BackgroundJobRunner stored active jobs in a Vec<BoxFuture> and polled
ALL of them on every wakeup — O(n) per poll. Since this runs in the
same tokio::select! as the WebServer accept loop, polling overhead from
active connections directly delayed acceptance of new connections.
FuturesUnordered only polls woken futures — O(woken) instead of O(n).

Two issues in TlsListener::poll_accept:
1. No timeout on TLS handshakes: LazyConfigAcceptor waits indefinitely
for ClientHello. Attackers that complete the TCP handshake but never send
TLS data create zombie futures in `in_progress` that never complete.
Fix: wrap the entire handshake in tokio::time::timeout(15s).
2. Missing waker on new-connection pending path: when a TCP connection
is accepted and the TLS handshake is pending, poll_accept returned
Pending without calling wake_by_ref(). Since the TcpListener returned
Ready (not Pending), no waker was registered for it. With edge-
triggered epoll and no other wakeup source, the task sleeps forever
and remaining connections in the kernel accept queue are never
drained. Fix: add cx.waker().wake_by_ref() so the task immediately
re-polls and continues draining the accept queue.
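
The missing-waker stall from item 2, reproduced as an added std-only example; it is not code from this commit or project. `MockTlsListener`, `Flag` and `drain` are hypothetical names, the accept queue is modelled as a `VecDeque`, and handshakes are assumed never to complete (a client that sends no ClientHello).

```rust
use std::collections::VecDeque;
use std::sync::atomic::{AtomicBool, Ordering};
use std::sync::Arc;
use std::task::{Context, Poll, Wake, Waker};

// Constructed model: `backlog` stands in for the kernel accept queue,
// `in_progress` for TLS handshakes that have started but not finished.
struct MockTlsListener {
    backlog: VecDeque<u32>,
    in_progress: Vec<u32>,
    wake_on_new_conn: bool, // false models the behaviour before the fix
}

impl MockTlsListener {
    fn poll_accept(&mut self, cx: &mut Context<'_>) -> Poll<u32> {
        // The TCP accept was Ready, so the listener registered no waker for us.
        if let Some(conn) = self.backlog.pop_front() {
            // The handshake for this connection is pending.
            self.in_progress.push(conn);
            if self.wake_on_new_conn {
                cx.waker().wake_by_ref(); // the fix: request an immediate re-poll
            }
        }
        Poll::Pending
    }
}

// Waker that only records that a wakeup was requested.
struct Flag(AtomicBool);
impl Wake for Flag {
    fn wake(self: Arc<Self>) { self.0.store(true, Ordering::SeqCst); }
}

// Minimal executor: one initial poll, then a re-poll only when the waker fired
// (no other wakeup source). Returns (undrained backlog, handshakes started).
fn drain(wake_on_new_conn: bool, queued: u32) -> (usize, usize) {
    let mut l = MockTlsListener { backlog: (0..queued).collect(), in_progress: vec![], wake_on_new_conn };
    let flag = Arc::new(Flag(AtomicBool::new(true))); // true = initial poll
    let waker = Waker::from(flag.clone());
    let mut cx = Context::from_waker(&waker);
    while flag.0.swap(false, Ordering::SeqCst) {
        let _ = l.poll_accept(&mut cx);
    }
    (l.backlog.len(), l.in_progress.len())
}

fn main() {
    println!("before fix: {:?}", drain(false, 5));
    println!("after fix:  {:?}", drain(true, 5));
}
```

Every handshake started here stays in `in_progress` forever, which is the zombie-future condition the timeout in item 1 bounds.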