From 631e97cbcf0248bbdced99a88c3a2bcf1fabb955 Mon Sep 17 00:00:00 2001
From: Ryan Whitworth
Date: Sat, 28 Mar 2026 15:54:14 -0400
Subject: [PATCH] fix(server): add 10s timeout to TLS handshake
---
 crates/openshell-server/src/lib.rs | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/crates/openshell-server/src/lib.rs b/crates/openshell-server/src/lib.rs
index e827b3628..98fc76919 100644
--- a/crates/openshell-server/src/lib.rs
+++ b/crates/openshell-server/src/lib.rs
@@ -206,19 +206,27 @@ pub async fn run_server(config: Config, tracing_log_bus: TracingLogBus) -> Resul
 if let Some(ref acceptor) = tls_acceptor {
 let tls_acceptor = acceptor.clone();
 tokio::spawn(async move {
- match tls_acceptor.inner().accept(stream).await {
- Ok(tls_stream) => {
+ match tokio::time::timeout(
+ std::time::Duration::from_secs(10),
+ tls_acceptor.inner().accept(stream),
+ )
+ .await
+ {
+ Ok(Ok(tls_stream)) => {
 if let Err(e) = service.serve(tls_stream).await {
 error!(error = %e, client = %addr, "Connection error");
 }
 }
- Err(e) => {
+ Ok(Err(e)) => {
 if is_benign_tls_handshake_failure(&e) {
 debug!(error = %e, client = %addr, "TLS handshake closed early");
 } else {
 error!(error = %e, client = %addr, "TLS handshake failed");
 }
 }
+ Err(_) => {
+ debug!(client = %addr, "TLS handshake timed out");
+ }
 }
 });
 } else {
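Review bot: The new `Err(_)` timeout arm logs at `debug!`, so at typical production log levels a burst of stalled handshakes, which is the condition this timeout exists to cut short, would leave no record for whoever investigates connection exhaustion. Consider `warn!(client = %addr, "TLS handshake timed out");` (or a counter, if per-connection warnings would be too noisy), assuming `warn!` is available alongside the `debug!`/`error!` macros used here. The 10-second limit is also an inline literal; a named constant such as `const TLS_HANDSHAKE_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(10);` with a one-line comment on why it exists would make it easier to find and tune. The timeout bounds how long one stalled peer holds a spawned task, not how many can do so at once; the accept loop and the plaintext `else` branch of `run_server` are outside this hunk, so whether they are capped or timed is not visible here.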