sing-box/docs/configuration/shared/tls.md

275 lines
5.9 KiB
Markdown
Raw Normal View History

### Inbound
2022-07-27 04:03:07 +00:00
```json
{
"enabled": true,
"server_name": "",
"alpn": [],
"min_version": "",
"max_version": "",
"cipher_suites": [],
"certificate": "",
"certificate_path": "",
"key": "",
"key_path": "",
"acme": {
"domain": [],
"data_directory": "",
"default_server_name": "",
"email": "",
"provider": "",
"disable_http_challenge": false,
"disable_tls_alpn_challenge": false,
"alternative_http_port": 0,
2022-08-24 09:04:15 +00:00
"alternative_tls_port": 0,
"external_account": {
"key_id": "",
"mac_key": ""
}
}
2022-07-27 04:03:07 +00:00
}
```
### Outbound
2022-07-27 04:03:07 +00:00
```json
{
"enabled": true,
2022-08-26 10:36:49 +00:00
"disable_sni": false,
2022-07-27 04:03:07 +00:00
"server_name": "",
"insecure": false,
"alpn": [],
"min_version": "",
"max_version": "",
"cipher_suites": [],
"certificate": "",
2022-09-10 14:42:20 +00:00
"certificate_path": "",
"ech": {
"enabled": false,
"pq_signature_schemes_enabled": false,
"dynamic_record_sizing_disabled": false,
"config": ""
},
"utls": {
"enabled": false,
"fingerprint": ""
}
2022-07-27 04:03:07 +00:00
}
```
TLS version values:
* `1.0`
* `1.1`
* `1.2`
* `1.3`
Cipher suite values:
* `TLS_RSA_WITH_AES_128_CBC_SHA`
* `TLS_RSA_WITH_AES_256_CBC_SHA`
* `TLS_RSA_WITH_AES_128_GCM_SHA256`
* `TLS_RSA_WITH_AES_256_GCM_SHA384`
* `TLS_AES_128_GCM_SHA256`
* `TLS_AES_256_GCM_SHA384`
* `TLS_CHACHA20_POLY1305_SHA256`
* `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`
* `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`
* `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`
* `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`
* `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`
* `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`
* `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`
* `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`
* `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`
* `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`
!!! note ""
You can ignore the JSON Array [] tag when the content is only one item
2022-07-27 04:03:07 +00:00
### Fields
#### enabled
Enable TLS.
2022-07-27 04:03:07 +00:00
2022-08-26 10:36:49 +00:00
#### disable_sni
==Client only==
Do not send server name in ClientHello.
2022-07-27 04:03:07 +00:00
#### server_name
Used to verify the hostname on the returned certificates unless insecure is given.
It is also included in the client's handshake to support virtual hosting unless it is an IP address.
#### insecure
==Client only==
Accepts any server certificate.
#### alpn
List of supported application level protocols, in order of preference.
If both peers support ALPN, the selected protocol will be one from this list, and the connection will fail if there is
no mutually supported protocol.
See [Application-Layer Protocol Negotiation](https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation).
#### min_version
The minimum TLS version that is acceptable.
By default, TLS 1.2 is currently used as the minimum when acting as a
client, and TLS 1.0 when acting as a server.
2022-07-27 04:03:07 +00:00
#### max_version
The maximum TLS version that is acceptable.
By default, the maximum version is currently TLS 1.3.
2022-07-27 04:03:07 +00:00
#### cipher_suites
The elliptic curves that will be used in an ECDHE handshake, in preference order.
If empty, the default will be used. The client will use the first preference as the type for its key share in TLS 1.3.
This may change in the future.
#### certificate
The server certificate, in PEM format.
#### certificate_path
The path to the server certificate, in PEM format.
#### key
==Server only==
The server private key, in PEM format.
#### key_path
==Server only==
2022-07-30 14:00:04 +00:00
The path to the server private key, in PEM format.
2022-09-10 14:42:20 +00:00
#### ech
==Client only==
!!! warning ""
ECH is not included by default, see [Installation](/#installation).
ECH (Encrypted Client Hello) is a TLS extension that allows a client to encrypt the first part of its ClientHello
message.
If you don't know how to fill in the other configuration, just set `enabled`.
#### utls
==Client only==
!!! warning ""
uTLS is not included by default, see [Installation](/#installation).
!!! note ""
uTLS is poorly maintained and the effect may be unproven, use at your own risk.
uTLS is a fork of "crypto/tls", which provides ClientHello fingerprinting resistance.
Available fingerprint values:
* chrome
* firefox
* ios
* android
* random
### ACME Fields
2022-09-10 14:42:20 +00:00
!!! warning ""
ACME is not included by default, see [Installation](/#installation).
#### domain
List of domain.
ACME will be disabled if empty.
#### data_directory
The directory to store ACME data.
`$XDG_DATA_HOME/certmagic|$HOME/.local/share/certmagic` will be used if empty.
#### default_server_name
Server name to use when choosing a certificate if the ClientHello's ServerName field is empty.
#### email
The email address to use when creating or selecting an existing ACME server account
#### provider
The ACME CA provider to use.
| Value | Provider |
|-------------------------|---------------|
2022-08-23 15:15:56 +00:00
| `letsencrypt (default)` | Let's Encrypt |
| `zerossl` | ZeroSSL |
| `https://...` | Custom |
#### disable_http_challenge
Disable all HTTP challenges.
#### disable_tls_alpn_challenge
Disable all TLS-ALPN challenges
#### alternative_http_port
The alternate port to use for the ACME HTTP challenge; if non-empty, this port will be used instead of 80 to spin up a
listener for the HTTP challenge.
#### alternative_tls_port
The alternate port to use for the ACME TLS-ALPN challenge; the system must forward 443 to this port for challenge to
succeed.
2022-08-24 09:04:15 +00:00
#### external_account
EAB (External Account Binding) contains information necessary to bind or map an ACME account to some other account known
by the CA.
External account bindings are "used to associate an ACME account with an existing account in a non-ACME system, such as
a CA customer database.
To enable ACME account binding, the CA operating the ACME server needs to provide the ACME client with a MAC key and a
key identifier, using some mechanism outside of ACME. §7.3.4
#### external_account.key_id
The key identifier.
#### external_account.mac_key
2022-09-10 14:42:20 +00:00
The MAC key.
### Reload
For server configuration, certificate and key will be automatically reloaded if modified.