Add TLS record fragment support

documentation: Bump version
release: Update Go to 1.24.3
2025-09-02 23:38:48 +08:00 · 2025-05-12 12:16:18 +08:00 · 2025-05-11 17:08:49 +08:00 · 2025-05-11 16:51:57 +08:00 · 2025-05-11 16:51:57 +08:00 · 2025-05-11 16:51:57 +08:00
8 changed files with 11 additions and 72 deletions
--- a/docs/changelog.md
+++ b/docs/changelog.md
@ -4,18 +4,8 @@ icon: material/alert-decagram

 #### 1.12.0-beta.13

-* Add TLS record fragment route options **1**
-* Add missing `accept_routes` option for Tailscale **2**
 * Fixes and improvements

-**1**:
-
-See [Route Action](/configuration/route/rule_action/#tls_record_fragment).
-
-**2**:
-
-See [Tailscale](/configuration/endpoint/tailscale/#accept_routes).
-
 #### 1.12.0-beta.10

 * Add control options for listeners **1**
--- a/docs/configuration/endpoint/tailscale.md
+++ b/docs/configuration/endpoint/tailscale.md
@ -15,7 +15,6 @@ icon: material/new-box
  "control_url": "",
  "ephemeral": false,
  "hostname": "",
-  "accept_routes": false,
  "exit_node": "",
  "exit_node_allow_lan_access": false,
  "advertise_routes": [],
@ -63,10 +62,6 @@ System hostname is used by default.

 Example: `localhost`

-#### accept_routes
-
-Indicates whether the node should accept routes advertised by other nodes.
-
 #### exit_node

 The exit node name or IP address to use.
--- a/docs/configuration/route/rule_action.md
+++ b/docs/configuration/route/rule_action.md
@ -6,7 +6,6 @@ icon: material/new-box

    :material-plus: [tls_fragment](#tls_fragment)  
    :material-plus: [tls_fragment_fallback_delay](#tls_fragment_fallback_delay)  
-    :material-plus: [tls_record_fragment](#tls_record_fragment)  
    :material-plus: [resolve.disable_cache](#disable_cache)  
    :material-plus: [resolve.rewrite_ttl](#rewrite_ttl)  
    :material-plus: [resolve.client_subnet](#client_subnet)
@ -92,8 +91,7 @@ Not available when `method` is set to drop.
  "udp_connect": false,
  "udp_timeout": "",
  "tls_fragment": false,
-  "tls_fragment_fallback_delay": "",
-  "tls_record_fragment": ""
+  "tls_fragment_fallback_delay": ""
 }
 ```

@ -166,19 +164,13 @@ If no protocol is sniffed, the following ports will be recognized as protocols b

 Fragment TLS handshakes to bypass firewalls.

-This feature is intended to circumvent simple firewalls based on **plaintext packet matching**,
-and should not be used to circumvent real censorship.
+This feature is intended to circumvent simple firewalls based on **plaintext packet matching**, and should not be used to circumvent real censorship.

-Due to poor performance, try `tls_record_fragment` first, and only apply to server names known to be blocked.
+Since it is not designed for performance, it should not be applied to all connections, but only to server names that are known to be blocked.

-On Linux, Apple platforms, (administrator privileges required) Windows,
-the wait time can be automatically detected, otherwise it will fall back to
-waiting for a fixed time specified by `tls_fragment_fallback_delay`.
+On Linux, Apple platforms, (administrator privileges required) Windows, the wait time can be automatically detected, otherwise it will fall back to waiting for a fixed time specified by `tls_fragment_fallback_delay`.

-In addition, if the actual wait time is less than 20ms, it will also fall back to waiting for a fixed time,
-because the target is considered to be local or behind a transparent proxy.
-
-Conflict with `tls_record_fragment`.
+In addition, if the actual wait time is less than 20ms, it will also fall back to waiting for a fixed time, because the target is considered to be local or behind a transparent proxy.

 #### tls_fragment_fallback_delay

@ -188,17 +180,6 @@ The fallback value used when TLS segmentation cannot automatically determine the

 `500ms` is used by default.

-#### tls_record_fragment
-
-!!! question "Since sing-box 1.12.0"
-
-Fragment TLS handshake into multiple TLS records to bypass firewalls.
-
-This feature is intended to circumvent simple firewalls based on **plaintext packet matching**,
-and should not be used to circumvent real censorship.
-
-Conflict with `tls_fragment`.
-
 ### sniff

