diff --git a/CHANGES b/CHANGES
index 107e21a963..f0d75a45ce 100644
--- a/CHANGES
+++ b/CHANGES
@@ -65,6 +65,7 @@
 * Add `sum` to DUPLICATE_POLICY documentation of `TS.CREATE`, `TS.ADD` and `TS.ALTER`
 * Prevent async ClusterPipeline instances from becoming "false-y" in case of empty command stack (#3061)
 * Close Unix sockets if the connection attempt fails. This prevents `ResourceWarning`s. (#3314)
+ * Close SSL sockets if the connection attempt fails, or if validations fail. (#3317)

 * 4.1.3 (Feb 8, 2022)
 * Fix flushdb and flushall (#1926)
diff --git a/redis/connection.py b/redis/connection.py
index 457e2b1896..1f862d0371 100644
--- a/redis/connection.py
+++ b/redis/connection.py
@@ -819,7 +819,7 @@ def _connect(self):
 sock = super()._connect()
 try:
 return self._wrap_socket_with_ssl(sock)
- except OSError:
+ except (OSError, RedisError):
 sock.close()
 raise

@@ -854,7 +854,6 @@ def _wrap_socket_with_ssl(self, sock):
 context.minimum_version = self.ssl_min_version
 if self.ssl_ciphers:
 context.set_ciphers(self.ssl_ciphers)
- sslsock = context.wrap_socket(sock, server_hostname=self.host)
 if self.ssl_validate_ocsp is True and CRYPTOGRAPHY_AVAILABLE is False:
 raise RedisError("cryptography is not installed.")

@@ -864,6 +863,8 @@ def _wrap_socket_with_ssl(self, sock):
 "- not both."
 )

+ sslsock = context.wrap_socket(sock, server_hostname=self.host)
+
 # validation for the stapled case
 if self.ssl_validate_ocsp_stapled:
 import OpenSSL
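Review bot: The widened `except (OSError, RedisError):` in `_connect` still lets any other exception type skip the `sock.close()` cleanup. The stapled-OCSP branch of `_wrap_socket_with_ssl` imports `OpenSSL`, and pyOpenSSL's error classes derive from neither `OSError` nor `RedisError`, so if one escapes the socket stays open; that branch lies outside the hunk, so this is inferred. Because the handler re-raises unconditionally, `except BaseException:` would make the cleanup independent of which validation failed.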
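Review bot: Validations that run after the relocated `context.wrap_socket(...)` call, starting with the stapled-OCSP branch directly below it, can still fail with `sslsock` left open. In CPython `wrap_socket` detaches the file descriptor from the socket it is given, so the `sock.close()` in `_connect` no longer reaches the connection once wrapping has succeeded, and the TLS socket is only released by garbage collection. Guarding the post-wrap checks with `try:` … `except BaseException: sslsock.close(); raise` would close it deterministically and match the CHANGES entry's "or if validations fail". The rest of `_wrap_socket_with_ssl` is outside the hunk, so which of those checks can raise is inferred.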