diff --git a/client/tlsutil/tlsconfig.go b/client/tlsutil/tlsconfig.go
index a8bac17f676..5bf03dc4afc 100644
--- a/client/tlsutil/tlsconfig.go
+++ b/client/tlsutil/tlsconfig.go
@@ -47,21 +47,12 @@ import (
 type TLSInfo struct {
 	CertFile           string
 	KeyFile            string
-	CAFile             string // TODO: deprecate this in v4
 	TrustedCAFile      string
-	ClientCertAuth     bool
-	CRLFile            string
 	InsecureSkipVerify bool
 
-	SkipClientSANVerify bool
-
 	// ServerName ensures the cert matches the given host in case of discovery / virtual hosting
 	ServerName string
 
-	// HandshakeFailure is optionally called when a connection fails to handshake. The
-	// connection will be closed immediately afterwards.
-	HandshakeFailure func(*tls.Conn, error)
-
 	// CipherSuites is a list of supported cipher suites.
 	// If empty, Go auto-populates it by default.
 	// Note that cipher suites are prioritized in the given order.
@@ -157,9 +148,6 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) {
 // cafiles returns a list of CA file paths.
 func (info TLSInfo) cafiles() []string {
 	cs := make([]string, 0)
-	if info.CAFile != "" {
-		cs = append(cs, info.CAFile)
-	}
 	if info.TrustedCAFile != "" {
 		cs = append(cs, info.TrustedCAFile)
 	}