Close proxy connection when tunnel TLS handshake fails

[mbeijen]

Summary

When an HTTP CONNECT proxy tunnel is established but the subsequent TLS handshake with the remote server fails, the underlying TCP connection to the proxy is left in ACTIVE state and never removed from the pool. The pool eventually hits max_connections and stalls forever.

This PR wraps the start_tls() call in AsyncTunnelHTTPConnection.handle_async_request() (and its sync twin) in a try/except, so any exception during TLS setup triggers an aclose() on the CONNECT connection — returning it to a closed state the pool can discard.

Ports encode/httpcore#1049 (baizhu), via codeberg.org/httpxyz/httpcorexyz@b192486.

Notes

• Only _async/http_proxy.py and tests/httpcore2/_async/test_http_proxy.py were edited by hand; the _sync/ counterparts were regenerated by scripts/unasync.py.
• Added test_proxy_tunneling_tls_error, which uses a BrokenTLSStream that raises OSError from start_tls(). The test asserts that the request fails and that proxy.connections is empty afterwards (i.e. the leaked connection is gone). 100% coverage preserved.

---

Note: this change was prepared with AI assistance (Claude Code).

[codspeed-hq]

Merging this PR will not alter performance

✅ 15 untouched benchmarks
⏩ 7 skipped benchmarks¹

---

_{Comparing mbeijen:fix/proxy-tunnel-tls-close (a5a21a5) with main (04f3804)}

Footnotes

1. 7 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[cubic-dev-ai]

No issues found across 4 files

_{Re-trigger cubic}