Bug 2381960

Summary: [BYOK] [RFE] Cephadm NFS service spec does not support SNI (Server Name Indication) for mTLS
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Binod Luitel <bluitel>
Component: NFS-Ganesha
Assignee: Sachin Punadikar <spunadik>
NFS-Ganesha sub component: Ceph
QA Contact: Manisha Saini <msaini>
Status: VERIFIED
Severity: high
Priority: unspecified
CC: bkunal, cephqe-warriors, kkeithle, msaini, ngangadh, shbhosal, tserlin, vdas
Version: 6.4
Keywords: FutureFeature
Target Milestone: ---
Target Release: 9.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: nfs-ganesha-7.0-0.6.3.el9cp
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of:
: 2392400 (view as bug list)
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 2392400

Description Binod Luitel 2025-07-18 17:01:08 UTC
Description of problem:

Currently, with nfs-ganesha-6.5-25, the mTLS connection Ganesha makes to fetch the KMIP key using the KMIP key ID establishes a connection to the KMIP server using the hostname provided in the NFS-Ganesha configuration specification.

The configuration does not allow specifying SNI (Server Name Indication) for the mTLS connection and assumes that the cert it is using for the mTLS connection is compartmentalized with the same hostname that it is using.

But often this is not true, and the client has to specify which server it is trying to reach, which is also true for the IBM Cloud mTLS implementation.

Currently the ingress hosts are IP addresses and the certs are configured with wildcard domains to facilitate communication from different services within IBM Cloud. The certs do not carry IPs in the SAN, so we need to work around this by mapping IPs to hostnames locally using /etc/hosts.

We'd like to get away from using this workaround and use proper SNI for mTLS.


Version-Release number of selected component (if applicable):

nfs-ganesha-6.5-25
ceph-19.2.1-234

How reproducible:

Use a valid cert that does not have a SAN configured with an exact domain match for the KMIP server hostname. Try making the connection with TLS configured to use SNI; the connection should be successful. Then try without SNI; the connection should be unsuccessful.

Steps to Reproduce:
1. Use a valid cert that does not have a SAN configured with an exact domain match for the KMIP server hostname.
2. Try making the connection without TLS configured to use SNI; the connection should be unsuccessful.
3. Try making the connection with TLS configured to use SNI; the connection should be successful.

Actual results:

SNI cannot be configured for the KMIP mTLS connection.

Expected results:

Ganesha config needs to accept SNI for KMIP mTLS connection.

Additional info:

NA
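The failure described in the report, as an added example (not code from the bug report or from NFS-Ganesha): a wildcard dNSName SAN can never match the literal ingress IP a client connects to, so the name used for SNI and certificate verification has to be configurable independently of the connect address. The SAN entries, host names, addresses and file paths below are constructed.

```python
"""Added example: why the KMIP mTLS client needs an SNI/verification name
that is decoupled from the address it connects to (not Ganesha's own code)."""
import ipaddress
import socket
import ssl

# Constructed sample: SAN of a wildcard cert like the one in the report,
# as (type, value) pairs found in an X.509 subjectAltName extension.
WILDCARD_SAN = [("DNS", "*.kmip.cloud.example")]


def san_matches(san_entries, presented_name):
    """RFC 6125-style check of the name a client verifies against the SAN.

    An IP address only matches iPAddress entries, never dNSName entries, and
    a wildcard covers exactly one leftmost label. This is the check that
    fails when the literal ingress IP is verified instead of an SNI name.
    """
    try:
        target_ip = ipaddress.ip_address(presented_name)
    except ValueError:
        target_ip = None

    for san_type, value in san_entries:
        if target_ip is not None:
            if san_type == "IP" and ipaddress.ip_address(value) == target_ip:
                return True
            continue
        if san_type != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        name = presented_name.lower().rstrip(".")
        if pattern == name:
            return True
        p_labels, n_labels = pattern.split("."), name.split(".")
        if (p_labels[0] == "*" and len(p_labels) == len(n_labels) >= 3
                and p_labels[1:] == n_labels[1:]):
            return True
    return False


def kmip_tls_connect(connect_addr, port, sni_name, ca_file, cert_file, key_file):
    """Open an mTLS connection to connect_addr (an ingress IP) while sending
    sni_name in SNI and verifying the server cert against it. The parameter
    names and paths are assumptions, not Ganesha configuration keys."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)  # client cert for mTLS
    raw = socket.create_connection((connect_addr, port))
    # server_hostname is both the SNI sent on the wire and the name checked
    # against the SAN; it is deliberately independent of connect_addr.
    return ctx.wrap_socket(raw, server_hostname=sni_name)
```

Without the /etc/hosts workaround, `san_matches(WILDCARD_SAN, "10.10.0.5")` is false while `san_matches(WILDCARD_SAN, "kms.kmip.cloud.example")` is true, which is exactly the gap the SNI option closes.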