avoid double hostname verification in post_connection_check

After connect verifies the hostname (via verify_hostname), stash it on
the socket. A subsequent post_connection_check for the same hostname
(e.g. from net/http) returns immediately instead of re-checking.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: kares

lib/openssl/ssl.rb

@@ -427,6 +427,13 @@ def sysclose
       # This method MUST be called after calling #connect to ensure that the
       # hostname of a remote peer has been verified.
       def post_connection_check(hostname)
+        # If connect already verified this hostname (via verify_hostname), skip.
+        # Avoids double-verification in libraries that call post_connection_check.
+        if defined?(@verified_hostname) && @verified_hostname == hostname
+          @verified_hostname = nil
+          return true
+        end
+
         if peer_cert.nil?
           msg = "Peer verification enabled, but no certificate received."
           if using_anon_cipher?

src/main/java/org/jruby/ext/openssl/SSLSocket.java

@@ -326,9 +326,7 @@ private IRubyObject connectImpl(final ThreadContext context, final boolean block
         // during the handshake (ossl_ssl.c ossl_ssl_verify_callback, depth 0).
         // JSSE has no equivalent hook, so we check after the handshake completes.
         // This is functionally equivalent — connect raises SSLError on mismatch.
-        // Note: net/http and net/imap also call post_connection_check explicitly,
-        // so this may double-check in those cases (harmless, same result).
-        verifyHostnameIfRequired(context);
+        verifyHostnameConnectionCheck(context);
 
         return this;
     }
@@ -419,7 +417,7 @@ private IRubyObject acceptImpl(final ThreadContext context, final boolean blocki
         return this;
     }
 
-    private void verifyHostnameIfRequired(final ThreadContext context) {
+    private void verifyHostnameConnectionCheck(final ThreadContext context) {
         final IRubyObject verifyHostname = sslContext.getInstanceVariable("@verify_hostname");
         if (verifyHostname == null || !verifyHostname.isTrue()) return;
 
@@ -429,6 +427,10 @@ private void verifyHostnameIfRequired(final ThreadContext context) {
         // delegates to post_connection_check (defined in Ruby) which calls
         // OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
         callMethod(context, "post_connection_check", hostname);
+
+        // stash verified hostname so a subsequent explicit post_connection_check
+        // (e.g. from net/http) does not execute the check twice (to match MRI)
+        setInstanceVariable("@verified_hostname", hostname);
     }
 
     final IRubyObject verify_mode(final ThreadContext context) {