add test to confirm that closing the connection on handshake error (tlsConn.Close()) is necessary

Author: peterguy

internal/api/proxy_test.go

@@ -291,6 +291,53 @@ func TestWithProxyTransport_HTTPSProxy_HTTP2ToOrigin(t *testing.T) {
 	}
 }
 
+func TestWithProxyTransport_HandshakeFailureClosesConn(t *testing.T) {
+	// Verify that when the TLS handshake to the origin fails, the underlying
+	// tunnel connection is closed (regression test for tlsConn.Close on error).
+	//
+	// A plain TCP listener acts as the target. The proxy CONNECT succeeds
+	// (TCP-level), but the subsequent TLS handshake fails because the target
+	// is not a TLS server. If handshakeTLS properly closes tlsConn on failure,
+	// the tunnel tears down and the target sees the connection close.
+	connClosed := make(chan struct{})
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("listen: %v", err)
+	}
+	defer ln.Close()
+
+	go func() {
+		conn, err := ln.Accept()
+		if err != nil {
+			return
+		}
+		defer conn.Close()
+		// Send non-TLS bytes so the client handshake fails immediately
+		// rather than waiting for a timeout.
+		conn.Write([]byte("not-tls\n"))
+		// Drain until the remote side closes the tunnel.
+		io.Copy(io.Discard, conn)
+		close(connClosed)
+	}()
+
+	proxyURL, _ := startProxy(t, true)
+	transport := withProxyTransport(newTestTransport(), proxyURL, "")
+	t.Cleanup(transport.CloseIdleConnections)
+	client := &http.Client{Transport: transport, Timeout: 5 * time.Second}
+
+	_, err = client.Get("https://" + ln.Addr().String())
+	if err == nil {
+		t.Fatal("expected TLS handshake error, got nil")
+	}
+
+	select {
+	case <-connClosed:
+		// Connection was properly cleaned up.
+	case <-time.After(5 * time.Second):
+		t.Fatal("connection was not closed after TLS handshake failure")
+	}
+}
+
 func TestWithProxyTransport_ProxyRejectsConnect(t *testing.T) {
 	tests := []struct {
 		name       string