dnl check SAN for STS
SSTS_SAN
ifdef(`_STS_SAN', `dnl
R$*			$: $&{server_name}
# {server_name} does not have a trailing dot
# R$+.			$1
dnl exact match
R$={cert_altnames}	$@ ok
# strip one level up to first dot  
R$~. . $+		.$2
dnl wildcard: *. not just .
R.$+			$: *.$1
R $={cert_altnames}	$@ ok
dnl always temporary error? make it an option (of the feature)?
R$*			$#error $@ 4.7.0 $: 450 $&{server_name} not listed in SANs', `dnl')
