Description:
The manual states that setting tls_version to an empty string should disable TLS connections:
"If you set a TLS version parameter to the empty string, encrypted connections cannot be established ... * tls_version: The server does not permit encrypted incoming connections." - https://dev.mysql.com/doc/refman/8.4/en/encrypted-connection-protocols-ciphers.html
"Setting this variable to an empty string disables encrypted connections." - https://dev.mysql.com/doc/refman/8.4/en/server-system-variables.html#sysvar_tls_version
The tls_version variable is dynamic in MySQL 8.0.16+. However, after running this dynamically,
SET GLOBAL tls_version = '';
...TLS connections can still be established fine, and it does not seem to have any effect.
Other text on https://dev.mysql.com/doc/refman/8.4/en/encrypted-connection-protocols-ciphers.html is confusingly contradictory: one section says "To change the value of tls_version, set it at server startup" and then a few paragraphs later it says "tls_version can be changed at runtime". Possibly a documentation oversight from the 8.0.16 change.
How to repeat:
Run SET GLOBAL tls_version = '';
And then note that TLS connections can still be established, e.g. by running the mysql client with --ssl-mode=required, and/or by checking session status.
Suggested fix:
Dynamic setting of tls_version to an empty string should block subsequent encrypted connections, just like setting it at startup. Or, if it is not possible to disable this dynamically, the manual should reflect this, and ideally an error should be returned by this SET command in this situation.
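
The repeat steps above as a SQL session, added here as an example and not part of the original report: it compares the configured tls_version with the value held in the server's active TLS context, then checks a new session. It assumes MySQL 8.0.16 or later and an account allowed to set global variables; step 5 (ALTER INSTANCE RELOAD TLS) goes beyond the report's steps, and its result with an empty tls_version is left to observe.

```sql
-- Added example, not from the original report. Assumes MySQL 8.0.16+.

-- 1. Baseline: the configured value and the value in the active TLS context.
SHOW GLOBAL VARIABLES LIKE 'tls_version';
SHOW GLOBAL STATUS LIKE 'Current_tls_version';

-- 2. The statement from the report.
SET GLOBAL tls_version = '';

-- 3. Compare again. If the variable is now empty but Current_tls_version
--    still lists protocols, the active TLS context was not rebuilt.
SHOW GLOBAL VARIABLES LIKE 'tls_version';
SHOW GLOBAL STATUS LIKE 'Current_tls_version';

-- 4. Run these in a NEW client session started with --ssl-mode=required.
--    A non-empty Ssl_version and a CONNECTION_TYPE of SSL/TLS mean the
--    session is encrypted despite the empty tls_version.
SHOW SESSION STATUS LIKE 'Ssl_version';
SHOW SESSION STATUS LIKE 'Ssl_cipher';
SELECT CONNECTION_TYPE
  FROM performance_schema.threads
 WHERE PROCESSLIST_ID = CONNECTION_ID();

-- 5. Not in the report: ALTER INSTANCE RELOAD TLS reconfigures the TLS
--    context from the current values of the TLS system variables.
--    Run it, record any error it returns, then repeat steps 3 and 4.
ALTER INSTANCE RELOAD TLS;
SHOW GLOBAL STATUS LIKE 'Current_tls_version';
```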