diff --git a/proxywatchd.py b/proxywatchd.py
index e814875..2cc2a8c 100644
--- a/proxywatchd.py
+++ b/proxywatchd.py
@@ -1460,6 +1460,26 @@ class TargetTestJob():
                         if config.watchd.debug:
                             _log('failed to extract MITM cert: %s' % str(e), 'debug')
                     return None, proto, duration, torhost, srvname, 0, use_ssl, 'ssl_mitm'
+                elif et == rocksock.RS_ET_SSL and not ssl_only_check:
+                    # SSL failed but proxy protocol worked - fallback to HTTP
+                    if config.watchd.debug:
+                        _log('SSL failed, fallback to HTTP: %s://%s:%d' % (proto, ps.ip, ps.port), 'debug')
+                    try:
+                        http_port = 80
+                        http_proxies = [
+                            rocksock.RocksockProxyFromURL('socks5://%s' % torhost),
+                            rocksock.RocksockProxyFromURL('%s://%s:%s' % (proto, ps.ip, ps.port)),
+                        ]
+                        http_sock = rocksock.Rocksock(host=connect_host, port=http_port, ssl=0,
+                                                      proxies=http_proxies, timeout=adaptive_timeout)
+                        http_sock.connect()
+                        http_sock.send('HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' % srvname)
+                        elapsed = time.time() - duration
+                        if pool:
+                            pool.record_success(torhost, elapsed)
+                        return http_sock, proto, duration, torhost, srvname, 0, 0, 'ssl_fallback_http'
+                    except rocksock.RocksockException:
+                        pass  # HTTP fallback failed, continue to next protocol
 
             except KeyboardInterrupt as e:
                 raise e