Several options in CHANGE MASTER TO, for example MASTER_SSL_CA, have the following text in their documentation: 'This option implies the MASTER_SSL option.'
This is false. MASTER_SSL=1 must be explicitly set.
I tested this using MariaDB 10.11.2, but this issue has probably existed for a while since there is a comment at the bottom of that very documentation page where someone reported this over a year ago.
I guess there are two potential solutions for this. Either
- Update the documentation to instead say that you need to set MASTER_SSL=1 for the other TLS options to take effect.
- Or, update the server replication implementation to follow the documentation.