also breaks Group Replication incremental recovery since it
uses a asynchronous replication channel.

To allow such configuration this worklog will implement:
 1. MASTER_TLS_CIPHERSUITES option on CHANGE MASTER command;
 2. group_replication_recovery_tls_version plugin option;
 3. group_replication_recovery_tls_ciphersuites plugin option.

ReviewBoard: 22892

Author: nacarvalho

mysql-test/r/information_schema_keywords.result

@@ -335,6 +335,7 @@ MASTER_SSL_CRL	0
 MASTER_SSL_CRLPATH	0
 MASTER_SSL_KEY	0
 MASTER_SSL_VERIFY_SERVER_CERT	1
+MASTER_TLS_CIPHERSUITES	0
 MASTER_TLS_VERSION	0
 MASTER_USER	0
 MASTER_ZSTD_COMPRESSION_LEVEL	0

mysql-test/r/mysqldump.result

@@ -5326,6 +5326,7 @@ CREATE TABLE IF NOT EXISTS `slave_master_info` (
   `Network_namespace` text CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'Network namespace used for communication with the master server.',
   `Master_compression_algorithm` char(64) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL COMMENT 'Compression algorithm supported for data transfer between master and slave.',
   `Master_zstd_compression_level` int(10) unsigned NOT NULL COMMENT 'Compression level associated with zstd compression algorithm.',
+  `Tls_ciphersuites` text CHARACTER SET utf8 COLLATE utf8_bin COMMENT 'Ciphersuites used for TLS 1.3 communication with the master server.',
   PRIMARY KEY (`Channel_name`)
 ) /*!50100 TABLESPACE `mysql` */ ENGINE=InnoDB DEFAULT CHARSET=utf8 STATS_PERSISTENT=0 ROW_FORMAT=DYNAMIC COMMENT='Master Information';
 /*!40101 SET character_set_client = @saved_cs_client */;

