diff --git a/software/erp5/instance-mariadb-input-schema.json b/software/erp5/instance-mariadb-input-schema.json
index ea0ec9ec887af8f402c5c30eb4afed2f785cf501..e12fe27457eadf0850a447a719d2daf8d71a04ab 100644
--- a/software/erp5/instance-mariadb-input-schema.json
+++ b/software/erp5/instance-mariadb-input-schema.json
@@ -106,6 +106,14 @@
         "key": {
           "description": "Server's key, in PEM format (mandatory to enable SSL support)",
           "type": "string"
+        },
+        "crl": {
+          "description": "Server's certificate revocation list, in PEM format",
+          "type": "string"
+        },
+        "cipher": {
+          "description": "Permissible cipher specifications, separated by colons",
+          "type": "string"
         }
       },
       "type": "object"
diff --git a/stack/erp5/buildout.cfg b/stack/erp5/buildout.cfg
index ebf7a73e68c4317ffcad998d4283797fc777cc0e..9b55441f3d85bbc538ef70c3a799401ff4a8d854 100644
--- a/stack/erp5/buildout.cfg
+++ b/stack/erp5/buildout.cfg
@@ -179,7 +179,7 @@ context =
 [template-mariadb]
 < = download-base
 filename = instance-mariadb.cfg.in
-md5sum = 7946369d6df508d854c786ab653e8cd4
+md5sum = 1e623053708a4d1de7a17d10ea5196c4
 link-binary =
   ${coreutils:location}/bin/basename
   ${coreutils:location}/bin/cat
@@ -210,7 +210,7 @@ md5sum = 5ad1664a39fbab5f8450c7fb36c81945
 [template-my-cnf]
 < = download-base
 filename = my.cnf.in
-md5sum = 21d1e74c964a4882f33c360e9c8a3d44
+md5sum = e0563820db570b77d24eb3ef0b0e0209
 
 [template-mariadb-initial-setup]
 < = download-base
diff --git a/stack/erp5/instance-mariadb.cfg.in b/stack/erp5/instance-mariadb.cfg.in
index 6eb9fadf32d3bec189aa56820c13f85a8da4406e..f5e5d51e67d87129f81d456780eff33dc2a2dc4d 100644
--- a/stack/erp5/instance-mariadb.cfg.in
+++ b/stack/erp5/instance-mariadb.cfg.in
@@ -61,6 +61,9 @@ about laxist file mode. -#}
 {%   if 'ca-crt' in ssl_parameter_dict -%}
 {{     sslfile('ca-crt', ssl_parameter_dict['ca-crt']) }}
 {%   endif -%}
+{%   if 'crl' in ssl_parameter_dict -%}
+{{     sslfile('crl', ssl_parameter_dict['crl']) }}
+{%   endif -%}
 {%- endif %}
 
 {% if full_backup_retention_days > -1 -%}
diff --git a/stack/erp5/my.cnf.in b/stack/erp5/my.cnf.in
index 31e1cc97d7963ddd122ff398fcd7c3a42398365c..ac228d52de436599c341dc36f568d6a333913247 100644
--- a/stack/erp5/my.cnf.in
+++ b/stack/erp5/my.cnf.in
@@ -76,6 +76,12 @@ ssl_key = {{ parameter_dict['ssl-key'] }}
 {%   if 'ssl-ca-crt' in parameter_dict -%}
 ssl_ca = {{ parameter_dict['ssl-ca-crt'] }}
 {%-  endif %}
+{%   if 'ssl-crl' in parameter_dict -%}
+ssl_crl = {{ parameter_dict['ssl-crl'] }}
+{%-  endif %}
+{%   if 'ssl-cipher' in parameter_dict -%}
+ssl_cipher = {{ parameter_dict['ssl-cipher'] }}
+{%-  endif %}
 {%- endif %}
 
 [client]