fix(tcpclient, iostream): close SSLIOStream on TLS handshake timeout to prevent fd leak

[armorbreak001]

Problem (tornado#3614)

When TCPClient.connect() is called with both ssl_options and timeout, a TLS handshake timeout causes permanent file descriptor leak.

Root Cause

start_tls() transfers socket ownership in three steps:

1. Extract raw socket from original IOStream → self.socket = None
2. Wrap in SSL → create new SSLIOStream (local variable only)
3. Return Future[SSLIOStream] that resolves when handshake completes

When gen.with_timeout() fires:

• Caller gets TimeoutError
• Original stream's .socket is already None → close() is no-op
• The SSLIOStream (holding the real fd) is only reachable through the inner Future
• gen.with_timeout explicitly does not cancel the wrapped Future
• SSLIOStream stays on IOLoop forever → fd leaked permanently

Impact

Every timed-out TLS connection leaks one file descriptor. Long-running services that retry connections (e.g. HTTP clients with short timeouts) will eventually hit the OS fd limit (EMFILE / "too many open files").

Fix

Two files, minimal change:

tornado/iostream.py

In start_tls(): store the SSLIOStream as self._tls_stream before returning the future.

self._tls_stream = ssl_stream  # Keep reference for timeout cleanup

tornado/tcpclient.py

In connect(): on TimeoutError during start_tls(), close _tls_stream.

except gen.TimeoutError:
    tls_stream = getattr(stream, "_tls_stream", None)
    if tls_stream is not None:
        tls_stream.close()
        stream._tls_stream = None
    raise

Testing

New test: TestTLSHandshakeTimeoutCleanup.test_tls_handshake_timeout_closes_stream

• Opens TCP server socket (no TLS accept)
• Calls TCPClient.connect() with SSL + 0.01s timeout
• Expects TimeoutError
• Verifies no fd leaked via /proc/self/fd count

All existing tests pass:

• tcpclient_test.py: ✅ 27 passed, 4 skipped
• iostream_test.py: ✅ 142 passed, 61 skipped

Fixes #3614