Hello,

I've noticed that support for getting subjectAltName entries Email and Type landed in 2.4.13, via r1676087.

We've come across another type in subjectAltName, Microsoft Universal Principal Name (OID 1.3.6.1.4.1.311.20.2.3) which would be useful to retrieve from the certificate and use for subsequent authorization and identity operations against Active Directory.

I've filed

    https://bz.apache.org/bugzilla/show_bug.cgi?id=58020
    When user authenticates with certificate which has their Microsoft Universal Principal Name in subjectAltName, that UPN cannot be used with SSLUserName for further access controls

and included a patch which extends the original SAN support to otherName.

I'd appreciate any comments about suitability of such change, as well as the implementation. Specifically, I'm not sure if people will prefer the generic and currently proposed SSL_CLIENT_SAN_otherName_n which gets any value of otherName type, or perhaps going with SSL_CLIENT_SAN_UPN_n and checking the OID just for the UPNs.

Based on that decision I plan to then respin the patch with documentation changes included.

Thank you,

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
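
The choice raised in the message above, a generic otherName variable versus a UPN-specific one that checks the OID, worked through on a constructed subjectAltName value. This is an added example, not code from the proposed patch or from mod_ssl; the `san_vars` helper, the sample bytes and the numbering of values are assumptions made for illustration.

```python
UPN_OID_DER = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3 (Microsoft UPN)


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first > 0x80:                        # long form: next n bytes hold the length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if first == 0x80 or pos + length > len(buf):
        raise ValueError("indefinite or truncated DER length")
    return tag, buf[pos:pos + length], pos + length


def other_names(san_der):
    """List (type_id_der, value_tag, value) for each otherName in a GeneralNames value."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    found, pos = [], 0
    while pos < len(names):
        tag, body, pos = read_tlv(names, pos)
        if tag != 0xA0:                     # only [0] otherName; skip email, DNS, ...
            continue
        oid_tag, oid, nxt = read_tlv(body, 0)
        wrap_tag, wrapped, _ = read_tlv(body, nxt)
        if oid_tag != 0x06 or wrap_tag != 0xA0:
            raise ValueError("malformed otherName")
        vtag, value, _ = read_tlv(wrapped, 0)
        found.append((oid, vtag, value))
    return found


def san_vars(san_der, prefix, only_oid=None):
    """Hypothetical helper: number UTF8String otherName values; only_oid keeps one type-id."""
    vals = [v.decode("utf-8") for oid, t, v in other_names(san_der)
            if t == 0x0C and only_oid in (None, oid)]
    return {f"{prefix}_{i}": v for i, v in enumerate(vals)}


# Constructed sample: rfc822Name, an otherName under the 2.999 example arc, then a UPN.
SAMPLE_SAN = (b"\x30\x4c"
              b"\x81\x12alice@example.test"
              b"\xa0\x12\x06\x03\x88\x37\x01\xa0\x0b\x0c\x09not-a-upn"
              b"\xa0\x22\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x14\x02\x03"
              b"\xa0\x14\x0c\x12alice@example.test")
```

On this sample the generic numbering puts the non-UPN entry at index 0, so a consumer of the generic variable has to know the type-id before treating the value as an identity, while the OID-filtered form yields only the UPN.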