diff --git a/SOURCES/README.wsrep_sst_rsync_tunnel b/SOURCES/README.wsrep_sst_rsync_tunnel
new file mode 100644
index 0000000..0222b34
--- /dev/null
+++ b/SOURCES/README.wsrep_sst_rsync_tunnel
@@ -0,0 +1,132 @@
+socat tunnel for encrypted rsync SST
+====================================
+
+`wsrep_sst_rsync_tunnel` is an extension of the rsync-based [SST](http://galeracluster.com/documentation-webpages/glossary.html#term-state-snapshot-transfer)
+implementation that ships with mariadb. Its purpose is to encrypt
+communication between the donor and the joiner during an SST.
+
+Encryption is implemented by means of a socat tunnel, using OPENSSL
+addresses. It can be configured via the regular openssl flags exposed
+by socat.
+
+
+## How to configure the script
+
+This SST script can configured by setting a few keys in your favorite
+mariadb option file in addition to the usual galera settings.
+
+    [mysqld]
+    ...
+    bind_address=<node-name>
+    wsrep_sst_method=rsync_tunnel
+    ...
+    
+    [sst]
+    tca=/path/to/your/ca-file.crt
+    tcert=/path/to/node/certificate.crt
+    tkey=/path/to/node/key.key
+    sockopt=<openssl-address-options-as-per-socat-manual>
+
+When a joiner node requests an SST, `wsrep_sst_rsync_tunnel` uses
+socat to listen to incoming SSL connections on port 4444 in lieu of
+the original rsync daemon. Received data will be forwarded to the
+rscynd daemon started locally to replicate the database.
+
+When a donor node serves the SST, `wsrep_sst_rsync_tunnel` makes
+a series of rsync calls that target a locally started socat daemon.
+The daemon tunnels all rsync traffic into an encrypted SSL connection
+that targets the joiner's end of the socat tunnel.
+
+Encryption parameters are specified under the `[sst]` group in the
+mariadb option file, where `tkey` and `tcert` are respectively the key
+and the certificate that are used by both sides of the socat tunnel.
+Each node typically has a different key and cert. Both key and
+certificate can be combined into a single PEM file and referenced by
+`tcert`. Option `tca` holds a list of the trusted signing
+certificates.
+
+In case you need to tweak the creation of the SSL connection, you can
+pass valid socat options (as per socat manual) via the `sockopt` key.
+For debugging purpose, the exact socat command that is being executed
+shows up in the mariadb log file.
+
+Note that socat verifies that the certificate's commonName matches
+that of the host that is being targeted. The target name comes from
+the value configured in `bind_address`, so it's important that it
+matches the certificate's commonName. An IP address can be used for
+`bind_address`, but you may get into trouble in case different
+hostnames resolve to the same IP (e.g. multiple networks per host).
+
+
+## Examples of use
+
+Suppose you're running a 3-node galera cluster
+`node1.my.cluster`, `node2.my.cluster`, `node3.my.cluster`.
+
+### Scenario: using self-signed certificates
+
+On each node, create a key and a certificate, and bundle them into a
+single PEM file. For instance on `node1.my.cluster`:
+
+    openssl genrsa -out /tls/mysql-$(hostname -f).key 2048
+    openssl req -new -key /tls/mysql-$(hostname -f).key -x509 -days 365000 -subj "/CN=$(hostname -f)" -out /tls/mysql-$(hostname -f).crt -batch
+    cat /tls/mysql-$(hostname -f).key /tls/mysql-$(hostname -f).crt > /tls/mysql.pem
+
+Then, on each node, create a cafile that will contain all the certs to
+trust:
+
+    for n in node1.my.cluster node2.my.cluster node3.my.cluster; do
+       ssh $n 'cat /tls/mysql-$(hostname -f).crt' >> /tls/all-mysql.crt
+    done
+
+Once you have those two files on each host, you can configure the SST
+appropriately. For instance from `/etc/my.cnf.d/galera.cnf`:
+
+    [mysqld]
+    ...
+    
+    [sst]
+    tca=/tls/all-mysql.crt
+    tcert=/tls/mysql.pem
+
+### Scenario: using self-signed certificates, without verification
+
+By default, when socat tries to establish a SSL connection to a peer,
+it also verifies that it can trust the peer's certificate. If for some
+reason you need to disable that feature, you can amend the previous
+configuration with a sockopt option:
+
+    [mysqld]
+    ...
