From b3ffe63380544d7e756adbbb1fa376a5a49237df Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson Date: Mon, 1 Jun 2026 14:14:07 +0200 Subject: [PATCH 1/4] ssl: Remove static var tracking tls_init_hook warnings If the TLS init hook is defined in conjunction with ssl_sni we issue a warning to help the user re-configure the cluster. To avoid drowning the log in warnings, we log only once instead of once per host. This removes the static variable tracking the warning to aid future multithreading efforts. --- src/backend/libpq/be-secure-openssl.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 4ce2a92b964..025c55d9bd6 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -98,7 +98,7 @@ static bool initialize_dh(SSL_CTX *context, bool isServerStart); static bool initialize_ecdh(SSL_CTX *context, bool isServerStart); static const char *SSLerrmessageExt(unsigned long ecode, const char *replacement); static const char *SSLerrmessage(unsigned long ecode); -static bool init_host_context(HostsLine *host, bool isServerStart); +static bool init_host_context(HostsLine *host, bool isServerStart, bool *hasWarned); static void host_context_cleanup_cb(void *arg); #ifdef HAVE_SSL_CTX_SET_CLIENT_HELLO_CB static int sni_clienthello_cb(SSL *ssl, int *al, void *arg); @@ -160,6 +160,7 @@ be_tls_init(bool isServerStart) int ssl_ver_min = -1; int ssl_ver_max = -1; host_cache_hash *host_cache = NULL; + bool hasWarned = false; /* * Since we don't know which host we're using until the ClientHello is @@ -249,7 +250,7 @@ be_tls_init(bool isServerStart) { HostsLine *host = lfirst(line); - if (!init_host_context(host, isServerStart)) + if (!init_host_context(host, isServerStart, &hasWarned)) goto error; /* @@ -344,7 +345,7 @@ be_tls_init(bool isServerStart) pgconf->ssl_passphrase_cmd = ssl_passphrase_command; pgconf->ssl_passphrase_reload = ssl_passphrase_command_supports_reload; - if (!init_host_context(pgconf, isServerStart)) + if (!init_host_context(pgconf, isServerStart, &hasWarned)) goto error; /* @@ -609,10 +610,9 @@ host_context_cleanup_cb(void *arg) } static bool -init_host_context(HostsLine *host, bool isServerStart) +init_host_context(HostsLine *host, bool isServerStart, bool *hasWarned) { SSL_CTX *ctx = SSL_CTX_new(SSLv23_method()); - static bool init_warned = false; if (!ctx) { @@ -634,7 +634,7 @@ init_host_context(HostsLine *host, bool isServerStart) (*openssl_tls_init_hook) (ctx, isServerStart); else { - if (openssl_tls_init_hook != default_openssl_tls_init && !init_warned) + if (openssl_tls_init_hook != default_openssl_tls_init && !*hasWarned) { ereport(WARNING, errcode(ERRCODE_CONFIG_FILE_ERROR), @@ -645,7 +645,7 @@ init_host_context(HostsLine *host, bool isServerStart) "that is currently installed, or remove the hook " "and use per-host passphrase commands in \"%s\".", "ssl_sni", HostsFileName)); - init_warned = true; + *hasWarned = true; } /* -- 2.39.3 (Apple Git-146)