mysql-test/r/rewrite_slow_log.result

@@ -17,6 +17,10 @@ SET PASSWORD FOR test_user2='azundris2' REPLACE 'azundris2';
 SET GLOBAL master_info_repository = 'TABLE';
 SET GLOBAL relay_log_info_repository = 'TABLE';
 CHANGE MASTER TO MASTER_PASSWORD='azundris3',
+MASTER_BIND = 'eth4n',
+MASTER_TLS_CIPHERSUITES = ''
+  FOR CHANNEL 'chan_jackie';
+CHANGE MASTER TO MASTER_PASSWORD='azundris3',
 MASTER_CONNECT_RETRY = 1, MASTER_HEARTBEAT_PERIOD = 1.01,
 MASTER_LOG_FILE = 'master_log_name', MASTER_LOG_POS = 0,
 MASTER_SSL = 0, MASTER_SSL_CA = 'ca_file_name',
@@ -25,6 +29,7 @@ MASTER_SSL_CERT = 'cert_file_name', MASTER_SSL_KEY = 'key_file_name',
 MASTER_SSL_CIPHER = 'cipher_list', MASTER_SSL_VERIFY_SERVER_CERT = 1,
 MASTER_SSL_CRL = 'crl_file_name', MASTER_SSL_CRLPATH = 'crl_directory_name',
 IGNORE_SERVER_IDS = (99,100), MASTER_TLS_VERSION = 'TLSv1.2',
+MASTER_TLS_CIPHERSUITES = NULL,
 MASTER_BIND = 'eth4n', MASTER_RETRY_COUNT = 7,
 MASTER_DELAY = 4711, MASTER_AUTO_POSITION = 0 FOR CHANNEL 'chan_jackie';
 RESET SLAVE ALL;
@@ -53,7 +58,8 @@ count(*)=1 OR count(*)=2
 1
 SELECT sql_text FROM test_log WHERE sql_text LIKE 'CHANGE MASTER TO MASTER_BIND %';
 sql_text
-CHANGE MASTER TO MASTER_BIND = 'eth4n', MASTER_PASSWORD = <secret>, MASTER_CONNECT_RETRY = 1, MASTER_RETRY_COUNT = 7, MASTER_DELAY = 4711, MASTER_HEARTBEAT_PERIOD = 1.010000, MASTER_LOG_FILE = 'master_log_name', MASTER_LOG_POS = 4, MASTER_AUTO_POSITION = 0, MASTER_SSL = 0, MASTER_SSL_CA = 'ca_file_name', MASTER_SSL_CAPATH = 'ca_directory_name', MASTER_SSL_CERT = 'cert_file_name', MASTER_SSL_CRL = 'crl_file_name', MASTER_SSL_CRLPATH = 'crl_directory_name', MASTER_SSL_KEY = 'key_file_name', MASTER_SSL_CIPHER = 'cipher_list', MASTER_SSL_VERIFY_SERVER_CERT = 1, MASTER_TLS_VERSION = 'TLSv1.2', IGNORE_SERVER_IDS = ( 99, 100 ) FOR CHANNEL 'chan_jackie';
+CHANGE MASTER TO MASTER_BIND = 'eth4n', MASTER_PASSWORD = <secret>, MASTER_TLS_CIPHERSUITES = '' FOR CHANNEL 'chan_jackie';
+CHANGE MASTER TO MASTER_BIND = 'eth4n', MASTER_PASSWORD = <secret>, MASTER_CONNECT_RETRY = 1, MASTER_RETRY_COUNT = 7, MASTER_DELAY = 4711, MASTER_HEARTBEAT_PERIOD = 1.010000, MASTER_LOG_FILE = 'master_log_name', MASTER_LOG_POS = 4, MASTER_AUTO_POSITION = 0, MASTER_SSL = 0, MASTER_SSL_CA = 'ca_file_name', MASTER_SSL_CAPATH = 'ca_directory_name', MASTER_SSL_CERT = 'cert_file_name', MASTER_SSL_CRL = 'crl_file_name', MASTER_SSL_CRLPATH = 'crl_directory_name', MASTER_SSL_KEY = 'key_file_name', MASTER_SSL_CIPHER = 'cipher_list', MASTER_SSL_VERIFY_SERVER_CERT = 1, MASTER_TLS_VERSION = 'TLSv1.2', MASTER_TLS_CIPHERSUITES = NULL, IGNORE_SERVER_IDS = ( 99, 100 ) FOR CHANNEL 'chan_jackie';
 SELECT count(*) FROM test_log WHERE sql_text LIKE 'SET PASSWORD %' AND sql_text LIKE '%<secret>%';
 count(*)
 3
@@ -63,7 +69,8 @@ count(*)=1 OR count(*)=2
 1
 SELECT sql_text FROM test_log WHERE sql_text LIKE 'CHANGE MASTER TO MASTER_BIND %';
 sql_text
-CHANGE MASTER TO MASTER_BIND = 'eth4n', MASTER_PASSWORD = <secret>, MASTER_CONNECT_RETRY = 1, MASTER_RETRY_COUNT = 7, MASTER_DELAY = 4711, MASTER_HEARTBEAT_PERIOD = 1.010000, MASTER_LOG_FILE = 'master_log_name', MASTER_LOG_POS = 4, MASTER_AUTO_POSITION = 0, MASTER_SSL = 0, MASTER_SSL_CA = 'ca_file_name', MASTER_SSL_CAPATH = 'ca_directory_name', MASTER_SSL_CERT = 'cert_file_name', MASTER_SSL_CRL = 'crl_file_name', MASTER_SSL_CRLPATH = 'crl_directory_name', MASTER_SSL_KEY = 'key_file_name', MASTER_SSL_CIPHER = 'cipher_list', MASTER_SSL_VERIFY_SERVER_CERT = 1, MASTER_TLS_VERSION = 'TLSv1.2', IGNORE_SERVER_IDS = ( 99, 100 ) FOR CHANNEL 'chan_jackie';
+CHANGE MASTER TO MASTER_BIND = 'eth4n', MASTER_PASSWORD = <secret>, MASTER_TLS_CIPHERSUITES = '' FOR CHANNEL 'chan_jackie';
+CHANGE MASTER TO MASTER_BIND = 'eth4n', MASTER_PASSWORD = <secret>, MASTER_CONNECT_RETRY = 1, MASTER_RETRY_COUNT = 7, MASTER_DELAY = 4711, MASTER_HEARTBEAT_PERIOD = 1.010000, MASTER_LOG_FILE = 'master_log_name', MASTER_LOG_POS = 4, MASTER_AUTO_POSITION = 0, MASTER_SSL = 0, MASTER_SSL_CA = 'ca_file_name', MASTER_SSL_CAPATH = 'ca_directory_name', MASTER_SSL_CERT = 'cert_file_name', MASTER_SSL_CRL = 'crl_file_name', MASTER_SSL_CRLPATH = 'crl_directory_name', MASTER_SSL_KEY = 'key_file_name', MASTER_SSL_CIPHER = 'cipher_list', MASTER_SSL_VERIFY_SERVER_CERT = 1, MASTER_TLS_VERSION = 'TLSv1.2', MASTER_TLS_CIPHERSUITES = NULL, IGNORE_SERVER_IDS = ( 99, 100 ) FOR CHANNEL 'chan_jackie';
 SELECT count(*) FROM test_log WHERE sql_text LIKE 'SET PASSWORD %' AND sql_text LIKE '%<secret>%';
 count(*)
 3

mysql-test/std_data/dd/sdi/innodb_sdi/mysql.json

@@ -36750,6 +36750,42 @@
                 "collation_id": X,
                 "is_explicit_collation": false
             },
+            {
+                "name": "Tls_ciphersuites",
+                "type": 27,
+                "is_nullable": true,
+                "is_zerofill": false,
+                "is_unsigned": false,
+                "is_auto_increment": false,
+                "is_virtual": false,
+                "hidden": 1,
+                "ordinal_position": 31,
+                "char_length": 65535,
+                "numeric_precision": 0,
+                "numeric_scale": 0,
+                "numeric_scale_null": true,
+                "datetime_precision": 0,
+                "datetime_precision_null": 1,
+                "has_no_default": false,
+                "default_value_null": true,
+                "srs_id_null": true,
+                "srs_id": 0,
+                "default_value": "",
+                "default_value_utf8_null": true,
+                "default_value_utf8": "",
+                "default_option": "",
+                "update_option": "",
+                "comment": "Ciphersuites used for TLS 1.3 communication with the master server.",
+                "generation_expression": "",
+                "generation_expression_utf8": "",
+                "options": "interval_count=0;",
+                "se_private_data": "table_id=X",
+                "column_key": 1,
+                "column_type_utf8": "text",
+                "elements": [],
+                "collation_id": X,
+                "is_explicit_collation": true
+            },
             {
                 "name": "DB_TRX_ID",
                 "type": 10,
@@ -36759,7 +36795,7 @@
                 "is_auto_increment": false,
                 "is_virtual": false,
                 "hidden": 2,
-                "ordinal_position": 31,
+                "ordinal_position": 32,
                 "char_length": 6,
                 "numeric_precision": 0,
                 "numeric_scale": 0,
@@ -36795,7 +36831,7 @@
                 "is_auto_increment": false,
                 "is_virtual": false,
                 "hidden": 2,
-                "ordinal_position": 32,
+                "ordinal_position": 33,
                 "char_length": 7,
                 "numeric_precision": 0,
                 "numeric_scale": 0,
@@ -36865,14 +36901,14 @@
                         "length": 4294967295,
                         "order": 2,
                         "hidden": true,
-                        "column_opx": 30
+                        "column_opx": 31
                     },
                     {
                         "ordinal_position": 3,
                         "length": 4294967295,
                         "order": 2,
                         "hidden": true,
-                        "column_opx": 31
+                        "column_opx": 32
                     },
                     {
                         "ordinal_position": 4,
@@ -37076,6 +37112,13 @@
                         "order": 2,
                         "hidden": true,
                         "column_opx": 29
+                    },
+                    {
+                        "ordinal_position": 33,
+                        "length": 4294967295,
+                        "order": 2,
+                        "hidden": true,
+                        "column_opx": 30
                     }
                 ],
                 "tablespace_ref": "mysql"

