diff --git a/defaults/main.yml b/defaults/main.yml
index 953a123b..dc03629b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -244,6 +244,8 @@ galera_ssl_verify: true
 galera_ssl_cert: /etc/ssl/certs/galera.pem
 galera_ssl_key: /etc/mysql/ssl/galera.key
 galera_ssl_ca_cert: /etc/ssl/certs/galera-ca.pem
+galera_require_secure_transport: false
+galera_tls_version: "TLSv1.2,TLSv1.3"
 
 ## These options should be specified in user_variables if necessary, otherwise self-signed certs are used.
 # galera_user_ssl_cert: /etc/openstack_deploy/self_signed_certs/galera.pem
diff --git a/releasenotes/notes/additional-tls-options-14b7e1a435581887.yaml b/releasenotes/notes/additional-tls-options-14b7e1a435581887.yaml
new file mode 100644
index 00000000..0c21ed92
--- /dev/null
+++ b/releasenotes/notes/additional-tls-options-14b7e1a435581887.yaml
@@ -0,0 +1,9 @@
+---
+upgrade:
+  - |
+    Additional variables are available when MariaDB is configured to use TLS,
+    enabled by setting ``galera_use_ssl`` to ``true``.
+    ``galera_require_secure_transport`` to require that all client connections
+    are encrypted, defaulting to false.
+    ``galera_tls_version`` to provide a list of accepted TLS protocols,
+    defaulting to 'TLSv1.2,TLSv1.3'.
diff --git a/templates/my.cnf.j2 b/templates/my.cnf.j2
index 338ebf19..210630e9 100644
--- a/templates/my.cnf.j2
+++ b/templates/my.cnf.j2
@@ -46,6 +46,8 @@ ssl
 ssl-ca = {{ galera_ssl_ca_cert }}
 ssl-cert = {{ galera_ssl_cert }}
 ssl-key = {{ galera_ssl_key }}
+require-secure-transport = {{ galera_require_secure_transport }}
+tls-version = {{ galera_tls_version }}
 {% endif %}
 
 # LOGGING
 #
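Review bot: The two new variables `galera_require_secure_transport` and `galera_tls_version` are added to defaults/main.yml without any comment, although this file is the role's documented surface and the surrounding block already annotates its variables (`## These options should be specified in user_variables ...`). Worth stating explicitly that with the default `false` the server still accepts plaintext client connections even when `galera_use_ssl` is true, so operators who want encryption enforced must opt in. Suggested lines above the two additions: `## Reject unencrypted client connections (MariaDB require_secure_transport); off by default so clients not yet using TLS keep working.` and `## Comma-separated TLS protocol versions the server accepts (MariaDB tls_version).`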
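Review bot: The two new `require-secure-transport` and `tls-version` lines in templates/my.cnf.j2 are emitted unconditionally whenever the enclosing `{% if %}` (which starts outside this hunk) is taken, and mysqld refuses to start on an unknown my.cnf option; both options were added in comparatively recent MariaDB releases, so if the role still supports older server versions these lines should be guarded by a version check or the supported range should be documented next to them. Separately, `{{ galera_require_secure_transport }}` renders the Ansible boolean as `False`/`True`, and a user overriding it with a string such as `"yes"` is passed through verbatim; rendering it as `require-secure-transport = {{ galera_require_secure_transport | bool | lower }}` normalises the value to `true`/`false`, which the server's boolean option parser accepts.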