WL#14582: Deprecate the use of TLS v1.0 and v1.1

Affects: Server-8.0   —   Status: Complete


Follow https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html the use of TLSv1.0 and TLSv1.1 should be deprecated.

MySQL Router uses TLS

  1. on the routing ports
  2. on http ports
  3. between router and metadata-servers

routing ports

TLSv1.0 and TLSv1.1 connections will fail at the router is accepting a TLS connection (client_ssl_mode=REQUIRED or PREFERRED).

When passing through the TLS connections to the server (client_ssl_mode=PASSTHROUGH) the router does not interfere with the TLS handshake and it is up to the server to allow/deny the TLS connection.

http ports

TLSv1.0 and TLSv1.1 connections fail.

between router and metadata servers

MySQL Router uses libmysqlclient to connect to the metadata servers.

The allowed TLS version for those connections is controlled via:


The allowed values of tls_version allow specifying TLSv1.0 and TLSv1.1.


  • deprecate the use of TLSv1.0 and TLSv1.1 in tls_version in [metadata_cache]
No new warnings are logged by the router if a TLSv1.0 or TLSv1.1 is established.