fix(tls): improve SSL/TLS certificate tracking and fix memory leaks

- lib/ProxySQL_GloVars.cpp: Free tls_cert_file, tls_ca_file, and tls_key_file in ProxySQL_GlobalVariables destructor.
- src/proxy_tls.cpp: Added std::lock_guard during initial bootstrap of TLS variables to prevent race conditions.
- src/proxy_tls.cpp: Ensure TLS file paths are updated in GloVars during PROXYSQL RELOAD TLS to keep stats table consistent with runtime configuration.

lib/ProxySQL_GloVars.cpp

@@ -170,6 +170,18 @@ ProxySQL_GlobalVariables::~ProxySQL_GlobalVariables() {
 		free(global.gr_bootstrap_ssl_mode);
 		global.gr_bootstrap_ssl_mode = nullptr;
 	}
+	if (global.tls_cert_file) {
+		free(global.tls_cert_file);
+		global.tls_cert_file = nullptr;
+	}
+	if (global.tls_ca_file) {
+		free(global.tls_ca_file);
+		global.tls_ca_file = nullptr;
+	}
+	if (global.tls_key_file) {
+		free(global.tls_key_file);
+		global.tls_key_file = nullptr;
+	}
 };
 
 ProxySQL_GlobalVariables::ProxySQL_GlobalVariables() :

src/proxy_tls.cpp

@@ -407,16 +407,19 @@ int ProxySQL_create_or_load_TLS(bool bootstrap, std::string& msg) {
 		SSL_CTX_set_options(GloVars.global.ssl_ctx, SSL_OP_NO_TICKET);
 		SSL_CTX_set_session_cache_mode(GloVars.global.ssl_ctx, SSL_SESS_CACHE_OFF);
 
-		// Store TLS file paths and tracking info for stats table (no lock needed during bootstrap)
-		free(GloVars.global.tls_key_file);
-		GloVars.global.tls_key_file = ssl_key_fp ? strdup(ssl_key_fp) : NULL;
-		free(GloVars.global.tls_cert_file);
-		GloVars.global.tls_cert_file = ssl_cert_fp ? strdup(ssl_cert_fp) : NULL;
-		free(GloVars.global.tls_ca_file);
-		GloVars.global.tls_ca_file = ssl_ca_fp ? strdup(ssl_ca_fp) : NULL;
-		GloVars.global.tls_load_count++;
-		GloVars.global.tls_last_load_timestamp = time(NULL);
-		GloVars.global.tls_last_load_ok = true;
+		// Store TLS file paths and tracking info for stats table
+		{
+			std::lock_guard<std::mutex> lock(GloVars.global.ssl_mutex);
+			free(GloVars.global.tls_key_file);
+			GloVars.global.tls_key_file = ssl_key_fp ? strdup(ssl_key_fp) : NULL;
+			free(GloVars.global.tls_cert_file);
+			GloVars.global.tls_cert_file = ssl_cert_fp ? strdup(ssl_cert_fp) : NULL;
+			free(GloVars.global.tls_ca_file);
+			GloVars.global.tls_ca_file = ssl_ca_fp ? strdup(ssl_ca_fp) : NULL;
+			GloVars.global.tls_load_count++;
+			GloVars.global.tls_last_load_timestamp = time(NULL);
+			GloVars.global.tls_last_load_ok = true;
+		}
 	} else {
 		// here we use global.tmp_ssl_ctx instead of global.ssl_ctx
 		// because we will try to swap at the end
@@ -437,6 +440,12 @@ int ProxySQL_create_or_load_TLS(bool bootstrap, std::string& msg) {
 							GloVars.global.ssl_key_pem_mem = load_file(ssl_key_fp);
         					GloVars.global.ssl_cert_pem_mem = load_file(ssl_cert_fp);
 							// Update TLS tracking fields for stats table (under ssl_mutex)
+							free(GloVars.global.tls_key_file);
+							GloVars.global.tls_key_file = ssl_key_fp ? strdup(ssl_key_fp) : NULL;
+							free(GloVars.global.tls_cert_file);
+							GloVars.global.tls_cert_file = ssl_cert_fp ? strdup(ssl_cert_fp) : NULL;
+							free(GloVars.global.tls_ca_file);
+							GloVars.global.tls_ca_file = ssl_ca_fp ? strdup(ssl_ca_fp) : NULL;
 							GloVars.global.tls_load_count++;
 							GloVars.global.tls_last_load_timestamp = time(NULL);
 							GloVars.global.tls_last_load_ok = true;