badssl.com tests have wildcard certificate with common name *.badssl.com and Subject Alternative Names badssl.com and *.badssl.com. Wreq (or http-client-tls or tls package?) misinterpretes how wildcard certificates should be handled:

Prelude Network.Wreq> get "https://wrong.host.badssl.com/"
Response {responseStatus = Status {statusCode = 200, statusMessage = "OK"}, responseVersion = HTTP/1.1, responseHeaders = <reponse removed>...

RFC2818 states that:

Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., .a.com matches foo.a.com but not bar.foo.a.com. f.com matches foo.com but not bar.com.

Chrome, Firefox and Safari don't allow connection to this test host.

This was found with TryTLS test tool: https://github.com/ouspg/trytls

This is also reported for http-client-tls package in snoyberg/http-client#212

This has been fixed in haskell-tls/hs-certificate#75:

- FAIL wrong hostname in certificate [reject wrong.host.badssl.com:443]
-      output: 200 OK
+ PASS wrong hostname in certificate [reject wrong.host.badssl.com:443]
+      output: HandshakeFailed (Error_Protocol ("certificate rejected: [NameMismatch \"wrong.host.badssl.com\"]",True,CertificateUnknown))

- FAIL invalid wildcard certificate Common Name [reject wildcard.mismatch.badtls.io:11007]
-      output: 200 OK
+ PASS invalid wildcard certificate Common Name [reject wildcard.mismatch.badtls.io:11007]
+      output: HandshakeFailed (Error_Protocol ("certificate rejected: [NameMismatch \"wildcard.mismatch.badtls.io\"]",True,CertificateUnknown))