The problem is that there is no standard for checking the hostname in the certificate. RFC4513 (LDAP) specifies that the hostname should be checked against subjectAltName and that wildcards can be only left-most. But RFC2818 (https) allows checking against the CN (with subjectAltName preferred) while also allowing wildcards like f*.com (which is insane in my opinion, but see rfc2818, section 3.1).
So if there were a common rule it would definitely make sense to implement it on the transport layer (either IO::Socket::SSL or Net::SSLeay), but unfortunately there is no common rule.
That doesn't mean that it wouldn't be useful to have a kind of 'best practices' by implementing the system described in rfc4513 for LDAP and rfc2595 for IMAP, POP, ... . Both systems seem to mean the same thing, even if the description is different.
As for the verify_callback: It is called on every part of the chain to give you the opportunity to either stop the verification of the whole chain even if openssl thinks it is valid, or to accept this part and continue with the verification even if openssl considered the part invalid.
What kind of parameters do you need within the callback that don't get provided?
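The two hostname-matching rule sets discussed above (left-most-label-only wildcards against subjectAltName for LDAP, versus subjectAltName-or-CN with partial wildcards such as `f*.com` for https) side by side, as an added example that is not code from the post, from IO::Socket::SSL or from Net::SSLeay. It is written in Python rather than Perl so that the matcher can be exercised stand-alone; the `mode` names `strict`/`lenient` and the `cert` dict layout (`san_dns`, `cn`) are constructed for the example and do not correspond to any library API.

```python
"""Hostname matching under the two rule sets described in the post.

- "strict"  : the RFC 4513 (LDAP) reading: compare only against subjectAltName
              dNSName entries; a wildcard is allowed only as the entire
              left-most label ("*.example.com").
- "lenient" : the RFC 2818 (HTTPS) reading: subjectAltName preferred, the CN is
              consulted only when no dNSName is present, and '*' may sit inside
              the left-most label (so "f*.com" covers "foo.com").
Mode names and the cert dict layout are assumptions made for this example.
"""


def _labels(name):
    """Normalise a DNS name: lower-case, drop a trailing dot, split into labels.
    Returns None for an empty name or an empty label (e.g. "a..b")."""
    name = name.strip().rstrip(".").lower()
    if not name:
        return None
    labels = name.split(".")
    if any(label == "" for label in labels):
        return None
    return labels


def pattern_matches(pattern, hostname, mode="strict"):
    """Return True if the certificate name `pattern` covers `hostname`."""
    if mode not in ("strict", "lenient"):
        raise ValueError("mode must be 'strict' or 'lenient'")
    p = _labels(pattern)
    h = _labels(hostname)
    if p is None or h is None:
        return False
    if "*" not in pattern:
        return p == h                      # plain name: exact, case-insensitive
    # Under both rule sets the wildcard may appear in the left-most label only
    # and never spans a dot, so the label counts must be equal and every
    # label after the first must match literally. A bare "*" is refused.
    if len(p) < 2 or len(p) != len(h) or any("*" in label for label in p[1:]):
        return False
    if p[1:] != h[1:]:
        return False
    first = p[0]
    if mode == "strict":
        return first == "*"                # whole label only: "*.example.com"
    # lenient: exactly one '*' anywhere inside the label, e.g. "f*.com"
    if first.count("*") != 1:
        return False
    prefix, suffix = first.split("*")
    label = h[0]
    return (len(label) >= len(prefix) + len(suffix)
            and label.startswith(prefix) and label.endswith(suffix))


def verify_hostname(hostname, cert, mode="strict"):
    """`cert` is a constructed dict for this example, not a certificate object:
    {"san_dns": [dNSName strings], "cn": commonName string or None}."""
    san = cert.get("san_dns") or []
    if any(pattern_matches(name, hostname, mode) for name in san):
        return True
    # strict: the CN is never consulted; lenient: CN only when no dNSName exists
    if mode == "strict" or san:
        return False
    cn = cert.get("cn")
    return bool(cn) and pattern_matches(cn, hostname, mode)


if __name__ == "__main__":
    # Constructed sample certificates, not real ones.
    cert_san = {"san_dns": ["*.example.com"], "cn": "other.example.net"}
    cert_cn = {"san_dns": [], "cn": "ldap.example.com"}
    for host, cert in (("ldap.example.com", cert_san), ("ldap.example.com", cert_cn)):
        for mode in ("strict", "lenient"):
            print(host, mode, verify_hostname(host, cert, mode))
    print("f*.com vs foo.com:", pattern_matches("f*.com", "foo.com", "strict"),
          pattern_matches("f*.com", "foo.com", "lenient"))
```

The point of running both modes over the same input is that the verdict on a CN-only certificate or on a `f*.com` pattern flips depending on which RFC's rule is applied, which is exactly why the post argues that a transport-layer default has to pick one rule set and document it.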
