diff --git a/core/cmdbsource.class.inc.php b/core/cmdbsource.class.inc.php
index c725d0cec..a27e6d1ec 100644
--- a/core/cmdbsource.class.inc.php
+++ b/core/cmdbsource.class.inc.php
@@ -1611,4 +1611,22 @@ class CMDBSource
 return 'ALTER DATABASE'.CMDBSource::GetSqlStringColumnDefinition().';';
 }
+
+ /**
+ * Check which mysql client option (--ssl or --ssl-mode) to be used for encrypted connection
+ *
+ * @return bool true if --ssl-mode should be used, false otherwise
+ * @throws \MySQLException
+ *
+ * @link https://dev.mysql.com/doc/refman/5.7/en/connection-options.html#encrypted-connection-options "Command Options for Encrypted Connections"
+ */
+ public static function IsSslModeDBVersion()
+ {
+ if (static::GetDBVendor() === static::ENUM_DB_VENDOR_MYSQL)
+ {
+ //Mysql 5.7.0 and upper deprecated --ssl and uses --ssl-mode instead
+ return version_compare(static::GetDBVersion(), '5.7.11', '>=');
+ }
+ return false;
+ }
 }
diff --git a/setup/backup.class.inc.php b/setup/backup.class.inc.php
index 854c7594b..e0448b9ff 100644
--- a/setup/backup.class.inc.php
+++ b/setup/backup.class.inc.php
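Review bot: In `CMDBSource::IsSslModeDBVersion()` (core/cmdbsource.class.inc.php) the inline comment names `5.7.0` while the comparison uses `'5.7.11'`, so the comment and the threshold disagree. I would change it to `// MySQL 5.7.11 and later replace --ssl with --ssl-mode`, which matches the wording used in `GetMysqlCliTlsOptions`. The docblock describes a client option, but the decision is taken from `GetDBVersion()`, which presumably reports the server version. If the locally installed mysqldump binary differs from the server, it could be handed a TLS flag it does not accept, so the docblock should state that the client is assumed to match the server.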
@@ -464,13 +464,13 @@ EOF;
 * @param Config $oConfig
 *
 * @return string TLS arguments for CLI programs such as mysqldump. Empty string if the config does not use TLS.
+ * @throws \MySQLException
 *
- * @uses \CMDBSource::GetDBVendor() so needs a connection opened !
- * @uses \CMDBSource::GetDBVersion() so needs a connection opened !
+ * @uses \CMDBSource::IsSslModeDBVersion() so needs a connection opened !
 *
 * @since 2.5.0 N°1260
 * @since 2.6.2 2.7.0 N°2336 Call DB to get vendor and version (so CMDBSource must be init before calling this method)
- * @link https://dev.mysql.com/doc/refman/5.6/en/connection-options.html#encrypted-connection-options "Command Options for Encrypted Connections"
+ * @link https://dev.mysql.com/doc/refman/5.7/en/connection-options.html#encrypted-connection-options Command Options for Encrypted Connections
 */
 public static function GetMysqlCliTlsOptions($oConfig)
 {
@@ -480,13 +480,17 @@ EOF;
 return '';
 }
 $sTlsOptions = '';
-
- $sDBVendor = CMDBSource::GetDBVendor();
- $sDBVersion = CMDBSource::GetDBVersion();
- $sMysqlSSLModeVersion = '5.7.0'; //Mysql 5.7.0 and upper deprecated --ssl and uses --ssl-mode instead
- if ($sDBVendor === CMDBSource::ENUM_DB_VENDOR_MYSQL && version_compare($sDBVersion, $sMysqlSSLModeVersion, '>='))
+ // Mysql 5.7.11 and upper deprecated --ssl and uses --ssl-mode instead
+ if (CMDBSource::IsSslModeDBVersion())
 {
- $sTlsOptions .= ' --ssl-mode=VERIFY_CA';
+ if(empty($oConfig->Get('db_tls.ca')))
+ {
+ $sTlsOptions .= ' --ssl-mode=REQUIRED';
+ }
+ else
+ {
+ $sTlsOptions .= ' --ssl-mode=VERIFY_CA';
+ }
 }
 else
 {
diff --git a/test/setup/DBBackupTest.php b/test/setup/DBBackupTest.php
index 3ad7a2115..cdcc6cf90 100644
--- a/test/setup/DBBackupTest.php
+++ b/test/setup/DBBackupTest.php
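Review bot: The new `--ssl-mode=REQUIRED` branch in `GetMysqlCliTlsOptions` (hunk at -480) encrypts the mysqldump connection but does not verify the server certificate. A backup run with `db_tls.enabled` set and no `db_tls.ca` therefore has no protection against a host impersonating the database server. Neither this hunk nor the docblock edited in the hunk above states that trade-off. I would add `// No CA configured: REQUIRED encrypts but does not authenticate the server; set db_tls.ca to get VERIFY_CA` above the REQUIRED line, with a matching sentence in the `@return` description. On style, `if(empty(` lacks the space used in `if (CMDBSource::IsSslModeDBVersion())` just above it; the function body starts before and continues after this hunk.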
@@ -61,8 +61,16 @@ class DBBackupTest extends ItopTestCase
 $oConfigToTest->Set('db_tls.enabled', true);
 $sCliArgsMinCfg = DBBackup::GetMysqlCliTlsOptions($oConfigToTest);
- // depending on the MySQL version, we would have `--ssl` or `--ssl-mode=VERIFY_CA`
- $this->assertStringStartsWith(' --ssl', $sCliArgsMinCfg);
+ // depending on the MySQL vendor, we would have `--ssl` or `--ssl-mode=REQUIRED`
+ if (CMDBSource::IsSslModeDBVersion())
+ {
+ $this->assertStringStartsWith(' --ssl-mode=REQUIRED', $sCliArgsMinCfg);
+ }
+ else
+ {
+ $this->assertStringStartsWith(' --ssl', $sCliArgsMinCfg);
+ $this->assertStringNotContainsString('--ssl-mode', $sCliArgsMinCfg);
+ }
 }
 /**
@@ -81,7 +89,17 @@ class DBBackupTest extends ItopTestCase
 $oConfigToTest->Set('db_tls.ca', $sTestCa);
 $sCliArgsCapathCfg = DBBackup::GetMysqlCliTlsOptions($oConfigToTest);
- $this->assertStringStartsWith(' --ssl', $sCliArgsCapathCfg);
+ // depending on the MySQL vendor, we would have `--ssl` or `--ssl-mode=VERIFY_CA`
+ if (CMDBSource::IsSslModeDBVersion())
+ {
+ $this->assertStringStartsWith(' --ssl-mode=VERIFY_CA', $sCliArgsCapathCfg);
+ }
+ else
+ {
+ $this->assertStringStartsWith(' --ssl', $sCliArgsCapathCfg);
+ $this->assertStringNotContainsString('--ssl-mode', $sCliArgsCapathCfg);
+
+ }
 $this->assertStringEndsWith('--ssl-ca='.DBBackup::EscapeShellArg($sTestCa), $sCliArgsCapathCfg);
 }
 }
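Review bot: Both new assertions choose their expected value by calling `CMDBSource::IsSslModeDBVersion()`, the same helper the code under test calls. Each run therefore exercises only the branch that matches the database the suite is connected to, and a wrong version threshold in the helper would pass unnoticed. This applies to the hunk at -61 and the one at -81. The updated comments say "depending on the MySQL vendor", although the helper also depends on the version; `// depending on the DB vendor and version, we expect --ssl or --ssl-mode=...` would match the code. The second hunk also leaves a stray empty line before the closing brace of its `else` block, and both test methods start outside their hunks.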