DigiCert EV SSL not activating in certain browsers

[jdarby]

I'm having a problem getting our EV SSL (extended validation, the green address bar for SSL) to work properly once a user hits the Billing Address screen.

Note: Certificates have been verified as working properly by DigiCert and properly installed by our IT provider.

We have two domains pointing to the same store and an EV SSL for each, hyattgrandbed.com and guest.hyattathomeservices.com.
Hit each of them with IE (I'm using IE8) and you'll see the SSL perform as intended once you hit the page after basket.aspx to enter Billing Address.

Now, try the same thing in Firefox (5.0 here) or Opera and you'll only see the SSL engage when you're browsing with hyattgrandbed.com.

The DigiCert tech mentioned that it is most often a Mixed Content issue where some items on the page are sent over SSL and some are not. Anyone had this type of experience or know what needs to be done in order to get SSL working properly in all browsers on both domains?

thanks!

[jdarby]

Here is the email I just received from the developer that I have looking at this:

I really think this is an able commerce bug. Here is a screen shot of what is happening. When you hit refresh, only one line displays and SSL works. I think it has something to do with the redirecting that is happening in the software. Can you post this on the boards see if anyone else has encountered it? I think it has something to do with it redirecting to itself to switch from http to https when you hit refresh, its already on https so it doesn’t need to redirect it back to itself.

Can anyone from AC elaborate on why this is happening?

[Logan Rhodehamel]

There is something off about the images being brought in by CSS. I am trying to imagine possible causes and solutions. I am suspicious of the ajax image that pops up the processing icon. A couple of times on your site I've managed to demonstrate this image being accessed over HTTP even when on the HTTPS url. That image is brought up by a javascript, so I'm wondering if that is somehow triggering the browser to react improperly.

I found two more interesting notes while testing. If on the basket page, I disable the style.css page using the FireFox Web Developer Toolbar add-on, then I click the checkout link, the problem does not occur. I am redirected to the checkout page and the SSL lock is valid. I also then disabled all images from the basket page (and from the browsing session in general) and find the same result - the SSL functions properly.

These two things lead me to believe the problem surrounds images, probably ones that are loaded via the style. One thing I might suggest for you is to try to disable that ajax timer that pops up the processing image. In a default AbleCommerce install, this is handled in the file ~/Layouts/scriptlet.master. Inside you would add comment tags around the UpdateProgress control like so:

Code: Select all

    <%--
    <ajax:UpdateProgress ID="UpdateProgress1" runat="server" DisplayAfter="2000">
        <ProgressTemplate>
            <div id="ajaxProgressBg"></div>
            <div id="ajaxProgress"></div>
        </ProgressTemplate>
    </ajax:UpdateProgress>
    --%>

The little <%-- --%> is an ASP.NET code comment and is the code to add to the file. That will disable the processing image. I am curious if disabling this control will eliminate the issue. What I'm thinking is maybe the javascript timer triggers a request for the processing.gif image after you click checkout, after you switch to ssl context, but prior to the page displaying. And then maybe the browser is thinking that javascript made a request to a non ssl resource, and so you get the broken lock.