diff --git a/public_html/lists/admin/mysqli.inc b/public_html/lists/admin/mysqli.inc
index 29c900890..6429587c6 100644
--- a/public_html/lists/admin/mysqli.inc
+++ b/public_html/lists/admin/mysqli.inc
@@ -11,7 +11,8 @@ if (!function_exists("mysqli_init")) {
function Sql_Connect($host, $user, $password, $database)
{
- global $database_port, $database_socket, $database_connection_compression, $database_connection_ssl;
+ global $database_port, $database_socket, $database_connection_compression;
+ global $database_connection_ssl, $database_connection_ssl_force, $database_connection_ssl_ca;
if (!$host || !$user) {
header('HTTP/1.0 500 Cannot connect to database');
@@ -20,10 +21,27 @@ function Sql_Connect($host, $user, $password, $database)
}
$db = mysqli_init();
$compress = empty($database_connection_compression) ? 0 : MYSQLI_CLIENT_COMPRESS;
- $secure = empty($database_connection_ssl) ? 0 : MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT;
+ $secure = 0;
+ if (!empty($database_connection_ssl)) {
+ $secure = MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT;
+ }
+ if (!empty($database_connection_ssl_force)) {
+ $secure = MYSQLI_CLIENT_SSL;
+ }
mysqli_report(MYSQLI_REPORT_OFF);
+ if (!empty($database_connection_ssl_ca)) {
+ mysqli_ssl_set(
+ $db,
+ null,
+ null,
+ realpath($database_connection_ssl_ca),
+ null,
+ null
+ );
+ }
+
if (!mysqli_real_connect($db, $host, $user, $password, $database, $database_port, $database_socket, $compress | $secure)) {
$errno = mysqli_connect_errno();
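Review bot: The result of `realpath($database_connection_ssl_ca)` goes straight into `mysqli_ssl_set()`, and realpath() returns false when the file is missing or unreadable, so a wrong CA path is silently dropped instead of stopping the connection. Resolve it first with `$caFile = realpath($database_connection_ssl_ca);` and, when `$caFile === false`, abort the same way the missing-host branch at the top of the function does. Separately, when only `$database_connection_ssl` is set the flag stays `MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT`, so a configured CA does not appear to get the server certificate checked unless `$database_connection_ssl_force` is also true. Selecting `MYSQLI_CLIENT_SSL` whenever a CA is configured would make the CA setting mean what an administrator expects. Sql_Connect starts before this hunk and continues past it.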
@@ -427,5 +445,3 @@ function sql_escape($text)
return '';
}
}
-
-
diff --git a/public_html/lists/config/config_extended.php b/public_html/lists/config/config_extended.php
index b0ab027c4..f453ac888 100644
--- a/public_html/lists/config/config_extended.php
+++ b/public_html/lists/config/config_extended.php
@@ -38,9 +38,16 @@
// enable database connection compression
$database_connection_compression = false;
-// force database connection to use SSL
+// Use SSL/TLS for the database connection.
$database_connection_ssl = false;
+// Set to true if MySQL is configured with require_secure_transport=ON.
+$database_connection_ssl_force = false;
+
+// If the database user requires SSL, set this to the path
+// of the CA certificate used to verify the MySQL server certificate.
+$database_connection_ssl_ca = '/path/to/ca.pem';
+
// if you use multiple installations of phpList you can set this to
// something to identify this one. it will be prepended to email report
// subjects
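Review bot: The sample default `$database_connection_ssl_ca = '/path/to/ca.pem';` is a non-empty placeholder, so the `!empty($database_connection_ssl_ca)` branch in Sql_Connect runs for any install that keeps this value and hands `mysqli_ssl_set()` a path that does not exist. Default it to `$database_connection_ssl_ca = '';` and keep the example path in the comment above it. The comments should also say that `$database_connection_ssl` on its own encrypts the link without verifying the server certificate (it maps to `MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT`). From the connect code, verification seems to need `$database_connection_ssl_force` together with the CA path, and the current wording ties that setting only to `require_secure_transport=ON`.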