Proposed Changes

This PR tightens timeout enforcement during cipher enumeration to prevent indefinite hangs in both ctls and ztls paths.

What changed

  • pkg/tlsx/tls/tls.go
    • Uses per-cipher timeout context (context.WithTimeout) when options.Timeout is set.
    • Uses HandshakeContext so timeout is honored during TLS handshake.
    • Uses cloned TLS config per iteration before setting CipherSuites.
  • pkg/tlsx/ztls/ztls.go
    • Uses per-cipher timeout context for pool acquire + handshake.
    • tlsHandshakeWithTimeout now runs handshake in goroutine and exits on context cancellation.
    • On timeout, sets connection deadline to unblock pending handshake I/O.
    • Uses cloned config per cipher iteration.
  • pkg/tlsx/ztls/timeout_test.go
    • Adds regression test proving context deadline is enforced (TestTLSHandshakeWithTimeout_ContextDeadline).

Proof

Focused local verification:

go test ./pkg/tlsx/ztls -run TestTLSHandshakeWithTimeout_ContextDeadline -count=1
# ok
go test ./pkg/tlsx/tls -run TestNonExistent -count=1
# ok (compile check for changed ctls path)

Checklist

  • PR created against correct branch
  • Tests added/updated for fix behavior
  • Focused verification run locally
  • No unrelated changes

/claim #819

Summary by CodeRabbit

  • Bug Fixes

    • Improved TLS handshake timeout enforcement and per-connection cleanup to reduce hangs and improve reliability of TLS interactions.
    • More reliable per-cipher handshake handling and clearer error reporting during TLS negotiations.
  • Tests

    • Added test coverage validating TLS handshake timeout behavior and timing bounds.
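The goroutine-plus-deadline pattern described above for the ztls path, combined with the per-cipher cloned config and timeout context, as an added example that is not the PR's or the project's code. It assumes the standard library's crypto/tls in place of ztls and a net.Pipe peer that never reads as a constructed stand-in for a stalled server; handshakeWithTimeout, probeCipher and stalledPeerElapsed are hypothetical names.

```go
package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"net"
	"time"
)

// handshakeWithTimeout runs a blocking handshake in a goroutine. When ctx
// expires it sets an immediate deadline on conn so the pending read/write
// inside the handshake fails and the goroutine exits instead of leaking.
func handshakeWithTimeout(ctx context.Context, conn net.Conn, handshake func() error) error {
	done := make(chan error, 1) // buffered: the goroutine never blocks on send
	go func() { done <- handshake() }()
	select {
	case err := <-done:
		return err
	case <-ctx.Done():
		_ = conn.SetDeadline(time.Now()) // unblock pending handshake I/O
		<-done                           // wait for the goroutine to finish
		return ctx.Err()
	}
}

// probeCipher tries one cipher suite with a cloned config and its own timeout.
func probeCipher(base *tls.Config, conn net.Conn, cipher uint16, timeout time.Duration) error {
	cfg := base.Clone() // never mutate the shared config between iterations
	cfg.CipherSuites = []uint16{cipher}
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	return handshakeWithTimeout(ctx, conn, tls.Client(conn, cfg).Handshake)
}

// stalledPeerElapsed probes a constructed peer that never reads or writes.
func stalledPeerElapsed(timeout time.Duration) (time.Duration, error) {
	client, server := net.Pipe() // unbuffered: the ClientHello write blocks
	defer func() { client.Close(); server.Close() }()
	// TLS 1.2 cap (assumption): CipherSuites does not restrict TLS 1.3 suites.
	base := &tls.Config{ServerName: "example.invalid", MaxVersion: tls.VersionTLS12}
	start := time.Now()
	err := probeCipher(base, client, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, timeout)
	return time.Since(start), err
}

func main() {
	took, err := stalledPeerElapsed(200 * time.Millisecond)
	fmt.Println(err == context.DeadlineExceeded, took < 2*time.Second)
}
```

Without the SetDeadline call the select would still return on time, but the handshake goroutine would stay blocked on the connection until something else closed it.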

Claim

Total prize pool $1,324
Total paid $0
Status Pending
Submitted February 20, 2026
Last updated February 20, 2026

Contributors

dahu8194-gmail-com

@dahu8194-gmail-com

100%

Sponsors

youssefosama3820009-commits

@youssefosama3820009-commits

$1,224

ProjectDiscovery

@projectdiscovery

$100