diff --git a/mysql-test/suite/mariabackup/backup_ssl_system_ca.opt b/mysql-test/suite/mariabackup/backup_ssl_system_ca.opt
new file mode 100644
index 00000000000..9fd05d254fb
--- /dev/null
+++ b/mysql-test/suite/mariabackup/backup_ssl_system_ca.opt
@@ -0,0 +1,2 @@
+--ssl-key=$MYSQL_TEST_DIR/std_data/server8k-key.pem
+--ssl-cert=$MYSQL_TEST_DIR/std_data/server8k-cert.pem
diff --git a/mysql-test/suite/mariabackup/backup_ssl_system_ca.result b/mysql-test/suite/mariabackup/backup_ssl_system_ca.result
new file mode 100644
index 00000000000..e3f3f4750c2
--- /dev/null
+++ b/mysql-test/suite/mariabackup/backup_ssl_system_ca.result
@@ -0,0 +1,8 @@
+#
+# MDEV-35368 Validation of SSL certificate fails for mariadb-backup
+#
+GRANT ALL PRIVILEGES on *.* TO backup_user IDENTIFIED by 'x' REQUIRE SSL;
+# localhost, not self-signed cert with a wrong hostname: ok
+# tcp, not self-signed cert with a wrong hostname: fails
+# tcp, not self-signed cert with a wrong hostname: fails even with a password (no auto-verification)
+DROP USER backup_user;
diff --git a/mysql-test/suite/mariabackup/backup_ssl_system_ca.test b/mysql-test/suite/mariabackup/backup_ssl_system_ca.test
new file mode 100644
index 00000000000..18db74fe431
--- /dev/null
+++ b/mysql-test/suite/mariabackup/backup_ssl_system_ca.test
@@ -0,0 +1,30 @@
+source include/not_embedded.inc;
+source include/not_windows.inc;
+if (`select @@version_ssl_library not like 'OpenSSL%'`) {
+ skip Needs OpenSSL;
+}
+
+
+--echo #
+--echo # MDEV-35368 Validation of SSL certificate fails for mariadb-backup
+--echo #
+GRANT ALL PRIVILEGES on *.* TO backup_user IDENTIFIED by 'x' REQUIRE SSL;
+let $targetdir=$MYSQLTEST_VARDIR/tmp/backup;
+
+let SSL_CERT_DIR=$MYSQL_TMP_DIR;
+copy_file $MYSQL_TEST_DIR/std_data/cacert.pem $MYSQL_TMP_DIR/ed1f42db.0;
+
+echo # localhost, not self-signed cert with a wrong hostname: ok;
+exec $XTRABACKUP --user=root --socket=$MASTER_MYSOCK --backup --target-dir=$targetdir;
+rmdir $targetdir;
+
+echo # tcp, not self-signed cert with a wrong hostname: fails;
+error 1;
+exec $XTRABACKUP --protocol=tcp --user=root --port=$MASTER_MYPORT --backup --target-dir=$targetdir;
+
+echo # tcp, not self-signed cert with a wrong hostname: fails even with a password (no auto-verification);
+error 1;
+exec $XTRABACKUP --protocol=tcp --user=backup_user --password=x --port=$MASTER_MYPORT --backup --target-dir=$targetdir;
+
+remove_file $MYSQL_TMP_DIR/ed1f42db.0;
+DROP USER backup_user;
diff --git a/sql-common/client.c b/sql-common/client.c
index c5656be6a1e..c468f3fd3d9 100644
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -1587,7 +1587,7 @@ mysql_get_ssl_cipher(MYSQL *mysql __attribute__((unused)))
 #include
-static int ssl_verify_server_cert(MYSQL *mysql, const char **errptr)
+static int ssl_verify_server_cert(MYSQL *mysql, const char **errptr, int is_local)
 {
 SSL *ssl;
 X509 *server_cert= NULL;
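Review bot: The two `error 1` cases near the end of the hunk accept any exit status 1 from mariabackup, so a failure unrelated to certificate validation (port not reachable, auth rejected for backup_user, missing CA directory) would also make the test pass, and the result file records only the echoed headers. I would capture stderr, e.g. `exec $XTRABACKUP ... --target-dir=$targetdir 2> $MYSQL_TMP_DIR/backup.err;`, and check it contains the `SSL certificate validation failure` text that client.c attaches to CR_SSL_CONNECTION_ERROR, so the test pins the reason and not just the exit code; whether mariabackup prints that client error verbatim is something to confirm against its log output. Separately, the copied CA `ed1f42db.0` is only removed on the last lines, so if the first expected-success `exec` fails it is left in `$MYSQL_TMP_DIR` and may affect later tests using the same SSL_CERT_DIR.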
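Review bot: The new `is_local` parameter on `ssl_verify_server_cert` is undocumented, and since the checks it disables live in the body outside this hunk, a reader of the signature cannot tell what "local" means or which validation step is skipped. I would add above the definition: `/* is_local: the connection is over a Unix socket, so there is no host name or IP to match the certificate subject against; chain validation and the self-signed check still apply. */`. If this file already uses `my_bool` for flag parameters, that type would read better than `int` here, but I cannot see the file's convention from the hunk.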
@@ -1628,7 +1628,8 @@ static int ssl_verify_server_cert(MYSQL *mysql, const char **errptr)
 mysql->tls_self_signed_error= *errptr= "SSL certificate is self-signed";
 break;
 case X509_V_OK:
- ret_validation= X509_check_host(server_cert, mysql->host,
+ ret_validation= !is_local &&
+ X509_check_host(server_cert, mysql->host,
 strlen(mysql->host), 0, 0) != 1 &&
 X509_check_ip_asc(server_cert, mysql->host, 0) != 1;
 *errptr= "SSL certificate validation failure";
@@ -2171,7 +2172,7 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
 /* Verify server cert */
 if ((!mysql->options.extension ||
 !mysql->options.extension->tls_allow_invalid_server_cert) &&
- ssl_verify_server_cert(mysql, &cert_error))
+ ssl_verify_server_cert(mysql, &cert_error, vio_type == VIO_TYPE_SOCKET))
 {
 set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate,
 ER(CR_SSL_CONNECTION_ERROR), cert_error);
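Review bot: With `is_local` set, the `X509_V_OK` branch now accepts any certificate that chains to a trusted CA regardless of its subject, so on the socket path a certificate issued by any CA in the system store for any name passes; the only remaining binding is that the peer holds a key endorsed by some trusted CA. That is an intentional weakening relative to TCP and is reasonable when the socket file lives in a directory only the server can write, but it deserves a comment rather than being implied by the `!is_local &&` prefix: `/* Unix sockets carry no host name to bind the cert to; rely on chain validation alone. */`. The self-signed branch just above is unchanged and still rejects, which is the right split; `*errptr` is still assigned on the skipped path, presumably harmless since ret_validation is 0. The enclosing switch and the function's return continue outside the hunk.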
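Review bot: The exemption is keyed on `vio_type == VIO_TYPE_SOCKET`, so it applies only to Unix sockets; if `vio_type` can also be a named-pipe or shared-memory transport on Windows (the new test is skipped there via `not_windows.inc`), those connections still run `X509_check_host` against a host string that is likewise not a network name and would fail the same way MDEV-35368 describes. Worth either confirming that is intended or widening the predicate to cover every non-TCP transport, e.g. `vio_type != VIO_TYPE_TCPIP`, if those types can reach this point; I cannot see where `vio_type` is assigned, as it is declared outside the hunk. The `tls_allow_invalid_server_cert` short-circuit is unchanged, so the new argument is only evaluated when verification is enabled at all.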