IO-Socket-SSL - Re: Checking of hostname missing

Posted on Thu Jun 14 09:10:47 2007 by noxxi in response to 5433 (See the whole thread of 6)
Re: Checking of hostname missing

Yes I think it would be good to have something like this either in IO::Socket::SSL or Net::SSLeay.

But currently I see only one module (Crypt::X509) which gives you access to the subjAltName extension of the certificate. And unfortunately this module needs to get the certificate from a file, a design which doesn't really fit into the design of IO::Socket::SSL, e.g. it would be necessary to use a tempfile, which is not an option I like, given that openssl provides all the necessary functions, only that they are not available through Net::SSLeay.

I think the best way would be to add functionality to Net::SSLeay so that subjAltName could be extracted and then checked within IO::Socket::SSL. Checking the CN only is not enough, for instance signin.ebay.DE sends a certificate for signin.ebay.COM and signin.ebay.DE is only mentioned within the subjAltName.

As for the callback: I don't think it's easy to get info on which part of the chain is currently checked. So if you just want to check the topmost certificate it could be easier not to use the verify_callback but to check against the info you get from $socket->peer_certificate after the builtin verification succeeded (e.g. the SSL connection is set up).
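As an added illustration (not code from this thread or from the IO::Socket::SSL distribution), here is the post-verification check described above in Perl. It assumes a later IO::Socket::SSL release in which `peer_certificate('commonName')` and `peer_certificate('subjectAltNames')` exist (the latter returning type/value pairs, with dNSName being type 2 as in OpenSSL's GEN_DNS), and that the system CA store lives under /etc/ssl/certs.

```perl
use strict;
use warnings;
use IO::Socket::SSL;

# Match one hostname against one certificate name. DNS names are compared
# case-insensitively; a wildcard is accepted only as the whole leftmost label
# and matches exactly one label (so *.example.com never matches example.com).
sub name_matches {
    my ($host, $pattern) = @_;
    ($host, $pattern) = (lc $host, lc $pattern);
    return 1 if $host eq $pattern;
    if ($pattern =~ /^\*\.([^*]+\.[^*]+)$/) {
        my $suffix = $1;
        return $host =~ /^[^.]+\.\Q$suffix\E$/ ? 1 : 0;
    }
    return 0;
}

# Check a hostname against the leaf certificate's names. dNSName entries from
# subjectAltName take precedence; the CN is consulted only if the certificate
# carries no dNSName entries at all (the signin.ebay.DE case above would fail
# if only the CN were looked at).
sub hostname_matches {
    my ($host, $cn, @sans) = @_;
    my @dns;
    while (my ($type, $value) = splice(@sans, 0, 2)) {
        push @dns, $value if $type == 2;    # 2 == GEN_DNS (dNSName)
    }
    my @candidates = @dns ? @dns : (defined $cn ? ($cn) : ());
    name_matches($host, $_) and return 1 for @candidates;
    return 0;
}

# Connect, let the builtin chain verification run, then apply the name check
# to the peer certificate once the connection is up.
sub connect_and_check {
    my ($host, $port) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost        => $host,
        PeerPort        => $port,
        SSL_verify_mode => SSL_VERIFY_PEER,
        SSL_ca_path     => '/etc/ssl/certs',    # assumption: system CA store
    ) or die "connect/verify failed: $SSL_ERROR";
    my $cn   = $sock->peer_certificate('commonName');
    my @sans = $sock->peer_certificate('subjectAltNames');
    return ($sock, hostname_matches($host, $cn, @sans));
}

# Constructed data mirroring the example in the reply: CN is the .com name,
# the .de name appears only in subjectAltName.
my @sans = (2 => 'signin.ebay.com', 2 => 'signin.ebay.de');
print hostname_matches('signin.ebay.de', 'signin.ebay.com', @sans)
    ? "signin.ebay.de matches via subjectAltName\n" : "no match\n";
```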
