From 217641d0ef7ca8e020152f0574067e23e2d70a5a Mon Sep 17 00:00:00 2001
From: Daniel Dolezal <d.dolezal97@protonmail.com>
Date: Sun, 3 May 2026 11:43:27 +0200
Subject: [PATCH] fix: auto-wrap TLS for port 443 in _send_remote
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Port 443 → ssl.create_default_context().wrap_socket() before the
challenge handshake so Traefik TCP routers with TLS termination work.
Other ports stay plain TCP.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 browser_cli/client.py | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/browser_cli/client.py b/browser_cli/client.py
index 24844fb..9dca4b5 100644
--- a/browser_cli/client.py
+++ b/browser_cli/client.py
@@ -242,9 +242,21 @@ def _send_remote(endpoint: str, msg: dict, private_key=None) -> bytes | None:
     host, _, port_str = endpoint.rpartition(":")
     if not host or not port_str:
         raise BrowserNotConnected(f"Invalid remote endpoint '{endpoint}': expected host:port")
-    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
-        sock.settimeout(30)
-        sock.connect((host, int(port_str)))
+    port = int(port_str)
+    raw_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    raw_sock.settimeout(30)
+    try:
+        raw_sock.connect((host, port))
+        if port == 443:
+            import ssl
+            ctx = ssl.create_default_context()
+            sock = ctx.wrap_socket(raw_sock, server_hostname=host)
+        else:
+            sock = raw_sock
+    except Exception:
+        raw_sock.close()
+        raise
+    with sock:
 
         # receive challenge
         challenge_raw = _recv_all(sock)