Add ECH support for NaiveProxy outbound and tls.ech.query_server_name option

- Enable ECH for NaiveProxy outbound with DNS resolver integration - Add query_server_name option to override domain for ECH HTTPS record queries - Update cronet-go dependency and remove windows_386 support
2025-12-17 21:45:18 +08:00
parent be7254c335
commit e473c64cd6
10 changed files with 167 additions and 90 deletions
--- a/docs/configuration/outbound/naive.md
+++ b/docs/configuration/outbound/naive.md
@@ -86,7 +86,7 @@ See [UDP Over TCP](/configuration/shared/udp-over-tcp/) for details.

 TLS configuration, see [TLS](/configuration/shared/tls/#outbound).

-Only `server_name`, `certificate`, `certificate_path` and `certificate_public_key_sha256` are supported.
+Only `server_name`, `certificate`, `certificate_path`, `certificate_public_key_sha256` and `ech` are supported.

 ### Dial Fields

--- a/docs/configuration/outbound/naive.zh.md
+++ b/docs/configuration/outbound/naive.zh.md
@@ -86,7 +86,7 @@ UDP over TCP 配置。

 TLS 配置, 参阅 [TLS](/zh/configuration/shared/tls/#outbound)。

-只有 `server_name`、`certificate`、`certificate_path` 和 `certificate_public_key_sha256` 是被支持的。
+只有 `server_name`、`certificate`、`certificate_path`、`certificate_public_key_sha256` 和 `ech` 是被支持的。

 ### 拨号字段

--- a/docs/configuration/shared/tls.md
+++ b/docs/configuration/shared/tls.md
@@ -14,6 +14,7 @@ icon: material/new-box
    :material-plus: [client_key_path](#client_key_path)
    :material-plus: [client_authentication](#client_authentication)
    :material-plus: [client_certificate_public_key_sha256](#client_certificate_public_key_sha256)
+    :material-plus: [ech.query_server_name](#query_server_name)

 !!! quote "Changes in sing-box 1.12.0"

@@ -118,6 +119,7 @@ icon: material/new-box
    "enabled": false,
    "config": [],
    "config_path": "",
+    "query_server_name": "",

    // Deprecated
    "pq_signature_schemes_enabled": false,
@@ -505,6 +507,16 @@ The path to ECH configuration, in PEM format.

 If empty, load from DNS will be attempted.

+#### query_server_name
+
+!!! question "Since sing-box 1.13.0"
+
+==Client only==
+
+Overrides the domain name used for ECH HTTPS record queries.
+
+If empty, `server_name` is used for queries.
+
 #### fragment

 !!! question "Since sing-box 1.12.0"
--- a/docs/configuration/shared/tls.zh.md
+++ b/docs/configuration/shared/tls.zh.md
@@ -14,6 +14,7 @@ icon: material/new-box
    :material-plus: [client_key_path](#client_key_path)
    :material-plus: [client_authentication](#client_authentication)
    :material-plus: [client_certificate_public_key_sha256](#client_certificate_public_key_sha256)
+    :material-plus: [ech.query_server_name](#query_server_name)

 !!! quote "sing-box 1.12.0 中的更改"

@@ -118,6 +119,7 @@ icon: material/new-box
    "enabled": false,
    "config": [],
    "config_path": "",
+    "query_server_name": "",

    // 废弃的
    "pq_signature_schemes_enabled": false,
@@ -503,6 +505,16 @@ ECH 配置路径，PEM 格式。

 如果为空，将尝试从 DNS 加载。

+#### query_server_name
+
+!!! question "自 sing-box 1.13.0 起"
+
+==仅客户端==
+
+覆盖用于 ECH HTTPS 记录查询的域名。
+
+如果为空，使用 `server_name` 查询。
+
 #### fragment

 !!! question "自 sing-box 1.12.0 起"