TLS Fields
Every protocol that uses tls (VMess/VLESS/Trojan/AnyTLS, etc.) shares this same set of TLS configuration fields, including SNI, certificate verification, uTLS fingerprinting, REALITY, and ECH.
Example Config
proxies: - name: "tls-example" tls: true sni: example.com fingerprint: xxx alpn: - h2 - http/1.1 skip-cert-verify: true client-fingerprint: chrome reality-opts: public-key: xxxx short-id: xxxx ech-opts: enable: true config: base64_encoded_config
Core Fields
tlsOptionalEnables TLS; only takes effect for protocols that support tls. Always enabled for the Trojan protocol.
sni / servernameOptionalThe Server Name Indication. Called servername in VMess/VLESS; defaults to the address in server if left blank.
fingerprintOptionalThe certificate fingerprint. You can get this with openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem, or find it under the SHA256 fingerprint in your browser's certificate viewer. Providing a leaf certificate's fingerprint only verifies that the server's certificate matches; providing an intermediate/root certificate's fingerprint verifies that the certificate chain was issued by it.
alpnOptionalThe list of supported application-layer protocols, in priority order; only takes effect if both sides support ALPN — the connection fails if there's no protocol in common.
skip-cert-verifyOptionalSkips certificate verification; only needed for testing or self-signed certificates — not recommended for production use.
certificate / private-keyOptionalSetting both fields enables mTLS (mutual TLS authentication); values can be PEM content or a file path.
client-fingerprintVMess/VLESS/Trojan/AnyTLS onlyThe client's uTLS fingerprint, used to mimic a real browser's TLS characteristics. Choose chrome/firefox/safari/ios/android/edge/360/qq/random (randomly generated according to real-world browser distribution).
reality-opts
REALITY configuration — enabled when not empty.
public-keyRequiredThe public key corresponding to the REALITY server's private key.
short-idRequiredOne of the short IDs configured on the server.
support-x25519mlkem768OptionalSupports X25519-MLKEM768 post-quantum key exchange.
Due to compatibility issues with the upstream implementation, using REALITY with xray-core v26.7.11 or later is not recommended — use a native mihomo listener, sing-box, or an older xray-core version as the server instead.
ech-opts
enableOptionalEnables ECH (Encrypted Client Hello).
configOptionalThe ECH configuration content. Leave blank to fetch it via DNS resolution, or provide this base64-encoded value directly. You can generate a self-signed config pair with mihomo generate ech-keypair test.com — put the content after Config: here, and the content after Key: in the server config.
query-server-nameOptionalThe domain name used when resolving the ECH configuration via DNS.