- Added two new connection options, evaluated during the TLS handshake, that restrict the negotiated TLS protocols and ciphers. Settings on the server can further restrict the final choices. tls-versions determines the permitted TLS protocol versions; tls-ciphersuites determines the permitted cipher suites. These definitions are comma-separated, and accepted by getSession() and getClient().

  - tls-versions: Accepts one or more of the following: TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3. Other values generate an error.
  - tls-ciphersuites: Accepts IANA cipher suite names, as listed at TLS Cipher Suites. Unsupported or unknown values are ignored.

  The following examples demonstrate both plain JavaScript and JSON configuration object formats:

      // tls versions
      mysqlx.getSession('mysqlx://root@localhost?tls-versions=[TLSv1,TLSv1.1,TLSv1.2,TLSv1.3]')
      mysqlx.getSession({ user: 'root', tls: { versions: ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'] } })

      // tls cipher suites
      mysqlx.getSession('mysqlx://root@localhost?tls-ciphersuites=[DHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES256-SHA256]')
      mysqlx.getSession({ user: 'root', tls: { ciphersuites: ['DHE-RSA-AES128-GCM-SHA256', 'DHE-RSA-AES256-SHA256'] } })

(WL #12738)
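
An added example (not from the release notes or the connector's code): a pre-flight check that reads tls-versions and tls-ciphersuites from a connection URI, applies the error/ignore rules stated above, and reports what a local policy would strip before the URI reaches getSession(). The helper names, the TLSv1.2 floor and the approved-suite list are assumptions made for illustration.

```javascript
// Added example: pre-flight check of a mysqlx URI before calling getSession().
// Values tls-versions accepts, per the release note, oldest first.
const KNOWN_VERSIONS = ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'];
// Assumption: local policy floor, not a connector default.
const POLICY_MIN = 'TLSv1.2';
// Assumption: site-approved IANA cipher suite names (constructed list).
const APPROVED_SUITES = new Set([
  'TLS_AES_128_GCM_SHA256',
  'TLS_AES_256_GCM_SHA384',
  'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
  'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
]);

// Turn "[a,b,c]" (URI form) into ['a', 'b', 'c']; null or empty gives [].
function parseList(value) {
  return (value || '').replace(/^\[|\]$/g, '').split(',')
    .map((s) => s.trim()).filter(Boolean);
}

// Hypothetical helper: returns a config fragment in the page's
// { tls: { versions, ciphersuites } } shape plus the suites it dropped.
function checkTlsOptions(uri) {
  const params = new URL(uri).searchParams;
  const versions = parseList(params.get('tls-versions'));
  const suites = parseList(params.get('tls-ciphersuites'));

  // Mirror the documented rule: an unknown version is an error.
  const unknown = versions.filter((v) => !KNOWN_VERSIONS.includes(v));
  if (unknown.length) throw new Error(`unknown TLS version: ${unknown.join(', ')}`);

  // Policy: strip anything below the floor; fail closed if nothing is left.
  const floor = KNOWN_VERSIONS.indexOf(POLICY_MIN);
  const keptVersions = versions.filter((v) => KNOWN_VERSIONS.indexOf(v) >= floor);
  if (versions.length && !keptVersions.length) {
    throw new Error(`no TLS version at or above ${POLICY_MIN}`);
  }

  // The connector ignores unknown suites, so surface them here instead.
  const keptSuites = suites.filter((s) => APPROVED_SUITES.has(s));
  const dropped = suites.filter((s) => !APPROVED_SUITES.has(s));
  if (suites.length && !keptSuites.length) {
    throw new Error('no approved cipher suite in tls-ciphersuites');
  }
  const tls = {};
  if (keptVersions.length) tls.versions = keptVersions;
  if (keptSuites.length) tls.ciphersuites = keptSuites;
  return { config: { tls }, dropped };
}
```

The returned config fragment can be merged with the user and host fields of a configuration object; logging the dropped list makes a silently ignored suite name visible.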
- For X DevAPI applications, when creating a new connection, if the connection specification contains several target hosts with no assigned priority, the failover logic now behaves as if all those target hosts had the same priority. That is, the next candidate for making a connection is chosen randomly from the remaining available hosts. If two hosts have the same priority then one is chosen at random. (WL #13546)