According to the description for mod_ssl multiple occurrences of x509 components are returned with a "_n" suffix, with n starting at 0. The description also explicitly states that both forms ..._x509 and ..._x509_0 return the same value, the first ..._x509 attribute value. My issue was that SSL_CLIENT_S_DN_OU returned the correct value, but SSL_CLIENT_S_DN_OU_0 was undefined. Providing ..._x509_0 provides allows to write compact code when scanning through multiple same name attributes, whereas the present situation forces one to single out the first component.
Sorry: The description of mod_ssl is correct in that it says that no _0 variable is available in the environment table. But the fact remains that apache scripts (e.g. in PHP) can't access a variable _0, contrary to what apache itself can do in its configuration files (e.g. in requirement statements).
It would be expensive to have mod_ssl export all the DN components. If the problem here is specifically with PHP, the right thing to do is to create a hook in the mod_php SAPI so it can make ssl_var_lookup() available to PHP scripts directly - that should be very very simple.
^ export all the DN components *twice*.