|
|
@@ -8,9 +8,9 @@
|
|
|
"min_version": "",
|
|
|
"max_version": "",
|
|
|
"cipher_suites": [],
|
|
|
- "certificate": "",
|
|
|
+ "certificate": [],
|
|
|
"certificate_path": "",
|
|
|
- "key": "",
|
|
|
+ "key": [],
|
|
|
"key_path": "",
|
|
|
"acme": {
|
|
|
"domain": [],
|
|
|
@@ -27,6 +27,13 @@
|
|
|
"mac_key": ""
|
|
|
}
|
|
|
},
|
|
|
+ "ech": {
|
|
|
+ "enabled": false,
|
|
|
+ "pq_signature_schemes_enabled": false,
|
|
|
+ "dynamic_record_sizing_disabled": false,
|
|
|
+ "key": [],
|
|
|
+ "key_path": ""
|
|
|
+ },
|
|
|
"reality": {
|
|
|
"enabled": false,
|
|
|
"handshake": {
|
|
|
@@ -62,7 +69,8 @@
|
|
|
"enabled": false,
|
|
|
"pq_signature_schemes_enabled": false,
|
|
|
"dynamic_record_sizing_disabled": false,
|
|
|
- "config": ""
|
|
|
+ "config": [],
|
|
|
+ "config_path": ""
|
|
|
},
|
|
|
"utls": {
|
|
|
"enabled": false,
|
|
|
@@ -162,7 +170,7 @@ This may change in the future.
|
|
|
|
|
|
#### certificate
|
|
|
|
|
|
-The server certificate, in PEM format.
|
|
|
+The server certificate line array, in PEM format.
|
|
|
|
|
|
#### certificate_path
|
|
|
|
|
|
@@ -172,7 +180,7 @@ The path to the server certificate, in PEM format.
|
|
|
|
|
|
==Server only==
|
|
|
|
|
|
-The server private key, in PEM format.
|
|
|
+The server private key line array, in PEM format.
|
|
|
|
|
|
#### key_path
|
|
|
|
|
|
@@ -180,19 +188,6 @@ The server private key, in PEM format.
|
|
|
|
|
|
The path to the server private key, in PEM format.
|
|
|
|
|
|
-#### ech
|
|
|
-
|
|
|
-==Client only==
|
|
|
-
|
|
|
-!!! warning ""
|
|
|
-
|
|
|
- ECH is not included by default, see [Installation](/#installation).
|
|
|
-
|
|
|
-ECH (Encrypted Client Hello) is a TLS extension that allows a client to encrypt the first part of its ClientHello
|
|
|
-message.
|
|
|
-
|
|
|
-If you don't know how to fill in the other configuration, just set `enabled`.
|
|
|
-
|
|
|
#### utls
|
|
|
|
|
|
==Client only==
|
|
|
@@ -222,6 +217,58 @@ Available fingerprint values:
|
|
|
|
|
|
Chrome fingerprint will be used if empty.
|
|
|
|
|
|
+## ECH Fields
|
|
|
+
|
|
|
+!!! warning ""
|
|
|
+
|
|
|
+ ECH is not included by default, see [Installation](/#installation).
|
|
|
+
|
|
|
+ECH (Encrypted Client Hello) is a TLS extension that allows a client to encrypt the first part of its ClientHello
|
|
|
+message.
|
|
|
+
|
|
|
+The ECH key and configuration can be generated by `sing-box generate ech-keypair [-pq-signature-schemes-enabled]`.
|
|
|
+
|
|
|
+#### pq_signature_schemes_enabled
|
|
|
+
|
|
|
+Enable support for post-quantum peer certificate signature schemes.
|
|
|
+
|
|
|
+It is recommended to match the parameters of `sing-box generate ech-keypair`.
|
|
|
+
|
|
|
+#### dynamic_record_sizing_disabled
|
|
|
+
|
|
|
+Disables adaptive sizing of TLS records.
|
|
|
+
|
|
|
+When true, the largest possible TLS record size is always used.
|
|
|
+When false, the size of TLS records may be adjusted in an attempt to improve latency.
|
|
|
+
|
|
|
+#### key
|
|
|
+
|
|
|
+==Server only==
|
|
|
+
|
|
|
+ECH key line array, in PEM format.
|
|
|
+
|
|
|
+#### key_path
|
|
|
+
|
|
|
+==Server only==
|
|
|
+
|
|
|
+The path to ECH key, in PEM format.
|
|
|
+
|
|
|
+#### config
|
|
|
+
|
|
|
+==Client only==
|
|
|
+
|
|
|
+ECH configuration line array, in PEM format.
|
|
|
+
|
|
|
+If empty, load from DNS will be attempted.
|
|
|
+
|
|
|
+#### config_path
|
|
|
+
|
|
|
+==Client only==
|
|
|
+
|
|
|
+The path to ECH configuration, in PEM format.
|
|
|
+
|
|
|
+If empty, load from DNS will be attempted.
|
|
|
+
|
|
|
### ACME Fields
|
|
|
|
|
|
!!! warning ""
|
|
|
@@ -345,4 +392,4 @@ Check disabled if empty.
|
|
|
|
|
|
### Reload
|
|
|
|
|
|
-For server configuration, certificate and key will be automatically reloaded if modified.
|
|
|
+For server configuration, certificate, key and ECH key will be automatically reloaded if modified.
|
世界