documentation: Bump version

Signed-off-by: 愚者 <11926619+FansChou@users.noreply.github.com>

common/dialer/tfo.go

@@ -10,6 +10,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
@@ -24,9 +25,7 @@ type slowOpenConn struct {
 	destination M.Socksaddr
 	conn        net.Conn
 	create      chan struct{}
-	done        chan struct{}
 	access      sync.Mutex
-	closeOnce   sync.Once
 	err         error
 }
 
@@ -45,7 +44,6 @@ func DialSlowContext(dialer *tcpDialer, ctx context.Context, network string, des
 		network:     network,
 		destination: destination,
 		create:      make(chan struct{}),
-		done:        make(chan struct{}),
 	}, nil
 }
 
@@ -56,8 +54,8 @@ func (c *slowOpenConn) Read(b []byte) (n int, err error) {
 			if c.err != nil {
 				return 0, c.err
 			}
-		case <-c.done:
-			return 0, os.ErrClosed
+		case <-c.ctx.Done():
+			return 0, c.ctx.Err()
 		}
 	}
 	return c.conn.Read(b)
@@ -75,8 +73,6 @@ func (c *slowOpenConn) Write(b []byte) (n int, err error) {
 			return 0, c.err
 		}
 		return c.conn.Write(b)
-	case <-c.done:
-		return 0, os.ErrClosed
 	default:
 	}
 	conn, err := c.dialer.DialContext(c.ctx, c.network, c.destination.String(), b)
@@ -91,13 +87,7 @@ func (c *slowOpenConn) Write(b []byte) (n int, err error) {
 }
 
 func (c *slowOpenConn) Close() error {
-	c.closeOnce.Do(func() {
-		close(c.done)
-		if c.conn != nil {
-			c.conn.Close()
-		}
-	})
-	return nil
+	return common.Close(c.conn)
 }
 
 func (c *slowOpenConn) LocalAddr() net.Addr {
@@ -162,8 +152,8 @@ func (c *slowOpenConn) WriteTo(w io.Writer) (n int64, err error) {
 			if c.err != nil {
 				return 0, c.err
 			}
-		case <-c.done:
-			return 0, c.err
+		case <-c.ctx.Done():
+			return 0, c.ctx.Err()
 		}
 	}
 	return bufio.Copy(w, c.conn)

common/tls/ech.go

@@ -25,7 +25,7 @@ import (
 	"golang.org/x/crypto/cryptobyte"
 )
 
-func parseECHClientConfig(ctx context.Context, clientConfig ECHCapableConfig, options option.OutboundTLSOptions) (Config, error) {
+func parseECHClientConfig(ctx context.Context, options option.OutboundTLSOptions, tlsConfig *tls.Config) (Config, error) {
 	var echConfig []byte
 	if len(options.ECH.Config) > 0 {
 		echConfig = []byte(strings.Join(options.ECH.Config, "\n"))
@@ -45,12 +45,12 @@ func parseECHClientConfig(ctx context.Context, clientConfig ECHCapableConfig, op
 		if block == nil || block.Type != "ECH CONFIGS" || len(rest) > 0 {
 			return nil, E.New("invalid ECH configs pem")
 		}
-		clientConfig.SetECHConfigList(block.Bytes)
-		return clientConfig, nil
+		tlsConfig.EncryptedClientHelloConfigList = block.Bytes
+		return &STDClientConfig{tlsConfig}, nil
 	} else {
-		return &ECHClientConfig{
-			ECHCapableConfig: clientConfig,
-			dnsRouter:        service.FromContext[adapter.DNSRouter](ctx),
+		return &STDECHClientConfig{
+			STDClientConfig: STDClientConfig{tlsConfig},
+			dnsRouter:       service.FromContext[adapter.DNSRouter](ctx),
 		}, nil
 	}
 }
@@ -102,15 +102,15 @@ func reloadECHKeys(echKeyPath string, tlsConfig *tls.Config) error {
 	return nil
 }
 
-type ECHClientConfig struct {
-	ECHCapableConfig
+type STDECHClientConfig struct {
+	STDClientConfig
 	access     sync.Mutex
 	dnsRouter  adapter.DNSRouter
 	lastTTL    time.Duration
 	lastUpdate time.Time
 }
 
