We have added the functionality on the DB side to require SSL for mariadb connections based on user. We (fr-tech-ops) would like this tested with civicrm on frdev. Then we can enable it there and on production for the required users.
Initially, we will be ok with just using SSL for the connection. If it can be configured, we would like to have it set to verify the DB connection using the host's copy of the CA file.