There is a difference in how --ssl behaves in mariadb 10.1 and mariadb 10.2, which is caused by using mariadb-connector-c as a client library. The difference is that from version 10.2, when user specifies the option --ssl but not --verify-server-cert, the cert chain is not verified, so using just --ssl is inherently insecure. One should use --verify-server-cert if one wants a secure connection (but, of course, it's up to you whether to do so).
As Sergei more explained:
We've agreed that this issue is not a bug.
It does not make much sense to insist on a valid certificate when the server can turn off SSL altogether.
That is, the use case is mysql --ssl and it means "use SSL if possible". This is a flawed approach, because it allows the server simply to disable SSL, and the client will happily connect without. So, if the certificate is invalid the client can either accept it (that's what Connector/C is doing) or not accept, which will only make the server not to use the certificate and the client will connect without SSL at all. This check does not add any extra security, if anything it makes the connection less secure.
The correct approach for the client is to use --verify-server-cert option. This will properly require SSL and a valid server certificate.
The historical "optional SSL" mode does not guarantee anything.
So, since the different behaviour is considered expected, I'd suggest two things to do:
- document this change in behaviour between 10.1 and 10.2 in https://mariadb.com/kb/en/library/upgrading-from-mariadb-101-to-mariadb-102/
- enhance man page for mysql --ssl, and explain that to be secured, one needs to also use --verify-server-cert