DNS Name Constraints with leading dot
It was reported that if the CA certificate has name constraints with domains that have a leading dot (e.g., '.gr' or '.example.com'), gnutls doesn't consider them. This was recently added in openssl. The spec (RFC 5280), though, doesn't mention a leading dot in domains, so clearly the CA is at fault here. However, if that issue is widespread we should consider allowing such domains as well.
The issue was brought up on the saag mailing list.
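
The matching difference described in this report, as an added example (not GnuTLS or OpenSSL code). `dns_satisfies_constraint` and its `lenient_dot` flag are hypothetical names, and reading a leading dot as "subdomains only" is an assumption borrowed from the rule RFC 5280 gives for URI host constraints.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/*
 * Added illustration, not library code.
 *
 * RFC 5280 dNSName rule: a name satisfies a constraint if it equals the
 * constraint or can be built by adding whole labels on its left-hand side.
 *
 * lenient_dot (assumption): also accept a constraint written as
 * ".example.com" and treat it as "one or more labels before example.com",
 * the way RFC 5280 treats a leading period in URI host constraints.
 */
bool dns_satisfies_constraint(const char *name, const char *constraint,
                              bool lenient_dot)
{
    size_t nlen = strlen(name);
    size_t clen = strlen(constraint);

    if (clen == 0)
        return true;            /* zero labels: every DNS name matches */

    if (lenient_dot && constraint[0] == '.') {
        /* The dot itself enforces the label boundary; the bare parent
         * domain ("example.com") is not covered in this reading. */
        if (nlen <= clen)
            return false;
        return strcasecmp(name + (nlen - clen), constraint) == 0;
    }

    /* Literal RFC 5280 matching. A constraint with a leading dot can only
     * match a name containing an empty label, so no valid hostname
     * satisfies it here. */
    if (nlen < clen)
        return false;
    if (strcasecmp(name + (nlen - clen), constraint) != 0)
        return false;
    /* Exact match, or the suffix starts on a label boundary. */
    return nlen == clen || name[nlen - clen - 1] == '.';
}
```

With literal matching, a permitted-subtree entry of `.example.com` rejects every hostname under that CA, while the lenient reading accepts `www.example.com` but still rejects `badexample.com`.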