diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c

index 926e05e..bbe1d20 100644

--- a/modules/ssl/mod_ssl.c

+++ b/modules/ssl/mod_ssl.c

@@ -333,6 +333,11 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,

     OpenSSL_add_all_algorithms();

     OPENSSL_load_builtin_modules();

+    if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) {

+        (void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV",

+                         "SRVName otherName form");

+    }

+

     /*

      * Let us cleanup the ssl library when the module is unloaded

      */

diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c

index eb11a38..27eaa5a 100644

--- a/modules/ssl/ssl_engine_kernel.c

+++ b/modules/ssl/ssl_engine_kernel.c

@@ -1156,6 +1156,7 @@ int ssl_hook_Fixup(request_rec *r)

     /* standard SSL environment variables */

     if (dc->nOptions & SSL_OPT_STDENVVARS) {

         modssl_var_extract_dns(env, sslconn->ssl, r->pool);

+        modssl_var_extract_san_entries(env, sslconn->ssl, r->pool);

         for (i = 0; ssl_hook_Fixup_vars[i]; i++) {

             var = (char *)ssl_hook_Fixup_vars[i];

diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c

index c508fff..2b7c9ba 100644

--- a/modules/ssl/ssl_engine_vars.c

+++ b/modules/ssl/ssl_engine_vars.c

@@ -42,6 +42,7 @@

 static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r, char *var);

 static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, char *var);

 static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *var);

+static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var);

 static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm);

 static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm);

 static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs);

@@ -509,6 +510,10 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs,

         result = ssl_var_lookup_ssl_cert_dn(p, xsname, var+5);

         resdup = FALSE;

     }

+    else if (strlen(var) > 4 && strcEQn(var, "SAN_", 4)) {

+        result = ssl_var_lookup_ssl_cert_san(p, xs, var+4);

+        resdup = FALSE;

+    }

     else if (strcEQ(var, "A_SIG")) {

         nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm));

         result = apr_pstrdup(p,

@@ -597,6 +602,49 @@ static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *

     return result;

 }

+static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var)

+{

+    int type, numlen;

+    const char *onf = NULL;

+    apr_array_header_t *entries;

+

+    if (strcEQn(var, "Email_", 6)) {

+        type = GEN_EMAIL;

+        var += 6;

+    }

+    else if (strcEQn(var, "DNS_", 4)) {

+        type = GEN_DNS;

+        var += 4;

+    }

+    else if (strcEQn(var, "OTHER_", 6)) {

+        type = GEN_OTHERNAME;

+        var += 6;

+        if (strEQn(var, "msUPN_", 6)) {

+            var += 6;

+            onf = "msUPN";

+        }

+        else if (strEQn(var, "dnsSRV_", 7)) {

+            var += 7;

+            onf = "id-on-dnsSRV";

+        }

+        else

+           return NULL;

+    }

+    else

+        return NULL;

+

+    /* sanity check: number must be between 1 and 4 digits */

+    numlen = strspn(var, "0123456789");

+    if ((numlen < 1) || (numlen > 4) || (numlen != strlen(var)))

+        return NULL;

+

+    if (SSL_X509_getSAN(p, xs, type, onf, atoi(var), &entries))

+        /* return the first entry from this 1-element array */

+        return APR_ARRAY_IDX(entries, 0, char *);

+    else

+        return NULL;

+}

+

 static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm)

 {

     char *result;

@@ -890,6 +938,54 @@ void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p)

     }

 }

+static void extract_san_array(apr_table_t *t, const char *pfx,

+                              apr_array_header_t *entries, apr_pool_t *p)

+{

+    int i;

+

+    for (i = 0; i < entries->nelts; i++) {

+        const char *key = apr_psprintf(p, "%s_%d", pfx, i);

+        apr_table_setn(t, key, APR_ARRAY_IDX(entries, i, const char *));

+    }

+}

+

+void modssl_var_extract_san_entries(apr_table_t *t, SSL *ssl, apr_pool_t *p)

+{

+    X509 *xs;

+    apr_array_header_t *entries;

