[Bug]: Regression when using Firefox profile

[jsnjack]

TLS client version

v1.11.0

System information

• Linux, Fedora 42

Issue description

tls: invalid server key share error when using Firefox profile (f.e. firefox 135) and trying to establish tls connection with the server which uses key_share secp256r1(CurveP256). This is a regression as the same code works fine in v1.9.2.

Steps to reproduce / Code Sample

1. Select the latest firefox profile (135) and make a request to https://sts-fips.us-east-1.amazonaws.com
2. The request will fail with tls: invalid server key share error

Code example

package main

import (
	"fmt"
	"io"
	"log"

	http "github.com/bogdanfinn/fhttp"
	tls_client "github.com/bogdanfinn/tls-client"
	"github.com/bogdanfinn/tls-client/profiles"
)

func main() {
	options := []tls_client.HttpClientOption{
		tls_client.WithClientProfile(profiles.Firefox_135),
		tls_client.WithNotFollowRedirects(),
	}

	client, err := tls_client.NewHttpClient(tls_client.NewNoopLogger(), options...)
	if err != nil {
		log.Println(err)
		return
	}

	req, err := http.NewRequest(http.MethodGet, "https://sts-fips.us-east-1.amazonaws.com", nil)
	if err != nil {
		log.Println(err)
		return
	}

	resp, err := client.Do(req)
	if err != nil {
		log.Println(err)
		return
	}

	defer resp.Body.Close()

	fmt.Println("status code:", resp.StatusCode)

	readBytes, err := io.ReadAll(resp.Body)
	if err != nil {
		log.Println(err)
		return
	}

	log.Println(string(readBytes))
}

go.mod file for version in which the bug is present:

module example

go 1.24.6

require (
	github.com/bogdanfinn/fhttp v0.6.1
	github.com/bogdanfinn/tls-client v1.11.0
)

require (
	github.com/Dharmey747/quic-go-utls v1.0.3-utls // indirect
	github.com/andybalholm/brotli v1.1.1 // indirect
	github.com/bogdanfinn/utls v1.7.3-barnius // indirect
	github.com/cloudflare/circl v1.5.0 // indirect
	github.com/klauspost/compress v1.17.11 // indirect
	github.com/quic-go/qpack v0.5.1 // indirect
	github.com/tam7t/hpkp v0.0.0-20160821193359-2b70b4024ed5 // indirect
	go.uber.org/mock v0.5.0 // indirect
	golang.org/x/crypto v0.36.0 // indirect
	golang.org/x/mod v0.18.0 // indirect
	golang.org/x/net v0.38.0 // indirect
	golang.org/x/sync v0.12.0 // indirect
	golang.org/x/sys v0.31.0 // indirect
	golang.org/x/text v0.23.0 // indirect
	golang.org/x/tools v0.22.0 // indirect
)

go.mod file for version which works:

module example

go 1.24.6

require (
	github.com/bogdanfinn/fhttp v0.5.36
	github.com/bogdanfinn/tls-client v1.9.2
)

require (
	github.com/andybalholm/brotli v1.1.1 // indirect
	github.com/bogdanfinn/utls v1.6.5 // indirect
	github.com/cloudflare/circl v1.5.0 // indirect
	github.com/klauspost/compress v1.17.11 // indirect
	github.com/quic-go/quic-go v0.48.1 // indirect
	github.com/tam7t/hpkp v0.0.0-20160821193359-2b70b4024ed5 // indirect
	golang.org/x/crypto v0.36.0 // indirect
	golang.org/x/net v0.38.0 // indirect
	golang.org/x/sys v0.31.0 // indirect
	golang.org/x/text v0.23.0 // indirect
)

[gunir]

After some debugging, I've found out the real culprit is: {Group: utls.X25519MLKEM768} of the new profile, if you swap position of those curves to something like this, it works:

			keyShare := &utls.KeyShareExtension{KeyShares: []utls.KeyShare{
				{Group: utls.CurveP256},      // <--- ADD THIS! FIPS REQUIRES IT
				{Group: utls.X25519MLKEM768},
				{Group: utls.X25519},
			}}

