From 9d603c5ad20503c11e6b79aa8e0203d45e835358 Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Sun, 1 Feb 2026 03:12:54 +0100
Subject: Add pinnedPeerCertSha256 support to TLS settings

Introduces the pinnedPeerCertSha256 field to TlsStreamSettings in the JS model and adds a corresponding input in the TLS settings form. This allows users to specify SHA256 fingerprints for peer certificate pinning, enhancing security configuration options.
---
 web/assets/js/model/inbound.js | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'web/assets')

diff --git a/web/assets/js/model/inbound.js b/web/assets/js/model/inbound.js
index 47f32f5c..1e3c0357 100644
--- a/web/assets/js/model/inbound.js
+++ b/web/assets/js/model/inbound.js
@@ -597,6 +597,7 @@ class TlsStreamSettings extends XrayCommonClass {
         cipherSuites = '',
         rejectUnknownSni = false,
         verifyPeerCertByName = ['dns.google', 'cloudflare-dns.com'],
+        pinnedPeerCertSha256 = [],
         disableSystemRoot = false,
         enableSessionResumption = false,
         certificates = [new TlsStreamSettings.Cert()],
@@ -612,6 +613,7 @@ class TlsStreamSettings extends XrayCommonClass {
         this.cipherSuites = cipherSuites;
         this.rejectUnknownSni = rejectUnknownSni;
         this.verifyPeerCertByName = Array.isArray(verifyPeerCertByName) ? verifyPeerCertByName.join(",") : verifyPeerCertByName;
+        this.pinnedPeerCertSha256 = pinnedPeerCertSha256;
         this.disableSystemRoot = disableSystemRoot;
         this.enableSessionResumption = enableSessionResumption;
         this.certs = certificates;
@@ -646,6 +648,7 @@ class TlsStreamSettings extends XrayCommonClass {
             json.cipherSuites,
             json.rejectUnknownSni,
             json.verifyPeerCertByName,
+            json.pinnedPeerCertSha256 || [],
             json.disableSystemRoot,
             json.enableSessionResumption,
             certs,
@@ -664,6 +667,7 @@ class TlsStreamSettings extends XrayCommonClass {
             cipherSuites: this.cipherSuites,
             rejectUnknownSni: this.rejectUnknownSni,
             verifyPeerCertByName: this.verifyPeerCertByName.split(","),
+            pinnedPeerCertSha256: this.pinnedPeerCertSha256.length > 0 ? this.pinnedPeerCertSha256 : undefined,
             disableSystemRoot: this.disableSystemRoot,
             enableSessionResumption: this.enableSessionResumption,
             certificates: TlsStreamSettings.toJsonArray(this.certs),
-- 
cgit v1.2.3