For the last two months Telegram and some others have shown a weird behaviour:
- DNS responds with AAAA and A records
- Establish a TCP connection to port, HTTP GET /, get the HTTPS redirect
- Establish a new TCP connection to port, TLSv1.3 handshake, Client hello
- ... and wait for the timeout
Here is a full log:
curl https://web.telegram.org -v
* Trying [2001:67c:4e8:f004::9]:443...
* Connected to web.telegram.org (2001:67c:4e8:f004::9) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* [CONN-0-0][CF-SSL] TLSv1.0 (OUT), TLS header, Certificate Status (22):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL connection timeout
* Closing connection 0
curl: (28) SSL connection timeout
Is the source network the cause?
It just works from some networks and not from others, so the interesting question is:
- Is the Telegram network to blame? Is there a bug or a configuration that depends on the client network?
- Or is there a middlebox dropping traffic?
Routing works, and since unencrypted HTTP works too, I suspect at least one middlebox is doing something weird with TLS 1.3 instead of just forwarding the data.
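One way to separate "TLS 1.3 problem" from "path problem" is to run the same request four ways from the affected network: IPv6 and IPv4, each once with a TLS 1.3-only ClientHello and once capped at TLS 1.2. If TLS 1.2 completes on both families while TLS 1.3 times out on both, the pattern matches the middlebox suspicion above (a ClientHello that advertises TLS 1.3 in supported_versions disappears, one that does not goes through); if one IP family fails regardless of TLS version, the path is the problem, not TLS. The script below is an added example, not part of the original post. It assumes a curl of 7.54 or newer (for --tls-max), a TLS backend built with TLS 1.3 support, both IP families routable from the vantage point, and the host name web.telegram.org taken from the log above; the outcome tokens and verdict names are my own. Side note on the log: the "TLSv1.0 (OUT), TLS header" line is the legacy record-layer version that every TLS 1.3 ClientHello carries, not a downgrade.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): probe one host four ways,
# IPv6/IPv4 x TLS 1.3-only/TLS<=1.2, and classify the failure pattern.
# Assumes: curl >= 7.54 (--tls-max), a TLS 1.3-capable TLS backend, and
# that both IP families are routable from this vantage point.

TIMEOUT="${TIMEOUT:-10}"   # seconds; the post's failure mode is a timeout

# probe <-4|-6> <curl TLS flags...>
# Prints one token describing the outcome, mapped from curl's exit code.
probe() {
    fam="$1"; shift
    if curl -s -o /dev/null --connect-timeout "$TIMEOUT" --max-time "$TIMEOUT" \
            "$fam" "$@" "https://$HOST/" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    case "$rc" in
        0)  echo ok ;;          # handshake and HTTP response completed
        28) echo timeout ;;     # no answer to the ClientHello ("curl: (28)" as in the post)
        35) echo sslerr ;;      # something answered, but the handshake failed
        6)  echo dns ;;         # name resolution failed
        7)  echo noconn ;;      # TCP connect itself failed
        *)  echo "other:$rc" ;;
    esac
}

# classify <v6_tls13> <v6_tls12> <v4_tls13> <v4_tls12>
# Pure function over the four outcome tokens; prints a verdict name.
classify() {
    v6_13="$1"; v6_12="$2"; v4_13="$3"; v4_12="$4"
    if [ "$v6_13" = ok ] && [ "$v6_12" = ok ] && [ "$v4_13" = ok ] && [ "$v4_12" = ok ]; then
        echo all-ok
    elif [ "$v6_13" != ok ] && [ "$v6_12" != ok ] && [ "$v4_13" != ok ] && [ "$v4_12" != ok ]; then
        echo all-fail
    elif [ "$v6_13" != ok ] && [ "$v4_13" != ok ] && [ "$v6_12" = ok ] && [ "$v4_12" = ok ]; then
        echo tls13-only-fails
    elif [ "$v6_13" != ok ] && [ "$v6_12" != ok ] && [ "$v4_13" = ok ] && [ "$v4_12" = ok ]; then
        echo ipv6-only-fails
    elif [ "$v4_13" != ok ] && [ "$v4_12" != ok ] && [ "$v6_13" = ok ] && [ "$v6_12" = ok ]; then
        echo ipv4-only-fails
    else
        echo mixed
    fi
}

# explain <verdict>: what the pattern points at (and what it does not prove)
explain() {
    case "$1" in
        all-ok)           echo "Works from here; run the same matrix from an affected network as the comparison." ;;
        tls13-only-fails) echo "TLS 1.2 completes but TLS 1.3 does not on both families: consistent with a middlebox on the path acting on the TLS 1.3 ClientHello rather than a routing problem. Confirm from a network where TLS 1.3 works before blaming the server." ;;
        ipv6-only-fails)  echo "Both TLS versions fail over IPv6 only: look at the IPv6 path, not at TLS." ;;
        ipv4-only-fails)  echo "Both TLS versions fail over IPv4 only: look at the IPv4 path, not at TLS." ;;
        all-fail)         echo "Everything fails: general connectivity problem to the host from here." ;;
        *)                echo "Mixed results: read the matrix; a TLS 1.3 failure on one family only points at that one path." ;;
    esac
}

# Run the four probes, print the matrix and the verdict.
run_matrix() {
    v6_13=$(probe -6 --tlsv1.3)
    v6_12=$(probe -6 --tls-max 1.2)
    v4_13=$(probe -4 --tlsv1.3)
    v4_12=$(probe -4 --tls-max 1.2)
    printf '%-8s %-12s %s\n' family tls result
    printf '%-8s %-12s %s\n' IPv6 'TLS1.3-only' "$v6_13"
    printf '%-8s %-12s %s\n' IPv6 'TLS<=1.2'    "$v6_12"
    printf '%-8s %-12s %s\n' IPv4 'TLS1.3-only' "$v4_13"
    printf '%-8s %-12s %s\n' IPv4 'TLS<=1.2'    "$v4_12"
    verdict=$(classify "$v6_13" "$v6_12" "$v4_13" "$v4_12")
    echo "verdict: $verdict"
    explain "$verdict"
}

# Usage: sh tlsprobe.sh web.telegram.org   (host taken from the post's log)
if [ "$#" -ge 1 ]; then
    HOST="$1"
    run_matrix
fi
```

A `sslerr` instead of `timeout` is itself informative: it means something on the path answered the ClientHello (alert or reset) rather than silently dropping it, which narrows down what kind of device is in the way. The verdict is only a pattern match; the control is the same matrix run from a network where web.telegram.org works.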