Telegram (and some others) have a weird TCP timeout during the TLS handshake over IPv6

For the last two months, Telegram and some other services have shown the same weird behaviour from certain networks:

  1. DNS responds with AAAA and A records
  2. Establish a TCP connection to port 80 over IPv6
    1. Send HTTP GET /, receive the redirect to HTTPS
  3. Establish a new TCP connection to port 443 over IPv6
    1. Send the TLSv1.3 handshake, Client Hello
    2. ... and wait for the timeout: no Server Hello, no reset, nothing comes back

Here is a full log:

curl -v
*   Trying [2001:67c:4e8:f004::9]:443...
* Connected to (2001:67c:4e8:f004::9) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* [CONN-0-0][CF-SSL] TLSv1.0 (OUT), TLS header, Certificate Status (22):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL connection timeout
* Closing connection 0
curl: (28) SSL connection timeout

Is the source network the cause?

It just works from some networks and not from others, so the interesting question is:

  • Is the Telegram network to blame? Is there a bug or a configuration that depends on the client network?
  • Or is there a middlebox dropping the traffic?

Routing works, and since unencrypted HTTP to the same address works, I suspect at least one middlebox doing something weird with TLS 1.3 instead of just forwarding the data.
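To turn the reproduction steps above and the middlebox question into something repeatable, here is an added example (my own script, not code from the original post or from Telegram). It runs the same handshake curl performs, but pinned to a single TLS version and a single address family, and classifies the outcome: handshake completed, TCP connect failed, or Client Hello sent and nothing ever came back. Comparing the four combinations separates "TLS 1.3 over IPv6 only" from "the IPv6 path in general" and from "TLS 1.3 in general", which is the distinction the suspicion above hinges on. The host name is an assumption you pass on the command line; the ten-second timeout and the outcome labels are mine.

```python
"""Probe a host's TLS handshake per IP family and TLS version, then diagnose.

Added example, not part of the original post.  Usage: python3 tlsprobe.py HOST
"""
import socket
import ssl
import sys

# Outcome labels returned by probe(); HANDSHAKE_TIMEOUT is curl's "(28) SSL connection timeout".
OK, NO_ADDRESS, TCP_FAIL = "ok", "no-address", "tcp-fail"
HANDSHAKE_TIMEOUT, RESET, TLS_ERROR = "handshake-timeout", "reset", "tls-error"

FAMILIES = {"ipv6": socket.AF_INET6, "ipv4": socket.AF_INET}
VERSIONS = {"tls1.3": ssl.TLSVersion.TLSv1_3, "tls1.2": ssl.TLSVersion.TLSv1_2}

# Diagnoses returned by diagnose(); wording is mine, not a claim about Telegram's network.
NOT_REPRODUCED = "not reproduced: TLS 1.3 over IPv6 completed from this network"
TLS13_V6_ONLY = "only TLS 1.3 over IPv6 hangs: suspect a TLS-aware middlebox on the IPv6 path"
V6_PATH = "every TLS version hangs over IPv6: suspect the IPv6 path itself (PMTU blackhole, filtering)"
TLS13_ANY = "TLS 1.3 hangs over IPv4 and IPv6: suspect TLS 1.3 handling near the server or locally"
ALL_TLS = "TLS hangs on every combination while TCP connects: suspect the server or a general TLS filter"
INCONCLUSIVE = "inconclusive: rerun from another network and compare the matrices"


def tls_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Default (verifying) context pinned to exactly one protocol version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe(host: str, family: int, version: ssl.TLSVersion,
          port: int = 443, timeout: float = 10.0) -> str:
    """TCP-connect over one address family, then run one TLS handshake and classify it."""
    try:
        addr = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0][4]
    except socket.gaierror:
        return NO_ADDRESS                       # no A / AAAA record for this family
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)                      # the post's step 3: plain TCP works
    except OSError:
        sock.close()
        return TCP_FAIL
    tls = None
    try:
        tls = tls_context(version).wrap_socket(sock, server_hostname=host,
                                               do_handshake_on_connect=False)
        tls.do_handshake()                      # sends Client Hello, waits for Server Hello
        return OK
    except socket.timeout:
        return HANDSHAKE_TIMEOUT                # the symptom: Client Hello out, nothing back
    except ConnectionResetError:
        return RESET                            # something actively rejected the handshake
    except ssl.SSLError:
        return TLS_ERROR                        # the peer answered, but the handshake failed
    finally:
        (tls or sock).close()


def probe_matrix(host: str, timeout: float = 10.0) -> dict:
    """All four family/version combinations; keys are ("ipv6", "tls1.3") and so on."""
    return {(fam, ver): probe(host, FAMILIES[fam], VERSIONS[ver], timeout=timeout)
            for fam in FAMILIES for ver in VERSIONS}


def diagnose(results: dict) -> str:
    """Reduce the matrix to the question in the post: who is not forwarding the handshake?"""
    v6_13 = results[("ipv6", "tls1.3")]
    v6_12 = results[("ipv6", "tls1.2")]
    v4_13 = results[("ipv4", "tls1.3")]
    if v6_13 != HANDSHAKE_TIMEOUT:
        return NOT_REPRODUCED
    if v4_13 == OK:
        return TLS13_V6_ONLY if v6_12 == OK else V6_PATH
    if v4_13 == HANDSHAKE_TIMEOUT:
        return TLS13_ANY if v6_12 == OK else ALL_TLS
    return INCONCLUSIVE


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: tlsprobe.py HOST")
    matrix = probe_matrix(sys.argv[1])
    for (fam, ver), outcome in matrix.items():
        print(f"{fam:5} {ver:7} -> {outcome}")
    print(diagnose(matrix))
```

The same four probes can be done by hand with curl (`curl -6 --tlsv1.2 --tls-max 1.2 https://HOST/`, then `-4`, then without the version pins), which is useful when comparing with the log above. One caveat before blaming a TLS-aware middlebox: if TLS 1.2 over IPv6 hangs as well, the likelier culprit is the IPv6 path itself, because the server's first flight (Server Hello plus certificate) is the first large packet on the connection and an IPv6 PMTU blackhole kills it while small HTTP exchanges sail through; only the "TLS 1.3 hangs, TLS 1.2 works" result points at something inspecting the Client Hello.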