I have a Squid 3.5.23 running on Debian Stretch, recompiled from the deb source and configured as a transparent proxy. I changed the configuration in order to allow SSL proxying and it seems to be running OK when I install the generated Squid certificate as a trusted root authority. Facebook, Google, Kernel.org and most other HTTPS sites pass through OK, and the browser correctly thinks those sites' certificate authority is the proxy's. Now, SOME sites give me a certificate warning and then an error if I accept it as an exception.
```
The following error was encountered while trying to retrieve the URL: https://2.16.189.72/*

Failed to establish a secure connection to 2.16.189.72

The system returned:
(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)
Handshake with SSL server failed: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
```
https://wiki.squid-cache.org/ (Now that is ironic) ->

```
The following error was encountered while trying to retrieve the URL: https://master.squid-cache.org/*

Failed to establish a secure connection to 104.130.201.120

The system returned:
(71) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
```
I generated the certificate with the following commands:

```sh
# Self-signed CA for SSL bumping; key and certificate in one PEM file
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 \
    -keyout mycompany.pem -out mycompany.pem
# DER copy for importing into client trust stores
openssl x509 -in mycompany.pem -outform DER -out mycompany.der
# Initialise the generated-certificate cache and hand it to the squid user
/usr/lib/squid/ssl_crtd -c -s /etc/squid/certs/ssl_db -M 4MB
chown -R proxy.proxy ssl_db
```
Clues?
In the end, I solved the problem by installing Squid 4.0.21 (still a beta at this moment) which has code to handle these missing certificate cases like browsers do. More details at this page in Squid's wiki.
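The second error above (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) is what Squid 3.5 reports when the origin server sends only its leaf certificate and leaves out the intermediate CA, so the chain cannot be built from the proxy's local trust store; Squid 4 follows the leaf's Authority Information Access (AIA) "CA Issuers" pointer to fetch the missing intermediate, as browsers do. The script below is an added example, not code from the question, the answer or the Squid project: it builds a throwaway root -> intermediate -> leaf chain with hypothetical names and a hypothetical AIA URL, reproduces the verification failure with only the leaf, extracts the AIA URL a Squid 4 style fetch would use, and shows that verification succeeds once the intermediate is supplied. It does not cover the first error (sslv3 alert handshake failure), which is a handshake rather than a chain-building problem. It assumes the openssl CLI (1.1.1 or later) is installed.

```shell
#!/bin/sh
# Added example (not from the original post). Offline reproduction of the
# "certificate issuer (CA) not known" case: a server that omits its intermediate.
set -e

WORK=$(mktemp -d)
# Hypothetical AIA "CA Issuers" location; real leaf certs carry their CA's URL here.
AIA_URL="http://ca.example.invalid/intermediate.der"

# Build root -> intermediate -> leaf in $WORK (names and URL are made up).
make_chain() (
  cd "$WORK"
  # Root CA: the only thing the proxy's trust store knows about.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -subj "/O=Example/CN=Example Root" \
    -keyout root.key -out root.pem 2>/dev/null
  # Intermediate CA: the certificate a misconfigured server forgets to send.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example/CN=Example Intermediate" \
    -keyout int.key -out int.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -sha256 -extfile int.ext -out int.pem 2>/dev/null
  # Leaf (server) certificate carrying the AIA pointer to its issuer.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=www.example.invalid" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  printf 'basicConstraints=CA:false\nsubjectAltName=DNS:www.example.invalid\nauthorityInfoAccess=caIssuers;URI:%s\n' \
    "$AIA_URL" > leaf.ext
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 365 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null
)

# chain_verifies LEAF TRUSTED_ROOT [UNTRUSTED_INTERMEDIATE]
# Mirrors what the proxy can check: the cert the server sent, the local
# trust store, and optionally an intermediate obtained some other way.
# Succeeds only when openssl reports "OK".
chain_verifies() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>&1 | grep -q ': OK$'
  else
    openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
  fi
}

# aia_issuer_url LEAF
# Prints the AIA "CA Issuers" URI from the leaf, i.e. where a browser or
# Squid 4 would download the missing intermediate from. Prints nothing if absent.
aia_issuer_url() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*CA Issuers - URI:\(.*\)/\1/p'
}

make_chain
echo "work dir: $WORK"
echo "leaf only (Squid 3.5 view): $(chain_verifies "$WORK/leaf.pem" "$WORK/root.pem" && echo OK || echo FAIL)"
echo "AIA CA Issuers URL in leaf:  $(aia_issuer_url "$WORK/leaf.pem")"
echo "leaf + fetched intermediate: $(chain_verifies "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/int.pem" && echo OK || echo FAIL)"
```

Running it prints FAIL for the leaf-only check, the hypothetical AIA URL, and OK once the intermediate is added. To test a real site instead of the generated chain, save what the server actually sends with `openssl s_client -showcerts` and feed the leaf to the same two functions; a FAIL followed by a non-empty AIA URL is the pattern Squid 3.5 cannot recover from and Squid 4 can.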