diff --git a/lib/connection.js b/lib/connection.js
index dcd841cc59..c2c7d78629 100644
--- a/lib/connection.js
+++ b/lib/connection.js
@@ -353,8 +353,9 @@ class Connection extends EventEmitter {
 minVersion: this.config.ssl.minVersion,
 maxVersion: this.config.ssl.maxVersion
 });
- const rejectUnauthorized = this.config.ssl.rejectUnauthorized;
- const verifyIdentity = this.config.ssl.verifyIdentity;
+ const rejectUnauthorized = this.config.ssl.rejectUnauthorized === undefined ? true : this.config.ssl.rejectUnauthorized;
+ const verifyIdentity = this.config.ssl.verifyIdentity === undefined ? true : this.config.ssl.verifyIdentity;
+ const checkServerIdentity = (verifyIdentity && rejectUnauthorized) ? (this.config.ssl.checkServerIdentity || Tls.checkServerIdentity) : () => null;
 const servername = this.config.host;
 let secureEstablished = false;
@@ -365,19 +366,10 @@ class Connection extends EventEmitter {
 secureContext,
 isServer: false,
 socket: this.stream,
- servername
+ servername,
+ checkServerIdentity
 }, () => {
 secureEstablished = true;
- if (rejectUnauthorized) {
- if (typeof servername === 'string' && verifyIdentity) {
- const cert = secureSocket.getPeerCertificate(true);
- const serverIdentityCheckError = Tls.checkServerIdentity(servername, cert);
- if (serverIdentityCheckError) {
- onSecure(serverIdentityCheckError);
- return;
- }
- }
- }
 onSecure();
 });
 // error handler for secure socket
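Review bot: The new `checkServerIdentity` line drops the old `typeof servername === 'string'` guard, so when `verifyIdentity` and `rejectUnauthorized` are both on (now the default) but `this.config.host` is not a string — a connection built on a caller-supplied `stream` or a `socketPath`, for instance — the hostname check is no longer skipped; Node's tls picks its own fallback hostname when `servername` is unset, so such handshakes will most likely fail rather than silently pass. Failing closed is the safer outcome, but together with `verifyIdentity` now defaulting to `true` it is a behavior change the hunk does not explain; a comment on the `checkServerIdentity` line such as `// Hostname verification is delegated to tls.connect; '() => null' tells Node the peer identity is acceptable and is the opt-out when verifyIdentity or rejectUnauthorized is false.` plus a changelog/option-doc entry for the new default would make the intent clear. If the project's Node target allows it, `this.config.ssl.rejectUnauthorized ?? true` (and the same for `verifyIdentity`) expresses the `=== undefined` ternary more directly and also treats `null` as "unset" — as written, `rejectUnauthorized: null` falls through to the `() => null` branch and disables verification. The enclosing method and the `Tls.connect` options object continue outside the hunk.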
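Review bot: With `checkServerIdentity` handed to `Tls.connect`, a hostname mismatch no longer reaches `onSecure(serverIdentityCheckError)` inside this callback; Node runs the check before 'secureConnect' and, when `rejectUnauthorized` is true, destroys the socket with the error, so the failure now arrives at the `// error handler for secure socket` path below the hunk with `secureEstablished` still `false`. Please confirm that handler surfaces the `ERR_TLS_CERT_ALTNAME_INVALID`-style error to the caller the way the old explicit `onSecure(err)` did and tears the connection down rather than leaving it half-open, since that logic is outside the hunk. The options object starts above the hunk as well; whether `rejectUnauthorized` is passed to `Tls.connect` from the normalized local or straight from `this.config.ssl` decides if the new `=== undefined` default in the previous hunk also governs chain validation, so that line is worth checking in the same pass.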