Fixed comment: We mimic alias even when using a configured CN.
authorAlex Rousskov <rousskov@measurement-factory.com>
Sat, 25 Feb 2012 19:29:46 +0000 (12:29 -0700)
committerAlex Rousskov <rousskov@measurement-factory.com>
Sat, 25 Feb 2012 19:29:46 +0000 (12:29 -0700)
src/ssl/gadgets.cc

index 7617600377dac03cd7b1be09e0f6a64c6b7958b2..9fe9842adc34e38008cdf093ce95699538c6c7cc 100644 (file)
@@ -271,7 +271,7 @@ static bool buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificatePropertie
     } else if (!X509_gmtime_adj(X509_get_notAfter(cert.get()), 60*60*24*356*3))
         return false;
 
-    // If the common name is not adapted, also mimic the aliases and subjectAltName
+    // mimic the alias and possibly subjectAltName
     if (properties.mimicCert.get()) {
         unsigned char *alStr;
         int alLen;
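Review bot: The fallback validity on the context line at the top of this hunk is computed as `60*60*24*356*3`, where 356 looks like a transposition of 365, so generated certificates would expire about 27 days short of the three years the expression suggests. If three years is the intent, the line should read `} else if (!X509_gmtime_adj(X509_get_notAfter(cert.get()), 60*60*24*365*3))`. The commit only rewords the comment below it and leaves this untouched. buildCertificate starts and ends outside the hunk, so the preceding branch of this `else if` is not visible here.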
@@ -280,8 +280,9 @@ static bool buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificatePropertie
             X509_alias_set1(cert.get(), alStr, alLen);
         }
 
+        // Mimic subjectAltName unless we used a configured CN: browsers reject
+        // certificates with CN unrelated to subjectAltNames.
         if (!properties.setCommonName) {
-            // Add subjectAltName extension used to support multiple hostnames with one certificate
             int pos=X509_get_ext_by_NID (properties.mimicCert.get(), OBJ_sn2nid("subjectAltName"), -1);
             X509_EXTENSION *ext=X509_get_ext(properties.mimicCert.get(), pos); 
             if (ext)
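Review bot: The result of `X509_get_ext_by_NID` is passed to `X509_get_ext` without testing for -1, so the case where the mimicked certificate has no subjectAltName depends on `X509_get_ext` returning NULL for a negative index; an explicit `if (pos >= 0)` around the lookup would make that path visible. `OBJ_sn2nid("subjectAltName")` could be the constant `NID_subject_alt_name`, which avoids a by-name lookup for every generated certificate. Separately, the new comment documents that a configured CN yields a certificate with no subjectAltName copied from the mimicked one; clients that match hostnames only against subjectAltName would presumably reject it, so it may be worth adding a SAN entry for the configured CN, unless that already happens outside this hunk. The `if (ext)` statement continues past the end of the hunk.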