Replication switchover and failover do not work when having replication set up to require two-way TLS by creating the replication user with REQUIRE x509.
Problem is that even with replication_master_ssl=true only adds MASTER_SSL=1 to the CHANGE_MASTER statement, but not MASTER_SSL_CERT etc.
As far as I understand it relies on these to be fetched from the MariaDB options file(s) as documented here:
but this does not work as documented, see
MDEV-31934, and so makes switchover fail in a setup requiring two-way TLS as the slave will not send a client certificate to the master.