-func (s *ECHClientConfig) ClientHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
+func (s *STDECHClientConfig) ClientHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
 	tlsConn, err := s.fetchAndHandshake(ctx, conn)
 	if err != nil {
 		return nil, err
@@ -122,17 +122,17 @@ func (s *ECHClientConfig) ClientHandshake(ctx context.Context, conn net.Conn) (a
 	return tlsConn, nil
 }
 
-func (s *ECHClientConfig) fetchAndHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
+func (s *STDECHClientConfig) fetchAndHandshake(ctx context.Context, conn net.Conn) (aTLS.Conn, error) {
 	s.access.Lock()
 	defer s.access.Unlock()
-	if len(s.ECHConfigList()) == 0 || s.lastTTL == 0 || time.Now().Sub(s.lastUpdate) > s.lastTTL {
+	if len(s.config.EncryptedClientHelloConfigList) == 0 || s.lastTTL == 0 || time.Now().Sub(s.lastUpdate) > s.lastTTL {
 		message := &mDNS.Msg{
 			MsgHdr: mDNS.MsgHdr{
 				RecursionDesired: true,
 			},
 			Question: []mDNS.Question{
 				{
-					Name:   mDNS.Fqdn(s.ServerName()),
+					Name:   mDNS.Fqdn(s.config.ServerName),
 					Qtype:  mDNS.TypeHTTPS,
 					Qclass: mDNS.ClassINET,
 				},
@@ -157,21 +157,21 @@ func (s *ECHClientConfig) fetchAndHandshake(ctx context.Context, conn net.Conn)
 						}
 						s.lastTTL = time.Duration(rr.Header().Ttl) * time.Second
 						s.lastUpdate = time.Now()
-						s.SetECHConfigList(echConfigList)
+						s.config.EncryptedClientHelloConfigList = echConfigList
 						break match
 					}
 				}
 			}
 		}
-		if len(s.ECHConfigList()) == 0 {
+		if len(s.config.EncryptedClientHelloConfigList) == 0 {
 			return nil, E.New("no ECH config found in DNS records")
 		}
 	}
 	return s.Client(conn)
 }
 
-func (s *ECHClientConfig) Clone() Config {
-	return &ECHClientConfig{ECHCapableConfig: s.ECHCapableConfig.Clone().(ECHCapableConfig), dnsRouter: s.dnsRouter, lastUpdate: s.lastUpdate}
+func (s *STDECHClientConfig) Clone() Config {
+	return &STDECHClientConfig{STDClientConfig: STDClientConfig{s.config.Clone()}, dnsRouter: s.dnsRouter, lastUpdate: s.lastUpdate}
 }
 
 func UnmarshalECHKeys(raw []byte) ([]tls.EncryptedClientHelloKey, error) {

common/tls/ech_keygen.go

@@ -11,12 +11,6 @@ import (
 	"github.com/cloudflare/circl/kem"
 )
 
-type ECHCapableConfig interface {
-	Config
-	ECHConfigList() []byte
-	SetECHConfigList([]byte)
-}
-
 func ECHKeygenDefault(serverName string) (configPem string, keyPem string, err error) {
 	cipherSuites := []echCipherSuite{
 		{

common/tls/ech_stub.go

@@ -10,7 +10,7 @@ import (
 	E "github.com/sagernet/sing/common/exceptions"
 )
 
-func parseECHClientConfig(ctx context.Context, clientConfig ECHCapableConfig, options option.OutboundTLSOptions) (Config, error) {
+func parseECHClientConfig(ctx context.Context, options option.OutboundTLSOptions, tlsConfig *tls.Config) (Config, error) {
 	return nil, E.New("ECH requires go1.24, please recompile your binary.")
 }
 

common/tls/reality_client.go

@@ -74,7 +74,7 @@ func NewRealityClient(ctx context.Context, serverAddress string, options option.
 	if decodedLen > 8 {
 		return nil, E.New("invalid short_id")
 	}
-	return &RealityClientConfig{ctx, uClient.(*UTLSClientConfig), publicKey, shortID}, nil
+	return &RealityClientConfig{ctx, uClient, publicKey, shortID}, nil
 }
 
 func (e *RealityClientConfig) ServerName() string {

common/tls/std_client.go

@@ -7,60 +7,43 @@ import (
 	"net"
 	"os"
 	"strings"
-	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/tlsfragment"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
 )
 
 type STDClientConfig struct {
-	ctx                   context.Context
-	config                *tls.Config
-	fragment              bool
-	fragmentFallbackDelay time.Duration
-	recordFragment        bool
+	config *tls.Config
 }
 
