For the last two months Telegram and some others have shown a weird behaviour:
- DNS responds with AAAA and A records
- Establish a TCP connection to port 80 over IPv6
- Send HTTP GET /, get the HTTPS redirect
- Establish a new TCP connection to port 443
- Send TLSv1.3 handshake, Client hello
- ... and wait for the timeout
Here is a full log:
curl https://web.telegram.org -v
* Trying [2001:67c:4e8:f004::9]:443...
* Connected to web.telegram.org (2001:67c:4e8:f004::9) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* [CONN-0-0][CF-SSL] TLSv1.0 (OUT), TLS header, Certificate Status (22):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL connection timeout
* Closing connection 0
curl: (28) SSL connection timeout
Is the source network the cause?
It just works from some networks and not from others. The interesting question is:
- Is the Telegram network to blame? Is there a bug/configuration depending on some client networks?
- Or is there a middle box dropping traffic?
The routing works, and since HTTP without encryption works I suspect at least one middle box doing something weird with TLS 1.3 instead of just forwarding the data.
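An added triage helper for this kind of symptom (example code written for this thread, not part of the question and not from curl or Telegram). The two questions above, "Telegram network or middle box?" and "TLS 1.3 specifically?", are easiest to separate with a 2x2 matrix of probes: IPv4 vs IPv6 path, and TLS 1.2 vs TLS 1.3 handshake. The script below generates those four curl commands, classifies how far a `curl -v` transcript got (TCP connect, ClientHello sent, ServerHello received), and turns the four outcomes into a hypothesis. The IPv6 transcript is the one from the question; the IPv4 transcript, the `192.0.2.10` address and the `example.invalid` host name are constructed placeholders.

```python
"""Triage helper for a TLS handshake that starts and then times out.

Added example for this thread, not code from the question or from curl.
  * build_probe_matrix() returns the curl invocations that separate the
    candidate causes: IPv4 vs IPv6 path, and TLS 1.3 vs TLS 1.2 handshake.
  * classify_curl_trace() reads one `curl -v` transcript and reports how far
    the connection got; interpret_matrix() turns the four results into a
    hypothesis, so the probes are compared mechanically rather than by eye.
"""
import re

# The transcript from the question, used as sample input.
SAMPLE_TRACE_V6_TLS13 = """\
* Trying [2001:67c:4e8:f004::9]:443...
* Connected to web.telegram.org (2001:67c:4e8:f004::9) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL connection timeout
* Closing connection 0
curl: (28) SSL connection timeout
"""

# Constructed transcript of a handshake that does get a reply. The address
# is from the documentation range and the host name is a placeholder.
SAMPLE_TRACE_V4_TLS12 = """\
* Trying 192.0.2.10:443...
* Connected to example.invalid (192.0.2.10) port 443 (#0)
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
"""


def build_probe_matrix(url, timeout=10):
    """Return the four curl commands of an address-family x TLS-version matrix.

    -4/-6 pin the address family; --tls-max 1.2 forbids TLS 1.3 and --tlsv1.3
    requires it, so each cell exercises exactly one (path, handshake) pair.
    """
    return [
        f"curl {family} {tls} -sv -o /dev/null -m {timeout} {url}"
        for family in ("-4", "-6")
        for tls in ("--tls-max 1.2", "--tlsv1.3")
    ]


def classify_curl_trace(trace):
    """Return (stage, family, peer) describing how far one curl -v run got.

    stage is one of: tcp_connect_failed, tcp_only, client_hello_no_reply,
    tls_handshake_progressed.
    """
    connected = re.search(r"^\* Connected to \S+ \((\S+)\) port (\d+)", trace, re.M)
    if not connected:
        return ("tcp_connect_failed", None, None)
    addr, port = connected.groups()
    family = "IPv6" if ":" in addr else "IPv4"
    peer = f"[{addr}]:{port}" if family == "IPv6" else f"{addr}:{port}"
    if "TLS handshake, Client hello" not in trace:
        return ("tcp_only", family, peer)
    if "TLS handshake, Server hello" in trace:
        return ("tls_handshake_progressed", family, peer)
    # TCP works but the ClientHello never gets an answer: either the
    # ClientHello is dropped on the way out or the server's first flight is
    # dropped on the way back. The client-side trace alone cannot tell which.
    return ("client_hello_no_reply", family, peer)


def interpret_matrix(results):
    """Map the 2x2 matrix {(family, tls_version): stage} to a hypothesis.

    Only clear-cut patterns get a verdict; anything else is 'inconclusive' so
    the caller does not read more into four probes than they support.
    """
    fails = {k for k, stage in results.items() if stage != "tls_handshake_progressed"}
    v6_cells = {k for k in results if k[0] == "IPv6"}
    tls13_cells = {k for k in results if k[1] == "1.3"}
    if not fails:
        return "all four probes completed the handshake: not reproducible from here"
    if fails == set(results):
        return "every probe fails: general connectivity or server-side problem, not IPv6- or TLS-1.3-specific"
    if fails == v6_cells:
        return "only IPv6 fails, regardless of TLS version: IPv6 path problem (routing, filtering or path MTU), not the TLS version"
    if fails == tls13_cells:
        return "only TLS 1.3 fails, on both families: a device on the path reacts to the TLS 1.3 handshake"
    if fails == {("IPv6", "1.3")}:
        return "only IPv6 with TLS 1.3 fails: TLS 1.3 handshake interfered with on the IPv6 path only"
    return "inconclusive: " + ", ".join(f"{f}/{t} failed" for f, t in sorted(fails))


if __name__ == "__main__":
    for cmd in build_probe_matrix("https://web.telegram.org"):
        print(cmd)
    print(classify_curl_trace(SAMPLE_TRACE_V6_TLS13))
    print(classify_curl_trace(SAMPLE_TRACE_V4_TLS12))
    # Constructed outcome: everything works except IPv6 with TLS 1.3.
    print(interpret_matrix({
        ("IPv4", "1.2"): "tls_handshake_progressed",
        ("IPv4", "1.3"): "tls_handshake_progressed",
        ("IPv6", "1.2"): "tls_handshake_progressed",
        ("IPv6", "1.3"): classify_curl_trace(SAMPLE_TRACE_V6_TLS13)[0],
    }))
```

Run the four generated commands from an affected network and from a working one, feed each transcript to classify_curl_trace(), and compare the two matrices. A pure "IPv6 fails on both TLS versions" result points at the IPv6 path rather than at TLS; "TLS 1.3 fails on both families" points at something that reacts to the TLS 1.3 ClientHello. One caveat on the client_hello_no_reply stage: a small ClientHello going out fine while the server's larger first flight never arrives is also the signature of a path MTU black hole, so an IPv6-only failure deserves an MTU check before a middle box is blamed.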