If TLS fails, then close the socket (#475)

lovelydinosaur · web-flow · commit da99b468325c · 2022-01-05T13:29:31.000Z
diff --git a/httpcore/backends/asyncio.py b/httpcore/backends/asyncio.py
@@ -58,14 +58,18 @@ async def start_tls(
             anyio.BrokenResourceError: ConnectError,
         }
         with map_exceptions(exc_map):
-            with anyio.fail_after(timeout):
-                ssl_stream = await anyio.streams.tls.TLSStream.wrap(
-                    self._stream,
-                    ssl_context=ssl_context,
-                    hostname=server_hostname,
-                    standard_compatible=False,
-                    server_side=False,
-                )
+            try:
+                with anyio.fail_after(timeout):
+                    ssl_stream = await anyio.streams.tls.TLSStream.wrap(
+                        self._stream,
+                        ssl_context=ssl_context,
+                        hostname=server_hostname,
+                        standard_compatible=False,
+                        server_side=False,
+                    )
+            except Exception as exc:  # pragma: nocover
+                await self.aclose()
+                raise exc
         return AsyncIOStream(ssl_stream)
 
     def get_extra_info(self, info: str) -> typing.Any:
diff --git a/httpcore/backends/sync.py b/httpcore/backends/sync.py
@@ -47,8 +47,14 @@ def start_tls(
     ) -> NetworkStream:
         exc_map = {socket.timeout: ConnectTimeout, socket.error: ConnectError}
         with map_exceptions(exc_map):
-            self._sock.settimeout(timeout)
-            sock = ssl_context.wrap_socket(self._sock, server_hostname=server_hostname)
+            try:
+                self._sock.settimeout(timeout)
+                sock = ssl_context.wrap_socket(
+                    self._sock, server_hostname=server_hostname
+                )
+            except Exception as exc:  # pragma: nocover
+                self.close()
+                raise exc
         return SyncStream(sock)
 
     def get_extra_info(self, info: str) -> typing.Any:
diff --git a/httpcore/backends/trio.py b/httpcore/backends/trio.py
@@ -61,8 +61,12 @@ async def start_tls(
             server_side=False,
         )
         with map_exceptions(exc_map):
-            with trio.fail_after(timeout_or_inf):
-                await ssl_stream.do_handshake()
+            try:
+                with trio.fail_after(timeout_or_inf):
+                    await ssl_stream.do_handshake()
+            except Exception as exc:  # pragma: nocover
+                await self.aclose()
+                raise exc
         return TrioStream(ssl_stream)
 
     def get_extra_info(self, info: str) -> typing.Any:
