TLS Configuration
tls
Enables TLS. Applies only to protocols that use TLS; the trojan protocol requires it to be enabled.
sni/servername
The Server Name Indication (SNI) value; the key is named servername for VMess/VLESS. If left empty, it defaults to the address in server.
fingerprint
Certificate fingerprint, applicable only to protocols that use TLS.
alpn
List of supported ALPN (Application-Layer Protocol Negotiation) protocols, in order of priority.
If both peers support ALPN, the selected protocol will be one from this list; if there are no mutually supported protocols, the connection will fail.
Refer to Application-Layer Protocol Negotiation.
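skip-cert-verify
Bypasses certificate verification, applicable only to protocols that use TLS. With verification bypassed, the client accepts whatever certificate the server presents, so the server's identity is not authenticated.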
certificate
If set, this enables mTLS (it must be set together with private-key). The value is the certificate in PEM format or the path to the certificate.
private-key
If set, this enables mTLS (it must be set together with certificate). The value is the private key corresponding to the certificate, in PEM format, or the path to the private key.
client-fingerprint
Client uTLS fingerprint, applicable only to VMess/VLESS/Trojan protocols. For the available options, refer to Global Client Fingerprint.
reality-opts
Configuration for reality; if not empty, reality will be enabled.
reality-opts.public-key
Public key corresponding to the reality server's private key.
reality-opts.short-id
One of the server's short IDs.
reality-opts.support-x25519mlkem768
Support for X25519-MLKEM768 key exchange.
ech-opts
ech-opts.enable
Enables ECH (Encrypted Client Hello). If not empty, ECH will be enabled.
ech-opts.config
Base64-encoded configuration for ECH.
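A small linter for the rules this page states (the mTLS pair, skip-cert-verify, alpn as a priority list, sni versus servername, and the scope of client-fingerprint), given here as an added example and not as code from the project. It assumes proxy entries already loaded from the YAML config into dicts; audit_proxy, the sample entries and their values are constructed for illustration.

```python
# Added example: lint proxy entries (dicts loaded from YAML) against this page's rules.
SERVERNAME_TYPES = {"vmess", "vless"}        # these name the SNI key `servername`
UTLS_TYPES = {"vmess", "vless", "trojan"}    # `client-fingerprint` applies only here


def audit_proxy(p):
    """Return a list of (severity, message) findings for one proxy entry."""
    out = []
    ptype = str(p.get("type", "")).lower()
    # mTLS: certificate and private-key must be filled in together.
    if bool(p.get("certificate")) != bool(p.get("private-key")):
        out.append(("error", "certificate and private-key must both be set for mTLS"))
    # skip-cert-verify bypasses verification of the server certificate.
    if p.get("skip-cert-verify") is True:
        out.append(("warn", "skip-cert-verify is on: server certificate is not verified"))
    # alpn is a list of protocol names in priority order, not a single string.
    alpn = p.get("alpn")
    if alpn is not None and not (
            isinstance(alpn, list) and alpn and all(isinstance(a, str) and a for a in alpn)):
        out.append(("error", "alpn must be a non-empty list of protocol names"))
    # The server name key differs by protocol.
    if ptype in SERVERNAME_TYPES and "sni" in p:
        out.append(("warn", f"{ptype} uses servername, not sni"))
    if ptype and ptype not in SERVERNAME_TYPES and "servername" in p:
        out.append(("warn", f"{ptype} uses sni, not servername"))
    # client-fingerprint applies only to VMess/VLESS/Trojan.
    if "client-fingerprint" in p and ptype not in UTLS_TYPES:
        out.append(("warn", "client-fingerprint applies only to vmess/vless/trojan"))
    return out


SAMPLE = [  # constructed entries, not taken from a real deployment
    {"name": "clean", "type": "trojan", "server": "proxy.example.com", "port": 443,
     "sni": "proxy.example.com", "alpn": ["h2", "http/1.1"],
     "skip-cert-verify": False, "client-fingerprint": "chrome"},
    {"name": "flawed", "type": "vless", "server": "203.0.113.10", "port": 443,
     "tls": True, "sni": "proxy.example.com", "alpn": "h2",
     "skip-cert-verify": True, "certificate": "./client.crt"},
]

if __name__ == "__main__":
    for proxy in SAMPLE:
        print(proxy["name"], audit_proxy(proxy))
```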