Skip to content

outbound/ssh: add cipher, MAC, and key exchange configuration#4066

Open
rojer wants to merge 54 commits intoSagerNet:testingfrom
rojer:ssh_ciphers
Open

outbound/ssh: add cipher, MAC, and key exchange configuration#4066
rojer wants to merge 54 commits intoSagerNet:testingfrom
rojer:ssh_ciphers

Conversation

@rojer
Copy link
Copy Markdown

@rojer rojer commented Apr 21, 2026

Ability to specify client's cipher preference is useful. In particular, often aes128-gcm is more efficient but chacha-poly1305 is selected instead.

@nekohasekai nekohasekai force-pushed the testing branch 3 times, most recently from 99e1ffe to 8130928 Compare April 22, 2026 05:51
@nekohasekai
Add MAC and hostname rule items
27ca71f
@nekohasekai
Add Android support for MAC and hostname rule items
a9decac
@nekohasekai
Add macOS support for MAC and hostname rule items
92310b4
@nekohasekai
documentation: Update descriptions for neighbor rules
027f11c
@nekohasekai
Refactor ACME support to certificate provider
47df58f
@nekohasekai
Add BBR profile and hop interval randomization for Hysteria2
ed165ee
@nekohasekai
platform: Add OOM Report & Crash Report
d89a712
@nekohasekai
Also enable certificate store by default on Apple platforms
82d590a 
`SecTrustEvaluateWithError` is serial
@nekohasekai
Add evaluate DNS rule action and related rule items
144a3fb
@nekohasekai
platform: Fix set local
df5f2cc
@nekohasekai
Fix deprecated warning double-formatting on localized clients
f02472a
@nekohasekai
oom-killer: Free memory on pressure notification and use gradual inte…
bc6d0fe 
…rval backoff
@nekohasekai
tools: Network Quality & STUN
34a5ae7
@nekohasekai
platform: Fix darwin signal handler
48e18c7
@nekohasekai
tools: Tailscale status
5eec1a2
@nekohasekai
Revert "Also enable certificate store by default on Apple platforms"
c669743 
This reverts commit 62cb06c.
@nekohasekai
Fix rules lock
84b5c2f
@nekohasekai
Fix darwin local DNS transport
69b9198
@nekohasekai
tools: Tailscale status
10f4481
@nekohasekai
Un-deprecate ip_accept_any DNS rule item
eb2b0f4
@nekohasekai
documentation: Fixes
c884f9d
@nekohasekai
Add package_name_regex route, DNS and headless rule item
7b70e4c
@nekohasekai
platform: Wrap command RPC error returns with E.Cause
4413b5e
@nekohasekai
Fix lint errors
2be423b
@nekohasekai
Add cloudflared inbound
01207b2
@nekohasekai
documentation: Fix missing update for ip_version and query_type
c680b4a
@nekohasekai
Standardize hosts path
0a904a5
@nekohasekai
Add TLS spoof support
c17569e
@nekohasekai
Fix legacy rule-set download_detour blocked by empty direct check
65c79a4
@nekohasekai
Reject pure-IP rule-set references without match_response
222bb41 
DNS rules referencing rule-sets that contain only ip_cidr predicates
silently stopped matching when legacy DNS mode was disabled, because the
IP-CIDR branch cannot match against an in-flight DNS query. The existing
validation intentionally let every rule_set through on the premise that
mixed sets still work via their non-IP branches, which is only true when
such a branch exists. Track whether a rule-set carries any non-IP-CIDR
predicate and reject pure-IP references the same way bare ip_cidr fields
are already rejected.
@nekohasekai
Fix use-after-free of pooled value buffers in bbolt Batch writes
dd087f9
@nekohasekai
Reject IP literal server name with TLS spoof
4cc9404
@nekohasekai
Fix macOS tlsspoof
227df81
@nekohasekai
Scope HTTP/2 fallback and HTTP/3 broken state per authority
4bc13fc
@nekohasekai
Defer implicit default HTTP client fallback to first use
b96ef82
@nekohasekai
Strip EDNS padding from upstream DNS responses
32bcf1a
@nekohasekai
Fix Apple TLS metadata capture
b771448
@nekohasekai
Fix tls-spoof
2e3d20d
@nekohasekai
Add search domain support for Tailscale DNS
fa791ae
@nekohasekai
Log DNS optimistic background refresh outcomes
87b8007
@nekohasekai
Fix Tailscale search domain response name mismatch
2640dd9
@nekohasekai
Fix goroutine leak in networkquality tool
6904d91 
Serialize probe rounds in startProber to eliminate unbounded fan-out of
fire-and-forget probe goroutines (up to 100/sec per direction), and close
HTTP/3 transports via transport.Close() in addition to CloseIdleConnections.
@nekohasekai
Add ACME profile support for IP address certificates
986c7f8
@nekohasekai
Fix ACME HTTP-01 challenge for IPv6 literal addresses
a20f5fd
@nekohasekai
platform: Improve oom-killer
cd4a4e6
@nekohasekai
Fix darwin cgo DNS again
a8bd2e2
@nekohasekai
Bump version
76a2201
@rojer
outbound/ssh: add cipher, MAC, and key exchange configuration
d472511 
Ability to specify client's cipher preference is useful.
In particular, often `aes128-gcm` is more efficient but
`chacha-poly1305` is selected instead.
@rojer
Copy link
Copy Markdown
Author

rojer commented Apr 25, 2026

@nekohasekai this is a small change that shouldn't be controversial, any chance it can be merged before 0.14?

@nekohasekai nekohasekai force-pushed the testing branch 5 times, most recently from 1b0e6c5 to abedea4 Compare April 28, 2026 07:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rojer @nekohasekai