Test code:

package main

import (
	"fmt"
	"io"
	"log"

	http "github.com/bogdanfinn/fhttp"
	tls_client "github.com/bogdanfinn/tls-client"
	"github.com/bogdanfinn/tls-client/profiles"
	"github.com/bogdanfinn/fhttp/http2"
	utls "github.com/bogdanfinn/utls"
	"github.com/bogdanfinn/utls/dicttls"
)

// MyCustomFirefoxProfile is now set to use the Firefox 147 profile.
var MyCustomFirefoxProfile = createCustomFirefox147Profile()

func createCustomFirefox147Profile() profiles.ClientProfile {
	// 1. Define the ClientHelloID and SpecFactory
	clientHelloId := utls.ClientHelloID{
		// UPDATED: New client identity
		Client:  "CustomFirefox147",
		Version: "147",
		Seed:    nil,
		SpecFactory: func() (utls.ClientHelloSpec, error) {
			// --- Reusable Extension Definitions ---
			supportedCurves := &utls.SupportedCurvesExtension{Curves: []utls.CurveID{
				utls.X25519MLKEM768,
				utls.X25519,
				utls.CurveP256,
				utls.CurveP384,
				utls.CurveP521,
				utls.FAKEFFDHE2048,
				utls.FAKEFFDHE3072,
			}}
			supportedPoints := &utls.SupportedPointsExtension{SupportedPoints: []byte{
				utls.PointFormatUncompressed,
			}}
			alpnExtension := &utls.ALPNExtension{AlpnProtocols: []string{"h2", "http/1.1"}}
			
			// UPDATED: Removed utls.ECDSAWithSHA1 (ecdsa_sha1)
			delegatedCredentials := &utls.DelegatedCredentialsExtension{SupportedSignatureAlgorithms: []utls.SignatureScheme{
				utls.ECDSAWithP256AndSHA256,
				utls.ECDSAWithP384AndSHA384,
				utls.ECDSAWithP521AndSHA512,
			}}
			
			// UPDATED: Removed {Group: utls.CurveP256} to match the target KeyShare list (4588, 29).
			keyShare := &utls.KeyShareExtension{KeyShares: []utls.KeyShare{
				{Group: utls.CurveP256},      // <--- ADD THIS! FIPS REQUIRES IT
				{Group: utls.X25519MLKEM768},
				{Group: utls.X25519},
			}}
			
			supportedVersions := &utls.SupportedVersionsExtension{Versions: []uint16{
				utls.VersionTLS13,
				utls.VersionTLS12,
			}}
			
			// UPDATED: Removed utls.ECDSAWithSHA1 (ecdsa_sha1)
			signatureAlgorithms := &utls.SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []utls.SignatureScheme{
				utls.ECDSAWithP256AndSHA256,
				utls.ECDSAWithP384AndSHA384,
				utls.ECDSAWithP521AndSHA512,
				utls.PSSWithSHA256,
				utls.PSSWithSHA384,
				utls.PSSWithSHA512,
				utls.PKCS1WithSHA256,
				utls.PKCS1WithSHA384,
				utls.PKCS1WithSHA512,
				utls.PKCS1WithSHA1,
			}}
			compressCert := &utls.UtlsCompressCertExtension{Algorithms: []utls.CertCompressionAlgo{
				utls.CertCompressionZlib,
				utls.CertCompressionBrotli,
				utls.CertCompressionZstd,
			}}
			ech := &utls.GREASEEncryptedClientHelloExtension{
				CandidateCipherSuites: []utls.HPKESymmetricCipherSuite{
					{KdfId: dicttls.HKDF_SHA256, AeadId: dicttls.AEAD_AES_128_GCM},
					{KdfId: dicttls.HKDF_SHA256, AeadId: dicttls.AEAD_AES_256_GCM},
					{KdfId: dicttls.HKDF_SHA256, AeadId: dicttls.AEAD_CHACHA20_POLY1305},
				},
				CandidatePayloadLens: []uint16{128, 223},
			}
			