 ```json
--- a/docs/configuration/route/rule_action.zh.md
+++ b/docs/configuration/route/rule_action.zh.md
@ -5,11 +5,7 @@ icon: material/new-box
 !!! quote "sing-box 1.12.0 中的更改"

    :material-plus: [tls_fragment](#tls_fragment)  
-    :material-plus: [tls_fragment_fallback_delay](#tls_fragment_fallback_delay)  
-    :material-plus: [tls_record_fragment](#tls_record_fragment)  
-    :material-plus: [resolve.disable_cache](#disable_cache)  
-    :material-plus: [resolve.rewrite_ttl](#rewrite_ttl)  
-    :material-plus: [resolve.client_subnet](#client_subnet)
+    :material-plus: [tls_fragment_fallback_delay](#tls_fragment_fallback_delay)

 ## 最终动作

@ -163,15 +159,12 @@ UDP 连接超时时间。

 此功能旨在规避基于**明文数据包匹配**的简单防火墙，不应该用于规避真的审查。

-由于性能不佳，请首先尝试 `tls_record_fragment`，且仅应用于已知被阻止的服务器名称。
+由于它不是为性能设计的，不应被应用于所有连接，而仅应用于已知被阻止的服务器名称。

-在 Linux、Apple 平台和需要管理员权限的 Windows 系统上，可自动检测等待时间。
-若无法自动检测，将回退使用 `tls_fragment_fallback_delay` 指定的固定等待时间。
+在 Linux、Apple 平台和需要管理员权限的 Windows 系统上，可自动检测等待时间。若无法自动检测，将回退使用 `tls_fragment_fallback_delay` 指定的固定等待时间。