-func (c *STDClientConfig) ServerName() string {
-	return c.config.ServerName
+func (s *STDClientConfig) ServerName() string {
+	return s.config.ServerName
 }
 
-func (c *STDClientConfig) SetServerName(serverName string) {
-	c.config.ServerName = serverName
+func (s *STDClientConfig) SetServerName(serverName string) {
+	s.config.ServerName = serverName
 }
 
-func (c *STDClientConfig) NextProtos() []string {
-	return c.config.NextProtos
+func (s *STDClientConfig) NextProtos() []string {
+	return s.config.NextProtos
 }
 
-func (c *STDClientConfig) SetNextProtos(nextProto []string) {
-	c.config.NextProtos = nextProto
+func (s *STDClientConfig) SetNextProtos(nextProto []string) {
+	s.config.NextProtos = nextProto
 }
 
-func (c *STDClientConfig) Config() (*STDConfig, error) {
-	return c.config, nil
+func (s *STDClientConfig) Config() (*STDConfig, error) {
+	return s.config, nil
 }
 
-func (c *STDClientConfig) Client(conn net.Conn) (Conn, error) {
-	if c.recordFragment {
-		conn = tf.NewConn(conn, c.ctx, c.fragment, c.recordFragment, c.fragmentFallbackDelay)
-	}
-	return tls.Client(conn, c.config), nil
+func (s *STDClientConfig) Client(conn net.Conn) (Conn, error) {
+	return tls.Client(conn, s.config), nil
 }
 
-func (c *STDClientConfig) Clone() Config {
-	return &STDClientConfig{c.ctx, c.config.Clone(), c.fragment, c.fragmentFallbackDelay, c.recordFragment}
-}
-
-func (c *STDClientConfig) ECHConfigList() []byte {
-	return c.config.EncryptedClientHelloConfigList
-}
-
-func (c *STDClientConfig) SetECHConfigList(EncryptedClientHelloConfigList []byte) {
-	c.config.EncryptedClientHelloConfigList = EncryptedClientHelloConfigList
+func (s *STDClientConfig) Clone() Config {
+	return &STDClientConfig{s.config.Clone()}
 }
 
 func NewSTDClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
@@ -77,7 +60,9 @@ func NewSTDClient(ctx context.Context, serverAddress string, options option.Outb
 	var tlsConfig tls.Config
 	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	tlsConfig.RootCAs = adapter.RootPoolFromContext(ctx)
-	if !options.DisableSNI {
+	if options.DisableSNI {
+		tlsConfig.ServerName = "127.0.0.1"
+	} else {
 		tlsConfig.ServerName = serverName
 	}
 	if options.Insecure {
@@ -142,10 +127,8 @@ func NewSTDClient(ctx context.Context, serverAddress string, options option.Outb
 		}
 		tlsConfig.RootCAs = certPool
 	}
-	stdConfig := &STDClientConfig{ctx, &tlsConfig, options.Fragment, time.Duration(options.FragmentFallbackDelay), options.RecordFragment}
 	if options.ECH != nil && options.ECH.Enabled {
-		return parseECHClientConfig(ctx, stdConfig, options)
-	} else {
-		return stdConfig, nil
+		return parseECHClientConfig(ctx, options, &tlsConfig)
 	}
+	return &STDClientConfig{&tlsConfig}, nil
 }

common/tls/utls_client.go

@@ -8,12 +8,11 @@ import (
 	"crypto/x509"
 	"math/rand"
 	"net"
+	"net/netip"
 	"os"
 	"strings"
-	"time"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/tlsfragment"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
@@ -23,62 +22,48 @@ import (
 )
 
 type UTLSClientConfig struct {
-	ctx                   context.Context
-	config                *utls.Config
-	id                    utls.ClientHelloID
-	fragment              bool
-	fragmentFallbackDelay time.Duration
-	recordFragment        bool
+	config *utls.Config
+	id     utls.ClientHelloID
 }
 
-func (c *UTLSClientConfig) ServerName() string {
-	return c.config.ServerName
+func (e *UTLSClientConfig) ServerName() string {
+	return e.config.ServerName
 }
 
