diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
index 3e091b0fc1be0d..c1037a7096a755 100644
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@@ -858,7 +858,8 @@ exports.connect = function(/* [port, host], options, cb */) {
 
   var hostname = options.servername ||
                  options.host ||
-                 options.socket && options.socket._host,
+                 (options.socket && options.socket._host) ||
+                 'localhost',
       NPN = {},
       context = tls.createSecureContext(options);
   tls.convertNPNProtocols(options.NPNProtocols, NPN);
diff --git a/test/parallel/test-tls-connect-no-host.js b/test/parallel/test-tls-connect-no-host.js
new file mode 100644
index 00000000000000..41aac1acabd781
--- /dev/null
+++ b/test/parallel/test-tls-connect-no-host.js
@@ -0,0 +1,34 @@
+var common = require('../common');
+
+if (!common.hasCrypto) {
+  console.log('1..0 # Skipped: missing crypto');
+  process.exit();
+}
+var tls = require('tls');
+
+var assert = require('assert');
+var fs = require('fs');
+var path = require('path');
+
+var cert = fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'));
+var key = fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem'));
+
+// https://github.com/iojs/io.js/issues/1489
+// tls.connect(options) with no options.host should accept a cert with
+//   CN:'localhost'
+tls.createServer({
+  key: key,
+  cert: cert
+}).listen(common.PORT);
+
+var socket = tls.connect({
+    port: common.PORT,
+    ca: cert,
+    // No host set here. 'localhost' is the default,
+    // but tls.checkServerIdentity() breaks before the fix with:
+    // Error: Hostname/IP doesn't match certificate's altnames:
+    //   "Host: undefined. is not cert's CN: localhost"
+}, function() {
+    assert(socket.authorized);
+    process.exit();
+});