- Added the `--write-devices` option based on the long-standing patch.
- - Added openssl support to the rsync-ssl script, which is now installed by
- default. This script was unified with the stunnel-rsync helper script to
- simplify packaging.
+ - Added openssl & preliminary gnutls support to the rsync-ssl script, which is
+ now installed by default. This was unified with the old stunnel-rsync
+ helper script to simplify packaging. Note that the script accepts the use
+ of --type=gnutls for gnutls testing, but does not look for gnutls-cli on the
+ path yet. The use of type=gnutls will not work right until gnutls-cli no
+ longer drops data.
- Rsync was enhanced to set the `RSYNC_PORT` environment variable when running
a daemon-over-rsh script. Its value is the user-specified port number (set
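Review bot: the added NEWS text "does not look for gnutls-cli on the path yet" contradicts the script changes in this same patch, which add a `*/gnutls-cli` match to the auto-detection branch and a `path_search gnutls-cli` fallback in the `gnutls)` case; either drop that sentence or reword it to state what is actually still missing. The same entry spells the option `--type=gnutls` on one line and `type=gnutls` on the next; use one spelling.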
- Tweak auxilliary doc file names, such as: README.md, INSTALL.md, NEWS.md, &
OLDNEWS.md.
- - The rsync-ssl script wants to run either openssl or stunnel4, so consider
- adding a dependency for openssl (though it's probably fine to just let it
- complain about being unable to find either program and let the user decide
+ - The rsync-ssl script wants to run openssl or stunnel4, so consider adding a
+ dependency for one of those options (though it's probably fine to just let
+ it complain about being unable to find the program and let the user decide
if they want to install one or the other).
- If you packaged rsync + rsync-ssl + rsync-ssl-daemon as separate packages,
#!/bin/bash
-# This script supports using openssl or stunnel to secure an rsync daemon connection.
+# This script uses openssl, gnutls, or stunnel to secure an rsync daemon connection.
# By default this script takes rsync args and hands them off to the actual
# rsync command with an --rsh option that makes it open an SSL connection to an
if [[ "$found" == */openssl ]]; then
RSYNC_SSL_TYPE=openssl
RSYNC_SSL_OPENSSL="$found"
+ elif [[ "$found" == */gnutls-cli ]]; then
+ RSYNC_SSL_TYPE=gnutls
+ RSYNC_SSL_GNUTLS="$found"
else
RSYNC_SSL_TYPE=stunnel
RSYNC_SSL_STUNNEL="$found"
fi
optsep=' '
;;
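Review bot: the new `elif [[ "$found" == */gnutls-cli ]]` branch means a host that has gnutls-cli but no openssl is silently switched to a backend that this patch's own NEWS entry says still drops data, so a user who never asked for gnutls gets a connection that loses bytes without any error. Until gnutls-cli is usable, keep it out of the automatic search and honour it only when chosen explicitly with `--type=gnutls` or `RSYNC_SSL_TYPE=gnutls`.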
+ gnutls)
+ if [[ -z "$RSYNC_SSL_GNUTLS" ]]; then
+ RSYNC_SSL_GNUTLS=`path_search gnutls-cli` || exit 1
+ fi
+ optsep=' '
+ ;;
stunnel)
if [[ -z "$RSYNC_SSL_STUNNEL" ]]; then
RSYNC_SSL_STUNNEL=`path_search stunnel4 stunnel` || exit 1
if [[ -z "$RSYNC_SSL_CERT" ]]; then
certopt=""
+ gnutls_cert_opt=""
else
certopt="cert$optsep$RSYNC_SSL_CERT"
+ gnutls_cert_opt="--x509keyfile=$RSYNC_SSL_CERT"
fi
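Review bot: `gnutls_cert_opt="--x509keyfile=$RSYNC_SSL_CERT"` hands the certificate file to gnutls-cli as a key file only. openssl's `-cert` reads both certificate and key from one PEM file, whereas gnutls-cli takes the certificate through its separate `--x509certfile` option, so with this line the client certificate may never be presented; consider `--x509certfile=$RSYNC_SSL_CERT --x509keyfile=$RSYNC_SSL_CERT` and verify against a daemon that requires client certificates.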
if [[ -z ${RSYNC_SSL_CA_CERT+x} ]]; then
# RSYNC_SSL_CA_CERT unset - default CA set AND verify:
# openssl:
caopt="-verify_return_error -verify 4"
+ # gnutls:
+ gnutls_opts=""
# stunnel:
# Since there is no way of using the default CA certificate collection,
# we cannot do any verification. Thus, stunnel should really only be
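Review bot: `gnutls_opts=""` in the RSYNC_SSL_CA_CERT-unset branch relies on gnutls-cli's default behaviour (verify the peer against the system trust store and fail the handshake on mismatch) without saying so, while the openssl line next to it spells out `-verify_return_error -verify 4`. Add a comment that the empty value is the verifying case and is deliberate, so that nobody later "fixes" it and accidentally turns this into the `--insecure` behaviour of the set-but-empty branch.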
# RSYNC_SSL_CA_CERT set but empty -do NO verifications:
# openssl:
caopt="-verify 1"
+ # gnutls:
+ gnutls_opts="--insecure"
# stunnel:
cafile=""
verify="verifyChain = no"
# RSYNC_SSL_CA_CERT set - use CA AND verify:
# openssl:
caopt="-CAfile $RSYNC_SSL_CA_CERT -verify_return_error -verify 4"
+ # gnutls:
+ gnutls_opts="--x509cafile=$RSYNC_SSL_CA_CERT"
# stunnel:
cafile="CAfile = $RSYNC_SSL_CA_CERT"
verify="verifyChain = yes"
if [[ $RSYNC_SSL_TYPE == openssl ]]; then
exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
+ elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
+ exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port
else
# devzero@web.de came up with this no-tmpfile calling syntax:
exec $RSYNC_SSL_STUNNEL -fd 10 11<&0 <<EOF 10<&0 0<&11 11<&-
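Review bot: in the gnutls exec line `$gnutls_cert_opt $gnutls_opts $hostname:$port` are all unquoted, so an RSYNC_SSL_CERT or RSYNC_SSL_CA_CERT path containing whitespace is word-split into separate arguments (the openssl line shares this weakness; the stunnel branch sidesteps it by writing its config through the heredoc). The openssl branch also passes `-servername $hostname` explicitly, while the gnutls branch depends on gnutls-cli taking both SNI and the name to verify from the positional host; a comment stating that assumption would let the two branches be checked the same way.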
0. `RSYNC_SSL_OPENSSL` Specifies the openssl executable to run when the
connection type is set to openssl. If unspecified, the $PATH is searched
for "openssl".
+0. `RSYNC_SSL_GNUTLS` Specifies the gnutls-cli executable to run when the
+ connection type is set to gnutls. If unspecified, the $PATH is searched
+ for "gnutls-cli".
0. `RSYNC_SSL_STUNNEL` Specifies the stunnel executable to run when the
connection type is set to stunnel. If unspecified, the $PATH is searched
first for "stunnel4" and then for "stunnel".
connection without any cert validation unless you have specified the
certificate environment options.
+This script also supports a `--type=gnutls` option, but at the time of this
+release the gnutls-cli command was dropping output, making it unusable. If
+that bug has been fixed in your version, feel free to put gnutls into the
+RSYNC_SSL_TYPE environment variable if you want to make its use the default.
+
# BUGS
Please report bugs! See the web site at <http://rsync.samba.org/>.
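Review bot: the man page's `RSYNC_SSL_GNUTLS` entry says the $PATH is searched for "gnutls-cli", and the closing paragraph invites users to set `RSYNC_SSL_TYPE` to gnutls, but the NEWS entry in this same patch says the script does not look for gnutls-cli on the path yet; the two documents should describe the same behaviour. The paragraph starting "This script also supports a `--type=gnutls` option" would also help users more if it named the known failure (gnutls-cli dropping output) as the thing to test for before making gnutls the default, rather than leaving them to discover it mid-transfer.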