fix #4551 (#4594)

mitmproxy/proxy/layers/tls.py

@@ -393,6 +393,11 @@ class ClientTLSLayer(_TLSLayer):
             err = f"The client may not trust the proxy's certificate for {dest} ({err})"
         yield commands.Log(f"Client TLS handshake failed. {err}", level="warn")
         yield from super().on_handshake_error(err)
+        self.event_to_child = self.errored  # type: ignore
+
+    def errored(self, event: events.Event) -> layer.CommandGenerator[None]:
+        if self.debug is not None:
+            yield commands.Log(f"Swallowing {event} as handshake failed.", "debug")
 
 
 class MockTLSLayer(_TLSLayer):

test/helper_tools/loggrep.py

@@ -0,0 +1,16 @@
+#!/usr/bin/env python3
+import fileinput
+import sys
+
+if __name__ == "__main__":
+    if len(sys.argv) < 3:
+        print(f"Usage: {sys.argv[0]} port filenames")
+        sys.exit()
+
+    port = sys.argv[1]
+    matches = False
+    for line in fileinput.input(sys.argv[2:]):
+        if line.startswith("["):
+            matches = port in line
+        if matches:
+            print(line, end="")

test/mitmproxy/proxy/layers/test_tls.py

@@ -476,6 +476,15 @@ class TestClientTLS:
         )
         assert not tctx.client.tls_established
 
+        # Make sure that an active server connection does not cause child layers to spawn.
+        client_layer.debug = ""
+        assert (
+            playbook
+            >> events.DataReceived(Server(None), b"data on other stream")
+            << commands.Log(">> DataReceived(server, b'data on other stream')", 'debug')
+            << commands.Log("Swallowing DataReceived(server, b'data on other stream') as handshake failed.", "debug")
+        )
+
     def test_mitmproxy_ca_is_untrusted(self, tctx: context.Context):
         """Test the scenario where the client doesn't trust the mitmproxy CA."""
         playbook, client_layer, tssl_client = make_client_tls_layer(tctx, sni=b"wrong.host.mitmproxy.org")