I like my SSL verification tools paranoid, and it seems openssl s_client -verify isn't paranoid enough. The man page reports:
The -verify option should really exit if the server verification
I'd like added "the hostname in the certificate is not verified". I ran a
little test server to test for the right way to configure the SSL certificates
in an OpenLDAP server and noticed I got the verification to work even when
I was connecting to the wrong name.
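
The gap described above, reproduced offline as an added example (not code from the original post): a chain-only check passes for any name, while a check that also names the expected host fails for the wrong one. The hostnames and the helper functions `make_cert`, `chain_ok`, `host_ok` and `report` are constructed for this illustration; it assumes OpenSSL 1.1.1 or later.

```bash
#!/usr/bin/env bash
# Added example (constructed names): chain verification vs. hostname check.
# Needs OpenSSL 1.1.1+ for -addext; runs offline, no server required.

# Create a self-signed certificate for hostname $2 in directory $1.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Chain-only verification: is the certificate signed by a trusted anchor?
# This is the only question a plain chain check answers.
chain_ok() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Chain verification plus a check that the certificate names host $2.
host_ok() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Print PASS/FAIL for each check against the name the client dialled.
report() {   # $1 = cert, $2 = name the client connected to
    chain_ok "$1"     && c=PASS || c=FAIL
    host_ok "$1" "$2" && h=PASS || h=FAIL
    printf '%-22s chain=%s hostname=%s\n' "$2" "$c" "$h"
}

demo=$(mktemp -d)
make_cert "$demo" ldap.example.test
report "$demo/cert.pem" ldap.example.test    # name in the certificate
report "$demo/cert.pem" wrong.example.test   # the wrong name
rm -rf "$demo"
```

Against a live server, `openssl s_client -verify_return_error -verify_hostname <name>` applies both checks and aborts the handshake when either fails.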