diff --git a/src/internal.c b/src/internal.c
index 29c62fe89..a75ef67b3 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -10164,7 +10164,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 #ifdef OPENSSL_EXTRA
 /* Determine untrusted depth */
- if (!alreadySigner) {
+ if (!alreadySigner && (!args->dCert ||
+ !args->dCertInit || !args->dCert->selfSigned)) {
 args->untrustedDepth = 1;
 }
 #endif
diff --git a/src/ssl.c b/src/ssl.c
index 344b67b62..34ba26cbb 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -35558,7 +35558,8 @@ err:
 #define PEM_END_SZ 9
 #define PEM_HDR_FIN "-----"
 #define PEM_HDR_FIN_SZ 5
- #define PEM_HDR_FIN_EOL "-----\n"
+ #define PEM_HDR_FIN_EOL_NEWLINE "-----\n"
+ #define PEM_HDR_FIN_EOL_NULL_TERM "-----\0"
 #define PEM_HDR_FIN_EOL_SZ 6
 int wolfSSL_PEM_read_bio(WOLFSSL_BIO* bio, char **name, char **header,
@@ -35694,8 +35695,12 @@ err:
 ret = WOLFSSL_FAILURE;
 }
 if (ret == WOLFSSL_SUCCESS) {
- if (XSTRNCMP(pem + PEM_END_SZ + nameLen, PEM_HDR_FIN_EOL,
- PEM_HDR_FIN_EOL_SZ) != 0) {
+ if (XSTRNCMP(pem + PEM_END_SZ + nameLen,
+ PEM_HDR_FIN_EOL_NEWLINE,
+ PEM_HDR_FIN_EOL_SZ) != 0 &&
+ XSTRNCMP(pem + PEM_END_SZ + nameLen,
+ PEM_HDR_FIN_EOL_NULL_TERM,
+ PEM_HDR_FIN_EOL_SZ) != 0) {
 ret = WOLFSSL_FAILURE;
 }
 }
@@ -35759,8 +35764,8 @@ err:
 if (!err)
 err = wolfSSL_BIO_write(bio, name, nameLen) != nameLen;
 if (!err) {
- err = wolfSSL_BIO_write(bio, PEM_HDR_FIN_EOL, PEM_HDR_FIN_EOL_SZ) !=
- (int)PEM_HDR_FIN_EOL_SZ;
+ err = wolfSSL_BIO_write(bio, PEM_HDR_FIN_EOL_NEWLINE,
+ PEM_HDR_FIN_EOL_SZ) != (int)PEM_HDR_FIN_EOL_SZ;
 }
 if (!err && headerLen > 0) {
 err = wolfSSL_BIO_write(bio, header, headerLen) != headerLen;
@@ -35777,8 +35782,8 @@ err:
 if (!err)
 err = wolfSSL_BIO_write(bio, name, nameLen) != nameLen;
 if (!err) {
- err = wolfSSL_BIO_write(bio, PEM_HDR_FIN_EOL, PEM_HDR_FIN_EOL_SZ) !=
- (int)PEM_HDR_FIN_EOL_SZ;
+ err = wolfSSL_BIO_write(bio, PEM_HDR_FIN_EOL_NEWLINE,
+ PEM_HDR_FIN_EOL_SZ) != (int)PEM_HDR_FIN_EOL_SZ;
 }
 if (!err) {
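Review bot: The new condition in ProcessPeerCerts (src/internal.c) keys the untrusted-depth count on `args->dCert->selfSigned`, a flag derived from the peer-supplied certificate, and the existing comment `/* Determine untrusted depth */` does not say why a self-signed certificate is exempt. From this hunk alone it is not visible what `untrustedDepth` gates later, so please confirm that leaving it at 0 for a self-signed certificate that is not a known signer only changes depth accounting and cannot let such a certificate pass verification. The fallback direction is conservative: a NULL or uninitialised `dCert` still counts as untrusted. I would extend the comment to `/* A self-signed cert that is not a known signer adds no untrusted depth; if dCert is unavailable, count it as untrusted */`. The function body starts and ends outside the hunk.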
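Review bot: `PEM_HDR_FIN_EOL_NULL_TERM` in src/ssl.c (the `#define` hunk at -35558) carries no comment saying it is a read-side pattern only. Passed to XSTRNCMP with `PEM_HDR_FIN_EOL_SZ` it matches a footer followed by the string terminator, but passed to wolfSSL_BIO_write with that same size it would put a NUL byte into PEM output; the two write sites touched by this commit use the NEWLINE variant, which is the right one. I would add `/* read-side only: footer at end of input with no trailing newline; never write this to a BIO */` above the define. The explicit `\0` is also redundant for XSTRNCMP, because comparing 6 bytes against `"-----"` already compares the literal's own terminator.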
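Review bot: The second comparison added to the footer check in wolfSSL_PEM_read_bio (src/ssl.c, hunk at -35694) accepts `-----` followed by a NUL, and reading that sixth byte is only in bounds if `pem` is always NUL-terminated directly after the last byte read from the BIO. The allocation and the read loop are outside this hunk, so that guarantee should be confirmed and stated next to the check, for example `/* footer may end the input without a newline; relies on pem being NUL-terminated */`. Input whose footer ends in `-----\r\n` is still rejected here unless carriage returns are stripped earlier, which the hunk does not show. A test that reads a PEM object with no trailing newline, and one with CRLF line endings, would pin both cases.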
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 384f66e8a..263af2512 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -16030,14 +16030,17 @@ static int ParseCRL_Extensions(DecodedCRL* dcrl, const byte* buf,
 idx = *inOutIdx;
+ /* CRL Extensions are optional */
 if ((idx + 1) > sz)
- return BUFFER_E;
+ return 0;
+ /* CRL Extensions are optional */
 if (GetASNTag(buf, &idx, &tag, sz) < 0)
- return ASN_PARSE_E;
+ return 0;
+ /* CRL Extensions are optional */
 if (tag != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0))
- return ASN_PARSE_E;
+ return 0;
 if (GetLength(buf, &idx, &length, sz) < 0)
 return ASN_PARSE_E;
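Review bot: In ParseCRL_Extensions (wolfcrypt/src/asn.c) the second changed return, `if (GetASNTag(buf, &idx, &tag, sz) < 0) return 0;`, turns a failed tag read into success, which conflates "extensions absent" with "input could not be parsed". Absence is already covered by the bounds check before it and by the tag mismatch after it, so I would keep `return ASN_PARSE_E;` for the GetASNTag failure and relax only the other two. Treating any other tag as absence is presumably intended because a different field follows when the extensions are omitted, but that depends on what `sz` bounds, which the hunk does not show. The comment repeated three times would read better once, e.g. `/* crlExtensions is OPTIONAL: nothing left, or a different tag, means none present */`, together with a line in the function header saying that 0 is returned when no extensions are present. A regression test with a CRL whose extensions block is truncated would show that malformed extensions are still rejected; the function continues past the end of the hunk.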