
fix(tls): default OCSP stapling to off for new inbound certs

Certs without an OCSP responder URL (e.g. Let's Encrypt, which dropped OCSP in 2025) made xray log 'ignoring invalid OCSP: no OCSP server specified in cert' on every refresh. Default the per-cert ocspStapling interval to 0 (disabled) so new inbounds stay quiet; the field is kept for certs that do support stapling.
MHSanaei 18 시간 전
부모
커밋
39774a6a38

+ 1 - 1
frontend/src/lib/xray/inbound-tls-defaults.ts

@@ -7,7 +7,7 @@ function defaultCertificate(): Record<string, unknown> {
     keyFile: '',
     certificate: [],
     key: [],
-    ocspStapling: 3600,
+    ocspStapling: 0,
     oneTimeLoading: false,
     usage: 'encipherment',
     buildChain: false,
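Review bot: The new `ocspStapling: 0` default carries no comment saying that 0 means stapling is switched off rather than "refresh immediately", so a reader of defaultCertificate() cannot distinguish it from a placeholder value. Suggest `ocspStapling: 0, // 0 = OCSP stapling off; set a refresh interval only for certs whose issuer still runs an OCSP responder` here, and the same comment on the identical literal in frontend/src/pages/inbounds/form/security/tls.tsx (@@ -132) and on both schema defaults in frontend/src/schemas/protocols/security/tls.ts. As far as I recall, xray's config reference describes the value as a refresh interval in seconds; confirm the unit before writing it into the comment. defaultCertificate() starts before and ends after this hunk.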

+ 1 - 1
frontend/src/pages/inbounds/form/security/tls.tsx

@@ -132,7 +132,7 @@ export default function TlsForm({
                   keyFile: '',
                   certificate: [],
                   key: [],
-                  ocspStapling: 3600,
+                  ocspStapling: 0,
                   oneTimeLoading: false,
                   usage: 'encipherment',
                   buildChain: false,
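Review bot: The certificate literal in this hunk repeats, field for field, the object that defaultCertificate() in frontend/src/lib/xray/inbound-tls-defaults.ts builds, which is why this commit had to patch the same `ocspStapling` line in two places and why the two can still drift on the next change. If TlsForm does not already import that helper, replacing the inline object with `...defaultCertificate()` (or a direct call) would leave a single source of truth for the per-cert defaults; whether the form layers extra fields on top is not visible in this hunk. TlsForm starts before and ends after this hunk.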

+ 2 - 2
frontend/src/schemas/protocols/security/tls.ts

@@ -39,7 +39,7 @@ export type TlsCertUsage = z.infer<typeof TlsCertUsageSchema>;
 export const TlsCertFileSchema = z.object({
   certificateFile: z.string().min(1),
   keyFile: z.string().min(1),
-  ocspStapling: z.number().default(3600),
+  ocspStapling: z.number().default(0),
   oneTimeLoading: z.boolean().default(false),
   usage: TlsCertUsageSchema.default('encipherment'),
   buildChain: z.boolean().default(false),
@@ -47,7 +47,7 @@ export const TlsCertFileSchema = z.object({
 export const TlsCertInlineSchema = z.object({
   certificate: z.array(z.string()),
   key: z.array(z.string()),
-  ocspStapling: z.number().default(3600),
+  ocspStapling: z.number().default(0),
   oneTimeLoading: z.boolean().default(false),
   usage: TlsCertUsageSchema.default('encipherment'),
   buildChain: z.boolean().default(false),

+ 5 - 5
frontend/src/test/__snapshots__/inbound-full.test.ts.snap

@@ -57,7 +57,7 @@ exports[`InboundSchema (full) fixtures > parses hysteria-v1-tls byte-stably 1`]
           "buildChain": false,
           "certificateFile": "/etc/ssl/certs/hysteria.crt",
           "keyFile": "/etc/ssl/private/hysteria.key",
-          "ocspStapling": 3600,
+          "ocspStapling": 0,
           "oneTimeLoading": false,
           "usage": "encipherment",
         },
@@ -201,7 +201,7 @@ exports[`InboundSchema (full) fixtures > parses trojan-ws-tls byte-stably 1`] =
           "buildChain": false,
           "certificateFile": "/etc/ssl/certs/trojan.crt",
           "keyFile": "/etc/ssl/private/trojan.key",
-          "ocspStapling": 3600,
+          "ocspStapling": 0,
           "oneTimeLoading": false,
           "usage": "encipherment",
         },
@@ -379,7 +379,7 @@ exports[`InboundSchema (full) fixtures > parses vless-ws-tls byte-stably 1`] = `
           "buildChain": false,
           "certificateFile": "/etc/ssl/certs/cdn.example.test.crt",
           "keyFile": "/etc/ssl/private/cdn.example.test.key",
-          "ocspStapling": 3600,
+          "ocspStapling": 0,
           "oneTimeLoading": false,
           "usage": "encipherment",
         },
@@ -471,7 +471,7 @@ exports[`InboundSchema (full) fixtures > parses vless-ws-tls-pinned byte-stably
           "buildChain": false,
           "certificateFile": "/etc/ssl/certs/cdn.example.test.crt",
           "keyFile": "/etc/ssl/private/cdn.example.test.key",
-          "ocspStapling": 3600,
+          "ocspStapling": 0,
           "oneTimeLoading": false,
           "usage": "encipherment",
         },
@@ -570,7 +570,7 @@ exports[`InboundSchema (full) fixtures > parses vmess-tcp-tls byte-stably 1`] =
           "buildChain": false,
           "certificateFile": "/etc/ssl/certs/vmess.crt",
           "keyFile": "/etc/ssl/private/vmess.key",
-          "ocspStapling": 3600,
+          "ocspStapling": 0,
           "oneTimeLoading": false,
           "usage": "encipherment",
         },

+ 1 - 1
frontend/src/test/__snapshots__/security.test.ts.snap

@@ -51,7 +51,7 @@ exports[`SecuritySettingsSchema fixtures > parses tls-cert-file byte-stably 1`]
         "buildChain": false,
         "certificateFile": "/etc/ssl/certs/cdn.example.test.crt",
         "keyFile": "/etc/ssl/private/cdn.example.test.key",
-        "ocspStapling": 3600,
+        "ocspStapling": 0,
         "oneTimeLoading": false,
         "usage": "encipherment",
       },