class Net::LDAP::Connection

def setup_encryption(args, timeout=nil, hostname=nil)

Helper method called only from prepare_socket or open_connection, and only
after we have a successfully-opened @conn instance variable, which is a TCP
connection. Depending on the received arguments, we establish SSL,
potentially replacing the value of @conn accordingly. Don't generate any
errors here if no encryption is requested. DO raise Net::LDAP::Error objects
if encryption is requested and we have trouble setting it up. That includes
if OpenSSL is not set up on the machine. (Question: how does the Ruby
OpenSSL wrapper react in that case?) DO NOT filter exceptions raised by the
OpenSSL library. Let them pass back to the user. That should make it easier
for us to debug the problem reports. Presumably (hopefully?) that will also
produce recognizable errors if someone tries to use this on a machine
without OpenSSL.

The simple_tls method is intended as the simplest, stupidest, easiest
solution for people who want nothing more than encrypted comms with the
LDAP server. It doesn't do any server-cert validation unless the caller
supplies :tls_options, and requires nothing in the way of key files and
root-cert files, etc etc. Note that without validation the session is
encrypted but the server is not authenticated, so an active attacker on the
path can impersonate it. OBSERVE: WE REPLACE the value of @conn, which is
presumed to be a connected TCPSocket object.

The start_tls method is supported by many servers over the standard LDAP
port. It does not require an alternative port for encrypted
communications, as simple_tls does. Thanks to Kouhei Sutou for
generously contributing the :start_tls path.
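The simple_tls paragraph above is the security-relevant caveat of this method: the :tls_options hash defaults to {} and is passed straight through to wrap_with_ssl, so whether the server certificate is checked at all is decided by the caller. The following is an added example, not net-ldap's own wrap_with_ssl; it assumes (as the net-ldap README documents) that the keys of :tls_options are OpenSSL::SSL::SSLContext setters applied via set_params, and that an empty hash leaves the context at OpenSSL's VERIFY_NONE fallback. It puts the default, unverified configuration beside a hardened one and gives a predicate to tell them apart.

```ruby
require "openssl"

# Added example, not net-ldap code. Assumption: net-ldap applies a non-empty
# :tls_options hash with OpenSSL::SSL::SSLContext#set_params and leaves the
# context untouched when the hash is empty.
INSECURE_TLS_OPTIONS = {}.freeze   # what setup_encryption sees when a caller passes nothing

HARDENED_TLS_OPTIONS = {
  verify_mode:     OpenSSL::SSL::VERIFY_PEER,     # reject unverifiable server certs
  verify_hostname: true,                          # reject certs issued for another host
  min_version:     OpenSSL::SSL::TLS1_2_VERSION,  # no TLS 1.0/1.1 downgrade
  # ca_file: "/etc/ssl/certs/ca-certificates.crt", # uncomment to pin a specific CA bundle
}.freeze

# Builds the context the way the library is assumed to: an empty hash means no
# set_params call, so OpenSSL falls back to VERIFY_NONE at handshake time; a
# non-empty hash is merged over OpenSSL's DEFAULT_PARAMS (VERIFY_PEER plus the
# default certificate store) and every key is applied as a setter.
def ssl_context_for(tls_options)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(tls_options) unless tls_options.empty?
  ctx
end

# True only if the handshake will fail on an untrusted server certificate.
# A fresh SSLContext reports verify_mode as nil, which OpenSSL treats as VERIFY_NONE.
def verifies_peer?(ctx)
  ((ctx.verify_mode || OpenSSL::SSL::VERIFY_NONE) & OpenSSL::SSL::VERIFY_PEER) != 0
end
```

At the call site this is the difference between `Net::LDAP.new(host: h, port: 389, encryption: { method: :start_tls })`, which negotiates TLS but accepts any certificate, and `encryption: { method: :start_tls, tls_options: HARDENED_TLS_OPTIONS }`, which makes setup_encryption raise through the OpenSSL exception (deliberately unfiltered, as the comment above says) when the server cannot prove its identity.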
def setup_encryption(args, timeout=nil, hostname=nil)
  args[:tls_options] ||= {}
  case args[:method]
  when :simple_tls
    @conn = self.class.wrap_with_ssl(@conn, args[:tls_options], timeout, hostname)
    # additional branches requiring server validation and peer certs, etc.
    # go here.
  when :start_tls
    message_id = next_msgid
    request    = [
      Net::LDAP::StartTlsOid.to_ber_contextspecific(0),
    ].to_ber_appsequence(Net::LDAP::PDU::ExtendedRequest)
    write(request, nil, message_id)
    pdu = queued_read(message_id)
    if pdu.nil? || pdu.app_tag != Net::LDAP::PDU::ExtendedResponse
      raise Net::LDAP::NoStartTLSResultError, "no start_tls result"
    end
    raise Net::LDAP::StartTLSError,
          "start_tls failed: #{pdu.result_code}" unless pdu.result_code.zero?
    @conn = self.class.wrap_with_ssl(@conn, args[:tls_options], timeout, hostname)
  else
    raise Net::LDAP::EncMethodUnsupportedError, "unsupported encryption method #{args[:method]}"
  end
end
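The :start_tls branch above does three things before it touches the socket: it sends an ExtendedRequest carrying the StartTLS OID, reads back one PDU, and refuses to wrap @conn unless that PDU is an ExtendedResponse with resultCode 0. The following is an added example, not net-ldap code (it does not use the library's BER helpers or PDU class): it hand-encodes both sides of that exchange per RFC 4511, constructs a success and a refusal response as sample input, and reproduces the same three checks so the failure paths can be exercised offline. The exception class names mirror the ones in the method but are defined locally here.

```ruby
# Added example, not net-ldap code: hand-rolled BER for the StartTLS
# ExtendedRequest/ExtendedResponse pair, plus the checks setup_encryption's
# :start_tls branch applies to the PDU it reads back.
START_TLS_OID         = "1.3.6.1.4.1.1466.20037"  # RFC 4511 s4.14.1
APP_EXTENDED_REQUEST  = 23                          # [APPLICATION 23]
APP_EXTENDED_RESPONSE = 24                          # [APPLICATION 24]
APP_CONSTRUCTED       = 0x60                        # APPLICATION class, constructed
BER_SEQUENCE, BER_INTEGER, BER_ENUMERATED, BER_OCTET_STRING = 0x30, 0x02, 0x0a, 0x04

class NoStartTLSResultError < StandardError; end   # local stand-ins for the
class StartTLSError < StandardError; end           # Net::LDAP error classes

def ber_length(n)
  return [n].pack("C") if n < 0x80
  bytes = [n].pack("N").unpack("C*").drop_while(&:zero?)
  ([0x80 | bytes.size] + bytes).pack("C*")
end

def ber_tlv(tag, content)
  [tag].pack("C") + ber_length(content.bytesize) + content.b
end

def ber_uint(i)   # minimal big-endian INTEGER content, positive values only
  bytes = []
  loop { bytes.unshift(i & 0xff); i >>= 8; break if i.zero? }
  bytes.unshift(0) if bytes.first >= 0x80
  bytes.pack("C*")
end

# Client side: LDAPMessage { messageID, ExtendedRequest { requestName [0] StartTLS OID } }
def start_tls_request(message_id)
  op = ber_tlv(APP_CONSTRUCTED | APP_EXTENDED_REQUEST, ber_tlv(0x80, START_TLS_OID))
  ber_tlv(BER_SEQUENCE, ber_tlv(BER_INTEGER, ber_uint(message_id)) + op)
end

# Server side (constructed sample): ExtendedResponse { resultCode, matchedDN,
# diagnosticMessage, responseName [10] } with the OID echoed back.
def start_tls_response(message_id, result_code, diagnostic = "")
  body = ber_tlv(BER_ENUMERATED, ber_uint(result_code)) +
         ber_tlv(BER_OCTET_STRING, "") +
         ber_tlv(BER_OCTET_STRING, diagnostic) +
         ber_tlv(0x8a, START_TLS_OID)
  op = ber_tlv(APP_CONSTRUCTED | APP_EXTENDED_RESPONSE, body)
  ber_tlv(BER_SEQUENCE, ber_tlv(BER_INTEGER, ber_uint(message_id)) + op)
end

# Reads one TLV at pos; returns [tag, content, position after the TLV].
def ber_read(bytes, pos = 0)
  tag, len = bytes.getbyte(pos), bytes.getbyte(pos + 1)
  pos += 2
  if (len & 0x80) != 0
    n = len & 0x7f
    len = bytes.byteslice(pos, n).unpack("C*").inject(0) { |a, b| (a << 8) | b }
    pos += n
  end
  [tag, bytes.byteslice(pos, len), pos + len]
end

def ber_to_uint(content)
  content.unpack("C*").inject(0) { |a, b| (a << 8) | b }
end

# Decodes an LDAPMessage into the fields setup_encryption inspects; nil when
# there is no message at all (the queued_read-returned-nothing case).
def parse_ldap_message(bytes)
  return nil if bytes.nil? || bytes.bytesize < 2
  tag, body, = ber_read(bytes)
  return nil unless tag == BER_SEQUENCE
  id_tag, id_body, pos = ber_read(body)
  return nil unless id_tag == BER_INTEGER
  op_tag, op_body, = ber_read(body, pos)
  return nil unless (op_tag & 0xc0) == 0x40   # APPLICATION class
  pdu = { message_id: ber_to_uint(id_body), app_tag: op_tag & 0x1f, result_code: nil }
  if pdu[:app_tag] == APP_EXTENDED_RESPONSE
    rc_tag, rc_body, = ber_read(op_body)
    pdu[:result_code] = ber_to_uint(rc_body) if rc_tag == BER_ENUMERATED
  end
  pdu
end

# The gate before @conn is wrapped: no PDU or the wrong operation means the
# server never answered StartTLS; a non-zero resultCode means it refused. In
# both cases the socket must stay plaintext or be dropped, never upgraded.
def check_start_tls_result(pdu)
  if pdu.nil? || pdu[:app_tag] != APP_EXTENDED_RESPONSE
    raise NoStartTLSResultError, "no start_tls result"
  end
  raise StartTLSError, "start_tls failed: #{pdu[:result_code]}" unless pdu[:result_code].zero?
  true
end
```

Running `check_start_tls_result(parse_ldap_message(start_tls_response(1, 0)))` returns true, while a refusal such as resultCode 52 (unavailable) raises StartTLSError with the same "start_tls failed: 52" wording the method uses; a server that replies with anything other than an ExtendedResponse trips the NoStartTLSResultError path. Only after the true result does the real code hand the still-plaintext socket to wrap_with_ssl, whose certificate checking is governed by :tls_options as discussed above.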