diff --git a/changelog.md b/changelog.md
index eeb167de..c51d4e9c 100644
--- a/changelog.md
+++ b/changelog.md
@@ -5,6 +5,7 @@ Features
 ---------
 * Let the `--dsn` argument accept literal DSNs as well as aliases.
 * Accept `--character-set` as an alias for `--charset` at the CLI.
+* Add SSL/TLS version to `status` output.
 
 
 Bug Fixes
diff --git a/mycli/packages/special/dbcommands.py b/mycli/packages/special/dbcommands.py
index 07be5fa1..a71a9084 100644
--- a/mycli/packages/special/dbcommands.py
+++ b/mycli/packages/special/dbcommands.py
@@ -8,7 +8,7 @@
 from mycli import __version__
 from mycli.packages.special import iocommands
 from mycli.packages.special.main import ArgType, special_command
-from mycli.packages.special.utils import format_uptime
+from mycli.packages.special.utils import format_uptime, get_ssl_version
 from mycli.packages.sqlresult import SQLResult
 
 logger = logging.getLogger(__name__)
@@ -126,6 +126,7 @@ def status(cur: Cursor, **_) -> list[SQLResult]:
 
     output.append(("Server version:", f'{variables["version"]} {variables["version_comment"]}'))
     output.append(("Protocol version:", variables["protocol_version"]))
+    output.append(('SSL/TLS version:', get_ssl_version(cur)))
 
     if "unix" in cur.connection.host_info.lower():
         host_info = cur.connection.host_info
diff --git a/mycli/packages/special/utils.py b/mycli/packages/special/utils.py
index b6edf7f9..98b1e99d 100644
--- a/mycli/packages/special/utils.py
+++ b/mycli/packages/special/utils.py
@@ -1,6 +1,13 @@
+import logging
 import os
 import subprocess
 
+from pymysql.cursors import Cursor
+
+logger = logging.getLogger(__name__)
+
+CACHED_SSL_VERSION: dict[int, str | None] = {}
+
 
 def handle_cd_command(arg: str) -> tuple[bool, str | None]:
     """Handles a `cd` shell command by calling python's os.chdir."""
@@ -46,3 +53,21 @@ def format_uptime(uptime_in_seconds: str) -> str:
 
     uptime = " ".join(uptime_values)
     return uptime
+
+
+def get_ssl_version(cur: Cursor) -> str | None:
+    if cur.connection.thread_id() in CACHED_SSL_VERSION:
+        return CACHED_SSL_VERSION[cur.connection.thread_id()] or None
+
+    query = 'SHOW STATUS LIKE "Ssl_version"'
+    logger.debug(query)
+    cur.execute(query)
+
+    ssl_version = None
+    if one := cur.fetchone():
+        CACHED_SSL_VERSION[cur.connection.thread_id()] = one[1]
+        ssl_version = one[1] or None
+    else:
+        CACHED_SSL_VERSION[cur.connection.thread_id()] = ''
+
+    return ssl_version