-func (c *UTLSClientConfig) SetServerName(serverName string) {
-	c.config.ServerName = serverName
+func (e *UTLSClientConfig) SetServerName(serverName string) {
+	e.config.ServerName = serverName
 }
 
-func (c *UTLSClientConfig) NextProtos() []string {
-	return c.config.NextProtos
+func (e *UTLSClientConfig) NextProtos() []string {
+	return e.config.NextProtos
 }
 
-func (c *UTLSClientConfig) SetNextProtos(nextProto []string) {
+func (e *UTLSClientConfig) SetNextProtos(nextProto []string) {
 	if len(nextProto) == 1 && nextProto[0] == http2.NextProtoTLS {
 		nextProto = append(nextProto, "http/1.1")
 	}
-	c.config.NextProtos = nextProto
+	e.config.NextProtos = nextProto
 }
 
-func (c *UTLSClientConfig) Config() (*STDConfig, error) {
+func (e *UTLSClientConfig) Config() (*STDConfig, error) {
 	return nil, E.New("unsupported usage for uTLS")
 }
 
-func (c *UTLSClientConfig) Client(conn net.Conn) (Conn, error) {
-	if c.recordFragment {
-		conn = tf.NewConn(conn, c.ctx, c.fragment, c.recordFragment, c.fragmentFallbackDelay)
-	}
-	return &utlsALPNWrapper{utlsConnWrapper{utls.UClient(conn, c.config.Clone(), c.id)}, c.config.NextProtos}, nil
+func (e *UTLSClientConfig) Client(conn net.Conn) (Conn, error) {
+	return &utlsALPNWrapper{utlsConnWrapper{utls.UClient(conn, e.config.Clone(), e.id)}, e.config.NextProtos}, nil
 }
 
-func (c *UTLSClientConfig) SetSessionIDGenerator(generator func(clientHello []byte, sessionID []byte) error) {
-	c.config.SessionIDGenerator = generator
+func (e *UTLSClientConfig) SetSessionIDGenerator(generator func(clientHello []byte, sessionID []byte) error) {
+	e.config.SessionIDGenerator = generator
 }
 
-func (c *UTLSClientConfig) Clone() Config {
+func (e *UTLSClientConfig) Clone() Config {
 	return &UTLSClientConfig{
-		c.ctx, c.config.Clone(), c.id, c.fragment, c.fragmentFallbackDelay, c.recordFragment,
+		config: e.config.Clone(),
+		id:     e.id,
 	}
 }
 
-func (c *UTLSClientConfig) ECHConfigList() []byte {
-	return c.config.EncryptedClientHelloConfigList
-}
-
-func (c *UTLSClientConfig) SetECHConfigList(EncryptedClientHelloConfigList []byte) {
-	c.config.EncryptedClientHelloConfigList = EncryptedClientHelloConfigList
-}
-
 type utlsConnWrapper struct {
 	*utls.UConn
 }
@@ -131,12 +116,14 @@ func (c *utlsALPNWrapper) HandshakeContext(ctx context.Context) error {
 	return c.UConn.HandshakeContext(ctx)
 }
 
-func NewUTLSClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (Config, error) {
+func NewUTLSClient(ctx context.Context, serverAddress string, options option.OutboundTLSOptions) (*UTLSClientConfig, error) {
 	var serverName string
 	if options.ServerName != "" {
 		serverName = options.ServerName
 	} else if serverAddress != "" {
-		serverName = serverAddress
+		if _, err := netip.ParseAddr(serverName); err != nil {
+			serverName = serverAddress
+		}
 	}
 	if serverName == "" && !options.Insecure {
 		return nil, E.New("missing server_name or insecure=true")
@@ -145,7 +132,11 @@ func NewUTLSClient(ctx context.Context, serverAddress string, options option.Out
 	var tlsConfig utls.Config
 	tlsConfig.Time = ntp.TimeFuncFromContext(ctx)
 	tlsConfig.RootCAs = adapter.RootPoolFromContext(ctx)
-	tlsConfig.ServerName = serverName
+	if options.DisableSNI {
+		tlsConfig.ServerName = "127.0.0.1"
+	} else {
+		tlsConfig.ServerName = serverName
+	}
 	if options.Insecure {
 		tlsConfig.InsecureSkipVerify = options.Insecure
 	} else if options.DisableSNI {
@@ -201,15 +192,7 @@ func NewUTLSClient(ctx context.Context, serverAddress string, options option.Out
 	if err != nil {
 		return nil, err
 	}
-	uConfig := &UTLSClientConfig{ctx, &tlsConfig, id, options.Fragment, time.Duration(options.FragmentFallbackDelay), options.RecordFragment}
-	if options.ECH != nil && options.ECH.Enabled {
-		if options.Reality != nil && options.Reality.Enabled {
-			return nil, E.New("Reality is conflict with ECH")
-		}
-		return parseECHClientConfig(ctx, uConfig, options)
-	} else {
-		return uConfig, nil
-	}
+	return &UTLSClientConfig{&tlsConfig, id}, nil
 }
 