			return utls.ClientHelloSpec{
				// --- TLS CIPHER SUITES ---
				CipherSuites: []uint16{
					utls.TLS_AES_128_GCM_SHA256,
					utls.TLS_CHACHA20_POLY1305_SHA256,
					utls.TLS_AES_256_GCM_SHA384,
					utls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
					utls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
					utls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
					utls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
					utls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
					utls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
					utls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
					utls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
					utls.TLS_RSA_WITH_AES_128_GCM_SHA256,
					utls.TLS_RSA_WITH_AES_256_GCM_SHA384,
					utls.TLS_RSA_WITH_AES_128_CBC_SHA,
					utls.TLS_RSA_WITH_AES_256_CBC_SHA,
				},
				CompressionMethods: []byte{
					utls.CompressionNone,
				},
				// --- TLS EXTENSIONS (Order MUST include 41 at the end to match JA3) ---
				Extensions: []utls.TLSExtension{
					&utls.SNIExtension{},                        // 0
					&utls.ExtendedMasterSecretExtension{},        // 23
					&utls.RenegotiationInfoExtension{Renegotiation: utls.RenegotiateOnceAsClient}, // 65281
					supportedCurves,                             // 10
					supportedPoints,                             // 11
					alpnExtension,                               // 16
					&utls.StatusRequestExtension{},               // 5
					delegatedCredentials,                        // 34
					&utls.SCTExtension{},                         // 18
					keyShare,                                    // 51
					supportedVersions,                           // 43
					signatureAlgorithms,                         // 13
					&utls.PSKKeyExchangeModesExtension{Modes: []uint8{utls.PskModeDHE}}, // 45
					&utls.FakeRecordSizeLimitExtension{Limit: 0x4001}, // 28
					compressCert,                                // 27
					ech,                                         // 65037
					// ADDED BACK: utls.UtlsPreSharedKeyExtension (41) as the final extension
					&utls.UtlsPreSharedKeyExtension{OmitEmptyPsk: true}, // 41 (PSK)
				},
			}, nil
		},
	}

	// 2. Define HTTP/2 Settings (No change needed)
	settings := map[http2.SettingID]uint32{
		http2.SettingHeaderTableSize:   65536,
		http2.SettingEnablePush:        0,
		http2.SettingInitialWindowSize: 131072,
		http2.SettingMaxFrameSize:      16384,
	}

	settingsOrder := []http2.SettingID{
		http2.SettingHeaderTableSize,
		http2.SettingEnablePush,
		http2.SettingInitialWindowSize,
		http2.SettingMaxFrameSize,
	}
	
	// 3. Define Pseudo-Header Order (No change needed)
	pseudoHeaderOrder := []string{
		":method",
		":path",
		":authority",
		":scheme",
	}

	// 4. Define Connection Flow Control Window Size (No change needed)
	connectionFlow := uint32(12517377)
	
	// 5. Define Header Priority (Weight 41 -> 42 on the wire, matching fingerprint)
	headerPriority := &http2.PriorityParam{
		StreamDep: 0,
		Exclusive: false,
		Weight:    41, // This internal value maps to a Priority Weight of 42 on the wire (internal value + 1).
	}

	// [FIX] Define Priorities to "consume" Stream 1
	// Setting a priority for Stream 1 tells fhttp to increment the nextStreamID count (1 + 2 = 3).
	// This results in the first HEADERS frame having stream_id: 3.
	/*
	priorities := []http2.Priority{
		{
			StreamID: 1,
			PriorityParam: http2.PriorityParam{
				StreamDep: 0,
				Exclusive: false,
				Weight:    255, // 256 on the wire (standard non-exclusive anchor)
			},
		},
	}	
	*/
	// 6. Create and return the final ClientProfile struct
	return profiles.NewClientProfile(
		clientHelloId,
		settings,
		settingsOrder,
		pseudoHeaderOrder,
		connectionFlow,
		nil,     // <--- CHANGED: Pass the priorities slice here
		headerPriority,
	)
}

func main() {
	// 1. Use a Pre-defined Profile
	// Instead of manually building a profile (which is error-prone), start with a built-in one.
	// Firefox 133 is the latest built-in; close enough to 135 for most checks.
	// If you strictly need 135, we can inject it, but let's try a known working profile first.

