We do what we can with the stupid APIs OpenSSL provides us.
I thought we had fixed such basic issues long ago (when we implemented SNI, which is required for this to work, otherwise the server doesn’t know which certificate to send).
The OpenSSL API does not perform any validation by default and accepts everything (no certificate? That’s fine! It is not signed by a known authority? Go ahead! It doesn’t even match the website address we requested? No problem!). So it’s very easy to miss something, and since most websites are correctly configured, and such problems arise only on testing scenarios and when under attack, it is not that easy to make sure we are properly doing all the checks.
We are not the only place where you will find such issues, many Android apps are also allowing similar breaches, for example.
And as I keep saying for a few years now: this is what happens when you let a single developer take care of some part of the OS. Please do help with the code and improve such things!