--- a/cmdline.c
+++ b/cmdline.c
@@ -58,6 +58,9 @@
 #ifdef USE_SSL
 " -e, --encrypt             SSL encrypt data between local proxy and destination\n"
 " -E, --encrypt-proxy       SSL encrypt data between client and local proxy\n"
+" -B, --buggy-encrypt-proxy Like --encrypt-proxy, but stop using SSL after\n"
+"                           CONNECT (might not work on all setups; see\n"
+"                           /usr/share/doc/proxytunnel/README.Debian.gz)\n"
 " -X, --encrypt-remproxy    Encrypt between 1st and 2nd proxy using SSL\n"
 #endif
 "\n"
@@ -130,6 +133,7 @@
 	args_info->domain_given = 0;
 	args_info->encrypt_given = 0;
 	args_info->encryptproxy_given = 0;
+	args_info->buggyencryptproxy_given = 0;
 	args_info->encryptremproxy_given = 0;
 	args_info->proctitle_given = 0;
 
@@ -155,6 +159,7 @@
 	args_info->standalone_arg = 0; \
 	args_info->encrypt_flag = 0; \
 	args_info->encryptproxy_flag = 0; \
+	args_info->buggyencryptproxy_flag = 0; \
 	args_info->encryptremproxy_flag = 0; \
 	args_info->proctitle_arg = NULL; \
 } 
@@ -197,13 +202,14 @@
 			{ "quiet",			0, NULL, 'q' },
 			{ "encrypt",		0, NULL, 'e' },
 			{ "encrypt-proxy",	0, NULL, 'E' },
+			{ "buggy-encrypt-proxy",	0, NULL, 'B' },
 			{ "encrypt-remproxy",0,NULL, 'X' },
 			{ NULL,				0, NULL, 0 }
 		};
 
-		c = getopt_long (argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEXq", long_options, &option_index);
+		c = getopt_long (argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEBXq", long_options, &option_index);
 #else
-		c = getopt( argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEXq" );
+		c = getopt( argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEBXq" );
 #endif
 
 		if (c == -1)
@@ -227,6 +233,12 @@
 				if( args_info->verbose_flag )
 					message("SSL client to proxy enabled\n");
 				break;
+
+			case 'B':	/* Turn on client to proxy SSL encryption, but only until CONNECT */
+				args_info->buggyencryptproxy_flag = !(args_info->buggyencryptproxy_flag);
+				if( args_info->verbose_flag )
+					message("SSL client to proxy enabled, only until CONNECT\n");
+				break;
 #endif
 
 			case 'i':	/* Run from inetd. */
--- a/cmdline.h
+++ b/cmdline.h
@@ -46,6 +46,7 @@
 	int standalone_arg;		/* Turn on stdalone (-a) on port */
 	int encrypt_flag;		/* Turn on SSL encryption (default=off). */
 	int encryptproxy_flag;	/* Turn on client to proxy SSL encryption (def=off).*/
+	int buggyencryptproxy_flag;	/* Turn on client to proxy SSL encryption, only until CONNECT (def=off).*/
 	int encryptremproxy_flag;  /* Turn on local to remote proxy SSL encryption (def=off).*/
 	char *proctitle_arg;	/* Override process title (default=off). */
 	int help_given;			/* Whether help was given. */
@@ -68,6 +69,7 @@
 	int quiet_given;		/* Whether quiet mode was given. */
 	int header_given;		/* Whether extra headers are given */
 	int encrypt_given;		/* Whether encrypt was given */
+	int buggyencryptproxy_given;	/* Whether encrypt was given */
 	int encryptproxy_given;	/* Whether encrypt was given */
 	int encryptremproxy_given;   /* Whether encrypt was given */
 	int proctitle_given;	/* Whether to override process title */
--- a/http.c
+++ b/http.c
@@ -149,6 +149,11 @@
 //	if( args_info.verbose_flag )
 //		message( "Data received from local proxy:\n");
 
+	if( args_info.buggyencryptproxy_flag && pts->ssl ) {
+		message( "Switching to non-SSL communication\n");
+		pts->ssl = 0;
+	}
+
 	/* Read the first line of the response and analyze it */
 	analyze_HTTP(pts);
 
--- a/proxytunnel.1
+++ b/proxytunnel.1
@@ -61,6 +61,12 @@
 .B \-E, \-\-encrypt-proxy
 Encrypt the data between the client and the local proxy using SSL.
 .TP
+.B \-B, \-\-buggy-encrypt-proxy
+Encrypt the data between the client and the local proxy using SSL,
+but stop using SSL immediately after the CONNECT exchange to workaround
+server bugs.  (Might not work on all setups;
+see /usr/share/doc/proxytunnel/README.Debian.gz for more details.)
+.TP
 .B \-X, \-\-encrypt-remproxy
 Encrypt the data between the local proxy and the second-level proxy
 using SSL.
--- a/proxytunnel.c
+++ b/proxytunnel.c
@@ -274,7 +274,7 @@
 
 #ifdef USE_SSL
 			/* If --encrypt-proxy is specified, connect to the proxy using SSL */
-			if ( args_info.encryptproxy_flag )
+			if ( args_info.encryptproxy_flag || args_info.buggyencryptproxy_flag )
 				stream_enable_ssl(stunnel);
 #endif /* USE_SSL */
 
@@ -385,9 +385,10 @@
 	/* Only one of -E/-e/-R can be specified. */
 	if ((args_info.encrypt_flag ? 1 : 0) +
 		(args_info.encryptproxy_flag ? 1 : 0) +
+		(args_info.buggyencryptproxy_flag ? 1 : 0) +
 		(args_info.encryptremproxy_flag ? 1 : 0) > 1)
 	{
-		message("Error: only one of --encrypt-proxy, --encrypt-remproxy and --encrypt can be specified for a tunnel\n");
+		message("Error: only one of --encrypt-proxy, --buggy-encrypt-proxy, --encrypt-remproxy and --encrypt can be specified for a tunnel\n");
 		exit( 1 );
 	}
 
@@ -410,7 +411,7 @@
 
 		/* If --encrypt-proxy is specified, connect to the proxy using SSL */
 #ifdef USE_SSL
-		if ( args_info.encryptproxy_flag )
+		if ( args_info.encryptproxy_flag || args_info.buggyencryptproxy_flag )
 			stream_enable_ssl(stunnel);
 #endif /* USE_SSL */
 
--- a/README
+++ b/README
@@ -34,6 +34,9 @@
  -d, --dest=STRING         Destination host:port combination
  -e, --encrypt             SSL encrypt data between local proxy and destination
  -E, --encrypt-proxy       SSL encrypt data between client and local proxy
+ -B, --buggy-encrypt-proxy Like --encrypt-proxy, but stop using SSL
+                           after CONNECT (might not work on all setups;
+                           see /usr/share/doc/proxytunnel/README.Debian.gz)
  -X, --encrypt-remproxy    Encrypt between 1st and 2nd proxy using SSL
 
 Additional options for specific features:
