Suricata drops invalid TLS alerts and logs “SSL info incomplete” on HTTPS traffic

Hi everyone,

I am running Suricata 7.0.0 on Ubuntu 22.04 with TLS inspection enabled via a transparent proxy. However, I’m seeing frequent messages in the logs like:

SSL event tls_alert invalid status (warning): 0
SSL info incomplete, dropping connection

This occurs for normal HTTPS traffic—no evident network disruption, but some sessions hang or get reset, impacting users.

What I’ve tried:

  • Verified the custom proxy certificate is correctly imported in browsers
  • Enabled TLS 1.2/1.3 only (no legacy SSL)
  • Increased defrag.memcap and stream.memcap in suricata.yaml
  • Captured PCAPs—TLS handshake completes, but Suricata still logs the error mid-session

I checked this: Suricata 5.0.6 inline on RHEL dropping tls traffic with no alerts

Questions:

  1. What exactly does Suricata log with “SSL info incomplete”? Is it missing segments, alerts, or bundle nonces?
  2. Could this be a bug in TLS flow tracking or a known issue in 7.0.0 with fragmented TLS records?
  3. Any config tweaks—e.g., tls.rebuilder, stream workers, or packet capture adjustments—that help resolve these incomplete logs?

Thanks in advance!
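One way to get a factual answer to the first question is to look at what Suricata itself wrote to eve.json for the affected flows: a `tls` event whose record lacks the negotiated version and certificate subject means the parser never saw a full handshake, and a co-occurring app-layer `anomaly` event for `app_proto: tls` names the parser condition that was hit. The script below is an added triage example, not code from the post above or from the Suricata project. It assumes the eve.json field layout for `tls` and `anomaly` events (a `tls` object with `sni`, `version`, `subject`, `issuerdn`, optional `session_resumed`; an `anomaly` object with `type`, `event`, `layer` and a top-level `app_proto`); the log lines embedded in it are constructed for the example, not captured from a real sensor.

```python
"""Triage Suricata eve.json TLS records for incomplete handshakes.

Added example (not from the forum post or the Suricata project). Field names
follow the eve.json layout for `tls` and `anomaly` events as assumed in the
lead-in; the sample lines below are constructed, not taken from a real sensor.
"""
import json
from collections import Counter, defaultdict

# Constructed sample: two complete handshakes, one flow (flow_id 3) where only
# the ClientHello SNI was seen, and an app-layer anomaly the TLS parser raised
# on that same flow.
SAMPLE_EVE = """\
{"timestamp":"2024-01-10T10:00:01.000000+0000","flow_id":1,"event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"tls":{"sni":"example.com","version":"TLS 1.3","subject":"CN=example.com","issuerdn":"CN=Test CA"}}
{"timestamp":"2024-01-10T10:00:02.000000+0000","flow_id":2,"event_type":"tls","src_ip":"10.0.0.6","dest_ip":"203.0.113.11","dest_port":443,"tls":{"sni":"example.net","version":"TLS 1.2","subject":"CN=example.net","issuerdn":"CN=Test CA"}}
{"timestamp":"2024-01-10T10:00:03.000000+0000","flow_id":3,"event_type":"tls","src_ip":"10.0.0.7","dest_ip":"203.0.113.12","dest_port":443,"tls":{"sni":"example.org"}}
{"timestamp":"2024-01-10T10:00:03.500000+0000","flow_id":3,"event_type":"anomaly","src_ip":"10.0.0.7","dest_ip":"203.0.113.12","dest_port":443,"app_proto":"tls","anomaly":{"type":"applayer","event":"invalid_record_type","layer":"proto_parser"}}
"""

# A TLS record counts as complete when the parser got far enough to fill the
# negotiated version and a certificate subject (resumed sessions carry neither).
REQUIRED_FIELDS = ("version", "subject")


def classify_tls(tls):
    """Label one tls object as resumed, complete, or incomplete:<missing fields>."""
    if tls.get("session_resumed"):
        return "resumed"
    missing = [f for f in REQUIRED_FIELDS if f not in tls]
    return "complete" if not missing else "incomplete:" + ",".join(missing)


def triage(lines):
    """Return {flow_id: {sni, status, anomalies}} built from eve.json lines."""
    flows = {}
    anomalies = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        fid = ev.get("flow_id")
        if ev.get("event_type") == "tls":
            flows[fid] = {
                "sni": ev["tls"].get("sni"),
                "status": classify_tls(ev["tls"]),
            }
        elif ev.get("event_type") == "anomaly" and ev.get("app_proto") == "tls":
            # Keep the parser's own name for the condition; it is the most
            # precise statement of why the handshake data is incomplete.
            anomalies[fid].append(ev["anomaly"].get("event"))
    for fid, info in flows.items():
        info["anomalies"] = anomalies.get(fid, [])
    return flows


def summarize(flows):
    """Count flows per top-level status so the incomplete share is visible."""
    return Counter(info["status"].split(":")[0] for info in flows.values())


if __name__ == "__main__":
    result = triage(SAMPLE_EVE.splitlines())
    for fid, info in sorted(result.items()):
        print(fid, info)
    print(dict(summarize(result)))
```

Run it against a real file with `triage(open("/var/log/suricata/eve.json"))` and compare the `incomplete` share with the number of user-visible hangs; if the incomplete flows cluster on particular SNIs or all carry the same anomaly event, that narrows the problem to a specific server behaviour or parser condition rather than to memcap or stream tuning.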