I've been trying to get Drupal to work with SSL (mod_ssl/Openssl),
virtualhost, and Apache webserver. Before I go on, let me give you
the specifications of each component involved:

Drupal: 4.6.5
OS: Slackware 10.1
Kernel: 2.4.14
OpenSSL: 0.9.7d
Apache: 2.0.52
mod_ssl: 2.8.22

One last thing, I am utilizing clean URL with drupal and it has been
working great with the normal settings for a while (non-SSL that is).
My initial plan/goal was to use SSL for certain number of pages within
Drupal, mainly login (user/admin) and account sensitive information.
I was planning to accomplish that with help of RewriteEngine to
redirect from http://drupalsite/user to https://drupalsite/user. But
while I was trying to get the rewrite to work, I realized even if I
directly point my browser to any https://drupalsite/... (or even
drupal's root directory, that is https://drupalsite/), the page is not
being encrypted in any form (no sign of lockbox in the browsers, IE,
FF, Mozilla, etc.). So for now, I am struggling to get the encryption
to work with drupal and have taken all redirections out, except drupal's
default rewrite so I can debug the SSL issue first.

The SSL works fine with everything else except drupal. Case in point,
I created a separate virtualhost with different docroot and tried
a dummy FORM with user/pass fields, ran the packet sniffer to see
if the POST is being encrypted which it did. Then I assumed there
must be something wrong with drupal's virtualhost settings. So I
placed the same form from that virtualhost in the drupal's docroot
(that is http://drupalsite/form.html); Then I tried passing user/pass
with https of that URI (https://drupalsite/form.html) and it DID
encrypt the information (I verified this via the packet sniffer
versus plain http of the same page).

So I am to believe drupal internal work is the culprit because the
same SSL settings for different virtualhosts AND even static pages
in drupal's virtualhosts do utilize SSL but not with drupal itself.
I am using the default redirection .htaccess provided by drupal, all
directly in my /path/to/apache2/conf/httpd.conf.

Another thing to point out is the special characteristic of doing
rewrite rules with SSL. When I switch to https://drupalsite/, the
page does not get encrypted but "https" remains on the address bar
as the protocol. To force the entire site into SSL:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

Or, in a .htaccess or <Directory> block, you'd need to remove that
leading slash:

RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [R,L]

But then again, I have my .htaccess included in conf/httpd.conf and
not using any <Directory>. I did test conf/drupal.conf with the
added backslash:

# conf/drupal.conf
RewriteRule ^/(.*)$ /index.php?q=$1 [L,QSA]

And it still refused to work -- the page just does not want to get
encrypted.

I have tried to play around with drupal/sites/default/settings.php's
base_url to switch back and forth between "http" and "https" with
or w/o conditions and what not -- it didn't work:

if($_SERVER["SERVER_PORT"] == 443){
  $base_url = 'https://drupalsite';
} else {
  $base_url = 'http://drupalsite';
}

I even took out "http" from base_url to see if drupal can automatically
handle various protocols, no luck. I know name-based virtualhost does
not work with SSL and I am solely running one virtualhost with it (port
443). I've included my virtualhosts of http and https for drupal and
currently, drupal's http works as before but https just does not encrypt
any page. I thought maybe there is some internal iframe with https link
being placed but that was not the case as the packet sniffer showed the
unencrypted information being passed to the server.

I even commented out drupal's default rewrite file from conf/httpd.conf
to see whether it would work with non-clean URL... Still the same result.
I should mention that in all testing conditions, when a new browser is
opened up and https is requested, I do get a typical SSL handshake/
negotiation/server certificate exchange (as the packet sniffer indicates).

I have looked around drupal's forums but haven't found an answer to
my problem. I know several people have gotten it to work so if someone
can shed a light here, I would greatly appreciate it.

# conf/drupal.conf
# Apache/PHP/Drupal settings:
#

# Protect files and directories from prying eyes.
<FilesMatch "(\.(engine|inc|module|sh|sql|theme|tpl|xtmpl)|code-style\.pl|Entries.*|Repository|Root)$">
  Order deny,allow
  Deny from all
</FilesMatch>

# Set some options.
Options -Indexes
Options +FollowSymLinks

# Customized error messages.
ErrorDocument 404 /index.php

# Set the default handler.
DirectoryIndex index.php

# Override PHP settings. More exist in sites/default/settings.php, but
# the following cannot be changed at runtime. The first IfModule is
# for Apache 1.3, the second for Apache 2.
<IfModule mod_php4.c>
  php_value magic_quotes_gpc                0
  php_value register_globals                0
  php_value session.auto_start              0
</IfModule>

<IfModule sapi_apache2.c>
  php_value magic_quotes_gpc                0
  php_value register_globals                0
  php_value session.auto_start              0
</IfModule>

# Reduce the time dynamically generated pages are cache-able.
<IfModule mod_expires.c>
  ExpiresByType text/html A1
</IfModule>

# Various rewrite rules.
<IfModule mod_rewrite.c>
  RewriteEngine on

  # Modify the RewriteBase if you are using Drupal in a subdirectory and
  # the rewrite rules are not working properly.
  #RewriteBase /drupal

  # Rewrite old-style URLs of the form 'node.php?id=x'.
  #RewriteCond %{REQUEST_FILENAME} !-f
  #RewriteCond %{REQUEST_FILENAME} !-d
  #RewriteCond %{QUERY_STRING} ^id=([^&]+)$
  #RewriteRule node.php index.php?q=node/view/%1 [L]

  # Rewrite old-style URLs of the form 'module.php?mod=x'.
  #RewriteCond %{REQUEST_FILENAME} !-f
  #RewriteCond %{REQUEST_FILENAME} !-d
  #RewriteCond %{QUERY_STRING} ^mod=([^&]+)$
  #RewriteRule module.php index.php?q=%1 [L]

  # Rewrite current-style URLs of the form 'index.php?q=x'.
  RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
  RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-d
  RewriteRule ^(.*)$ /index.php?q=$1 [L,QSA]

  #RewriteCond %{REQUEST_FILENAME} !-f
  #RewriteCond %{REQUEST_FILENAME} !-d
  #RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
</IfModule>





#
# conf/httpd.conf
#

<VirtualHost 192.168.1.126:443>
    ServerName drupal.domain.com:443
    DocumentRoot /var/www/drupal
    ServerAdmin stop@spamming.damn.it

    # Per-Server Logging:
    # The home of a custom SSL log file. Use this when you want a
    # compact non-error SSL logfile on a virtual host basis.
    CustomLog logs/ssl_access_drupal.domain.com_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    ErrorLog logs/ssl_error_drupal.domain.com_log


    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    # Here I am allowing SSLv3 and TLSv1, I am NOT allowing the old SSLv2.
    SSLProtocol all -SSLv2


    # SSL Cipher Suite:
    SSLCipherSuite HIGH:MEDIUM

    # Server Certificate:
    SSLCertificateFile /path/to/drupal.domain.com.crt

    # Server Private Key:
    SSLCertificateKeyFile /path/to/drupal.domain.com.key

    # Server Certificate Chain:
    SSLCertificateChainFile /path/to/ca.domain.com.crt

    # Certificate Authority (CA):
    SSLCACertificateFile /path/to/ca.domain.com.crt

    SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

    # I have all the default .htaccess rewrite rules in conf/drupal.conf and
    # am using clean URLs.
    Include conf/drupal.conf

</VirtualHost>


NameVirtualHost 192.168.1.126:80

<VirtualHost 192.168.1.126:80>
     DocumentRoot /var/www/drupal
     ServerName drupal.domain.com
     ServerAdmin stop@spamming.damn.it

     # Just like the SSL enabled virtualhost, I am using the default rewrite
     # engine.
     Include conf/drupal.conf

</VirtualHost>

Comments

oxblood’s picture

Very strange, all of a sudden everything is working. I went through everything
to see if I had modified something and hadn't noticed. Apparently, upon many
combinations of try-outs, this one does the job:

As I had mentioned, SSL and rewrite are not too friendly so according to this
page ( http://rewrite.drbacchus.com/rewritewiki/SSL ), we need to make this
change to our drupal.conf rewrite rule:

# conf/drupal.conf
RewriteRule ^/(.*)$ /index.php?q=$1 [L,QSA]

Note before we had ^(.*)$ but you need to add "/" to the beginning
of it -- ^/(.*)$. In addition, add the following base_url condition setter
to drupal/sites/default/settings.php:

if($_SERVER["SERVER_PORT"] == 443){
  $base_url = 'https://drupalsite';
} else {
  $base_url = 'http://drupalsite';
}

If you are running your drupal https site with the different port, change it
to the designated port in it and also your SSL-enabled virtualhost. Now I can
tackle redirection of users from http to https when they access certain
pages. Ok, the only annoyance I have is that every page I load with https,
I am asked whether I want to display nonsecure items on the page. Answering
NO would keep your page data sent encrypted which is not a big deal for
me now and I'll elaborate on the workarounds along with redirection of http
to https in the future replies to this post.

jasonwhat’s picture

I'm mostly writing to bookmark this page for myself, but I do think there are some good ssl instructions with the authorize.net module which is in contrib of ecommerce.

adolg’s picture

Well, in my case everything worked on Drupal 4.6 without any changes, but I have "nonsecure items" message boxes as well. What exactly causes them? All links are relative, base starts with https://. I have 3 page templates, only 1 of them doesn't produce that message:
https://www.londonaquarium.co.uk (template 1)
https://www.londonaquarium.co.uk/node/700 (template 2)
https://www.londonaquarium.co.uk/image (template 3 - no message)
I have them in IE only, FireFox doesn't bother me with those messages.

Also, I would like https to be used only with one module now, but once one https:// URL is used, all the links in the menu and so on become https://, as they are all relative, so I wonder how to steer it back to http? using mod_rewrite perhaps?

robert.redl@easytouch.cc’s picture

Maybe it has to do with the iframe of drupal.js (if you have upload.module enabled).

See this issue http://drupal.org/node/71004
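
One way to track down the "nonsecure items" prompt discussed in the comments above, as an added example that is not part of the original thread: a Python scanner that lists every subresource an HTTPS page would fetch over plain HTTP, including relative links pulled to http:// by a `<base href>`. It also flags iframes without a src, on the assumption that this is what the drupal.js iframe mentioned above looks like; the page URL, host names and sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a subresource (<a href> does not).
FETCHING = {"img": "src", "script": "src", "iframe": "src", "frame": "src",
            "embed": "src", "input": "src", "object": "data", "link": "href"}

class MixedContentFinder(HTMLParser):
    """Collect what an HTTPS page would load over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url   # replaced when the page carries <base href>
        self.findings = []     # (tag, reason, resolved URL or "")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"])
            return
        attr = FETCHING.get(tag)
        if attr is None:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # other rel values (e.g. canonical) are ignored here
        value = (attrs.get(attr) or "").strip()
        if not value:
            if tag in ("iframe", "frame"):  # assumed shape of the iframe named in the thread
                self.findings.append((tag, "no-src", ""))
            return
        resolved = urljoin(self.base, value)
        if urlparse(resolved).scheme == "http":
            self.findings.append((tag, "http", resolved))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page, not taken from any site in the thread.
SAMPLE = """<html><head><link rel="stylesheet" href="misc/drupal.css">
<script src="http://static.example.org/track.js"></script></head><body>
<a href="http://example.org/">plain link, not a subresource</a>
<img src="/files/logo.png"><img src="http://example.org/banner.gif">
<iframe name="redirect-target"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(find_mixed_content("https://drupalsite/node/700", SAMPLE))
```
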

alynner’s picture

I have tried to use SSL like you have said above, but it seems that no matter what I do, it just returns a 404 not found error. It does ask you to accept the certificate first though.

Is there something else I am supposed to do before all this?

gcassie’s picture

Try increasing php's maximum memory. I bumped mine up to 12M and it started working. Now if I could just get it to work with clean urls...

elgreg’s picture

I know it was a long time ago - but I'm experiencing the same thing now with 404 errors and authorize.net - any luck on this?

-- Figured this 404 thing out - I'm using subdomains on my setup and had to get the virtual hosts to point to the right place. I just edited the ssl.conf to point straight to the subdirectory that I was developing on.

(you can figure out where it's pointing to by default by going to https://localhost/)

For setting up on my MAMP install I used:
http://www.macosxhints.com/article.php?story=20041129143420344

and it did the job really well.

Dan C.’s picture

I am trying to set up an ssl using the shared ssl provided by hostgator.

The way to use the secure server layer recommended by hostgator is like so: https://ns123.hostgator.com/~AccountName/SubFolder/
AccountName is the name registered with hostgator and represents the main domain name.
SubFolder is basically a different domain name used under the same main account.

With hostgator you can host unlimited domains under one main account.

When I am using the main account https://ns123.hostgator.com/~AccountName/ all the files on the main account and the files within folders of the main account can be accessed using the ssl.
When I am using the SubFolder under the main account https://ns123.hostgator.com/~AccountName/SubFolder/ I can use the ssl - no problem.
Only when I am trying to use files within the SubFolder I’ll get an error page.

This problem occurs only when .htaccess files with RewriteRule is used in the SubFolder.
When the .htaccess file is not in use or more accurately no RewriteRule within the .htaccess file (using only plain html files) – there is no problem to use the ssl under SubFolders and all files within the SubFolders.

I have tried to add or change RewriteRule, RewriteBase under .htaccess - no luck.
I have tried to add or change $base_url in the settings.php file - no luck.

I have also tried following the suggestion at: http://drupal.org/node/61099 - no luck.

Any suggestion on the correct setup for .htaccess and settings.php to solve this problem?

loyukfai’s picture

mwu’s picture

I have a lot of questions and will have to work through this thread.

I've never set up a site with SSL.

Can anyone tell me how long it takes? I thought it's something that would take 3 hours if I know what I'm doing, but the people here seem pretty knowledgeable and it still seems to be taking a long time.

Are you using Verisign or someone else? I posted a question about recommended certificate authorities here
http://drupal.org/node/80040