Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
Description
In version 2.0, connections should use TLS and check the server's certificate by default, in other words, ship with ssl=true and ssl_verify_cert=true.
Right now the connector connects in plain text by default. And even if you turn TLS on with ssl=true, certificate checking stays off (ssl_verify_cert=false). So today, with no extra setup, the username, password and data are sent unencrypted, and even when someone does enable TLS, the connection is encrypted but the server's identity is never verified, so an attacker sitting between the client and the server (a man-in-the-middle) can still read or alter the traffic.
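As an added example (not code from this issue or from Connector/Python itself), here is a small Python audit that sorts a set of `connect()` keyword options into the three states described above (plain text, TLS without certificate verification, verified TLS) and applies the defaults proposed for 2.0. The sample configurations are constructed, and the helper names `classify_tls`, `harden` and `connect_securely` are my own; only the final `mariadb.connect` call needs the real driver, which is why it is imported at the last moment.

```python
"""Audit MariaDB Connector/Python connection options for their TLS posture."""
from __future__ import annotations

from typing import Any

# Defaults the issue proposes for 2.0, expressed as plain connect() kwargs.
SECURE_TLS_DEFAULTS: dict[str, Any] = {"ssl": True, "ssl_verify_cert": True}

# Constructed sample configurations, not taken from any real deployment.
PLAINTEXT_TODAY = {"user": "app", "password": "s3cret", "host": "db.internal"}
TLS_UNVERIFIED = {**PLAINTEXT_TODAY, "ssl": True}  # today's result of setting only ssl=true
TLS_VERIFIED = {**PLAINTEXT_TODAY, "ssl": True, "ssl_verify_cert": True}


def classify_tls(opts: dict[str, Any]) -> str:
    """Return 'plaintext', 'unverified' or 'verified' for a set of connect() options.

    Mirrors the three states in the issue text: no TLS at all, TLS without the
    server identity checked (open to a man-in-the-middle), and verified TLS.
    The pre-2.0 defaults (ssl=false, ssl_verify_cert=false) apply when a key is absent.
    """
    if not opts.get("ssl", False):
        return "plaintext"
    if not opts.get("ssl_verify_cert", False):
        return "unverified"
    return "verified"


def harden(opts: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of opts with the proposed secure defaults filled in.

    Keys the caller set explicitly win, so an operator who deliberately pinned a
    CA bundle (ssl_ca) keeps it, and an explicit ssl_verify_cert=False is kept
    rather than silently overridden so that connect_securely() can refuse it.
    """
    return {**SECURE_TLS_DEFAULTS, **opts}


def connect_securely(**opts: Any):
    """Open a connection that refuses anything short of verified TLS.

    The driver is imported here, not at module top, so the audit helpers above
    run without it installed.
    """
    hardened = harden(opts)
    state = classify_tls(hardened)
    if state != "verified":
        raise ValueError(
            f"refusing {state} connection; set ssl=True and ssl_verify_cert=True"
        )
    import mariadb  # real driver; connect() accepts the ssl / ssl_verify_cert keywords

    return mariadb.connect(**hardened)


if __name__ == "__main__":
    samples = [
        ("PLAINTEXT_TODAY", PLAINTEXT_TODAY),
        ("TLS_UNVERIFIED", TLS_UNVERIFIED),
        ("TLS_VERIFIED", TLS_VERIFIED),
    ]
    for name, cfg in samples:
        print(f"{name}: as written -> {classify_tls(cfg)}, "
              f"with 2.0 defaults -> {classify_tls(harden(cfg))}")
```

Run as a script it prints the three sample configurations before and after the proposed defaults; the first two go from `plaintext` / `unverified` to `verified` because the missing keys are filled in, while an explicit `ssl_verify_cert=False` survives `harden()` and makes `connect_securely()` raise instead of opening an unverified session.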
Until now, secure-by-default was impractical because of the setup work: CA management, keys, trust stores. Zero-configuration TLS in Server 11.4+ removes all of that. The server generates its own certificate, and the client verifies it via fingerprint plus the account password as a shared secret, no CA needed, so against an 11.4+ server it just works. The feature has been out since 11.4 LTS (2024) and is now in three LTS lines, so it is mature enough to rely on by default.
The C connector already did this. MariaDB Connector-C (libmariadb) already verifies the certificate by default (DEFAULT_SSL_VERIFY_SERVER_CERT is ON in its build), and it handles that zero-config self-signed case the same way. So changing Connector/Python's defaults brings it in line with the C connector instead of making the two behave differently, which matches our rule of following the C implementation.