mysql-test/std_data/dd/sdi/upgrade/mysql.json

@@ -33743,6 +33743,42 @@
                 "collation_id": X,
                 "is_explicit_collation": false
             },
+            {
+                "name": "Tls_ciphersuites",
+                "type": 27,
+                "is_nullable": true,
+                "is_zerofill": false,
+                "is_unsigned": false,
+                "is_auto_increment": false,
+                "is_virtual": false,
+                "hidden": 1,
+                "ordinal_position": 31,
+                "char_length": 65535,
+                "numeric_precision": 0,
+                "numeric_scale": 0,
+                "numeric_scale_null": true,
+                "datetime_precision": 0,
+                "datetime_precision_null": 1,
+                "has_no_default": false,
+                "default_value_null": true,
+                "srs_id_null": true,
+                "srs_id": 0,
+                "default_value": "",
+                "default_value_utf8_null": true,
+                "default_value_utf8": "",
+                "default_option": "",
+                "update_option": "",
+                "comment": "Ciphersuites used for TLS 1.3 communication with the master server.",
+                "generation_expression": "",
+                "generation_expression_utf8": "",
+                "options": "interval_count=0;",
+                "se_private_data": "table_id=X",
+                "column_key": 1,
+                "column_type_utf8": "text",
+                "elements": [],
+                "collation_id": X,
+                "is_explicit_collation": true
+            },
             {
                 "name": "DB_TRX_ID",
                 "type": 10,
@@ -33752,7 +33788,7 @@
                 "is_auto_increment": false,
                 "is_virtual": false,
                 "hidden": 2,
-                "ordinal_position": 31,
+                "ordinal_position": 32,
                 "char_length": 6,
                 "numeric_precision": 0,
                 "numeric_scale": 0,
@@ -33788,7 +33824,7 @@
                 "is_auto_increment": false,
                 "is_virtual": false,
                 "hidden": 2,
-                "ordinal_position": 32,
+                "ordinal_position": 33,
                 "char_length": 7,
                 "numeric_precision": 0,
                 "numeric_scale": 0,
@@ -33858,14 +33894,14 @@
                         "length": 4294967295,
                         "order": 2,
                         "hidden": true,
-                        "column_opx": 30
+                        "column_opx": 31
                     },
                     {
                         "ordinal_position": 3,
                         "length": 4294967295,
                         "order": 2,
                         "hidden": true,
-                        "column_opx": 31
+                        "column_opx": 32
                     },
                     {
                         "ordinal_position": 4,
@@ -34069,6 +34105,13 @@
                         "order": 2,
                         "hidden": true,
                         "column_opx": 29
+                    },
+                    {
+                        "ordinal_position": 33,
+                        "length": 4294967295,
+                        "order": 2,
+                        "hidden": true,
+                        "column_opx": 30
                     }
                 ],
                 "tablespace_ref": "mysql"

mysql-test/suite/funcs_1/r/is_columns_mysql.result

@@ -163,6 +163,7 @@ def	mysql	slave_master_info	Get_public_key	27	NULL	NO	tinyint	NULL	NULL	3	0	NULL
 def	mysql	slave_master_info	Network_namespace	28	NULL	YES	text	65535	65535	NULL	NULL	NULL	utf8	utf8_bin	text			select,insert,update,references	Network namespace used for communication with the master server.		NULL
 def	mysql	slave_master_info	Master_compression_algorithm	29	NULL	NO	char	64	192	NULL	NULL	NULL	utf8	utf8_bin	char(64)			select,insert,update,references	Compression algorithm supported for data transfer between master and slave.		NULL
 def	mysql	slave_master_info	Master_zstd_compression_level	30	NULL	NO	int	NULL	NULL	10	0	NULL	NULL	NULL	int(10) unsigned			select,insert,update,references	Compression level associated with zstd compression algorithm.		NULL
+def	mysql	slave_master_info	Tls_ciphersuites	31	NULL	YES	text	65535	65535	NULL	NULL	NULL	utf8	utf8_bin	text			select,insert,update,references	Ciphersuites used for TLS 1.3 communication with the master server.		NULL
 def	mysql	slave_relay_log_info	Number_of_lines	1	NULL	NO	int	NULL	NULL	10	0	NULL	NULL	NULL	int(10) unsigned			select,insert,update,references	Number of lines in the file or rows in the table. Used to version table definitions.		NULL
 def	mysql	slave_relay_log_info	Relay_log_name	2	NULL	NO	text	65535	65535	NULL	NULL	NULL	utf8	utf8_bin	text			select,insert,update,references	The name of the current relay log file.		NULL
 def	mysql	slave_relay_log_info	Relay_log_pos	3	NULL	NO	bigint	NULL	NULL	20	0	NULL	NULL	NULL	bigint(20) unsigned			select,insert,update,references	The relay log position of the last executed event.		NULL
@@ -501,6 +502,7 @@ NULL	mysql	slave_master_info	Get_public_key	tinyint	NULL	NULL	NULL	NULL	tinyint(
 1.0000	mysql	slave_master_info	Network_namespace	text	65535	65535	utf8	utf8_bin	text
 3.0000	mysql	slave_master_info	Master_compression_algorithm	char	64	192	utf8	utf8_bin	char(64)
 NULL	mysql	slave_master_info	Master_zstd_compression_level	int	NULL	NULL	NULL	NULL	int(10) unsigned
+1.0000	mysql	slave_master_info	Tls_ciphersuites	text	65535	65535	utf8	utf8_bin	text
 NULL	mysql	slave_relay_log_info	Number_of_lines	int	NULL	NULL	NULL	NULL	int(10) unsigned
 1.0000	mysql	slave_relay_log_info	Relay_log_name	text	65535	65535	utf8	utf8_bin	text
 NULL	mysql	slave_relay_log_info	Relay_log_pos	bigint	NULL	NULL	NULL	NULL	bigint(20) unsigned