 var (
@@ -237,7 +220,7 @@ func init() {
 
 func uTLSClientHelloID(name string) (utls.ClientHelloID, error) {
 	switch name {
-	case "chrome_psk", "chrome_psk_shuffle", "chrome_padding_psk_shuffle", "chrome_pq", "chrome_pq_psk":
+	case "chrome_psk", "chrome_psk_shuffle", "chrome_padding_psk_shuffle", "chrome_pq":
 		fallthrough
 	case "chrome", "":
 		return utls.HelloChrome_Auto, nil

common/tlsfragment/conn.go

@@ -9,7 +9,6 @@ import (
 	"strings"
 	"time"
 
-	C "github.com/sagernet/sing-box/constant"
 	N "github.com/sagernet/sing/common/network"
 
 	"golang.org/x/net/publicsuffix"
@@ -20,21 +19,16 @@ type Conn struct {
 	tcpConn            *net.TCPConn
 	ctx                context.Context
 	firstPacketWritten bool
-	splitPacket        bool
 	splitRecord        bool
 	fallbackDelay      time.Duration
 }
 
-func NewConn(conn net.Conn, ctx context.Context, splitPacket bool, splitRecord bool, fallbackDelay time.Duration) *Conn {
-	if fallbackDelay == 0 {
-		fallbackDelay = C.TLSFragmentFallbackDelay
-	}
+func NewConn(conn net.Conn, ctx context.Context, splitRecord bool, fallbackDelay time.Duration) *Conn {
 	tcpConn, _ := N.UnwrapReader(conn).(*net.TCPConn)
 	return &Conn{
 		Conn:          conn,
 		tcpConn:       tcpConn,
 		ctx:           ctx,
-		splitPacket:   splitPacket,
 		splitRecord:   splitRecord,
 		fallbackDelay: fallbackDelay,
 	}
@@ -47,7 +41,7 @@ func (c *Conn) Write(b []byte) (n int, err error) {
 		}()
 		serverName := indexTLSServerName(b)
 		if serverName != nil {
-			if c.splitPacket {
+			if !c.splitRecord {
 				if c.tcpConn != nil {
 					err = c.tcpConn.SetNoDelay(true)
 					if err != nil {
@@ -87,41 +81,33 @@ func (c *Conn) Write(b []byte) (n int, err error) {
 					payload = b[splitIndexes[i-1]:splitIndexes[i]]
 				}
 				if c.splitRecord {
-					if c.splitPacket {
-						buffer.Reset()
-					}
 					payloadLen := uint16(len(payload))
 					buffer.Write(b[:3])
 					binary.Write(&buffer, binary.BigEndian, payloadLen)
 					buffer.Write(payload)
-					if c.splitPacket {
-						payload = buffer.Bytes()
+				} else if c.tcpConn != nil && i != len(splitIndexes) {
+					err = writeAndWaitAck(c.ctx, c.tcpConn, payload, c.fallbackDelay)
+					if err != nil {
+						return
 					}
-				}
-				if c.splitPacket {
-					if c.tcpConn != nil && i != len(splitIndexes) {
-						err = writeAndWaitAck(c.ctx, c.tcpConn, payload, c.fallbackDelay)
-						if err != nil {
-							return
-						}
-					} else {
-						_, err = c.Conn.Write(payload)
-						if err != nil {
-							return
-						}
+				} else {
+					_, err = c.Conn.Write(payload)
+					if err != nil {
+						return
 					}
 				}
 			}
-			if c.splitRecord && !c.splitPacket {
+			if c.splitRecord {
 				_, err = c.Conn.Write(buffer.Bytes())
 				if err != nil {
 					return
 				}
-			}
-			if c.tcpConn != nil {
-				err = c.tcpConn.SetNoDelay(false)
-				if err != nil {
-					return
+			} else {
+				if c.tcpConn != nil {
+					err = c.tcpConn.SetNoDelay(false)
+					if err != nil {
+						return
+					}
 				}
 			}
 			return len(b), nil

