diff --git a/examples/client/client.c b/examples/client/client.c
index 5c888597d..f5d005acd 100644
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -905,7 +905,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 | WOLFSSL_OCSP_URL_OVERRIDE);
 }
 else
- wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE);
+ wolfSSL_CTX_EnableOCSP(ctx, 0);
 }
 #endif
@@ -1007,7 +1007,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
 WOLFSSL_CSR_OCSP_USE_NONCE) != SSL_SUCCESS)
 err_sys("UseCertificateStatusRequest failed");
- wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE);
+ wolfSSL_CTX_EnableOCSP(ctx, 0);
 }
 #endif
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index be1c332b5..4dcd65b79 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -8579,6 +8579,17 @@ static int DecodeOcspRespExtensions(byte* source,
 }
 if (oid == OCSP_NONCE_OID) {
+ /* get data inside extra OCTET_STRING */
+ if (source[idx++] != ASN_OCTET_STRING) {
+ WOLFSSL_MSG("\tfail: should be an OCTET STRING");
+ return ASN_PARSE_E;
+ }
+
+ if (GetLength(source, &idx, &length, sz) < 0) {
+ WOLFSSL_MSG("\tfail: extension data length");
+ return ASN_PARSE_E;
+ }
+
 resp->nonce = source + idx;
 resp->nonceSz = length;
 }
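Review bot: The result of `wolfSSL_CTX_EnableOCSP(ctx, 0)` is discarded in the `else` branch of the first client.c hunk and again at the call in the second client.c hunk (around line 1007), so if enabling OCSP fails the example client keeps connecting without revocation checking and prints nothing. The stapling call just above it in the second hunk already uses the `!= SSL_SUCCESS` / `err_sys(...)` pattern, and the same fits both sites: `if (wolfSSL_CTX_EnableOCSP(ctx, 0) != SSL_SUCCESS) err_sys("can't enable OCSP");`. The override branch in the first hunk ends in `| WOLFSSL_OCSP_URL_OVERRIDE);` with its first operand outside the hunk; if that operand is still `WOLFSSL_OCSP_NO_NONCE`, the two branches now differ in whether a nonce protects the exchange, which is worth confirming. client_test's body starts and ends outside both hunks.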
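Review bot: The added tag check `source[idx++] != ASN_OCTET_STRING` in the asn.c hunk reads a byte without first comparing `idx` with `sz` (the bound handed to `GetLength` a few lines later), so a response whose nonce extension value is empty or ends at the end of the buffer could be read one byte past the input, unless a check outside the hunk already guarantees a byte remains. Guarding the read removes the doubt: `if (idx >= sz || source[idx++] != ASN_OCTET_STRING) {`. The inner `GetLength` also overwrites `length`, and nothing visible here verifies that the inner OCTET STRING ends where the enclosing extension value ends; if the code after the hunk advances `idx` by `length`, a shorter inner length would leave trailing bytes to be parsed as the next extension. DecodeOcspRespExtensions starts and ends outside the hunk.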