Add TLS spoof support

2026-05-13 13:57:05 +00:00 · 2026-04-15 17:59:18 +08:00 · 2026-04-15 17:59:18 +08:00 · 08ce083b9b
commit 08ce083b9b
parent 6ef38042f3
45 changed files with 4227 additions and 6 deletions
--- a/docs/configuration/route/rule_action.zh.md
+++ b/docs/configuration/route/rule_action.zh.md
@ -138,7 +138,10 @@ icon: material/new-box
  "fallback_delay": "",
  "udp_disable_domain_unmapping": false,
  "udp_connect": false,
-  "udp_timeout": ""
+  "udp_timeout": "",
+  "tls_fragment": false,
+  "tls_fragment_fallback_delay": "",
+  "tls_record_fragment": false
 }
 ```

--- a/docs/configuration/shared/tls.md
+++ b/docs/configuration/shared/tls.md
@ -6,6 +6,8 @@ icon: material/new-box

    :material-plus: [certificate_provider](#certificate_provider)  
    :material-plus: [handshake_timeout](#handshake_timeout)  
+    :material-plus: [spoof](#spoof)  
+    :material-plus: [spoof_method](#spoof_method)  
    :material-delete-clock: [acme](#acme-fields)

 !!! quote "Changes in sing-box 1.13.0"
@ -127,6 +129,8 @@ icon: material/new-box
  "fragment": false,
  "fragment_fallback_delay": "",
  "record_fragment": false,
+  "spoof": "",
+  "spoof_method": "",
  "kernel_tx": false,
  "kernel_rx": false,
  "handshake_timeout": "",
@ -642,6 +646,41 @@ The fallback value used when TLS segmentation cannot automatically determine the

 Fragment TLS handshake into multiple TLS records to bypass firewalls.

+#### spoof
+
+!!! question "Since sing-box 1.14.0"
+
+==Client only, Linux/macOS/Windows only, requires elevated privileges==
+
+Inject a forged TLS ClientHello carrying a whitelisted SNI before the real one,
+to fool SNI-filtering middleboxes that permit specific hostnames.
+
+The forged segment is a copy of the real ClientHello with only the SNI value
+replaced by the value of this field, so TLS fingerprinting cannot distinguish
+it from the real one. The receiving server drops the forged segment
+(see `spoof_method`) while the middlebox treats it as a legitimate session.
+
+Requires raw-socket access (`CAP_NET_RAW` on Linux, root on macOS);
+on Linux, `CAP_NET_ADMIN` is additionally required because the send sequence
+number is read via `TCP_REPAIR`.
+On Windows, Administrator is required to install the embedded WinDivert kernel
+driver on first use. Windows on ARM64 is not supported.
+
+#### spoof_method
+
+!!! question "Since sing-box 1.14.0"
+
+==Client only==
+
+How the forged segment is rejected by the real server.
+
+| Value                      | Behavior                                                                               |
+|----------------------------|----------------------------------------------------------------------------------------|
+| `wrong-sequence` (default) | The forged segment's TCP sequence number is placed before the server's receive window. |
+| `wrong-checksum`           | The forged segment's TCP checksum is deliberately invalid.                              |
+
+Conflict with `spoof` unset.
+
 ### ACME Fields

 !!! failure "Deprecated in sing-box 1.14.0"
--- a/docs/configuration/shared/tls.zh.md
+++ b/docs/configuration/shared/tls.zh.md
@ -6,6 +6,8 @@ icon: material/new-box

    :material-plus: [certificate_provider](#certificate_provider)  
    :material-plus: [handshake_timeout](#handshake_timeout)  
+    :material-plus: [spoof](#spoof)  
+    :material-plus: [spoof_method](#spoof_method)  
    :material-delete-clock: [acme](#acme-字段)

 !!! quote "sing-box 1.13.0 中的更改"
@ -127,6 +129,8 @@ icon: material/new-box
  "fragment": false,
  "fragment_fallback_delay": "",
  "record_fragment": false,
+  "spoof": "",
+  "spoof_method": "",
  "kernel_tx": false,
  "kernel_rx": false,
  "handshake_timeout": "",
@ -636,6 +640,39 @@ ECH 配置路径，PEM 格式。

 将 TLS 握手分段为多个 TLS 记录以绕过防火墙。

+#### spoof
+
+!!! question "自 sing-box 1.14.0 起"
+
+==仅客户端，仅 Linux/macOS/Windows，需要提权==
+
+在真实 ClientHello 之前注入一个伪造的、携带白名单 SNI 的 TLS ClientHello，
+以欺骗基于 SNI 过滤的中间盒放行连接。
+
+伪造报文是真实 ClientHello 的副本，仅将 SNI 值替换为本字段的值，
+因此 TLS 指纹无法区分伪造与真实报文。真实服务器会丢弃伪造报文（见 `spoof_method`），
+而中间盒将该连接视为合法会话。
+
+需要原始套接字权限（Linux 上需 `CAP_NET_RAW`，macOS 上需 root）；
+在 Linux 上还需 `CAP_NET_ADMIN`，因为需要通过 `TCP_REPAIR` 读取发送序列号。
+Windows 上首次使用时需要 Administrator 以安装内嵌的 WinDivert 内核驱动，
+不支持 Windows ARM64。
+
+#### spoof_method
+
+!!! question "自 sing-box 1.14.0 起"
+
+==仅客户端==
+
+控制伪造报文被真实服务器拒绝的方式。
+
+| 取值                       | 行为                                           |
+|----------------------------|------------------------------------------------|
+| `wrong-sequence`（默认）   | 伪造报文的 TCP 序列号位于服务器接收窗口之前。 |
+| `wrong-checksum`           | 伪造报文的 TCP 校验和被故意设为无效。         |
+
+与 `spoof` 未设置冲突。
+
 ### ACME 字段

 !!! failure "已在 sing-box 1.14.0 废弃"