Re: [PATCH v1] Add ssl_alt_cert_file/ssl_alt_key_file for dual RSA+ECDSA certificate support

From: Zsolt Parragi <zsolt(dot)parragi(at)percona(dot)com>
To: pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: [PATCH v1] Add ssl_alt_cert_file/ssl_alt_key_file for dual RSA+ECDSA certificate support
Date: 2026-06-12 20:39:27
Message-ID: CAN4CZFPZzFvaZm49ysA1zJAqzKaX50OqF+kZUot1gx_6LbDkkQ@mail.gmail.com
Lists: pgsql-hackers

Hello!

The problem the patch tries to solve is real, but after some testing I
see several gaps/problems with the current implementation:

1. It seems to break TLS 1.3 HelloRetryRequest, as it tries to add the
second certificate with override=0. The connection then fails with "SSL
error: tlsv1 alert internal error", and the server log shows "could not
update certificate chain: not replacing certificate" / "failed to switch
to SSL configuration for host, terminating connection".

2. The global ssl_alt_* GUCs are loaded into every pg_hosts context.
If the SNI cert is a different type, it loads the alternative
certificates as alternatives; if it's the same type, it replaces the
host's entry.

3. pg_hosts/SNI has no support for the new GUCs; there's no way to
configure per-host versions of the feature. Shouldn't the patch
include proper support for SNI?

4. Shouldn't alternative certificates load the entire chain, not just
the first block?

5. If both have the same type, the alternate certificate silently
replaces the primary one. Shouldn't that result in a startup error
instead?

6. Won't this cause build failure with LibreSSL, or older OpenSSL?
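Points 4 and 5 above amount to a configuration check that could run at startup: the alternate file must hold a leaf whose key type differs from the primary's, and the whole chain behind that leaf should be counted, not just the first PEM block. The following is an added example written for this thread, not code from the patch or from PostgreSQL. It inspects the PEM files directly with a minimal DER walker so it runs offline; the two sample "certificates" are synthetic, unsigned DER structures constructed in the block (real certificates parse the same way, since only the SubjectPublicKeyInfo algorithm OID is read), and the GUC names in the messages are taken from the patch subject line.

```python
"""Startup check for a primary + alternate server certificate pair.

Added example, not part of the patch under review. Parses PEM/DER itself
(no OpenSSL binding needed) and decides whether an ssl_alt_cert_file
actually complements ssl_cert_file or would just replace it.
"""
import base64
import re

# OBJECT IDENTIFIER content bytes of the two public-key algorithms we distinguish.
OID_RSA = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
OID_EC = bytes.fromhex("2a8648ce3d0201")        # 1.2.840.10045.2.1   id-ecPublicKey

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der(tag, content):
    """Encode one DER TLV with a definite length (content up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def der_read(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def der_children(content):
    """List the (tag, content) TLVs directly inside a SEQUENCE/SET body."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out


def key_algorithm(cert_der):
    """Return 'RSA', 'ECDSA' or the raw OID hex of a certificate's public key."""
    _, cert, _ = der_read(cert_der)
    _, tbs = der_children(cert)[0]            # tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                  # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki = fields[5][1]
    algid = der_children(spki)[0][1]          # AlgorithmIdentifier
    oid = der_children(algid)[0][1]           # OBJECT IDENTIFIER content
    return {OID_RSA: "RSA", OID_EC: "ECDSA"}.get(oid, oid.hex())


def pem_certs(pem_text):
    """All CERTIFICATE blocks in file order (leaf first, then the chain)."""
    return [base64.b64decode(m.group(1)) for m in PEM_CERT.finditer(pem_text)]


def alt_cert_problem(primary_pem, alt_pem):
    """Return an error message, or None if the alternate cert complements the primary."""
    primary, alt = pem_certs(primary_pem), pem_certs(alt_pem)
    if not primary or not alt:
        return "ssl_cert_file or ssl_alt_cert_file contains no CERTIFICATE block"
    p_type, a_type = key_algorithm(primary[0]), key_algorithm(alt[0])
    if p_type == a_type:
        return (f"ssl_alt_cert_file has the same key type ({a_type}) as "
                f"ssl_cert_file: it would replace the primary, not complement it")
    return None


def describe_pair(primary_pem, alt_pem):
    """(primary key type, alternate key type, number of blocks in the alternate chain)."""
    return (key_algorithm(pem_certs(primary_pem)[0]),
            key_algorithm(pem_certs(alt_pem)[0]),
            len(pem_certs(alt_pem)))


def fake_cert(key_oid):
    """Constructed test data: structurally valid, unsigned Certificate DER."""
    alg = der(0x30, der(0x06, key_oid) + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00\x01"))
    name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"260101000000Z") * 2)
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00"))


def to_pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


RSA_PEM = to_pem(fake_cert(OID_RSA))                                  # primary
EC_CHAIN_PEM = to_pem(fake_cert(OID_EC)) + to_pem(fake_cert(OID_EC))  # leaf + intermediate

if __name__ == "__main__":
    print(describe_pair(RSA_PEM, EC_CHAIN_PEM))
    print(alt_cert_problem(RSA_PEM, EC_CHAIN_PEM))   # None: RSA primary, ECDSA alternate
    print(alt_cert_problem(RSA_PEM, RSA_PEM))        # same type: would silently replace
```

The chain count returned by describe_pair is what a loader should iterate over when adding the alternate certificate (point 4); the same-type message is the startup error point 5 asks for instead of a silent replacement. On a real deployment the two PEM strings would be the contents of the configured files.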
