This is a serious one.

And it is even worse:

It is sufficient if you set the "Redirect to SSL" flag on a single database then accessing it with the browser will send you into the redirection loop.

This has worked for decades so how did they manage to break this now!

I just upgraded our 8.5.3 server to Domino 9 and I can confirm that I have the same problem with "redirect to SSL" as a server setting.

I have used tihs setting to redirect all traffic to SSL for several years without a problem and right after the upgrade it now does not work at all.

Firefox says:

The page isn't redirecting properly
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

Because the whole server (Web site document for the domain) is set in the security Tab to "Redirect TCP to SSL" no http now works! (sad face).

This is very very bad.

Especially since we have had a working environment for s few years and the upgrade now forces me to remove SSL from the whole server.

It looks to me as if SSL is "broken" on Domino 9.

UPDATE: I removed the "Redirect to SSL" in the Web Site Document and also removed the "Redirect to SSL" TCP/IP port status on the server document (ports -> Internet ports -> Web tab)

This made my server "usable" again. (without SSL)

Observe! SSL now works if I manually add the https tag on the url.

But with the 2 settings I described above set to redirect to SSL the server goes in an infinite redirect loop.

I even tried to remove the "server document" setting and only use the Web site redirect but it still went into infinite loops.

(even though It looked like it worked when I was logged in already).

Mike,

The issue occurs on three different servers of mine (two of them are test servers, one on linux, one on windows). I can confirm that it happens on w32, w64 and SLES x86. Two test servers are fresh install, the other one is upgrade from 8.5.3.

When you enable IHS, the problem disappears.

I checked the thread logs for my local test server:

This redirection sequence goes the same until browser gives up.

Configuration is nothing special. I'm using Internet sites with SSL enabled.

I can't open PMR for myself (I'm a business partner and don't have Value Package) and I can't share log/dump files publicly. But I can post this issue into DP forum.

Thanks.

Our two servers are both affected. Both run 32-bit Domino (on 64-bit Windows). Without IHS.

One uses Internet Sites and one traditional Web Configuration documents.

As I wrote, I did not use the server-global "Redirecto to SSL" port setting but rather individual "Require SSL" properties on NSF databases.

But I guess the bad effect is the same.

I can provide these debug log files. Mike, please download with the link below? Too large to paste in here.

Download here

Hi Mike.

FYI: it seemed to work for me when I was already logged in.

I had only the Web Site document "Redirect to SLL" enabled and it worked when I was already logged in (session login).

When I logged out and tried the server again it failed (infinite loop).

We are using Multi-Server SSO (LTPA). However, we have been using this for years.

And yes, we have a domcfg.nsf but it is using the default form coming with it (just to avoid the ugly default form).

As I wrote the problem goes away once I remove the "Require SSL" flag from the NSF database.

Removing the domcfg.nsf completely, does not change the behaviour.

Disabling SSO also does not change it.

Mike,

I did some additional tests with SSL redirect enabled at Internet site configuration level.

Authentication has no effect. I tested my test server with and without session authentication. Even a database with anonymous access allowed causes the problem. According to thread logs, if we request such a database resource, it stops at the authentication level and return to redirection.

I have also tried using different host names to check if the problem is related to host-name binding but it doesn't matter.

Interestingly, the only page I can reach is /names.nsf?login. I can reach this page, see the login form (without images) but authentication doesn't change anything (it doesn't get authenticated, no cookies).

I get the login form after that, and submit username password;

The problem might be related to authentication, but it acts strange. I tried turning off Name & Password authentication for SSL, the problem still continues. 

Mike,

Since we can't repeat this on any servers, I thought it must be a result of a setting coming from my names.nsf. I tried 10-15 different things and found the difference :)

I have a notes.ini setting "HTTPEnableConnectorHeaders=1" which is defined in the configuration document. So it comes to every servers I have (My servers were behind plugin before). After deleting this entry, it is back to normal. I guess the IHS implementation may have changed this behaviour. 

Thx for the effort!

Mike, I don't know what you are trying, but ...

I just took a fresh plain Windows Server 2008 R2 VM and installed Domino 9.0 with as few clicks as possible, e.g. all defaults but plus IHS. Of course I also installed a Domino admin in order to manage it.

Then I set up/configured that Domino server, again with as few clicks as possible, everything left as defaults (except enabling the HTTP task). I created SSL keys and certificates as usual, via an internal CA we have (Domino CA in our production environment). Enabled SSL, worked fine. Authentication was left as basic (default). No internet sites, no web configs, no nothing.

I used webadmin.nsf for the test. I fired it up and HTTP and HTTPS access worked fine to webadmin.nsf. I went to the Domino Admin and set the "Require SSL" flag on webadmin.nsf. Started a fresh IE browser and accessed the webadmin.nsf and voila, had the bug, i.e. the browser got into that endless redirection loop, even before the authentication came up (so like someone else also stated, I guess this will also happen for anonymous access).

Mike, I cannot understand how you are unable to reproduce this ... hard to imagine a simpler reproducible setup and bug.

By the way, out of curiosity, I also tested with the new IHS feature (that was the actual reason why I installed this test server, to evaluate IHS).

I also created the necessary SSL keys/certificates for it and activated it. Interestingly, when going through IHS, the problem did NOT show up.

However, I think not everyone will rush out and use IHS just because it appeared in the product ...

Also see above post about HTTPEnableConnectorHeaders=1, this must not be in your INI.

I just took a fresh plain Windows Server 2008 R2 VM and installed Domino 9.0 with as few clicks as possible, e.g. all defaults but plus IHS. Of course I also installed a Domino admin in order to manage it.

Well, it means what I wrote. I installed with everything left at defaults except that I added IHS. However, that of course does not activate IHS yet.

My later text explains that the problem happened only when working with the regular HTTP task without activating IHS.

And of course also the notes.ini was left at defaults (that means no changes whatsoever by me) for that last test.

It is - in my opinion - not possible that you cannot reproduce it ... :-)

If you don't believe - we can do a TeamViewer session ...

Would it be helpful if I prepare a VM as I described and make it available to you?

Mike, I'll collect/send later this weekend.

Can you send me an e-mail address where to send to?

Mine is rommel _at_ ars.de ...

I did now finally have time to track down this issue ...

I checked again our production servers and there we indeed have the HTTPEnableConnectorHeaders=1 set. We distribute this via a configuration document and I have to find out why - we don't use IIS front end servers. I guess we should be able to disable it and then perhaps see what fails ... if anything. :-)

I also found out why I saw on my test server what I thought is the same problem: I made a typing error for the SSL keyring file so it was not loaded and I always overlooked the error message telling me so ... how embarrassing. So after fixing this the "Redirect to SSL" problem of course went away.

Sorry for wasting so much of your time!

I guess for the case of HTTPEnableConnectorHeaders=1 this will be fixed in an upcoming fixpack?