Skip to content

Fix zombie connection when TLS handshake fails in HTTP proxy #1049

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
baizhufbb wants to merge 4 commits into
base: master
Choose a base branch
from
+104 −8
Open

Fix zombie connection when TLS handshake fails in HTTP proxy #1049

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
204ec92
Fix zombie connection when TLS handshake fails in HTTP proxy
baizhufbb Dec 31, 2025
30789fc
Fix sync version: Add try-except for TLS handshake failure
baizhufbb Dec 31, 2025
00b33c3
Fix kwargs definition in sync version
baizhufbb Dec 31, 2025
35ddb37
Add test coverage for proxy TLS handshake failure
baizhufbb Jan 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 9 additions & 3 deletions httpcore/_async/http_proxy.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -312,9 +312,15 @@ async def handle_async_request(self, request: Request) -> Response:
"server_hostname": self._remote_origin.host.decode("ascii"),
"timeout": timeout,
}
async with Trace("start_tls", logger, request, kwargs) as trace:
stream = await stream.start_tls(**kwargs)
trace.return_value = stream
try:
async with Trace("start_tls", logger, request, kwargs) as trace:
stream = await stream.start_tls(**kwargs)
trace.return_value = stream
except Exception:
# Close the underlying connection when TLS handshake fails to avoid
# zombie connections occupying the connection pool
await self._connection.aclose()
raise

# Determine if we should be using HTTP/1.1 or HTTP/2
ssl_object = stream.get_extra_info("ssl_object")
Expand Down
12 changes: 9 additions & 3 deletions httpcore/_sync/http_proxy.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -312,9 +312,15 @@ def handle_request(self, request: Request) -> Response:
"server_hostname": self._remote_origin.host.decode("ascii"),
"timeout": timeout,
}
with Trace("start_tls", logger, request, kwargs) as trace:
stream = stream.start_tls(**kwargs)
trace.return_value = stream
try:
with Trace("start_tls", logger, request, kwargs) as trace:
stream = stream.start_tls(**kwargs)
trace.return_value = stream
except Exception:
# Close the underlying connection when TLS handshake fails to avoid
# zombie connections occupying the connection pool
self._connection.close()
raise

# Determine if we should be using HTTP/1.1 or HTTP/2
ssl_object = stream.get_extra_info("ssl_object")
Expand Down
44 changes: 43 additions & 1 deletion tests/_async/test_http_proxy.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -224,7 +224,7 @@ async def test_proxy_tunneling_with_403():
"""
network_backend = AsyncMockBackend(
[
b"HTTP/1.1 403 Permission Denied\r\n" b"\r\n",
b"HTTP/1.1 403 Permission Denied\r\n\r\n",
]
)

Expand Down Expand Up @@ -276,3 +276,45 @@ def test_proxy_headers():
assert proxy.headers == [
(b"Proxy-Authorization", b"Basic dXNlcm5hbWU6cGFzc3dvcmQ=")
]


@pytest.mark.anyio
async def test_proxy_tunneling_tls_error():
"""
Send an HTTPS request via a proxy, but the TLS handshake fails.
"""

class BrokenTLSStream(AsyncMockStream):
async def start_tls(
self,
ssl_context: ssl.SSLContext,
server_hostname: typing.Optional[str] = None,
timeout: typing.Optional[float] = None,
) -> AsyncNetworkStream:
raise OSError("TLS Failure")

class BrokenTLSBackend(AsyncMockBackend):
async def connect_tcp(
self,
host: str,
port: int,
timeout: typing.Optional[float] = None,
local_address: typing.Optional[str] = None,
socket_options: typing.Optional[typing.Iterable[SOCKET_OPTION]] = None,
) -> AsyncNetworkStream:
return BrokenTLSStream(list(self._buffer))

network_backend = BrokenTLSBackend(
[
b"HTTP/1.1 200 OK\r\n\r\n",
]
)

async with AsyncConnectionPool(
proxy=Proxy("http://localhost:8080/"),
network_backend=network_backend,
) as proxy:
with pytest.raises(OSError, match="TLS Failure"):
await proxy.request("GET", "https://example.com/")

assert not proxy.connections
44 changes: 43 additions & 1 deletion tests/_sync/test_http_proxy.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -224,7 +224,7 @@ def test_proxy_tunneling_with_403():
"""
network_backend = MockBackend(
[
b"HTTP/1.1 403 Permission Denied\r\n" b"\r\n",
b"HTTP/1.1 403 Permission Denied\r\n\r\n",
]
)

Expand Down Expand Up @@ -276,3 +276,45 @@ def test_proxy_headers():
assert proxy.headers == [
(b"Proxy-Authorization", b"Basic dXNlcm5hbWU6cGFzc3dvcmQ=")
]



def test_proxy_tunneling_tls_error():
"""
Send an HTTPS request via a proxy, but the TLS handshake fails.
"""

class BrokenTLSStream(MockStream):
def start_tls(
self,
ssl_context: ssl.SSLContext,
server_hostname: typing.Optional[str] = None,
timeout: typing.Optional[float] = None,
) -> NetworkStream:
raise OSError("TLS Failure")

class BrokenTLSBackend(MockBackend):
def connect_tcp(
self,
host: str,
port: int,
timeout: typing.Optional[float] = None,
local_address: typing.Optional[str] = None,
socket_options: typing.Optional[typing.Iterable[SOCKET_OPTION]] = None,
) -> NetworkStream:
return BrokenTLSStream(list(self._buffer))

network_backend = BrokenTLSBackend(
[
b"HTTP/1.1 200 OK\r\n\r\n",
]
)

with ConnectionPool(
proxy=Proxy("http://localhost:8080/"),
network_backend=network_backend,
) as proxy:
with pytest.raises(OSError, match="TLS Failure"):
proxy.request("GET", "https://example.com/")

assert not proxy.connections