When setting one of those variables, logins are to be done over ssl.
However, the sidebar link "login" button points to the schema used for page (i.e., if you enter the page over http, it points to http://site/wp-login.php, transmitting username and password unencrypted.
if FORCE_SSL_ADMIN is set, this even results in the login page beeing redisplayed (when coming from a non-ssl page, coming from an ssl page or changing the link manually to https (using firebug) works)
IMHO, the theme should honor the variables and if present, always set the login link to https
Alternatively, the login page could be made configurable under theme options