From 7f772de88c532be9637f6c018af9b1c30b0a80d3 Mon Sep 17 00:00:00 2001
From: wwqgtxx
Date: Fri, 6 Mar 2026 17:52:06 +0800
Subject: [PATCH] chore: simplify masque certificate verification

---
 transport/masque/masque.go | 17 +++--------------
 1 file changed, 3 insertions(+), 14 deletions(-)

diff --git a/transport/masque/masque.go b/transport/masque/masque.go
index df11eb19..12552aba 100644
--- a/transport/masque/masque.go
+++ b/transport/masque/masque.go
@@ -66,25 +66,14 @@ func PrepareTlsConfig(privKey *ecdsa.PrivateKey, peerPubKey *ecdsa.PublicKey, sn
 // WARN: SNI is usually not for the endpoint, so we must skip verification
 InsecureSkipVerify: true,
 // we pin to the endpoint public key
- VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
- if len(rawCerts) == 0 {
- return nil
- }
-
+ VerifyConnection: func(cs tls.ConnectionState) error {
 var err error
- for _, v := range rawCerts {
- cert, er := x509.ParseCertificate(v)
- if er != nil {
- err = errors.Join(err, er)
- continue
- }
-
- if er = verfiyCert(cert); er != nil {
+ for _, cert := range cs.PeerCertificates {
+ if er := verfiyCert(cert); er != nil {
 err = errors.Join(err, er)
 continue
 }
 }
-
 return err
 },
 }
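Review bot: With `InsecureSkipVerify: true` the new `VerifyConnection` callback is the only peer authentication on this config, and it still returns nil when `cs.PeerCertificates` is empty because the loop body never runs. Go's TLS client is expected to reject an empty certificate message before the callback fires, but the pin should fail closed on its own: `if len(cs.PeerCertificates) == 0 { return errors.New("masque: peer presented no certificate") }` placed ahead of the loop. The loop requires every presented certificate to pass `verfiyCert`, which is what keeps the leaf covered; a short comment stating that (or checking `cs.PeerCertificates[0]` alone) would protect the pin from a later refactor to any-match semantics. The trailing `continue` inside the loop is now redundant and can be dropped. `PrepareTlsConfig` begins and ends outside this hunk and `verfiyCert` is not visible here, so what the pin actually compares is assumed from the `// we pin to the endpoint public key` comment.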