 此外，若实际等待时间小于 20 毫秒，同样会回退至固定等待时间模式，因为此时判定目标处于本地或透明代理之后。

-与 `tls_record_fragment` 冲突。
-
 #### tls_fragment_fallback_delay

 !!! question "自 sing-box 1.12.0 起"
@ -180,16 +173,6 @@ UDP 连接超时时间。

 默认使用 `500ms`。

-#### tls_record_fragment
-
-!!! question "自 sing-box 1.12.0 起"
-
-通过分段 TLS 握手数据包到多个 TLS 记录来绕过防火墙检测。
-
-此功能旨在规避基于**明文数据包匹配**的简单防火墙，不应该用于规避真的审查。
-
-与 `tls_fragment` 冲突。
-
 ### sniff

 ```json
--- a/go.mod
+++ b/go.mod
@ -35,8 +35,7 @@ require (
 	github.com/sagernet/sing-tun v0.6.6-0.20250428031943-0686f8c4f210
 	github.com/sagernet/sing-vmess v0.2.2-0.20250503051933-9b4cf17393f8
 	github.com/sagernet/smux v1.5.34-mod.2
-	github.com/sagernet/tailscale v1.80.3-mod.5
-	github.com/sagernet/utls v1.6.7
+	github.com/sagernet/tailscale v1.80.3-mod.4
 	github.com/sagernet/wireguard-go v0.0.1-beta.7
 	github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854
 	github.com/spf13/cobra v1.9.1
--- a/go.sum
+++ b/go.sum
@ -186,10 +186,8 @@ github.com/sagernet/sing-vmess v0.2.2-0.20250503051933-9b4cf17393f8 h1:zW+zAOCxU
 github.com/sagernet/sing-vmess v0.2.2-0.20250503051933-9b4cf17393f8/go.mod h1:IL8Rr+EGwuqijszZkNrEFTQDKhilEpkqFqOlvdpS6/w=
 github.com/sagernet/smux v1.5.34-mod.2 h1:gkmBjIjlJ2zQKpLigOkFur5kBKdV6bNRoFu2WkltRQ4=
 github.com/sagernet/smux v1.5.34-mod.2/go.mod h1:0KW0+R+ycvA2INW4gbsd7BNyg+HEfLIAxa5N02/28Zc=
-github.com/sagernet/tailscale v1.80.3-mod.4.0.20250512093633-e1bc1888c814 h1:B6ejgOuM1BrX4TzWvm1h/LQAOZW1T1jP4PSZe8b/49o=
-github.com/sagernet/tailscale v1.80.3-mod.4.0.20250512093633-e1bc1888c814/go.mod h1:EBxXsWu4OH2ELbQLq32WoBeIubG8KgDrg4/Oaxjs6lI=
-github.com/sagernet/tailscale v1.80.3-mod.5 h1:7V7z+p2C//TGtff20pPnDCt3qP6uFyY62peJoKF9z/A=
-github.com/sagernet/tailscale v1.80.3-mod.5/go.mod h1:EBxXsWu4OH2ELbQLq32WoBeIubG8KgDrg4/Oaxjs6lI=
+github.com/sagernet/tailscale v1.80.3-mod.4 h1:9UgYq8m9mwX5dbTbueVxbRh+bq7AayxemJGM2PkJQnE=
+github.com/sagernet/tailscale v1.80.3-mod.4/go.mod h1:EBxXsWu4OH2ELbQLq32WoBeIubG8KgDrg4/Oaxjs6lI=
 github.com/sagernet/wireguard-go v0.0.1-beta.7 h1:ltgBwYHfr+9Wz1eG59NiWnHrYEkDKHG7otNZvu85DXI=
 github.com/sagernet/wireguard-go v0.0.1-beta.7/go.mod h1:jGXij2Gn2wbrWuYNUmmNhf1dwcZtvyAvQoe8Xd8MbUo=
 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854 h1:6uUiZcDRnZSAegryaUGwPC/Fj13JSHwiTftrXhMmYOc=
--- a/option/tailscale.go
+++ b/option/tailscale.go
@ -11,7 +11,6 @@ type TailscaleEndpointOptions struct {
 	ControlURL             string           `json:"control_url,omitempty"`
 	Ephemeral              bool             `json:"ephemeral,omitempty"`
 	Hostname               string           `json:"hostname,omitempty"`
-	AcceptRoutes           bool             `json:"accept_routes,omitempty"`
 	ExitNode               string           `json:"exit_node,omitempty"`
 	ExitNodeAllowLANAccess bool             `json:"exit_node_allow_lan_access,omitempty"`
 	AdvertiseRoutes        []netip.Prefix   `json:"advertise_routes,omitempty"`
--- a/protocol/tailscale/endpoint.go
+++ b/protocol/tailscale/endpoint.go
@ -72,7 +72,6 @@ type Endpoint struct {
 	filter            *atomic.Pointer[filter.Filter]
 	onReconfig        wgengine.ReconfigListener

-	acceptRoutes           bool
 	exitNode               string
 	exitNodeAllowLANAccess bool
 	advertiseRoutes        []netip.Prefix
