Client SSL mode scope

[cursor]

Bare minimum self-checks

What do you think of a person who only does the bare minimum?

• I've updated this PR with the latest code from main
• I've done a cursory QA pass of my code locally
• I've ensured all automated status check and tests pass
• I've connected this PR to an issue

Pieces of flare

• I've written a unit or functional test for my code
• I've updated relevant documentation it my code changes it
• I've updated this repo's README if my code changes it
• I've updated this repo's CHANGELOG with my change unless its a trivial change (like updating a typo in the docs)

Finally

• I've requested a review with relevant people

If you have any issues or need help please join the #contributors channel in the Lando slack and someone will gladly help you out!

You can also check out the coder guide.

Description

This PR fixes a regression introduced by globally disabling SSL for MySQL clients. The previous change, intended to address MySQL 5.7 self-signed certificate issues, inadvertently broke connections to MySQL 8.0+ servers requiring secure transport and removed encryption for all MySQL client connections.

This change reverts the ssl-mode=DISABLED setting in lando.cnf, restoring the default ssl-mode=PREFERRED behavior. This default mode correctly handles self-signed certificates (by not strictly verifying them) while still attempting encrypted connections and falling back gracefully when SSL is not available. This resolves the regression and ensures secure transport is still possible where required, without reintroducing the original MySQL 5.7 issue.

---

[cursor]

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.
_{Learn more about Cursor Agents}