Docs Config TLS Fields

TLS Fields

Every protocol that uses tls (VMess/VLESS/Trojan/AnyTLS, etc.) shares this same set of TLS configuration fields, including SNI, certificate verification, uTLS fingerprinting, REALITY, and ECH.

Example Config

config.yaml YAML
proxies:
  - name: "tls-example"
    tls: true
    sni: example.com
    fingerprint: xxx
    alpn:
      - h2
      - http/1.1
    skip-cert-verify: true
    client-fingerprint: chrome
    reality-opts:
      public-key: xxxx
      short-id: xxxx
    ech-opts:
      enable: true
      config: base64_encoded_config

Core Fields

tlsOptional

Enables TLS; only takes effect for protocols that support tls. Always enabled for the Trojan protocol.

sni / servernameOptional

The Server Name Indication. Called servername in VMess/VLESS; defaults to the address in server if left blank.

fingerprintOptional

The certificate fingerprint. You can get this with openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem, or find it under the SHA256 fingerprint in your browser's certificate viewer. Providing a leaf certificate's fingerprint only verifies that the server's certificate matches; providing an intermediate/root certificate's fingerprint verifies that the certificate chain was issued by it.

alpnOptional

The list of supported application-layer protocols, in priority order; only takes effect if both sides support ALPN — the connection fails if there's no protocol in common.

skip-cert-verifyOptional

Skips certificate verification; only needed for testing or self-signed certificates — not recommended for production use.

certificate / private-keyOptional

Setting both fields enables mTLS (mutual TLS authentication); values can be PEM content or a file path.

client-fingerprintVMess/VLESS/Trojan/AnyTLS only

The client's uTLS fingerprint, used to mimic a real browser's TLS characteristics. Choose chrome/firefox/safari/ios/android/edge/360/qq/random (randomly generated according to real-world browser distribution).

reality-opts

REALITY configuration — enabled when not empty.

public-keyRequired

The public key corresponding to the REALITY server's private key.

short-idRequired

One of the short IDs configured on the server.

support-x25519mlkem768Optional

Supports X25519-MLKEM768 post-quantum key exchange.

Due to compatibility issues with the upstream implementation, using REALITY with xray-core v26.7.11 or later is not recommended — use a native mihomo listener, sing-box, or an older xray-core version as the server instead.

ech-opts

enableOptional

Enables ECH (Encrypted Client Hello).

configOptional

The ECH configuration content. Leave blank to fetch it via DNS resolution, or provide this base64-encoded value directly. You can generate a self-signed config pair with mihomo generate ech-keypair test.com — put the content after Config: here, and the content after Key: in the server config.

query-server-nameOptional

The domain name used when resolving the ECH configuration via DNS.