From 5cdf57ffb9f3628366df17c77f7556b13469f1ce Mon Sep 17 00:00:00 2001
From: Sergey Nazaryev
Date: Sun, 21 Sep 2025 20:42:55 +0300
Subject: [PATCH] Implement simple TLS handshake timeout for OpenSSL

Fixes #819

Signed-off-by: Sergey Nazaryev
---
 openssl.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/openssl.c b/openssl.c
index 761cb034e..cb48576a2 100644
--- a/openssl.c
+++ b/openssl.c
@@ -2026,6 +2026,11 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 while ((err = SSL_connect(https_ssl)) <= 0) {
 fd_set wr_set, rd_set;
 int maxfd = ssl_sock;
+ struct timeval timeout;
+
+ /* Aligned with DEFAULT_HANDSHAKE_TIMEOUT_MS from GnuTLS 3.8.10 */
+ timeout.tv_sec = 40;
+ timeout.tv_usec = 0;
 FD_ZERO(&wr_set);
 FD_ZERO(&rd_set);
@@ -2044,8 +2049,14 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 }
 cmd_fd_set(vpninfo, &rd_set, &maxfd);
- select(maxfd + 1, &rd_set, &wr_set, NULL, NULL);
- if (is_cancel_pending(vpninfo, &rd_set)) {
+ err = select(maxfd + 1, &rd_set, &wr_set, NULL, &timeout);
+ if (err == 0) {
+ vpn_progress(vpninfo, PRG_ERR, _("SSL connection failure: %s\n"),
+ strerror(ETIMEDOUT));
+ SSL_free(https_ssl);
+ closesocket(ssl_sock);
+ return -EIO;
+ } else if (is_cancel_pending(vpninfo, &rd_set)) {
 vpn_progress(vpninfo, PRG_ERR, _("SSL connection cancelled\n"));
 SSL_free(https_ssl);
 closesocket(ssl_sock);
-- 
GitLab
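Review bot: The 40-second `timeout` is re-initialised at the top of every pass of the `while ((err = SSL_connect(https_ssl)) <= 0)` loop, so it bounds each individual `select()` wait rather than the handshake as a whole. A peer that delivers a handshake fragment shortly before each wait expires, or any wake-up on the descriptor added by `cmd_fd_set()`, restarts the full 40 seconds, so a stalling server can still keep the client in this loop with no upper bound; the comment's reference to the GnuTLS handshake timeout (as far as I know a budget for the whole handshake) suggests a total limit was intended. Consider computing a deadline once before the loop and setting `timeout.tv_sec` to the remaining time on each pass, treating an already-expired deadline as the timeout case. The literal 40 would also read better as a named constant next to the comment. The loop body and the function continue outside this hunk.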
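Review bot: The result of the new `err = select(...)` is only compared with 0, so a negative return (an interrupted or failed call) falls through to `is_cancel_pending()` with fd sets that `select()` did not update. After an interruption the loop simply starts a fresh 40-second wait, and a persistent failure such as an invalid descriptor would presumably spin until `SSL_connect()` itself gives up. Add a branch such as `else if (err < 0 && errno != EINTR)` that logs and takes the same `SSL_free()`/`closesocket()` exit, using the socket-error equivalent where this path is built for Windows. The timeout branch also logs `ETIMEDOUT` but returns `-EIO`; returning `-ETIMEDOUT` would let callers tell a timeout from other I/O failures, provided no caller depends on `-EIO` (callers are not visible here). The enclosing loop and function start and end outside the hunk.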