--- a/sys/src/cmd/ip/httpd/httpd.c
+++ b/sys/src/cmd/ip/httpd/httpd.c
@@ -8,6 +8,7 @@
 
 enum {
 	Nbuckets	= 256,
+	HandshakeTimeout = 30*1000,	/* ms allowed for the TLS handshake */
 };
 
 typedef struct Strings		Strings;
@@ -310,7 +311,11 @@ dolisten(char *address)
 				conn.certlen = certlen;
 				if (certchain != nil)
 					conn.chain = certchain;
+				/* time out a stalled handshake; the alarm note kills
+				 * this per-connection child, like parsereq's timeout */
+				alarm(HandshakeTimeout);
 				data = tlsServer(data, &conn);
+				alarm(0);
 				scheme = "https";
 			}else
 				scheme = "http";