certauth problem after 7.1.2 update

[PhD]

Howdy all,

I have configured our server to use certificatebased authentication as explained in docs/certauth.txt - and has been working fine, until today when i upgraded to 7.1.2...

we have the standard "setup" as described in the txt file
we're using NeedClientAuth and have the server mode set to "redirect"

usually you browse to
server.com, and it redirects you to https://server.com, then redirects to https://server.com:9443/certauth, the ssl negotiation happens, then you are redirected back to https://server.com/zimbra/?ignoreLoginURL=1 and you're in your mailbox.


Now, since the upgrade... when it redirects you to the certauth port... the ssl handshaking completes, but the it doesnt redirect back to the normal https port when it changes the url to /zimbra/?ignoreLoginURL=1

so, we get the addressbar showing https://server.com:9443/zimbra/?ignoreLoginURL=1 with an error message in the browser:

HTTP ERROR: 403

Problem accessing /zimbra/. Reason:

requested resource is not allowed on this port

Powered by Jetty://

If at this stage, you remove everything after https://server.com, it will log you in to your mail.

It seems like something is broken at the port redirect stage.

Does anyone have any clues or ideas where i may look for more info on this?
I doesnt seem to log anything useful anywhere.

Cheers

[PhD]

i have just run up a fresh 7.1.2 install to see if this was and upgrade problem, or if its a bug in 7.1.2 now... and - it seems it is a problem with the new version.

on a bog stock install, i configure the following options..

[zimbra@zimbra-dev ~]$ zmprov ms zimbra-dev.domain.com zimbraMailSSLClientCertPort 9443
[zimbra@zimbra-dev ~]$ zmprov ms zimbra-dev.domain.comzimbraMailSSLClientCertMode NeedClientAuth
[zimbra@zimbra-dev ~]$ zmprov md domain.com+zimbraVirtualHostname zimbra-dev.domain.com
[zimbra@zimbra-dev ~]$ zmprov md domain.com zimbraWebClientLoginURL 'https://zimbra-dev.domain.com:9443/certauth'
[zimbra@zimbra-dev ~]$ zmprov md domain.com zimbraWebClientLogoutURL '../?sso=1'

and set up the server and user certs.. and went to browse https://zimbra-dev.domain.com and i am presented with the same problem...

the browser URL shows https://zimbra-dev.domain.com:9443/z...noreLoginURL=1

and the html text shows


HTTP ERROR: 403

Problem accessing /zimbra/. Reason:

requested resource is not allowed on this port

Powered by Jetty://

[LMStone]

I'd recommend filing a bug report in Bugzilla for this.

All the best,
Mark

[PhD]

Bug 63355 – Certauth doe not redirect from 9443 after negotiating SSL client certificate

Bug filed...