
feat(tls): add ocspStapling to certificate config

Expose the OCSP Stapling refresh interval (seconds) on the TLS
certificate object in the inbound security form, defaulting to 3600s
to match xray-core. Covers both file-backed and inline cert shapes.
MHSanaei vor 1 Tag
Ursprung
Commit
1a64d7e9de

+ 8 - 1
frontend/src/pages/inbounds/form/security/tls.tsx

@@ -1,5 +1,5 @@
 import { useTranslation } from 'react-i18next';
-import { Button, Form, Input, Radio, Select, Space, Switch } from 'antd';
+import { Button, Form, Input, InputNumber, Radio, Select, Space, Switch } from 'antd';
 import { MinusOutlined, PlusOutlined, ReloadOutlined } from '@ant-design/icons';
 
 import {
@@ -113,6 +113,7 @@ export default function TlsForm({
                   keyFile: '',
                   certificate: [],
                   key: [],
+                  ocspStapling: 3600,
                   oneTimeLoading: false,
                   usage: 'encipherment',
                   buildChain: false,
@@ -218,6 +219,12 @@ export default function TlsForm({
                     );
                   }}
                 </Form.Item>
+                <Form.Item
+                  name={[certField.name, 'ocspStapling']}
+                  label="OCSP Stapling"
+                >
+                  <InputNumber min={0} addonAfter="s" style={{ width: '50%' }} />
+                </Form.Item>
                 <Form.Item
                   name={[certField.name, 'oneTimeLoading']}
                   label={t('pages.inbounds.form.oneTimeLoading')}
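Review bot: The new `Form.Item` hard-codes `label="OCSP Stapling"`, while the neighbouring item uses `t('pages.inbounds.form.oneTimeLoading')`, so this label will never be translated. A key in the same namespace would keep the form consistent, for example `label={t('pages.inbounds.form.ocspStapling')}`; that key name is only a proposal and would have to be added to the locale files. The `InputNumber` sets `min={0}` but still accepts fractional input, so `precision={0}` would keep the value a whole number of seconds. If 0 is meant to switch the refresh off, a short tooltip saying so would help operators; the page does not show what 0 does. The enclosing form item list starts and ends outside this hunk.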

+ 1 - 0
frontend/src/pages/inbounds/form/useSecurityActions.ts

@@ -167,6 +167,7 @@ export function useSecurityActions({ form, setSaving, messageApi, nodeId }: UseS
         keyFile: '',
         certificate: [],
         key: [],
+        ocspStapling: 3600,
         oneTimeLoading: false,
         usage: 'encipherment',
         buildChain: false,

+ 2 - 0
frontend/src/schemas/protocols/security/tls.ts

@@ -34,6 +34,7 @@ export type TlsCertUsage = z.infer<typeof TlsCertUsageSchema>;
 export const TlsCertFileSchema = z.object({
   certificateFile: z.string().min(1),
   keyFile: z.string().min(1),
+  ocspStapling: z.number().default(3600),
   oneTimeLoading: z.boolean().default(false),
   usage: TlsCertUsageSchema.default('encipherment'),
   buildChain: z.boolean().default(false),
@@ -41,6 +42,7 @@ export const TlsCertFileSchema = z.object({
 export const TlsCertInlineSchema = z.object({
   certificate: z.array(z.string()),
   key: z.array(z.string()),
+  ocspStapling: z.number().default(3600),
   oneTimeLoading: z.boolean().default(false),
   usage: TlsCertUsageSchema.default('encipherment'),
   buildChain: z.boolean().default(false),
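Review bot: `ocspStapling: z.number().default(3600)` in `TlsCertFileSchema`, and the identical line in `TlsCertInlineSchema`, accepts negative and fractional values. The only lower bound is the `min={0}` on the form widget, which does not cover a config that reaches the schema without passing through the form, such as a stored or imported one. Constraining the field in both schemas, `ocspStapling: z.number().int().nonnegative().default(3600),`, rejects such values at parse time instead of handing them to the core as a refresh interval. The core presumably expects an unsigned integer number of seconds; confirm that against xray-core before also choosing an upper bound. Both schema objects continue outside the hunks shown.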

+ 5 - 0
frontend/src/test/__snapshots__/inbound-full.test.ts.snap

@@ -55,6 +55,7 @@ exports[`InboundSchema (full) fixtures > parses hysteria-v1-tls byte-stably 1`]
           "buildChain": false,
           "certificateFile": "/etc/ssl/certs/hysteria.crt",
           "keyFile": "/etc/ssl/private/hysteria.key",
+          "ocspStapling": 3600,
           "oneTimeLoading": false,
           "usage": "encipherment",
         },
@@ -193,6 +194,7 @@ exports[`InboundSchema (full) fixtures > parses trojan-ws-tls byte-stably 1`] =
           "buildChain": false,
           "certificateFile": "/etc/ssl/certs/trojan.crt",
           "keyFile": "/etc/ssl/private/trojan.key",
+          "ocspStapling": 3600,
           "oneTimeLoading": false,
           "usage": "encipherment",
         },
@@ -365,6 +367,7 @@ exports[`InboundSchema (full) fixtures > parses vless-ws-tls byte-stably 1`] = `
           "buildChain": false,
           "certificateFile": "/etc/ssl/certs/cdn.example.test.crt",
           "keyFile": "/etc/ssl/private/cdn.example.test.key",
+          "ocspStapling": 3600,
           "oneTimeLoading": false,
           "usage": "encipherment",
         },
@@ -453,6 +456,7 @@ exports[`InboundSchema (full) fixtures > parses vless-ws-tls-pinned byte-stably
           "buildChain": false,
           "certificateFile": "/etc/ssl/certs/cdn.example.test.crt",
           "keyFile": "/etc/ssl/private/cdn.example.test.key",
+          "ocspStapling": 3600,
           "oneTimeLoading": false,
           "usage": "encipherment",
         },
@@ -547,6 +551,7 @@ exports[`InboundSchema (full) fixtures > parses vmess-tcp-tls byte-stably 1`] =
           "buildChain": false,
           "certificateFile": "/etc/ssl/certs/vmess.crt",
           "keyFile": "/etc/ssl/private/vmess.key",
+          "ocspStapling": 3600,
           "oneTimeLoading": false,
           "usage": "encipherment",
         },

+ 1 - 0
frontend/src/test/__snapshots__/security.test.ts.snap

@@ -51,6 +51,7 @@ exports[`SecuritySettingsSchema fixtures > parses tls-cert-file byte-stably 1`]
         "buildChain": false,
         "certificateFile": "/etc/ssl/certs/cdn.example.test.crt",
         "keyFile": "/etc/ssl/private/cdn.example.test.key",
+        "ocspStapling": 3600,
         "oneTimeLoading": false,
         "usage": "encipherment",
       },