diff --git a/infra/conf/transport_internet.go b/infra/conf/transport_internet.go
index 7a86a08b..31701fe0 100644
--- a/infra/conf/transport_internet.go
+++ b/infra/conf/transport_internet.go
@@ -14,7 +14,6 @@ import (
 "strconv"
 "strings"
 "syscall"
- "time"
 "github.com/xtls/xray-core/common"
 "github.com/xtls/xray-core/common/errors"
@@ -651,10 +650,8 @@ type TLSConfig struct {
 MasterKeyLog string `json:"masterKeyLog"`
 PinnedPeerCertSha256 string `json:"pinnedPeerCertSha256"`
 VerifyPeerCertByName string `json:"verifyPeerCertByName"`
- VerifyPeerCertInNames []string `json:"verifyPeerCertInNames"`
 ECHServerKeys string `json:"echServerKeys"`
 ECHConfigList string `json:"echConfigList"`
- ECHForceQuery string `json:"echForceQuery"`
 ECHSocketSettings *SocketConfig `json:"echSockopt"`
 }
@@ -699,12 +696,7 @@ func (c *TLSConfig) Build() (proto.Message, error) {
 config.MasterKeyLog = c.MasterKeyLog
 if c.AllowInsecure {
- if time.Now().After(time.Date(2026, 6, 1, 0, 0, 0, 0, time.UTC)) {
- return nil, errors.PrintRemovedFeatureError(`"allowInsecure"`, `"pinnedPeerCertSha256"`)
- } else {
- errors.LogWarning(context.Background(), `"allowInsecure" will be removed automatically after 2026-06-01, please use "pinnedPeerCertSha256"(pcs) and "verifyPeerCertByName"(vcn) instead, PLEASE CONTACT YOUR SERVICE PROVIDER (AIRPORT)`)
- config.AllowInsecure = true
- }
+ return nil, errors.PrintRemovedFeatureError(`"allowInsecure"`, `"pinnedPeerCertSha256"(pcs) and "verifyPeerCertByName"(vcn)`)
 }
 if c.PinnedPeerCertSha256 != "" {
 for v := range strings.SplitSeq(c.PinnedPeerCertSha256, ",") {
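Review bot: Removing `VerifyPeerCertInNames` and `ECHForceQuery` from `TLSConfig` in the struct hunk at -651 leaves no trace of the `verifyPeerCertInNames` and `echForceQuery` keys, so a config that still sets them is probably accepted with the keys ignored; encoding/json drops unknown keys unless the decoder calls `DisallowUnknownFields`, and the loader is not visible here. Before this commit the first key failed `Build()` with `PrintRemovedFeatureError` and an invalid value for the second was rejected; those checks go away in the `Build()` hunks at -723 and -744. `allowInsecure` keeps its field so that it fails loudly, and the same treatment fits here: keep `VerifyPeerCertInNames []string` together with its `if c.VerifyPeerCertInNames != nil` rejection, since an operator who still lists names there gets no hint that the setting no longer does anything.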
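Review bot: The `if c.AllowInsecure` check in the `Build()` hunk at -699 is now the only reason the `AllowInsecure` field remains on `TLSConfig`, and nothing in the code records that. A later cleanup that deletes the apparently unused field would likely turn this hard failure into a silently ignored key. A comment above the check would pin the intent, for example `// Kept only to reject old configs: "allowInsecure" must fail the build, never be silently ignored.` A small test asserting that `Build()` returns an error when `allowInsecure` is true would guard the same property. `Build()` starts and ends outside this hunk.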
@@ -723,10 +715,6 @@ func (c *TLSConfig) Build() (proto.Message, error) {
 config.PinnedPeerCertSha256 = append(config.PinnedPeerCertSha256, hashValue)
 }
 }
-
- if c.VerifyPeerCertInNames != nil {
- return nil, errors.PrintRemovedFeatureError(`"verifyPeerCertInNames"`, `"verifyPeerCertByName"`)
- }
 if c.VerifyPeerCertByName != "" {
 for v := range strings.SplitSeq(c.VerifyPeerCertByName, ",") {
 v = strings.TrimSpace(v)
@@ -744,13 +732,6 @@ func (c *TLSConfig) Build() (proto.Message, error) {
 }
 config.EchServerKeys = EchPrivateKey
 }
- switch c.ECHForceQuery {
- case "none", "half", "full", "":
- config.EchForceQuery = c.ECHForceQuery
- default:
- return nil, errors.New(`invalid "echForceQuery": `, c.ECHForceQuery)
- }
- config.EchForceQuery = c.ECHForceQuery
 config.EchConfigList = c.ECHConfigList
 if c.ECHSocketSettings != nil {
 ss, err := c.ECHSocketSettings.Build()
diff --git a/transport/internet/tls/config.go b/transport/internet/tls/config.go
index 0c887804..9c860469 100644
--- a/transport/internet/tls/config.go
+++ b/transport/internet/tls/config.go
@@ -381,7 +381,6 @@ func (c *Config) GetTLSConfig(opts ...Option) *tls.Config {
 PinnedPeerCertSha256: c.PinnedPeerCertSha256,
 }
 config := &tls.Config{
- InsecureSkipVerify: c.AllowInsecure,
 Rand: randCarrier,
 ClientSessionCache: globalSessionCache,
 RootCAs: root,
diff --git a/transport/internet/tls/config.pb.go b/transport/internet/tls/config.pb.go
index 37628755..b622d5a6 100644
--- a/transport/internet/tls/config.pb.go
+++ b/transport/internet/tls/config.pb.go
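Review bot: With `InsecureSkipVerify: c.AllowInsecure` dropped from the `tls.Config` literal in `GetTLSConfig`, it is worth confirming that the replacement options named in the new `allowInsecure` error still work for a peer whose certificate does not chain to `RootCAs`. crypto/tls runs a `VerifyPeerCertificate` callback only after its own chain verification has succeeded unless `InsecureSkipVerify` is set, so however the `PinnedPeerCertSha256` check is wired, it would not be reached for a self-signed certificate if nothing else in the function sets that flag. The rest of `GetTLSConfig` is outside this hunk, so this may already be handled. Two tests would settle it in both directions: one handshake against a self-signed test server with only `pinnedPeerCertSha256` configured, and one asserting that a non-matching pin is rejected.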
@@ -177,8 +177,7 @@ func (x *Certificate) GetBuildChain() bool { } type Config struct { - state protoimpl.MessageState `protogen:"open.v1"` - AllowInsecure bool `protobuf:"varint,1,opt,name=allow_insecure,json=allowInsecure,proto3" json:"allow_insecure,omitempty"` + state protoimpl.MessageState `protogen:"open.v1"` // List of certificates to be served on server. Certificate []*Certificate `protobuf:"bytes,2,rep,name=certificate,proto3" json:"certificate,omitempty"` // Override server name. @@ -205,7 +204,6 @@ type Config struct { VerifyPeerCertByName []string `protobuf:"bytes,17,rep,name=verify_peer_cert_by_name,json=verifyPeerCertByName,proto3" json:"verify_peer_cert_by_name,omitempty"` EchServerKeys []byte `protobuf:"bytes,18,opt,name=ech_server_keys,json=echServerKeys,proto3" json:"ech_server_keys,omitempty"` EchConfigList string `protobuf:"bytes,19,opt,name=ech_config_list,json=echConfigList,proto3" json:"ech_config_list,omitempty"` - EchForceQuery string `protobuf:"bytes,20,opt,name=ech_force_query,json=echForceQuery,proto3" json:"ech_force_query,omitempty"` EchSocketSettings *internet.SocketConfig `protobuf:"bytes,21,opt,name=ech_socket_settings,json=echSocketSettings,proto3" json:"ech_socket_settings,omitempty"` PinnedPeerCertSha256 [][]byte `protobuf:"bytes,22,rep,name=pinned_peer_cert_sha256,json=pinnedPeerCertSha256,proto3" json:"pinned_peer_cert_sha256,omitempty"` unknownFields protoimpl.UnknownFields @@ -242,13 +240,6 @@ func (*Config) Descriptor() ([]byte, []int) { return file_transport_internet_tls_config_proto_rawDescGZIP(), []int{1} } -func (x *Config) GetAllowInsecure() bool { - if x != nil { - return x.AllowInsecure - } - return false -} - func (x *Config) GetCertificate() []*Certificate { if x != nil { return x.Certificate 
@@ -354,13 +345,6 @@ func (x *Config) GetEchConfigList() string { return "" } -func (x *Config) GetEchForceQuery() string { - if x != nil { - return x.EchForceQuery - } - return "" -} - func (x *Config) GetEchSocketSettings() *internet.SocketConfig { if x != nil { return x.EchSocketSettings @@ -393,9 +377,8 @@ const file_transport_internet_tls_config_proto_rawDesc = "" + "\x05Usage\x12\x10\n" + "\fENCIPHERMENT\x10\x00\x12\x14\n" + "\x10AUTHORITY_VERIFY\x10\x01\x12\x13\n" + - "\x0fAUTHORITY_ISSUE\x10\x02\"\xf5\x06\n" + - "\x06Config\x12%\n" + - "\x0eallow_insecure\x18\x01 \x01(\bR\rallowInsecure\x12J\n" + + "\x0fAUTHORITY_ISSUE\x10\x02\"\xa6\x06\n" + + "\x06Config\x12J\n" + "\vcertificate\x18\x02 \x03(\v2(.xray.transport.internet.tls.CertificateR\vcertificate\x12\x1f\n" + "\vserver_name\x18\x03 \x01(\tR\n" + "serverName\x12#\n" + @@ -413,8 +396,7 @@ const file_transport_internet_tls_config_proto_rawDesc = "" + "\x11curve_preferences\x18\x10 \x03(\tR\x10curvePreferences\x126\n" + "\x18verify_peer_cert_by_name\x18\x11 \x03(\tR\x14verifyPeerCertByName\x12&\n" + "\x0fech_server_keys\x18\x12 \x01(\fR\rechServerKeys\x12&\n" + - "\x0fech_config_list\x18\x13 \x01(\tR\rechConfigList\x12&\n" + - "\x0fech_force_query\x18\x14 \x01(\tR\rechForceQuery\x12U\n" + + "\x0fech_config_list\x18\x13 \x01(\tR\rechConfigList\x12U\n" + "\x13ech_socket_settings\x18\x15 \x01(\v2%.xray.transport.internet.SocketConfigR\x11echSocketSettings\x125\n" + "\x17pinned_peer_cert_sha256\x18\x16 \x03(\fR\x14pinnedPeerCertSha256Bs\n" + "\x1fcom.xray.transport.internet.tlsP\x01Z0github.com/xtls/xray-core/transport/internet/tls\xaa\x02\x1bXray.Transport.Internet.Tlsb\x06proto3" diff --git a/transport/internet/tls/config.proto b/transport/internet/tls/config.proto index 45928226..a05cc049 100644 --- a/transport/internet/tls/config.proto +++ b/transport/internet/tls/config.proto 
@@ -38,7 +38,7 @@ message Certificate {
 }
 message Config {
- bool allow_insecure = 1;
+ // Number 1 was assigned and used by an legacy option.
 // List of certificates to be served on server.
 repeated Certificate certificate = 2;
@@ -81,8 +81,7 @@ message Config {
 string ech_config_list = 19;
- // Deprecated
- string ech_force_query = 20;
+ // Number 20 was assigned and used by an legacy option.
 SocketConfig ech_socket_settings = 21;
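Review bot: The comments that replace `allow_insecure = 1` in this hunk and `ech_force_query = 20` in the hunk at -81 do not stop either number from being reused; protobuf's `reserved` statement does, and protoc then rejects any later field that takes the number or the name. Suggest adding `reserved 1, 20;` and `reserved "allow_insecure", "ech_force_query";` inside `message Config`, keeping the comments as the explanation. Reuse matters most for field 1: a stored or forwarded config that still carries `allow_insecure = true` would decode into whatever varint field later takes that number. Minor wording in both comments: "an legacy option" should read "a legacy option".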