diff --git a/Tun/Punchnet/Actors/SDLContextActor.swift b/Tun/Punchnet/Actors/SDLContextActor.swift
index a9bfb84..5b09b25 100644
--- a/Tun/Punchnet/Actors/SDLContextActor.swift
+++ b/Tun/Punchnet/Actors/SDLContextActor.swift
@@ -755,11 +755,11 @@ actor SDLContextActor {
 // 网络改变时需要重新配置网络信息
 private func setNetworkSettings(networkAddress: SDLConfiguration.NetworkAddress, dnsServer: String) async throws {
+ // 配置路由规则
 let routes: [NEIPv4Route] = [
 NEIPv4Route(destinationAddress: networkAddress.netAddress, subnetMask: networkAddress.maskAddress),
 NEIPv4Route(destinationAddress: dnsServer, subnetMask: "255.255.255.255"),
- // TODO测试代码
 NEIPv4Route(destinationAddress: "172.16.1.0", subnetMask: "255.255.255.0"),
 ]
diff --git a/Tun/Punchnet/Actors/SDLQuicClient.swift b/Tun/Punchnet/Actors/SDLQuicClient.swift
index c5c9eab..f151d7b 100644
--- a/Tun/Punchnet/Actors/SDLQuicClient.swift
+++ b/Tun/Punchnet/Actors/SDLQuicClient.swift
@@ -50,7 +50,7 @@ final class SDLQUICClient {
 options.securityProtocolOptions,
 { metadata, trust, complete in
 // 执行公钥校验
- complete(QUICVerifier.verify(trust: trust))
+ complete(QUICVerifier.verify(trust: trust, host: host))
 },
 self.queue
 )
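Review bot: The hard-coded `172.16.1.0/24` route stays on the new side of the SDLContextActor hunk while the `// TODO测试代码` marker that identified it as test code is removed, so a test-only route that steers that whole subnet into the tunnel now reads as intentional configuration. Either drop the `NEIPv4Route(destinationAddress: "172.16.1.0", subnetMask: "255.255.255.0")` entry together with its comment, or keep an explicit marker such as `// TEST ONLY: remove before release` and, preferably, source the route from the configuration the way `networkAddress` and `dnsServer` are rather than from a literal. The body of setNetworkSettings continues outside the hunk.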
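Review bot: The verify block in the SDLQUICClient hunk now passes `host` into the pinning check, but the hunk does not show where that value comes from, and the verifier it calls builds an SSL policy from the string and re-evaluates the chain against it (see `SecPolicyCreateSSL(true, host as CFString)` later in this diff), so `host` must be the server name the client intends to reach rather than something derived from the peer or from untrusted input. A comment at the call site would make that contract visible, e.g. `// host: expected server name; QUICVerifier evaluates the chain against an SSL policy for it`. The enclosing declaration starts and ends outside the hunk.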
@@ -285,33 +285,43 @@ extension SDLQUICClient {
 enum QUICVerifier {
 // 你的 Base64 公钥指纹
 static let pinnedPublicKeyHashes = [
- "Z2S0VNhlCqelkqTXxZNY39icMu622SfKhxXi3qi5fFA="
+ "Q41r6hbMWEVyxo6heNAH4Wx/TH5NNOWlNif9bewcJ3E="
 ]
- static func verify(trust: sec_trust_t) -> Bool {
+ static func verify(trust: sec_trust_t, host: String) -> Bool {
 let secTrust = sec_trust_copy_ref(trust).takeRetainedValue()
- // --- 修复部分:使用 macOS 12+ 的新 API ---
- // SecTrustCopyCertificateChain 会返回一个 CFArray,包含整个证书链
+ // --- Step 1: 系统验证 ---
+ var error: CFError?
+ guard SecTrustEvaluateWithError(secTrust, &error) else {
+ SDLLogger.shared.log("❌ 系统证书验证失败: \(error?.localizedDescription ?? "未知错误")")
+ return false
+ }
+
+ // --- Step 2: 主机名验证 ---
+ let policy = SecPolicyCreateSSL(true, host as CFString)
+ SecTrustSetPolicies(secTrust, policy)
+
+ guard SecTrustEvaluateWithError(secTrust, &error) else {
+ SDLLogger.shared.log("❌ 主机名校验失败: \(error?.localizedDescription ?? "未知错误")")
+ return false
+ }
+
+ // --- Step 3: 获取叶子证书 ---
 guard let chain = SecTrustCopyCertificateChain(secTrust) as? [SecCertificate],
 let leafCertificate = chain.first else {
 SDLLogger.shared.log("❌ 无法获取证书链或叶子证书")
 return false
 }
- // 提取公钥
- guard let publicKey = SecCertificateCopyKey(leafCertificate) else {
- SDLLogger.shared.log("❌ 无法从证书中提取公钥")
+ // --- Step 4: 提取公钥 ---
+ guard let publicKey = SecCertificateCopyKey(leafCertificate),
+ let publicKeyData = SecKeyCopyExternalRepresentation(publicKey, nil) as Data? else {
+ SDLLogger.shared.log("❌ 无法提取公钥")
 return false
 }
- // 导出公钥原始数据 (SubjectPublicKeyInfo)
- guard let publicKeyData = SecKeyCopyExternalRepresentation(publicKey, nil) as Data? else {
- SDLLogger.shared.log("❌ 无法导出公钥数据")
- return false
- }
-
- // 计算哈希并比对
+ // --- Step 5: SHA256 校验 ---
 let hash = SHA256.hash(data: publicKeyData)
 let hashBase64 = Data(hash).base64EncodedString()