[squid-users] squid tproxy ssl-bump and Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Vieri rentorbuy at yahoo.com
Thu Sep 29 12:02:36 UTC 2016


Hi,

I'm running a Squid proxy like so:

http_port 3129 tproxy
https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem

The squid server certificate was self-generated:
openssl req -new -newkey rsa:2048 -sha256 -days 7300 -nodes -x509 -keyout /etc/ssl/squid/proxyserver.pem -out /etc/ssl/squid/proxyserver.pem

I configured my firewall rules appropriately and everything seems to work fine on systems such as Windows 7 32-bit/64-bit with IE11, IE8 or latest Firefox.
However, I'm having trouble with Windows XP Pro SP3 and IE8.
On this client OS, Firefox 45.0.1 works fine with HTTP and HTTPS sites. However, IE8 on this same client OS works fine accessing HTTP sites but not HTTPS.

When I try to access google.com I first get a certificate warning (untrusted cert). That's the first flaw because I shouldn't get this page since the proxy server's certificate is in the IE Trust Store (under root certificates).
Then if I try to connect to google.com despite the "untrusted certificate" warning, I get the exception:

71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:1409F07F:SSL routines:ssl3_write_pending:bad write retry

I noticed that this browser/OS only has TLS up to 1.0 (no 1.2 or 1.1).

I can reproduce the same Squid exception on a Windows 7 IE8 system if I disable TLS 1.2 and only use TLS 1.1 and/or lower.

Any ideas?

Regards,

Vieri
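A quick way to narrow a handshake problem like the one described above is to check which TLS protocol versions an endpoint will actually negotiate. The script below is an added example, not part of the original post or of Squid: it drives the stock `openssl s_client` command once per protocol version and classifies each transcript as a completed or failed handshake. It assumes the `openssl` CLI is installed, and that you run it either from a client behind the tproxy/ssl-bump Squid (so the bumped connection is what gets tested) or directly against the origin server, depending on which side of the proxy you want to check. The host, port and the transcript samples used for testing are constructed for this example.

```sh
#!/bin/sh
# probe_tls_versions: report which TLS versions a TLS endpoint will negotiate.
# Added example for diagnosing SQUID_ERR_SSL_HANDSHAKE; requires the openssl CLI.

# Classify one saved `openssl s_client` transcript ($1 = file).
# s_client prints an "SSL-Session:" block even when the handshake failed, so
# the reliable signal is the "New, ..., Cipher is ..." line: a real cipher
# means a completed handshake, "(NONE)" means none was agreed.
classify_handshake() {
    if grep -q '^New, .*Cipher is' "$1" && ! grep -q 'Cipher is (NONE)' "$1"; then
        echo ok
    else
        echo fail
    fi
}

# Try one handshake per protocol version against host:port and print a
# one-line verdict for each. "-tls1" may report "fail" on a modern OpenSSL
# build simply because TLS 1.0 is disabled locally; check the transcript for
# "no protocols available" in that case rather than blaming the endpoint.
probe_tls_versions() {
    host=$1
    port=$2
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        out=$(mktemp)
        # Empty stdin makes s_client exit right after the handshake.
        printf '' | openssl s_client -connect "$host:$port" -servername "$host" "-$v" >"$out" 2>&1
        printf '%-7s %s\n' "$v:" "$(classify_handshake "$out")"
        rm -f "$out"
    done
}

# Usage: sh probe_tls.sh www.example.com 443
if [ "$#" -ge 2 ]; then
    probe_tls_versions "$1" "$2"
fi
```

When run from behind the proxy, a client that only speaks TLS 1.0 will fail exactly where this script reports `tls1: fail`, which tells you whether the failing hop is the bumped client-side connection or Squid's own connection to the origin.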