+    
+    [sst]
+    tca=/tls/all-mysql.crt
+    tcert=/tls/mysql.pem
+    sockopt="verify=0"
+
+The associated sockopt value is passed to socat when
+the donor or the joiner configures his part of the tunnel.
+
+Note: please do not do so in production, this is inherently insecure
+as you will not verify the identity of the peer you're connecting to!
+
+### Scenario: using certificates from a CA
+
+Suppose you have a FreeIPA service which generated a key file and a
+certificate file for the three galera nodes, respectively located at
+/tls/mysql.key and /tls/mysql.crt.
+
+Assuming that the certificate for the FreeIPA server is available at
+/etc/ipa/ca.crt, you can configure you galera servers as follows:
+
+    [sst]
+    tca=/etc/ipa/ca.crt
+    tcert=/tls/mysql.crt
+    tkey=/tls/mysql.key
+
+## License
+
+Copyright © 2017 [Damien Ciabrini](https://github.com/dciabrin).
+This work is derived from the original `wsrep_rsync_sst`, copyright
+© 2010-2014 [Codership Oy](https://github.com/codership).
+Released under the GNU GPLv2.
diff --git a/SOURCES/wsrep_sst_rsync_tunnel b/SOURCES/wsrep_sst_rsync_tunnel
new file mode 100644
index 0000000..f537249
--- /dev/null
+++ b/SOURCES/wsrep_sst_rsync_tunnel
@@ -0,0 +1,492 @@
+#!/bin/bash -ue
+
+# Copyright (C) 2010-2014 Codership Oy
+# Copyright (C) 2017-2020 Damien Ciabrini <damien.ciabrini@gmail.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; see the file COPYING. If not, write to the
+# Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston
+# MA  02110-1301  USA.
+
+# This is a reference script for rsync-based state snapshot tansfer
+# over an encrypted communication channel, managed by socat
+
+RSYNC_PID=                                      # rsync pid file
+RSYNC_CONF=                                     # rsync configuration file
+RSYNC_REAL_PID=                                 # rsync process id
+
+SOCAT_PID=                                      # socat pid file
+SOCAT_REAL_PID=                                 # socat process id
+
+SOCAT_OPTS=                                     # openssl connection args
+
+MODULE="rsync_tunnel_sst"
+
+OS=$(uname)
+[ "$OS" == "Darwin" ] && export -n LD_LIBRARY_PATH
+
+# Setting the path for lsof on CentOS
+export PATH="/usr/sbin:/sbin:$PATH"
+
+. $(dirname $0)/wsrep_sst_common
+
+wsrep_check_programs rsync socat
+
+cleanup_pid()
+{
+    local real_pid=$1
+    [ "0" != "$real_pid" ]            && \
+    kill $real_pid                    && \
+    sleep 0.5                         && \
+    kill -9 $real_pid >/dev/null 2>&1 || \
+    :
+}
+
+cleanup_tunnel()
+{
+    if [ -n "$SOCAT_REAL_PID" ] && ps -p "$SOCAT_REAL_PID" >/dev/null 2>&1; then
+	wsrep_log_info "cleanup socat PID: $SOCAT_REAL_PID"
+	cleanup_pid $SOCAT_REAL_PID
+    fi
+    rm -rf "$SOCAT_PID"
+}
+
+cleanup_joiner()
+{
+    wsrep_log_info "Joiner cleanup. rsync PID: $RSYNC_REAL_PID"
+    [ -n "$RSYNC_REAL_PID" ] && cleanup_pid $RSYNC_REAL_PID
+    rm -rf "$RSYNC_CONF"
+    rm -rf "$MAGIC_FILE"
+    rm -rf "$RSYNC_PID"
+
+    cleanup_tunnel
+
+    wsrep_log_info "Joiner cleanup done."
+    if [ "${WSREP_SST_OPT_ROLE}" = "joiner" ];then
+        wsrep_cleanup_progress_file
+    fi
+}
+
+# Check whether process is still running.
+check_pid()
+{
+    local pid_file=$1
+    [ -r "$pid_file" ] && ps -p $(cat $pid_file) >/dev/null 2>&1
+}
+
+check_pid_and_port()
+{
+    local pid_file=$1
+    local service_pid=$2
+    local service_port=$3
+    local service_host=$4
+    local service_name=$5
+
+    if ! which lsof > /dev/null; then
+      wsrep_log_error "lsof tool not found in PATH! Make sure you have it installed."
