Apply connect_timeout also to TLS handshake

When out_forward plugin uses TLS transport, if the TLS handshake takes
a long time or hangs, the flusher (or event_loop for heartbeat) thread
waits forever even though connect_timeout is specified.

This fixes the problem by applying connect_timeout to TLS handshake.
To avoid breaking environments configured to use the short connect_timeout,
the TCP connection time is counted independently of the TLS handshake time.

Signed-off-by: Tomoki Sekiyama <[email protected]>

lib/fluent/plugin_helper/socket.rb

@@ -96,6 +96,7 @@ def socket_create_tls(
           enable_system_cert_store: true, allow_self_signed_cert: false, cert_paths: nil,
           cert_path: nil, private_key_path: nil, private_key_passphrase: nil,
           cert_thumbprint: nil, cert_logical_store_name: nil, cert_use_enterprise_store: true,
+          connect_timeout: nil,
           **kwargs, &block)
 
         host_is_ipaddress = IPAddr.new(host) rescue false
@@ -158,13 +159,23 @@ def socket_create_tls(
         end
         Fluent::TLS.set_version_to_context(context, version, min_version, max_version)
 
-        tcpsock = socket_create_tcp(host, port, **kwargs)
+        tcpsock = socket_create_tcp(host, port, connect_timeout: connect_timeout, **kwargs)
         sock = WrappedSocket::TLS.new(tcpsock, context)
         sock.sync_close = true
         sock.hostname = fqdn if verify_fqdn && fqdn && sock.respond_to?(:hostname=)
 
         log.trace "entering TLS handshake"
-        sock.connect
+        if connect_timeout
+          begin
+            Timeout.timeout(connect_timeout) { sock.connect }
+          rescue Timeout::Error
+            log.warn "timeout while connecting tls session", host: host
+            sock.close rescue nil
+            raise
+          end
+        else
+          sock.connect
+        end
 
         begin
           if verify_fqdn