documentation: Update TLS ECH struct

世界 2023-08-29 22:43:48 +08:00
parent 187bf2f7bc
commit 533fca9fa3
No known key found for this signature in database
GPG key ID: CD109927C34A63C4
2 changed files with 133 additions and 38 deletions


@ -8,9 +8,9 @@
"min_version": "", "min_version": "",
"max_version": "", "max_version": "",
"cipher_suites": [], "cipher_suites": [],
"certificate": "", "certificate": [],
"certificate_path": "", "certificate_path": "",
"key": "", "key": [],
"key_path": "", "key_path": "",
"acme": { "acme": {
"domain": [], "domain": [],
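Review bot: changing `certificate` and `key` from `""` to `[]` in the server example is a schema type change (single PEM string to array of lines) that breaks any existing configuration carrying the PEM as one string; this hunk should be paired with a sentence in the field descriptions stating whether the old string form is still accepted and, if not, how to migrate (split the PEM on newlines, or switch to `certificate_path` / `key_path`).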
@ -27,6 +27,13 @@
"mac_key": "" "mac_key": ""
} }
}, },
"ech": {
"enabled": false,
"pq_signature_schemes_enabled": false,
"dynamic_record_sizing_disabled": false,
"key": [],
"key_path": ""
},
"reality": { "reality": {
"enabled": false, "enabled": false,
"handshake": { "handshake": {
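Review bot: the new server `ech` block offers both `key` and `key_path`, but nothing in this change says which one wins when both are set, or what happens when `enabled` is true and both are empty; the ECH field documentation added later in this file should spell out that precedence and the error behaviour, since a silently ignored key file is hard to diagnose.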
@ -62,7 +69,8 @@
"enabled": false, "enabled": false,
"pq_signature_schemes_enabled": false, "pq_signature_schemes_enabled": false,
"dynamic_record_sizing_disabled": false, "dynamic_record_sizing_disabled": false,
"config": "" "config": [],
"config_path": ""
}, },
"utls": { "utls": {
"enabled": false, "enabled": false,
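Review bot: `"config": ""` becomes `"config": []` here, the same breaking string-to-array change as `certificate` / `key` in the server example, and `config_path` is added next to it; with two ways to supply the client ECH configuration plus a DNS fallback when both are empty, the example or the adjacent text should state in which order `config`, `config_path` and the DNS lookup are consulted.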
@ -162,7 +170,7 @@ This may change in the future.
#### certificate #### certificate
The server certificate, in PEM format. The server certificate line array, in PEM format.
#### certificate_path #### certificate_path
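Review bot: `The server certificate line array, in PEM format.` reads awkwardly and leaves the element granularity implicit; suggest `The server certificate in PEM format, given as an array of lines (one PEM line per element).`, and add whether a single string is still accepted for backward compatibility.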
@ -172,7 +180,7 @@ The path to the server certificate, in PEM format.
==Server only== ==Server only==
The server private key, in PEM format. The server private key line array, in PEM format.
#### key_path #### key_path
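Review bot: same wording issue as the certificate description: `The server private key line array, in PEM format.` should use the same phrasing chosen for `certificate`, e.g. `The server private key in PEM format, given as an array of lines.`, so the two fields are documented identically.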
@ -180,19 +188,6 @@ The server private key, in PEM format.
The path to the server private key, in PEM format. The path to the server private key, in PEM format.
#### ech
==Client only==
!!! warning ""
ECH is not included by default, see [Installation](/#installation).
ECH (Encrypted Client Hello) is a TLS extension that allows a client to encrypt the first part of its ClientHello
message.
If you don't know how to fill in the other configuration, just set `enabled`.
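Review bot: removing the whole `#### ech` entry from the per-field list also removes the `==Client only==` marker and the practical hint `If you don't know how to fill in the other configuration, just set `enabled`.`, and leaves nothing in the field list pointing readers to the new section; keep a short `#### ech` stub here that links to the ECH Fields section and restates that setting only `enabled` is enough for a basic client setup.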
#### utls #### utls
==Client only== ==Client only==
@ -222,6 +217,58 @@ Available fingerprint values:
Chrome fingerprint will be used if empty. Chrome fingerprint will be used if empty.
## ECH Fields
!!! warning ""
ECH is not included by default, see [Installation](/#installation).
ECH (Encrypted Client Hello) is a TLS extension that allows a client to encrypt the first part of its ClientHello
message.
The ECH key and configuration can be generated by `sing-box generate ech-keypair [-pq-signature-schemes-enabled]`.
#### pq_signature_schemes_enabled
Enable support for post-quantum peer certificate signature schemes.
It is recommended to match the parameters of `sing-box generate ech-keypair`.
#### dynamic_record_sizing_disabled
Disables adaptive sizing of TLS records.
When true, the largest possible TLS record size is always used.
When false, the size of TLS records may be adjusted in an attempt to improve latency.
#### key
==Server only==
ECH key line array, in PEM format.
#### key_path
==Server only==
The path to ECH key, in PEM format.
#### config
==Client only==
ECH configuration line array, in PEM format.
If empty, load from DNS will be attempted.
#### config_path
==Client only==
The path to ECH configuration, in PEM format.
If empty, load from DNS will be attempted.
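Review bot: `## ECH Fields` is a level-2 heading while the adjacent `### ACME Fields` is level 3, so the new section escapes the field-group hierarchy; use `### ECH Fields`. Two gaps in the same hunk: the `enabled` key present in both JSON examples has no `#### enabled` entry, and the hint that setting only `enabled` suffices (dropped from the section this replaces) should be restated under it. Also `If empty, load from DNS will be attempted.` (under both `config` and `config_path`) should read `If empty, the configuration will be loaded from DNS.` and say which DNS record is queried and through which resolver, otherwise the fallback is undiscoverable from the docs.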
### ACME Fields ### ACME Fields
!!! warning "" !!! warning ""
@ -345,4 +392,4 @@ Check disabled if empty.
### Reload ### Reload
For server configuration, certificate and key will be automatically reloaded if modified. For server configuration, certificate, key and ECH key will be automatically reloaded if modified.
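Review bot: `certificate, key and ECH key will be automatically reloaded if modified` is ambiguous now that each of these can be supplied inline as an array or via a path; inline arrays live inside the configuration itself and presumably are not what is watched, so the sentence should name the `_path` variants explicitly (`the files referenced by certificate_path, key_path and ech.key_path are reloaded when modified`) and state whether the client-side ECH `config_path` is reloaded as well.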


@ -8,9 +8,9 @@
"min_version": "", "min_version": "",
"max_version": "", "max_version": "",
"cipher_suites": [], "cipher_suites": [],
"certificate": "", "certificate": [],
"certificate_path": "", "certificate_path": "",
"key": "", "key": [],
"key_path": "", "key_path": "",
"acme": { "acme": {
"domain": [], "domain": [],
@ -27,6 +27,13 @@
"mac_key": "" "mac_key": ""
} }
}, },
"ech": {
"enabled": false,
"pq_signature_schemes_enabled": false,
"dynamic_record_sizing_disabled": false,
"key": [],
"key_path": ""
},
"reality": { "reality": {
"enabled": false, "enabled": false,
"handshake": { "handshake": {
@ -56,13 +63,14 @@
"min_version": "", "min_version": "",
"max_version": "", "max_version": "",
"cipher_suites": [], "cipher_suites": [],
"certificate": "", "certificate": [],
"certificate_path": "", "certificate_path": "",
"ech": { "ech": {
"enabled": false, "enabled": false,
"pq_signature_schemes_enabled": false, "pq_signature_schemes_enabled": false,
"dynamic_record_sizing_disabled": false, "dynamic_record_sizing_disabled": false,
"config": "" "config": [],
"config_path": ""
}, },
"utls": { "utls": {
"enabled": false, "enabled": false,
@ -162,7 +170,7 @@ TLS 版本值:
#### certificate #### certificate
服务器 PEM 证书。 服务器 PEM 证书行数组
#### certificate_path #### certificate_path
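Review bot: the new text `服务器 PEM 证书行数组` drops the trailing `。` that the replaced line `服务器 PEM 证书。` had, while neighbouring descriptions such as `服务器 PEM 私钥路径。` keep it; add the full stop for consistency, and mirror whatever wording the English file settles on for the line-array form (including whether a single string is still accepted).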
@ -172,7 +180,7 @@ TLS 版本值:
==仅服务器== ==仅服务器==
服务器 PEM 私钥。 服务器 PEM 私钥行数组
#### key_path #### key_path
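Review bot: `服务器 PEM 私钥行数组` is also missing the trailing `。` present in the replaced line and in the surrounding descriptions; add it and keep the phrasing parallel to the `certificate` entry above.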
@ -180,19 +188,6 @@ TLS 版本值:
服务器 PEM 私钥路径。 服务器 PEM 私钥路径。
#### ech
==仅客户端==
!!! warning ""
默认安装不包含 ECH, 参阅 [安装](/zh/#_2)。
ECH (Encrypted Client Hello) 是一个 TLS 扩展,它允许客户端加密其 ClientHello 的第一部分
信息。
如果您不知道如何填写其他配置,只需设置 `enabled` 即可。
#### utls #### utls
==仅客户端== ==仅客户端==
@ -222,6 +217,59 @@ uTLS 是 "crypto/tls" 的一个分支,它提供了 ClientHello 指纹识别阻
默认使用 chrome 指纹。 默认使用 chrome 指纹。
## ECH 字段
!!! warning ""
默认安装不包含 ECH, 参阅 [安装](/zh/#_2)。
ECH (Encrypted Client Hello) 是一个 TLS 扩展,它允许客户端加密其 ClientHello 的第一部分
信息。
ECH 配置和密钥可以通过 `sing-box generate ech-keypair [-pq-signature-schemes-enabled]` 生成。
#### pq_signature_schemes_enabled
启用对后量子对等证书签名方案的支持。
建议匹配 `sing-box generate ech-keypair` 的参数。
#### dynamic_record_sizing_disabled
禁用 TLS 记录的自适应大小调整。
如果为 true则始终使用最大可能的 TLS 记录大小。
如果为 false则可能会调整 TLS 记录的大小以尝试改善延迟。
#### key
==仅服务器==
ECH PEM 密钥行数组
#### key_path
==仅服务器==
ECH PEM 密钥路径
#### config
==仅客户端==
ECH PEM 配置行数组
如果为空,将尝试从 DNS 加载。
#### config_path
==仅客户端==
ECH PEM 配置路径
如果为空,将尝试从 DNS 加载。
### ACME 字段 ### ACME 字段
!!! warning "" !!! warning ""
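Review bot: `## ECH 字段` is a level-2 heading beside the level-3 `### ACME 字段`; use `### ECH 字段` as in the rest of the field groups. The four short descriptions under `key`, `key_path`, `config` and `config_path` (e.g. `ECH PEM 密钥行数组`) lack the trailing `。` used by the other sentences in this section, and the two `dynamic_record_sizing_disabled` sentences are missing the comma between condition and consequence (`如果为 true，则...`). As in the English file, `enabled` appears in both JSON examples but has no entry here, and the `key` / `key_path` and `config` / `config_path` precedence is undocumented.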