From b607f96e27d9b0639c9b2755c1b10cabf9339778 Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <dgustafsson@postgresql.org>
Date: Mon, 1 Jun 2026 14:14:07 +0200
Subject: [PATCH v2 1/4] ssl: Remove static var tracking tls_init_hook warnings

If the TLS init hook is defined in conjunction with ssl_sni we
issue a warning to help the user re-configure the cluster.  To
avoid drowning the log in warnings, we log only once instead of
once per host.  This removes the static variable tracking the
warning to aid future multithreading efforts.

Author: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: Tristan Partin <tristan@partin.io>
Reviewed-by: Andreas Karlsson <andreas@proxel.se>
Discussion: https://postgr.es/m/68B9881D-DAA8-467D-A251-C96E98E57BA0@yesql.se
---
 src/backend/libpq/be-secure-openssl.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 4ce2a92b964..0a13b8aa922 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -98,7 +98,8 @@ static bool initialize_dh(SSL_CTX *context, bool isServerStart);
 static bool initialize_ecdh(SSL_CTX *context, bool isServerStart);
 static const char *SSLerrmessageExt(unsigned long ecode, const char *replacement);
 static const char *SSLerrmessage(unsigned long ecode);
-static bool init_host_context(HostsLine *host, bool isServerStart);
+static bool init_host_context(HostsLine *host, bool isServerStart, bool *hasWarned)
+			pg_attribute_nonnull(3);
 static void host_context_cleanup_cb(void *arg);
 #ifdef HAVE_SSL_CTX_SET_CLIENT_HELLO_CB
 static int	sni_clienthello_cb(SSL *ssl, int *al, void *arg);
@@ -160,6 +161,7 @@ be_tls_init(bool isServerStart)
 	int			ssl_ver_min = -1;
 	int			ssl_ver_max = -1;
 	host_cache_hash *host_cache = NULL;
+	bool		hasWarned = false;
 
 	/*
 	 * Since we don't know which host we're using until the ClientHello is
@@ -249,7 +251,7 @@ be_tls_init(bool isServerStart)
 		{
 			HostsLine  *host = lfirst(line);
 
-			if (!init_host_context(host, isServerStart))
+			if (!init_host_context(host, isServerStart, &hasWarned))
 				goto error;
 
 			/*
@@ -344,7 +346,7 @@ be_tls_init(bool isServerStart)
 		pgconf->ssl_passphrase_cmd = ssl_passphrase_command;
 		pgconf->ssl_passphrase_reload = ssl_passphrase_command_supports_reload;
 
-		if (!init_host_context(pgconf, isServerStart))
+		if (!init_host_context(pgconf, isServerStart, &hasWarned))
 			goto error;
 
 		/*
@@ -609,10 +611,11 @@ host_context_cleanup_cb(void *arg)
 }
 
 static bool
-init_host_context(HostsLine *host, bool isServerStart)
+init_host_context(HostsLine *host, bool isServerStart, bool *hasWarned)
 {
 	SSL_CTX    *ctx = SSL_CTX_new(SSLv23_method());
-	static bool init_warned = false;
+
+	Assert(hasWarned);
 
 	if (!ctx)
 	{
@@ -634,7 +637,7 @@ init_host_context(HostsLine *host, bool isServerStart)
 		(*openssl_tls_init_hook) (ctx, isServerStart);
 	else
 	{
-		if (openssl_tls_init_hook != default_openssl_tls_init && !init_warned)
+		if (openssl_tls_init_hook != default_openssl_tls_init && !*hasWarned)
 		{
 			ereport(WARNING,
 					errcode(ERRCODE_CONFIG_FILE_ERROR),
@@ -645,7 +648,7 @@ init_host_context(HostsLine *host, bool isServerStart)
 							"that is currently installed, or remove the hook "
 							"and use per-host passphrase commands in \"%s\".",
 							"ssl_sni", HostsFileName));
-			init_warned = true;
+			*hasWarned = true;
 		}
 
 		/*
-- 
2.39.3 (Apple Git-146)

