From ad88633da3de19fb8d0eb314704309cabb2a5131 Mon Sep 17 00:00:00 2001
From: Alex Rousskov
Date: Sat, 25 Feb 2012 12:29:46 -0700
Subject: [PATCH] Fixed comment: We mimic alias even when using a configured CN.

---
 src/ssl/gadgets.cc | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
index 7617600377..9fe9842adc 100644
--- a/src/ssl/gadgets.cc
+++ b/src/ssl/gadgets.cc
@@ -271,7 +271,7 @@ static bool buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificatePropertie
 } else if (!X509_gmtime_adj(X509_get_notAfter(cert.get()), 60*60*24*356*3))
 return false;
 
- // If the common name is not adapted, also mimic the aliases and subjectAltName
+ // mimic the alias and possibly subjectAltName
 if (properties.mimicCert.get()) {
 unsigned char *alStr;
 int alLen;
@@ -280,8 +280,9 @@ static bool buildCertificate(Ssl::X509_Pointer & cert, Ssl::CertificatePropertie
 X509_alias_set1(cert.get(), alStr, alLen);
 }
 
+ // Mimic subjectAltName unless we used a configured CN: browsers reject
+ // certificates with CN unrelated to subjectAltNames.
 if (!properties.setCommonName) {
- // Add subjectAltName extension used to support multiple hostnames with one certificate
 int pos=X509_get_ext_by_NID (properties.mimicCert.get(), OBJ_sn2nid("subjectAltName"), -1);
 X509_EXTENSION *ext=X509_get_ext(properties.mimicCert.get(), pos);
 if (ext)
-- 
2.47.2
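Review bot: The context line at the top of the first hunk computes the default lifetime as `60*60*24*356*3`, which looks like a transposed 365 and leaves notAfter about 27 days short of three years; if three years is the intent it should read `60*60*24*365*3`. The rewritten comment in the same hunk, `// mimic the alias and possibly subjectAltName`, leaves the condition to the reader; something like `// Mimic the alias always; subjectAltName only when no CN is configured (see below).` would state it. buildCertificate starts and ends outside the hunk, so the branch that leads into the `else if` is not visible here.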
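Review bot: In the second hunk, when `properties.setCommonName` is set the subjectAltName copy is skipped and, as far as these lines show, the generated certificate carries no subjectAltName at all. Clients that match the hostname against subjectAltName only and ignore CN would then fail to validate it, so the new comment should either say so or the code should add a subjectAltName built from the configured CN (anything done later in the function is outside the hunk). Separately, `X509_get_ext_by_NID` returns -1 when the extension is absent and that value goes straight into `X509_get_ext`; `if (ext)` does catch it, but `if (pos >= 0)` before the lookup would make the intent explicit. `NID_subject_alt_name` would also avoid the string lookup in `OBJ_sn2nid("subjectAltName")`.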