From b3ffe63380544d7e756adbbb1fa376a5a49237df Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson <dgustafsson@postgresql.org>
Date: Mon, 1 Jun 2026 14:14:07 +0200
Subject: [PATCH 1/4] ssl: Remove static var tracking tls_init_hook warnings

If the TLS init hook is defined in conjunction with ssl_sni we
issue a warning to help the user re-configure the cluster.  To
avoid drowning the log in warnings, we log only once instead of
once per host.  This removes the static variable tracking the
warning to aid future multithreading efforts.
---
 src/backend/libpq/be-secure-openssl.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 4ce2a92b964..025c55d9bd6 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -98,7 +98,7 @@ static bool initialize_dh(SSL_CTX *context, bool isServerStart);
 static bool initialize_ecdh(SSL_CTX *context, bool isServerStart);
 static const char *SSLerrmessageExt(unsigned long ecode, const char *replacement);
 static const char *SSLerrmessage(unsigned long ecode);
-static bool init_host_context(HostsLine *host, bool isServerStart);
+static bool init_host_context(HostsLine *host, bool isServerStart, bool *hasWarned);
 static void host_context_cleanup_cb(void *arg);
 #ifdef HAVE_SSL_CTX_SET_CLIENT_HELLO_CB
 static int	sni_clienthello_cb(SSL *ssl, int *al, void *arg);
@@ -160,6 +160,7 @@ be_tls_init(bool isServerStart)
 	int			ssl_ver_min = -1;
 	int			ssl_ver_max = -1;
 	host_cache_hash *host_cache = NULL;
+	bool		hasWarned = false;
 
 	/*
 	 * Since we don't know which host we're using until the ClientHello is
@@ -249,7 +250,7 @@ be_tls_init(bool isServerStart)
 		{
 			HostsLine  *host = lfirst(line);
 
-			if (!init_host_context(host, isServerStart))
+			if (!init_host_context(host, isServerStart, &hasWarned))
 				goto error;
 
 			/*
@@ -344,7 +345,7 @@ be_tls_init(bool isServerStart)
 		pgconf->ssl_passphrase_cmd = ssl_passphrase_command;
 		pgconf->ssl_passphrase_reload = ssl_passphrase_command_supports_reload;
 
-		if (!init_host_context(pgconf, isServerStart))
+		if (!init_host_context(pgconf, isServerStart, &hasWarned))
 			goto error;
 
 		/*
@@ -609,10 +610,9 @@ host_context_cleanup_cb(void *arg)
 }
 
 static bool
-init_host_context(HostsLine *host, bool isServerStart)
+init_host_context(HostsLine *host, bool isServerStart, bool *hasWarned)
 {
 	SSL_CTX    *ctx = SSL_CTX_new(SSLv23_method());
-	static bool init_warned = false;
 
 	if (!ctx)
 	{
@@ -634,7 +634,7 @@ init_host_context(HostsLine *host, bool isServerStart)
 		(*openssl_tls_init_hook) (ctx, isServerStart);
 	else
 	{
-		if (openssl_tls_init_hook != default_openssl_tls_init && !init_warned)
+		if (openssl_tls_init_hook != default_openssl_tls_init && !*hasWarned)
 		{
 			ereport(WARNING,
 					errcode(ERRCODE_CONFIG_FILE_ERROR),
@@ -645,7 +645,7 @@ init_host_context(HostsLine *host, bool isServerStart)
 							"that is currently installed, or remove the hook "
 							"and use per-host passphrase commands in \"%s\".",
 							"ssl_sni", HostsFileName));
-			init_warned = true;
+			*hasWarned = true;
 		}
 
 		/*
-- 
2.39.3 (Apple Git-146)

