Several options in CHANGE MASTER TO, for example MASTER_SSL_CA, have the following text in their documentation: 'This option implies the MASTER_SSL option.'

This is false. MASTER_SSL=1 must be explicitly set.
I tested this using MariaDB 10.11.2, but this issue has probably existed for a while since there is a comment at the bottom of that very documentation page where someone reported this over a year ago.

I guess there are two potential solutions for this. Either

• Update the documentation to instead say that you need to set MASTER_SSL=1 for the other TLS options to take effect.
• Or, update the server replication implementation to follow the documentation.