Add timeout to ACME-TLS/1 challenge handshake

Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
2026-01-08 16:16:05 +01:00 · 2026-01-08 16:16:05 +01:00 · e9f3089e90
commit e9f3089e90
parent 47d7094dfb
2 changed files with 70 additions and 1 deletions
--- a/pkg/server/router/tcp/router_test.go
+++ b/pkg/server/router/tcp/router_test.go
@ -679,6 +679,64 @@ func Test_Routing(t *testing.T) {
 	}
 }

+func Test_Router_acmeTLSALPNHandlerTimeout(t *testing.T) {
+	router, err := NewRouter()
+	require.NoError(t, err)
+
+	router.httpsTLSConfig = &tls.Config{}
+
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+
+	acceptCh := make(chan struct{}, 1)
+	go func() {
+		close(acceptCh)
+
+		conn, err := listener.Accept()
+		require.NoError(t, err)
+
+		defer listener.Close()
+
+		router.acmeTLSALPNHandler().
+			ServeTCP(conn.(*net.TCPConn))
+	}()
+
+	<-acceptCh
+
+	conn, err := net.DialTimeout("tcp", listener.Addr().String(), 2*time.Second)
+	require.NoError(t, err)
+
+	// This is a minimal truncated Client Hello message
+	// to simulate a hanging connection during TLS handshake.
+	clientHello := []byte{
+		// TLS Record Header
+		0x16,       // Content Type: Handshake
+		0x03, 0x01, // Version: TLS 1.0 (for compatibility)
+		0x00, 0x50, // Length: 80 bytes
+	}
+
+	_, err = conn.Write(clientHello)
+	require.NoError(t, err)
+
+	errCh := make(chan error, 1)
+	go func() {
+		// This will return an EOF as the acmeTLSALPNHandler will close the connection
+		// after a timeout during the TLS handshake.
+		b := make([]byte, 256)
+		_, err = conn.Read(b)
+
+		errCh <- err
+	}()
+
+	select {
+	case err := <-errCh:
+		assert.ErrorIs(t, err, io.EOF)
+
+	case <-time.After(3 * time.Second):
+		t.Fatal("Error: Timeout waiting for acmeTLSALPNHandler to close the connection")
+	}
+}
+
 // routerTCPCatchAll configures a TCP CatchAll No TLS - HostSNI(`*`) router.
 func routerTCPCatchAll(conf *runtime.Configuration) {
 	conf.TCPRouters["tcp-catchall"] = &runtime.TCPRouterInfo{