From 6cef6fbfec92f1154b6a5b986548478137598975 Mon Sep 17 00:00:00 2001
From: Maximilian Hils
Date: Tue, 21 Oct 2014 15:08:39 +0200
Subject: [PATCH] tweak SSL detection heuristics

---
 libmproxy/protocol/http.py | 10 +++++++++-
 libmproxy/proxy/config.py  |  9 ++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/libmproxy/protocol/http.py b/libmproxy/protocol/http.py
index 33d860ca8..adb743a21 100644
--- a/libmproxy/protocol/http.py
+++ b/libmproxy/protocol/http.py
@@ -1269,7 +1269,15 @@ class HTTPHandler(ProtocolHandler):
         self.expected_form_out = "relative"
         self.skip_authentication = True
 
-        if address.port in self.c.config.ssl_ports:
+        # In practice, nobody issues a CONNECT request to send unencrypted HTTP requests afterwards.
+        # If we don't delegate to TCP mode, we should always negotiate a SSL connection.
+        should_establish_ssl = (
+            address.port in self.c.config.ssl_ports
+            or
+            not self.c.config.check_tcp(address)
+        )
+
+        if should_establish_ssl:
             self.c.log("Received CONNECT request to SSL port. Upgrading to SSL...", "debug")
             self.c.establish_ssl(server=True, client=True)
             self.c.log("Upgrade to SSL completed.", "debug")
diff --git a/libmproxy/proxy/config.py b/libmproxy/proxy/config.py
index 948decc11..fe2b45f4e 100644
--- a/libmproxy/proxy/config.py
+++ b/libmproxy/proxy/config.py
@@ -127,6 +127,12 @@ def process_proxy_options(parser, options):
                 parser.error("Certificate file does not exist: %s" % parts[1])
             certs.append(parts)
 
+    ssl_ports = options.ssl_ports
+    if options.ssl_ports != TRANSPARENT_SSL_PORTS:
+        # arparse appends to default value by default, strip that off.
+        # see http://bugs.python.org/issue16399
+        ssl_ports = ssl_ports[len(TRANSPARENT_SSL_PORTS):]
+
     return ProxyConfig(
         host=options.addr,
         port=options.port,
@@ -144,6 +150,7 @@ def process_proxy_options(parser, options):
         ciphers=options.ciphers,
         certs=certs,
         certforward=options.certforward,
+        ssl_ports=ssl_ports
     )
 
 
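Review bot: The debug message on the line after `if should_establish_ssl:` still reads "Received CONNECT request to SSL port", but the new condition also fires for any destination that `self.c.config.check_tcp(address)` rejects, whatever the port, so the log no longer tells an operator which rule forced the TLS handshake. If a client does send plaintext after such a CONNECT, the only visible symptom is a failed handshake, so the message should name the reason, e.g. `self.c.log("Received CONNECT request to SSL port or non-TCP host. Upgrading to SSL...", "debug")`. Because of the `or`, `check_tcp` is only consulted when the port is not in `ssl_ports`, so a listed port always wins over a TCP-mode host match; if that precedence is intended, a comment such as `# ssl_ports takes precedence over tcp hosts` above `should_establish_ssl = (` would make it explicit. The enclosing method starts and ends outside the hunk.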
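Review bot: The guard `if options.ssl_ports != TRANSPARENT_SSL_PORTS:` only does what the comment says if `TRANSPARENT_SSL_PORTS` is a list: the `--ssl-port` default in the later hunk (`@@ -180,7 +187,7 @@`) is now `list(TRANSPARENT_SSL_PORTS)`, and should the constant be (or later become) a tuple, the comparison is always true and the slice strips the defaults away, leaving `ssl_ports` empty so no CONNECT port is treated as SSL by the port rule. Comparing lengths does not depend on the constant's type, since argparse's append can only make the list longer than its default: `if len(ssl_ports) > len(TRANSPARENT_SSL_PORTS):`. The comment on the next line also misspells argparse as `arparse`. process_proxy_options starts before this hunk and continues into the following one.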
@@ -180,7 +187,7 @@ def ssl_option_group(parser):
         help="Don't connect to upstream server to look up certificate details."
     )
     group.add_argument(
-        "--ssl-port", action="append", type=int, dest="ssl_ports", default=TRANSPARENT_SSL_PORTS,
+        "--ssl-port", action="append", type=int, dest="ssl_ports", default=list(TRANSPARENT_SSL_PORTS),
         metavar="PORT",
         help="Can be passed multiple times. Specify destination ports which are assumed to be SSL. "
              "Defaults to %s." % str(TRANSPARENT_SSL_PORTS)