Thanks, that’s very interesting. And frustrating! (For both you and me, sorry for the trouble.)
Are there any Caddy logs that correspond to your specific TLS handshake from any of your curl -v commands while troubleshooting? (The “last log entries” you posted above look like they come from other, unrelated requests.) Because I do see stuff like “choosing certificate” in the expanded logs (thanks for posting those) which is what I would expect to see if it was a bug in our Caddy/CertMagic code.
Otherwise, the fact that it’s just hanging leaves to believe it might be a lower-level networking issue? Did you say these hangs occur without any modification of the configs? Do only TLS handshakes hang or do all connections hang (including plaintext HTTP requests)?