diff --git a/SOURCES/bz1992661-mysql-use-ssl-mode.patch b/SOURCES/bz1992661-mysql-use-ssl-mode.patch
new file mode 100644
index 0000000..c930c4e
--- /dev/null
+++ b/SOURCES/bz1992661-mysql-use-ssl-mode.patch
@@ -0,0 +1,24 @@
+From ed5bc606a4db5108995df9297698cf9dc14cccb2 Mon Sep 17 00:00:00 2001
+From: Oyvind Albrigtsen <oalbrigt@redhat.com>
+Date: Tue, 18 Jan 2022 11:32:05 +0100
+Subject: [PATCH] mysql-common: fix local SSL connection by using
+ --ssl-mode=REQUIRED which is available on 5.7+ (--ssl is not available in
+ 8.0)
+
+---
+ heartbeat/mysql-common.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/heartbeat/mysql-common.sh b/heartbeat/mysql-common.sh
+index 459948b10..de8763544 100755
+--- a/heartbeat/mysql-common.sh
++++ b/heartbeat/mysql-common.sh
+@@ -97,7 +97,7 @@ MYSQL_BINDIR=`dirname ${OCF_RESKEY_binary}`
+ 
+ MYSQL=$OCF_RESKEY_client_binary
+ if ocf_is_true "$OCF_RESKEY_replication_require_ssl"; then
+-  MYSQL_OPTIONS_LOCAL_SSL_OPTIONS="--ssl"
++  MYSQL_OPTIONS_LOCAL_SSL_OPTIONS="--ssl-mode=REQUIRED"
+ else
+   MYSQL_OPTIONS_LOCAL_SSL_OPTIONS=""
+ fi
diff --git a/SPECS/resource-agents.spec b/SPECS/resource-agents.spec
index 41f94a6..65873ef 100644
--- a/SPECS/resource-agents.spec
+++ b/SPECS/resource-agents.spec
@@ -66,7 +66,7 @@
 Name:		resource-agents
 Summary:	Open Source HA Reusable Cluster Resource Scripts
 Version:	4.9.0
-Release:	12%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
+Release:	13%{?rcver:%{rcver}}%{?numcomm:.%{numcomm}}%{?alphatag:.%{alphatag}}%{?dirty:.%{dirty}}%{?dist}
 License:	GPLv2+ and LGPLv2+
 URL:		https://github.com/ClusterLabs/resource-agents
 %if 0%{?fedora} || 0%{?centos_version} || 0%{?rhel}
@@ -95,6 +95,7 @@ Patch8: 	bz2015789-gcp-ilb-3-use-bundled-gcloud.patch
 Patch9: 	bz2027591-nfsnotify-fix-notify_args-default.patch
 Patch10:	bz2012057-Route-return-OCF_NOT_RUNNING-missing-route.patch
 Patch11:	bz2029706-db2-crm_attribute-use-forever.patch
+Patch12:	bz1992661-mysql-use-ssl-mode.patch
 
 # bundle patches
 Patch1000:	7-gcp-bundled.patch
@@ -280,6 +281,7 @@ exit 1
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
 
 chmod 755 heartbeat/nova-compute-wait
 chmod 755 heartbeat/NovaEvacuate
@@ -860,6 +862,11 @@ ccs_update_schema > /dev/null 2>&1 ||:
 %{_usr}/lib/ocf/lib/heartbeat/OCF_*.pm
 
 %changelog
+* Thu Jan 20 2022 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-13
+- mysql: add support for local SSL connection
+
+  Resolves: rhbz#1992661
+
 * Tue Dec  7 2021 Oyvind Albrigtsen <oalbrigt@redhat.com> - 4.9.0-12
 - Route: return OCF_NOT_RUNNING for probe action when interface
   or route doesnt exist