[squid-users] LEGACY_SERVER_CONNECT, ALLOW_UNSAFE_LEGACY_RENEGOTIATION does not work - SSL bump, OpenSSL 3
Amish
anon.amish at gmail.com
Mon Dec 26 05:46:55 UTC 2022
Hello
I am using squid v5.7 with OpenSSL 3.0.7. (Arch Linux)
I have set up SSL bump, which was working fine through the OpenSSL 1.1.1 series.
With OpenSSL 3.0.7, SSL bump still works fine, except for some
(unpatched) sites.
For example:
https://www.jio.com/ (A leading mobile network provider in India)
For the above site, squid throws an error page with this message:
[No Error] (TLS code: SQUID_TLS_ERR_CONNECT+TLS_LIB_ERR=A000152+TLS_IO_ERR=1)
Failed to establish a secure connection: error:0A000152:SSL routines::unsafe legacy renegotiation disabled
Testing the same site with OpenSSL (via s_client) also fails unless
legacy renegotiation is enabled:
$ openssl s_client -connect www.jio.com:443
40C7F204E37F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:ssl/statem/extensions.c:893:
$ openssl s_client -legacy_renegotiation -connect www.jio.com:443
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.",
CN = Go Daddy Root Certificate Authority - G2
...
Since the website is an important one, I am trying to tell
squid to allow legacy server connect (I also tried with unsafe
renegotiation).
Source: https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_options.html
squid.conf:
# workaround for legacy / unpatched servers
tls_outgoing_options options=LEGACY_SERVER_CONNECT,ALLOW_UNSAFE_LEGACY_RENEGOTIATION
# other related TLS settings
tls_outgoing_options cafile=/etc/ssl/cert.pem
tls_outgoing_options cipher=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
# systemctl reload squid
But I am still getting the same error when trying to connect to the
above site via squid proxy. (Works fine without proxy)
What am I doing wrong?
Tips / help appreciated,
Thank you,
Amish.
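Editor's added example (not part of the post, and not squid or OpenSSL code): the error code squid prints, TLS_LIB_ERR=A000152, is a packed OpenSSL error. Splitting it with the packing rules from OpenSSL 3's err.h gives library 20 (ERR_LIB_SSL, printed as "SSL routines") and reason 338 (SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED), which is exactly the s_client failure quoted above: the server does not send the RFC 5746 renegotiation_info extension, and OpenSSL 3.0 no longer sets SSL_OP_LEGACY_SERVER_CONNECT by default, whereas 1.1.1 did. The script below decodes the squid error line, and builds a client SSLContext with the same two SSL_OP_* bits that the squid.conf in the post names, so the effect of each option can be tested against a host directly from Python without squid in the path. The SSL_OP_* and reason values are copied from OpenSSL's public headers; the `probe()` function needs network access and is only run when a hostname is passed on the command line. The sample input is the error text quoted on this page.

```python
"""Decode squid's SQUID_TLS_ERR_CONNECT+TLS_LIB_ERR=... code and build the
OpenSSL client options the squid.conf above asks for.
Added example; constants are taken from OpenSSL's public headers."""
import re
import socket
import ssl
import sys

# Error-code packing, OpenSSL 3 include/openssl/err.h:
#   code = ((lib & 0xFF) << 23) | (reason & 0x7FFFFF)
ERR_LIB_OFFSET = 23
ERR_LIB_MASK = 0xFF
ERR_REASON_MASK = 0x7FFFFF
ERR_LIB_SSL = 20                        # printed by OpenSSL as "SSL routines"

# Reason code from include/openssl/sslerr.h
SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED = 338
SSL_REASON_STRINGS = {
    SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED: "unsafe legacy renegotiation disabled",
}

# SSL_OP_* bits from include/openssl/ssl.h (same values in 1.1.1 and 3.0).
# LEGACY_SERVER_CONNECT: allow the *initial* handshake with a server that does
#   not send the RFC 5746 renegotiation_info extension (the error on this page).
# ALLOW_UNSAFE_LEGACY_RENEGOTIATION: additionally allow *renegotiating* with it.
SSL_OP_LEGACY_SERVER_CONNECT = 0x00000004
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION = 0x00040000

_SQUID_ERR_RE = re.compile(
    r"(SQUID_TLS_ERR_\w+)\+TLS_LIB_ERR=([0-9A-Fa-f]+)\+TLS_IO_ERR=(\d+)")


def parse_squid_tls_error(text):
    """Extract stage, packed OpenSSL code and I/O error from a squid error page line."""
    m = _SQUID_ERR_RE.search(text)
    if m is None:
        raise ValueError("no squid TLS error code in: %r" % text)
    return {"stage": m.group(1), "lib_err": int(m.group(2), 16), "io_err": int(m.group(3))}


def decode_openssl_error(code):
    """Split a packed OpenSSL error code into (library, reason, reason string)."""
    lib = (code >> ERR_LIB_OFFSET) & ERR_LIB_MASK
    reason = code & ERR_REASON_MASK
    return lib, reason, SSL_REASON_STRINGS.get(reason, "reason %d" % reason)


def openssl_error_string(code):
    """Render the code the way OpenSSL 3 prints it: error:<hex>:<lib>::<reason>."""
    lib, _reason, text = decode_openssl_error(code)
    lib_name = "SSL routines" if lib == ERR_LIB_SSL else "lib(%d)" % lib
    return "error:%08X:%s::%s" % (code, lib_name, text)


def legacy_server_context(allow_unsafe_renegotiation=False):
    """Client context matching options=LEGACY_SERVER_CONNECT[,ALLOW_UNSAFE_LEGACY_RENEGOTIATION].
    Certificate verification stays on; only the RFC 5746 requirement is relaxed."""
    ctx = ssl.create_default_context()
    ctx.options |= SSL_OP_LEGACY_SERVER_CONNECT
    if allow_unsafe_renegotiation:
        ctx.options |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
    return ctx


def probe(host, port=443, timeout=10):
    """Network check (not exercised by the tests): does the server need the legacy bit?
    Returns 'ok', 'needs-legacy-server-connect' or 'failed: <reason>'."""
    strict = ssl.create_default_context()
    strict.options &= ~SSL_OP_LEGACY_SERVER_CONNECT     # make the strict case explicit
    attempts = ((strict, "ok"), (legacy_server_context(), "needs-legacy-server-connect"))
    for ctx, verdict in attempts:
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    tls.version()       # handshake completed
            return verdict
        except ssl.SSLError as e:
            if getattr(e, "reason", "") != "UNSAFE_LEGACY_RENEGOTIATION_DISABLED":
                return "failed: %s" % e
    return "failed: legacy handshake also rejected"


if __name__ == "__main__":
    # Constructed input: the squid error page text quoted on this page.
    page_error = "[No Error] (TLS code: SQUID_TLS_ERR_CONNECT+TLS_LIB_ERR=A000152+TLS_IO_ERR=1)"
    info = parse_squid_tls_error(page_error)
    print(info["stage"], openssl_error_string(info["lib_err"]))
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
```

Run it with a hostname to see which of the two contexts completes the handshake; "needs-legacy-server-connect" means the server lacks RFC 5746 support and the LEGACY_SERVER_CONNECT bit is what has to reach the outgoing SSL_CTX. Note that the two options are distinct: LEGACY_SERVER_CONNECT is the one that clears the error quoted in this post (an initial handshake), while ALLOW_UNSAFE_LEGACY_RENEGOTIATION only matters if such a server later renegotiates, and both give up the protection RFC 5746 exists to provide, so they belong on a per-destination basis rather than proxy-wide.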