From 1a64d7e9debe4fae277ef36812766a5082e84fb1 Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Wed, 3 Jun 2026 17:49:36 +0200
Subject: [PATCH] feat(tls): add ocspStapling to certificate config

Expose the OCSP Stapling refresh interval (seconds) on the TLS
certificate object in the inbound security form, defaulting to 3600s
to match xray-core. Covers both file-backed and inline cert shapes.
---
 frontend/src/pages/inbounds/form/security/tls.tsx        | 9 ++++++++-
 frontend/src/pages/inbounds/form/useSecurityActions.ts   | 1 +
 frontend/src/schemas/protocols/security/tls.ts           | 2 ++
 .../src/test/__snapshots__/inbound-full.test.ts.snap     | 5 +++++
 frontend/src/test/__snapshots__/security.test.ts.snap    | 1 +
 5 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/frontend/src/pages/inbounds/form/security/tls.tsx b/frontend/src/pages/inbounds/form/security/tls.tsx
index bcf4b9dd..d2550eb7 100644
--- a/frontend/src/pages/inbounds/form/security/tls.tsx
+++ b/frontend/src/pages/inbounds/form/security/tls.tsx
@@ -1,5 +1,5 @@
 import { useTranslation } from 'react-i18next';
-import { Button, Form, Input, Radio, Select, Space, Switch } from 'antd';
+import { Button, Form, Input, InputNumber, Radio, Select, Space, Switch } from 'antd';
 import { MinusOutlined, PlusOutlined, ReloadOutlined } from '@ant-design/icons';
 
 import {
@@ -113,6 +113,7 @@ export default function TlsForm({
                   keyFile: '',
                   certificate: [],
                   key: [],
+                  ocspStapling: 3600,
                   oneTimeLoading: false,
                   usage: 'encipherment',
                   buildChain: false,
@@ -218,6 +219,12 @@ export default function TlsForm({
                     );
                   }}
                 </Form.Item>
+                <Form.Item
+                  name={[certField.name, 'ocspStapling']}
+                  label="OCSP Stapling"
+                >
+                  <InputNumber min={0} addonAfter="s" style={{ width: '50%' }} />
+                </Form.Item>
                 <Form.Item
                   name={[certField.name, 'oneTimeLoading']}
                   label={t('pages.inbounds.form.oneTimeLoading')}
diff --git a/frontend/src/pages/inbounds/form/useSecurityActions.ts b/frontend/src/pages/inbounds/form/useSecurityActions.ts
index 863d6aac..d9902511 100644
--- a/frontend/src/pages/inbounds/form/useSecurityActions.ts
+++ b/frontend/src/pages/inbounds/form/useSecurityActions.ts
@@ -167,6 +167,7 @@ export function useSecurityActions({ form, setSaving, messageApi, nodeId }: UseS
         keyFile: '',
         certificate: [],
         key: [],
+        ocspStapling: 3600,
         oneTimeLoading: false,
         usage: 'encipherment',
         buildChain: false,
diff --git a/frontend/src/schemas/protocols/security/tls.ts b/frontend/src/schemas/protocols/security/tls.ts
index f4d0db4c..ce3d2f37 100644
--- a/frontend/src/schemas/protocols/security/tls.ts
+++ b/frontend/src/schemas/protocols/security/tls.ts
@@ -34,6 +34,7 @@ export type TlsCertUsage = z.infer<typeof TlsCertUsageSchema>;
 export const TlsCertFileSchema = z.object({
   certificateFile: z.string().min(1),
   keyFile: z.string().min(1),
+  ocspStapling: z.number().default(3600),
   oneTimeLoading: z.boolean().default(false),
   usage: TlsCertUsageSchema.default('encipherment'),
   buildChain: z.boolean().default(false),
@@ -41,6 +42,7 @@ export const TlsCertFileSchema = z.object({
 export const TlsCertInlineSchema = z.object({
   certificate: z.array(z.string()),
   key: z.array(z.string()),
+  ocspStapling: z.number().default(3600),
   oneTimeLoading: z.boolean().default(false),
   usage: TlsCertUsageSchema.default('encipherment'),
   buildChain: z.boolean().default(false),
diff --git a/frontend/src/test/__snapshots__/inbound-full.test.ts.snap b/frontend/src/test/__snapshots__/inbound-full.test.ts.snap
index ad05df11..f162cadc 100644
--- a/frontend/src/test/__snapshots__/inbound-full.test.ts.snap
+++ b/frontend/src/test/__snapshots__/inbound-full.test.ts.snap
@@ -55,6 +55,7 @@ exports[`InboundSchema (full) fixtures > parses hysteria-v1-tls byte-stably 1`]
           "buildChain": false,
           "certificateFile": "/etc/ssl/certs/hysteria.crt",
           "keyFile": "/etc/ssl/private/hysteria.key",
+          "ocspStapling": 3600,
           "oneTimeLoading": false,
           "usage": "encipherment",
         },
@@ -193,6 +194,7 @@ exports[`InboundSchema (full) fixtures > parses trojan-ws-tls byte-stably 1`] =
           "buildChain": false,
           "certificateFile": "/etc/ssl/certs/trojan.crt",
           "keyFile": "/etc/ssl/private/trojan.key",
+          "ocspStapling": 3600,
           "oneTimeLoading": false,
           "usage": "encipherment",
         },
@@ -365,6 +367,7 @@ exports[`InboundSchema (full) fixtures > parses vless-ws-tls byte-stably 1`] = `
           "buildChain": false,
           "certificateFile": "/etc/ssl/certs/cdn.example.test.crt",
           "keyFile": "/etc/ssl/private/cdn.example.test.key",
+          "ocspStapling": 3600,
           "oneTimeLoading": false,
           "usage": "encipherment",
         },
@@ -453,6 +456,7 @@ exports[`InboundSchema (full) fixtures > parses vless-ws-tls-pinned byte-stably
           "buildChain": false,
           "certificateFile": "/etc/ssl/certs/cdn.example.test.crt",
           "keyFile": "/etc/ssl/private/cdn.example.test.key",
+          "ocspStapling": 3600,
           "oneTimeLoading": false,
           "usage": "encipherment",
         },
@@ -547,6 +551,7 @@ exports[`InboundSchema (full) fixtures > parses vmess-tcp-tls byte-stably 1`] =
           "buildChain": false,
           "certificateFile": "/etc/ssl/certs/vmess.crt",
           "keyFile": "/etc/ssl/private/vmess.key",
+          "ocspStapling": 3600,
           "oneTimeLoading": false,
           "usage": "encipherment",
         },
diff --git a/frontend/src/test/__snapshots__/security.test.ts.snap b/frontend/src/test/__snapshots__/security.test.ts.snap
index b37aabd3..b4b488e5 100644
--- a/frontend/src/test/__snapshots__/security.test.ts.snap
+++ b/frontend/src/test/__snapshots__/security.test.ts.snap
@@ -51,6 +51,7 @@ exports[`SecuritySettingsSchema fixtures > parses tls-cert-file byte-stably 1`]
         "buildChain": false,
         "certificateFile": "/etc/ssl/certs/cdn.example.test.crt",
         "keyFile": "/etc/ssl/private/cdn.example.test.key",
+        "ocspStapling": 3600,
         "oneTimeLoading": false,
         "usage": "encipherment",
       },