+

+    /* subjectAltName entries of the server certificate */

+    xs = SSL_get_certificate(ssl);

+    if (xs) {

+        if (SSL_X509_getSAN(p, xs, GEN_EMAIL, NULL, -1, &entries)) {

+            extract_san_array(t, "SSL_SERVER_SAN_Email", entries, p);

+        }

+        if (SSL_X509_getSAN(p, xs, GEN_DNS, NULL, -1, &entries)) {

+            extract_san_array(t, "SSL_SERVER_SAN_DNS", entries, p);

+        }

+        if (SSL_X509_getSAN(p, xs, GEN_OTHERNAME, "id-on-dnsSRV", -1,

+                               &entries)) {

+            extract_san_array(t, "SSL_SERVER_SAN_OTHER_dnsSRV", entries, p);

+        }

+        /* no need to free xs (refcount does not increase) */

+    }

+

+    /* subjectAltName entries of the client certificate */

+    xs = SSL_get_peer_certificate(ssl);

+    if (xs) {

+        if (SSL_X509_getSAN(p, xs, GEN_EMAIL, NULL, -1, &entries)) {

+            extract_san_array(t, "SSL_CLIENT_SAN_Email", entries, p);

+        }

+        if (SSL_X509_getSAN(p, xs, GEN_DNS, NULL, -1, &entries)) {

+            extract_san_array(t, "SSL_CLIENT_SAN_DNS", entries, p);

+        }

+        if (SSL_X509_getSAN(p, xs, GEN_OTHERNAME, "msUPN", -1, &entries)) {

+            extract_san_array(t, "SSL_CLIENT_SAN_OTHER_msUPN", entries, p);

+        }

+        X509_free(xs);

+    }

+}

+

 /* For an extension type which OpenSSL does not recognize, attempt to

  * parse the extension type as a primitive string.  This will fail for

  * any structured extension type per the docs.  Returns non-zero on

diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h

index a5ede6e..80e1e8e 100644

--- a/modules/ssl/ssl_private.h

+++ b/modules/ssl/ssl_private.h

@@ -974,6 +974,10 @@ void         ssl_var_log_config_register(apr_pool_t *p);

  * allocating from 'p': */

 void modssl_var_extract_dns(apr_table_t *t, SSL *ssl, apr_pool_t *p);

+/* Extract SSL_*_SAN_* variables (subjectAltName entries) into table 't'

+ * from SSL object 'ssl', allocating from 'p'. */

+void modssl_var_extract_san_entries(apr_table_t *t, SSL *ssl, apr_pool_t *p);

+

 #ifndef OPENSSL_NO_OCSP

 /* Perform OCSP validation of the current cert in the given context.

  * Returns non-zero on success or zero on failure.  On failure, the

diff --git a/modules/ssl/ssl_util_ssl.c b/modules/ssl/ssl_util_ssl.c

index 588ceba..09a9877 100644

--- a/modules/ssl/ssl_util_ssl.c

+++ b/modules/ssl/ssl_util_ssl.c

@@ -236,22 +236,32 @@ BOOL SSL_X509_getBC(X509 *cert, int *ca, int *pathlen)

     return TRUE;

 }

-/* convert a NAME_ENTRY to UTF8 string */

-char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne)

+/* convert an ASN.1 string to a UTF-8 string (escaping control characters) */

+char *SSL_ASN1_STRING_to_utf8(apr_pool_t *p, ASN1_STRING *asn1str)

 {

     char *result = NULL;

-    BIO* bio;

+    BIO *bio;

     int len;

     if ((bio = BIO_new(BIO_s_mem())) == NULL)

         return NULL;

-    ASN1_STRING_print_ex(bio, X509_NAME_ENTRY_get_data(xsne),

-                         ASN1_STRFLGS_ESC_CTRL|ASN1_STRFLGS_UTF8_CONVERT);

+

+    ASN1_STRING_print_ex(bio, asn1str, ASN1_STRFLGS_ESC_CTRL|

+                                       ASN1_STRFLGS_UTF8_CONVERT);

     len = BIO_pending(bio);

-    result = apr_palloc(p, len+1);