+      exit 2 # ENOENT
+    fi
+
+    local port_info=$(lsof -i "@"$service_host:$service_port -Pn 2>/dev/null | \
+        grep "(LISTEN)")
+    local is_service=$(echo $port_info | \
+        grep -w '^'"$service_name"'[[:space:]]\+'"$service_pid" 2>/dev/null)
+
+    if [ -n "$port_info" -a -z "$is_service" ]; then
+        wsrep_log_error "$service_name daemon port '$service_port' has been taken"
+        exit 16 # EBUSY
+    fi
+
+    if ! check_pid $pid_file; then
+        wsrep_log_error "$service_name process terminated unexpectedly"
+        exit 10 # ECHILD
+    fi
+
+    [ -n "$port_info" ] && [ -n "$is_service" ] && \
+        [ $(cat $pid_file) -eq $service_pid ]
+}
+
+config_from_cnf()
+{
+    local group=$1
+    local key=$2
+    echo $($MY_PRINT_DEFAULTS $group | grep -- "--$key=" | cut -d= -f2- | tail -1)
+}
+
+setup_tunnel_args()
+{
+    tca=$(config_from_cnf sst tca)
+    tkey=$(config_from_cnf sst tkey)
+    tcert=$(config_from_cnf sst tcert)
+    sockopt=$(config_from_cnf sst sockopt)
+
+    if [ -z "$tcert" ]; then
+        wsrep_log_error "Encryption certificate not found in my.cnf"
+        exit 3
+    else
+        SOCAT_OPTS="cert=$tcert"
+    fi
+    [ -n "$tkey" ] && SOCAT_OPTS="$SOCAT_OPTS,key=$tkey"
+    [ -n "$tca" ] && SOCAT_OPTS="$SOCAT_OPTS,cafile=$tca"
+    wsrep_log_info "Encryption setting to be used for socat tunnel: $SOCAT_OPTS"
+
+    [ -n "$sockopt" ] && SOCAT_OPTS="$SOCAT_OPTS,$sockopt"
+}
+
+MAGIC_FILE="$WSREP_SST_OPT_DATA/rsync_tunnel_sst_complete"
+rm -rf "$MAGIC_FILE"
+
+BINLOG_TAR_FILE="$WSREP_SST_OPT_DATA/wsrep_sst_binlog.tar"
+BINLOG_N_FILES=1
+rm -f "$BINLOG_TAR_FILE" || :
+
+if ! [ -z $WSREP_SST_OPT_BINLOG ]
+then
+    BINLOG_DIRNAME=$(dirname $WSREP_SST_OPT_BINLOG)
+    BINLOG_FILENAME=$(basename $WSREP_SST_OPT_BINLOG)
+fi
+
+WSREP_LOG_DIR=${WSREP_LOG_DIR:-""}
+# if WSREP_LOG_DIR env. variable is not set, try to get it from my.cnf
+if [ -z "$WSREP_LOG_DIR" ]; then
+    WSREP_LOG_DIR=$($MY_PRINT_DEFAULTS --mysqld \
+                    | grep -- '--innodb[-_]log[-_]group[-_]home[-_]dir=' \
+                    | cut -b 29- )
+fi
+
+if [ -n "$WSREP_LOG_DIR" ]; then
+    # handle both relative and absolute paths
+    WSREP_LOG_DIR=$(cd $WSREP_SST_OPT_DATA; mkdir -p "$WSREP_LOG_DIR"; cd $WSREP_LOG_DIR; pwd -P)
+else
+    # default to datadir
+    WSREP_LOG_DIR=$(cd $WSREP_SST_OPT_DATA; pwd -P)
+fi
+
+# Old filter - include everything except selected
+# FILTER=(--exclude '*.err' --exclude '*.pid' --exclude '*.sock' \
+#         --exclude '*.conf' --exclude core --exclude 'galera.*' \
+#         --exclude grastate.txt --exclude '*.pem' \
+#         --exclude '*.[0-9][0-9][0-9][0-9][0-9][0-9]' --exclude '*.index')
+
+# New filter - exclude everything except dirs (schemas) and innodb files
+FILTER=(-f '- /lost+found' -f '- /.fseventsd' -f '- /.Trashes'
+        -f '+ /wsrep_sst_binlog.tar' -f '+ /ib_lru_dump' -f '+ /ibdata*' -f '+ /*/' -f '- /*')
+
+SOCAT_PID="$WSREP_SST_OPT_DATA/$MODULE-socat.pid"
+
+if check_pid $SOCAT_PID
+then
+    wsrep_log_error "socat tunnel already running."
