Rewriting all calls to SSL on the Apache level is a last resort and as you already have seen may also rewrite URLs which you don't want to encrypt. It should however not be too difficult to find the item on your page which is causing the error. If you use Firefox, you can probably find the offending image, script or CSS file by looking in Tools->Error Console after the page has been loaded. The most recent errors are displayed there.

I'm just getting the following Message (No Warnings or Errors):
Potentially vulnerable to CVE-2009-3555

I forgot to mention that the "partially encrypted" error is displayed only on FireFox. IE7 & IE8 shows the website encrypted.

I have found this article: [wiki.mozilla.org...]

"In 2009 a flaw was discovered in the SSL/TLS protocol which is widely used in Internet applications, for example when accessing web pages using the "https" method.

This flaw could allow a MITM (man in the middle) to inject data into a connection between an Internet client and an Internet server, and potentially allow an attacker to execute commands using the credentials of an Internet user, or to even steal authentication credentials.

This security flaw has been labled CVE-2009-3555 and is being described in more detail at cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 and web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555

Because the flaw is not specific to any specific software product, but rather a fundamental design flaw, a lot of software using SSL/TLS is vulnerable."
.....
"In order to ascertain that SSL/TLS sessions are protected, most Internet installations using this protocol must be upgraded to support the new protocol (currently draft-rescorla-tls-renegotiation).

Firefox has started to support this new protocol version in its experimental version since February 8th, 2010. Mozilla will include support in stable product versions as soon as possible.

Unfortunately, because of the complexity of the flaw and the need to get most of the world to upgrade their servers, it's a tough decision how Firefox should act.

As of today (2010-02-08) it would be useless to show a warning indicator to Firefox users in the chrome, because we'd show warnings for 99.9% of the web. It would cause confusion for users and teach them to ignore the warning. "

- I really didn't understand what is saying... my server should be upgrade SSL/TLS to a newer version?
- Then, why my other sites on the same server using ssl normally?
- Is this caused because of the shopping cart script i'm using?

I assume you're using .htaccess in your "home page" directory, and that both SSL and non-SSL requests are 'pointed' to the same directory-structure, and therefore will both execute the same .htaccess code. This is not necessarily the case, so check it before continuing.

If so, the problem may be that you are redirecting *all* requests to https, including those for non-secure pages. Further, it is possible that your HTML source is referring to included objects in an inconsistent way.

Here's a "standard" set-up to take care of SSL-to-non-SSL, non-SSL-to-SSL and non-canonical hostname request redirects:

# Redirect secure pages to HTTPS if requested using HTTP
RewriteCond %{SERVER_PORT} !=443
RewriteRule ^(checkout\.php|login\.asp|showcart\.html)$ https://www.example.com/$1 [R=301,L]
#
# Redirect non-secure pages to HTTP if requested using HTTPS
RewriteCond %{SERVER_PORT} =443
RewriteCond $1 !^(checkout\.php|login\.asp|showcart\.html)$
RewriteRule ^(.+\.(php|asp|html?))$ http://www.example.com/$1 [R=301,L]
#
# Redirect requests using non-blank non-canonical hostname
# to canonical hostname, preserving HTTP/HTTPS protocol
RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$
RewriteCond %{SERVER_PORT}s ^(443(s)|[0-9]+s)$
RewriteRule ^(.*)$ http%2://www.example.com/$1 [R=301,L]

Note that only "page" URLs are redirected by the first two rules. Requests for included objects such as images, CSS, or external JavaScript files will not be affected. Therefore, these objects should be linked-to using page-relative <img src="images/logo.gif"> or server-relative <img src="/images/logo.gif"> URL-paths, or using absolute URLs appropriate to the the page in which the object is included -- i.e. if you wish to use an absolute link to an image from within a secure page, then specify the https protocol in the link, and if you wish to use an absolute link to an image from within a non-secure page, then specify the http protocol in that link.

This code is meant as an example. It is freshly-typed and not tested. Further, you can see that I 'invented' several URL-paths to demonstrate redirecting multiple pages.

Do not rely on the first two rules to correct linking errors within your own site. Although "it will work," it will likely result in poor page-load times and possibly in further trouble with SSL security warnings. Instead, rely on these two redirects only to correct bad links from other sites, incorrect search engine listings, and incorrect type-in URLs.

If you still have problems, the "Live HTTP Headers" add-on (or similar) for Firefox/Mozilla-based browsers can be used to inspect the HTTP request and response headers passed between your browser and your server. Careful examination of the URLs requested by the client and the resulting server responses can be quite revealing and useful in cases like this.

A common problem is the inclusion within a secure page of external scripts (such as Google Analytics, page 'hit' counters, etc.) with are not secure. The choices in that case are to find/obtain a secure link URL for the included object, or failing that, to remove the insecure object from the page.

Jim

Jim thank you very much for your effort and time.

After stripping the whole website down... i found the the problem is cause be this javascript:

function MM_preloadImages() { //v3.0
 var d=document; if(d.images){ if(!d.MM_p) d.MM_p=new Array();
  var i,j=d.MM_p.length,a=MM_preloadImages.arguments; for(i=0; i<a.length; i++)
  if (a[i].indexOf("#")!=0){ d.MM_p[j]=new Image; d.MM_p[j++].src=a[i];}}
}

This is unbelievable... this code was automatically added by dreamweaver when rollover images created.

So.. whats wrong with this code? I can't see where the problem is.

I don't know, because I *never* use client-side scripting -- too many problems of all kinds for me, and I'm just an old server guy... For me, AJAX is a household cleaning product. :)

Look at the on-page results of this code, and check the URLs that it produces. Likely they are all HTTP, regardless of the SSL/non-SSL context the script is running in. If this is the case, then you'll need to analyze how this code 'builds' URLs and modify it to include the HTTP/HTTPS protocol in the requested image URLs as appropriate.

For more assistance, I suggest our JavaScript forum.

Jim

I have solve the problem by replacing the "rollover" javascript.

Thanks for your help.

I have the same problem. What did you replace the rollover javascript with?
Thanks

Turns out I was asking it to load a missing gif file and my custom 404 message (though not shown in the case of a javascript error) was an HTTP page. Once I uploaded the missing file, the warning went away.

[edited by: jdMorgan at 1:43 am (utc) on Apr 17, 2010]
[edit reason] minor formatting repair [/edit]

Note that you can enclose ErrorDocument directives within <Files> and <FilesMatch> containers, and thereby serve an appropriate "error image" for missing GIFs if you want to...

# Declare a custom 404-Not Found error page
ErrorDocument 404 /404.html
#
# Serve a GIF instead if a missing GIF was requested
<FilesMatch "\.gif$">
ErrorDocument 404 /missing.gif
</FilesMatch>

The "/missing.gif" file could be a 1x1 transparent GIF, or a very simple image that says "Oops!" or "(Missing image)" and is designed to scale acceptably to landscape or portrait aspects at any of the various sizes that you use on your site.

Jim