diff --git a/lib/net/ldap/connection.rb b/lib/net/ldap/connection.rb
index 71e2edda..be0db04b 100644
--- a/lib/net/ldap/connection.rb
+++ b/lib/net/ldap/connection.rb
@@ -33,9 +33,10 @@ def socket_class=(socket_class)
   def prepare_socket(server, timeout=nil)
     socket = server[:socket]
     encryption = server[:encryption]
+    hostname = server[:host]
 
     @conn = socket
-    setup_encryption(encryption, timeout) if encryption
+    setup_encryption(encryption, timeout, hostname) if encryption
   end
 
   def open_connection(server)
@@ -86,7 +87,7 @@ def close
     end
   end
 
-  def self.wrap_with_ssl(io, tls_options = {}, timeout=nil)
+  def self.wrap_with_ssl(io, tls_options = {}, timeout=nil, hostname=nil)
     raise Net::LDAP::NoOpenSSLError, "OpenSSL is unavailable" unless Net::LDAP::HasOpenSSL
 
     ctx = OpenSSL::SSL::SSLContext.new
@@ -96,6 +97,7 @@ def self.wrap_with_ssl(io, tls_options = {}, timeout=nil)
     ctx.set_params(tls_options) unless tls_options.empty?
 
     conn = OpenSSL::SSL::SSLSocket.new(io, ctx)
+    conn.hostname = hostname
 
     begin
       if timeout
@@ -148,11 +150,11 @@ def self.wrap_with_ssl(io, tls_options = {}, timeout=nil)
   # communications, as with simple_tls. Thanks for Kouhei Sutou for
   # generously contributing the :start_tls path.
   #++
-  def setup_encryption(args, timeout=nil)
+  def setup_encryption(args, timeout=nil, hostname=nil)
     args[:tls_options] ||= {}
     case args[:method]
     when :simple_tls
-      @conn = self.class.wrap_with_ssl(@conn, args[:tls_options], timeout)
+      @conn = self.class.wrap_with_ssl(@conn, args[:tls_options], timeout, hostname)
       # additional branches requiring server validation and peer certs, etc.
       # go here.
     when :start_tls
@@ -170,7 +172,7 @@ def setup_encryption(args, timeout=nil)
 
       raise Net::LDAP::StartTLSError,
             "start_tls failed: #{pdu.result_code}" unless pdu.result_code.zero?
-      @conn = self.class.wrap_with_ssl(@conn, args[:tls_options], timeout)
+      @conn = self.class.wrap_with_ssl(@conn, args[:tls_options], timeout, hostname)
     else
       raise Net::LDAP::EncMethodUnsupportedError, "unsupported encryption method #{args[:method]}"
     end
diff --git a/test/test_ldap_connection.rb b/test/test_ldap_connection.rb
index 4c9dffa5..dcb4ce72 100644
--- a/test/test_ldap_connection.rb
+++ b/test/test_ldap_connection.rb
@@ -288,7 +288,7 @@ def test_queued_read_setup_encryption_with_start_tls
         .and_return(result2)
     mock.should_receive(:write)
     conn = Net::LDAP::Connection.new(:socket => mock)
-    flexmock(Net::LDAP::Connection).should_receive(:wrap_with_ssl).with(mock, {}, nil)
+    flexmock(Net::LDAP::Connection).should_receive(:wrap_with_ssl).with(mock, {}, nil, nil)
                                    .and_return(mock)
 
     conn.next_msgid # simulates ongoing query