REALITY practice: Support X25519MLKEM768 for TLS' communication

REALITY 抗量子更新第一弹来袭！升级服务端、客户端至该版本，REALITY target 支持 X25519MLKEM768 时将自动启用

X25519MLKEM768 可有效预防被“现在记录、以后拿量子计算机解密 TLS 流量”，此外 #3813 (comment)

最近有越来越多的网站开始支持 X25519MLKEM768 了，所以服务端一定要及时升级，避免新版客户端连不上

感谢 @yuhan6665 对 REALITY 仓库的维护，以及 @mingyech @BRUHItsABunny 对 uTLS 仓库的维护

有人觉得这次是 breaking，其实不尽然，因为我发得早，现在已经支持 X25519MLKEM768 的就技术前沿像 CF、Google 这样的，它们都没人偷，等一两个月后其它网站陆续开始支持了，大家的服务端早就升级、兼容了，所以我必须让 v25.5.16 成为新的稳定版

Shadowrocket TF 版已支持 XHTTP，大家可以测测，如果有问题请反馈过去

此外从上个版本开始，auto mode 的 XHTTP TLS 默认改为 packet-up，XHTTP REALITY 默认仍为 stream-one

请支持一个 REALITY NFT：https://opensea.io/assets/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/2

如果你有余力，请支持一个 Project X NFT：https://opensea.io/assets/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/1

该版本升级了一些依赖，并使用 Go 1.24.3 编译，已 tag v1.250516.0，感谢所有贡献者，详见下方 change log

What's Changed

• README.md: Add Remnawave to Web Panels by @iambabyninja in #4498
• API: Fix data race in online ipList by @Fangliding in #4513
• DNS: Ensure order for DNS server match by @Fangliding in #4510
• DNS: Add allowUnexpectedIPs for DnsServerObject by @patterniha in #4497
• DNS: Add tag for DnsServerObject by @Fangliding in #4515
• DNS: Retry with EDNS0 when response is truncated by @Fangliding in #4516
• DNS: Add timeoutMs for DnsServerObject by @patterniha in #4523
• Sockopt: Fix Windows UDP interface bind; Allow Linux customSockopt work for UDP by @Fangliding in #4504
• DNS DoH: Use EDNS0 with 100-300 padding by default (body padding) by @RPRX in 607c2a6
• Env: Add XRAY_LOCATION_CERT variable by @patterniha @RPRX in #4536
• DNS: Support returning upstream TTL to clients by @Meo597 in #4526
• DNS: Add expectedIPs as an alias of expectIPs by @patterniha in #4551
• HTTP inbound: Directly forward plain HTTP 1xx response header by @Fangliding in #4547
• Chore: Optimize .gitignore by @Pk-web6936 in #4564
• DNS: Use cache for NXDOMAIN (rcode 3 error) by @patterniha in #4560
• Sockopt: Fix Windows Multicast interface bind by @xqzr in #4568
• WireGuard: Improve config error handling; Prevent panic in case of errors during server initialization by @IlyaGulya in #4566
• Dialer: Do not use ListenSystemPacket() when dialing UDP by @RPRX in 8284a0e
• Sockopt: Fix Darwin (macOS, iOS...) UDP interface bind by @92613hjh in #4530
• Sockopt: Allow listen v6only work for Windows & Darwin by @xqzr @RPRX in #4571
• Config: Implement missing MarshalJSON for structs having custom UnmarshalJSON by @ragavpr in #4585
• Sockopt: Use Windows syscall by @xqzr in #4581
• Fix issues related to android client by @Cl-He-O in #4616
• Sockopt: Allow customSockopt work for Windows & Darwin by @Fangliding in #4576
• README.md: Add Loon to Others by @RPRX in 8212325
• README.md: Rename Clash.Meta to mihomo in Others by @RPRX in 2916b1b
• XHTTP client: Set packet-up as the default mode (auto) when using TLS by @RPRX in 0995fa4
• Sockopt: Fix Windows IP_MULTICAST_IF & IPV6_MULTICAST_IF by @xqzr in #4627
• DNS log: Optimize IP address display by @ddatsh in #4630
• uTLS: Add new fingerprints by @yuhan6665 in a608c5a
• QUIC sniffer: Full support for handling multiple initial packets by @j2rong4cn @RPRX @Vigilans @xiaokangwang @dyhkwong in #4642
• buffer.go: Ensure extended part by Extend() & Resize() are all-zero by @RPRX in 2eed70e
• QUIC sniffer: Optimize the code by @j2rong4cn in #4655
• Sockopt: Fix some domainStrategy & dialerProxy bugs by @patterniha in #4661
• DNS: Fix some bugs; Refactors; Optimizations by @patterniha in #4659
• Workflows: Build Android(7+) using NDK; Add Android(7+) amd64 build by @j2rong4cn in #4664
• Chore: Update gVisor to the latest version; Fmt .go files by @Pk-web6936 in #4663
• Improve random IP compatibility: support IPv4, add srcip option, and sync client source IP via sendthrough by @ImAubrey in #4671
• DNS: Extend hosts Abilities by @patterniha in #4673
• Workflows: Authenticating the GitHub API call with GitHub token by @yin1999 in #4703
• DNS-Hosts: appending matched-results again by @patterniha @Fangliding in #4702
• Workflows: Ensure Geodat exists by @Meo597 in #4680
• Removing code that was not being executed and should not be executed. by @patterniha in #4721
• REALITY practice: Support X25519MLKEM768 for TLS' communication by @RPRX in 7ddc4a2
• REALITY protocol: Remove ChaCha20-Poly1305 support for REALITY's session id auth by @RPRX in 09d84c4
• Sniffer: Fix potential infinite loop by @patterniha @Fangliding in #4726
• QUIC sniffer: Fix potential slice panic by @Fangliding in #4732

