Add pinnedPeerCertSha256 support to TLS settings

Introduces the pinnedPeerCertSha256 field to TlsStreamSettings in the JS model and adds a corresponding input in the TLS settings form. This allows users to specify SHA256 fingerprints for peer certificate pinning, enhancing security configuration options. Co-authored-by: MHSanaei <ho3ein.sanaei@gmail.com>
2026-03-13 21:13:09 +00:00 · 2026-02-01 10:51:38 +01:00
parent 8ba7f73736
commit 94c4becb34
2 changed files with 10 additions and 0 deletions
--- a/web/assets/js/model/inbound.js
+++ b/web/assets/js/model/inbound.js
@@ -596,6 +596,7 @@ class TlsStreamSettings extends XrayCommonClass {
        maxVersion = TLS_VERSION_OPTION.TLS13,
        cipherSuites = '',
        rejectUnknownSni = false,
+        pinnedPeerCertSha256 = [],
        disableSystemRoot = false,
        enableSessionResumption = false,
        certificates = [new TlsStreamSettings.Cert()],
@@ -610,6 +611,7 @@ class TlsStreamSettings extends XrayCommonClass {
        this.maxVersion = maxVersion;
        this.cipherSuites = cipherSuites;
        this.rejectUnknownSni = rejectUnknownSni;
+        this.pinnedPeerCertSha256 = pinnedPeerCertSha256;
        this.disableSystemRoot = disableSystemRoot;
        this.enableSessionResumption = enableSessionResumption;
        this.certs = certificates;
@@ -643,6 +645,7 @@ class TlsStreamSettings extends XrayCommonClass {
            json.maxVersion,
            json.cipherSuites,
            json.rejectUnknownSni,
+            json.pinnedPeerCertSha256 || [],
            json.disableSystemRoot,
            json.enableSessionResumption,
            certs,
@@ -660,6 +663,7 @@ class TlsStreamSettings extends XrayCommonClass {
            maxVersion: this.maxVersion,
            cipherSuites: this.cipherSuites,
            rejectUnknownSni: this.rejectUnknownSni,
+            pinnedPeerCertSha256: this.pinnedPeerCertSha256.length > 0 ? this.pinnedPeerCertSha256 : undefined,
            disableSystemRoot: this.disableSystemRoot,
            enableSessionResumption: this.enableSessionResumption,
            certificates: TlsStreamSettings.toJsonArray(this.certs),
--- a/web/html/xui/form/tls_settings.html
+++ b/web/html/xui/form/tls_settings.html
@@ -58,6 +58,12 @@
        <a-form-item label="Session Resumption">
        <a-switch v-model="inbound.stream.tls.enableSessionResumption"></a-switch>
        </a-form-item>
+        <a-form-item label="Pinned Peer Cert">
+        <a-select mode="tags" v-model="inbound.stream.tls.pinnedPeerCertSha256"
+            :dropdown-class-name="themeSwitcher.currentTheme"
+            placeholder="Enter SHA256 fingerprints (base64)">
+        </a-select>
+        </a-form-item>
        <a-divider :style="{ margin: '0' }"></a-divider>
        <template v-for="cert,index in inbound.stream.tls.certs">
            <a-form-item label='{{ i18n "certificate" }}'>