diff --git a/src/infrastructure/storage/connection/mysql/AphrontMySQLDatabaseConnection.php b/src/infrastructure/storage/connection/mysql/AphrontMySQLDatabaseConnection.php
--- a/src/infrastructure/storage/connection/mysql/AphrontMySQLDatabaseConnection.php
+++ b/src/infrastructure/storage/connection/mysql/AphrontMySQLDatabaseConnection.php
@@ -36,6 +36,15 @@
           'mysql_connect()'));
     }
 
+    $use_tls = $this->getConfiguration('use-tls');
+    if ($use_tls) {
+      // TLS requires AphrontMySQLiDatabaseConnection
+      throw new Exception(
+        pht(
+          'Using TLS database connections requires the PHP "%s" extension.',
+          'mysqli'));
+    }
+
     $user = $this->getConfiguration('user');
     $host = $this->getConfiguration('host');
     $port = $this->getConfiguration('port');
diff --git a/src/infrastructure/storage/connection/mysql/AphrontMySQLiDatabaseConnection.php b/src/infrastructure/storage/connection/mysql/AphrontMySQLiDatabaseConnection.php
--- a/src/infrastructure/storage/connection/mysql/AphrontMySQLiDatabaseConnection.php
+++ b/src/infrastructure/storage/connection/mysql/AphrontMySQLiDatabaseConnection.php
@@ -71,6 +71,42 @@
       $conn->options(MYSQLI_OPT_CONNECT_TIMEOUT, $timeout);
     }
 
+    $flags = 0;
+    $use_tls = $this->getConfiguration('use-tls');
+    if ($use_tls) {
+      // Below ssl_set() will do nothing if openssl is not enabled, leading to a
+      // successful insecure connection if the database server does not disable
+      // plaintext connections.
+      if (!function_exists('openssl_encrypt')) {
+        throw new Exception(
+          pht(
+            'Using TLS database connections requires the PHP "%s" extension.',
+            'openssl'));
+      }
+
+      $flags = MYSQLI_CLIENT_SSL;
+
+      // TODO
+      $client_key = '..';
+      $client_cert = '..';
+
+      // Maybe this should be configurable. This list is based on the
+      // "Modern" compatibility specified in:
+      // https://wiki.mozilla.org/Security/Server_Side_TLS
+      // crossed with what openssl_get_cipher_methods() returns.
+      $ciphers = array(
+        'aes-128-gcm',
+        'chacha20-poly1305',
+      );
+
+      $conn->ssl_set(
+        $client_key,
+        $client_cert,
+        null, // ca_certificate, load from php.ini/openssl.cafile
+        null, // ca_path, load from php.ini/openssl.capath
+        $ciphers);
+    }
+
     if ($this->getPersistent()) {
       $host = 'p:'.$host;
     }
@@ -82,7 +118,9 @@
       $user,
       $pass,
       $database,
-      $port);
+      $port,
+      null, // socket
+      $flags);
 
     $call_error = $trap->getErrorsAsString();
     $trap->destroy();