Hello! The problem the patch tries to solve is real, but after some testing I see several gaps/problems with the current implementation:

1. It seems to break TLS 1.3 HelloRetryRequest, as it tries to add the second certificate with override=0. The connection then fails with "SSL error: tlsv1 alert internal error", and the server log shows "could not update certificate chain: not replacing certificate" / "failed to switch to SSL configuration for host, terminating connection".

2. The global ssl_alt_* GUCs are loaded into every pg_hosts context. If the SNI cert is a different type, it loads the alternative certificates as alternatives; if it is the same type, it replaces the host's entry.

3. pg_hosts/SNI has no support for the new GUCs, so there is no way to configure per-host versions of the feature. Shouldn't the patch include proper support for SNI?

4. Shouldn't alternative certificates load the entire chain, not just the first block?

5. If both have the same type, the alternate certificate silently replaces the primary one. Shouldn't that result in a startup error instead?

6. Won't this cause a build failure with LibreSSL, or older OpenSSL?
