I met the same problem with Windows 10 (Host OS) + VMware + Ubuntu.

In my case, the problem is caused by the company's firewall.

Just in case you might meet the same problem. I wrote an article about it:

Solve: Docker pull - "​... TLS handshake timeout"

I have accepted the above answer but, for an unknown reason, the problem reappeared after a few days with a slightly different error. Luckily I managed to solve it using a different setup, as written below. Hope it can help someone when the accepted answer does not work.

First of all, the condition where this error happens: CNTLM listens to 127.0.0.1:3128, docker proxy (set through the GUI) is 127.0.0.1:3128 both for HTTP and HTTPS

Error response from daemon: Get https://registry-1.docker.io/v2/: proxyconnect tcp: dial tcp 10.0.75.1:3128: connect: connection refused

I checked this similar case but the solution also did not work for me. I tried several different things including turning off firewall, and reproducing the initial problem (my initial question) and redoing the accepted solution, to no avail. I realized that the IP address shown in the error is not my corporate proxy, nor the Cntlm-listened port, nor my localhost, but the IP of the dockerNAT.

Then, I also noticed that when running CNTLM -g -v, below the Cntlm ready, staying in the foreground line, nothing showed up when I run docker pull hello-world (in another terminal).

Inspired by this answer, I tried to change the Cntlm.ini and the proxy setting on docker to 10.0.75.1:3128, and then restarted cntlm and docker. Now things changed slightly. The error message changed to this:

Error response from daemon: Get https://registry-1.docker.io/v2/: Parent proxy unreacheable

and Cntlm terminal now showed something when I hit the docker pull command, indicating that it somehow works. I suspected that the proxy hostname might cause the problem at this stage, since docker might not be able to access DNS server from the VM. Then I changed Cntlm.ini again, changing the hostname of the proxy into its IP address, and voila, now docker pull hello-world works normally!

(TBH I don't fully understand the network theory behind why this solution works. If anyone can give some explanation, that would be helpful.)

The timeout in your last configuration is caused by the fact that you're not getting through the proxy to those external DNS servers (8.8.8.8 - 8.8.4.4), I think.

You should be solving the first issue, being the server misbehaving. As was the case with me, mentioned here, this was caused by the unability of docker to authenticate with the proxy. My solution was to use cntml.

The cntlm configuration is actually really straightforward if you follow their guidelines. When you have cntlm running, you need to configure docker to use that as a proxy instead of your corporate proxy. Just a plain proxy without authentication - most likely 127.0.0.1:3128, if you're running it on the same machine. cntlm will handle the authentication on the corporate proxy.

As a reference, this is the cntlm config I used:

Username        <username>
Domain          <domain>
Password        <password>

PassLM          <PassLM output of cntlm -H>
PassNT          <PassNT output of cntlm -H>
PassNTLMv2      <PassNTLMv2 output of cntlm -H>

Proxy           <corporate proxy>:<corporate proxy port>
NoProxy         localhost, 127.0.0.*, 10.*, 192.168.*, 172.16.*.*

Listen          3128

You get the hashes by running cntlm -H -u <username>@<domain>.

Make sure you run cntlm in gateway mode cntlm -g (instead of cntlm -v).

Good luck!