Hi everyone,
I am running Suricata 7.0.0 on Ubuntu 22.04 with TLS inspection enabled via a transparent proxy. However, I’m seeing frequent messages in the logs like:
SSL event tls_alert invalid status (warning): 0
SSL info incomplete, dropping connection
This occurs for normal HTTPS traffic—no evident network disruption, but some sessions hang or get reset, impacting users.
What I’ve tried:
- Verified the custom proxy certificate is correctly imported in browsers
- Enabled TLS 1.2/1.3 only (no legacy SSL)
- Increased `defrag.memcap` and `stream.memcap` in `suricata.yaml`
- Captured PCAPs—TLS handshake completes, but Suricata still logs the error mid-session
I checked this: Suricata 5.0.6 inline on RHEL dropping tls traffic with no alerts
Questions:
- What exactly does Suricata log with “SSL info incomplete”? Is it missing segments, alerts, or bundle nonces?
- Could this be a bug in TLS flow tracking or a known issue in 7.0.0 with fragmented TLS records?
- Any config tweaks—e.g., `tls.rebuilder`, stream workers, or packet capture adjustments—that help resolve these incomplete logs?
Thanks in advance!
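A triage script for the symptom described in the post, added here as an example and not part of the original thread or of Suricata itself: it reads `eve.json` lines, classifies each `tls` event by how much handshake metadata Suricata managed to record, and lists port-443 `flow` records that never produced a `tls` event at all. The field names (`event_type`, `flow_id`, `dest_port`, `tls.version`, `tls.sni`, `tls.subject`) are Suricata's standard EVE output; the sample lines, the `UNDETERMINED` check and the category names are constructed for this example.

```python
import json
from collections import Counter

# Constructed sample eve.json lines (not taken from the post). One line is
# deliberately malformed to show that the parser skips it rather than aborting.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":1,"event_type":"tls",'
    '"src_ip":"10.0.0.5","dest_ip":"192.0.2.10","dest_port":443,'
    '"tls":{"version":"TLS 1.3","sni":"example.com","subject":"CN=example.com","issuerdn":"CN=Corp Proxy CA"}}',
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":2,"event_type":"tls",'
    '"src_ip":"10.0.0.6","dest_ip":"192.0.2.11","dest_port":443,'
    '"tls":{"version":"TLS 1.2","sni":"mail.example.org"}}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","flow_id":3,"event_type":"tls",'
    '"src_ip":"10.0.0.7","dest_ip":"192.0.2.12","dest_port":443,'
    '"tls":{"version":"UNDETERMINED"}}',
    '{"timestamp":"2024-01-01T10:00:03.000000+0000","flow_id":4,"event_type":"flow",'
    '"src_ip":"10.0.0.8","dest_ip":"192.0.2.13","dest_port":443,"flow":{"state":"closed"}}',
    'this line is not json',
]


def parse_eve(lines):
    """Parse eve.json lines into dicts; return (events, malformed_count).

    Malformed lines are counted and skipped so one bad record does not
    stop the triage of a large log.
    """
    events, malformed = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            malformed += 1
    return events, malformed


def classify_tls(tls):
    """Bucket one tls event by the handshake metadata Suricata recorded.

    Categories are this example's own naming, not Suricata's:
      undetermined - no usable version (Suricata logs "UNDETERMINED" when
                     it could not parse the handshake)
      sni_missing  - version seen but no ClientHello SNI
      cert_missing - no certificate subject on a pre-1.3 session; on TLS 1.3
                     the certificate is encrypted, so a missing subject there
                     is expected and is not treated as a defect
      complete     - version, SNI and (where visible) subject all present
    """
    version = tls.get("version")
    if not version or version == "UNDETERMINED":
        return "undetermined"
    if not tls.get("sni"):
        return "sni_missing"
    if not tls.get("subject") and version != "TLS 1.3":
        return "cert_missing"
    return "complete"


def summarize(lines):
    """Return counts per category plus port-443 flows with no tls event."""
    events, malformed = parse_eve(lines)
    counts = Counter()
    tls_flows, https_flows = set(), set()
    for ev in events:
        if ev.get("event_type") == "tls":
            counts[classify_tls(ev.get("tls", {}))] += 1
            tls_flows.add(ev.get("flow_id"))
        elif ev.get("event_type") == "flow" and ev.get("dest_port") == 443:
            https_flows.add(ev.get("flow_id"))
    return {
        "tls": dict(counts),
        "flows_on_443_without_tls": sorted(https_flows - tls_flows),
        "malformed_lines": malformed,
    }


if __name__ == "__main__":
    # Replace SAMPLE_EVE_LINES with open("/var/log/suricata/eve.json") to run on a real log.
    print(json.dumps(summarize(SAMPLE_EVE_LINES), indent=2))
```

A rising `undetermined` count, or many port-443 flows with no `tls` record, points at the parser never seeing a full handshake (reassembly limits, asymmetric capture, or the proxy leg being fed in decrypted form), whereas `cert_missing` on TLS 1.3 sessions alone is normal and not evidence of a problem.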