@ -171,7 +170,6 @@ func NewEndpoint(ctx context.Context, router adapter.Router, logger log.ContextL
 		network:                service.FromContext[adapter.NetworkManager](ctx),
 		platformInterface:      service.FromContext[platform.Interface](ctx),
 		server:                 server,
-		acceptRoutes:           options.AcceptRoutes,
 		exitNode:               options.ExitNode,
 		exitNodeAllowLANAccess: options.ExitNodeAllowLANAccess,
 		advertiseRoutes:        options.AdvertiseRoutes,
@ -228,10 +226,6 @@ func (t *Endpoint) Start(stage adapter.StartStage) error {

 	localBackend := t.server.ExportLocalBackend()
 	perfs := &ipn.MaskedPrefs{
-		Prefs: ipn.Prefs{
-			RouteAll: t.acceptRoutes,
-		},
-		RouteAllSet:        true,
 		ExitNodeIPSet:      true,
 		AdvertiseRoutesSet: true,
 	}
Author	SHA1	Message	Date
世界	0be2233795	Add TLS record fragment support	2025-05-12 12:16:18 +08:00
世界	c2b7d5bd12	documentation: Bump version	2025-05-11 17:08:49 +08:00
世界	c4ac5f71b6	release: Update Go to 1.24.3	2025-05-11 16:51:57 +08:00
世界	cc7a374545	Fix set edns0 client subnet	2025-05-11 16:51:57 +08:00
世界	13e30d43ae	Update minor dependencies	2025-05-11 16:51:57 +08:00
世界	d5bc5e39b9	Update certmagic and providers	2025-05-11 16:51:57 +08:00
世界	cb8adafc3e	Update protobuf and grpc	2025-05-11 16:51:57 +08:00
世界	b60f18004f	Add control options for listeners	2025-05-11 16:51:56 +08:00
世界	e170562ab1	Update quic-go to v0.51.0	2025-05-11 16:51:51 +08:00
世界	d5838a1d8f	Update utls to v1.7.0	2025-05-07 15:13:27 +08:00
世界	761598885d	Handle EDNS version downgrade	2025-05-07 15:13:27 +08:00
世界	b4f126ed7d	documentation: Fix anytls padding scheme description	2025-05-07 15:13:27 +08:00
安容	6388c2e213	Report invalid DNS address early	2025-05-07 15:13:26 +08:00
世界	c7d76c1a2f	Fix wireguard `listen_port`	2025-05-07 15:13:26 +08:00
世界	86362ed8fd	clash-api: Add more meta api	2025-05-07 15:13:26 +08:00
世界	63980c491f	Fix DNS lookup	2025-05-07 15:13:26 +08:00
世界	772f43633b	Fix fetch ECH configs	2025-05-07 15:13:26 +08:00
reletor	dc6ffbfb45	documentation: Minor fixes	2025-05-07 15:13:25 +08:00
caelansar	e8e5aa25ba	Fix callback deletion in UDP transport	2025-05-07 15:13:25 +08:00
世界	8d0a758cac	documentation: Try to make the play review happy	2025-05-07 15:13:24 +08:00
世界	eb30c72ecd	Fix missing handling of legacy `domain_strategy` options	2025-05-07 15:13:24 +08:00
世界	1a836e2658	Improve local DNS server	2025-05-07 15:13:24 +08:00
anytls	057ecd243c	Update anytls Co-authored-by: anytls <anytls>	2025-05-07 15:13:24 +08:00
世界	6504309d1a	Fix DNS dialer	2025-05-07 15:13:24 +08:00
世界	ad03f8a294	release: Skip override version for iOS	2025-05-07 15:13:23 +08:00
iikira	62418e8562	Fix UDP DNS server crash Signed-off-by: iikira <i2@mail.iikira.com>	2025-05-07 15:13:23 +08:00
ReleTor	6daafc3f34	Fix fetch ECH configs	2025-05-07 15:13:23 +08:00
世界	be27a43c02	Allow direct outbounds without `domain_resolver`	2025-05-07 15:13:23 +08:00
世界	1db007c4ae	Fix Tailscale dialer	2025-05-07 15:13:23 +08:00
dyhkwong	2c5e277a49	Fix DNS over QUIC stream close	2025-05-07 15:13:22 +08:00
anytls	a048092b1d	Update anytls Co-authored-by: anytls <anytls>	2025-05-07 15:13:22 +08:00
Rambling2076	7216d7c7de	Fix missing `with_tailscale` in Dockerfile Signed-off-by: Rambling2076 <Rambling2076@proton.me>	2025-05-07 15:13:21 +08:00
世界	38d79fa3f9	Fail when default DNS server not found	2025-05-07 15:13:21 +08:00
