
Feature Request: Add Certificate Pinning Support for ShadowTLS (Mitigate State-Level TLS MITM Risk) #134

@nomae123


Some recently leaked GFW internal documents (https://gfw.report/blog/geedge_and_mesa_leak/en/) indicate that state-level MITM systems may intercept TLS traffic by using their own trusted root certificates to re-sign TLS connections.
Since ShadowTLS relies on connecting to a real TLS server, this creates a risk: if a forged certificate is presented by a MITM TLS proxy, ShadowTLS v3 cannot currently detect it.

To improve security in hostile networks, I would like to request support for certificate pinning (e.g., SHA-256 SPKI or certificate hash). This would ensure ShadowTLS only accepts the genuine certificate of the backend site and becomes more resistant to active interception.

Thank you for considering this feature.
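
The two pin types named in the request behave differently, as this added example shows (it is not ShadowTLS code and not part of the original issue): an SPKI pin still matches after the backend renews its certificate with the same key, a whole-certificate hash does not, and a certificate re-signed with another key fails the check. All function names and the sample certificates are assumptions; the samples are constructed DER skeletons, not real certificates.

```python
import base64, hashlib, hmac

def read_tlv(buf, off):  # -> (tag, value_start, value_end) of the DER element at off
    tag, length, pos = *buf[off:off + 2], off + 2   # ValueError if the header is cut off
    if length & 0x80:                    # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_der(cert):  # SubjectPublicKeyInfo element (header included) of a DER certificate
    _, pos, _ = read_tlv(cert, 0)        # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, pos)      # TBSCertificate SEQUENCE
    tag, _, nxt = read_tlv(cert, pos)
    pos = nxt if tag == 0xA0 else pos    # skip the optional [0] version
    for _field in range(5):              # serial, sigalg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    tag, _, end = read_tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert[pos:end]

def spki_pin(cert):  # base64(SHA-256(SPKI)): survives renewal with the same key
    return base64.b64encode(hashlib.sha256(spki_der(cert)).digest()).decode()

def cert_pin(cert):  # hex SHA-256 of the whole certificate: changes on every reissue
    return hashlib.sha256(cert).hexdigest()

def is_pinned(cert, pins):
    return any(hmac.compare_digest(spki_pin(cert), p) for p in pins)

def tlv(tag, body):  # minimal DER encoder for the constructed samples (< 256 bytes)
    hdr = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + hdr + body

def sample_cert(serial, key):  # constructed skeleton, not a real certificate
    seq = lambda *parts: tlv(0x30, b"".join(parts))
    alg = seq(tlv(0x06, bytes.fromhex("2a8648ce3d040302")))  # placeholder AlgorithmIdentifier
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, bytes([serial])), alg,
              seq(), seq(), seq(), seq(alg, tlv(0x03, b"\x00" + key)))
    return seq(tbs, alg, tlv(0x03, b"\x00sig"))           # dummy signature bytes

GENUINE = sample_cert(1, b"\x04" + b"A" * 64)    # backend's certificate
RENEWED = sample_cert(2, b"\x04" + b"A" * 64)    # reissued, same key pair
RESIGNED = sample_cert(1, b"\x04" + b"B" * 64)   # re-signed by an interceptor, new key
PINS = [spki_pin(GENUINE)]
```

In a client, the bytes passed to `is_pinned` would be the DER leaf certificate received in the handshake, and a failed check would abort the connection.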
