InsecureSkipVerify doesnt work, at least with proxy usage.

[plzcloseyoureyes]

Describe the bug
InsecureSkipVerify doesnt really work on self-signed certificates

To Reproduce
Steps to reproduce the behavior:

package main

import (
	"fmt"
	"log"

	"github.com/Noooste/azuretls-client"
)

func main() {
	session := azuretls.NewSession()
	session.InsecureSkipVerify = true
	session.Browser = azuretls.Firefox // Automatic JA3 + HTTP/2 fingerprinting

	err := session.SetProxy("socks4://104.37.135.145:4145")
	if err != nil {
		log.Fatal("FATAL ERROR:", err)
	}

	response, err := session.Do(&azuretls.Request{
		Method:             "GET",
		Url:                "https://expired.badssl.com/",
		InsecureSkipVerify: true,
	})
	// tls "github.com/Noooste/utls"
	// https://tls.peet.ws/api/all
	if err != nil {
		log.Fatal("REQ FAILED", err)
	}
	fmt.Println(response.Header["Content-Encoding"])
	fmt.Println(response.StatusCode, string(response.Body))
}

Expected behavior
When using InsecureSkipVerify it is expected to work even if the desired URL has invalid certificate

What happens:

2025/09/21 15:54:02 Request error: failed to handshake: tls: invalid server key share

[Noooste]

Hello, thanks for reporting this issue. Do you know if this is due only when using socks4 or any type of proxies ?

[plzcloseyoureyes]

I didnt test with other proxies, with socks4 it happend for sure

[plzcloseyoureyes]

Uh also yes, it doesnt happen without proxies from my tests

[plzcloseyoureyes]

As you can see, without proxy it works.

[Noooste]

Hello,
I've investigated the tls: invalid server key share error when using Firefox TLS profile with SOCKS4 proxies, and here's what I found:

The issue is specifically caused by tls.CurveP256 in the KeyShare extension when used with certain SOCKS4 proxy servers. This is not due to InsecureSkipVerify since it's a handshake error with the proxy server.

To resolve this issue you can:
Option 1: Switch to Chrome Profile (Recommended)
Option 2: Use SOCKS5 Instead
Option 3: Modify Firefox Profile (Advanced)

If you need Firefox fingerprinting with SOCKS4, you would need to use a custom TLS profile that excludes P-256 from the KeyShare extension while keeping other Firefox characteristics.

The issue occurs in profiles.go where the Firefox profile includes:

&tls.KeyShareExtension{KeyShares: []tls.KeyShare{
    {Group: tls.X25519MLKEM768},
    {Group: tls.X25519},
    {Group: tls.CurveP256}, // ← This line causes SOCKS4 failures                                                                                                                                                                                                                                                 
}},

When tls.CurveP256 is removed/commented out, SOCKS4 proxies work correctly because the handshake falls back to X25519, which has better SOCKS4 compatibility.

[plzcloseyoureyes]

Congrats on finding the issue, What comes to mind is that its weird that its happening because socks is just transferring data like a tunnel shouldnt interfere that's odd 😄

[Noooste]

Indeed, I also don't understand why it happens with your SOCKS4 (I've hosted a SOCKS4 server on my side and it works). For now, I advise you to choose one of those options if possible:

To resolve this issue you can:
Option 1: Switch to Chrome Profile (Recommended)
Option 2: Use SOCKS5 Instead
Option 3: Modify Firefox Profile (Advanced)