+    exit 114 # EALREADY
+fi
+rm -rf "$SOCAT_PID"
+
+setup_tunnel_args
+
+if [ "$WSREP_SST_OPT_ROLE" = "donor" ]
+then
+
+    SOCAT_JOINER_ADDR=$(echo $WSREP_SST_OPT_ADDR | awk -F'/' '{print $1}')
+    # map to name in case we received an IP
+    SOCAT_JOINER_HOST=$(getent hosts $SOCAT_JOINER_ADDR | awk '{ print $2 }')
+    if [ -z "$SOCAT_JOINER_HOST" ]; then
+        SOCAT_JOINER_HOST=$SOCAT_JOINER_ADDR
+    fi
+    SOCAT_PORT=$(echo $SOCAT_JOINER_ADDR | awk -F ':' '{ print $2 }')
+    if [ -z "$SOCAT_PORT" ]
+    then
+        SOCAT_PORT=4444
+    fi
+    TARGET_ADDR=localhost:$SOCAT_PORT/$MODULE
+
+    trap cleanup_tunnel EXIT
+
+    # Socat forwards rsync connections to the joiner
+    SOCAT_SRC=tcp-listen:$SOCAT_PORT,bind=localhost,reuseaddr,fork
+    SOCAT_DST=openssl:$SOCAT_JOINER_HOST,$SOCAT_OPTS
+    wsrep_log_info "Setting up tunnel for donor: socat $SOCAT_SRC $SOCAT_DST"
+    socat $SOCAT_SRC $SOCAT_DST &
+    SOCAT_REAL_PID=$!
+    # This is ok because a local galera node doesn't run SST concurrently
+    echo $SOCAT_REAL_PID >"$SOCAT_PID"
+    until check_pid_and_port $SOCAT_PID $SOCAT_REAL_PID $SOCAT_PORT localhost "socat"
+    do
+        sleep 0.2
+    done
+
+    if [ $WSREP_SST_OPT_BYPASS -eq 0 ]
+    then
+
+        FLUSHED="$WSREP_SST_OPT_DATA/tables_flushed"
+        ERROR="$WSREP_SST_OPT_DATA/sst_error"
+
+        rm -rf "$FLUSHED"
+        rm -rf "$ERROR"
+
+        # Use deltaxfer only for WAN
+        inv=$(basename $0)
+        [ "$inv" = "wsrep_sst_rsync_wan" ] && WHOLE_FILE_OPT="" \
+                                           || WHOLE_FILE_OPT="--whole-file"
+
+        echo "flush tables"
+
+        # Wait for :
+        # (a) Tables to be flushed, AND
+        # (b) Cluster state ID & wsrep_gtid_domain_id to be written to the file, OR
+        # (c) ERROR file, in case flush tables operation failed.
+
+        while [ ! -r "$FLUSHED" ] && ! grep -q ':' "$FLUSHED" >/dev/null 2>&1
+        do
+            # Check whether ERROR file exists.
+            if [ -f "$ERROR" ]
+            then
+                # Flush tables operation failed.
+                rm -rf "$ERROR"
+                exit 255
+            fi
+
+            sleep 0.2
+        done
+
+        STATE="$(cat $FLUSHED)"
+        rm -rf "$FLUSHED"
+
+        sync
+
+        if ! [ -z $WSREP_SST_OPT_BINLOG ]
+        then
+            # Prepare binlog files
+            pushd $BINLOG_DIRNAME &> /dev/null
+            binlog_files_full=$(tail -n $BINLOG_N_FILES ${BINLOG_FILENAME}.index)
+            binlog_files=""
+            for ii in $binlog_files_full
+            do
+                binlog_files="$binlog_files $(basename $ii)"
+            done
+            if ! [ -z "$binlog_files" ]
+            then
+                wsrep_log_info "Preparing binlog files for transfer:"
+                tar -cvf $BINLOG_TAR_FILE $binlog_files >&2
+            fi
+            popd &> /dev/null
+        fi
+
+        # first, the normal directories, so that we can detect incompatible protocol
+        RC=0
+        rsync --owner --group --perms --links --specials \
+              --ignore-times --inplace --dirs --delete --quiet \
+              $WHOLE_FILE_OPT "${FILTER[@]}" "$WSREP_SST_OPT_DATA/" \
+              rsync://$TARGET_ADDR >&2 || RC=$?
