
I'm trying to set up an encrypted communication between the browser and our proxy (squid)

Theoretically, it must work out of the box with modern browsers, as mentioned in Squid's official doc: https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection

I tried to implement this on a dockerized Alpine, with Squid 5.5 built with the OpenSSL module.

in squid.conf, I have:

...
http_port 3128
https_port 3129 cert=/etc/squid/crt.pem key=/etc/squid/key.pem
...

But when I request Squid's HTTPS port, I get this error every time in cache.log:

...
ERROR: failure while accepting a TLS connection on conn77 local=172.17.0.2:3129 remote=172.17.0.1:56608 FD 12 flags=1: 0x7fbd208f33e0*1
    connection: conn77 local=172.17.0.2:3129 remote=172.17.0.1:56608 FD 12 flags=1
Pipeline.cc(31) front: Pipeline 0x7fbd208f13a0 empty
Error.cc(22) update: recent: ERR_SECURE_ACCEPT_FAIL/SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=1408F09B+TLS_IO_ERR=1
...

I also tried this with Squid 4.10 built with the GnuTLS module, in an Ubuntu 20.40 environment, with the same squid.conf, and again I got a TLS error:

...
client_side.cc(2597) tlsAttemptHandshake: Error negotiating TLS on local=x.x.x.x:3129 remote=x.x.x.x:50874 FD 11 flags=1: Aborted by client: An unexpected TLS packet was received.
...

For certificates, I used a self-signed one and one signed by our CA, for both scenarios.

Also, I tried multiple https_port options (disabling some SSL implementations, manipulating client certificates...) but without success.

Can someone enlighten me about what I'm missing?

Update

I forgot to mention that the problem is present only with web browsers; curl succeeded in encrypting its connection to the proxy.

So I used Wireshark to capture the traffic of a web browser (Firefox) and of curl, and I found out that Firefox doesn't start a TLS handshake with the proxy, unlike curl.

Firefox capture: Firefox_capture

Curl capture: Curl_capture
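Added example (not part of the question, of Squid, or of OpenSSL): a small Python helper that decodes the TLS_LIB_ERR value from the cache.log line quoted in the question and classifies the first bytes a client sends to the https_port. OpenSSL packs its 1.x error codes as library (8 bits), function (12 bits) and reason (12 bits); 0x1408F09B is library 20 (SSL) with reason 155, SSL_R_HTTPS_PROXY_REQUEST, which OpenSSL raises when the bytes it expected to be a TLS ClientHello turn out to be a plaintext CONNECT request. That is exactly what a browser configured with a plain HTTP proxy address sends, and it matches the Wireshark observation that Firefox never starts the handshake while curl does. The log line is the one from the question; the two client byte strings and the function names are constructed for this example.

```python
import re

# OpenSSL 1.x error code layout: lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_LIB_SSL = 20

# Only the reason codes this example is certain of; anything else reports "unknown".
SSL_REASONS = {
    155: "https proxy request",   # SSL_R_HTTPS_PROXY_REQUEST: plaintext CONNECT on the TLS port
    156: "http request",          # SSL_R_HTTP_REQUEST: plaintext GET/POST/... on the TLS port
    267: "wrong version number",  # SSL_R_WRONG_VERSION_NUMBER: bytes are not a TLS record
}

# Squid's Error.cc line from the question (copied as-is).
SQUID_LOG_LINE = (
    "Error.cc(22) update: recent: ERR_SECURE_ACCEPT_FAIL/SQUID_TLS_ERR_ACCEPT"
    "+TLS_LIB_ERR=1408F09B+TLS_IO_ERR=1"
)

# Constructed samples of what each client sends first on the https_port socket.
# A browser configured for an HTTP (not HTTPS) proxy writes the CONNECT in the clear.
BROWSER_FIRST_BYTES = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
# curl -x https://proxy:3129 starts with a TLS record header (type 22 = handshake,
# version 3.1) whose first handshake message is a ClientHello (type 1).
CURL_FIRST_BYTES = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"

HTTP_METHODS = (b"CONNECT ", b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
TLS_LIB_ERR_RE = re.compile(r"TLS_LIB_ERR=([0-9A-Fa-f]+)")


def tls_lib_err_from_log(line):
    """Extract the hexadecimal TLS_LIB_ERR value from a Squid Error.cc log line."""
    match = TLS_LIB_ERR_RE.search(line)
    return int(match.group(1), 16) if match else None


def decode_openssl_error(code):
    """Split a packed OpenSSL 1.x error code into its library, function and reason."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    if lib == ERR_LIB_SSL:
        name = SSL_REASONS.get(reason, "unknown")
    else:
        name = "not an SSL-library error"
    return {"lib": lib, "func": func, "reason": reason, "reason_name": name}


def classify_first_bytes(data):
    """Say whether a client opened with a TLS ClientHello or with plaintext HTTP."""
    # TLS record: content type 22 (handshake), major version 3, minor 0..4 (SSL3 .. TLS1.3).
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-client-hello"
    if data.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"


def diagnose(log_line, first_bytes):
    """Combine the Squid log line and the captured first bytes into one verdict."""
    code = tls_lib_err_from_log(log_line)
    error = decode_openssl_error(code) if code is not None else None
    client_sent = classify_first_bytes(first_bytes)
    return {
        "openssl_error": error,
        "client_sent": client_sent,
        # Plaintext HTTP on the https_port means the client was told this is an
        # HTTP proxy, not an HTTPS proxy; the server-side certificate is not at fault.
        "client_misconfigured": client_sent == "plaintext-http",
    }


if __name__ == "__main__":
    for label, sample in (("firefox", BROWSER_FIRST_BYTES), ("curl", CURL_FIRST_BYTES)):
        print(label, diagnose(SQUID_LOG_LINE, sample))
```

The useful check here is the combination: the reason name tells you OpenSSL saw a CONNECT instead of a ClientHello, and the first-bytes classifier lets you confirm the same thing from the Wireshark capture without decoding the whole stream. When both agree, the certificate and https_port options are not what needs changing; it is the browser's proxy setting that must point at an HTTPS proxy (the configuration the linked Squid documentation describes), which is why curl with an https:// proxy URL works and the same browser against the same port does not.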
