diff --git a/certs/test/cert-ext-mnc.der b/certs/test/cert-ext-mnc.der
new file mode 100644
index 000000000..b7df09abb
Binary files /dev/null and b/certs/test/cert-ext-mnc.der differ
diff --git a/certs/test/gen-ext-certs.sh b/certs/test/gen-ext-certs.sh
index 045942d71..f63e86e84 100755
--- a/certs/test/gen-ext-certs.sh
+++ b/certs/test/gen-ext-certs.sh
@@ -46,6 +46,35 @@ nsComment       = "Testing name constraints"
 EOF
 gen_cert
 
+
+OUT=certs/test/cert-ext-mnc.der
+KEYFILE=certs/test/cert-ext-mnc-key.der
+CONFIG=certs/test/cert-ext-mnc.cfg
+tee >$CONFIG <<EOF
+[ req ]
+distinguished_name = req_distinguished_name
+prompt             = no
+x509_extensions    = v3_ca
+
+[ req_distinguished_name ]
+C             = AU
+ST            = Queensland
+L             = Brisbane
+O             = wolfSSL Inc
+OU            = Engineering
+CN            = www.wolfssl.com
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+nameConstraints = critical,permitted;email:.wolfssl.com, permitted;email:.example.com
+nsComment       = "Testing name constraints"
+
+EOF
+gen_cert
+
 OUT=certs/test/cert-ext-ia.der
 KEYFILE=certs/test/cert-ext-ia-key.der
 CONFIG=certs/test/cert-ext-ia.cfg
diff --git a/tests/api.c b/tests/api.c
index a3d658a47..6847ac556 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -1571,7 +1571,6 @@ static void test_wolfSSL_CertManagerNameConstraint(void)
     X509_NAME_free(name);
 
     wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE);
-    (void)altEmail;
 
     AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
     #if 0
@@ -1808,6 +1807,165 @@ static void test_wolfSSL_CertManagerNameConstraint2(void)
 #endif
 }
 