New Contributors

• @Meo597 made their first contribution in #4526
• @Pk-web6936 made their first contribution in #4564
• @IlyaGulya made their first contribution in #4566
• @92613hjh made their first contribution in #4530
• @ragavpr made their first contribution in #4585
• @Cl-He-O made their first contribution in #4616
• @ddatsh made their first contribution in #4630
• @j2rong4cn made their first contribution in #4642

Full Changelog: v25.3.6...v25.5.16

Xray-core 四月累积更新版本，主要包含大量修复，以及 XHTTP TLS 默认改为 packet-up，XHTTP REALITY 默认仍为 stream-one

Xray-core v25.4.30 已转为 latest 以触发更大范围的测试，目前的发布策略是即使没有 release notes，每两个版本标一个 latest，有 release notes 时再标 v1.250306.0 这样的兼容性 tag

小火箭 TF 版已支持 XHTTP，大家可以测测，如果有问题请反馈过去

Full Changelog: v25.3.31...v25.4.30

Xray-core 三月累积更新版本，主要包含大量针对 DNS 和 sockopt 的增强，以及其它几处修复，感谢各位贡献者

https://xtls.github.io/config/dns.html#dnsserverobject

Full Changelog: v25.3.6...v25.3.31

XHTTP: Beyond REALITY #4113 & MITM-Domain-Fronting

距离上次写 release notes 已过了近三个月，在此期间 XHTTP 积累了大量的改进与修复，其中感知最明显的是逐步将 HTTP request header 的 path padding 迁移至了 Referer header 以避免产生过长的日志（由 @rPDmYQ 提出），以及逐步修复了 stream-up 通过 CF 时连接 100 秒后被掐断的问题，请查看 commit history 及第四版 XHTTP: Beyond REALITY。

XHTTP 服务端需要及时升级至该版本，以支持新版 XHTTP 客户端。

另一项重点开发的功能是 MITM-Domain-Fronting：

• 比如现在你可以用 Xray 对浏览器发出的 TLS MITM 并强制域前置，以实现无代理服务器直连一些被 GFW 封锁的网站。
• Xray 内置 DNS 也加了 h2c:// 以搭配 freedom 出站实现内置 DoH 域前置，它正好可以绕过近期 GFW 对 DoH 的封锁。并且 Xray 内置 DoH 现在均默认使用 Chrome 指纹、加了 header padding。
• @patterniha 分享出了适用于伊朗的完整 serverless 配置，包括 TCP/TLS fragment 和 UDP noises：Serverless-for-Iran。Please join the official Xray Iranian group https://t.me/projectXhttp for more information.