	// Note: If your library version supports Firefox_135, use it.
	// Otherwise, Firefox_133 is a safer bet to avoid "unknown profile" errors.
	options := []tls_client.HttpClientOption{
		tls_client.WithTimeoutSeconds(30),
		tls_client.WithClientProfile(MyCustomFirefoxProfile),
		tls_client.WithNotFollowRedirects(),
	}

	// 2. Create the Client
	client, err := tls_client.NewHttpClient(tls_client.NewNoopLogger(), options...)
	if err != nil {
		log.Fatalf("Failed to create client: %v", err)
	}

	// 3. Define Target
	targetURL := "https://sts-fips.us-east-1.amazonaws.com"

	// 4. Create Request using fhttp
	req, err := http.NewRequest(http.MethodGet, targetURL, nil)
	if err != nil {
		log.Fatalf("Failed to create request: %v", err)
	}

	// 5. Set Headers Correctly
	// Important: fhttp/tls-client will handle the pseudo-header order (:method, :path, etc.)
	// based on the profile. We just need to provide the standard headers.
	// Note the use of specific ordering via HeaderOrderKey if strict ordering is needed,
	// but tls-client often handles this for standard profiles.

	req.Header = http.Header{
		"User-Agent":                {"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0"},
		"Accept":                    {"image/avif,image/webp,*/*"},
		"Accept-Language":           {"en-US,en;q=0.5"},
		"Accept-Encoding":           {"gzip, deflate, br, zstd"}, // Added zstd which modern Firefox supports
		"Connection":                {"keep-alive"},
		"Sec-Fetch-Dest":            {"image"},
		"Sec-Fetch-Mode":            {"no-cors"},
		"Sec-Fetch-Site":            {"cross-site"},
		"Pragma":                    {"no-cache"},
		"Cache-Control":             {"no-cache"},
		"Te":                        {"trailers"},
		// Explicitly define order to match Firefox
		http.HeaderOrderKey: {
			"User-Agent",
			"Accept",
			"Accept-Language",
			"Accept-Encoding",
			"Connection",
			"Sec-Fetch-Dest",
			"Sec-Fetch-Mode",
			"Sec-Fetch-Site",
			"Pragma",
			"Cache-Control",
			"Te",
		},
        // Set pseudo-header order explicitly for fhttp requests
        http.PHeaderOrderKey: {
            ":method",
            ":path",
            ":authority",
            ":scheme",
        },
	}

	// 6. Execute
	log.Printf("Requesting %s...", targetURL)
	resp, err := client.Do(req)
	if err != nil {
		log.Fatalf("Request failed: %v", err)
	}
	defer resp.Body.Close()

	// 7. Output
	fmt.Println("--------------------------------------------------")
	fmt.Printf("Status Code: %d %s\n", resp.StatusCode, resp.Status)
	fmt.Printf("Protocol:    %s\n", resp.Proto)

	// Read body
	bodyBytes, err := io.ReadAll(resp.Body)
	if err != nil {
		log.Printf("Failed to read body: %v", err)
	} else {
		fmt.Printf("Body Length: %d bytes\n", len(bodyBytes))
		if len(bodyBytes) > 8 && string(bodyBytes[:4]) == "\x89PNG" {
			fmt.Println("Content Check: Valid PNG Header detected.")
		} else {
			fmt.Printf("Content Check: Not a PNG. First 20 bytes: %q\n", string(bodyBytes[:min(20, len(bodyBytes))]))
		}
	}
}

func min(a, b int) int {
	if a < b {
		return a
	}
	return b
}

Result:

2025/12/05 18:32:01 Requesting https://sts-fips.us-east-1.amazonaws.com...
--------------------------------------------------
Status Code: 302 302 Found
Protocol:    HTTP/1.1
Body Length: 0 bytes
Content Check: Not a PNG. First 20 bytes: ""

This could be because of the support of Group: utls.X25519MLKEM768 being imperfect, causing this issue, the only way to fix this issue is improve Group: utls.X25519MLKEM768's logic, this is out of my knowledge...

