- Type: Improvement
- Resolution: Unresolved
- Priority: Major - P3
- None
- Affects Version/s: 4.0.1
- Component/s: Shell, Server Security
(copied to CRM)
In PYTHON-1627, Dcossey014 reports that his server was misconfigured with a DNS subjectAltName of '127.0.0.1':
$ openssl x509 -text -noout -in ./mongodb.pem
...
X509v3 extensions:
    X509v3 Subject Alternative Name:
        DNS:<server1>, DNS:<*.server_domain.com>, DNS:127.0.0.1
...
However, the mongo shell can still connect:
$ ./mongo --host 127.0.0.1 --port 27017 --ssl --sslCAFile ~/ssl_cert_location/mongodb6.pem
MongoDB shell version v4.0.1
connecting to: mongodb://127.0.0.1:27017/
MongoDB server version: 3.6.5
WARNING: shell and server versions do not match
MongoDB Enterprise > use admin
switched to db admin
PyMongo fails hostname matching against such a server because the hostname, 127.0.0.1, is an IP address and is therefore only compared to iPAddress subjectAltName entries. As far as I can tell PyMongo (and CPython) are following the relevant RFCs with respect to IP address matching. From RFC 2818:
In some cases, the URI is specified as an IP address rather than a
hostname. In this case, the iPAddress subjectAltName must be present
in the certificate and must exactly match the IP in the URI.
From RFC 6125:
3.1.3.2. Comparison of IP Addresses
When the reference identity is an IP address, the identity MUST be
converted to the "network byte order" octet string representation
[IP] [IPv6]. For IP Version 4, as specified in RFC 791, the octet
string will contain exactly four octets. For IP Version 6, as
specified in RFC 2460, the octet string will contain exactly sixteen
octets. This octet string is then compared against subjectAltName
values of type iPAddress. A match occurs if the reference identity
octet string and value octet strings are identical.
So I think the mongo shell is performing non-standard subjectAltName comparisons, matching an IP address reference identity against DNS subjectAltName entries.
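The following is an added illustration of the RFC 2818 / RFC 6125 rule quoted above; it is not code from the ticket, from PyMongo, or from the mongo shell. It takes SAN entries in the (type, value) tuple shape that Python's ssl.SSLSocket.getpeercert()["subjectAltName"] returns, converts an IP reference identity to its network-byte-order octet string and compares it only against "IP Address" entries, and compares host names only against "DNS" entries. The SAN lists are constructed to mirror the misconfigured certificate from the report; the strict=False mode, which also compares the textual IP against DNS entries, is an assumption standing in for the lenient behaviour the report infers, not a description of the shell's code.

```python
import ipaddress

# Constructed SAN lists, in the (type, value) tuple shape that Python's
# ssl.SSLSocket.getpeercert()["subjectAltName"] returns.  The first mirrors
# the misconfigured certificate from the ticket: the loopback address was
# issued as a dNSName instead of an iPAddress entry.
MISCONFIGURED_SAN = (
    ("DNS", "server1"),
    ("DNS", "*.server_domain.com"),
    ("DNS", "127.0.0.1"),
)
# The same certificate issued correctly, with iPAddress entries.  The IPv6
# loopback entry is constructed here to show the octet-string comparison.
CORRECT_SAN = (
    ("DNS", "server1"),
    ("DNS", "*.server_domain.com"),
    ("IP Address", "127.0.0.1"),
    ("IP Address", "::1"),
)


def _parse_ip(value):
    """Return an ipaddress object for value, or None if it is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _dns_matches(pattern, hostname):
    """dNSName comparison in the style of RFC 6125 section 6.4, with a
    wildcard allowed only as the complete left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # The wildcard must be the entire left-most label, must be the only one,
    # and must be followed by at least two labels (reject "*.com").
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in lbl for lbl in plabels[1:]):
        return False
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def match_reference_identity(san, reference, strict=True):
    """Match a reference identity (host name or IP literal) against SAN entries.

    strict=True follows RFC 2818 / RFC 6125: an IP reference identity is
    converted to its network-byte-order octet string and compared only against
    iPAddress entries; a host name is compared only against dNSName entries.
    strict=False additionally compares the textual IP against dNSName entries,
    the lenient behaviour the ticket infers the mongo shell has (an assumption
    used for illustration, not a description of the shell's code).
    """
    ref_ip = _parse_ip(reference)
    if ref_ip is None:
        return any(kind == "DNS" and _dns_matches(value, reference)
                   for kind, value in san)
    ref_octets = ref_ip.packed  # exactly 4 or 16 bytes, per RFC 6125 3.1.3.2
    for kind, value in san:
        if kind == "IP Address":
            san_ip = _parse_ip(value)
            if san_ip is not None and san_ip.packed == ref_octets:
                return True
        elif not strict and kind == "DNS" and value == reference:
            return True
    return False


if __name__ == "__main__":
    for label, san in (("misconfigured", MISCONFIGURED_SAN), ("correct", CORRECT_SAN)):
        print(label, "127.0.0.1 strict:", match_reference_identity(san, "127.0.0.1"))
        print(label, "127.0.0.1 lenient:",
              match_reference_identity(san, "127.0.0.1", strict=False))
```

Under the strict rule the misconfigured certificate does not match a connection to 127.0.0.1, which is the PyMongo behaviour the report describes, while the correctly issued certificate does; comparing packed octets rather than strings also means "::1" and "0000::0001" match the same iPAddress entry. Note that the matcher is a standalone illustration and does nothing about certificate chain validation, which a real TLS client performs separately.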
- has to be done after: SERVER-36895 Test for SAN type "IP Address" in OpenSSL/SecureTransport TLS providers (Closed)
- is related to: PYTHON-1627 Unable to connect with PyMongo 3.7.1, x509 SSL Certificate, and SSH Tunnels (Closed)