I got in contact with MySQL development and in MySQL 5.7 they have already changed the "--ssl" option so that it requires TLS, with no default fallback to plaintext. They are working on TLS by default and to make it easier to verify TLS for replication and connections. We can implement some of the TLS options in our db_mysql module with modparams, which would make it easier for us to help using TLS - this way there's no need to specify TLS in my.cnf sections any more. /Olle