diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index cb007813b65e1b8ca638d2b1e60f77fcfbc712a8..8ddd9bab4e6c08071a2a176175912c6b0f9b5c69 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -254,10 +254,38 @@ production: &base
         host: '_your_ldap_server'
         port: 389
         uid: 'sAMAccountName'
-        method: 'plain' # "tls" or "ssl" or "plain"
         bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
         password: '_the_password_of_the_bind_user'
 
+        # Encryption method. The "method" key is deprecated in favor of
+        # "encryption".
+        #
+        #   Examples: "start_tls" or "simple_tls" or "plain"
+        #
+        #   Deprecated values: "tls" was replaced with "start_tls" and "ssl" was
+        #   replaced with "simple_tls".
+        #
+        encryption: 'plain'
+
+        # Enables SSL certificate verification if encryption method is
+        # "start_tls" or "simple_tls". (Defaults to false for backward-
+        # compatibility)
+        verify_certificates: false
+
+        # Specifies the path to a file containing a PEM-format CA certificate,
+        # e.g. if you need to use an internal CA.
+        #
+        #   Example: '/etc/ca.pem'
+        #
+        ca_cert: ''
+
+        # Specifies the SSL version for OpenSSL to use, if the OpenSSL default
+        # is not appropriate.
+        #
+        #   Example: 'TLSv1_1'
+        #
+        ssl_version: ''
+
         # Set a timeout, in seconds, for LDAP queries. This helps avoid blocking
         # a request if the LDAP server becomes unresponsive.
         # A value of 0 means there is no timeout.
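Review bot: The `verify_certificates: false` default leaves `start_tls` and `simple_tls` encrypted but unauthenticated — an on-path attacker presenting any certificate receives the `bind_dn` password and every LDAP query — and the comment at lines 23-26 only says it is off for compatibility, not what that costs. The template is where administrators copy settings from, so it should state the risk and tell them to turn it on, e.g. append to that comment `# Without verification an attacker on the network path can impersonate the LDAP server; set this to true for any production deployment.` The `ca_cert` comment should also say it is presumably only consulted once verification is enabled (that depends on how the adapter wires `tls_options`, which is not in this diff), so setting `ca_cert` alone does not harden the connection. The `'TLSv1_1'` example for `ssl_version` reads as a recommendation; noting that this should only be used to pin a newer protocol than the OpenSSL default would avoid admins downgrading.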
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index ec7ce51b542d540fe567c5b8d4f8d246393fd9f6..9344a42540b27764299f9d96321d85b55ed35784 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -145,6 +145,11 @@ def cron_random_weekly_time
     server['attributes'] = {} if server['attributes'].nil?
     server['provider_name'] ||= "ldap#{key}".downcase
     server['provider_class'] = OmniAuth::Utils.camelize(server['provider_name'])
+    server['encryption'] ||= server['method'] # for backwards compatibility
+
+    # Certificates are not verified for backwards compatibility.
+    # This default should be flipped to true in 9.5.
+    server['verify_certificates'] = false if server['verify_certificates'].nil?
   end
 end
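Review bot: The fallback `server['encryption'] ||= server['method']` at line 53 copies the deprecated values `tls`/`ssl` through unchanged, while the example file in this same commit says those were replaced by `start_tls`/`simple_tls`; unless the consumer of `encryption` (not shown here) still accepts the legacy names, an upgraded installation that never edited `method` would fall back to a configuration it silently does not understand. Mapping them here, `server['encryption'] ||= { 'tls' => 'start_tls', 'ssl' => 'simple_tls' }.fetch(server['method'], server['method'])`, keeps the compatibility promise in one place. Separately, line 57 settles on unverified TLS without telling anyone: a `Rails.logger.warn` when the resolved encryption is not `plain` and `verify_certificates` ended up false would give administrators a prompt before the 9.5 flip the comment announces. The `each` block over the LDAP servers that these lines belong to begins before the hunk.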