From 39774a6a3830eee01fde9f40a1829a5ddc99c0fd Mon Sep 17 00:00:00 2001 From: MHSanaei Date: Sun, 21 Jun 2026 19:15:57 +0200 Subject: [PATCH] fix(tls): default OCSP stapling to off for new inbound certs Certs without an OCSP responder URL (e.g. Let's Encrypt, which dropped OCSP in 2025) made xray log 'ignoring invalid OCSP: no OCSP server specified in cert' on every refresh. Default the per-cert ocspStapling interval to 0 (disabled) so new inbounds stay quiet; the field is kept for certs that do support stapling. --- frontend/src/lib/xray/inbound-tls-defaults.ts | 2 +- frontend/src/pages/inbounds/form/security/tls.tsx | 2 +- frontend/src/schemas/protocols/security/tls.ts | 4 ++-- .../src/test/__snapshots__/inbound-full.test.ts.snap | 10 +++++----- frontend/src/test/__snapshots__/security.test.ts.snap | 2 +- 5 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/frontend/src/lib/xray/inbound-tls-defaults.ts b/frontend/src/lib/xray/inbound-tls-defaults.ts
index 4ef9ad115..ad0919115 100644
--- a/frontend/src/lib/xray/inbound-tls-defaults.ts
+++ b/frontend/src/lib/xray/inbound-tls-defaults.ts
@@ -7,7 +7,7 @@ function defaultCertificate(): Record {
 keyFile: '',
 certificate: [],
 key: [],
- ocspStapling: 3600,
+ ocspStapling: 0,
 oneTimeLoading: false,
 usage: 'encipherment',
 buildChain: false,
diff --git a/frontend/src/pages/inbounds/form/security/tls.tsx b/frontend/src/pages/inbounds/form/security/tls.tsx
index e17af3332..5a4ab7730 100644
--- a/frontend/src/pages/inbounds/form/security/tls.tsx
+++ b/frontend/src/pages/inbounds/form/security/tls.tsx
@@ -132,7 +132,7 @@ export default function TlsForm({
 keyFile: '',
 certificate: [],
 key: [],
- ocspStapling: 3600,
+ ocspStapling: 0,
 oneTimeLoading: false,
 usage: 'encipherment',
 buildChain: false,
diff --git a/frontend/src/schemas/protocols/security/tls.ts b/frontend/src/schemas/protocols/security/tls.ts
index fdf0a02bd..91eafca10 100644
--- a/frontend/src/schemas/protocols/security/tls.ts
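Review bot: The new `ocspStapling: 0` literal is set independently in `defaultCertificate()` here and again in the `TlsForm` hunk of tls.tsx, and the two schema defaults in tls.ts carry the same value, so the four copies can drift the next time this default is revisited; having the form reuse `defaultCertificate()` (or deriving the form default from the schema) would leave one source of truth. A reader of this line cannot tell that 0 means "stapling disabled" rather than "refresh continuously", so a why-comment belongs on it: `ocspStapling: 0, // 0 disables stapling; certs without an OCSP responder URL (e.g. Let's Encrypt) otherwise make xray log an invalid-OCSP warning on each refresh`. Turning stapling off by default also drops the staple for certs that do have a responder, so the comment should mention that operators with such certs are expected to set a non-zero interval themselves. Both `defaultCertificate()` and `TlsForm` start outside their hunks.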
+++ b/frontend/src/schemas/protocols/security/tls.ts
@@ -39,7 +39,7 @@ export type TlsCertUsage = z.infer;
 export const TlsCertFileSchema = z.object({
 certificateFile: z.string().min(1),
 keyFile: z.string().min(1),
- ocspStapling: z.number().default(3600),
+ ocspStapling: z.number().default(0),
 oneTimeLoading: z.boolean().default(false),
 usage: TlsCertUsageSchema.default('encipherment'),
 buildChain: z.boolean().default(false),
@@ -47,7 +47,7 @@ export const TlsCertFileSchema = z.object({
 export const TlsCertInlineSchema = z.object({
 certificate: z.array(z.string()),
 key: z.array(z.string()),
- ocspStapling: z.number().default(3600),
+ ocspStapling: z.number().default(0),
 oneTimeLoading: z.boolean().default(false),
 usage: TlsCertUsageSchema.default('encipherment'),
 buildChain: z.boolean().default(false),
diff --git a/frontend/src/test/__snapshots__/inbound-full.test.ts.snap b/frontend/src/test/__snapshots__/inbound-full.test.ts.snap
index 4dc1226e4..22342aac9 100644
--- a/frontend/src/test/__snapshots__/inbound-full.test.ts.snap
+++ b/frontend/src/test/__snapshots__/inbound-full.test.ts.snap
@@ -57,7 +57,7 @@ exports[`InboundSchema (full) fixtures > parses hysteria-v1-tls byte-stably 1`]
 "buildChain": false,
 "certificateFile": "/etc/ssl/certs/hysteria.crt",
 "keyFile": "/etc/ssl/private/hysteria.key",
- "ocspStapling": 3600,
+ "ocspStapling": 0,
 "oneTimeLoading": false,
 "usage": "encipherment",
 },
@@ -201,7 +201,7 @@ exports[`InboundSchema (full) fixtures > parses trojan-ws-tls byte-stably 1`] =
 "buildChain": false,
 "certificateFile": "/etc/ssl/certs/trojan.crt",
 "keyFile": "/etc/ssl/private/trojan.key",
- "ocspStapling": 3600,
+ "ocspStapling": 0,
 "oneTimeLoading": false,
 "usage": "encipherment",
 },
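Review bot: `ocspStapling: z.number().default(0)` in `TlsCertFileSchema`, and the identical line in the `TlsCertInlineSchema` hunk right below it, still accept negative and fractional values, so a hand-edited or imported config can pass validation with an interval that has no sensible meaning for what looks (from the old 3600 default) like a seconds count consumed by xray. Tightening both lines to `ocspStapling: z.number().int().nonnegative().default(0),` rejects that at parse time while keeping 0 as the "disabled" value the commit message describes. The closing `})` of both schema objects lies outside the hunks.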
@@ -379,7 +379,7 @@ exports[`InboundSchema (full) fixtures > parses vless-ws-tls byte-stably 1`] = `
 "buildChain": false,
 "certificateFile": "/etc/ssl/certs/cdn.example.test.crt",
 "keyFile": "/etc/ssl/private/cdn.example.test.key",
- "ocspStapling": 3600,
+ "ocspStapling": 0,
 "oneTimeLoading": false,
 "usage": "encipherment",
 },
@@ -471,7 +471,7 @@ exports[`InboundSchema (full) fixtures > parses vless-ws-tls-pinned byte-stably
 "buildChain": false,
 "certificateFile": "/etc/ssl/certs/cdn.example.test.crt",
 "keyFile": "/etc/ssl/private/cdn.example.test.key",
- "ocspStapling": 3600,
+ "ocspStapling": 0,
 "oneTimeLoading": false,
 "usage": "encipherment",
 },
@@ -570,7 +570,7 @@ exports[`InboundSchema (full) fixtures > parses vmess-tcp-tls byte-stably 1`] =
 "buildChain": false,
 "certificateFile": "/etc/ssl/certs/vmess.crt",
 "keyFile": "/etc/ssl/private/vmess.key",
- "ocspStapling": 3600,
+ "ocspStapling": 0,
 "oneTimeLoading": false,
 "usage": "encipherment",
 },
diff --git a/frontend/src/test/__snapshots__/security.test.ts.snap b/frontend/src/test/__snapshots__/security.test.ts.snap
index 61b4b4359..3f47f51d9 100644
--- a/frontend/src/test/__snapshots__/security.test.ts.snap
+++ b/frontend/src/test/__snapshots__/security.test.ts.snap
@@ -51,7 +51,7 @@ exports[`SecuritySettingsSchema fixtures > parses tls-cert-file byte-stably 1`]
 "buildChain": false,
 "certificateFile": "/etc/ssl/certs/cdn.example.test.crt",
 "keyFile": "/etc/ssl/private/cdn.example.test.key",
- "ocspStapling": 3600,
+ "ocspStapling": 0,
 "oneTimeLoading": false,
 "usage": "encipherment",
 },