+
+        if [ "$RC" -ne 0 ]; then
+            wsrep_log_error "rsync returned code $RC:"
+
+            case $RC in
+            12) RC=71  # EPROTO
+                wsrep_log_error \
+                "rsync server on the other end has incompatible protocol. " \
+                "Make sure you have the same version of rsync on all nodes."
+                ;;
+            22) RC=12  # ENOMEM
+                ;;
+            *)  RC=255 # unknown error
+                ;;
+            esac
+            exit $RC
+        fi
+
+        # second, we transfer InnoDB log files
+        rsync --owner --group --perms --links --specials \
+              --ignore-times --inplace --dirs --delete --quiet \
+              $WHOLE_FILE_OPT -f '+ /ib_logfile[0-9]*' -f '- **' "$WSREP_LOG_DIR/" \
+              rsync://$TARGET_ADDR-log_dir >&2 || RC=$?
+
+        if [ $RC -ne 0 ]; then
+            wsrep_log_error "rsync innodb_log_group_home_dir returned code $RC:"
+            exit 255 # unknown error
+        fi
+
+        # then, we parallelize the transfer of database directories, use . so that pathconcatenation works
+        pushd "$WSREP_SST_OPT_DATA" >/dev/null
+
+        count=1
+        [ "$OS" == "Linux" ] && count=$(grep -c processor /proc/cpuinfo)
+        [ "$OS" == "Darwin" -o "$OS" == "FreeBSD" ] && count=$(sysctl -n hw.ncpu)
+
+        find . -maxdepth 1 -mindepth 1 -type d -not -name "lost+found" -print0 | \
+             xargs -I{} -0 -P $count \
+             rsync --owner --group --perms --links --specials \
+             --ignore-times --inplace --recursive --delete --quiet \
+             $WHOLE_FILE_OPT --exclude '*/ib_logfile*' "$WSREP_SST_OPT_DATA"/{}/ \
+             rsync://$TARGET_ADDR/{} >&2 || RC=$?
+
+        popd >/dev/null
+
+        if [ $RC -ne 0 ]; then
+            wsrep_log_error "find/rsync returned code $RC:"
+            exit 255 # unknown error
+        fi
+
+    else # BYPASS
+        wsrep_log_info "Bypassing state dump."
+
+        # Store donor's wsrep GTID (state ID) and wsrep_gtid_domain_id
+        # (separated by a space).
+        STATE="$WSREP_SST_OPT_GTID $WSREP_SST_OPT_GTID_DOMAIN_ID"
+    fi
+
+    echo "continue" # now server can resume updating data
+
+    echo "$STATE" > "$MAGIC_FILE"
+    rsync --archive --quiet --checksum "$MAGIC_FILE" rsync://$TARGET_ADDR
+
+    # to avoid cleanup race, stop tunnel before declaring the SST finished.
+    # This ensures galera won't start a new SST locally before we exit.
+    cleanup_tunnel
+
+    echo "done $STATE"
+
+elif [ "$WSREP_SST_OPT_ROLE" = "joiner" ]
+then
+    wsrep_check_programs lsof socat
+
+    touch $SST_PROGRESS_FILE
+    MYSQLD_PID=$WSREP_SST_OPT_PARENT
+
+    RSYNC_PID="$WSREP_SST_OPT_DATA/$MODULE.pid"
+
+    if check_pid $RSYNC_PID
+    then
+        wsrep_log_error "rsync daemon already running."