-    len = BIO_read(bio, result, len);

-    result[len] = NUL;

+    if (len > 0) {

+        result = apr_palloc(p, len+1);

+        len = BIO_read(bio, result, len);

+        result[len] = NUL;

+    }

     BIO_free(bio);

+    return result;

+}

+

+/* convert a NAME_ENTRY to UTF8 string */

+char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne)

+{

+    char *result = SSL_ASN1_STRING_to_utf8(p, X509_NAME_ENTRY_get_data(xsne));

     ap_xlate_proto_from_ascii(result, len);

     return result;

 }

@@ -288,51 +298,123 @@ char *SSL_X509_NAME_to_string(apr_pool_t *p, X509_NAME *dn, int maxlen)

     return result;

 }

-/* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */

-BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)

+static void parse_otherName_value(apr_pool_t *p, ASN1_TYPE *value,

+                                  const char *onf, apr_array_header_t **entries)

+{

+    const char *str;

+    int nid = onf ? OBJ_txt2nid(onf) : NID_undef;

+

+    if (!value || (nid == NID_undef) || !*entries)

+       return;

+

+    /* 

+     * Currently supported otherName forms (values for "onf"):

+     * "msUPN" (1.3.6.1.4.1.311.20.2.3): Microsoft User Principal Name

+     * "id-on-dnsSRV" (1.3.6.1.5.5.7.8.7): SRVName, as specified in RFC 4985

+     */

+    if ((nid == NID_ms_upn) && (value->type == V_ASN1_UTF8STRING) &&

+        (str = SSL_ASN1_STRING_to_utf8(p, value->value.utf8string))) {

+        APR_ARRAY_PUSH(*entries, const char *) = str;

+    } else if (strEQ(onf, "id-on-dnsSRV") &&

+               (value->type == V_ASN1_IA5STRING) &&

+               (str = SSL_ASN1_STRING_to_utf8(p, value->value.ia5string))) {

+        APR_ARRAY_PUSH(*entries, const char *) = str;

+    }

+}

+

+/* 

+ * Return an array of subjectAltName entries of type "type". If idx is -1,

+ * return all entries of the given type, otherwise return an array consisting

+ * of the n-th occurrence of that type only. Currently supported types:

+ * GEN_EMAIL (rfc822Name)

+ * GEN_DNS (dNSName)

+ * GEN_OTHERNAME (requires the otherName form ["onf"] argument to be supplied,

+ *                see parse_otherName_value for the currently supported forms)

+ */

+BOOL SSL_X509_getSAN(apr_pool_t *p, X509 *x509, int type, const char *onf,

+                     int idx, apr_array_header_t **entries)

 {

     STACK_OF(GENERAL_NAME) *names;

-    BIO *bio;

-    X509_NAME *subj;

-    char **cpp;

-    int i, n;

+    int nid = onf ? OBJ_txt2nid(onf) : NID_undef;

-    if (!x509 || !(*ids = apr_array_make(p, 0, sizeof(char *)))) {

-        *ids = NULL;

+    if (!x509 || (type < GEN_OTHERNAME) ||

+        ((type == GEN_OTHERNAME) && (nid == NID_undef)) ||

+        (type > GEN_RID) || (idx < -1) ||

+        !(*entries = apr_array_make(p, 0, sizeof(char *)))) {

+        *entries = NULL;

         return FALSE;

     }

-    /* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */

-    if ((names = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL)) &&

-        (bio = BIO_new(BIO_s_mem()))) {

+    if ((names = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL))) {

+        int i, n = 0;

         GENERAL_NAME *name;

+        const char *utf8str;

         for (i = 0; i < sk_GENERAL_NAME_num(names); i++) {

             name = sk_GENERAL_NAME_value(names, i);

-            if (name->type == GEN_DNS) {

-                ASN1_STRING_print_ex(bio, name->d.ia5, ASN1_STRFLGS_ESC_CTRL|

-                                     ASN1_STRFLGS_UTF8_CONVERT);

-                n = BIO_pending(bio);

-                if (n > 0) {

-                    cpp = (char **)apr_array_push(*ids);

