Default SSL socket factory as created in com.github.shyiko.mysql.binlog.BinaryLogClient enforces TLS v1 as it is configured in no-parametric consutrctor of com.github.shyiko.mysql.binlog.network.DefaultSSLSocketFactory.

Debezium should

• provide a configuration parameter that would set the TLS version to be used
• provide alternative implementation of com.github.shyiko.mysql.binlog.BinaryLogClient.DEFAULT_REQUIRED_SSL_MODE_SOCKET_FACTORY and com.github.shyiko.mysql.binlog.BinaryLogClient.DEFAULT_VERIFY_CA_SSL_MODE_SOCKET_FACTORY that would call a paramtirzed constructor with the requested TLS version
• use the alternative SSL socket factory via {{com.github.shyiko.mysql.binlog.BinaryLogClient.setSocketFactory(SocketFactory)}