@claudijd
Created June 28, 2013 14:40
Ruby OpenSSL using verify peer and system cert store.
>> require 'socket'
=> true
>> require 'openssl'
=> true
>>
?> ssl_context = OpenSSL::SSL::SSLContext.new
=> #<OpenSSL::SSL::SSLContext:0x007ffc9a9deb00>
>> ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
=> 1
>> cert_store = OpenSSL::X509::Store.new
=> #<OpenSSL::X509::Store:0x007ffc9a9eb328>
>> cert_store.set_default_paths
=> nil
>> ssl_context.cert_store = cert_store
=> #<OpenSSL::X509::Store:0x007ffc9a9eb328>
>>
?> tcp_client = TCPSocket.new 'server.trustwave.com', 443
=> #<TCPSocket:fd 5>
>> ssl_client = OpenSSL::SSL::SSLSocket.new tcp_client, ssl_context
=> #<OpenSSL::SSL::SSLSocket:0x007ffc9aa05520>
>> ssl_client.connect
=> #<OpenSSL::SSL::SSLSocket:0x007ffc9aa05520>
@awfulcooking

For anyone else who arrives here... this won't verify the cert's hostname.

require 'socket'
require 'openssl'

host = 'server.trustwave.com'      # the host used in the gist above

ssl_context = OpenSSL::SSL::SSLContext.new
ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
ssl_context.verify_hostname = true # ❗ check the cert's names against ssl_client.hostname
cert_store = OpenSSL::X509::Store.new
cert_store.set_default_paths       # trust the system CA bundle
ssl_context.cert_store = cert_store
tcp_client = TCPSocket.new host, 443
ssl_client = OpenSSL::SSL::SSLSocket.new tcp_client, ssl_context
ssl_client.hostname = host         #❗ sets SNI and the name verify_hostname compares
ssl_client.connect

The two lines marked ❗ are also required.

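A self-contained demonstration of why both marked lines matter (added here; not code from the gist or from either commenter): it starts a throwaway local TLS server with a constructed self-signed certificate for `localhost`, then performs one handshake with the matching hostname and one with a wrong hostname. The chain verifies in both cases because the cert is in the trust store; only `verify_hostname` plus `ssl.hostname=` rejects the second. Port, certificate and the hostnames are constructed for this example.

```ruby
require 'socket'
require 'openssl'
# Constructed test material: a fresh self-signed certificate for +name+.
def self_signed(name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{name}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end
# Client context with chain AND hostname verification, trusting only +anchor+ (a real client uses set_default_paths).
def verifying_context(anchor)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(anchor) }
  ctx
end
# Handshake with 127.0.0.1:+port+ presenting +name+ (SNI + hostname check). Returns :ok or the SSLError message.
def try_connect(port, name, anchor)
  sock = TCPSocket.new('127.0.0.1', port)
  ssl = OpenSSL::SSL::SSLSocket.new(sock, verifying_context(anchor))
  ssl.hostname = name   # without this, verify_hostname has nothing to compare
  ssl.connect
  :ok
rescue OpenSSL::SSL::SSLError => e
  e.message
ensure
  sock&.close
end
# Local TLS server holding a cert for "localhost"; only the wrong-name handshake must fail.
def demo
  key, cert = self_signed('localhost')
  srv_ctx = OpenSSL::SSL::SSLContext.new
  srv_ctx.add_certificate(cert, key)
  srv = OpenSSL::SSL::SSLServer.new(TCPServer.new('127.0.0.1', 0), srv_ctx)
  port = srv.to_io.addr[1]
  t = Thread.new { 2.times { srv.accept.close rescue nil } }
  res = { right: try_connect(port, 'localhost', cert),
          wrong: try_connect(port, 'wrong.example', cert) }
  t.join(5)
  srv.close
  res
end
```

Calling `demo` returns `{ right: :ok, wrong: "<SSLError message>" }`; drop the `verify_hostname`/`hostname=` lines and both handshakes succeed, which is exactly the gap the comment above points out.
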
@claudijd

Thanks @awfulcooking
