ktls-utils: question about certificate verification

Hi Chuck,

I've run into the following problem while trying to mount on a RHEL9.4
client using xprtsec=tls. After some debugging I have determined that
the reason mount by DNS name was failing is because gnutls insisted on
having SubjectAltName=DNS:foo.bar.com. Having a certificate that
has a DNS name in the "CN" and then has "SubjectAltName=IP:x.x.x.x"
was failing. But when I created a certificate with
"SubjectAltName:IP:x.x.x.x:DNS:x.x.x.x" then I could mount (or just
having DNS: works too, but in that case mounting by IP doesn't work).

Here's the output from tlshd when it fails (with SubjectAltName "IP"):

tlshd[260035]: gnutls(3): self-signed cert found: subject
`EMAIL=kolga@xxxxxxxxxx,CN=rhel94.nas.lab,OU=NFS,O=Netapp,L=Ann
Arbor,ST=MI,C=US', issuer
`EMAIL=kolga@xxxxxxxxxx,CN=rhel94.nas.lab,OU=NFS,O=Netapp,L=Ann
Arbor,ST=MI,C=US', serial 0x751ad911565945cce5d29d1c206450538f496b90,
RSA key 2048 bits, signed using RSA-SHA256, activated `2024-05-31
15:07:53 UTC', expires `2024-06-30 15:07:53 UTC',
pin-sha256="Efzu7ftve1SHxBVAIwf81jwAasQ0M3j5qWbEVuM8X8I="
tlshd[260035]: gnutls(3): ASSERT: x509_ext.c[gnutls_subject_alt_names_get]:111
tlshd[260035]: gnutls(3): ASSERT: x509.c[get_alt_name]:2011
tlshd[260035]: gnutls(3): ASSERT:
verify-high.c[gnutls_x509_trust_list_verify_crt2]:1615
tlshd[260035]: gnutls(3): ASSERT: auto-verify.c[auto_verify_cb]:51
tlshd[260035]: gnutls(3): ASSERT: handshake.c[_gnutls_run_verify_callback]:3018
tlshd[260035]: gnutls(3): ASSERT:
handshake-tls13.c[_gnutls13_handshake_client]:139
tlshd[260035]: Certificate owner unexpected.

Question: does the ktls-utils requirement for IP presence in SubjectAltName
now require both?
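A model of the identity-matching rule that produces the behaviour described above, added here as an illustration and not code from ktls-utils or gnutls: an IP target is compared only against iPAddress SANs, a host name only against dNSName SANs, and the CN is consulted only when the certificate carries no DNS or IP SAN at all. The CertIdentity values and the 192.0.2.10 address are constructed; a real check would take them from the parsed server certificate.

```python
"""Simplified RFC 6125-style matching of a mount target against certificate identities."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentity:
    """Identity fields of a server certificate (constructed here, not parsed from a file)."""
    cn: Optional[str] = None
    san_dns: List[str] = field(default_factory=list)
    san_ip: List[str] = field(default_factory=list)


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID match; '*' is accepted only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def identity_matches(cert: CertIdentity, target: str) -> bool:
    """True if `target` (host name or IP literal as written in the mount) matches the cert."""
    try:
        target_ip = ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        target_ip = None
    if target_ip is not None:
        # IP targets never fall back to the CN; only iPAddress SANs count.
        return any(ipaddress.ip_address(ip) == target_ip for ip in cert.san_ip)
    if cert.san_dns or cert.san_ip:
        # Any DNS/IP SAN present: the CN is ignored, so CN=host + SAN IP fails a mount by name.
        return any(_dns_match(name, target) for name in cert.san_dns)
    return cert.cn is not None and _dns_match(cert.cn, target)


if __name__ == "__main__":
    ip_only = CertIdentity(cn="rhel94.nas.lab", san_ip=["192.0.2.10"])
    both = CertIdentity(cn="rhel94.nas.lab", san_dns=["rhel94.nas.lab"], san_ip=["192.0.2.10"])
    for label, cert in (("SAN IP only", ip_only), ("SAN DNS+IP", both)):
        for target in ("rhel94.nas.lab", "192.0.2.10"):
            print(f"{label:12s} mount by {target:16s} -> {identity_matches(cert, target)}")
```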