common/tlsfragment/conn_test.go

@@ -15,7 +15,7 @@ func TestTLSFragment(t *testing.T) {
 	t.Parallel()
 	tcpConn, err := net.Dial("tcp", "1.1.1.1:443")
 	require.NoError(t, err)
-	tlsConn := tls.Client(tf.NewConn(tcpConn, context.Background(), true, false, 0), &tls.Config{
+	tlsConn := tls.Client(tf.NewConn(tcpConn, context.Background(), false, 0), &tls.Config{
 		ServerName: "www.cloudflare.com",
 	})
 	require.NoError(t, tlsConn.Handshake())
@@ -25,17 +25,7 @@ func TestTLSRecordFragment(t *testing.T) {
 	t.Parallel()
 	tcpConn, err := net.Dial("tcp", "1.1.1.1:443")
 	require.NoError(t, err)
-	tlsConn := tls.Client(tf.NewConn(tcpConn, context.Background(), false, true, 0), &tls.Config{
-		ServerName: "www.cloudflare.com",
-	})
-	require.NoError(t, tlsConn.Handshake())
-}
-
-func TestTLS2Fragment(t *testing.T) {
-	t.Parallel()
-	tcpConn, err := net.Dial("tcp", "1.1.1.1:443")
-	require.NoError(t, err)
-	tlsConn := tls.Client(tf.NewConn(tcpConn, context.Background(), true, true, 0), &tls.Config{
+	tlsConn := tls.Client(tf.NewConn(tcpConn, context.Background(), true, 0), &tls.Config{
 		ServerName: "www.cloudflare.com",
 	})
 	require.NoError(t, tlsConn.Handshake())

docs/changelog.md

@@ -2,22 +2,6 @@
 icon: material/alert-decagram
 ---
 
-#### 1.12.0-beta.24
-
-* Allow `tls_fragment` and `tls_record_fragment` to be enabled together **1**
-* Also add fragment options for TLS client configuration **2**
-* Fixes and improvements
-
-**1**:
-
-For debugging only, it is recommended to disable if record fragmentation works.
-
-See [Route Action](/configuration/route/rule_action/#tls_fragment).
-
-**2**:
-
-See [TLS](/configuration/shared/tls/).
-
 #### 1.12.0-beta.23
 
 * Add loopback address support for tun **1**

docs/configuration/route/rule_action.md

@@ -172,12 +172,14 @@ and should not be used to circumvent real censorship.
 Due to poor performance, try `tls_record_fragment` first, and only apply to server names known to be blocked.
 
 On Linux, Apple platforms, (administrator privileges required) Windows,
-the wait time can be automatically detected. Otherwise, it will fall back to
+the wait time can be automatically detected, otherwise it will fall back to
 waiting for a fixed time specified by `tls_fragment_fallback_delay`.
 
 In addition, if the actual wait time is less than 20ms, it will also fall back to waiting for a fixed time,
 because the target is considered to be local or behind a transparent proxy.
 
+Conflict with `tls_record_fragment`.
+
 #### tls_fragment_fallback_delay
 
 !!! question "Since sing-box 1.12.0"
@@ -192,6 +194,11 @@ The fallback value used when TLS segmentation cannot automatically determine the
 
 Fragment TLS handshake into multiple TLS records to bypass firewalls.
 
+This feature is intended to circumvent simple firewalls based on **plaintext packet matching**,
+and should not be used to circumvent real censorship.
+
+Conflict with `tls_fragment`.
+
 ### sniff
 
 ```json

docs/configuration/route/rule_action.zh.md

@@ -170,6 +170,8 @@ UDP 连接超时时间。
 
 此外，若实际等待时间小于 20 毫秒，同样会回退至固定等待时间模式，因为此时判定目标处于本地或透明代理之后。
 
+与 `tls_record_fragment` 冲突。
+
 #### tls_fragment_fallback_delay
 
 !!! question "自 sing-box 1.12.0 起"
@@ -184,6 +186,10 @@ UDP 连接超时时间。
 
 通过分段 TLS 握手数据包到多个 TLS 记录来绕过防火墙检测。
 
+此功能旨在规避基于**明文数据包匹配**的简单防火墙，不应该用于规避真的审查。
+
+与 `tls_fragment` 冲突。
+
 ### sniff
 
 ```json

docs/configuration/shared/tls.md

@@ -4,9 +4,6 @@ icon: material/alert-decagram
 
 !!! quote "Changes in sing-box 1.12.0"
 
-    :material-plus: [fragment](#fragment)  
-    :material-plus: [fragment_fallback_delay](#fragment_fallback_delay)  
-    :material-plus: [record_fragment](#record_fragment)  
     :material-delete-clock: [ech.pq_signature_schemes_enabled](#pq_signature_schemes_enabled)  
     :material-delete-clock: [ech.dynamic_record_sizing_disabled](#dynamic_record_sizing_disabled)
 
@@ -85,9 +82,6 @@ icon: material/alert-decagram
   "cipher_suites": [],
   "certificate": "",
   "certificate_path": "",
-  "fragment": false,
-  "fragment_fallback_delay": "",
-  "record_fragment": false,
   "ech": {
     "enabled": false,
     "config": [],
@@ -319,44 +313,6 @@ The path to ECH configuration, in PEM format.
 
 If empty, load from DNS will be attempted.
 
-#### fragment
-
-!!! question "Since sing-box 1.12.0"
-
-==Client only==
-
-Fragment TLS handshakes to bypass firewalls.
-
-This feature is intended to circumvent simple firewalls based on **plaintext packet matching**,
-and should not be used to circumvent real censorship.
-
-Due to poor performance, try `record_fragment` first, and only apply to server names known to be blocked.
-
-On Linux, Apple platforms, (administrator privileges required) Windows,
-the wait time can be automatically detected. Otherwise, it will fall back to
-waiting for a fixed time specified by `fragment_fallback_delay`.
-
-In addition, if the actual wait time is less than 20ms, it will also fall back to waiting for a fixed time,
-because the target is considered to be local or behind a transparent proxy.
-
-#### fragment_fallback_delay
-
-!!! question "Since sing-box 1.12.0"
-
-==Client only==
-
-The fallback value used when TLS segmentation cannot automatically determine the wait time.
-
-`500ms` is used by default.
-
-#### record_fragment
-
-!!! question "Since sing-box 1.12.0"
-
-==Client only==
-
-Fragment TLS handshake into multiple TLS records to bypass firewalls.
-
 ### ACME Fields
 
 #### domain

docs/configuration/shared/tls.zh.md

@@ -4,9 +4,6 @@ icon: material/alert-decagram
 
 !!! quote "sing-box 1.12.0 中的更改"
 
-    :material-plus: [tls_fragment](#tls_fragment)  
-    :material-plus: [tls_fragment_fallback_delay](#tls_fragment_fallback_delay)  
-    :material-plus: [tls_record_fragment](#tls_record_fragment)  
     :material-delete-clock: [ech.pq_signature_schemes_enabled](#pq_signature_schemes_enabled)  
     :material-delete-clock: [ech.dynamic_record_sizing_disabled](#dynamic_record_sizing_disabled)
 
@@ -85,9 +82,6 @@ icon: material/alert-decagram
   "cipher_suites": [],
   "certificate": [],
   "certificate_path": "",
-  "fragment": false,
-  "fragment_fallback_delay": "",
-  "record_fragment": false,
   "ech": {
     "enabled": false,
     "pq_signature_schemes_enabled": false,
@@ -311,41 +305,6 @@ ECH PEM 配置路径
 如果为 true，则始终使用最大可能的 TLS 记录大小。
 如果为 false，则可能会调整 TLS 记录的大小以尝试改善延迟。
 
-#### tls_fragment
-
-!!! question "自 sing-box 1.12.0 起"
-
-==仅客户端==
-
-通过分段 TLS 握手数据包来绕过防火墙检测。
-
-此功能旨在规避基于**明文数据包匹配**的简单防火墙，不应该用于规避真的审查。
-
-由于性能不佳，请首先尝试 `tls_record_fragment`，且仅应用于已知被阻止的服务器名称。
-
-在 Linux、Apple 平台和需要管理员权限的 Windows 系统上，可自动检测等待时间。
-若无法自动检测，将回退使用 `tls_fragment_fallback_delay` 指定的固定等待时间。
-
-此外，若实际等待时间小于 20 毫秒，同样会回退至固定等待时间模式，因为此时判定目标处于本地或透明代理之后。
-
-#### tls_fragment_fallback_delay
-
-!!! question "自 sing-box 1.12.0 起"
-
-==仅客户端==
-
-当 TLS 分片功能无法自动判定等待时间时使用的回退值。
-
-默认使用 `500ms`。
-
-#### tls_record_fragment
-
-==仅客户端==
-
-!!! question "自 sing-box 1.12.0 起"
-
-通过分段 TLS 握手数据包到多个 TLS 记录来绕过防火墙检测。
-
 ### ACME 字段
 
 #### domain

option/tls.go

@@ -37,22 +37,19 @@ func (o *InboundTLSOptionsContainer) ReplaceInboundTLSOptions(options *InboundTL
 }
 
 type OutboundTLSOptions struct {
-	Enabled               bool                       `json:"enabled,omitempty"`
-	DisableSNI            bool                       `json:"disable_sni,omitempty"`
-	ServerName            string                     `json:"server_name,omitempty"`
-	Insecure              bool                       `json:"insecure,omitempty"`
-	ALPN                  badoption.Listable[string] `json:"alpn,omitempty"`
-	MinVersion            string                     `json:"min_version,omitempty"`
-	MaxVersion            string                     `json:"max_version,omitempty"`
-	CipherSuites          badoption.Listable[string] `json:"cipher_suites,omitempty"`
-	Certificate           badoption.Listable[string] `json:"certificate,omitempty"`
-	CertificatePath       string                     `json:"certificate_path,omitempty"`
-	Fragment              bool                       `json:"fragment,omitempty"`
-	FragmentFallbackDelay badoption.Duration         `json:"fragment_fallback_delay,omitempty"`
-	RecordFragment        bool                       `json:"record_fragment,omitempty"`
-	ECH                   *OutboundECHOptions        `json:"ech,omitempty"`
-	UTLS                  *OutboundUTLSOptions       `json:"utls,omitempty"`
-	Reality               *OutboundRealityOptions    `json:"reality,omitempty"`
+	Enabled         bool                       `json:"enabled,omitempty"`
+	DisableSNI      bool                       `json:"disable_sni,omitempty"`
+	ServerName      string                     `json:"server_name,omitempty"`
+	Insecure        bool                       `json:"insecure,omitempty"`
+	ALPN            badoption.Listable[string] `json:"alpn,omitempty"`
+	MinVersion      string                     `json:"min_version,omitempty"`
+	MaxVersion      string                     `json:"max_version,omitempty"`
+	CipherSuites    badoption.Listable[string] `json:"cipher_suites,omitempty"`
+	Certificate     badoption.Listable[string] `json:"certificate,omitempty"`
+	CertificatePath string                     `json:"certificate_path,omitempty"`
+	ECH             *OutboundECHOptions        `json:"ech,omitempty"`
+	UTLS            *OutboundUTLSOptions       `json:"utls,omitempty"`
+	Reality         *OutboundRealityOptions    `json:"reality,omitempty"`
 }
 
 type OutboundTLSOptionsContainer struct {

route/conn.go

@@ -90,8 +90,14 @@ func (m *ConnectionManager) NewConnection(ctx context.Context, this N.Dialer, co
 		m.logger.ErrorContext(ctx, err)
 		return
 	}
-	if metadata.TLSFragment || metadata.TLSRecordFragment {
-		remoteConn = tf.NewConn(remoteConn, ctx, metadata.TLSFragment, metadata.TLSRecordFragment, metadata.TLSFragmentFallbackDelay)
+	if metadata.TLSFragment {
+		fallbackDelay := metadata.TLSFragmentFallbackDelay
+		if fallbackDelay == 0 {
+			fallbackDelay = C.TLSFragmentFallbackDelay
+		}
+		remoteConn = tf.NewConn(remoteConn, ctx, false, fallbackDelay)
+	} else if metadata.TLSRecordFragment {
+		remoteConn = tf.NewConn(remoteConn, ctx, true, 0)
 	}
 	m.access.Lock()
 	element := m.connections.PushBack(conn)