I have a public api, call it api.example.com, which is configured for mTLS. I am able to confirm that mTLS is working by using curl https://api.example.com --cert /path/to/cert --key /path/to/key where the "cert" is the client cert and the "key" is the client key.
I am trying to get this to work via Squid so that I don't have to supply the --cert and --key parameters and can have other back-end processes make the call via some http.get() command.
I have a working Squid configuration without mTLS. To this, I added:
tls_outgoing_options cert=/path/to/cert
tls_outgoing_options key=/path/to/key
I then tried
curl https://api.example.com
and expected this to work. Instead, I get the following output when I use the curl -v option:
Connected to api.example.com port 443
TLSv1.3 (OUT), TLS handshake, Client hello (1):
TLSv1.3 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (IN), TLS handshake, Server key exchange (12):
TLSv1.2 (IN), TLS handshake, Request CERT (13):
TLSv1.2 (IN), TLS handshake, Server finished (14):
TLSv1.2 (OUT), TLS handshake, Certificate (11):
TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
TLSv1.2 (OUT), TLS handshake, Finished (20):
OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.example.com:443
Closing connection
I also tried adding the following to squid.conf based on some research:
ssl_bump server-first all
This made no difference.
Has anyone been able to get Squid to work with mTLS? If so, how? I am using Squid version 5.8.
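As an added illustration (not part of the question or of any answer), a squid.conf sketch for Squid 5 showing the ssl_bump setup that has to be in place before tls_outgoing_options is used at all on a CONNECT request; every path, network and the helper location are placeholders I have assumed, not values from the question.

```conf
# Added example, not from the question: minimal Squid 5 SSL-Bump setup
# under which tls_outgoing_options actually takes effect. All paths and
# the 10.0.0.0/8 network are assumed placeholders.

# A plain CONNECT tunnel is relayed byte-for-byte, so the origin server
# sees the client's own TLS handshake (with no client certificate) and
# closes it. For Squid to present the client certificate from
# tls_outgoing_options, it must terminate the client's TLS and open its
# own TLS connection to the origin, i.e. bump the connection.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/bump-ca.pem \
    tls-key=/etc/squid/bump-ca.key \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=16MB

# Helper that mints per-host certificates signed by bump-ca.pem.
# Every back-end client must trust bump-ca.pem, since that is what signs
# the certificate they now see for api.example.com.
# (Helper path is distribution-dependent; Debian/Ubuntu layout assumed.)
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB

# Squid 4/5 bumping steps: peek at the ClientHello, then bump.
# The client-first / server-first actions are the old pre-3.5 syntax.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Client certificate and key Squid presents on the bumped connection to
# the origin, plus the CA bundle used to verify the origin's certificate.
tls_outgoing_options cert=/etc/squid/client.pem key=/etc/squid/client.key cafile=/etc/ssl/certs/ca-certificates.crt

# The proxy now holds a key that authenticates to api.example.com, so
# restrict who may use the proxy as tightly as you would restrict access
# to that key file (and keep client.key readable only by the squid user).
acl backend_nets src 10.0.0.0/8
http_access allow backend_nets
http_access deny all
```

With this in place, a backend using the proxy no longer sends its own certificate; the origin sees Squid's handshake, so "Request CERT" from the server is answered with client.pem rather than with an empty certificate message.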