Affected versions: all
Fixed versions: 0.7.3
http.rb did not call the OpenSSL::SSL::SSLSocket#post_connection_check method after the TLS handshake, so hostname verification was never performed. As a result, an attacker holding a valid certificate whose subject does not match the requested host can perform a man-in-the-middle (MitM) attack.
The problem was corrected by calling #post_connection_check.
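An added example, not http.rb's own code, showing the gap described above: with VERIFY_PEER alone the handshake succeeds for a trusted certificate carrying the wrong name, and only post_connection_check rejects it. The host names, helper names and the self-signed certificate are constructed for illustration.

```ruby
require "openssl"
require "socket"

# Constructed self-signed certificate; the client trusts it directly, standing
# in for "a valid certificate" issued for a different name.
def make_cert(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Handshake over an in-process socket pair, then run the hostname check.
def handshake_then_check(expected_host, cert_name)
  cert, key = make_cert(cert_name)
  server_io, client_io = UNIXSocket.pair
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert = cert
  server_ctx.key = key
  server = Thread.new { OpenSSL::SSL::SSLSocket.new(server_io, server_ctx).accept }

  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER # validates the chain only
  client_ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(cert) }
  client = OpenSSL::SSL::SSLSocket.new(client_io, client_ctx)
  client.connect # succeeds whatever name the certificate carries
  server.join
  chain_ok = client.verify_result == OpenSSL::X509::V_OK
  hostname_ok = begin
    client.post_connection_check(expected_host) # the call the fix added
  rescue OpenSSL::SSL::SSLError
    false
  end
  { chain_ok: chain_ok, hostname_ok: hostname_ok }
ensure
  [client_io, server_io].each { |io| io&.close }
end

if __FILE__ == $PROGRAM_NAME
  p handshake_then_check("bank.example", "attacker.example")
end
```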
Additionally, I have filed this ticket upstream with Ruby OpenSSL to make this API less confusing and error-prone: