Bug 2381960 - [BYOK] [RFE] Cephadm NFS service spec does not support SNI (Server Name Indication) for mTLS
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: NFS-Ganesha
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 9.0
Assignee: Sachin Punadikar
QA Contact: Manisha Saini
URL:
Whiteboard:
Depends On:
Blocks: 2392400
 
Reported: 2025-07-18 17:01 UTC by Binod Luitel
Modified: 2025-11-11 11:22 UTC (History)

Fixed In Version: nfs-ganesha-7.0-0.6.3.el9cp
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 2392400
Environment:
Last Closed:
Embargoed:




Links
Red Hat Issue Tracker: RHCEPH-11816 (last updated 2025-07-18 17:01:49 UTC)

Description Binod Luitel 2025-07-18 17:01:08 UTC
Description of problem:

Currently, with nfs-ganesha-6.5-25, the mTLS connection Ganesha makes to fetch the KMIP key using the KMIP key ID establishes the connection to the KMIP server using the hostname provided in the NFS-Ganesha configuration specification.

The configuration does not allow specifying SNI (Server Name Indication) for the mTLS connection and assumes that the cert it is using for the mTLS connection is compartmentalized with the same hostname that it is using.

But often this is not true, and the client has to specify which server it is trying to reach, which is also the case for the IBM Cloud mTLS implementation.

Currently the ingress hosts are IP addresses, and the certs are configured with wildcard domains to facilitate communication from different services within IBM Cloud. The certs do not carry IPs in the SAN, so we need to work around this by mapping the IPs to hostnames locally using /etc/hosts.

We'd like to get away from using the workaround and use proper SNI for mTLS.


Version-Release number of selected component (if applicable):

nfs-ganesha-6.5-25
ceph-19.2.1-234

How reproducible:

Use a valid cert that does not have a SAN configured with an exact domain match for the KMIP server hostname. Try making the connection with TLS configured with SNI; the connection should be successful. Then try without SNI; the connection should be unsuccessful.

Steps to Reproduce:
1. Use a valid cert that does not have a SAN configured with an exact domain match for the KMIP server hostname.
2. Try making the connection without TLS configured with SNI; the connection should be unsuccessful.
3. Try making the connection with TLS configured with SNI; the connection should be successful.

Actual results:

SNI cannot be configured for the KMIP mTLS connection.

Expected results:

The Ganesha config needs to accept an SNI for the KMIP mTLS connection.

Additional info:

NA
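The report above comes down to what the Ganesha client puts in the TLS server_name extension when the configured KMIP host is an IP literal. As an added example (not code from the bug, from nfs-ganesha or from IBM Cloud), the following Python builds a minimal TLS 1.2 ClientHello with and without the RFC 6066 server_name extension and parses the extension back out of the record; the parser is the check to run on a packet capture of the Ganesha-to-KMIP handshake to confirm whether any SNI is actually being sent. The `sni_for_endpoint` helper, the hostname `kmip.example.com` and the address `10.0.0.5` are assumptions for illustration; the helper models the behaviour the RFE asks for (an explicit SNI override) next to the current one (derive it from the configured host, which yields nothing for an IP because RFC 6066 forbids IP literals in server_name).

```python
import ipaddress
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16      # record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # RFC 6066 server_name extension
SNI_HOST_NAME = 0x00      # the only NameType defined by RFC 6066


def sni_for_endpoint(configured_host: str, sni_override: Optional[str] = None) -> Optional[str]:
    """Hypothetical helper: choose the name to send as SNI for a configured KMIP endpoint.

    An explicit override (what this RFE asks for) always wins. Otherwise the
    configured host is usable only if it is a DNS name: RFC 6066 forbids IP
    literals in server_name, so an IP-addressed ingress yields no SNI at all.
    """
    if sni_override is not None:
        return sni_override
    try:
        ipaddress.ip_address(configured_host)
    except ValueError:
        return configured_host  # a DNS name: fine as SNI
    return None                 # IP literal: nothing valid to send


def build_client_hello(sni: Optional[str]) -> bytes:
    """Return a TLS record holding a minimal TLS 1.2 ClientHello, with or without SNI."""
    if sni is not None:
        try:
            ipaddress.ip_address(sni)
        except ValueError:
            pass
        else:
            raise ValueError("IP literal %r is not allowed in SNI (RFC 6066)" % sni)
    client_random = b"\x11" * 32         # constructed; a real client sends 32 random bytes
    session_id = b""
    cipher_suites = b"\xc0\x2f\xc0\x30"  # constructed: two ECDHE-RSA AES-GCM suites
    compression = b"\x00"                # null compression only
    extensions = b""
    if sni is not None:
        host = sni.encode("idna")
        name = struct.pack("!BH", SNI_HOST_NAME, len(host)) + host
        name_list = struct.pack("!H", len(name)) + name
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    body = (
        b"\x03\x03" + client_random
        + struct.pack("!B", len(session_id)) + session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + struct.pack("!B", len(compression)) + compression
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Parse a TLS handshake record carrying a ClientHello; return its SNI host_name or None."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                           # legacy_version + random
    pos += 1 + body[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                                   # compression_methods
    if pos + 2 > len(body):
        return None                                        # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_size]
        pos += 4 + ext_size
        if ext_type != EXT_SERVER_NAME:
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        lp = 2
        while lp + 3 <= list_end:
            name_type, name_len = struct.unpack("!BH", data[lp:lp + 3])
            lp += 3
            if name_type == SNI_HOST_NAME:
                return data[lp:lp + name_len].decode("idna")
            lp += name_len
    return None


if __name__ == "__main__":
    for host in ("kmip.example.com", None):
        print(host, "->", extract_sni(build_client_hello(host)))
    print("IP ingress, no override ->", sni_for_endpoint("10.0.0.5"))
    print("IP ingress, override    ->", sni_for_endpoint("10.0.0.5", "kmip.example.com"))
```

On a live capture, feed `extract_sni` the first record of the client-to-server TCP stream on the KMIP port (5696 by default); a result of `None` against an IP-addressed ingress fronted by a wildcard cert is exactly the situation the /etc/hosts workaround papers over. Note that the SNI name and the address the socket connects to are independent values in every TLS stack (in Python's `ssl` module, for instance, `server_hostname` is passed separately from the connect address), which is why a configuration knob for it is a small change rather than a protocol one.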

