The SSL test currently does not check whether any name constraint extensions validate.
Would it be possible to enable this? Googling around, it seems that openssl doesn't implement checking for it. But Internet Explorer (on win8) and Firefox correctly issue an error or warning in case an intermediate CA signs a cert for a server that does not fall into the permitted namespace.
btw, thanks for the ssl test! it's very useful!