请支持一个 REALITY NFT：https://opensea.io/assets/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/2

如果你有余力，请支持一个 Project X NFT：https://opensea.io/assets/ethereum/0x5ee362866001613093361eb8569d59c4141b76d1/1

Xray 接下来的重心转向 Vision Seed & VLESS Encryption，Windows Tun & GUI Client，以及 ECH 和 REALITY 抗量子更新。

最低 Go 版本要求已升至 Go 1.24+，@KobeArthurScofield 正在维护 https://github.com/XTLS/go-win7 以继续支持 Win7。

虽然我们 tag 了 v1.250306.0，但目前仅打算在稳定版时更新这种 tag，所以如果你的项目需要追新，仍需指定 commit id。

What's Changed

• XHTTP XMUX: Fix OpenUsage never gets reduced by @RPRX in 1410b63
• XHTTP client: Make H3 httptrace work on v2rayNG by @RPRX in 53b04d5
• XHTTP client: Merge Open* into OpenStream(), and more by @RPRX in db934f0
• DNS: Always use a DNS Message ID of 0 for DoH and DoQ by @maoxikun @dyhkwong in #4193
• chore: use errors.New to replace fmt.Errorf with no parameters by @RiceChuan in #4204
• Core: Add mutex to injection resolution by @yuhan6665 in #4206
• Dokodemo TPROXY: Interrupt UDP download if upload timeouts by @RPRX in a8559a1
• XHTTP XMUX: Increase the default value for cMaxReuseTimes by @RPRX in ff4331a
• XHTTP XMUX: cMaxLifetimeMs -> hMaxReusableSecs, Refactor default values by @RPRX in 4ce65fc
• Sockopt config: Add penetrate for XHTTP U-D-S, Remove tcpNoDelay by @RPRX in 369d894
• Inbounds config: Add mixed as an alias of socks by @RPRX in 5af9068
• Build: Use patched newer Go version to build Windows 7 assets by @KobeArthurScofield in #4192
• Upgrade quic-go to patched v0.48.2 by @RPRX in 8a6a538
• Config: Correctly marshal Int32Range to JSON by @yiguous in #4234
• Freedom config: Fix noises delay by @GFW-knocker in #4233
• Workflows: Trigger all Build & Test on all branches & files by @RPRX in dd4ba82
• Freedom noises: Change legacy variable name by @Fangliding in #4238
• Freedom noises: Support "hex" as type & packet by @GFW-knocker @RPRX in #4239
• Freedom noises: Support RawURLEncoding for "base64" by @RPRX in 2f52aa7
• Upgrade gVisor to a newer version by @hossinasaadi in #3903
• Build: Update GeoIP/GeoSite Cache per hour by @KobeArthurScofield in #4247
• XHTTP XMUX: Abandon client if client.Do(req) failed by @RPRX in #4253
• Freedom: Don't use rawConn copy when using utls by @Fangliding in #4272
• chore: fix struct field name in comment by @dashangcun in #4284
• Commands: Fix dumping merged config for XHTTP by @vrnobody in #4290
• Mixed inbound: Handle immediately closing connection gracefully by @rPDmYQ @RPRX in #4297
• XHTTP client: Move x_padding into Referer header by @rPDmYQ in #4298
• DNS: Implement queryStrategy for "localhost" by @Fangliding in #4303
• XHTTP server: Add scStreamUpServerSecs, enabled by default by @RPRX in #4306
• DNS DoH: Add h2c Remote mode (with TLS serverNameToVerify) by @RPRX in 2522cfd
• RAW: Allow setting ALPN http/1.1 for non-REALITY uTLS by @RPRX in 740a6b0
• Log: Add microseconds for all kinds of logs by @RPRX in 5679d71
• UDS: Keep valid source addr by @Fangliding in #4325