[gunir]

Dirty fix: bogdanfinn/utls#6

[gunir]

Test:

package main

import (
	"fmt"
	"io"
	"log"

	http "github.com/bogdanfinn/fhttp"
	tls_client "github.com/bogdanfinn/tls-client"
	"github.com/bogdanfinn/tls-client/profiles"
	"github.com/bogdanfinn/fhttp/http2"
	utls "github.com/bogdanfinn/utls"
	"github.com/bogdanfinn/utls/dicttls"
)

// MyCustomFirefoxProfile is now set to use the Firefox 147 profile.
var MyCustomFirefoxProfile = createCustomFirefox147Profile()

func createCustomFirefox147Profile() profiles.ClientProfile {
	// 1. Define the ClientHelloID and SpecFactory
	clientHelloId := utls.ClientHelloID{
		// UPDATED: New client identity
		Client:  "CustomFirefox147",
		Version: "147",
		Seed:    nil,
		SpecFactory: func() (utls.ClientHelloSpec, error) {
			// --- Reusable Extension Definitions ---
			supportedCurves := &utls.SupportedCurvesExtension{Curves: []utls.CurveID{
				utls.X25519MLKEM768,
				utls.X25519,
				utls.CurveP256,
				utls.CurveP384,
				utls.CurveP521,
				utls.FAKEFFDHE2048,
				utls.FAKEFFDHE3072,
			}}
			supportedPoints := &utls.SupportedPointsExtension{SupportedPoints: []byte{
				utls.PointFormatUncompressed,
			}}
			alpnExtension := &utls.ALPNExtension{AlpnProtocols: []string{"h2", "http/1.1"}}
			
			// UPDATED: Removed utls.ECDSAWithSHA1 (ecdsa_sha1)
			delegatedCredentials := &utls.DelegatedCredentialsExtension{SupportedSignatureAlgorithms: []utls.SignatureScheme{
				utls.ECDSAWithP256AndSHA256,
				utls.ECDSAWithP384AndSHA384,
				utls.ECDSAWithP521AndSHA512,
			}}
			
			// UPDATED: Removed {Group: utls.CurveP256} to match the target KeyShare list (4588, 29).
			keyShare := &utls.KeyShareExtension{KeyShares: []utls.KeyShare{
				{Group: utls.X25519MLKEM768},
				{Group: utls.X25519},
				{Group: utls.CurveP256},      // <--- ADD THIS! FIPS REQUIRES IT
			}}
			
			supportedVersions := &utls.SupportedVersionsExtension{Versions: []uint16{
				utls.VersionTLS13,
				utls.VersionTLS12,
			}}
			
			// UPDATED: Removed utls.ECDSAWithSHA1 (ecdsa_sha1)
			signatureAlgorithms := &utls.SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []utls.SignatureScheme{
				utls.ECDSAWithP256AndSHA256,
				utls.ECDSAWithP384AndSHA384,
				utls.ECDSAWithP521AndSHA512,
				utls.PSSWithSHA256,
				utls.PSSWithSHA384,
				utls.PSSWithSHA512,
				utls.PKCS1WithSHA256,
				utls.PKCS1WithSHA384,
				utls.PKCS1WithSHA512,
				utls.PKCS1WithSHA1,
			}}
			compressCert := &utls.UtlsCompressCertExtension{Algorithms: []utls.CertCompressionAlgo{
				utls.CertCompressionZlib,
				utls.CertCompressionBrotli,
				utls.CertCompressionZstd,
			}}
			ech := &utls.GREASEEncryptedClientHelloExtension{
				CandidateCipherSuites: []utls.HPKESymmetricCipherSuite{
					{KdfId: dicttls.HKDF_SHA256, AeadId: dicttls.AEAD_AES_128_GCM},
					{KdfId: dicttls.HKDF_SHA256, AeadId: dicttls.AEAD_AES_256_GCM},
					{KdfId: dicttls.HKDF_SHA256, AeadId: dicttls.AEAD_CHACHA20_POLY1305},
				},
				CandidatePayloadLens: []uint16{128, 223},
			}
			
