Client sometimes resets TLS connection to transparent proxy


I am running mitmdump in transparent mode with http2 disabled and one iOS client connecting through it. QUIC is blocked btw. Generally this works very well.

In the logs I see errors like this from time to time, sometimes they come in bursts: Client Handshake failed. The client may not trust the proxy’s certificate for ClientHandshakeException(“Cannot establish TLS with client (sni: TlsException(’’,)”,)

It is not that the client generally distrusts the MITM root CA, follow-up connections right after to the same ip+SNI (maybe retries) succeed and data is exchanged over HTTP.

I can reliably trigger these errors for instance by (re-)starting the Google app.

With wireshark I see that for the failed connections the TLS session is completely established and only reset by the client after the ‘Server finished’ message. The TLS exchange of the next successful connection looks the similar to me and includes the same server certificate chain. In stead of the reset the client starts sending an HTTP request.

Has anybody else observed this? Anybody willing to assist fixing the root cause of these?