OK, I see how it works. You’ve disabled w3_is_https() in inc/define.php.
Weighing the probability of your implementing a proper MTM check vs. the number of people who are running sites with self-signed, expired, or otherwise compromised certs, wouldn’t it make sense to put the old logic back in and maybe put a warning in the config pages about how it doesn’t prevent MTM attacks?