			return utls.ClientHelloSpec{
				// --- TLS CIPHER SUITES ---
				CipherSuites: []uint16{
					utls.TLS_AES_128_GCM_SHA256,
					utls.TLS_CHACHA20_POLY1305_SHA256,
					utls.TLS_AES_256_GCM_SHA384,
					utls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
					utls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
					utls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
					utls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
					utls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
					utls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
					utls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
					utls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
					utls.TLS_RSA_WITH_AES_128_GCM_SHA256,
					utls.TLS_RSA_WITH_AES_256_GCM_SHA384,
					utls.TLS_RSA_WITH_AES_128_CBC_SHA,
					utls.TLS_RSA_WITH_AES_256_CBC_SHA,
				},
				CompressionMethods: []byte{
					utls.CompressionNone,
				},
				// --- TLS EXTENSIONS (Order MUST include 41 at the end to match JA3) ---
				Extensions: []utls.TLSExtension{
					&utls.SNIExtension{},                        // 0
					&utls.ExtendedMasterSecretExtension{},        // 23
					&utls.RenegotiationInfoExtension{Renegotiation: utls.RenegotiateOnceAsClient}, // 65281
					supportedCurves,                             // 10
					supportedPoints,                             // 11
					alpnExtension,                               // 16
					&utls.StatusRequestExtension{},               // 5
					delegatedCredentials,                        // 34
					&utls.SCTExtension{},                         // 18
					keyShare,                                    // 51
					supportedVersions,                           // 43
					signatureAlgorithms,                         // 13
					&utls.PSKKeyExchangeModesExtension{Modes: []uint8{utls.PskModeDHE}}, // 45
					&utls.FakeRecordSizeLimitExtension{Limit: 0x4001}, // 28
					compressCert,                                // 27
					ech,                                         // 65037
					// ADDED BACK: utls.UtlsPreSharedKeyExtension (41) as the final extension
					&utls.UtlsPreSharedKeyExtension{OmitEmptyPsk: true}, // 41 (PSK)
				},
			}, nil
		},
	}

	// 2. Define HTTP/2 Settings (No change needed)
	settings := map[http2.SettingID]uint32{
		http2.SettingHeaderTableSize:   65536,
		http2.SettingEnablePush:        0,
		http2.SettingInitialWindowSize: 131072,
		http2.SettingMaxFrameSize:      16384,
	}

	settingsOrder := []http2.SettingID{
		http2.SettingHeaderTableSize,
		http2.SettingEnablePush,
		http2.SettingInitialWindowSize,
		http2.SettingMaxFrameSize,
	}
	
	// 3. Define Pseudo-Header Order (No change needed)
	pseudoHeaderOrder := []string{
		":method",
		":path",
		":authority",
		":scheme",
	}

	// 4. Define Connection Flow Control Window Size (No change needed)
	connectionFlow := uint32(12517377)
	
	// 5. Define Header Priority (Weight 41 -> 42 on the wire, matching fingerprint)
	headerPriority := &http2.PriorityParam{
		StreamDep: 0,
		Exclusive: false,
		Weight:    41, // This internal value maps to a Priority Weight of 42 on the wire (internal value + 1).
	}

	// [FIX] Define Priorities to "consume" Stream 1
	// Setting a priority for Stream 1 tells fhttp to increment the nextStreamID count (1 + 2 = 3).
	// This results in the first HEADERS frame having stream_id: 3.
	/*
	priorities := []http2.Priority{
		{
			StreamID: 1,
			PriorityParam: http2.PriorityParam{
				StreamDep: 0,
				Exclusive: false,
				Weight:    255, // 256 on the wire (standard non-exclusive anchor)
			},
		},
	}	
	*/
	// 6. Create and return the final ClientProfile struct
	return profiles.NewClientProfile(
		clientHelloId,
		settings,
		settingsOrder,
		pseudoHeaderOrder,
		connectionFlow,
		nil,     // <--- CHANGED: Pass the priorities slice here
		headerPriority,
	)
}

func main() {
	// 1. Use a Pre-defined Profile
	// Instead of manually building a profile (which is error-prone), start with a built-in one.
	// Firefox 133 is the latest built-in; close enough to 135 for most checks.
	// If you strictly need 135, we can inject it, but let's try a known working profile first.

