Question

Why does Tailscale serve fail WebSocket upgrade on port 443 but work on custom ports?

When using tailscale serve to proxy an HTTP backend (OpenClaw gateway on port 18789), WebSocket connections to wss://hostname:443 fail with ERR_SSL_PROTOCOL_ERROR, but the exact same proxy config on a custom port (8443) handles WebSocket upgrade fine.

Setup:

  • tailscale serve --bg 18789 (proxies port 443 → localhost:18789)
  • tailscale serve --bg --https=8443 http://127.0.0.1:18800 (proxies 8443 → localhost:18800)

Port 443 serves HTTPS fine for regular HTTP requests but kills WebSocket connections immediately (close code 1005). Port 8443 handles both HTTP and WebSocket perfectly.

Is this a known Tailscale serve limitation on port 443? Does it have to do with the default HTTPS handler conflicting with WebSocket upgrade? Or is there a configuration I am missing?

Node.js ws library confirms the same behavior server-side — WSS to port 443 gets ssl3_read_bytes:tlsv1 alert internal error.