|
pbossman, do you mean something similar to what MariaDB offers with client certificate verification, i.e. REQUIRE X509? If so, then this is already implemented with ssl_verify_peer_certificate in MaxScale.
|
|
I'm not aware of how mTLS is used by Fidelity. In my conversation with them, it just became clear it was from application to MaxScale, and not Xpand.
|
|
Since this very much seems like ssl_verify_peer_certificate, which mutually authenticates both the client and the server, I'll close this as Done since it's implemented in all versions or until further details about this can be provided.
|
|
They can enable it between clients and MaxScale by adding ssl_verify_peer_certificate=true in either the listener or the server definitions after configuring TLS normally for MaxScale.
When this feature is enabled, the peer must send a certificate. The certificate sent by the peer is verified against the configured Certificate Authority to make sure the peer is who they claim to be. For listeners, this behaves as if REQUIRE X509 was defined for all users. For servers, this behaves like the --ssl-verify-server-cert command line option for the mysql client.
|
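A sketch of the configuration described in the last comment, added here as an illustration and not taken from the ticket or from the MaxScale project. The section names, service name, address, ports and file paths are placeholders, and the CA parameter is written as ssl_ca_cert on the assumption of an older MaxScale release (newer releases name it ssl_ca).

```ini
# Constructed example: section names, addresses, ports and paths are placeholders.

# Client -> MaxScale: the listener requires every client to present a
# certificate signed by the configured CA (behaves like REQUIRE X509 for all users).
[RW-Listener]
type=listener
service=RW-Service
protocol=MariaDBClient
port=4006
ssl=true
ssl_cert=/path/to/maxscale-cert.pem
ssl_key=/path/to/maxscale-key.pem
# Assumption: older parameter name; newer releases call this ssl_ca
ssl_ca_cert=/path/to/ca.pem
# Without this line TLS is still used, but clients are not asked to prove
# their identity with a certificate.
ssl_verify_peer_certificate=true

# MaxScale -> backend: MaxScale verifies the certificate the server presents
# against the CA (behaves like --ssl-verify-server-cert in the mysql client).
[server1]
type=server
address=192.0.2.10
port=3306
ssl=true
ssl_ca_cert=/path/to/ca.pem
ssl_verify_peer_certificate=true
```

With the listener configured this way, a client that connects over TLS without a certificate, or with one that does not chain to the configured CA, should fail the handshake; confirming that from a test client is a quick way to check the setting took effect.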