世界	d3bb8c5971	Update gVisor to 20250319.0	2025-05-07 15:13:21 +08:00
世界	d81fdd8401	Explicitly reject detour to empty direct outbounds	2025-05-07 15:13:21 +08:00
世界	f292280ff5	Add netns support	2025-05-07 15:13:20 +08:00
世界	452ca55091	Add wildcard name support for predefined records	2025-05-07 15:13:20 +08:00
世界	866b726b77	Remove map usage in options	2025-05-07 15:13:20 +08:00
世界	29ecb715e9	Fix unhandled DNS loop	2025-05-07 15:13:20 +08:00
世界	cf1c7c3138	Add wildcard-sni support for shadow-tls inbound	2025-05-07 15:13:19 +08:00
k9982874	c14a04f6cf	Add ntp protocol sniffing	2025-05-07 15:13:19 +08:00
世界	e5d9f40e78	option: Fix marshal legacy DNS options	2025-05-07 15:13:18 +08:00
世界	c81cb83d22	Make `domain_resolver` optional when only one DNS server is configured	2025-05-07 15:13:18 +08:00
世界	c22ea80cb2	Fix DNS lookup context pollution	2025-05-07 15:13:18 +08:00
世界	825a9cd726	Fix http3 DNS server connecting to wrong address	2025-05-07 15:13:17 +08:00
Restia-Ashbell	7c3263688f	documentation: Fix typo	2025-05-07 15:13:17 +08:00
anytls	22185ffd5b	Update sing-anytls Co-authored-by: anytls <anytls>	2025-05-07 15:13:17 +08:00
k9982874	d53dae1793	Fix hosts DNS server	2025-05-07 15:13:17 +08:00
世界	a36bd4c25d	Fix UDP DNS server crash	2025-05-07 15:13:16 +08:00
世界	e93033914b	documentation: Fix missing `ip_accept_any` DNS rule option	2025-05-07 15:13:16 +08:00
世界	17cd4efc8d	Fix anytls dialer usage	2025-05-07 15:13:16 +08:00
世界	2ddc11918c	Move predefined DNS server to rule action	2025-05-07 15:13:15 +08:00
世界	6e4d92b9dd	Fix domain resolver on direct outbound	2025-05-07 15:13:15 +08:00
Zephyruso	a1e6f4ee55	Fix missing AnyTLS display name	2025-05-07 15:13:15 +08:00
anytls	7040d8de98	Update sing-anytls Co-authored-by: anytls <anytls>	2025-05-07 15:13:14 +08:00
Estel	d004f3c5d4	documentation: Fix typo Signed-off-by: Estel <callmebedrockdigger@gmail.com>	2025-05-07 15:13:14 +08:00
TargetLocked	79c8141422	Fix parsing legacy DNS options	2025-05-07 15:13:14 +08:00
世界	1295212910	Fix DNS fallback	2025-05-07 15:13:13 +08:00
世界	324b437e74	documentation: Fix missing hosts DNS server	2025-05-07 15:13:13 +08:00
anytls	6071b5690c	Add MinIdleSession option to AnyTLS outbound Co-authored-by: anytls <anytls>	2025-05-07 15:13:13 +08:00
ReleTor	5bb58c49e2	documentation: Minor fixes	2025-05-07 15:13:12 +08:00
libtry486	c10ef770da	documentation: Fix typo fix typo Signed-off-by: libtry486 <89328481+libtry486@users.noreply.github.com>	2025-05-07 15:13:12 +08:00
Alireza Ahmadi	6d410cc676	Fix Outbound deadlock	2025-05-07 15:13:12 +08:00
世界	097d2984ef	documentation: Fix AnyTLS doc	2025-05-07 15:13:11 +08:00
anytls	4cb528c747	Add AnyTLS protocol	2025-05-07 15:13:11 +08:00
世界	52561dba46	Migrate to stdlib ECH support	2025-05-07 15:13:10 +08:00
世界	686e21035c	Add fallback local DNS server for iOS	2025-05-07 15:13:10 +08:00
世界	a66454f45f	Get darwin local DNS server from libresolv	2025-05-07 15:13:10 +08:00
世界	8689358c63	Improve resolve action	2025-05-07 15:13:10 +08:00
世界	942a45da98	Fix toolchain version	2025-05-07 15:13:10 +08:00
世界	5f1b064234	Add back port hopping to hysteria 1	2025-05-07 15:13:10 +08:00
xchacha20-poly1305	eb7caa2d5e	Remove single quotes of raw Moziila certs	2025-05-07 15:13:09 +08:00
世界	99c5fde40d	Add Tailscale endpoint	2025-05-07 15:13:00 +08:00