MySQL Forums

Re: SSL connection validation
Posted by: Georgi Kodinov
Date: August 11, 2016 09:36AM

Luke,

Ssl_client_connects is tracking the outgoing TLS sessions (e.g. the server connecting to a replication master).
But ssl_accepts should be increasing for each successful TLS connection to the server.

Thus I must assume the AWS RDS MySQL clone is playing tricks on you.

Can you please download a real mysql server from dev.mysql.com and try with that?

Yes, you are supposed to be able to connect to a TLS-enabled server even if you don't have keys configured at the client.

This will get you an encrypted connection, but it won't be guaranteed against e.g. a man-in-the-middle attack, since there'll be no certificate verification possible due to the client not using any certificates to either verify the server's certificate signatures or to supply a certificate to the server so it can verify them.

Both the mysql server and the mysql connectors can enforce certificate verification.
The server can enforce certificate verification for client connections to particular user accounts via CREATE|ALTER USER ... REQUIRE options.
The client (at least the 5.7+ libmysql based ones) can enforce server certificate verification through the --ssl-mode parameter.

The best way to check if your current connection is encrypted is by looking at the Ssl_cipher status variable. It should not be empty for encrypted connections.

Again the AWS mysql clone can be adding its own deviations to the above functionality as exposed by the MySQL server.

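The checks and enforcement options described in the post above, as an added SQL example for a MySQL 5.7+ server (not part of the original post). The account name `app_example`, the password placeholder and the certificate subject/issuer strings are constructed for illustration.

```sql
-- 1. Is THIS session encrypted? An empty Value means plaintext.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
SHOW SESSION STATUS LIKE 'Ssl_version';

-- 2. Server-wide handshake counters discussed in the post.
--    Ssl_accepts / Ssl_finished_accepts count inbound TLS connections;
--    Ssl_client_connects counts outbound ones (e.g. to a replication master).
SHOW GLOBAL STATUS
  WHERE Variable_name IN ('Ssl_accepts',
                          'Ssl_finished_accepts',
                          'Ssl_client_connects');

-- 3. Which currently connected sessions are NOT encrypted?
--    Needs SELECT on performance_schema (status_by_thread exists in 5.7+).
SELECT t.PROCESSLIST_ID   AS conn_id,
       t.PROCESSLIST_USER AS user,
       t.PROCESSLIST_HOST AS host
FROM performance_schema.threads t
JOIN performance_schema.status_by_thread s
  ON s.THREAD_ID = t.THREAD_ID
WHERE s.VARIABLE_NAME = 'Ssl_cipher'
  AND s.VARIABLE_VALUE = ''
  AND t.PROCESSLIST_USER IS NOT NULL;

-- 4. Which accounts can still log in without TLS?
--    ssl_type is '' when no REQUIRE clause is set on the account.
SELECT user, host, ssl_type
FROM mysql.user
WHERE ssl_type = '';

-- 5. Server-side enforcement per account, weakest to strictest.
--    (constructed account; replace the placeholder password)
CREATE USER 'app_example'@'%'
  IDENTIFIED BY 'REPLACE_WITH_PASSWORD'
  REQUIRE SSL;                 -- encrypted, but no client certificate needed

ALTER USER 'app_example'@'%'
  REQUIRE X509;                -- client must present a cert signed by the server's CA

ALTER USER 'app_example'@'%'   -- pin the exact client cert identity (constructed DNs)
  REQUIRE SUBJECT '/CN=app_example/O=Example Org'
      AND ISSUER  '/CN=Example Internal CA/O=Example Org';

-- 6. Client-side enforcement is not SQL; it is the --ssl-mode option named in the
--    post. REQUIRED only encrypts; VERIFY_CA and VERIFY_IDENTITY also validate
--    the server certificate and need --ssl-ca pointing at the CA file.
```

Step 3 and step 4 together show the gap the post describes: a session can be encrypted without any certificate having been verified, so a non-empty `Ssl_cipher` confirms encryption only.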

