in reply to NET::SSLeay to verify certificates?
If you only verify that the signature is valid, the black hats could put in any validly signed certificate.
As far as I could see, you can check the subject name:
Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($server_cert))
and the issuer name:
Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_issuer_name($server_cert))
However, these high-level routines are available only after you've already sent your request. To verify before you send your data, you need to use the low-level routines; the perldoc suggests you see the implementation of ds_https3() for ideas on how that works.
Verifying that the signature is correct appears much simpler - a matter of setting a single flag, unless you also want to check the revocation lists.
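The verify-before-send order described in the reply above, as an added example that is not part of the original post or of Net::SSLeay itself. The helper name verified_connect, the use of the system CA store and the CN comparison against the host name are assumptions made for illustration.

```perl
use strict;
use warnings;
use IO::Socket::INET;
use Net::SSLeay;

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

# Hypothetical helper: handshake, verify chain and subject, and only then
# hand back a session that is safe to write the request to.
sub verified_connect {
    my ($host, $port, $expected_cn) = @_;
    my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port)
        or die "TCP connect to $host:$port failed: $!\n";

    my $ctx = Net::SSLeay::CTX_new() or die "CTX_new failed\n";
    Net::SSLeay::CTX_set_default_verify_paths($ctx);   # assumption: system CA store
    # The "single flag": abort the handshake if the chain does not verify.
    Net::SSLeay::CTX_set_verify($ctx, Net::SSLeay::VERIFY_PEER());

    my $ssl = Net::SSLeay::new($ctx) or die "SSL new failed\n";
    Net::SSLeay::set_tlsext_host_name($ssl, $host);    # SNI, so the right cert is served
    Net::SSLeay::set_fd($ssl, fileno($sock));
    Net::SSLeay::connect($ssl) == 1
        or die "handshake or chain verification failed\n";
    Net::SSLeay::get_verify_result($ssl) == 0           # 0 is X509_V_OK
        or die "certificate chain did not verify\n";

    # A valid signature alone is not enough: check whose certificate it is.
    my $cert = Net::SSLeay::get_peer_certificate($ssl) or die "no peer certificate\n";
    my $subject = Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($cert));
    my $issuer  = Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_issuer_name($cert));
    # Mirrors the subject-name check from the post; it does not look at subjectAltName.
    $subject =~ m{/CN=\Q$expected_cn\E(?:/|$)}
        or die "subject '$subject' (issuer '$issuer') is not $expected_cn\n";
    return ($ssl, $ctx, $sock);
}

unless (caller) {
    my ($host, $port) = @ARGV;
    die "usage: $0 host [port]\n" unless defined $host;
    my ($ssl, $ctx, $sock) = verified_connect($host, $port || 443, $host);
    # Only now does any application data leave the machine.
    Net::SSLeay::write($ssl, "HEAD / HTTP/1.0\r\nHost: $host\r\n\r\n");
    my $reply = Net::SSLeay::read($ssl);
    print $reply if defined $reply;
    Net::SSLeay::free($ssl);
    Net::SSLeay::CTX_free($ctx);
    close $sock;
}
```

Revocation lists are not consulted here, and certificates that carry the host name only in subjectAltName will fail the CN comparison.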