	// Note: If your library version supports Firefox_135, use it.
	// Otherwise, Firefox_133 is a safer bet to avoid "unknown profile" errors.
	options := []tls_client.HttpClientOption{
		tls_client.WithTimeoutSeconds(30),
		tls_client.WithClientProfile(MyCustomFirefoxProfile),
		tls_client.WithNotFollowRedirects(),
	}

	// 2. Create the Client
	client, err := tls_client.NewHttpClient(tls_client.NewNoopLogger(), options...)
	if err != nil {
		log.Fatalf("Failed to create client: %v", err)
	}

	// 3. Define Target
	targetURL := "https://sts-fips.us-east-1.amazonaws.com"

	// 4. Create Request using fhttp
	req, err := http.NewRequest(http.MethodGet, targetURL, nil)
	if err != nil {
		log.Fatalf("Failed to create request: %v", err)
	}

	// 5. Set Headers Correctly
	// Important: fhttp/tls-client will handle the pseudo-header order (:method, :path, etc.)
	// based on the profile. We just need to provide the standard headers.
	// Note the use of specific ordering via HeaderOrderKey if strict ordering is needed,
	// but tls-client often handles this for standard profiles.

	req.Header = http.Header{
		"User-Agent":                {"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0"},
		"Accept":                    {"image/avif,image/webp,*/*"},
		"Accept-Language":           {"en-US,en;q=0.5"},
		"Accept-Encoding":           {"gzip, deflate, br, zstd"}, // Added zstd which modern Firefox supports
		"Connection":                {"keep-alive"},
		"Sec-Fetch-Dest":            {"image"},
		"Sec-Fetch-Mode":            {"no-cors"},
		"Sec-Fetch-Site":            {"cross-site"},
		"Pragma":                    {"no-cache"},
		"Cache-Control":             {"no-cache"},
		"Te":                        {"trailers"},
		// Explicitly define order to match Firefox
		http.HeaderOrderKey: {
			"User-Agent",
			"Accept",
			"Accept-Language",
			"Accept-Encoding",
			"Connection",
			"Sec-Fetch-Dest",
			"Sec-Fetch-Mode",
			"Sec-Fetch-Site",
			"Pragma",
			"Cache-Control",
			"Te",
		},
        // Set pseudo-header order explicitly for fhttp requests
        http.PHeaderOrderKey: {
            ":method",
            ":path",
            ":authority",
            ":scheme",
        },
	}

	// 6. Execute
	log.Printf("Requesting %s...", targetURL)
	resp, err := client.Do(req)
	if err != nil {
		log.Fatalf("Request failed: %v", err)
	}
	defer resp.Body.Close()

	// 7. Output
	fmt.Println("--------------------------------------------------")
	fmt.Printf("Status Code: %d %s\n", resp.StatusCode, resp.Status)
	fmt.Printf("Protocol:    %s\n", resp.Proto)

	// Read body
	bodyBytes, err := io.ReadAll(resp.Body)
	if err != nil {
		log.Printf("Failed to read body: %v", err)
	} else {
		fmt.Printf("Body Length: %d bytes\n", len(bodyBytes))
		if len(bodyBytes) > 8 && string(bodyBytes[:4]) == "\x89PNG" {
			fmt.Println("Content Check: Valid PNG Header detected.")
		} else {
			fmt.Printf("Content Check: Not a PNG. First 20 bytes: %q\n", string(bodyBytes[:min(20, len(bodyBytes))]))
		}
	}
}

func min(a, b int) int {
	if a < b {
		return a
	}
	return b
}

Result:

go run tlscli.go 
2025/12/06 13:17:21 Requesting https://sts-fips.us-east-1.amazonaws.com...
--------------------------------------------------
Status Code: 302 302 Found
Protocol:    HTTP/1.1
Body Length: 0 bytes
Content Check: Not a PNG. First 20 bytes: ""