I've captured a TLS 1.2 handshake and I've successfully decrypted a piece of application data using Scapy. How can I modify the content of this data and re-encrypt the packet such that it passes all integrity checks?
    conf.tls_session_enable = True
    conf.tls_nss_filename = "secrets.log"
    # ...
    def modify_and_encrypt(original_packet: IP, decrypted_packet: IP):
        modified_data = process_data(decrypted_packet[TLS].msg[0])
        # how do I re-encrypt the packet?
I tried simply modifying the data field in the TLS packet and letting Scapy figure out the rest:
        tls = decrypted_packet[TLS]
        tls.msg[0] = modified_data
        original_packet[TLS] = TLS(_pkt=tls.build())
        return original_packet
It seems to fail some integrity check and Wireshark can't decrypt the result like it can for the other packets in the same connection. I'm guessing that there are some values that need to be recomputed that Scapy isn't recomputing automatically. I'm only changing the value of one byte, so the length is the same. I also tried setting the TCP and IP checksum to None to ensure those get recomputed, but that doesn't change the outcome.
Using Scapy 2.6.1.
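The integrity check the question runs into, as an added example that is not part of the original post and is not Scapy code: the TLS 1.2 record MAC from RFC 5246 section 6.2.3.1, which covers the per-direction sequence number, content type, version, length and plaintext, so a same-length one-byte change still invalidates it. It assumes a CBC cipher suite with HMAC-SHA256 (the page does not name the suite; AEAD suites bind the same header fields as additional authenticated data), and the key, sequence number and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

APPLICATION_DATA = 23   # TLS ContentType application_data
TLS12 = b"\x03\x03"     # ProtocolVersion for TLS 1.2


def record_mac(mac_key: bytes, seq_num: int, content_type: int, fragment: bytes) -> bytes:
    """HMAC over seq_num || type || version || length || fragment (RFC 5246 6.2.3.1)."""
    # 8-byte sequence number, 1-byte type, 2-byte version, 2-byte plaintext length.
    header = struct.pack("!QB2sH", seq_num, content_type, TLS12, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


def verify_record(mac_key: bytes, seq_num: int, content_type: int,
                  fragment: bytes, mac: bytes) -> bool:
    """Receiver-side check: recompute the MAC and compare in constant time."""
    expected = record_mac(mac_key, seq_num, content_type, fragment)
    return hmac.compare_digest(expected, mac)


def demo() -> dict:
    # Constructed values: in a real session the MAC write key comes from the
    # key block derived from the master secret, and seq_num counts records
    # sent in that direction since the last ChangeCipherSpec.
    mac_key = bytes(range(32))
    seq_num = 5
    original = b"GET /a HTTP/1.1\r\n"
    modified = b"GET /b HTTP/1.1\r\n"   # same length, one byte changed

    mac = record_mac(mac_key, seq_num, APPLICATION_DATA, original)
    fresh = record_mac(mac_key, seq_num, APPLICATION_DATA, modified)
    stale_seq = record_mac(mac_key, seq_num + 1, APPLICATION_DATA, modified)
    return {
        "original": verify_record(mac_key, seq_num, APPLICATION_DATA, original, mac),
        "modified_old_mac": verify_record(mac_key, seq_num, APPLICATION_DATA, modified, mac),
        "modified_new_mac": verify_record(mac_key, seq_num, APPLICATION_DATA, modified, fresh),
        "new_mac_wrong_seq": verify_record(mac_key, seq_num, APPLICATION_DATA, modified, stale_seq),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'bad_record_mac'}")
```

The example covers only the MAC step; in a CBC suite the fragment, MAC and padding are then encrypted together under the write key with a per-record IV.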