Client sometimes resets TLS connection to transparent proxy

I am running mitmdump in transparent mode with http2 disabled and one iOS client connecting through it. QUIC is blocked btw. Generally this works very well.

In the logs I see errors like this from time to time, sometimes they come in bursts: Client Handshake failed. The client may not trust the proxy’s certificate for ClientHandshakeException(“Cannot establish TLS with client (sni: TlsException(’’,)”,)

It is not that the client generally distrusts the MITM root CA, follow-up connections right after to the same ip+SNI (maybe retries) succeed and data is exchanged over HTTP.

I can reliably trigger these errors for instance by (re-)starting the Google app.

With wireshark I see that for the failed connections the TLS session is completely established and only reset by the client after the ‘Server finished’ message. The TLS exchange of the next successful connection looks the similar to me and includes the same server certificate chain. In stead of the reset the client starts sending an HTTP request.

Has anybody else observed this? Anybody willing to assist fixing the root cause of these?

Update: I got rid of a few of the connection resets, in particular the ones from Google services, by adding this to a script:

import mitmproxy
from mitmproxy import http

def response(flow: http.HTTPFlow) -> None:
    flow.response.headers.pop('Alt-Svc', None)

Apparently the Alt-Scv header tricks Google apps to close all HTTP connections and try to switch to QUIC. Removing the header mediates this.