The essential points from this guide -- each one is explained in detail below.
HTTPS through a proxy uses the CONNECT method to create an encrypted tunnel -- the proxy never sees your traffic.
SSL certificate errors usually mean MITM inspection by the proxy, a corporate firewall, or outdated CA certificates.
Never disable SSL verification in production -- it opens you to credential theft and data interception.
SOCKS5 proxies tunnel all traffic at the TCP level and do not interfere with SSL at all.
Update your CA bundle (certifi in Python, ca-certificates on Linux) to fix legitimate certificate issues.
When your client sends an HTTPS request through an HTTP proxy, it first sends a CONNECT request to the proxy in plaintext. The proxy establishes a TCP connection to the target and returns HTTP 200 Connection Established. From that point, your client performs the TLS handshake directly with the target through the tunnel. The proxy sees only encrypted bytes -- it cannot read or modify the traffic.
This is the correct behavior. If you are getting SSL errors, something is breaking this tunnel: the proxy is intercepting and re-encrypting traffic (MITM), the CONNECT method is not being used, or there is a certificate issue unrelated to the proxy.
Some proxies (especially corporate proxies and security appliances) perform SSL inspection by terminating your TLS connection, reading the plaintext, and re-encrypting it with their own certificate. Your client rejects this certificate because it is not signed by a trusted CA.
Symptoms: errors like "certificate verify failed", "self-signed certificate in certificate chain", or "unable to get local issuer certificate".
If this is a corporate proxy you must use, install the corporate CA certificate in your trust store. In Python:
import requests
response = requests.get(
'https://target.com',
proxies={'https': 'http://user:pass@gw.knoxproxy.com:7000'},
verify='/path/to/corporate-ca-bundle.crt'
)If this is your scraping proxy, switch providers. Legitimate proxy providers like KnoxProxy use CONNECT tunneling and never inspect your HTTPS traffic.
Outdated CA certificates cause legitimate SSL errors that appear only when routing through a proxy (because the proxy forces a new connection path that may use different certificate chains). In Python, the certifi package provides the CA bundle:
pip install --upgrade certifiOn Ubuntu/Debian:
sudo apt update && sudo apt install ca-certificates
sudo update-ca-certificatesOn macOS:
brew install ca-certificatesVerify your CA bundle works:
import certifi
print(certifi.where()) # prints path to CA bundleIf upgrading certifi does not fix the error, the target site may have a misconfigured certificate chain (missing intermediate certificates). Test the target directly without a proxy to confirm.
The short answer: almost never in production. Disabling SSL verification (verify=False in Python, rejectUnauthorized: false in Node.js) means your traffic can be intercepted by anyone between the proxy and the target. Your credentials, API keys, and scraped data are all exposed.
The only acceptable scenarios for disabling verification are: testing against a local development server with a self-signed certificate, or scraping a target with a known-broken certificate chain where you have verified the site identity through other means. Even then, disable verification only for that specific request, not globally.
# BAD -- disables verification for all requests
requests.get(url, verify=False)
# Less bad -- at least limited to one session for one target
session = requests.Session()
session.verify = '/path/to/custom-ca.crt' # prefer custom CA over disablingIf you find yourself needing to disable SSL verification to use a proxy provider, that provider is performing MITM inspection and you should switch to one that uses CONNECT tunneling.
openssl s_client -connect target.com:443 -proxy gw.knoxproxy.com:7000. This shows exactly which certificate is failing and why.Ready to put this into practice? Browse all proxy types
KnoxProxy Research Team · Technical Content
Network engineers and proxy infrastructure specialists with 10+ years in anti-bot systems, web scraping, and IP routing.
90.4M+ ethically sourced residential IPs across 195 countries. Start free -- no credit card required.