mysql-test/suite/group_replication/r/gr_perfschema.result

@@ -52,12 +52,13 @@ SSL_CRL_PATH
 CONNECTION_RETRY_INTERVAL	60
 CONNECTION_RETRY_COUNT	1
 HEARTBEAT_INTERVAL	30.000
-TLS_VERSION	
+TLS_VERSION	TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
 PUBLIC_KEY_PATH	
 GET_PUBLIC_KEY	NO
 NETWORK_NAMESPACE	
 COMPRESSION_ALGORITHM	uncompressed
 ZSTD_COMPRESSION_LEVEL	3
+TLS_CIPHERSUITES	NULL
 #group_replication_applier channel configuration
 SELECT * FROM performance_schema.replication_connection_configuration WHERE channel_name LIKE "group_replication_applier";
 CHANNEL_NAME	group_replication_applier
@@ -84,6 +85,7 @@ GET_PUBLIC_KEY	NO
 NETWORK_NAMESPACE	
 COMPRESSION_ALGORITHM	uncompressed
 ZSTD_COMPRESSION_LEVEL	3
+TLS_CIPHERSUITES	NULL
 
 SELECT * FROM performance_schema.replication_connection_status WHERE channel_name = "group_replication_applier";
 CHANNEL_NAME	group_replication_applier
@@ -186,12 +188,13 @@ SSL_CRL_PATH
 CONNECTION_RETRY_INTERVAL	60
 CONNECTION_RETRY_COUNT	1
 HEARTBEAT_INTERVAL	30.000
-TLS_VERSION	
+TLS_VERSION	TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
 PUBLIC_KEY_PATH	
 GET_PUBLIC_KEY	NO
 NETWORK_NAMESPACE	
 COMPRESSION_ALGORITHM	uncompressed
 ZSTD_COMPRESSION_LEVEL	3
+TLS_CIPHERSUITES	NULL
 #group_replication_applier channel configuration
 SELECT * FROM performance_schema.replication_connection_configuration WHERE channel_name LIKE "group_replication_applier";
 CHANNEL_NAME	group_replication_applier
@@ -218,6 +221,7 @@ GET_PUBLIC_KEY	NO
 NETWORK_NAMESPACE	
 COMPRESSION_ALGORITHM	uncompressed
 ZSTD_COMPRESSION_LEVEL	3
+TLS_CIPHERSUITES	NULL
 
 SELECT * FROM performance_schema.replication_connection_status WHERE channel_name = "group_replication_applier";
 CHANNEL_NAME	group_replication_applier

mysql-test/suite/group_replication/r/gr_perfschema_parallel_applier.result

@@ -62,6 +62,7 @@ GET_PUBLIC_KEY	NO
 NETWORK_NAMESPACE	
 COMPRESSION_ALGORITHM	uncompressed
 ZSTD_COMPRESSION_LEVEL	3
+TLS_CIPHERSUITES	NULL
 
