diff --git a/proxywatchd.py b/proxywatchd.py
index 905664e..8677989 100644
--- a/proxywatchd.py
+++ b/proxywatchd.py
@@ -1535,7 +1535,7 @@ class TargetTestJob():
 elif et == rocksock.RS_ET_GAI:
 _log("could not resolve connection target %s" % connect_host, "ERROR")
 break
- elif err == rocksock.RS_E_SSL_CERTIFICATE_ERROR:
+ elif et == rocksock.RS_ET_SSL and err == rocksock.RS_E_SSL_CERTIFICATE_ERROR:
 # MITM detected - proxy works but intercepts TLS
 ps.mitm = 1
 elapsed = time.time() - duration
@@ -1559,9 +1559,9 @@ class TargetTestJob():
 if config.watchd.debug:
 _log('failed to extract MITM cert: %s' % str(e), 'debug')
 return None, proto, duration, torhost, srvname, 0, use_ssl, 'ssl_mitm'
- elif et == rocksock.RS_ET_SSL and not ssl_only_check:
- # SSL failed but proxy protocol worked - fallback to Tor API check (HTTP)
- # sock already disconnected above, but ensure cleanup
+ elif et == rocksock.RS_ET_SSL and ssl_only_check:
+ # SSL handshake failed (but proxy protocol worked) - verify with HTTP
+ # Only for 'ssl' checktype; cert errors handled above as MITM
 try:
 sock.disconnect()
 except Exception:
@@ -1569,7 +1569,7 @@ class TargetTestJob():
 # Delay before secondary check (allows different Tor circuit)
 time.sleep(0.3)
 if config.watchd.debug:
- _log('SSL failed, fallback to Tor API: %s://%s:%d' % (proto, ps.ip, ps.port), 'debug')
+ _log('SSL handshake failed, fallback to HTTP: %s://%s:%d' % (proto, ps.ip, ps.port), 'debug')
 try:
 # Secondary check via Tor Project API (plain HTTP)
 tor_check_host = 'check.torproject.org'
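Review bot: In the `@@ -1535` hunk the branch still sets `ps.mitm = 1` for every certificate error, so a target certificate that fails verification for an unrelated reason (expiry, hostname mismatch, a stale local trust store, assuming `RS_E_SSL_CERTIFICATE_ERROR` covers those) would be recorded as proxy interception. Checking `et` before `err` looks right, presumably because `err` values are only meaningful within their error type, and that reason deserves a comment such as `# err codes are scoped by error type; compare et before err`. If the certificate extracted further down is available, comparing it with the expected one before trusting the flag would reduce false MITM reports. The enclosing `if`/`elif` chain starts and ends outside the hunk.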
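Review bot: In the `@@ -1559` hunk the guard was inverted rather than widened, so an `RS_ET_SSL` error with `ssl_only_check` false no longer reaches this branch and the code that now handles it is outside the hunk; confirm that case still ends in an explicit SSL-failure result. For the 'ssl' checktype the fallback re-tests over plain HTTP through the same proxy, so the reply is unauthenticated and says nothing about the proxy's ability to carry TLS. A comment such as `# HTTP fallback shows reachability only; reply is unauthenticated, never mark the proxy SSL-capable from it` would record that, and the result returned later (not visible here) should keep an SSL-failed marker. The `@@ -1569` hunk only rewords the debug message for the same branch.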