Files
3x-ui/frontend/src/lib/xray/inbound-tls-defaults.ts
T
MHSanaei 39774a6a38 fix(tls): default OCSP stapling to off for new inbound certs
Certs without an OCSP responder URL (e.g. Let's Encrypt, which dropped OCSP in 2025) made xray log 'ignoring invalid OCSP: no OCSP server specified in cert' on every refresh. Default the per-cert ocspStapling interval to 0 (disabled) so new inbounds stay quiet; the field is kept for certs that do support stapling.
2026-06-21 19:15:57 +02:00

35 lines
958 B
TypeScript

import { TlsStreamSettingsSchema } from '@/schemas/protocols/security/tls';
function defaultCertificate(): Record<string, unknown> {
return {
useFile: true,
certificateFile: '',
keyFile: '',
certificate: [],
key: [],
ocspStapling: 0,
oneTimeLoading: false,
usage: 'encipherment',
buildChain: false,
};
}
export function createTlsSettingsWithDefaultCert(): Record<string, unknown> {
const tls = TlsStreamSettingsSchema.parse({}) as Record<string, unknown>;
tls.certificates = [defaultCertificate()];
return tls;
}
export function createHysteriaTlsSettingsWithDefaultCert(): Record<string, unknown> {
const tls = createTlsSettingsWithDefaultCert();
tls.alpn = ['h3'];
const settings = tls.settings && typeof tls.settings === 'object' && !Array.isArray(tls.settings)
? { ...(tls.settings as Record<string, unknown>) }
: {};
settings.fingerprint = '';
tls.settings = settings;
return tls;
}