From c032160262ad8f781e34cbdd9eed814ff1a09c8e Mon Sep 17 00:00:00 2001
From: Anton Miniailo
Date: Tue, 22 Aug 2023 20:03:22 -0300
Subject: [PATCH] Issue certficate for desktop connection before actual connection

Before this we initiated connection first, then tried to issue certificate, which could require MFA check and that would lead to timeout in multiplexer, since there was no data on the connection while user was doing MFA check.
---
 lib/web/desktop.go | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/lib/web/desktop.go b/lib/web/desktop.go
index 28f3a41acb9be..1a66d364d18b9 100644
--- a/lib/web/desktop.go
+++ b/lib/web/desktop.go
@@ -168,6 +168,18 @@ func (h *Handler) createDesktopConnection(
 		validServiceIDs[i], validServiceIDs[j] = validServiceIDs[j], validServiceIDs[i]
 	})
+	pc, err := proxyClient(r.Context(), sctx, h.ProxyHostPort(), username, h.cfg.PROXYSigner)
+	if err != nil {
+		return sendTDPError(trace.Wrap(err))
+	}
+	defer pc.Close()
+
+	// Issue certificate for TLS config and pass MFA check if required.
+	tlsConfig, err := desktopTLSConfig(r.Context(), ws, pc, sctx, desktopName, username, site.GetName())
+	if err != nil {
+		return sendTDPError(err)
+	}
+
 	clientSrcAddr, clientDstAddr := utils.ClientAddrFromContext(r.Context())
 	c := &connector{
@@ -183,16 +195,6 @@ func (h *Handler) createDesktopConnection(
 	}
 	defer serviceConn.Close()
-	pc, err := proxyClient(r.Context(), sctx, h.ProxyHostPort(), username, h.cfg.PROXYSigner)
-	if err != nil {
-		return sendTDPError(trace.Wrap(err))
-	}
-	defer pc.Close()
-
-	tlsConfig, err := desktopTLSConfig(r.Context(), ws, pc, sctx, desktopName, username, site.GetName())
-	if err != nil {
-		return sendTDPError(err)
-	}
 	serviceConnTLS := tls.Client(serviceConn, tlsConfig)
 	if err := serviceConnTLS.HandshakeContext(r.Context()); err != nil {
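Review bot: The ordering this commit introduces is load-bearing, but the only record of why lives in the commit message; the comment on the added `tlsConfig` line should state that certificate issuance may block on an MFA ceremony and therefore must run before the desktop service is dialed, otherwise a later refactor can move it back and reintroduce the multiplexer timeout. I would replace the one-line comment with `// Issue the certificate (which may block on an MFA check) before dialing the desktop service, so the idle multiplexed connection does not time out while the user completes MFA.` The two added error paths are also inconsistent: a `proxyClient` failure is passed through `trace.Wrap` while a `desktopTLSConfig` failure reaches `sendTDPError` bare, so the second loses the call-site trace unless `desktopTLSConfig` already wraps internally. Because issuance now precedes the dial, the gap between issuing the certificate and the TLS handshake on `serviceConnTLS` grows by the dial time; presumably the certificate TTL covers this comfortably, but it is worth confirming. `createDesktopConnection` starts and ends outside both hunks, and the second hunk only removes the same block from its old position.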