MDEV-25418 rsync SST does not work with stunnel encryption

1. Fix eval command line to correctly pass stunnel option to rsync on donor.
2. Deprecate `tkey`, `tcert` and `tca` options in [sst] section in favor of
   conventional `ssl-key`, `ssl-cert` and `ssl-ca`, but keep their precedence
   for backward compatibility.
3. Default to require SSL encryption if at least SSL key and cert files are
   specified in configuration, either in [sst] or [mysqld] sections.
4. Enable `verify*` option for stunnel on donor only if
   a. CA file is specified somewhere in the configuration
   b. it is explicitly requested in [sst] section by either specifying
   ssl-mode or CA file there. In this case if ssl-mode is not explicitly
   given, it defaults to VERIFY_CA.

   ssl-mode maps to stunnel options as follows:
   VERIFY_CA       -> verifyChain = yes
   VERIFY_IDENTITY -> verifyPeer = yes

   Example to require donor to verify joiner identity:
```
[mysqld]
ssl-cert=/path/to/cert
ssl-key=/path/to/key
ssl-ca=/path/to/ca

[sst]
ssl-mode=VERIFY_IDENTITY
```
5. If SSL verification is requested, joiner verifies donor by checking the
   secret passed to donor via SST request.

Signed-off-by: Julius Goryavsky <julius.goryavsky@mariadb.com>

1 files changed, 15 insertions, 0 deletions

diff --git a/mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_key.cnf b/mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_key.cnf
new file mode 100644
index 00000000000..f131088f582
--- /dev/null
+++ b/mysql-test/suite/galera/t/galera_sst_rsync_encrypt_with_key.cnf
@@ -0,0 +1,15 @@
+!include ../galera_2nodes.cnf
+
+[mysqld]
+wsrep_sst_method=rsync
+
+[sst]
+tkey=@ENV.MYSQL_TEST_DIR/std_data/server-key.pem
+tcert=@ENV.MYSQL_TEST_DIR/std_data/server-cert.pem
+
+[mysqld.1]
+wsrep_provider_options='base_port=@mysqld.1.#galera_port;gcache.size=1;pc.ignore_sb=true'
+
+[mysqld.2]
+wsrep_provider_options='base_port=@mysqld.2.#galera_port;gcache.size=1;pc.ignore_sb=true'
+