+        exit 114 # EALREADY
+    fi
+    rm -rf "$RSYNC_PID"
+
+    ADDR=$WSREP_SST_OPT_ADDR
+    RSYNC_PORT=$(echo $ADDR | awk -F ':' '{ print $2 }')
+    if [ -z "$RSYNC_PORT" ]
+    then
+        RSYNC_PORT=4444
+        ADDR="$(echo $ADDR | awk -F ':' '{ print $1 }'):$RSYNC_PORT"
+    fi
+
+    SOCAT_ADDR=$(echo $ADDR | awk -F ':' '{ print $1 }')
+    # map to name in case we received an IP
+    SOCAT_HOST=$(getent hosts $SOCAT_ADDR | awk '{ print $2 }')
+    if [ -z "$SOCAT_HOST" ]; then
+        SOCAT_HOST=$SOCAT_ADDR
+    fi
+    SOCAT_PORT=$RSYNC_PORT
+
+    trap "exit 32" HUP PIPE
+    trap "exit 3"  INT TERM ABRT
+    trap cleanup_joiner EXIT
+
+    RSYNC_CONF="$WSREP_SST_OPT_DATA/$MODULE.conf"
+
+    if [ -n "${MYSQL_TMP_DIR:-}" ] ; then
+      SILENT="log file = $MYSQL_TMP_DIR/rsynd.log"
+    else
+      SILENT=""
+    fi
+
+cat << EOF > "$RSYNC_CONF"
+pid file = $RSYNC_PID
+use chroot = no
+read only = no
+timeout = 300
+$SILENT
+[$MODULE]
+    path = $WSREP_SST_OPT_DATA
+[$MODULE-log_dir]
+    path = $WSREP_LOG_DIR
+EOF
+
+#    rm -rf "$DATA"/ib_logfile* # we don't want old logs around
+
+    # Socat receives rsync connections from the donor
+    SOCAT_SRC=openssl-listen:$SOCAT_PORT,bind=$SOCAT_HOST,reuseaddr,fork,$SOCAT_OPTS
+    SOCAT_DST=tcp:localhost:$RSYNC_PORT
+    wsrep_log_info "Setting up tunnel for joiner: socat $SOCAT_SRC $SOCAT_DST"
+    socat $SOCAT_SRC $SOCAT_DST &
+    SOCAT_REAL_PID=$!
+    # This is ok because a local galera node doesn't run SST concurrently
+    echo $SOCAT_REAL_PID >"$SOCAT_PID"
+    until check_pid_and_port $SOCAT_PID $SOCAT_REAL_PID $SOCAT_PORT $SOCAT_HOST "socat"
+    do
+        sleep 0.2
+    done
+
+    wsrep_log_info "rsync --daemon --no-detach --address localhost --port $RSYNC_PORT --config \"$RSYNC_CONF\""
+    rsync --daemon --no-detach --address localhost --port $RSYNC_PORT --config "$RSYNC_CONF" &
+    RSYNC_REAL_PID=$!
+
+    until check_pid_and_port $RSYNC_PID $RSYNC_REAL_PID $RSYNC_PORT localhost "rsync"
+    do
+        sleep 0.2
+    done
+
+    echo "ready $ADDR/$MODULE"
+
+    # wait for SST to complete by monitoring magic file
+    while [ ! -r "$MAGIC_FILE" ] && check_pid "$RSYNC_PID" && \
+          check_pid "$SOCAT_PID" && ps -p $MYSQLD_PID >/dev/null
+    do
+        sleep 1
+    done
+
+    # to avoid cleanup race, we can tear down the socat tunnel now
+    # before signaling the end of the SST to galera.
+    cleanup_tunnel
+
+    if ! ps -p $MYSQLD_PID >/dev/null
+    then
+        wsrep_log_error \
+        "Parent mysqld process (PID:$MYSQLD_PID) terminated unexpectedly."
+        exit 32
+    fi
+
+    if ! [ -z $WSREP_SST_OPT_BINLOG ]
+    then
+
+        pushd $BINLOG_DIRNAME &> /dev/null
+        if [ -f $BINLOG_TAR_FILE ]
+        then
+            # Clean up old binlog files first
+            rm -f ${BINLOG_FILENAME}.*
+            wsrep_log_info "Extracting binlog files:"
+            tar -xvf $BINLOG_TAR_FILE >&2
+            for ii in $(ls -1 ${BINLOG_FILENAME}.*)
+            do
+                echo ${BINLOG_DIRNAME}/${ii} >> ${BINLOG_FILENAME}.index
+            done
+        fi
+        popd &> /dev/null
+    fi
+    if [ -r "$MAGIC_FILE" ]
+    then
+        # UUID:seqno & wsrep_gtid_domain_id is received here.
