moby
diff --git a/‎daemon/containerd/resolver.go‎
Lines changed: 29 additions & 3 deletions b/‎daemon/containerd/resolver.go‎
Lines changed: 29 additions & 3 deletions
@@ -4,7 +4,11 @@ import (
 	"context"
 	"crypto/tls"
 	"errors"
+	"net"
 	"net/http"
+	"os"
+	"strings"
+	"syscall"
 
 	"github.com/containerd/containerd/remotes"
 	"github.com/containerd/containerd/remotes/docker"
@@ -118,9 +122,7 @@ type httpFallback struct {
 
 func (f httpFallback) RoundTrip(r *http.Request) (*http.Response, error) {
 	resp, err := f.super.RoundTrip(r)
-	var tlsErr tls.RecordHeaderError
-	if errors.As(err, &tlsErr) && string(tlsErr.RecordHeader[:]) == "HTTP/" {
-		// server gave HTTP response to HTTPS client
+	if err != nil && (isTLSError(err) || isPortError(err, r.URL.Host)) {
 		plainHttpUrl := *r.URL
 		plainHttpUrl.Scheme = "http"
 
@@ -132,3 +134,27 @@ func (f httpFallback) RoundTrip(r *http.Request) (*http.Response, error) {
 
 	return resp, err
 }
+
+func isTLSError(err error) bool {
+	var tlsErr tls.RecordHeaderError
+	if errors.As(err, &tlsErr) && string(tlsErr.RecordHeader[:]) == "HTTP/" {
+		return true
+	}
+	if strings.Contains(err.Error(), "TLS handshake timeout") {
+		return true
+	}
+
+	return false
+}
+
+func isPortError(err error, host string) bool {
+	if errors.Is(err, syscall.ECONNREFUSED) || os.IsTimeout(err) {
+		if _, port, _ := net.SplitHostPort(host); port != "" {
+			// Port is specified, will not retry on different port with scheme change
+			return false
+		}
+		return true
+	}
+
+	return false
+}