Suricata drops invalid TLS alerts and logs “SSL info incomplete” on HTTPS traffic

Hi everyone,

I am running Suricata 7.0.0 on Ubuntu 22.04 with TLS inspection enabled via a transparent proxy. However, I’m seeing frequent messages in the logs like:

SSL event tls_alert invalid status (warning): 0
SSL info incomplete, dropping connection

This occurs for normal HTTPS traffic—no evident network disruption, but some sessions hang or get reset, impacting users.

What I’ve tried:

  • Verified the custom proxy certificate is correctly imported in browsers
  • Enabled TLS 1.2/1.3 only (no legacy SSL)
  • Increased defrag.memcap and stream.memcap in suricata.yaml
  • Captured PCAPs—TLS handshake completes, but Suricata still logs the error mid-session

I checked this: Suricata 5.0.6 inline on RHEL dropping tls traffic with no alerts

Questions:

  1. What exactly does Suricata log with “SSL info incomplete”? Is it missing segments, alerts, or bundle nonces?
  2. Could this be a bug in TLS flow tracking or a known issue in 7.0.0 with fragmented TLS records?
  3. Any config tweaks—e.g., tls.rebuilder, stream workers, or packet capture adjustments—that help resolve these incomplete logs?

Thanks in advance!

Are you sure that this log message is from Suricata?
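As an added example (it is not from the post above, the reply, or the Suricata project), the script below does the two things a practitioner would want to settle before tuning anything: it checks whether a given line even has the shape of a Suricata record (EVE JSON carrying an `event_type`, or the suricata.log `day/month/year -- time - <Level> - message` format), which is the point of the reply, and it summarizes what Suricata's own EVE `tls` records contain per flow, which is what question 1 is really asking. The eve.json lines are constructed sample data; the field names (`event_type`, `flow_id`, `tls.sni`, `tls.version`, `tls.subject`, `tls.issuerdn`) follow Suricata's EVE TLS logger. Two caveats the classification encodes: a TLS 1.3 flow without `subject`/`issuerdn` is normal, because the certificate is encrypted after the ServerHello; a `tls` record without `version` means the engine never parsed a ServerHello for that flow (midstream pickup, aborted handshake, or missing segments), which is the closest thing Suricata has to "incomplete" TLS info.

```python
import json
import re
from collections import Counter

# Constructed sample eve.json lines (assumed data, not from the original post).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-10T10:00:01.000000+0000","flow_id":1,"event_type":"tls",'
    '"src_ip":"10.0.0.5","dest_ip":"203.0.113.10","dest_port":443,"proto":"TCP",'
    '"tls":{"sni":"www.example.org","version":"TLS 1.2","subject":"CN=www.example.org",'
    '"issuerdn":"CN=Example Proxy CA"}}',
    # TLS 1.3: certificate is encrypted, so only SNI and version are visible.
    '{"timestamp":"2024-01-10T10:00:02.000000+0000","flow_id":2,"event_type":"tls",'
    '"src_ip":"10.0.0.6","dest_ip":"203.0.113.11","dest_port":443,"proto":"TCP",'
    '"tls":{"sni":"api.example.org","version":"TLS 1.3"}}',
    # ClientHello seen, ServerHello never parsed: no version at all.
    '{"timestamp":"2024-01-10T10:00:03.000000+0000","flow_id":3,"event_type":"tls",'
    '"src_ip":"10.0.0.7","dest_ip":"203.0.113.12","dest_port":443,"proto":"TCP",'
    '"tls":{"sni":"cdn.example.org"}}',
    # A non-tls EVE record, to show that event_type filtering matters.
    '{"timestamp":"2024-01-10T10:00:04.000000+0000","flow_id":4,"event_type":"flow",'
    '"src_ip":"10.0.0.8","dest_ip":"203.0.113.13","dest_port":443,"proto":"TCP",'
    '"app_proto":"tls","flow":{"state":"closed","reason":"timeout"}}',
]

# Suricata's suricata.log line prefix: "10/1/2024 -- 10:00:01 - <Notice> - ..."
SURICATA_LOG_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} -- \d{2}:\d{2}:\d{2} - <[A-Za-z]+> - ")


def classify_source(line: str) -> str:
    """Return 'eve', 'suricata.log' or 'other' depending on the line's shape.

    Anything that is neither EVE JSON with an event_type nor a suricata.log
    prefixed line did not come from Suricata's own loggers.
    """
    line = line.strip()
    if line.startswith("{"):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            return "other"
        return "eve" if isinstance(rec, dict) and "event_type" in rec else "other"
    if SURICATA_LOG_RE.match(line):
        return "suricata.log"
    return "other"


def classify_tls_event(rec: dict) -> str:
    """Describe how complete the TLS metadata in one EVE tls record is."""
    tls = rec.get("tls", {})
    version = tls.get("version")
    if version is None:
        # No ServerHello parsed: midstream pickup, aborted handshake, or lost segments.
        return "no-version"
    if version == "TLS 1.3":
        # Certificates are encrypted in 1.3; missing subject/issuerdn is expected.
        return "complete-tls13"
    if "subject" in tls and "issuerdn" in tls:
        return "complete"
    # Pre-1.3 handshake seen, but the Certificate message was never parsed.
    return "no-certificate"


def summarize_tls_events(lines) -> Counter:
    """Count EVE tls records by completeness class, ignoring everything else."""
    counts = Counter()
    for line in lines:
        if classify_source(line) != "eve":
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "tls":
            continue
        counts[classify_tls_event(rec)] += 1
    return counts


if __name__ == "__main__":
    for raw in ("SSL info incomplete, dropping connection", SAMPLE_EVE_LINES[0]):
        print(f"{classify_source(raw):13s} <- {raw[:60]}")
    for cls, n in sorted(summarize_tls_events(SAMPLE_EVE_LINES).items()):
        print(f"{cls:16s} {n}")
```

Run it against a real eve.json with `summarize_tls_events(open("/var/log/suricata/eve.json"))`; a large `no-version` bucket on live traffic points at the engine not seeing whole handshakes (capture placement or midstream pickup), whereas the text messages quoted in the post would classify as `other` and should be traced to the proxy instead.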