TLS
TlsConfig and Certificate
Protos:
- tls.proto: TlsConfig
- certificate.proto: Certificate
Set on TransportConfig.tls, MultiProxyInboundConfig.securityConfigs[].tls, Hysteria2 tlsConfig, and SplitHTTP downloadSettings.tls.
Mutually exclusive with reality (only one per transport block).
TlsConfig

| Field | Description |
| --- | --- |
| rootCas | Custom root CA PEM (each entry is a PEM byte blob) |
| serverName | SNI; defaults to the target domain when dialing |
| disableSystemRoot | Do not use system root CAs |
| allowInsecure | Skip certificate verification (client). This disables server authentication entirely, so any on-path party can impersonate the server; keep it off outside testing |
| nextProtocol | ALPN list (e.g. h2, http/1.1) |
| enableSessionResumption | Enable TLS session tickets / resumption |
| pinnedPeerCertificateChainSha256 | Pinned peer certificate chain SHA-256 hashes (each entry is 32 bytes) |
| verifyClientCertificate | Require a valid client certificate (server) |
| imitate | uTLS client fingerprint name (e.g. chrome) |
| noSNI | Do not send SNI (uTLS) |
| masterKeyLog | NSS key log path (debugging only; it writes the session secrets to disk) |
| echKey | Server ECH key |
| echConfig | Client ECH config blob |
| enableEch | Client: enable ECH |
ForceALPN

| Value | Meaning |
| --- | --- |
| TRANSPORT_PREFERENCE_TAKE_PRIORITY | Use user-configured ALPN if set; otherwise the transport default |
| NO_ALPN | Do not send the ALPN extension |
| UTLS_PRESET | Use the uTLS preset ALPN |
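As an added example (not code from this page or from the project it documents), the Go program below shows what a pinnedPeerCertificateChainSha256 entry is, the 32-byte SHA-256 of the presented certificate chain, and what a pin buys you when allowInsecure skips chain validation: a handshake against the pinned server succeeds, while a server presenting a different key for the same name is rejected. Assumptions: the handshake uses Go's crypto/tls over an in-memory pipe rather than the project's own TLS stack; how a chain longer than one certificate is folded into a single hash is not stated on the page, so the fold in chainPin is illustrative only (for one certificate it is plain SHA-256 of the DER bytes); example.com and both certificates are generated inline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"time"
)

// chainPin reduces a presented chain (DER, leaf first, non-empty) to the 32-byte
// value a pinnedPeerCertificateChainSha256 entry holds. ASSUMPTION: the fold for
// chains longer than one certificate is only an illustration.
func chainPin(rawCerts [][]byte) [32]byte {
	acc := sha256.Sum256(rawCerts[0])
	for _, der := range rawCerts[1:] {
		d := sha256.Sum256(der)
		acc = sha256.Sum256(append(acc[:], d[:]...))
	}
	return acc
}

func pinHex(pin [32]byte) string { return hex.EncodeToString(pin[:]) }

// verifyPinnedChain accepts the chain only if its pin equals a configured pin.
func verifyPinnedChain(rawCerts [][]byte, pins [][32]byte) error {
	if len(rawCerts) == 0 {
		return fmt.Errorf("peer presented no certificate")
	}
	got := chainPin(rawCerts)
	for _, p := range pins {
		if p == got {
			return nil
		}
	}
	return fmt.Errorf("peer chain %s matches none of %d pins", pinHex(got), len(pins))
}

// selfSignedCert builds a throwaway P-256 certificate for cn (constructed sample data).
func selfSignedCert(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshakeWithPins runs a TLS 1.3 handshake over an in-memory pipe. The client acts
// like allowInsecure=true (no root CA validation) but still enforces the pins.
func handshakeWithPins(serverCert tls.Certificate, pins [][32]byte) error {
	clientConn, serverConn := net.Pipe()
	defer serverConn.Close()
	srv := tls.Server(serverConn, &tls.Config{
		Certificates:           []tls.Certificate{serverCert},
		MinVersion:             tls.VersionTLS13,
		SessionTicketsDisabled: true, // no records after Finished, so the pipe never backs up
	})
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	cli := tls.Client(clientConn, &tls.Config{
		ServerName:         "example.com", // SNI, i.e. the serverName field
		MinVersion:         tls.VersionTLS13,
		InsecureSkipVerify: true, // Go still calls VerifyPeerCertificate with this set
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return verifyPinnedChain(rawCerts, pins)
		},
	})
	err := cli.Handshake()
	clientConn.Close() // unblocks the server if the client aborted mid-flight
	if serr := <-srvErr; err == nil && serr != nil {
		return fmt.Errorf("server side: %w", serr)
	}
	return err
}

func main() {
	good, _ := selfSignedCert("example.com")
	rogue, _ := selfSignedCert("example.com") // same name, different key: what a MITM presents
	pins := [][32]byte{chainPin(good.Certificate)}
	fmt.Println(pinHex(pins[0]), handshakeWithPins(good, pins), handshakeWithPins(rogue, pins))
}
```

The printed hex is the value an operator would put into the pin list; the same digest comes from `openssl x509 -in cert.pem -outform DER | sha256sum`. A pin is bound to the certificate bytes, not to the key, so it has to be rotated every time the certificate is reissued (for example on each ACME renewal), otherwise clients stop connecting.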
Certificate

Certificates and private keys can be inline PEM bytes or loaded from file paths (paths take precedence over inline).

| Field | Description |
| --- | --- |
| certificate | PEM certificate bytes |
| key | PEM private key bytes |
| certificateFilepath | Certificate file path |
| keyFilepath | Private key file path |
```json
{
  "transport": {
    "tcp": {},
    "tls": {
      "serverName": "example.com",
      "certificates": [
        {
          "certificateFilepath": "/etc/vx/fullchain.pem",
          "keyFilepath": "/etc/vx/privkey.pem"
        }
      ],
      "nextProtocol": ["h2", "http/1.1"]
    }
  }
}
```

Related
- REALITY: alternative security layer, mutually exclusive with TLS
- WebSocket / gRPC: commonly paired with TLS on port 443
- VLESS Vision: `flow` with TLS or REALITY