 SELECT * FROM performance_schema.replication_connection_status WHERE channel_name = "group_replication_applier";
 CHANNEL_NAME	group_replication_applier
@@ -260,6 +261,7 @@ GET_PUBLIC_KEY	NO
 NETWORK_NAMESPACE	
 COMPRESSION_ALGORITHM	uncompressed
 ZSTD_COMPRESSION_LEVEL	3
+TLS_CIPHERSUITES	NULL
 
 SELECT * FROM performance_schema.replication_connection_status WHERE channel_name = "group_replication_applier";
 CHANNEL_NAME	group_replication_applier

mysql-test/suite/group_replication/r/gr_persist_only_variables.result

@@ -66,6 +66,8 @@ SET PERSIST_ONLY group_replication_recovery_ssl_crl = @@GLOBAL.group_replication
 SET PERSIST_ONLY group_replication_recovery_ssl_crlpath = @@GLOBAL.group_replication_recovery_ssl_crlpath;
 SET PERSIST_ONLY group_replication_recovery_ssl_key = @@GLOBAL.group_replication_recovery_ssl_key;
 SET PERSIST_ONLY group_replication_recovery_ssl_verify_server_cert = @@GLOBAL.group_replication_recovery_ssl_verify_server_cert;
+SET PERSIST_ONLY group_replication_recovery_tls_ciphersuites = @@GLOBAL.group_replication_recovery_tls_ciphersuites;
+SET PERSIST_ONLY group_replication_recovery_tls_version = @@GLOBAL.group_replication_recovery_tls_version;
 SET PERSIST_ONLY group_replication_recovery_use_ssl = @@GLOBAL.group_replication_recovery_use_ssl;
 SET PERSIST_ONLY group_replication_recovery_zstd_compression_level = @@GLOBAL.group_replication_recovery_zstd_compression_level;
 SET PERSIST_ONLY group_replication_single_primary_mode = @@GLOBAL.group_replication_single_primary_mode;
@@ -74,7 +76,7 @@ SET PERSIST_ONLY group_replication_start_on_boot = @@GLOBAL.group_replication_st
 SET PERSIST_ONLY group_replication_transaction_size_limit = @@GLOBAL.group_replication_transaction_size_limit;
 SET PERSIST_ONLY group_replication_unreachable_majority_timeout = @@GLOBAL.group_replication_unreachable_majority_timeout;
 
-include/assert.inc ['Expect 53 persisted variables.']
+include/assert.inc ['Expect 55 persisted variables.']
 
 ############################################################
 # 2. Restart server, it must bootstrap the group and preserve
@@ -83,8 +85,8 @@ include/assert.inc ['Expect 53 persisted variables.']
 include/rpl_reconnect.inc
 include/gr_wait_for_member_state.inc
 
-include/assert.inc ['Expect 53 persisted variables in persisted_variables table.']
-include/assert.inc ['Expect 53 persisted variables shown as PERSISTED in variables_info table.']
+include/assert.inc ['Expect 55 persisted variables in persisted_variables table.']
+include/assert.inc ['Expect 55 persisted variables shown as PERSISTED in variables_info table.']
 include/assert.inc ['Expect 45 persisted variables with matching persisted and global values.']
 
 ############################################################
@@ -136,6 +138,8 @@ RESET PERSIST IF EXISTS group_replication_recovery_ssl_crl;
 RESET PERSIST IF EXISTS group_replication_recovery_ssl_crlpath;
 RESET PERSIST IF EXISTS group_replication_recovery_ssl_key;
 RESET PERSIST IF EXISTS group_replication_recovery_ssl_verify_server_cert;
+RESET PERSIST IF EXISTS group_replication_recovery_tls_ciphersuites;
+RESET PERSIST IF EXISTS group_replication_recovery_tls_version;
 RESET PERSIST IF EXISTS group_replication_recovery_use_ssl;
 RESET PERSIST IF EXISTS group_replication_recovery_zstd_compression_level;
 RESET PERSIST IF EXISTS group_replication_single_primary_mode;