+        cat "$MAGIC_FILE" # Output : UUID:seqno wsrep_gtid_domain_id
+    else
+        # this message should cause joiner to abort
+        echo "rsync process ended without creating '$MAGIC_FILE'"
+    fi
+    wsrep_cleanup_progress_file
+#    cleanup_joiner
+else
+    wsrep_log_error "Unrecognized role: '$WSREP_SST_OPT_ROLE'"
+    exit 22 # EINVAL
+fi
+
+rm -f $BINLOG_TAR_FILE || :
+
+exit 0
diff --git a/SPECS/mariadb.spec b/SPECS/mariadb.spec
index fc1f956..bea684a 100644
--- a/SPECS/mariadb.spec
+++ b/SPECS/mariadb.spec
@@ -154,7 +154,7 @@
 
 Name:             mariadb
 Version:          10.5.12
-Release:          2%{?with_debug:.debug}%{?dist}
+Release:          3%{?with_debug:.debug}%{?dist}
 Epoch:            3
 
 Summary:          A very fast and robust SQL database server
@@ -170,6 +170,7 @@ Source0:          https://fedoraproject.org/mariadb-%{version}-downstream_modifi
 Source2:          mysql_config_multilib.sh
 Source3:          my.cnf.in
 Source6:          README.mariadb-docs
+Source8:          README.wsrep_sst_rsync_tunnel
 Source10:         mariadb.tmpfiles.d.in
 Source11:         mysql.service.in
 Source12:         mariadb-prepare-db-dir.sh
@@ -204,6 +205,10 @@ Source71:         LICENSE.clustercheck
 # https://jira.mariadb.org/browse/MDEV-12646
 Source72:         mariadb-server-galera.te
 
+# Script to support encrypted rsync transfers when SST is required between nodes.
+# https://github.com/dciabrin/wsrep_sst_rsync_tunnel/blob/master/wsrep_sst_rsync_tunnel
+Source73:         wsrep_sst_rsync_tunnel
+
 #   Patch4: Red Hat distributions specific logrotate fix
 #   it would be big unexpected change, if we start shipping it now. Better wait for MariaDB 10.2
 Patch4:           %{pkgnamepatch}-logrotate.patch
@@ -766,7 +771,7 @@ cat %{SOURCE53} | tee -a mysql-test/unstable-tests
 %endif
 
 cp %{SOURCE2} %{SOURCE3} %{SOURCE10} %{SOURCE11} %{SOURCE12} \
-   %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE18} %{SOURCE70} scripts
+   %{SOURCE14} %{SOURCE15} %{SOURCE16} %{SOURCE18} %{SOURCE70} %{SOURCE73} scripts
 
 %if %{with galera}
 # prepare selinux policy
@@ -1042,6 +1047,7 @@ ln -s %{_libexecdir}/mariadbd %{buildroot}%{_sbindir}/mariadbd
 
 # copy additional docs into build tree so %%doc will find them
 install -p -m 0644 %{SOURCE6} %{basename:%{SOURCE6}}
+install -p -m 0644 %{SOURCE8} %{basename:%{SOURCE8}}
 install -p -m 0644 %{SOURCE16} %{basename:%{SOURCE16}}
 install -p -m 0644 %{SOURCE71} %{basename:%{SOURCE71}}
 
@@ -1063,6 +1069,9 @@ rm -r %{buildroot}%{_datadir}/%{pkg_name}/policy/apparmor
 # Buildroot does not have symlink /lib64 --> /usr/lib64
 mv %{buildroot}/%{_lib}/security %{buildroot}%{_libdir}
 
+# Add wsrep_sst_rsync_tunnel script
+install -p -m 0755 scripts/wsrep_sst_rsync_tunnel %{buildroot}%{_bindir}/wsrep_sst_rsync_tunnel
+
 # Disable plugins
 %if %{with gssapi}
 sed -i 's/^plugin-load-add/#plugin-load-add/' %{buildroot}%{_sysconfdir}/my.cnf.d/auth_gssapi.cnf
@@ -1380,6 +1389,7 @@ fi
 %endif
 
 %files server
+%doc README.wsrep_sst_rsync_tunnel
 
 %{_bindir}/aria_{chk,dump_log,ftdump,pack,read_log}
 %{_bindir}/mariadb-service-convert
@@ -1638,6 +1648,9 @@ fi
 %endif
 
 %changelog
+* Mon Oct 11 2021 Michal Schorm <mschorm@redhat.com> - 3:10.5.12-3
+- Add wsrep_sst_rsync_tunnel script
+
 * Tue Aug 17 2021 Honza Horak <hhorak@redhat.com> - 3:10.5.12-2
 - Fix OpenSSL 3.x compatibility
   Resolves: #1962047