diff --git a/src/rust/cryptography-x509-verification/src/lib.rs b/src/rust/cryptography-x509-verification/src/lib.rs
index 1c468be67b72..036e9dcd1b0f 100644
--- a/src/rust/cryptography-x509-verification/src/lib.rs
+++ b/src/rust/cryptography-x509-verification/src/lib.rs
@@ -151,6 +151,18 @@ impl<'a, 'chain> NameChain<'a, 'chain> {
 ))),
 }
 }
+ // All other matching pairs of (constraint, name) are currently unsupported.
+ (GeneralName::OtherName(_), GeneralName::OtherName(_)) | (GeneralName::X400Address(_), GeneralName::X400Address(_)) | (GeneralName::DirectoryName(_), GeneralName::DirectoryName(_)) | (GeneralName::EDIPartyName(_), GeneralName::EDIPartyName(_)) | ( GeneralName::UniformResourceIdentifier(_), GeneralName::UniformResourceIdentifier(_), ) | (GeneralName::RegisteredID(_), GeneralName::RegisteredID(_)) => Err( ValidationError::Other("unsupported name constraint".to_string()), ),
 _ => Ok(Skipped),
 }
 }
diff --git a/src/rust/src/x509/verify.rs b/src/rust/src/x509/verify.rs
index 02f2825817d9..2c65f6327103 100644
--- a/src/rust/src/x509/verify.rs
+++ b/src/rust/src/x509/verify.rs
@@ -3,8 +3,7 @@ // for complete details.
 use cryptography_x509::{
- certificate::Certificate, extensions::SubjectAlternativeName, name::GeneralName,
- oid::SUBJECT_ALTERNATIVE_NAME_OID,
+ certificate::Certificate, extensions::SubjectAlternativeName, oid::SUBJECT_ALTERNATIVE_NAME_OID,
 };
 use cryptography_x509_verification::{
 ops::{CryptoOps, VerificationCertificate},
@@ -21,7 +20,7 @@ use crate::x509::certificate::Certificate as PyCertificate;
 use crate::x509::common::{datetime_now, datetime_to_py, py_to_datetime};
 use crate::x509::sign;
-use super::parse_general_name;
+use super::parse_general_names;
 pub(crate) struct PyCryptoOps {}
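Review bot: The new arm only fires when the constraint and the SAN entry are the same `GeneralName` variant, so a `DirectoryName` constraint still falls through to `_ => Ok(Skipped)` whenever the leaf carries no directoryName SAN, yet RFC 5280 §4.2.1.10 requires directoryName constraints to be applied to the certificate's subject field as well; unless the subject DN is fed through this match elsewhere (not visible in this hunk), such a constraint is silently unenforced, and a fail-closed `(GeneralName::DirectoryName(_), _) => Err(ValidationError::Other("unsupported name constraint".to_string()))` arm, or a comment pointing at where the subject is handled, would close that gap. Rejecting the other same-type pairs instead of skipping them is the right fail-closed choice and should be kept. All six arms share the string `"unsupported name constraint"`, so a failing real-world chain gives no hint which name form tripped it; a per-arm message such as `"unsupported name constraint: directoryName"` would make the rejection diagnosable. The enclosing method begins outside the hunk.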
@@ -290,23 +289,10 @@ impl PyClientVerifier {
 .unwrap();
 let leaf_gns = leaf_san.value::>()?;
-
- // Instead of returning all general names, we return only ones
- // that we currently have name constraint implementations for.
- let filtered_gns = leaf_gns.filter(|gn| {
- matches!(
- gn,
- GeneralName::DNSName(_) | GeneralName::IPAddress(_) | GeneralName::RFC822Name(_)
- )
- });
-
- let filtered_py_gns = pyo3::types::PyList::empty(py);
- for filtered_gn in filtered_gns {
- filtered_py_gns.append(parse_general_name(py, filtered_gn)?)?;
- }
+ let py_gns = parse_general_names(py, &leaf_gns)?;
 Ok(PyVerifiedClient {
- subjects: filtered_py_gns.into(),
+ subjects: py_gns,
 chain: py_chain.into_py(py),
 })
 }
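Review bot: `let py_gns = parse_general_names(py, &leaf_gns)?;` removes the filter together with the comment that explained the security reason for it, and nothing in the new code records why handing every SAN entry back as `subjects` is now safe; a reader of this function alone cannot tell whether names of the previously-filtered types were ever checked against name constraints. I would keep a one-line comment above it, e.g. `// All SAN entries are returned: the verification crate rejects any name-constraint type it cannot evaluate, so no returned name bypassed constraint checking.`, phrased as a reference to the verification crate rather than as a guarantee this function provides. Since the contents of the user-visible `VerifiedClient.subjects` change here (OtherName, URI, directoryName, etc. are now included), the Python docs and changelog presumably need a matching note, which I cannot see in this diff. The method begins outside the hunk, so the `unwrap()` on the SAN lookup and what guarantees a SAN is present cannot be judged here.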