• Upgrade quic-go to official v0.49.0 by @RPRX in a7a8362
• README.md: Add xray-checker to Xray Tools by @kutovoys in #4319
• XTLS Vision: Use separate uplink/downlink flag for direct copy by @yuhan6665 in #4329
• XHTTP client: Add back minimal path padding for compatibility by @RPRX in efdc70f
• Commands: Fix ambiguous printing of private x25519 key by @auvred in #4343
• README.md: Add Project XHTTP (Persian) to Telegram by @RPRX in 480c7d7
• MITM: Allow forwarding local negotiated ALPN http/1.1 to the real website by @RPRX in 9b78411
• MITM: Allow using local received SNI in the outgoing serverName & verifyPeerCertInNames by @RPRX in c6a31f4
• Log: Add microseconds for golang's standard logger by @RPRX in 527caa3
• MITM freedom RAW TLS: Report website with unexpected Negotiated Protocol / invalid Domain Fronting certificate by @RPRX in 117de1f
• API: Add user IPs and access times tracking by @mr1cloud in #4360
• Chore: Make some Maps into real Sets by @arturmelanchyk in #4362
• README.md: Add XrayUI to Asuswrt-Merlin clients by @DanielLavrushin in #4355
• Geofiles: Switch to Loyalsoldier's v2ray-rules-dat by @RPRX in c81d8e4
• Workflows: Reduce Geodata update frequency by @KobeArthurScofield in #4369
• MITM freedom RAW TLS: Allow "fromMitm" to be written at any position in verifyPeerCertInNames, Add checking for alpn "fromMitm" by @RPRX in d4c7cd0
• DNS DoH h2c Remote: Add verifyPeerCertInNames "fromMitm" support by @RPRX in 613c63b
• Commands: Use ".crt" & ".key" suffixes when generating TLS certificates by @RPRX in 925a985
• XHTTP server: Finish stream-up's HTTP POST when its request.Body is closed by @RPRX in dcd7e92
• Workflows: Fix Actions' manual dispatch for assets update by @KobeArthurScofield in #4378
• Config: Correctly marshal PortList and NameServerConfig to JSON by @yiguous in #4386
• UDS: Make all remote addr 0.0.0.0 by @Fangliding @RPRX in #4390
• Build: End of the easily mistaken 'Makefile' by @KobeArthurScofield @RPRX in #4395
• API: Improve cli usage descriptions by @billzhong in #4401
• XTLS: More separate uplink/downlink flags for splice copy by @yuhan6665 in #4407
• XHTTP server: Set remoteAddr & localAddr correctly by @RPRX in 8cb63db
• XHTTP client: Revert "Add back minimal path padding for compatibility" by @RPRX in c5de08b
• Metrics: Add direct listen by @Fangliding in #4409
• UDS: Use UnixListenerWrapper & UnixConnWrapper by @Fangliding @RPRX in #4413
• XHTTP server: Fix stream-up "single POST problem", Use united httpServerConn instead of recover() by @RPRX in b786a50
• Outbound: Add outbound sendThrough origin beha...

See https://github.com/XTLS/Xray-core/releases/tag/v25.3.6

See https://github.com/XTLS/Xray-core/releases/tag/v25.3.6

See https://github.com/XTLS/Xray-core/releases/tag/v25.3.6

See https://github.com/XTLS/Xray-core/releases/tag/v25.3.6

See https://github.com/XTLS/Xray-core/releases/tag/v25.3.6

See https://github.com/XTLS/Xray-core/releases/tag/v25.3.6