diff --git a/MySQLdb/connections.py b/MySQLdb/connections.py
index 8e226ffe..acccf4f4 100644
--- a/MySQLdb/connections.py
+++ b/MySQLdb/connections.py
@@ -5,6 +5,7 @@
 override Connection.default_cursor with a non-standard Cursor class.
 """
 import re
+import os
 from . import cursors, _mysql
 from ._exceptions import (
@@ -144,10 +145,36 @@ class object, used to create cursors (keyword only)
 kwargs2 = kwargs.copy()
- if "database" in kwargs2:
- kwargs2["db"] = kwargs2.pop("database")
- if "password" in kwargs2:
- kwargs2["passwd"] = kwargs2.pop("password")
+ # Load SSL arguments from the environment if provided.
+ # Anything passed locally overrides the environment.
+ # Skip this if ssl is explicitly passed with a None value.
+ if kwargs2.get("ssl", True) is not None:
+ ssl_arg = {}
+ for conf_name in ("key", "cert", "ca", "capath", "cipher"):
+ try:
+ value = kwargs2["ssl"][conf_name]
+ except KeyError:
+ env_key = "PY_MYSQL_SSL_%s" % conf_name.upper()
+ try:
+ value = os.environ[env_key]
+ except KeyError:
+ value = None
+ if value is not None:
+ ssl_arg[conf_name] = value
+ if ssl_arg:
+ kwargs2["ssl"] = ssl_arg
+
+ # If the host is "localhost", a TLS connection there does not
+ # make sense, whether it's via a TCP/IP or UNIX socket. Make it
+ # easier for users by removing the SSL argument in that case.
+ if ("ssl" in kwargs2 and
+ kwargs2.get("host", "localhost") == "localhost"):
+ del kwargs2["ssl"]
+
+ if 'database' in kwargs2:
+ kwargs2['db'] = kwargs2.pop('database')
+ if 'password' in kwargs2:
+ kwargs2['passwd'] = kwargs2.pop('password')
 if "conv" in kwargs:
 conv = kwargs["conv"]
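Review bot: The localhost check at the end of the second hunk deletes `ssl` even when the caller passed it explicitly, and `kwargs2.get("host", "localhost")` treats a missing `host` keyword as local, so a connection whose host is resolved elsewhere (for example from an option file via `read_default_file`, if that path is reachable here) would presumably lose TLS with no error or warning. I would strip only settings that came from the environment and never an explicit argument: record `ssl_from_caller = "ssl" in kwargs` before the loop and guard the removal with `if not ssl_from_caller and kwargs2.get("host", "localhost") == "localhost": kwargs2.pop("ssl", None)`, and confirm separately whether an absent `host` can really be assumed local. The loop also accepts an empty `PY_MYSQL_SSL_*` value as a path, and it lets the process environment choose the CA and client certificate used to authenticate the server, so the docstring should name the five variables and state that explicit `ssl` keys take precedence. The enclosing function starts and ends outside the hunk.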