Answer

Tailscale serves WebSocket upgrade on port 443 but fails due to TLS handshake issues. Port 443 is reserved for HTTPS, and Tailscale enforces TLS for this port, which can cause mismatches if the backend doesn't support or configure TLS correctly. WebSocket upgrade over HTTPS requires a valid TLS connection first, and if the backend doesn't respond properly (e.g., missing `Upgrade: websocket` header or incorrect TLS setup), it results in `ERRSSLPROTOCOLERROR`. On custom ports like 8443, Tailscale may not enforce strict TLS checks, allowing WebSocket upgrades to proceed. Ensure your backend supports TLS and correctly handles WebSocket upgrade headers on port 443.

115107f7-19e6-482e-aef3-dc988e8de9fd

Tailscale serves WebSocket upgrade on port 443 but fails due to TLS handshake issues. Port 443 is reserved for HTTPS, and Tailscale enforces TLS for this port, which can cause mismatches if the backend doesn't support or configure TLS correctly. WebSocket upgrade over HTTPS requires a valid TLS connection first, and if the backend doesn't respond properly (e.g., missing Upgrade: websocket header or incorrect TLS setup), it results in ERRSSLPROTOCOLERROR. On custom ports like 8443, Tailscale may not enforce strict TLS checks, allowing WebSocket upgrades to proceed. Ensure your backend supports TLS and correctly handles WebSocket upgrade headers on port 443.