-                    *cpp = apr_palloc(p, n+1);

-                    n = BIO_read(bio, *cpp, n);

-                    (*cpp)[n] = NUL;

+

+            if (name->type != type)

+                continue;

+

+            switch (type) {

+            case GEN_EMAIL:

+            case GEN_DNS:

+                if (((idx == -1) || (n == idx)) &&

+                    (utf8str = SSL_ASN1_STRING_to_utf8(p, name->d.ia5))) {

+                    APR_ARRAY_PUSH(*entries, const char *) = utf8str;

+                }

+                n++;

+                break;

+            case GEN_OTHERNAME:

+                if (OBJ_obj2nid(name->d.otherName->type_id) == nid) {

+                    if (((idx == -1) || (n == idx))) {

+                        parse_otherName_value(p, name->d.otherName->value,

+                                              onf, entries);

+                    }

+                    n++;

                 }

+                break;

+            default:

+                /*

+                 * Not implemented right now:

+                 * GEN_X400 (x400Address)

+                 * GEN_DIRNAME (directoryName)

+                 * GEN_EDIPARTY (ediPartyName)

+                 * GEN_URI (uniformResourceIdentifier)

+                 * GEN_IPADD (iPAddress)

+                 * GEN_RID (registeredID)

+                 */

+                break;

             }

+

+            if ((idx != -1) && (n > idx))

+               break;

         }

-        BIO_free(bio);

-    }

-    if (names)

         sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);

+    }

+

+    return apr_is_empty_array(*entries) ? FALSE : TRUE;

+}

+

+/* return an array of (RFC 6125 coined) DNS-IDs and CN-IDs in a certificate */

+BOOL SSL_X509_getIDs(apr_pool_t *p, X509 *x509, apr_array_header_t **ids)

+{

+    X509_NAME *subj;

+    int i = -1;

+

+    /* First, the DNS-IDs (dNSName entries in the subjectAltName extension) */

+    if (!x509 ||

+        (SSL_X509_getSAN(p, x509, GEN_DNS, NULL, -1, ids) == FALSE && !*ids)) {

+        *ids = NULL;

+        return FALSE;

+    }

     /* Second, the CN-IDs (commonName attributes in the subject DN) */

     subj = X509_get_subject_name(x509);

-    i = -1;

     while ((i = X509_NAME_get_index_by_NID(subj, NID_commonName, i)) != -1) {

-        cpp = (char **)apr_array_push(*ids);

-        *cpp = SSL_X509_NAME_ENTRY_to_string(p, X509_NAME_get_entry(subj, i));

+        APR_ARRAY_PUSH(*ids, const char *) = 

+            SSL_X509_NAME_ENTRY_to_string(p, X509_NAME_get_entry(subj, i));

     }

     return apr_is_empty_array(*ids) ? FALSE : TRUE;

diff --git a/modules/ssl/ssl_util_ssl.h b/modules/ssl/ssl_util_ssl.h

index 4b882db..be07ab7 100644

--- a/modules/ssl/ssl_util_ssl.h

+++ b/modules/ssl/ssl_util_ssl.h

@@ -65,8 +65,10 @@ EVP_PKEY   *SSL_read_PrivateKey(char *, EVP_PKEY **, pem_password_cb *, void *);

 int         SSL_smart_shutdown(SSL *ssl);

 BOOL        SSL_X509_isSGC(X509 *);

 BOOL        SSL_X509_getBC(X509 *, int *, int *);

+char       *SSL_ASN1_STRING_to_utf8(apr_pool_t *, ASN1_STRING *);

 char       *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne);

 char       *SSL_X509_NAME_to_string(apr_pool_t *, X509_NAME *, int);

+BOOL        SSL_X509_getSAN(apr_pool_t *, X509 *, int, const char *, int, apr_array_header_t **);

 BOOL        SSL_X509_getIDs(apr_pool_t *, X509 *, apr_array_header_t **);

 BOOL        SSL_X509_match_name(apr_pool_t *, X509 *, const char *, BOOL, server_rec *);

 BOOL        SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);