From f3d47ebb3fbc65fc25a39d4ef0d4561407acc941 Mon Sep 17 00:00:00 2001
From: MHSanaei
Date: Sun, 1 Feb 2026 14:03:46 +0100
Subject: [PATCH] Refactor TLS peer cert verification settings

Removed verifyPeerCertByNames and pinnedPeerCertSha256 from inbound TLS settings and UI. Added verifyPeerCertByName and pinnedPeerCertSha256 to outbound TLS settings and updated the outbound form to support these fields. This change streamlines and clarifies certificate verification configuration between inbound and outbound settings.
---
 web/assets/js/model/inbound.js | 8 --------
 web/assets/js/model/outbound.js | 10 +++++++++-
 web/html/form/outbound.html | 9 +++++++++
 web/html/form/tls_settings.html | 9 ---------
 4 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/web/assets/js/model/inbound.js b/web/assets/js/model/inbound.js
index eb2b0f96..3f3f8831 100644
--- a/web/assets/js/model/inbound.js
+++ b/web/assets/js/model/inbound.js
@@ -596,8 +596,6 @@ class TlsStreamSettings extends XrayCommonClass {
 maxVersion = TLS_VERSION_OPTION.TLS13,
 cipherSuites = '',
 rejectUnknownSni = false,
- verifyPeerCertByNames = ['dns.google', 'cloudflare-dns.com'],
- pinnedPeerCertSha256 = [],
 disableSystemRoot = false,
 enableSessionResumption = false,
 certificates = [new TlsStreamSettings.Cert()],
@@ -612,8 +610,6 @@ class TlsStreamSettings extends XrayCommonClass {
 this.maxVersion = maxVersion;
 this.cipherSuites = cipherSuites;
 this.rejectUnknownSni = rejectUnknownSni;
- this.verifyPeerCertByNames = Array.isArray(verifyPeerCertByNames) ? verifyPeerCertByNames.join(",") : verifyPeerCertByNames;
- this.pinnedPeerCertSha256 = pinnedPeerCertSha256;
 this.disableSystemRoot = disableSystemRoot;
 this.enableSessionResumption = enableSessionResumption;
 this.certs = certificates;
@@ -647,8 +643,6 @@ class TlsStreamSettings extends XrayCommonClass {
 json.maxVersion,
 json.cipherSuites,
 json.rejectUnknownSni,
- json.verifyPeerCertByNames,
- json.pinnedPeerCertSha256 || [],
 json.disableSystemRoot,
 json.enableSessionResumption,
 certs,
@@ -666,8 +660,6 @@ class TlsStreamSettings extends XrayCommonClass {
 maxVersion: this.maxVersion,
 cipherSuites: this.cipherSuites,
 rejectUnknownSni: this.rejectUnknownSni,
- verifyPeerCertByNames: this.verifyPeerCertByNames.split(","),
- pinnedPeerCertSha256: this.pinnedPeerCertSha256.length > 0 ? this.pinnedPeerCertSha256 : undefined,
 disableSystemRoot: this.disableSystemRoot,
 enableSessionResumption: this.enableSessionResumption,
 certificates: TlsStreamSettings.toJsonArray(this.certs),
diff --git a/web/assets/js/model/outbound.js b/web/assets/js/model/outbound.js
index 21d6c393..3e0dd0d4 100644
--- a/web/assets/js/model/outbound.js
+++ b/web/assets/js/model/outbound.js
@@ -347,6 +347,8 @@ class TlsStreamSettings extends CommonClass {
 fingerprint = '',
 allowInsecure = false,
 echConfigList = '',
+ verifyPeerCertByName = 'cloudflare-dns.com',
+ pinnedPeerCertSha256 = '',
 ) {
 super();
 this.serverName = serverName;
@@ -354,6 +356,8 @@ class TlsStreamSettings extends CommonClass {
 this.fingerprint = fingerprint;
 this.allowInsecure = allowInsecure;
 this.echConfigList = echConfigList;
+ this.verifyPeerCertByName = verifyPeerCertByName;
+ this.pinnedPeerCertSha256 = pinnedPeerCertSha256;
 }
 
 static fromJson(json = {}) {
@@ -363,6 +367,8 @@ class TlsStreamSettings extends CommonClass {
 json.fingerprint,
 json.allowInsecure,
 json.echConfigList,
+ json.verifyPeerCertByName,
+ json.pinnedPeerCertSha256,
 );
 }
 
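Review bot: The new constructor default `verifyPeerCertByName = 'cloudflare-dns.com'` in outbound.js applies to every outbound TLS config, not only to ones where the operator chose that name. The fromJson hunk passes `json.verifyPeerCertByName` straight through, so an existing outbound whose stored JSON lacks the key picks up that hostname on load and writes it back on the next save. If the core checks the peer certificate against this value, outbounds to any other server would either fail the handshake or be validated against an unrelated identity; an empty default, `verifyPeerCertByName = '',`, would leave the field unset until the operator fills it in. The constructor and fromJson bodies start and end outside these hunks.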
@@ -372,7 +378,9 @@ class TlsStreamSettings extends CommonClass {
 alpn: this.alpn,
 fingerprint: this.fingerprint,
 allowInsecure: this.allowInsecure,
- echConfigList: this.echConfigList
+ echConfigList: this.echConfigList,
+ verifyPeerCertByName: this.verifyPeerCertByName,
+ pinnedPeerCertSha256: this.pinnedPeerCertSha256
 };
 }
 }
diff --git a/web/html/form/outbound.html b/web/html/form/outbound.html
index ce917b21..4df095d4 100644
--- a/web/html/form/outbound.html
+++ b/web/html/form/outbound.html
@@ -703,6 +703,15 @@ + + + + + + +
diff --git a/web/html/form/tls_settings.html b/web/html/form/tls_settings.html
index 7b5d53b8..b2368d4f 100644
--- a/web/html/form/tls_settings.html
+++ b/web/html/form/tls_settings.html
@@ -70,15 +70,6 @@ - - - - - - -
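Review bot: In the toJson hunk of outbound.js both new keys are written unconditionally, so an outbound with no pin configured serialises `pinnedPeerCertSha256: ''`. The inbound code removed by this same commit held the pin as an array and dropped the key when it was empty (`this.pinnedPeerCertSha256.length > 0 ? this.pinnedPeerCertSha256 : undefined`); whether the core reads an empty string as "no pin" is not visible here. Omitting empty values keeps the generated config unambiguous: `verifyPeerCertByName: this.verifyPeerCertByName || undefined,` and `pinnedPeerCertSha256: this.pinnedPeerCertSha256 || undefined`. A short comment stating the expected pin format (encoding, single value or comma-separated list) would also help, since nothing in the model validates what the form submits.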