Choose openssl before stunnel.

diff --git a/rsync-ssl b/rsync-ssl
index 4f0e86ba9c9f6926a091d02d1cfdd37f36c60a99..f520d5ddc03df96f0a6deb0e6bbaf8a0f9185835 100755 (executable)
--- a/rsync-ssl
+++ b/rsync-ssl
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# This script supports using stunnel or openssl to secure an rsync daemon connection.
+# This script supports using openssl or stunnel to secure an rsync daemon connection.
 
 # By default this script takes rsync args and hands them off to the actual
 # rsync command with an --rsh option that makes it open an SSL connection to an
@@ -31,7 +31,7 @@ function rsync_ssl_run {
 
 function rsync_ssl_helper {
     if [[ -z "$RSYNC_SSL_TYPE" ]]; then
-       found=`path_search stunnel4 stunnel openssl` || exit 1
+       found=`path_search openssl stunnel4 stunnel` || exit 1
        if [[ "$found" == */openssl ]]; then
            RSYNC_SSL_TYPE=openssl
            RSYNC_SSL_OPENSSL="$found"
@@ -71,6 +71,9 @@ function rsync_ssl_helper {
        # openssl:
        caopt="-verify_return_error -verify 4"
        # stunnel:
+       # Since there is no way of using the default CA certificate collection,
+       # we cannot do any verification. Thus, stunnel should really only be
+       # used if nothing else is available.
        cafile=""
        verify=""
     elif [[ "$RSYNC_SSL_CA_CERT" == "" ]]; then
@@ -147,7 +150,7 @@ function path_search {
 
 if [[ "$#" == 0 ]]; then
     echo "Usage: rsync-ssl [--type=SSL_TYPE] RSYNC_ARG [...]" 1>&2
-    echo "The SSL_TYPE can be stunnel or openssl"
+    echo "The SSL_TYPE can be openssl or stunnel"
     exit 1
 fi
 

diff --git a/rsync-ssl.1.md b/rsync-ssl.1.md
index c16b9657ce039e44a7adce9ad0debfed2eecf799..ff4913c2abd9c29a80f6a3404e99d7252db33025 100644 (file)
--- a/rsync-ssl.1.md
+++ b/rsync-ssl.1.md
@@ -17,7 +17,7 @@ that requires ssl connections.
 
 If the **first** arg is a `--type=SSL_TYPE` option, the script will only use
 that particular program to open an ssl connection instead of trying to find an
-stunnel or openssl executable via a simple heuristic (assuming that the
+openssl or stunnel executable via a simple heuristic (assuming that the
 `RSYNC_SSL_TYPE` environment variable is not set as well -- see below).  This
 option must specify one of `openssl` or `stunnel`.  The equal sign is
 required for this particular option.
@@ -41,17 +41,12 @@ The ssl helper scripts are affected by the following environment variables:
     certificate to use for the connection.
 0.  `RSYNC_SSL_CA_CERT` If specified, the value is a filename that contains a
     certificate authority certificate that is used to validate the connection.
-0.  `RSYNC_SSL_STUNNEL` Specifies the stunnel executable to run when the
-    connection type is set to stunnel.  If unspecified, the $PATH is searched
-    first for "stunnel4" and then for "stunnel".
 0.  `RSYNC_SSL_OPENSSL` Specifies the openssl executable to run when the
     connection type is set to openssl.  If unspecified, the $PATH is searched
     for "openssl".
-
-# CAVEATS
-
-Note that using an stunnel connection requires at least version 4 of stunnel,
-which should be the case on modern systems.
+0.  `RSYNC_SSL_STUNNEL` Specifies the stunnel executable to run when the
+    connection type is set to stunnel.  If unspecified, the $PATH is searched
+    first for "stunnel4" and then for "stunnel".
 
 # EXAMPLES
 
@@ -63,6 +58,14 @@ which should be the case on modern systems.
 
 **rsync**(1), **rsyncd.conf**(5)
 
+# CAVEATS
+
+Note that using an stunnel connection requires at least version 4 of stunnel,
+which should be the case on modern systems.  Also, it does not verify a
+connection against the CA certificate collection, so it only encrypts the
+connection without any cert validation unless you have specified the
+certificate environment options.
+
 # BUGS
 
 Please report bugs! See the web site at <http://rsync.samba.org/>.