SSL - Suggestion



It looks like Dream Objects does have a wildcard certificate which is good, but Chrome currently reports it as being insecure (i.e. no padlock) due to the algorithm. In the future Chrome is likely to report it as being bad (i.e. red X).

Therefore it would be nice if the certificate was upgraded to the latest standards.

It also looks like the SSL profile that you’re using is not ideal, resulting in an SSL Labs “B” rating:

The main reason for this is support for SSL3 and RC4. Really the profile used should at least be rated as A-, but ideally A+. This should be periodically checked and updated as required. You could allow selection on a per-bucket basis if you wish to retain compatibility with IE 8 / Win XP.

It would also be nice if we could provide our own certificates for the aliases in the same way that you can when using the shared hosting.

It goes without saying that the above should also apply for DreamSpeed.
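The post recommends checking the SSL profile periodically for SSL3 and RC4 support. As an added example (not code from the thread or from DreamHost), the script below wraps an nmap ssl-enum-ciphers scan and grades its output for exactly those two weaknesses. The function names, the nmap invocation and the two sample reports are this example's own assumptions; the sample reports are constructed to resemble ssl-enum-ciphers output and are not real scan results.

```shell
#!/bin/sh
# Added example, not part of the original forum post.
# Flags the legacy features the post calls out (SSLv3, RC4) in the output
# of nmap's ssl-enum-ciphers script. Run scan_tls against a real host, or
# feed a saved report to assess_tls on stdin.

# Real scan: needs nmap on PATH and network access (not run in the demo below).
scan_tls() {
    # $1 = hostname, $2 = port (defaults to 443)
    nmap -Pn -p "${2:-443}" --script ssl-enum-ciphers "$1"
}

# Read an ssl-enum-ciphers report on stdin and print either "ok" or a
# "legacy:" line listing what was found, in a fixed order so it is comparable.
assess_tls() {
    out=$(cat)
    findings=""
    # Protocol headers appear as "|   SSLv3:" (or "|_  SSLv3:" for the last one)
    printf '%s\n' "$out" | grep -qE '^[|][ _]*SSLv2:' && findings="$findings SSLv2"
    printf '%s\n' "$out" | grep -qE '^[|][ _]*SSLv3:' && findings="$findings SSLv3"
    # Any suite name containing _RC4_ means the server still offers RC4
    printf '%s\n' "$out" | grep -q '_RC4_' && findings="$findings RC4"
    # nmap grades the weakest accepted suite A-F; C or worse is worth flagging
    grade=$(printf '%s\n' "$out" | sed -n 's/.*least strength: *\([A-F]\).*/\1/p' | head -n 1)
    case "$grade" in
        C|D|E|F) findings="$findings weakest-suite-$grade" ;;
    esac
    if [ -z "$findings" ]; then echo ok; else echo "legacy:$findings"; fi
}

# Constructed sample: a server that still accepts SSLv3 and RC4 (not a real scan).
SAMPLE_WEAK='| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|_  least strength: C'

# Constructed sample: a modern profile with nothing to flag (not a real scan).
SAMPLE_GOOD='| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: A'

echo "weak profile:   $(printf '%s\n' "$SAMPLE_WEAK" | assess_tls)"
echo "good profile:   $(printf '%s\n' "$SAMPLE_GOOD" | assess_tls)"
```

For a scheduled check, pipe `scan_tls objects.example.com | assess_tls` into whatever alerting you use and treat anything other than `ok` as a regression; the same report also shows whether the SSL3/RC4 compatibility settings the post mentions for IE 8 / Windows XP are still exposed.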


Our security team was just talking about the cipher suite we’re using with DreamObjects and that we needed to update it. Look for an update soon.

We don’t have any plans yet for allowing you to provide your own certificate but it’s something we’ll look at.


If you want to make your site run entirely under SSL, there are two pieces to that:

a) Zen Cart side:

  • HTTP_SERVER should use your https:// address instead of an http:// address
  • ENABLE_SSL should be set to ‘false’ (because ENABLE_SSL is only set to ‘true’ when you want ZC to switch back and forth between http and https for certain secured pages)
    *NOTE: Some people have reported that setting ENABLE_SSL to ‘false’ in this case may cause confusion to some payment module configurations which expect SSL and rely on the ENABLE_SSL setting to confirm it. Thus, in some cases it may still be wise to leave ENABLE_SSL set to ‘true’ even when using https on all pages.

b) Server side:
You might want to also make some Apache configurations to redirect any non-SSL URLs to the SSL equivalent. Often this is done in .htaccess. Consult your hosting company for the best way to do this on your particular server. (There are lots of possible approaches posted all over the internet, but your hosting company knows the best way for your particular server.)
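The two steps above (Zen Cart settings, then an Apache redirect) as an added example that is not part of the original post and not Zen Cart's own code. It emits one common set of .htaccess rewrite rules for the server-side step, and checks a Zen Cart includes/configure.php for the HTTP_SERVER and ENABLE_SSL combination the Zen Cart-side step describes. The function names, the temporary-file handling and the sample configure.php lines are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the forum post. Shows the Apache redirect for the
# "server side" step and a small check of the "Zen Cart side" settings.

# .htaccess rules that send every plain-HTTP request to the same path on https
# with a permanent redirect. Requires mod_rewrite and AllowOverride on the vhost.
htaccess_force_https() {
    cat <<'EOF'
RewriteEngine On
# Only rewrite requests that did not arrive over TLS
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
EOF
}

# Classify a Zen Cart includes/configure.php ($1) against the post's advice:
#   all-https-ssl-off  HTTP_SERVER is https:// and ENABLE_SSL is 'false'
#   all-https-ssl-on   HTTP_SERVER is https:// and ENABLE_SSL is 'true'
#                      (the NOTE above: some payment modules need this)
#   mixed              HTTP_SERVER is still http://, i.e. the switching setup
#   missing            no HTTP_SERVER define found
check_zencart_ssl() {
    cfg="$1"
    http_server=$(sed -n "s/.*define('HTTP_SERVER', *'\([^']*\)').*/\1/p" "$cfg" | head -n 1)
    enable_ssl=$(sed -n "s/.*define('ENABLE_SSL', *'\([^']*\)').*/\1/p" "$cfg" | head -n 1)
    if [ -z "$http_server" ]; then
        echo missing
        return 0
    fi
    case "$http_server" in
        https://*)
            if [ "$enable_ssl" = "true" ]; then
                echo all-https-ssl-on
            else
                echo all-https-ssl-off
            fi ;;
        *)  echo mixed ;;
    esac
}

# Constructed sample of the relevant configure.php lines (not a real install).
write_sample_config() {
    cat > "$1" <<'EOF'
<?php
define('HTTP_SERVER', 'https://shop.example.com');
define('HTTPS_SERVER', 'https://shop.example.com');
define('ENABLE_SSL', 'false');
EOF
}

tmp=$(mktemp)
write_sample_config "$tmp"
echo "configure.php layout: $(check_zencart_ssl "$tmp")"
echo "--- .htaccess rules ---"
htaccess_force_https
rm -f "$tmp"
```

After deploying the rules, confirm the redirect with `curl -sI http://shop.example.com/` and check for a `301` with a `Location: https://` header; if the store sits behind a TLS-terminating proxy, `%{HTTPS}` may never be `on` and the condition needs to inspect the proxy's forwarded-protocol header instead.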