Description
When MariaDB is generating a self-signed certificate (new in 11.4.0), it neglects to set the x509 version, so it defaults to v1, which is not accepted by RusTLS and can lead to connection failure: https://github.com/launchbadge/sqlx/actions/runs/8149156874/job/22273413421#step:9:354
This affects clients even when not using MySqlSslMode::VerifyCa or ::VerifyIdentity because RusTLS rejects the certificate while parsing it.
The new server authentication flow involving auth plugins will likely need its own support, but assuming it doesn't change the handshake in a backwards-incompatible way, it should presumably still work with MySqlSslMode::Preferred or ::Required.
As a temporary workaround, users should switch to or continue using existing pre-signed certificates, or switch to the tls-native-tls feature instead. When generating certificates, be sure the x509 version is set to 3 so RusTLS can accept them.
Reported upstream as: https://jira.mariadb.org/browse/MDEV-33592
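
One way to check a certificate's X.509 version before deploying it on the server, as an added example that is not part of the original issue or of the sqlx or MariaDB code. The function names and the two sample byte strings are constructed for illustration.

```python
import base64
import re

# Constructed skeletons (not real certificates): just enough DER to carry the
# tbsCertificate version field. V1 omits the [0] tag, V3 encodes INTEGER 2.
SAMPLE_V1 = bytes.fromhex("3005" "3003" "020101")
SAMPLE_V3 = bytes.fromhex("300a" "3008" "a003020102" "020101")

def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, start, end) of the value."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def to_der(cert):
    """Accept PEM or raw DER bytes and return DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", cert, re.S)
    return base64.b64decode(m.group(1)) if m else cert

def x509_version(cert):
    """Return the X.509 version (1, 2 or 3) of a PEM or DER certificate."""
    der = to_der(cert)
    tag, start, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate")
    tag, start, _ = read_tlv(der, start)    # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate")
    tag, start, _ = read_tlv(der, start)    # first field of tbsCertificate
    if tag != 0xA0:
        return 1                            # version absent means DEFAULT v1
    tag, start, end = read_tlv(der, start)  # INTEGER inside [0] EXPLICIT
    if tag != 0x02 or end - start != 1 or der[start] > 2:
        raise ValueError("malformed version field")
    return der[start] + 1

def is_v3(cert):
    """True when the certificate meets the issue's requirement of version 3."""
    return x509_version(cert) == 3

if __name__ == "__main__":
    for name, sample in (("v1 skeleton", SAMPLE_V1), ("v3 skeleton", SAMPLE_V3)):
        print(name, "-> version", x509_version(sample), "ok" if is_v3(sample) else "regenerate as v3")
```

To check a real file, pass its contents: `x509_version(open(path, "rb").read())`, where `path` is the server certificate in PEM or DER form.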