+static void test_wolfSSL_CertManagerNameConstraint3(void)
+{
+#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && \
+    !defined(NO_WOLFSSL_CM_VERIFY) && !defined(NO_RSA) && \
+    defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_GEN) && \
+    defined(WOLFSSL_CERT_EXT) && defined(WOLFSSL_ALT_NAMES) && \
+    !defined(NO_SHA256)
+    WOLFSSL_CERT_MANAGER* cm;
+    WOLFSSL_EVP_PKEY *priv;
+    WOLFSSL_X509_NAME* name;
+    const char* ca_cert = "./certs/test/cert-ext-mnc.der";
+    const char* server_cert = "./certs/test/server-goodcn.pem";
+
+    byte    *der;
+    int     derSz;
+    byte    *pt;
+    WOLFSSL_X509 *x509, *ca;
+
+    pt = (byte*)server_key_der_2048;
+    AssertNotNull(priv = wolfSSL_d2i_PrivateKey(EVP_PKEY_RSA, NULL,
+                (const unsigned char**)&pt, sizeof_server_key_der_2048));
+
+    AssertNotNull(cm = wolfSSL_CertManagerNew());
+    AssertNotNull(ca = wolfSSL_X509_load_certificate_file(ca_cert,
+                WOLFSSL_FILETYPE_ASN1));
+    AssertNotNull((der = (byte*)wolfSSL_X509_get_der(ca, &derSz)));
+#if 0
+    {
+        //write out x509 for test
+        BIO* out = BIO_new(wolfSSL_BIO_s_file());
+        if (out != NULL) {
+            FILE* f= fopen("ca.der", "wb");
+            BIO_set_fp(out, f, BIO_CLOSE);
+            BIO_write(out, der, derSz);
+            BIO_free(out);
+        }
+    }
+#endif
+    AssertIntEQ(wolfSSL_CertManagerLoadCABuffer(cm, der, derSz,
+                WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
+
+    /* check satisfying .wolfssl.com constraint passes */
+    AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
+                WOLFSSL_FILETYPE_PEM));
+    AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
+    AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
+
+    AssertNotNull(name = X509_NAME_new());
+    AssertIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
+                                       (byte*)"US", 2, -1, 0), SSL_SUCCESS);
+    AssertIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
+                             (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
+    AssertIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8,
+                     (byte*)"support@info.wolfssl.com", 24, -1, 0), SSL_SUCCESS);
+    AssertIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
+    X509_NAME_free(name);
+
+    wolfSSL_X509_add_altname(x509, "wolfssl@info.wolfssl.com", ASN_RFC822_TYPE);
+
+    AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
+    #if 0
+    {
+        //write out good x509 for test
+        BIO* out = BIO_new(wolfSSL_BIO_s_file());
+        if (out != NULL) {
+            FILE* f= fopen("good-1st-constraint-cert.pem", "wb");
+            BIO_set_fp(out, f, BIO_CLOSE);
+            PEM_write_bio_X509(out, x509);
+            BIO_free(out);
+        }
+    }
+    #endif
+
+    AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
+    AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
+                WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
+    wolfSSL_X509_free(x509);
+
+    /* check satisfying .random.com constraint passes */
+    AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
+                WOLFSSL_FILETYPE_PEM));
+    AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
+    AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
+
+    AssertNotNull(name = X509_NAME_new());
+    AssertIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
+                                       (byte*)"US", 2, -1, 0), SSL_SUCCESS);
+    AssertIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
+                             (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
+    AssertIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8,
+                     (byte*)"support@info.example.com", 24, -1, 0), SSL_SUCCESS);
+    AssertIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
+    X509_NAME_free(name);
+
+    wolfSSL_X509_add_altname(x509, "wolfssl@info.example.com", ASN_RFC822_TYPE);
+
+    AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
+    #if 0
+    {
+        //write out good x509 for test
+        BIO* out = BIO_new(wolfSSL_BIO_s_file());
+        if (out != NULL) {
+            FILE* f= fopen("good-2nd-constraint-cert.pem", "wb");
+            BIO_set_fp(out, f, BIO_CLOSE);
+            PEM_write_bio_X509(out, x509);
+            BIO_free(out);
+        }
+    }
+    #endif
+
+    AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
+    AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
+                WOLFSSL_FILETYPE_ASN1), WOLFSSL_SUCCESS);
+    wolfSSL_X509_free(x509);
+
+    /* check fail case when neither constraint is matched */
+    AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(server_cert,
+                WOLFSSL_FILETYPE_PEM));
+    AssertNotNull(name = wolfSSL_X509_get_subject_name(ca));
+    AssertIntEQ(wolfSSL_X509_set_issuer_name(x509, name), WOLFSSL_SUCCESS);
+
+    AssertNotNull(name = X509_NAME_new());
+    AssertIntEQ(X509_NAME_add_entry_by_txt(name, "countryName", MBSTRING_UTF8,
+                                       (byte*)"US", 2, -1, 0), SSL_SUCCESS);
+    AssertIntEQ(X509_NAME_add_entry_by_txt(name, "commonName", MBSTRING_UTF8,
+                             (byte*)"wolfssl.com", 11, -1, 0), SSL_SUCCESS);
+    AssertIntEQ(X509_NAME_add_entry_by_txt(name, "emailAddress", MBSTRING_UTF8,
+                     (byte*)"support@info.com", 24, -1, 0), SSL_SUCCESS);
+    AssertIntEQ(wolfSSL_X509_set_subject_name(x509, name), WOLFSSL_SUCCESS);
+    X509_NAME_free(name);
+
+    wolfSSL_X509_add_altname(x509, "wolfssl@info.com", ASN_RFC822_TYPE);
+
+    AssertIntGT(wolfSSL_X509_sign(x509, priv, EVP_sha256()), 0);
+    #if 0
+    {
+        //write out good x509 for test
+        BIO* out = BIO_new(wolfSSL_BIO_s_file());
+        if (out != NULL) {
+            FILE* f= fopen("bad-cert.pem", "wb");
+            BIO_set_fp(out, f, BIO_CLOSE);
+            PEM_write_bio_X509(out, x509);
+            BIO_free(out);
+        }
+    }
+    #endif
+
+    AssertNotNull((der = (byte*)wolfSSL_X509_get_der(x509, &derSz)));
+    AssertIntEQ(wolfSSL_CertManagerVerifyBuffer(cm, der, derSz,
+                WOLFSSL_FILETYPE_ASN1), ASN_NAME_INVALID_E);
+    wolfSSL_X509_free(x509);
+
+    wolfSSL_CertManagerFree(cm);
+    wolfSSL_X509_free(x509);
+    wolfSSL_X509_free(ca);
+    wolfSSL_EVP_PKEY_free(priv);
+#endif
+}
+
 static void test_wolfSSL_CertManagerCRL(void)
 {
 #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && defined(HAVE_CRL) && \
@@ -50397,6 +50555,7 @@ void ApiTest(void)
     test_wolfSSL_CertManagerSetVerify();
     test_wolfSSL_CertManagerNameConstraint();
     test_wolfSSL_CertManagerNameConstraint2();
+    test_wolfSSL_CertManagerNameConstraint3();
     test_wolfSSL_CertManagerCRL();
     test_wolfSSL_CTX_load_verify_locations_ex();
     test_wolfSSL_CTX_load_verify_buffer_ex();
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 32a0817b5..8b37a33cb 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -13501,6 +13501,10 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
                     if (name != NULL)
                         needDns = 1;
 
+                    /* check if already found a matching permitted subtree */
+                    if (matchDns == 1)
+                        break;
+
                     while (name != NULL) {
                         matchDns = MatchBaseName(ASN_DNS_TYPE,
                                           name->name, name->len,
@@ -13522,6 +13526,10 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
                     if (name != NULL)
                         needEmail = 1;
 
+                    /* check if already found a matching permitted subtree */
+                    if (matchEmail == 1)
+                        break;
+
                     while (name != NULL) {
                         matchEmail = MatchBaseName(ASN_DNS_TYPE,
                                           name->name, name->len,
@@ -13540,6 +13548,11 @@ static int ConfirmNameConstraints(Signer* signer, DecodedCert* cert)
                 {
                     /* allow permitted dirName smaller than actual subject */
                     needDir = 1;
+
+                    /* check if already found a matching permitted subtree */
+                    if (matchDir == 1)
+                        break;
+
                     if (cert->subjectRaw != NULL &&
                         cert->subjectRawLen >= base->nameSz &&
                         XMEMCMP(cert->subjectRaw, base->name,