--- a/sys/man/8/tlssrv
+++ b/sys/man/8/tlssrv
@@ -5,6 +5,10 @@ tlssrv, tlsclient, tlssrvtunnel, tlsclienttunnel \- TLS server and client
 .PP
 .B tlssrv
 [
+.B -T
+.I timeout
+]
+[
 .B -c
 .I cert.pem
 ]
@@ -50,6 +54,12 @@ file to establish an SSL or TLS connection before launching
 .I cmd
 .IR args ;
 a typical command might start the IMAP or HTTP server.
+A millisecond
+.I timeout
+for the TLS handshake phase can be set using the
+.B -T
+option.
+This can prevent clients from hogging connections.
 .I Cert.pem
 is the server certificate;
 .IR factotum (4)
--- a/sys/src/cmd/tlssrv.c
+++ b/sys/src/cmd/tlssrv.c
@@ -7,7 +7,7 @@
 enum{ BufSize = 8192 };
 char *remotesys, *logfile;
-int debug, p[2];
+int debug, p[2], timeout;
 void
 death(void *, char *)
@@ -105,7 +105,7 @@
 void
 usage(void)
 {
- fprint(2, "usage: tlssrv -c cert [-D] [-l logfile] [-r remotesys] [cmd args...]\n");
+ fprint(2, "usage: tlssrv -c cert [-D] [-T timeout] [-l logfile] [-r remotesys] [cmd args...]\n");
 fprint(2, " after auth/secretpem key.pem > /mnt/factotum/ctl\n");
 exits("usage");
 }
@@ -135,6 +135,9 @@
 case 'r':
 remotesys = EARGF(usage());
 break;
+ case 'T':
+ timeout = atoi(EARGF(usage()));
+ break;
 default:
 usage();
 }ARGEND
@@ -159,12 +162,16 @@
 fd = 1;
 if(debug > 1)
 fd = dumper(fd);
+ if(timeout)
+ alarm(timeout);
 fd = tlsServer(fd, conn);
 if(fd < 0){
 if(debug)
 reporter("failed: %r");
 exits(0);
 }
+ if(timeout)
+ alarm(0);
 reporter("open");
 if(argc > 0){
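Review bot: The `-T` value in the new `case 'T':` arm is parsed with `atoi`, so a non-numeric argument silently becomes 0 and leaves the handshake timeout switched off. A negative value is passed unchanged to `alarm(timeout)` in the later hunk, where it would presumably be treated as a very large interval. Because this option is the guard against clients holding connections open, a bad value should be rejected rather than ignored, for example `timeout = strtol(EARGF(usage()), &e, 10);` followed by `if(*e != 0 || timeout <= 0) usage();`, with a `char *e` declared in the function. The enclosing function and its ARGBEGIN block start outside the hunk.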
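Review bot: Nothing in this hunk records the event when the alarm armed before `tlsServer(fd, conn)` expires. The `reporter("failed: %r")` path runs only if `tlsServer` returns, and only when `debug` is set, so a handshake cut off by the timer may leave no log entry. How the alarm note is delivered depends on a handler registered outside the hunk (the file declares `death`, but its registration is not visible here), so that should be confirmed. A short comment above `alarm(timeout)` such as `/* alarm note ends a stalled handshake; see note handler */`, plus a log line naming `remotesys` on that path, would let operators see peers that repeatedly stall handshakes. The timer also covers the handshake only, so an idle connection after `reporter("open")` is not bounded by it.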