Found it.
Example:
f=my_opener.open(url)
f.fp._sock.fp._sock._sslobj # here's the ssl object holding the 'issuer' (CA) and 'server' (CN) attributes.
This is valid when you use the patching from this question: Python 'requests' library - define specific DNS?
This case is so peculiar, that I hope no one else will ever have to use this. However, if you're using requests, switching between custom name resolvers and have to check the SSL cert CA/CN, I hope this helps :)