Hello,

List of UX problems:
Documentation, part 1:
Where is only one page with small amount of information:
https://www.zabbix.com/documentation/current/manual/appendix/install/db_encrypt

Documentation, part 2:

Options for configuring secure connections to the database become available when the TLS encryption checkbox is marked in the Configure DB connection step of installing Zabbix frontend.

This checkbox does not allow to understand which is done by this checkbox, transport mode or cert verify mode (PgSQL and MySQL has mostly the same behaviour).

Even if no other parameters are filled, connections will be TLS-encrypted if this checkbox is marked.

Not true, for example MySQL has 2 options to allow encrypted transport only (no cert checks) and 4 options for user account to check certificate. This should be improved in documentation.

With host verification Mark this checkbox to activate host verification.

This is not working for MySQL and settings are always using Common name check. So overall implementation does not allow you to use it without CN checks. Also it doesn't mentioned, that in transport mode - CN is not checked, so this is the base logic.

Specify a custom list of valid ciphers. The format of the cipher list must conform to the OpenSSL standard.
This field is available for MySQL only.

In transport mode leaving this field empty is OK, but in cert verify mode - you will have error, because code is setting nothing as a cipher, but client should handle this, if not set nothing manually, so here is an error in code and in documentation. Set field mandatory or do not try to set as NULL, if nothing entered. All CERT fields should be mandatory.

If they point to non-existent or invalid files, a connection error will be displayed.

No checks, set any non existing file path - authorisation error, despite of missing file path.

If TLS parameters point to files that are open for writing, the frontend generates a warning in the System information report that "TLS certificate files must be read-only."

Works only if PHP user is owner of the certificate, you can set 0777 and it will show nothing since owner and group are different.

Just good to note in documentation:

1. localhost/127.0.0.1 with socket connection will not use encryption, since shared memory is used with socket, so all accounts should not have strict requirement to enable encryption, also no global option should be set.
2. no examples how to setup database, how to create users, etc...
3. no information about common name restrictions;

Frontend/database, part1:
Re-design required for setup part, change checkbox to horizontal selector like this:

If localhost/127.0.0.1 do not try to use encryption at all and notify user to use correct account, if not - it will fail having unreliable errors like 2002:

If verify cert option is selected, notify to set CN as dns or ip of the database server in text field and also provide help how to regenerate certs using openssl:

Also if cert verify is selected it's required to show other fields.

If TLS cipher list is not set - allow client to negotiate with server itself automatically.

Frontend/database, part2:
Fix errors handling, currently it doesn't clear if Frontend tried to connect or not, if SElinux or AppArmor is set, frontend just showing - Permission denied without any clue - where it stuck.

Also permission checks and file existence are not handling correctly.