From b0e2375fd821f34b3d9af27c45b9d1166bf46b44 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E4=B8=96=E7=95=8C?=
Date: Mon, 8 Sep 2025 15:35:34 +0800
Subject: [PATCH] documentation: Add kTLS

---
 docs/configuration/shared/tls.md | 56 +++++++++++++++++++++++++++-
 docs/configuration/shared/tls.zh.md | 57 +++++++++++++++++++++++++++++
 2 files changed, 111 insertions(+), 2 deletions(-)

diff --git a/docs/configuration/shared/tls.md b/docs/configuration/shared/tls.md
index 6fe74846..ead462ee 100644
--- a/docs/configuration/shared/tls.md
+++ b/docs/configuration/shared/tls.md
@@ -1,7 +1,12 @@
 ---
-icon: material/alert-decagram
+icon: material/new-box
 ---

+!!! quote "Changes in sing-box 1.13.0"
+
+ :material-plus: [kernel_tx](#kernel_tx)
+ :material-plus: [kernel_rx](#kernel_rx)
+
 !!! quote "Changes in sing-box 1.12.0"

 :material-plus: [fragment](#fragment)
@@ -28,6 +33,8 @@ icon: material/alert-decagram
 "certificate_path": "",
 "key": [],
 "key_path": "",
+ "kernel_tx": false,
+ "kernel_rx": false,
 "acme": {
 "domain": [],
 "data_directory": "",
@@ -188,7 +195,8 @@ By default, the maximum version is currently TLS 1.3.

 #### cipher_suites

-A list of enabled TLS 1.0–1.2 cipher suites. The order of the list is ignored. Note that TLS 1.3 cipher suites are not configurable.
+A list of enabled TLS 1.0–1.2 cipher suites. The order of the list is ignored.
+Note that TLS 1.3 cipher suites are not configurable.

 If empty, a safe default list is used. The default cipher suites might change over time.
@@ -220,6 +228,50 @@ The server private key line array, in PEM format.

 The path to the server private key, in PEM format.

+#### kernel_tx
+
+!!! question "Since sing-box 1.13.0"
+
+!!! quote ""
+
+ Only supported on Linux 5.1+, use a newer kernel if possible.
+
+!!! quote ""
+
+ Only TLS 1.3 is supported.
+
+!!! warning ""
+
+ uTLS is compatible, but not other custom TLS.
+
+!!! warning ""
+
+ kTLS TX may only improve performance when `splice(2)` is available (both ends must be TCP or TLS without additional protocols after handshake); otherwise, it will definitely degrade performance.
+
+Enable kernel TLS transmit support.
+
+#### kernel_rx
+
+!!! question "Since sing-box 1.13.0"
+
+!!! quote ""
+
+ Only supported on Linux 5.1+, use a newer kernel if possible.
+
+!!! quote ""
+
+ Only TLS 1.3 is supported.
+
+!!! warning ""
+
+ uTLS is compatible, but not other custom TLS.
+
+!!! failure ""
+
+ kTLS RX will definitely degrade performance even if `splice(2)` is in use, so enabling it is not recommended.
+
+Enable kernel TLS receive support.
+
 ## Custom TLS support

 !!! info "QUIC support"
diff --git a/docs/configuration/shared/tls.zh.md b/docs/configuration/shared/tls.zh.md
index b85d3290..ef8a7c76 100644
--- a/docs/configuration/shared/tls.zh.md
+++ b/docs/configuration/shared/tls.zh.md
@@ -2,6 +2,11 @@
 icon: material/alert-decagram
 ---

+!!! quote "sing-box 1.13.0 中的更改"
+
+ :material-plus: [kernel_tx](#kernel_tx)
+ :material-plus: [kernel_rx](#kernel_rx)
+
 !!! quote "sing-box 1.12.0 中的更改"

 :material-plus: [tls_fragment](#tls_fragment)
@@ -28,6 +33,8 @@ icon: material/alert-decagram
 "certificate_path": "",
 "key": [],
 "key_path": "",
+ "kernel_tx": false,
+ "kernel_rx": false,
 "acme": {
 "domain": [],
 "data_directory": "",
@@ -216,6 +223,56 @@ TLS 版本值:

 服务器 PEM 私钥路径。

+#### kernel_tx
+
+!!! question "自 sing-box 1.13.0 起"
+
+!!! quote ""
+
+ 仅支持 Linux 5.1+,如果可能,使用较新的内核。
+
+!!! quote ""
+
+ 仅支持 TLS 1.3。
+
+!!! warning ""
+
+ 兼容 uTLS,但不兼容其他自定义 TLS。
+
+!!! warning ""
+
+ kTLS TX 仅当 `splice(2)` 可用时(两端经过握手后必须为没有附加协议的 TCP 或 TLS)才能提高性能;否则肯定会降低性能。
+
+启用内核 TLS 发送支持。
+
+#### kernel_rx
+
+!!! question "自 sing-box 1.13.0 起"
+
+!!! quote ""
+
+ 仅支持 Linux 5.1+,如果可能,使用较新的内核。
+
+!!! quote ""
+
+ 仅支持 TLS 1.3。
+
+!!! warning ""
+
+ 兼容 uTLS,但不兼容其他自定义 TLS。
+
+!!! failure ""
+
+ 即使使用 `splice(2)`,kTLS RX 也肯定会降低性能,因此不建议启用。
+
+启用内核 TLS 接收支持。
+
+## 自定义 TLS 支持
+
+!!! info "QUIC 支持"
+
+ 只有 ECH 在 QUIC 中被支持.
+
 #### utls

 ==仅客户端==