07:39 <whitequark[cis]> ewenmcneill: can you give me the iptables line i can just run >_<

07:47 <ewenmcneill[m]> whitequark: What I'm using locally is: iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1456 -d whitequark.org

07:47 <ewenmcneill[m]> whitequark: at a guess you'd need to (a) change that to be the INPUT chain, and (b) possibly remove the "-d whitequark.org" (which I added as this is the only path that affects me that I know about).

07:48 <ewenmcneill[m]> I forget if there's a "clamp MSS" option for iptables; I'm fairly sure "--set-mss" will force the MSS (max segment size) even if it's larger, which will also break things if it does increase it from the client request.

07:50 <whitequark[cis]> I think there was a clamp MSS option

07:50 <whitequark[cis]> --clamp-mss-to-pmtu or somehing

07:51 <ewenmcneill[m]> --clamp-mss-to-pmtu yes. But it relies on Path MTU discovery working, which I'm not certain will work here.

07:51 <ewenmcneill[m]> I can't find any other "set to min of this value and TCP session requested MSS" 😕

07:52 <whitequark[cis]> test it?

07:54 <ewenmcneill[m]> whitequark: I think that helped. I just tested from another system here (which hasn't had a local work around applied), and got a TLS connection this time.

07:54 <whitequark[cis]> alright

07:54 <ewenmcneill[m]> (Because it's MSS clamping, I can't test with "do not fragment" ICMP probing.)