From b607f96e27d9b0639c9b2755c1b10cabf9339778 Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson Date: Mon, 1 Jun 2026 14:14:07 +0200 Subject: [PATCH v2 1/4] ssl: Remove static var tracking tls_init_hook warnings If the TLS init hook is defined in conjunction with ssl_sni we issue a warning to help the user re-configure the cluster. To avoid drowning the log in warnings, we log only once instead of once per host. This removes the static variable tracking the warning to aid future multithreading efforts. Author: Daniel Gustafsson Reviewed-by: Tristan Partin Reviewed-by: Andreas Karlsson Discussion: https://postgr.es/m/68B9881D-DAA8-467D-A251-C96E98E57BA0@yesql.se --- src/backend/libpq/be-secure-openssl.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 4ce2a92b964..0a13b8aa922 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -98,7 +98,8 @@ static bool initialize_dh(SSL_CTX *context, bool isServerStart); static bool initialize_ecdh(SSL_CTX *context, bool isServerStart); static const char *SSLerrmessageExt(unsigned long ecode, const char *replacement); static const char *SSLerrmessage(unsigned long ecode); -static bool init_host_context(HostsLine *host, bool isServerStart); +static bool init_host_context(HostsLine *host, bool isServerStart, bool *hasWarned) + pg_attribute_nonnull(3); static void host_context_cleanup_cb(void *arg); #ifdef HAVE_SSL_CTX_SET_CLIENT_HELLO_CB static int sni_clienthello_cb(SSL *ssl, int *al, void *arg); @@ -160,6 +161,7 @@ be_tls_init(bool isServerStart) int ssl_ver_min = -1; int ssl_ver_max = -1; host_cache_hash *host_cache = NULL; + bool hasWarned = false; /* * Since we don't know which host we're using until the ClientHello is @@ -249,7 +251,7 @@ be_tls_init(bool isServerStart) { HostsLine *host = lfirst(line); - if (!init_host_context(host, isServerStart)) + if (!init_host_context(host, isServerStart, &hasWarned)) goto error; /* @@ -344,7 +346,7 @@ be_tls_init(bool isServerStart) pgconf->ssl_passphrase_cmd = ssl_passphrase_command; pgconf->ssl_passphrase_reload = ssl_passphrase_command_supports_reload; - if (!init_host_context(pgconf, isServerStart)) + if (!init_host_context(pgconf, isServerStart, &hasWarned)) goto error; /* @@ -609,10 +611,11 @@ host_context_cleanup_cb(void *arg) } static bool -init_host_context(HostsLine *host, bool isServerStart) +init_host_context(HostsLine *host, bool isServerStart, bool *hasWarned) { SSL_CTX *ctx = SSL_CTX_new(SSLv23_method()); - static bool init_warned = false; + + Assert(hasWarned); if (!ctx) { @@ -634,7 +637,7 @@ init_host_context(HostsLine *host, bool isServerStart) (*openssl_tls_init_hook) (ctx, isServerStart); else { - if (openssl_tls_init_hook != default_openssl_tls_init && !init_warned) + if (openssl_tls_init_hook != default_openssl_tls_init && !*hasWarned) { ereport(WARNING, errcode(ERRCODE_CONFIG_FILE_ERROR), @@ -645,7 +648,7 @@ init_host_context(HostsLine *host, bool isServerStart) "that is currently installed, or remove the hook " "and use per-host passphrase commands in \"%s\".", "ssl_sni", HostsFileName)); - init_warned = true; + *hasWarned = true; } /* -- 2.39.3 (Apple Git-146)