A client makes an HTTP request to a proxy: CONNECT secure.newegg.com:443
The server responds with HTTP 200.
The proxy adds a header to the server's response (e.g. "Proxy-agent: Apache/2.4.16 (Unix)" in the attached pcap).
The SSL handshake proceeds.
Bro fails to identify the SSL handshake.
As soon as Bro sees "HTTP/1.0 200 Connection Established\r\n", it instantiates a child analyzer and passes the rest of the server's response to the child. In particular, this means the "Proxy-agent" header is treated as the first data transmitted in the SSL handshake. As a result, protocol detection fails.
The attached patch remembers that the HTTP 200 was received and only instantiates the child analyzer when the newline is reached at the end of the HTTP message (e.g. after the "Proxy-agent" header).
Running bro -C -r http-connect.pcap with the attached pcap should output output-without-patch.tar.gz before applying the patch (note the absence of ssl.log) and should output output-with-patch.tar.gz after applying the patch.
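The hand-off timing described above, as an added Python model that is not Bro's code and not the attached patch: the class, function names, and the TLS bytes are constructed for illustration, and the TLS check is a simplified stand-in for protocol detection.

```python
CRLF = b"\r\n"

class ConnectReplyTracker:
    """Hypothetical model of the server side of a CONNECT exchange."""

    def __init__(self, wait_for_end_of_headers):
        self.wait = wait_for_end_of_headers
        self.buf = b""
        self.saw_200 = self.refused = self.tunnel_open = False

    def feed(self, data):
        """Consume server bytes; return what the child analyzer would receive."""
        if self.tunnel_open:
            return data
        if self.refused:
            return b""
        self.buf += data
        while CRLF in self.buf and not self.tunnel_open:
            line, self.buf = self.buf.split(CRLF, 1)
            if not self.saw_200:
                parts = line.split(None, 2)
                if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or parts[1] != b"200":
                    self.refused = True           # CONNECT failed: no tunnel, no child
                    return b""
                self.saw_200 = True               # remember the 200 ...
                self.tunnel_open = not self.wait  # ... unpatched behaviour hands off here
            elif line == b"":
                self.tunnel_open = True           # patched: hand off after the blank line
        if not self.tunnel_open:
            return b""
        out, self.buf = self.buf, b""             # leftover bytes belong to the tunnel
        return out

def child_input(segments, wait_for_end_of_headers):
    """Feed TCP segments in order and collect everything passed to the child."""
    tracker = ConnectReplyTracker(wait_for_end_of_headers)
    return b"".join(tracker.feed(s) for s in segments)

def looks_like_tls(data):
    """Simplified detection: handshake record (0x16) with major version 3."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03

# Constructed sample: proxy reply from the report, then a dummy ServerHello record.
REPLY = b"HTTP/1.0 200 Connection Established\r\nProxy-agent: Apache/2.4.16 (Unix)\r\n\r\n"
TLS = bytes.fromhex("160303002a02") + bytes(41)

if __name__ == "__main__":
    for wait in (False, True):
        data = child_input([REPLY + TLS], wait)
        print("wait for end of headers:", wait, "->", data[:12], looks_like_tls(data))
```

Splitting the stream at any byte offset gives the same result in the waiting mode, which is the case a reassembling analyzer has to handle when the header and the first TLS record arrive in separate segments.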