From: Wayne Davison
Date: Mon, 15 Jun 2020 16:21:28 +0000 (-0700)
Subject: Tweak the stunnel4 Verify config; tweak the rsync-ssl docs/usage.
X-Git-Tag: v3.2.0pre2~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=00ec415a6965cf36bb05a7efbfdcc693ea2e0195;p=thirdparty%2Frsync.git

Tweak the stunnel4 Verify config; tweak the rsync-ssl docs/usage.
---
diff --git a/rsync-ssl b/rsync-ssl
index f48f44f8..4f0e86ba 100755
--- a/rsync-ssl
+++ b/rsync-ssl
@@ -72,21 +72,21 @@ function rsync_ssl_helper {
 caopt="-verify_return_error -verify 4"
 # stunnel:
 cafile=""
- verify=0
+ verify=""
 elif [[ "$RSYNC_SSL_CA_CERT" == "" ]]; then
 # RSYNC_SSL_CA_CERT set but empty -do NO verifications:
 # openssl:
 caopt="-verify 1"
 # stunnel:
 cafile=""
- verify=0
+ verify="verifyChain = no"
 else
 # RSYNC_SSL_CA_CERT set - use CA AND verify:
 # openssl:
 caopt="-CAfile $RSYNC_SSL_CA_CERT -verify_return_error -verify 4"
 # stunnel:
 cafile="CAfile = $RSYNC_SSL_CA_CERT"
- verify=3
+ verify="verifyChain = yes"
 fi
 
 port="${RSYNC_PORT:-0}"
@@ -118,7 +118,7 @@ debug = crit
 connect = $hostname:$port
 client = yes
 TIMEOUTclose = 0
-verify = $verify
+$verify
 $certopt
 $cafile
 EOF
@@ -146,7 +146,8 @@ function path_search {
 }
 
 if [[ "$#" == 0 ]]; then
- echo "Usage: rsync-ssl [--type=openssl|stunnel] RSYNC_ARG [...]" 1>&2
+ echo "Usage: rsync-ssl [--type=SSL_TYPE] RSYNC_ARG [...]" 1>&2
+ echo "The SSL_TYPE can be stunnel or openssl"
 exit 1
 fi
 
diff --git a/rsync-ssl.1.md b/rsync-ssl.1.md
index c8def0fa..c16b9657 100644
--- a/rsync-ssl.1.md
+++ b/rsync-ssl.1.md
@@ -5,7 +5,7 @@ rsync-ssl - a helper script for connecting to an ssl rsync daemon
 # SYNOPSIS
 
 ```
-rsync-ssl [--type=openssl|stunnel] RSYNC_ARGS
+rsync-ssl [--type=SSL_TYPE] RSYNC_ARGS
 ```
 
 # DESCRIPTION
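Review bot: In the first branch (RSYNC_SSL_CA_CERT unset) the new `verify=""` emits no verify directive for stunnel at all, so the branch comment "default CA set AND verify" holds only for the openssl path; as far as I recall stunnel's default is verifyChain = no, which would make that configuration accept any server certificate while the openssl path in the same branch verifies. If stunnel has no usable CA location in this branch, say so next to the assignment, e.g. `# stunnel: no CA configured here, so the server chain is NOT verified`, so the asymmetry between the two backends is deliberate rather than silent. Separately, `verifyChain` is, to my knowledge, a stunnel 5 directive, while the accompanying rsync-ssl.1.md change still states a minimum of stunnel version 4; the script and the manpage should agree on the supported version. rsync_ssl_helper starts before and continues after this hunk.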
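Review bot: With `$verify` now expanding to `verifyChain = yes`, the generated stunnel config checks the certificate chain but nothing in this block ties the certificate to the host named on the `connect` line, so a valid certificate for any name would pass; stunnel 5 provides `checkHost` for that, e.g. `checkHost = $hostname` emitted only when verification is on (worth confirming against the stunnel version the script targets). The bare `$verify` line also produces an empty line in the config when the variable is empty, which stunnel tolerates, but a one-line comment at the heredoc saying that an empty value intentionally falls back to stunnel's default would make the intent explicit. The heredoc starts before this hunk.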
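Review bot: The added second usage line is written to stdout while the line above it goes to stderr via `1>&2`, so the two halves of the usage text land on different streams when stdout is redirected or piped; it should be `echo "The SSL_TYPE can be stunnel or openssl" 1>&2`. A single `printf '%s\n' ... >&2` for both lines would avoid the duplication of the redirection.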
@@ -13,26 +13,25 @@ rsync-ssl [--type=openssl|stunnel] RSYNC_ARGS The rsync-ssl script helps you to run an rsync copy to/from an rsync daemon that requires ssl connections. -If the **first** arg is a `--type=NAME` option, the script will only use that -particular program to open an ssl connection instead of trying to find an +# OPTIONS + +If the **first** arg is a `--type=SSL_TYPE` option, the script will only use +that particular program to open an ssl connection instead of trying to find an stunnel or openssl executable via a simple heuristic (assuming that the `RSYNC_SSL_TYPE` environment variable is not set as well -- see below). This -option must be one of `--type=openssl` or `--type=stunnel`. The equal sign is +option must specify one of `openssl` or `stunnel`. The equal sign is required for this particular option. All the other options are passed through to the rsync command, so consult the **rsync** manpage for more information on how it works. -Note that the stunnel connection type requires at least version 4 of stunnel, -which should be the case on modern systems. - # ENVIRONMENT VARIABLES The ssl helper scripts are affected by the following environment variables: 0. `RSYNC_SSL_TYPE` Specifies the program type that should be used to open the - ssl connection. It must be one of "openssl" or "stunnel". The - `--type=NAME` option overrides this, if specified. + ssl connection. It must be one of `openssl` or `stunnel`. The + `--type=SSL_TYPE` option overrides this, when specified. 0. `RSYNC_SSL_PORT` If specified, the value is the port number that is used as the default when the user does not specify a port in their rsync command. When not specified, the default port number is 874. (Note that older rsync 
@@ -49,6 +48,11 @@ The ssl helper scripts are affected by the following environment variables: connection type is set to openssl. If unspecified, the $PATH is searched for "openssl". +# CAVEATS + +Note that using an stunnel connection requires at least version 4 of stunnel, +which should be the case on modern systems. + # EXAMPLES > rsync-ssl -aiv example.com::src/ dest