TLS

https://dev.mysql.com/doc/refman/8.4/en/using-encrypted-connections.html
https://dev.mysql.com/doc/refman/8.4/en/encrypted-connection-protocols-ciphers.html
https://dev.mysql.com/doc/refman/8.4/en/creating-ssl-rsa-files.html
https://dev.mysql.com/doc/refman/8.4/en/connection-options.html

server side:
    enable encrypted connections
    require secure transport for client connections

client side:
    use VERIFY_CA or VERIFY_IDENTITY
    pin CA certificate
    verify server hostname when possible

do not do this in production:
    ssl-mode=DISABLED
    rejectUnauthorized=false
    insecure_skip_verify

file layout:
    /etc/mysql/certs/ca.pem
    /etc/mysql/certs/server-cert.pem
    /etc/mysql/certs/server-key.pem

permissions:
    private key should be readable only by mysql process owner
    certificate files should not be world-writable

SHOW VARIABLES LIKE 'require_secure_transport';
SHOW VARIABLES LIKE 'tls_version';
SHOW VARIABLES LIKE 'have_ssl';

note:
    MySQL 8.4 supports TLSv1.2 and TLSv1.3 for connections

mysql \
  --host=db.example.com \
  --user=shop_app \
  --password \
  --ssl-mode=VERIFY_IDENTITY \
  --ssl-ca=/etc/mysql/certs/ca.pem \
  -e "SHOW STATUS LIKE 'Ssl_cipher';"

mysql \
  --host=db.example.com \
  --user=shop_app \
  --password \
  --ssl-mode=VERIFY_CA \
  --ssl-ca=/etc/mysql/certs/ca.pem

SHOW STATUS LIKE 'Ssl_cipher';
SHOW STATUS LIKE 'Ssl_version';

JDBC URL example:
    jdbc:mysql://db.example.com:3306/shop?sslMode=VERIFY_IDENTITY&enabledTLSProtocols=TLSv1.2,TLSv1.3

recommendation:
    trust the server CA
    keep hostname verification on

mysql-connector-python style:
    ssl_ca=/etc/mysql/certs/ca.pem
    ssl_verify_cert=True
    ssl_verify_identity=True

go-sql-driver/mysql style:
    register a tls.Config with RootCAs and ServerName
    use tls=custom in the DSN

mysql2 style:
    ssl:
        ca: fs.readFileSync('/etc/mysql/certs/ca.pem')
        rejectUnauthorized: true