documentation: Add kTLS

2025-09-09 13:04:06 +08:00 · 2025-09-08 15:35:34 +08:00 · 2025-09-08 15:35:34 +08:00 · c3d6f42a5a
commit c3d6f42a5a
parent 73595dd75c
2 changed files with 111 additions and 2 deletions
--- a/docs/configuration/shared/tls.md
+++ b/docs/configuration/shared/tls.md
@ -1,7 +1,12 @@
 ---
-icon: material/alert-decagram
+icon: material/new-box
 ---

+!!! quote "Changes in sing-box 1.13.0"
+
+    :material-plus: [kernel_tx](#kernel_tx)  
+    :material-plus: [kernel_rx](#kernel_rx)
+
 !!! quote "Changes in sing-box 1.12.0"

    :material-plus: [fragment](#fragment)  
@ -28,6 +33,8 @@ icon: material/alert-decagram
  "certificate_path": "",
  "key": [],
  "key_path": "",
+  "kernel_tx": false,
+  "kernel_rx": false,
  "acme": {
    "domain": [],
    "data_directory": "",
@ -188,7 +195,8 @@ By default, the maximum version is currently TLS 1.3.

 #### cipher_suites

-A list of enabled TLS 1.0–1.2 cipher suites. The order of the list is ignored. Note that TLS 1.3 cipher suites are not configurable.
+A list of enabled TLS 1.0–1.2 cipher suites. The order of the list is ignored.
+Note that TLS 1.3 cipher suites are not configurable.

 If empty, a safe default list is used. The default cipher suites might change over time.

@ -220,6 +228,50 @@ The server private key line array, in PEM format.

 The path to the server private key, in PEM format.

+#### kernel_tx
+
+!!! question "Since sing-box 1.13.0"
+
+!!! quote ""
+
+    Only supported on Linux 5.1+, use a newer kernel if possible.
+
+!!! quote ""
+
+    Only TLS 1.3 is supported.
+
+!!! warning ""
+
+    uTLS is compatible, but not other custom TLS.
+
+!!! warning ""
+
+    kTLS TX may only improve performance when `splice(2)` is available (both ends must be TCP or TLS without additional protocols after handshake); otherwise, it will definitely degrade performance.
+
+Enable kernel TLS transmit support.
+
+#### kernel_rx
+
+!!! question "Since sing-box 1.13.0"
+
+!!! quote ""
+
+    Only supported on Linux 5.1+, use a newer kernel if possible.
+
+!!! quote ""
+
+    Only TLS 1.3 is supported.
+
+!!! warning ""
+
+    uTLS is compatible, but not other custom TLS.
+
+!!! failure ""
+
+    kTLS RX will definitely degrade performance even if `splice(2)` is in use, so enabling it is not recommended.
+
+Enable kernel TLS receive support.
+
 ## Custom TLS support

 !!! info "QUIC support"
--- a/docs/configuration/shared/tls.zh.md
+++ b/docs/configuration/shared/tls.zh.md
@ -2,6 +2,11 @@
 icon: material/alert-decagram
 ---

+!!! quote "sing-box 1.13.0 中的更改"
+
+    :material-plus: [kernel_tx](#kernel_tx)  
+    :material-plus: [kernel_rx](#kernel_rx)
+
 !!! quote "sing-box 1.12.0 中的更改"

    :material-plus: [tls_fragment](#tls_fragment)  
@ -28,6 +33,8 @@ icon: material/alert-decagram
  "certificate_path": "",
  "key": [],
  "key_path": "",
+  "kernel_tx": false,
+  "kernel_rx": false,
  "acme": {
    "domain": [],
    "data_directory": "",
@ -216,6 +223,56 @@ TLS 版本值：

 服务器 PEM 私钥路径。

+#### kernel_tx
+
+!!! question "自 sing-box 1.13.0 起"
+
+!!! quote ""
+
+    仅支持 Linux 5.1+，如果可能，使用较新的内核。
+
+!!! quote ""
+
+    仅支持 TLS 1.3。
+
+!!! warning ""
+
+    兼容 uTLS，但不兼容其他自定义 TLS。
+
+!!! warning ""
+
+    kTLS TX 仅当 `splice(2)` 可用时（两端经过握手后必须为没有附加协议的 TCP 或 TLS）才能提高性能；否则肯定会降低性能。
+
+启用内核 TLS 发送支持。
+
+#### kernel_rx
+
+!!! question "自 sing-box 1.13.0 起"
+
+!!! quote ""
+
+    仅支持 Linux 5.1+，如果可能，使用较新的内核。
+
+!!! quote ""
+
+    仅支持 TLS 1.3。
+
+!!! warning ""
+
+    兼容 uTLS，但不兼容其他自定义 TLS。
+
+!!! failure ""
+
+    即使使用 `splice(2)`，kTLS RX 也肯定会降低性能，因此不建议启用。
+
+启用内核 TLS 接收支持。
+
+## 自定义 TLS 支持
+
+!!! info "QUIC 支持"
+
+    只有 ECH 在 QUIC 中被支持.
+
 #### utls

 ==仅客户端==