diff --git a/sqlx-core/src/mysql/connection.rs b/sqlx-core/src/mysql/connection.rs
index aa237ff1..2c251049 100644
--- a/sqlx-core/src/mysql/connection.rs
+++ b/sqlx-core/src/mysql/connection.rs
@@ -206,6 +206,10 @@ impl MySqlConnection {
 client_capabilities |= Capabilities::CONNECT_WITH_DB;
 }
+ if cfg!(feature = "tls") {
+ client_capabilities |= Capabilities::SSL;
+ }
+
 self.capabilities = (client_capabilities & handshake.server_capabilities) | Capabilities::PROTOCOL_41;
@@ -462,7 +466,7 @@ impl MySqlConnection {
 // try to upgrade
 #[cfg(feature = "tls")]
 "PREFERRED" => if let Err(e) = self_.try_ssl(&url, None, true).await {
- log::warn!("server does not support TLS");
+ log::warn!("TLS handshake failed, falling back to insecure: {}", e);
 // fallback, redo connection
 self_ = Self::new(&url).await?;
 handshake = self_.receive_handshake(&url).await?;
diff --git a/sqlx-core/src/mysql/protocol/ssl_request.rs b/sqlx-core/src/mysql/protocol/ssl_request.rs
index 088081ca..34682763 100644
--- a/sqlx-core/src/mysql/protocol/ssl_request.rs
+++ b/sqlx-core/src/mysql/protocol/ssl_request.rs
@@ -14,9 +14,11 @@ pub struct SslRequest {
 impl Encode for SslRequest {
 fn encode(&self, buf: &mut Vec, capabilities: Capabilities) {
- // client capabilities : int<4>
 // SSL must be set or else it makes no sense to ask for an upgrade
- buf.put_u32::((capabilities | Capabilities::SSL).bits() as u32);
+ assert!(capabilities.contains(Capabilities::SSL), "SSL bit must be set for Capabilities");
+
+ // client capabilities : int<4>
+ buf.put_u32::(capabilities.bits() as u32);
 // max packet size : int<4>
 buf.put_u32::(self.max_packet_size);
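Review bot: The SSL capability is switched on by `cfg!(feature = "tls")`, a compile-time test, so in the first hunk of connection.rs the bit is requested whatever ssl-mode the connection URL asks for. After the mask with `handshake.server_capabilities`, a build with the feature enabled talking to a TLS-capable server keeps the bit in `self.capabilities` even on a session that is never upgraded. If `self.capabilities` is what the later handshake response sends (not visible here), the client would claim SSL on a plaintext connection; consider setting the bit only when an upgrade is going to be attempted, or clearing it on the fallback path, and record the rule in a comment such as `// SSL is advertised only when a TLS upgrade will be attempted`. The enclosing function starts and ends outside the hunk.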
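Review bot: The fallback in the `"PREFERRED"` arm treats every error from `try_ssl` alike, so a handshake that fails for any reason, including interference on the network path or a certificate problem, ends in a plaintext connection with a single `log::warn!` as the only trace. The reworded message is more accurate than the old one, but the downgrade itself is undocumented; a comment at the top of the arm would help, for example `// PREFERRED is opportunistic: any TLS failure downgrades to plaintext; use a stricter ssl-mode when confidentiality is required`. Since the reconnect is a security-relevant event, it may also be worth including the target host in the warning so the downgrade can be found in logs. The arm's body continues past the end of the hunk.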
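Review bot: The new `assert!` in `SslRequest::encode` turns a negotiation outcome into a panic inside library code. If the `capabilities` passed here is the value masked with the server's flags in connection.rs, a server that does not advertise SSL would abort the caller's task instead of producing a connection error, unless `try_ssl` checks the bit first (that code is not in this diff). `encode` has no return value, so the recoverable check belongs in the caller, which should return an error before an `SslRequest` is built; the assertion can then stay as a documented invariant, `// invariant: the caller has verified that the server advertises SSL`. Dropping the forced `| Capabilities::SSL` is the right direction, because the request no longer claims a capability that was not negotiated.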