syntax = "proto3" ;
package xray . transport.internet.tls ;
option csharp_namespace = "Xray.Transport.Internet.Tls" ;
option go_package = "github.com/xtls/xray-core/transport/internet/tls" ;
option java_package = "com.xray.transport.internet.tls" ;
option java_multiple_files = true ;
import "transport/internet/config.proto" ;
// One certificate entry served or trusted by the TLS transport. The cert and
// key can be given inline (fields 1/2) or as file paths (fields 5/6).
message Certificate {
  // TLS certificate in x509 format.
  // NOTE(review): whether DER or PEM bytes are expected is not visible here —
  // confirm against the loader.
  bytes certificate = 1;

  // TLS key in x509 format.
  // NOTE(review): the original comment says "x509"; for a private key this is
  // presumably PEM/PKCS#8 — confirm. Inline key material makes the config file
  // itself a secret; keep its permissions as tight as the key file's.
  bytes key = 2;

  // Role of this certificate entry.
  // NOTE(review): the zero value ENCIPHERMENT carries business meaning, so an
  // unset `usage` is indistinguishable from an explicit choice, and the values
  // are unprefixed (they collide with same-named values elsewhere in this
  // package). Both are frozen by existing configs; do not rename or renumber.
  enum Usage {
    // Default. Presumably the leaf certificate presented in the handshake —
    // confirm.
    ENCIPHERMENT = 0;
    // Presumably an authority trusted when verifying peers — confirm.
    AUTHORITY_VERIFY = 1;
    // Presumably an authority used to issue (sign) certificates — confirm.
    AUTHORITY_ISSUE = 2;
  }
  Usage usage = 3;

  // NOTE(review): undocumented in the original; a uint64 named after OCSP
  // stapling suggests an interval or count, but the unit is not visible here —
  // confirm and document it (e.g. "_seconds" semantics) before relying on it.
  uint64 ocsp_stapling = 4;

  // TLS certificate path
  string certificate_path = 5;
  // TLS Key path
  string key_path = 6;

  // If true, one-Time Loading
  // NOTE(review): the name is not lower_snake_case and drives the JSON key and
  // generated accessors, so renaming would break existing configs — it stays.
  // Whether "one-time" means "load once, never reload" is not visible here;
  // confirm.
  bool One_time_loading = 7;

  // NOTE(review): undocumented in the original; the name suggests the loader
  // assembles the certificate chain rather than serving only the leaf —
  // confirm and document.
  bool build_chain = 8;
}
// TLS settings for one inbound or outbound transport. Several fields here
// weaken or replace certificate verification; the @Critical blocks below mark
// the ones whose interaction decides whether a peer is accepted.
message Config {
  // Whether or not to allow self-signed certificates.
  // NOTE(review): the pinned_peer_certificate_chain_sha256 comment below lists
  // this as an alternative to "normal validation", which suggests it replaces
  // chain verification entirely rather than only accepting self-signed certs —
  // confirm. If it must be set, pair it with one of the pinning fields.
  bool allow_insecure = 1;

  // List of certificates to be served on server.
  repeated Certificate certificate = 2;

  // Override server name.
  string server_name = 3;

  // Lists of string as ALPN values.
  repeated string next_protocol = 4;

  // Whether or not to enable session (ticket) resumption.
  bool enable_session_resumption = 5;

  // If true, root certificates on the system will not be loaded for
  // verification.
  bool disable_system_root = 6;

  // The minimum TLS version.
  // NOTE(review): a free-form string; the accepted spellings are not visible
  // here — confirm and document them.
  string min_version = 7;

  // The maximum TLS version.
  string max_version = 8;

  // Specify cipher suites, except for TLS 1.3.
  // NOTE(review): a single string; the separator and accepted names are not
  // visible here — confirm and document.
  string cipher_suites = 9;

  // NOTE(review): field number 10 is skipped. If it was ever shipped, add
  // `reserved 10;` (and its name) so it cannot be reused with a new meaning.

  // TLS Client Hello fingerprint (uTLS).
  string fingerprint = 11;

  // NOTE(review): undocumented in the original; the name suggests the server
  // rejects handshakes whose SNI matches none of its certificates — confirm
  // and document.
  bool reject_unknown_sni = 12;

  /* @Document Some certificate chain sha256 hashes.
  @Document After normal validation or allow_insecure, if the server's cert chain hash does not match any of these values, the connection will be aborted.
  @Critical
  */
  repeated bytes pinned_peer_certificate_chain_sha256 = 13;

  /* @Document Some certificate public key sha256 hashes.
  @Document After normal validation (required), if one of the certs in the verified chain matches one of these values, the connection will be eventually accepted.
  @Critical
  */
  repeated bytes pinned_peer_certificate_public_key_sha256 = 14;

  // NOTE(review): undocumented in the original. The name suggests a path for a
  // TLS key-log file (SSLKEYLOGFILE-style); if so, anything written there can
  // decrypt captured sessions — confirm, document, and leave it unset outside
  // debugging.
  string master_key_log = 15;

  // Lists of string as CurvePreferences values.
  repeated string curve_preferences = 16;

  /* @Document Replaces server_name to verify the peer cert.
  @Document After allow_insecure (automatically), if the server's cert can't be verified by any of these names, pinned_peer_certificate_chain_sha256 will be tried.
  @Critical
  */
  repeated string verify_peer_cert_in_names = 17;

  // NOTE(review): undocumented in the original; presumably the server-side
  // Encrypted Client Hello (ECH) key material — confirm. If so this is a
  // secret like Certificate.key.
  bytes ech_server_keys = 18;

  // NOTE(review): undocumented in the original; presumably the client-side ECH
  // config list (encoding not visible here) — confirm and document.
  string ech_config_list = 19;

  // NOTE(review): undocumented in the original; the name suggests a forced
  // query source for the ECH config — confirm and document accepted values.
  string ech_force_query = 20;

  // Socket settings used for that ECH query (type from
  // transport/internet/config.proto).
  SocketConfig ech_socket_settings = 21;

  // NOTE(review): undocumented in the original. The name parallels field 13
  // but for a single certificate rather than the chain; confirm how it combines
  // with fields 13/14 and whether the same @Critical rules apply, then document
  // it in the same style.
  repeated bytes pinned_peer_cert_sha256 = 22;
}