Comment 2 for bug 1828407

Default is enabled from mysql data directory
https://dev.mysql.com/doc/refman/5.7/en/creating-ssl-rsa-files-using-mysql.html
One can override that with parameters you mentioned (and use CA signed keys as opposed to default opportunistic attempt)

I will check with upstream and return if I have something.