Are X.509 nameConstraints on certificates supported on OS X?

No. Apple does not support this.

Apple's Secure Transport library does not support X.509's nameConstraints.

There is a bug in Chromium's bug database about this. And it's been closed as WontFix. Developer Ryan Sleevi had this to say on Aug 25, 2014 (archived here):

Chrome defers to the OS cryptographic stack for verification.

It's a well-known, long-standing issue that Apple does not implement name constraints. This applies to all applications that use OS X's SSL or certificate verification libraries (e.g. Safari, Curl, Python, etc)

Related

  • Should name constraints be present on a subordinate CA issued to an organization?
  • Which properties of a X.509 certificate should be critical and which not?
  • http://karl.kornel.us/2014/09/cas-name-constraints-and-a-business-opportunity/

Yes, OS X / macOS supports this since 10.13.3.

According to the https://nameconstraints.bettertls.com archived tests, 10.13 failed some tests but 10.13.3 passes all in with both Safari and Chrome.

This fit's the timeline release notes for macOS 10.13.3 which lists the following fix1

Description: A certificate evaluation issue existed in the handling of name constraints. This issue was addressed with improved trust evaluation of certificates.

Firefox who uses it's own internal TLS passes since at least version 50.

This also matches lxgr's comment about it working on 10.15.4 comment and my test today on 10.14.6


1as pointed out by Joe Lee-Moyet in the comments